Deploy janus-gateway server with SIP plugin inside Docker in AWS EC2

I am trying to deploy janus-gateway-server (built from the latest version of main) with a proxy service as a sidecar. The main idea is to hide janus-gateway-server from exposing all its REST endpoints to the outside world; the WebRTC clients can reach janus-gateway-server through my proxy for signalling, but for media I will have to expose the RTP ports anyway.

In janus.jcfg, I have restricted the port range for the WebRTC side for media.
In janus.sip.plugin.jcfg, I have restricted the port range for the SIP side for media.

I do not know what to do for the signalling ports? I did not find anything mentioned about it in the janus documentation.
I found a reply from @lorenzo saying that we cannot restrict the signalling port range: SIP Client port in INVITE message

  1. Then how can I add that in the security rules of the EC2 instance, so that these ports can be accessed by these WebRTC clients' CIDR range only?

Now comes the deployment part.
I tried using host network, and everything works fine. But I am skeptical about using host network.

Here is the docker-compose file for host-network- :white_check_mark: (This is working fine)

services:
  janus-gateway-server:
    container_name: janus-gateway-server
    build:
      context: ./janus-gateway-server
      dockerfile: Dockerfile-janus-gateway-server
    restart: always
    volumes:
      - janus-config:/opt/janus/etc/janus/
    network_mode: "host"
    command: ["/opt/janus/bin/janus"]
    depends_on:
      - janus-proxy-service

  janus-proxy-service:
    container_name: janus-proxy-service
    build:
      context: ./janus-proxy-service
      dockerfile: Dockerfile-janus-proxy
    restart: always
    environment:
      - JANUS_WS_URL=ws://localhost:8188
    network_mode: "host"

volumes:
  janus-config:

I wanted to work with a bridge network, but exposing the RTP ports causes janus-gateway-server to get stuck during startup indefinitely, even on an extra-large EC2 instance.

Here is the docker-compose file for bridge mode- :cross_mark:(Fails to even startup the container)

services:
  janus-gateway-server:
    container_name: janus-gateway-server
    build:
      context: ./janus-gateway-server
      dockerfile: Dockerfile-janus-gateway-server
    restart: always
    volumes:
      - janus-config:/opt/janus/etc/janus/
    networks:
      - janus-network
    command: ["/opt/janus/bin/janus"]
    depends_on:
      - janus-proxy-service
    ports:
      - "40000-45000:40000-45000/udp"

  janus-proxy-service:
    container_name: janus-proxy-service
    build:
      context: ./janus-proxy-service
      dockerfile: Dockerfile-janus-proxy
    restart: always
    environment:
      - JANUS_WS_URL=ws://janus-gateway-server:8188
    networks:
      - janus-network
    ports:
      - "8080:8080"

volumes:
  janus-config:

networks:
  janus-network:
    driver: bridge

  1. If I use bridge mode, how can I deploy it without getting stuck? Am I doing anything wrong here?
  2. Also do I need to set the nat_1_1 mapping?
  3. And do I need to turn this flag on in janus.plugin.sip.jcfg file?

	# Indicate if the server is behind NAT. If so, the server will use STUN
	# to guess its own public IP address and use it in the Contact header of
	# outgoing requests
	behind_nat = false

I went through Alessandro’s presentation: JanusCon - Alessandro Amirante - Janus & Docker: friends or foe?

He suggested to use docker’s macvlan network, I tried that, but it seems EC2 does not support it. None of my containers could talk to the internet and no one from the internet could reach my containers.

“Amazon EC2 networking doesn’t allow to use private ips in the containers through bridges or macvlan.”

Here is the docker-compose file for the macvlan networking- :cross_mark:(does not work)

services:
  janus-gateway-server:
    container_name: janus-gateway-server
    build:
      context: ./janus-gateway-server
      dockerfile: Dockerfile-janus-gateway-server
    restart: always
    volumes:
      - janus-config:/opt/janus/etc/janus/
    networks:
      janus_macvlan:
        ipv4_address: 12.0.2.100
    command: ["/opt/janus/bin/janus"]
    depends_on:
      - janus-proxy-service

  janus-proxy-service:
    container_name: janus-proxy-service
    build:
      context: ./janus-proxy-service
      dockerfile: Dockerfile-janus-proxy
    restart: always
    environment:
      - JANUS_WS_URL=ws://12.0.2.100:8188
    networks:
      janus_macvlan:
        ipv4_address: 12.0.2.101

volumes:
  janus-config:

networks:
  janus_macvlan:
    name: janus_macvlan
    driver: macvlan
    driver_opts:
      parent: enX0
      promisc: "true"
    ipam:
      config:
        - subnet: 12.0.2.0/24
          gateway: 12.0.2.1


I am stuck currently. If anyone is using docker to deploy janus-gateway-server, please help me. What is the correct way to deploy janus-gateway-server in EC2? Or any service where we need to expose a lot of ports?
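
For the first question in the post above (limiting the media ports to the WebRTC clients' CIDR ranges), the following is an added example, not code from this thread or from the Janus project: it reads the `rtp_port_range` values from the two config files and builds the UDP ingress entries in the JSON shape that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts. The port ranges, client networks and function names are assumptions, and it covers the media ports only, not the SIP signalling ports.

```python
import ipaddress
import json
import re

# Constructed sample settings (assumed values, not taken from the thread).
JANUS_JCFG = 'media: {\n\trtp_port_range = "40000-45000"\n}\n'
SIP_JCFG = 'general: {\n\trtp_port_range = "45001-46000"\n\tbehind_nat = false\n}\n'
CLIENT_CIDRS = ["203.0.113.0/24", "198.51.100.16/28"]  # documentation ranges

def rtp_range(cfg_text):
    """Return (low, high) from an uncommented rtp_port_range line."""
    m = re.search(r'^\s*rtp_port_range\s*=\s*"(\d+)-(\d+)"', cfg_text, re.M)
    if not m:
        raise ValueError("rtp_port_range is not set, media ports are unbounded")
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {lo}-{hi}")
    return lo, hi

def merge(ranges):
    """Merge overlapping or adjacent port ranges so fewer rules are needed."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def ingress_permissions(ranges, cidrs):
    """Build UDP ingress entries limited to the given IPv4 client networks."""
    nets = []
    for c in cidrs:
        net = ipaddress.IPv4Network(c, strict=True)  # rejects host bits set
        if net.prefixlen == 0:
            raise ValueError(f"{c} opens the media ports to everyone")
        nets.append(str(net))
    return [{"IpProtocol": "udp", "FromPort": lo, "ToPort": hi,
             "IpRanges": [{"CidrIp": n, "Description": "Janus RTP"} for n in nets]}
            for lo, hi in merge(ranges)]

def build_json():
    ranges = [rtp_range(JANUS_JCFG), rtp_range(SIP_JCFG)]
    return json.dumps(ingress_permissions(ranges, CLIENT_CIDRS), indent=2)

if __name__ == "__main__":
    print(build_json())
```

The two adjacent ranges collapse into a single 40000-46000 entry, and a `0.0.0.0/0` source or a commented-out `rtp_port_range` raises an error before any rule is produced.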

Try this? GitHub - wangsrGit119/janus-webrtc-gateway-docker: Docker image for the Janus WebRTC Server; Janus Docker container image

Thanks for the reply, but the Dockerfile is not a problem for me. As I have mentioned, with host network it's working fine. But then with this in a single EC2 we have to go with a single janus server, or else it would be very difficult to manage the ports. And if we go with a single janus server per EC2, we might not be fully using all the power of the host machine.

And macvlan works on on-prem solutions; most cloud providers block it.
Bridge networking takes a huge amount of time because it has to expose and map a lot of ports.

So I wanted to get some idea of how people have done this. Which is the correct way to deploy this in production?

Ricardo,
I’m having a similar issue. Have you made any progress on this?


Hi @maaark, I went ahead with host network, and used stunner in front of janus. Stunner (TURN server) multiplexes everything into a single port, which I am exposing in the NLB. From stunner to janus it's communicating internally.