Restrict access to DRM license and AES key delivery using IP allowlists
When securing media with the content protection and DRM features of Media Services, you could encounter scenarios where you need to limit the delivery of licenses or key requests to a specific IP range of client devices on your network. To restrict content playback and delivery of keys, you can use the IP allowlist for Key Delivery.
You can also use the allowlist to completely block all public internet access to Key Delivery traffic and only allow traffic from your private network endpoints.
The IP allowlist for Key Delivery restricts the delivery of both DRM licenses and AES-128 keys to clients within the supplied IP allowlist range.
Setting the allowlist for key delivery
The settings for the Key Delivery IP allowlist are on the Media Services account resource. When creating a new Media Services account, you can restrict the allowed IP ranges through the KeyDelivery property on the Media Services account resource.
The defaultAction property can be set to "Allow" or "Deny" to control delivery of licenses and keys to clients in the allowlist range.
The ipAllowList property is an array of single IPv4 addresses and/or IPv4 ranges in CIDR notation.
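A pre-deployment check for these two properties, added here as an example and not taken from the Media Services documentation or SDK. It assumes that "Deny" limits key delivery to the ipAllowList entries and "Allow" leaves it open to every address; the function names, the sample values and the /8 breadth threshold are also assumptions.

```python
import ipaddress

# Constructed sample of the two properties (addresses are documentation/private ranges).
SAMPLE = {"defaultAction": "Deny", "ipAllowList": ["203.0.113.7", "10.20.0.0/16"]}


def parse_allowlist(entries):
    """Parse entries as single IPv4 addresses or IPv4 CIDR ranges."""
    networks = []
    for entry in entries:
        try:
            # "203.0.113.7" becomes a /32; strict=True rejects host bits set
            # in a range (e.g. "10.1.2.3/16"), and IPv6 input fails as well.
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad ipAllowList entry {entry!r}: {exc}") from exc
    return networks


def review(access_control):
    """Return review findings for a defaultAction/ipAllowList pair."""
    findings = []
    action = access_control.get("defaultAction")
    if action not in ("Allow", "Deny"):
        return [f"defaultAction must be 'Allow' or 'Deny', got {action!r}"]
    try:
        networks = parse_allowlist(access_control.get("ipAllowList", []))
    except ValueError as exc:
        return [str(exc)]
    if action == "Allow":
        findings.append("defaultAction is Allow: key delivery is not IP-restricted")
    elif not networks:
        findings.append("Deny with an empty ipAllowList: no client can request keys")
    for net in networks:
        if net.prefixlen < 8:  # assumed threshold for "suspiciously broad"
            findings.append(f"{net} is broader than a /8; confirm it is intended")
    return findings


def is_permitted(access_control, client_ip):
    """Assumed semantics: Allow admits every client, Deny only allowlisted ones."""
    if access_control["defaultAction"] == "Allow":
        return True
    address = ipaddress.IPv4Address(client_ip)
    return any(address in net for net in parse_allowlist(access_control["ipAllowList"]))


if __name__ == "__main__":
    print(review(SAMPLE), is_permitted(SAMPLE, "198.51.100.4"))
```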
Setting the allowlist in the portal
The Azure portal provides a method for configuring and updating the IP allowlist for key delivery. Navigate to your Media Services account and access the Key delivery menu under Settings.