--- title: Media & OTT Streaming on AWS (2026): Live vs VOD Architecture, Egress Math, and When IVS Beats Elemental description: On a composite mid-market OTT platform (~180k concurrent live peak, ~12 TB/month VOD catalog), routing Saturday-night live through MediaConvert batch queues added ~$4,200/mo in idle transcode capacity before switching live to IVS and keeping MediaConvert for catalog only. CloudFront egress still dominates steady-state — model it before you buy encoders. url: https://www.factualminds.com/blog/aws-media-ott-streaming-architecture-live-vod-2026/ datePublished: 2026-06-25T00:00:00.000Z dateModified: 2026-06-25T00:00:00.000Z author: palaniappan-p category: Cloud Architecture tags: aws, amazon-cloudfront, aws-elemental, amazon-ivs, media-streaming, ott, cost-optimization --- # Media & OTT Streaming on AWS (2026): Live vs VOD Architecture, Egress Math, and When IVS Beats Elemental > On a composite mid-market OTT platform (~180k concurrent live peak, ~12 TB/month VOD catalog), routing Saturday-night live through MediaConvert batch queues added ~$4,200/mo in idle transcode capacity before switching live to IVS and keeping MediaConvert for catalog only. CloudFront egress still dominates steady-state — model it before you buy encoders. **AWS discontinued Amazon Elastic Transcoder on November 13, 2025** — new video workloads belong on **AWS Elemental MediaConvert** (batch VOD) and either **Amazon IVS** (interactive live) or **MediaLive** (broadcast live). That deadline matters because many OTT runbooks still describe a single “transcode service” for everything. Live and catalog are different jobs; billing proves it fast. This post is the **video pipeline** layer — not [e-commerce peak traffic](/blog/aws-retail-architecture-black-friday-peak-traffic/) (HTTP cart scaling), not [Kinesis vs MSK](/blog/amazon-kinesis-data-streams-vs-msk-which-streaming-platform/) (event streaming analytics), and not [CloudFront vs Cloudflare](/blog/aws-cloudfront-vs-cloudflare-which-cdn-for-your-enterprise/) (CDN vendor comparison). We ship a [live vs VOD decision matrix](https://www.factualminds.com/examples/architecture-blog-2026/media-ott/live-vs-vod-decision-matrix.md), [egress cost model CSV](https://www.factualminds.com/examples/architecture-blog-2026/media-ott/egress-cost-model.csv), and [DRM packaging checklist](https://www.factualminds.com/examples/architecture-blog-2026/media-ott/drm-packaging-checklist.md). > **Benchmark pattern (not a cited client)** — Composite mid-market OTT, **~12 TB** VOD catalog on S3 Standard, **~180k** concurrent live peak on flagship sports Saturdays, **~40 live hours/month**, primary Region **us-east-1**, viewers **70% Americas / 30% EU**. Prior architecture sent **all** live and VOD through MediaConvert Basic tier. After splitting live to **IVS** and enabling **Origin Shield** on the catalog origin: MediaConvert spend fell **~$4,200/mo → ~$504/mo** (catalog-only output minutes); CloudFront egress remained the largest line (~**$1.8k/mo** modeled at ~22 TB delivered). p95 live glass-to-glass latency improved **~38s → under 5s** for the interactive app. ## Four jobs — four mechanisms | Job | Mechanism | Wrong default | | ----------------------------- | ------------------------------------ | ------------------------------------- | | Interactive live | **Amazon IVS** (low-latency) | MediaConvert batch for Saturday night | | Broadcast / ad-insertion live | **MediaLive** + **MediaPackage** | IVS when you need SCTE-35 | | VOD catalog | **MediaConvert** → S3 → package | Re-transcode live capture nightly | | Global delivery | **CloudFront** (+ **Origin Shield**) | S3 website endpoint to viewers | **Opinionated take:** **IVS for interactive live; MediaLive for broadcast live; MediaConvert for catalog only.** Syndication always terminates at CloudFront — [price egress before codecs](/blog/amazon-cloudfront-pricing-regional-tiers-requests-security/). ## Live path: IVS vs MediaLive **Amazon IVS** targets **sub-5-second** glass-to-glass for interactive experiences (AWS documents under 5 seconds for low-latency channels). Ingest is **RTMP, RTMPS, or SRT**; playback uses the IVS player SDK or HLS playback URL. Operational surface is small — channels, stream keys, recording configurations — which is why product teams ship faster than on MediaLive. **MediaLive** is the broadcast path: multi-input channels, redundant pipelines, **SCTE-35** ad markers, and handoff to **MediaPackage** for live HLS/DASH with DRM. Choose it when your operations team already runs professional encoders and ad insertion — not when you only need a creator webcam and chat. **IVS Real-Time** (stages) targets **sub-300ms** participant latency for co-watch and auctions. It is not a replacement for 24/7 linear — bill participant-hours deliberately. ## VOD path: MediaConvert and packaging MediaConvert bills **normalized output minutes** with Basic vs Professional tiers (Professional for HEVC, AV1, multi-pass, DRM). Volume discounts apply per Region. Typical catalog flow: 1. Mezzanine uploads land in **S3** (or arrive from MAM export). 2. **MediaConvert** job templates emit HLS/DASH renditions to a published bucket. 3. Optional **MediaPackage** packaging group for SPEKE DRM and consistent manifests. 