IP Security For Broadcasters: Part 10 - NATS Advanced Messaging

As IT and broadcast infrastructures become ever more complex, the need to securely exchange data is becoming more challenging. NATS messaging is designed to simplify collaboration between often diverse software applications.


All 12 articles in this series are available in our free 82 page eBook ‘IP Security For Broadcasters’ – download it HERE.

Articles in this series:


In this context, the acronym NATS stands for Neural Autonomic Transport System, as the structure of the messaging platform is said to function like a central nervous system. It’s important to note that this is a completely different solution than the NAT (network address translation) systems for IP addresses. It solves an entirely different problem.

Moving to virtualized environments and datacenters requires broadcasters to think completely differently about their infrastructures. To achieve the flexibility, scalability, and resilience that cloud computing promises, whether public or private, requires software to be written with virtualization in mind from the outset, not as an afterthought.

Virtualization has led to the development of software disciplines such as microservices working in containers. This is a complete change from the huge monolithic code base of previous years where scalability often relied on supplying ever larger servers. The beauty of microservices is that they can be deployed horizontally, that is, more servers of moderate power are deployed as opposed to a few huge servers, thus simplifying scalability.

Microservice Communications

For monolithic code, functions resided within the same compilation so exchanging data between them was relatively straightforward. However, as we move more to microservices and the philosophy of thinking they promote, programs must now communicate with each other outside of their codebase and often on entirely different domains. In essence, each microservice works in isolation but must still communicate with its counterparts.

One messaging solution is to use REST API communications. These are software interfaces that use HTTP messages such as GET and POST to exchange data. Although this is a well-proven technology and is used extensively, it tends to have limitations for scaling. For example, a resource-monitoring microservice may be requesting monitoring data from a single transcoder every second. This is easily achievable with REST APIs. If the number of transcoder-microservice instances increases to one hundred, or a thousand, however, then REST APIs start to show their limitations, especially in public cloud infrastructures where costs are predicated on the number of HTTP requests.

NATS messaging solves this type of scenario by using an advanced type of messaging system based on the client server model. It’s open source, scales well, and provides secure channels with the option of user client authentication.

Simple Messaging

In its simplest deployment, a NATS system will consist of two clients and a NATS server. A client will publish messages, and other clients known as subscribers will listen and opt in to receive them. This gives the potential of one-to-many broadcast type messaging, as well as querying. 

Figure 1 – NATS servers can be configured to provide scalability and resilience using virtualized servers that operate independently of the underlying network and infrastructure.

Figure 1 – NATS servers can be configured to provide scalability and resilience using virtualized servers that operate independently of the underlying network and infrastructure.

In the transcoder-microservice example, the monitoring service will publish a request-monitoring-data message to the NATS server which will in turn broadcast the message to the clients subscribing to this service (part of the configuration of the transcoding service will be to enable it to listen for monitoring broadcasts). On receiving them, the transcoders will each send their monitoring data back to the monitoring service via the NATS server.

Messages may also be point-to-point or many-to-one, as used when sending the transcoder monitoring data back to the monitoring microservice. But key to this deployment is the ability to both secure the communication channel and scale the system using the distributed resource mindset.

Message Scaling And Resilience

NATS is a middleware deployment, that is, it is independent of the underlying hardware infrastructure. This is particularly useful when scaling systems: new NATS servers can be easily deployed within a virtualized environment as it is lightweight and compact in terms of its resource utilization (see figure 1).

To improve resilience and scalability, NATS servers are clustered to provide main and backup systems as well as extra resource. A cluster of three NATS servers could be configured to provide one main NATS server and two backup servers, or three servers each acting as a client connection, or a combination of these.

Also, several clusters of NATS servers could be connected but geographically dispersed. For example, three clusters could be configured, one in Europe, one in US West Coast and one in US East Coast. Not only does this method provide local redundancy, it also provides scalable resources using virtualized servers that can be spun up and down at will.

It’s important to note that the NATS system is a message exchange method and not necessarily designed to shift large amounts of video and audio data. It is possible to achieve this, but a far better use of resources is for the microservice to read and write the media data directly to and from the storage servers. The relevant messages will be exchanged between the software applications connected to the NATS servers to provide location information for the media storage.

Keeping Messages Secure

Security is at the core of NATS and message connections can be encrypted with TLS. Also, client connections can be authenticated in several ways including Token Authentication, username/password credentials and TLS certification.

Authorization tokens are the equivalent of a stamped ticket to an event and are created when a user verifies their credentials. Once this is done, the token is used to access servers, storage, applications, and APIs thus freeing the user from logging in each time they need to access a particular service.

A centralized administration resource creates unique tokens based on a user’s login credentials with the appropriate read/write access. This is particularly useful for services exchanging messages between APIs as the token is sent with the message, allowing the receiving service to verify the request and provide the appropriate access.

NATS advanced messaging has been developed to simultaneously solve the challenges of allowing software applications to securely exchange messages while achieving scalability, flexibility, and resilience.

Part of a series supported by

You might also like...

HDR & WCG For Broadcast: Part 3 - Achieving Simultaneous HDR-SDR Workflows

Welcome to Part 3 of ‘HDR & WCG For Broadcast’ - a major 10 article exploration of the science and practical applications of all aspects of High Dynamic Range and Wide Color Gamut for broadcast production. Part 3 discusses the creative challenges of HDR…

IP Security For Broadcasters: Part 4 - MACsec Explained

IPsec and VPN provide much improved security over untrusted networks such as the internet. However, security may need to improve within a local area network, and to achieve this we have MACsec in our arsenal of security solutions.

Standards: Part 23 - Media Types Vs MIME Types

Media Types describe the container and content format when delivering media over a network. Historically they were described as MIME Types.

Building Software Defined Infrastructure: Part 1 - System Topologies

Welcome to Part 1 of Building Software Defined Infrastructure - a new multi-part content collection from Tony Orme. This series is for broadcast engineering & IT teams seeking to deepen their technical understanding of the microservices based IT technologies that are…

IP Security For Broadcasters: Part 3 - IPsec Explained

One of the great advantages of the internet is that it relies on open standards that promote routing of IP packets between multiple networks. But this provides many challenges when considering security. The good news is that we have solutions…