Restricting Video Playback Using IP Address

This topic provides an overview of how IP address restriction can be used to limit video distribution.

Overview

In order to limit video playback to internal viewers only, Video Cloud Enterprise publishers can use IP address restriction. This approach prevents all the players in an account from loading unless the browser loading the player uses one of a specified list (whitelist) of allowed IP addresses. This provides a level of security that goes beyond domain restriction or geo-restriction.

When you set up IP address restriction, it applies to all the players in that account. You will need to use a separate account for players and videos that you want to make publicly available.

When a user tries to load a page that contains a Video Cloud player from an address that is not on the whitelist, they will see an error message that says "The video you are trying to watch cannot be viewed from your current country or location."

How to set up IP address restriction

To set up IP address restriction for one of your Video Cloud accounts, contact Brightcove Support. You will need to work with Support to identify or create an account for this purpose and provide a text file that contains your IP address whitelist.

Creating an IP address whitelist

To set up IP address restriction for one of your Video Cloud accounts, you need to provide Brightcove Support with a whitelist of the IP addresses that should be allowed to load Video Cloud players. Most companies use one or more gateways through which internal corporate traffic reaches the outside Internet. Your IP address whitelist should include the IP addresses of all of these gateways.

The whitelist should include each IP address on a separate line. You can also include a range of IP addresses. For example:

38.39.23.40
38.39.23.48
38.39.23.50-38.112.23.69
38.39.23.100-38.112.23.199

You can use subnet masks in Dot-decimal notation, such as:

38.39.23.50/255.255.255.0

You can also use CIDR block notation, such as:

38.39.23.50|24

38.39.23.50/24

Video Cloud content

When using the Playback API to retrieve content from a Video Cloud account which is configured for IP restrictions, you must use the following instead of the standard URL:

https://edge-elb.api.brightcove.com/playback/v1

Use edge-elb.api... vs the normal edge.api...

Implementation details

When a Brightcove Player is asked to load a video from a Video Cloud account, it connects to the catalog at this address:

https://edge.api.brightcove.com/playback/v1/.

Here is how that URL behaves:

When hitting Edge from within North America, it hits Edge directly, and Edge sees the user's IP address. It can either allow or deny access to the catalog as per the IP Restriction whitelist. This is the desired behaviour.
When hitting Edge from outside North America it goes via Cloudfront for load-balancing/local caching CDN reasons. This causes issues because Edge sees the Cloudfront IP instead of the user's IP, and denies all requests. This is because Cloudfront isn't on the whitelist (and never should it be because then anyone using Cloudfront would have access).

There is an alternative endpoint for Edge that can remedy this situation for non-North American customers. The endpoint is:

edge-elb.api.brightcove.com.

The downside to this approach is that it will introduce a very slight delay to the retrieval of cached content from outside of the US because catalog requests will be going to Virginia in the U.S. rather than through Cloudfront's global network of local servers. It's likely that this will be barely noticeable, but it's worth considering and testing. Content itself will be delivered as normal, from local servers. When accessing from North America or through an North American proxy, there will be no change in performance at all.

If you feel the slight delay is worth the benefit, you must configure every player that needs to access the IP restricted account from outside North America. You can make this change in Studio in the PLAYERS module. The following steps lead you through the configuration change:

Open the Players module and either create a new player or locate the player to which you wish to make the configuration change.
Click the link for the player to open the player's properties.
Click JSON Editor in the left navigation menu.
Locate the video_cloud section in the JSON, which will look similar to the following (there may be more or fewer name/value pairs):
```
"video_cloud": {
    "policy_key": "BCpkADaw...ndVx5X"
  },
```
After the last entry, add a comma, then the following name/value pair:
```
"base_url": "https://edge-elb.api.brightcove.com/playback/v1/"
```
The JSON Editor should appear similar to the following:
Save and publish the updated player.

The base_url setting should ONLY be used with IP restriction configuration.