4. **CloudFront** distribution with separate cache behaviors for manifests (short TTL) and segments (long TTL). Context for a one-off probe — AWS CLI 2.x, `us-east-1`: ```bash aws mediaconvert describe-endpoints --region us-east-1 aws mediaconvert list-jobs --max-results 5 --endpoint-url ``` ## Egress math (where OTT budgets actually go) Once catalog encoding is amortized, **data transfer out via CloudFront** dominates. The [egress CSV](https://www.factualminds.com/examples/architecture-blog-2026/media-ott/egress-cost-model.csv) models: - Catalog-only replay factor (~1.3× catalog TB/month as delivered egress) - **Origin Shield** incremental cost vs duplicate origin fetches - **Failure row**: live misrouted through MediaConvert (output minutes explode) Pair with [data transfer traps](/blog/aws-data-transfer-costs-startups/) when origin and analytics buckets sit in different Regions — video origins are not exempt from cross-Region charges on admin traffic. > **What broke** — Opening weekend for a licensed sports package. Operations triggered the **same MediaConvert queue** used for nightly catalog refreshes to process live capture files “until IVS was ready.” Queue depth hit **11 hours** at peak; viewers saw **45–90s** latency; monthly MediaConvert line **~$17.5k** vs **~$700** baseline. Detection: Cost Explorer `MediaConvert` dimension spike + IVS channel idle in CloudWatch. Fix: **IVS ingest for live**, MediaConvert reserved for S3-triggered catalog jobs only; added EventBridge rule guard so live S3 prefixes cannot enqueue batch jobs during event windows. ## DRM and multi-CDN cautions Premium catalogs need **MediaPackage SPEKE** with KMS-backed keys — see the [DRM checklist](https://www.factualminds.com/examples/architecture-blog-2026/media-ott/drm-packaging-checklist.md). Multi-CDN contracts fail when **two CDNs pull the same MediaPackage origin** without Origin Shield — you pay duplicate origin egress and risk cache inconsistency on hot titles. ## What to do this week 1. Split **live** and **VOD** IAM and queue boundaries — no shared MediaConvert queue. 2. Model **CloudFront egress** from last month’s top three titles using the CSV artifact. 3. Pilot **IVS** for one interactive stream; keep MediaConvert for catalog-only. 4. Enable **Origin Shield** on the catalog origin if global POPs hammer S3 during premieres. 5. Run DRM checklist on staging players (iOS + Android) before subscription launch. ## What this post doesn't cover - **Studio MAM, IMF, and on-prem playout** — ingest starts after MAM export. - **Full legal review** of content licensing territories — geo blocks on CloudFront are mentioned, not law advice. - **Amazon Kinesis / analytics on viewing events** — see [Kinesis decision guide](/blog/amazon-kinesis-data-streams-vs-msk-which-streaming-platform/). - **Retail e-commerce peak scaling** — [retail architecture](/blog/aws-retail-architecture-black-friday-peak-traffic/). **Related:** [CloudFront pricing](/blog/amazon-cloudfront-pricing-regional-tiers-requests-security/) · [Data transfer costs](/blog/aws-data-transfer-costs-startups/) · [Architecture review services](/services/aws-architecture-review/) ## FAQ ### When should we use Amazon IVS instead of AWS Elemental MediaLive? Choose Amazon IVS for interactive live experiences that need sub-5-second glass-to-glass latency — creator streams, live shopping, sports companion apps, and chat-heavy events. IVS ingests RTMP, RTMPS, or SRT and delivers through AWS-managed low-latency infrastructure built on the same core technology as Twitch. Choose MediaLive when you need broadcast-grade features: multi-rendition HLS/DASH with SCTE-35 ad insertion, professional contribution workflows, or tight integration with MediaPackage for live DRM. IVS is the default for net-new interactive products; MediaLive is the default when your operations team already speaks broadcast. ### When should we NOT move our OTT stack to AWS Elemental? Skip a full Elemental rebuild when you have a sunk-cost third-party packager (Bitmovin, Harmonic, etc.) that your operators already run — AWS can still be S3 origin plus CloudFront delivery. Do not replace a studio MAM with Glue jobs; ingest after MAM export. If primary distribution is YouTube or TikTok ingest APIs, AWS is your owned-app CDN, not the social platform pipe. Internal town halls under 500 viewers rarely justify MediaLive cluster cost — IVS or Chime SDK is simpler. ### What breaks when live events are routed through VOD transcode? Batch MediaConvert jobs are sized for catalog refresh, not spike live ingest. A live sports window routed through the same queue as catalog episodes creates queue depth, stale segments, and bill shock — you pay output minutes for renditions that should be real-time. Symptoms: viewers see 30–90 second latency, manifest gaps during peak, and MediaConvert line items 5–10× normal on event nights. Fix: split pipelines — IVS or MediaLive for live; MediaConvert on S3 events for VOD only. ### How does CloudFront Origin Shield help OTT catalogs? Origin Shield adds a centralized caching layer in the AWS Region closest to your origin (S3 or MediaPackage). Without it, each CloudFront regional edge cache may fetch the same hot object independently, multiplying origin egress and MediaPackage origin load during global premiere weekends. Origin Shield incurs additional per-request and data-processing charges but often pays back when a single title fans out across dozens of POPs. Enable it per origin after measuring cache hit ratio — not on day one before you have traffic shape. ### Does IVS Real-Time replace MediaLive for linear channels? No. IVS Real-Time targets sub-300ms participant-to-participant latency for stages, co-watch, and auctions — not 24/7 linear broadcast with ad markers. Real-Time bills on participant connection duration and message volume; operating it like a linear channel without audience caps is a cost trap. Use Real-Time when interactivity is the product; use MediaLive plus MediaPackage for traditional linear. ### What could go wrong during DRM go-live? FairPlay playback fails while web works — certificate or SKD URL mismatch. All clients get manifest 403 — CloudFront origin access control not aligned with MediaPackage. License server retry storms after key rotation — players hammer expired keys. Run the DRM packaging checklist artifact in staging with reference iOS and Android players before prod cutover. --- *Source: https://www.factualminds.com/blog/aws-media-ott-streaming-architecture-live-vod-2026/*