

# Multicast in AWS Transit Gateway

Multicast is a communication protocol used for delivering a single stream of data to multiple receiving computers simultaneously. Transit Gateway supports routing multicast traffic between subnets of attached VPCs, and it serves as a multicast router for instances sending traffic destined for multiple receiving instances. 

**Topics**
+ [Multicast concepts](#concepts)
+ [Considerations](#limits)
+ [Multicast routing](#how-multicast-works)
+ [Multicast domains](multicast-domains-about.md)
+ [Shared multicast domains](multicast-share-domain.md)
+ [Register sources with a multicast group](add-source-multicast-group.md)
+ [Register members with a multicast group](add-members-multicast-group.md)
+ [Deregister sources from a multicast group](remove-source-multicast-group.md)
+ [Deregister members from a multicast group](remove-members-multicast-group.md)
+ [View multicast groups](view-multicast-group.md)
+ [Set up multicast for Windows Server](multicastwin.md)
+ [Example: Manage IGMP configurations](multicast-configurations-igmp.md)
+ [Example: Manage static source configurations](multicast-configurations-no-igmp.md)
+ [Example: Manage static group member configurations](multicast-configurations-no-igmp-source.md)

## Multicast concepts


The following are the key concepts for multicast:
+ **Multicast domain** — Allows segmentation of a multicast network into different domains, and makes the transit gateway act as multiple multicast routers. You define multicast domain membership at the subnet level. 
+ **Multicast group** — Identifies a set of hosts that will send and receive the same multicast traffic. A multicast group is identified by a group IP address. Multicast group membership is defined by individual elastic network interfaces attached to EC2 instances.
+ **Internet Group Management Protocol (IGMP)** — An internet protocol that allows hosts and routers to dynamically manage multicast group membership. An IGMP multicast domain contains hosts that use the IGMP protocol to join, leave, and send messages. AWS supports the IGMPv2 protocol and both IGMP and static (API-based) group membership multicast domains.
+ **Multicast source** — An elastic network interface associated with a supported EC2 instance that is statically configured to send multicast traffic. A multicast source only applies to static source configurations. 

  A static source multicast domain contains hosts that do not use the IGMP protocol to join, leave, and send messages. You use the AWS CLI to add a source and group members. The statically-added source sends multicast traffic and the members receive multicast traffic.
+ **Multicast group member** — An elastic network interface associated with a supported EC2 instance that receives multicast traffic. A multicast group has multiple group members. In a static source group membership configuration, multicast group members can only receive traffic. In an IGMP group configuration, members can both send and receive traffic. 

## Considerations

+ Transit gateway multicast may not be suitable for high-frequency trading or performance-sensitive applications. We strongly recommend that you review the [Multicast quotas](transit-gateway-quotas.md#multicast-quotas) for the limits. Contact your account or Solution Architect team for a detailed review of your performance requirements.
+ For information about supported Regions, see [AWS Transit Gateway FAQs](https://aws.amazon.com/transit-gateway/faqs/).
+ You must create a new transit gateway to support multicast.
+ Multicast group membership is managed using the Amazon Virtual Private Cloud console, the AWS CLI, or IGMP.
+ A subnet can only be in one multicast domain. 
+ If you use a non-Nitro instance, you must disable the **Source/Dest** checkbox. For information about disabling the check, see [Changing the source or destination checking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#change_source_dest_check) in the *Amazon EC2 User Guide*.
+ A non-Nitro instance cannot be a multicast sender.
+ Multicast routing is not supported over Direct Connect, Site-to-Site VPN, peering attachments, or transit gateway Connect attachments.
+ A transit gateway does not support fragmentation of multicast packets. Fragmented multicast packets are dropped. For more information, see [Maximum transmission unit (MTU)](transit-gateway-quotas.md#mtu-quotas).
+ At startup, an IGMP host sends multiple IGMP JOIN messages to join a multicast group (typically 2 to 3 retries). In the unlikely event that all the IGMP JOIN messages get lost, the host will not become part of the transit gateway multicast group. In such a scenario, you will need to re-trigger the IGMP JOIN message from the host using application-specific methods.
+ A group membership starts with the receipt of an IGMPv2 JOIN message by the transit gateway and ends with the receipt of the IGMPv2 LEAVE message. The transit gateway keeps track of hosts that successfully joined the group. As a cloud multicast router, the transit gateway issues an IGMPv2 QUERY message to all members every two minutes. Each member sends an IGMPv2 JOIN message in response, which is how the members renew their membership. If a member fails to reply to three consecutive queries, the transit gateway removes this membership from all joined groups. However, it continues sending queries to this member for 12 hours before permanently removing the member from its to-be-queried list. An explicit IGMPv2 LEAVE message immediately and permanently removes the host from any further multicast processing.
+ The transit gateway keeps track of hosts that successfully joined the group. In the event of a transit gateway outage, the transit gateway continues to send multicast data to the host for seven minutes (420 seconds) after the last successful IGMP JOIN message. The transit gateway continues to send membership queries to the host for up to 12 hours or until it receives an IGMP LEAVE message from the host.
+ The transit gateway sends membership query packets to all the IGMP members so that it can track multicast group membership. The source IP of these IGMP query packets is 0.0.0.0/32, the destination IP is 224.0.0.1/32, and the protocol is 2. Your security group configuration on the IGMP hosts (instances) and any network ACL configuration on the host subnets must allow these IGMP protocol messages.
+ When the multicast source and destination are in the same VPC, you cannot use security group referencing to set the destination security group to accept traffic from the source's security group.
+ For static multicast groups and sources, AWS Transit Gateway automatically removes static groups and sources for ENIs that no longer exist. This is performed by periodically assuming the [Transit Gateway service-linked role](service-linked-roles.md#tgw-service-linked-roles) to describe ENIs in the account.
+ Only static multicast supports IPv6. Dynamic multicast does not. 

## Multicast routing

When you enable multicast on a transit gateway, it acts as a multicast router. When you add a subnet to a multicast domain, we send all multicast traffic to the transit gateway that is associated with that multicast domain.

### Network ACLs


Network ACL rules operate at the subnet level. They apply to multicast traffic, because transit gateways reside outside of the subnet. For more information, see [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) in the *Amazon VPC User Guide*.

For Internet Group Management Protocol (IGMP) multicast traffic, the following are the minimum inbound rules. The remote host is the host sending the multicast traffic.


| Type | Protocol | Source | Description | 
| --- | --- | --- | --- | 
| Custom Protocol | IGMP(2) | 0.0.0.0/32 | IGMP query  | 
| Custom UDP Protocol | UDP | Remote host IP address | Inbound multicast traffic | 

The following are the minimum outbound rules for IGMP.


| Type | Protocol | Destination | Description | 
| --- | --- | --- | --- | 
| Custom Protocol | IGMP(2) | 224.0.0.2/32 | IGMP leave | 
| Custom Protocol | IGMP(2) | Multicast group IP address | IGMP join | 
| Custom UDP Protocol | UDP | Multicast group IP address | Outbound multicast traffic | 

### Security groups


Security group rules operate at the instance level. They can be applied to both inbound and outbound multicast traffic. The behavior is the same as with unicast traffic. For all group member instances, you must allow inbound traffic from the group source. For more information, see [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in the *Amazon VPC User Guide*.

For IGMP multicast traffic, you must have the following inbound rules at a minimum. The remote host is the host sending the multicast traffic. You can't specify a security group as the source of the UDP inbound rule.


| Type | Protocol | Source | Description | 
| --- | --- | --- | --- | 
| Custom Protocol | 2 | 0.0.0.0/32 | IGMP query  | 
| Custom UDP Protocol | UDP | Remote host IP address | Inbound multicast traffic | 

For IGMP multicast traffic, you must have the following outbound rules at a minimum.


| Type | Protocol | Destination | Description | 
| --- | --- | --- | --- | 
| Custom Protocol | 2 | 224.0.0.2/32 | IGMP leave | 
| Custom Protocol | 2 | Multicast group IP address | IGMP join | 
| Custom UDP Protocol | UDP | Multicast group IP address | Outbound multicast traffic | 
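
A check for the minimum security group rules in the tables above, as an added example that is not part of the AWS documentation: it reads security group JSON in the shape returned by `aws ec2 describe-security-groups` and reports which required rows are missing. The sample groups, IP addresses, and UDP port are constructed, and the function and variable names are this example's own. Rules that reference a security group are deliberately not counted, matching the restriction on the UDP inbound rule.

```python
import ipaddress

IGMP = "2"  # IP protocol number for IGMP, as listed in the tables above


def _covers(perm, protocol, target_cidr, port=None):
    """Return True if one permission entry allows `protocol` for `target_cidr`."""
    proto = perm.get("IpProtocol")
    if proto not in (protocol, "-1"):  # "-1" means all protocols
        return False
    if port is not None and proto != "-1":
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None or not (lo <= port <= hi):
            return False
    target = ipaddress.ip_network(target_cidr)
    # Only CIDR ranges count. UserIdGroupPairs (security group references)
    # are ignored on purpose: they cannot be used for multicast traffic.
    for rng in perm.get("IpRanges", []):
        if target.subnet_of(ipaddress.ip_network(rng["CidrIp"], strict=False)):
            return True
    return False


def missing_igmp_rules(group, source_ip, group_ip, udp_port):
    """List the descriptions of the minimum rules that `group` does not allow."""
    required = [
        ("inbound", IGMP, "0.0.0.0/32", None, "IGMP query"),
        ("inbound", "udp", f"{source_ip}/32", udp_port, "Inbound multicast traffic"),
        ("outbound", IGMP, "224.0.0.2/32", None, "IGMP leave"),
        ("outbound", IGMP, f"{group_ip}/32", None, "IGMP join"),
        ("outbound", "udp", f"{group_ip}/32", udp_port, "Outbound multicast traffic"),
    ]
    perms = {
        "inbound": group.get("IpPermissions", []),
        "outbound": group.get("IpPermissionsEgress", []),
    }
    return [
        desc
        for direction, proto, cidr, port, desc in required
        if not any(_covers(p, proto, cidr, port) for p in perms[direction])
    ]


# Constructed sample: explicit inbound rules, default allow-all egress.
GROUP_OPEN_EGRESS = {
    "GroupId": "sg-EXAMPLE1",
    "IpPermissions": [
        {"IpProtocol": "2", "IpRanges": [{"CidrIp": "0.0.0.0/32"}]},
        {"IpProtocol": "udp", "FromPort": 5001, "ToPort": 5001,
         "IpRanges": [{"CidrIp": "10.0.1.25/32"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: IGMP allowed only from the VPC range, UDP allowed by
# security group reference, and egress restricted to the IGMP join only.
GROUP_SG_REFERENCE = {
    "GroupId": "sg-EXAMPLE2",
    "IpPermissions": [
        {"IpProtocol": "2", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "udp", "FromPort": 5001, "ToPort": 5001, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE3"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "2", "IpRanges": [{"CidrIp": "239.1.1.1/32"}]},
    ],
}

if __name__ == "__main__":
    for sg in (GROUP_OPEN_EGRESS, GROUP_SG_REFERENCE):
        gaps = missing_igmp_rules(sg, "10.0.1.25", "239.1.1.1", 5001)
        print(sg["GroupId"], "missing:", gaps or "none")
```

The same function can be pointed at a network ACL only after adapting it to the network ACL entry format, which uses numbered allow and deny entries rather than permission lists.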

# Multicast domains in AWS Transit Gateway

A multicast domain allows segmentation of a multicast network into different domains. To begin using multicast with a transit gateway, create a multicast domain, and then associate subnets with the domain.

## Multicast domain attributes


The following table details the multicast domain attributes. You cannot enable both attributes at the same time.


| Attribute | Description | 
| --- | --- | 
|  Igmpv2Support (AWS CLI) **IGMPv2 support** (console)  |  This attribute determines how group members join or leave a multicast group. When this attribute is disabled, you must add the group members to the domain manually. Enable this attribute if at least one member uses the IGMP protocol. Members join the multicast group in one of the following ways: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc/latest/tgw/multicast-domains-about.html) If you register multicast group members, you must deregister them, too. The transit gateway ignores an IGMP `LEAVE` message sent by a manually added group member.  | 
| StaticSourcesSupport (AWS CLI) **Static sources support** (console) |  This attribute determines whether there are static multicast sources for the group. When this attribute is enabled, you must add sources for a multicast domain using [register-transit-gateway-multicast-group-sources](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-transit-gateway-multicast-group-sources.html). Only multicast sources can send multicast traffic. When this attribute is disabled, there are no designated multicast sources. Any instances that are in subnets associated with the multicast domain can send multicast traffic, and the group members receive the multicast traffic.  | 

# Create an IGMP multicast domain in AWS Transit Gateway

If you have not already done so, review the available multicast domain attributes. For more information, see [Multicast domains in AWS Transit Gateway](multicast-domains-about.md).

**To create an IGMP multicast domain using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Choose **Create transit gateway multicast domain**.

1. For **Name tag**, enter a name for the domain.

1. For **Transit gateway ID**, choose the transit gateway that processes the multicast traffic.

1. For **IGMPv2 support**, select the checkbox.

1. For **Static sources support**, clear the checkbox.

1. To automatically accept cross-account subnet associations for this multicast domain, select **Auto accept shared associations**.

1. Choose **Create transit gateway multicast domain**.

**To create an IGMP multicast domain using the AWS CLI**  
Use the [create-transit-gateway-multicast-domain](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-transit-gateway-multicast-domain.html) command.

```
aws ec2 create-transit-gateway-multicast-domain --transit-gateway-id tgw-0xexampleid12345 --options StaticSourcesSupport=disable,Igmpv2Support=enable
```

# Create a static source multicast domain in AWS Transit Gateway

If you have not already done so, review the available multicast domain attributes. For more information, see [Multicast domains in AWS Transit Gateway](multicast-domains-about.md).

**To create a static multicast domain using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Choose **Create transit gateway multicast domain**.

1. For **Name tag**, enter a name to identify the domain.

1. For **Transit gateway ID**, choose the transit gateway that processes the multicast traffic.

1. For **IGMPv2 support**, clear the checkbox.

1. For **Static sources support**, select the checkbox.

1. To automatically accept cross-account subnet associations for this multicast domain, select **Auto accept shared associations**.

1. Choose **Create transit gateway multicast domain**.

**To create a static multicast domain using the AWS CLI**  
Use the [create-transit-gateway-multicast-domain](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-transit-gateway-multicast-domain.html) command.

```
aws ec2 create-transit-gateway-multicast-domain --transit-gateway-id tgw-0xexampleid12345 --options StaticSourcesSupport=enable,Igmpv2Support=disable
```

# Associating VPC attachments and subnets with a multicast domain in AWS Transit Gateway

Use the following procedure to associate a VPC attachment with a multicast domain. When you create an association, you can then select the subnets to include in the multicast domain. 

Before you begin, you must create a VPC attachment on your transit gateway. For more information, see [Amazon VPC attachments in AWS Transit Gateway](tgw-vpc-attachments.md).

**To associate VPC attachments with a multicast domain using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain, and then choose **Actions**, **Create association**.

1. For **Choose attachment to associate**, select the transit gateway attachment.

1. For **Choose subnets to associate**, select the subnets to include in the multicast domain.

1. Choose **Create association**.

**To associate VPC attachments with a multicast domain using the AWS CLI**  
Use the [associate-transit-gateway-multicast-domain](https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-transit-gateway-multicast-domain.html) command.

# Disassociate a subnet from a multicast domain in AWS Transit Gateway

Use the following procedure to disassociate subnets from a multicast domain.

**To disassociate subnets using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain.

1. Choose the **Associations** tab.

1. Select the subnet, and then choose **Actions**, **Delete association**.

**To disassociate subnets using the AWS CLI**  
Use the [disassociate-transit-gateway-multicast-domain](https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-transit-gateway-multicast-domain.html) command.

# View multicast domain associations in AWS Transit Gateway

View your multicast domains to verify that they are available, and that they contain the appropriate subnets and attachments.

**To view a multicast domain using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain.

1. Choose the **Associations** tab.

**To view a multicast domain using the AWS CLI**  
Use the [describe-transit-gateway-multicast-domains](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-transit-gateway-multicast-domains.html) command.

# Add tags to a multicast domain in AWS Transit Gateway

Add tags to your resources to help organize and identify them, such as by purpose, owner, or environment. You can add multiple tags to each multicast domain. Tag keys must be unique for each multicast domain. If you add a tag with a key that is already associated with the multicast domain, it updates the value of that tag. For more information, see [Tagging your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

**To add tags to a multicast domain using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain.

1. Choose **Actions**, **Manage tags**.

1. For each tag, choose **Add new tag** and enter a **Key** and **Value** for the tag.

1. Choose **Save**.

**To add tags to a multicast domain using the AWS CLI**  
Use the [create-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html) command.

# Delete a multicast domain in AWS Transit Gateway

Use the following procedure to delete a multicast domain.

**To delete a multicast domain using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain, and then choose **Actions**, **Delete multicast domain**.

1. When prompted for confirmation, enter **delete** and then choose **Delete**.

**To delete a multicast domain using the AWS CLI**  
Use the [delete-transit-gateway-multicast-domain](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-transit-gateway-multicast-domain.html) command.

# Shared multicast domains in AWS Transit Gateway

With multicast domain sharing, multicast domain owners can share the domain with other AWS accounts inside their organization or across organizations in AWS Organizations. As the multicast domain owner, you can create and manage the multicast domain centrally. Once the domain is shared, those accounts can perform the following operations on the shared multicast domain:
+ Register and deregister group members or group sources in the multicast domain
+ Associate a subnet with the multicast domain, and disassociate subnets from the multicast domain

A multicast domain owner can share a multicast domain with:
+ AWS accounts inside its organization or across organizations in AWS Organizations
+ An organizational unit inside its organization in AWS Organizations
+ Its entire organization in AWS Organizations
+ AWS accounts outside of AWS Organizations. 

  To share a multicast domain with an AWS account outside of your Organization, you must create a resource share using AWS Resource Access Manager, and then choose **Allow sharing with anyone** when selecting the Principals to share the multicast domain with. For more information on creating a resource share, see [Creating a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) in the *AWS RAM User Guide*.

**Topics**
+ [Prerequisites for sharing a multicast domain](#sharing-prereqs)
+ [Related services](#sharing-related)
+ [Shared multicast domain permissions](#sharing-perms)
+ [Billing and metering](#sharing-billing)
+ [Quotas](#sharing-quotas)
+ [Share resources across Availability Zones](sharing-azs.md)
+ [Share a multicast domain](sharing-share.md)
+ [Unshare a shared multicast domain](sharing-unshare.md)
+ [Identify a shared multicast domain](sharing-identify.md)

## Prerequisites for sharing a multicast domain

+ To share a multicast domain, you must own it in your AWS account. You cannot share a multicast domain that has been shared with you.
+ To share a multicast domain with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see [Enable Sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*.

## Related services


Multicast domain sharing integrates with AWS Resource Access Manager (AWS RAM). AWS RAM is a service that enables you to share your AWS resources with any AWS account or through AWS Organizations. With AWS RAM, you share resources that you own by creating a *resource share*. A resource share specifies the resources to share, and the users with whom to share them. Consumers can be individual AWS accounts, or organizational units or an entire organization in AWS Organizations.

For more information about AWS RAM, see the *[AWS RAM User Guide](https://docs.aws.amazon.com/ram/latest/userguide/)*.

## Shared multicast domain permissions


### Permissions for owners


Owners are responsible for managing the multicast domain and the members and attachments that they register or associate with the domain. Owners can change or revoke shared access at any time. They can use AWS Organizations to view, modify, and delete resources that consumers create on shared multicast domains.

### Permissions for consumers


Users of the shared multicast domain can perform the following operations on shared multicast domains in the same way that they would on multicast domains that they created:
+ Register and deregister group members or group sources in the multicast domain
+ Associate a subnet with the multicast domain, and disassociate subnets from the multicast domain

Consumers are responsible for managing the resources that they create on the shared multicast domain.

Customers cannot view or modify resources owned by other consumers or by the multicast domain owner, and they cannot modify multicast domains that are shared with them. 

## Billing and metering


There are no additional charges for sharing multicast domains for either the owner or consumers.

## Quotas


A shared multicast domain counts toward the owner's and shared user's multicast domain quotas.

# Share resources across Availability Zones in AWS Transit Gateway

To ensure that resources are distributed across the Availability Zones for a Region, AWS Transit Gateway independently maps Availability Zones to names for each account. This could lead to Availability Zone naming differences across accounts. For example, the Availability Zone `us-east-1a` for your AWS account might not have the same location as `us-east-1a` for another AWS account.

To identify the location of your multicast domain relative to your accounts, you must use the *Availability Zone ID* (AZ ID). The AZ ID is a unique and consistent identifier for an Availability Zone across all AWS accounts. For example, `use1-az1` is an AZ ID for the `us-east-1` Region and it is the same location in every AWS account.

**To view the AZ IDs for the Availability Zones in your account**

1. Open the AWS RAM console at [https://console.aws.amazon.com/ram/home](https://console.aws.amazon.com/ram/home).

1. The AZ IDs for the current Region are displayed in the **Your AZ ID** panel on the right-hand side of the screen.

# Share a multicast domain in AWS Transit Gateway

When an owner shares a multicast domain with you, you can do the following:
+ Register and deregister group members or group sources
+ Associate and disassociate subnets

**Note**  
To share a multicast domain, you must add it to a resource share. A resource share is an AWS RAM resource that lets you share your resources across AWS accounts. A resource share specifies the resources to share, and the consumers with whom they are shared. When you share a multicast domain using the Amazon Virtual Private Cloud Console, you add it to an existing resource share. To add the multicast domain to a new resource share, you must first create the resource share using the [AWS RAM console](https://console.aws.amazon.com/ram).  
If you are part of an organization in AWS Organizations and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared multicast domain. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared multicast domain after accepting the invitation.

You can share a multicast domain that you own using the Amazon Virtual Private Cloud console, AWS RAM console, or the AWS CLI.

**To share a multicast domain that you own using the Amazon Virtual Private Cloud Console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Multicast Domains**.

1. Select your multicast domain, and then choose **Actions**, **Share multicast domain**. 

1. Select your resource share and choose **Share multicast domain**. 

**To share a multicast domain that you own using the AWS RAM console**  
See [Creating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-create) in the *AWS RAM User Guide*.

**To share a multicast domain that you own using the AWS CLI**  
Use the [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html) command.

# Unshare a shared multicast domain in AWS Transit Gateway

When a shared multicast domain is unshared, the following happens to consumer multicast domain resources:
+ Consumer subnets are disassociated from the multicast domain. The subnets remain in the consumer account.
+ Consumer group sources and group members are disassociated from the multicast domain, and then deleted from the consumer account.

To unshare a multicast domain, you must remove it from the resource share. You can do this from the AWS RAM console or the AWS CLI.

To unshare a shared multicast domain that you own, you must remove it from the resource share. You can do this using the Amazon Virtual Private Cloud console, the AWS RAM console, or the AWS CLI.

**To unshare a shared multicast domain that you own using the Amazon Virtual Private Cloud Console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Multicast Domains**.

1. Select your multicast domain, and then choose **Actions**, **Stop sharing**. 

**To unshare a shared multicast domain that you own using the AWS RAM console**  
See [Updating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*.

**To unshare a shared multicast domain that you own using the AWS CLI**  
Use the [disassociate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/disassociate-resource-share.html) command.

# Identify a shared multicast domain in AWS Transit Gateway

Owners and consumers can identify shared multicast domains using the Amazon Virtual Private Cloud console and the AWS CLI.

**To identify a shared multicast domain using the Amazon Virtual Private Cloud Console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Multicast Domains**.

1. Select your multicast domain.

1. On the **Transit Multicast Domain Details** page, view the **Owner ID** to identify the AWS account ID of the multicast domain.

**To identify a shared multicast domain using the AWS CLI**  
Use the [describe-transit-gateway-multicast-domains](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-transit-gateway-multicast-domains.html) command. The command returns the multicast domains that you own and multicast domains that are shared with you. `OwnerId` shows the AWS account ID of the multicast domain owner.

# Register sources with a multicast group in AWS Transit Gateway

**Note**  
This procedure is only required when you have set the **Static sources support** attribute to **enable**.

Use the following procedure to register sources with a multicast group. The source is the network interface that sends multicast traffic.

You need the following information before you add a source:
+ The ID of the multicast domain
+ The IDs of the sources' network interfaces
+ The multicast group IP address

**To register sources using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain, and then choose **Actions**, **Add group sources**.

1. For **Group IP address**, enter either the IPv4 CIDR block or IPv6 CIDR block to assign to the multicast domain.

1. Under **Choose network interfaces**, select the multicast senders' network interfaces.

1. Choose **Add sources**.

**To register sources using the AWS CLI**  
Use the [register-transit-gateway-multicast-group-sources](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-transit-gateway-multicast-group-sources.html) command.

# Register members with a multicast group in AWS Transit Gateway

Use the following procedure to register group members with a multicast group. 

You need the following information before you add members:
+ The ID of the multicast domain
+ The IDs of the group members' network interfaces
+ The multicast group IP address

**To register members using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain, and then choose **Actions**, **Add group members**.

1. For **Group IP address**, enter either the IPv4 CIDR block or IPv6 CIDR block to assign to the multicast domain.

1. Under **Choose network interfaces**, select the multicast receivers' network interfaces.

1. Choose **Add members**.

**To register members using the AWS CLI**  
Use the [register-transit-gateway-multicast-group-members](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-transit-gateway-multicast-group-members.html) command.

# Deregister sources from a multicast group in AWS Transit Gateway

You don't need to follow this procedure unless you manually added a source to the multicast group.

**To remove a source using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain.

1. Choose the **Groups** tab.

1. Select the sources, and then choose **Remove source**.

**To remove a source using the AWS CLI**  
Use the [deregister-transit-gateway-multicast-group-sources](https://docs.aws.amazon.com/cli/latest/reference/ec2/deregister-transit-gateway-multicast-group-sources.html) command.

# Deregister members from a multicast group in AWS Transit Gateway
Deregister members from a multicast group

You don't need to follow this procedure unless you manually added a member to the multicast group.

**To deregister members using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain.

1. Choose the **Groups** tab.

1. Select the members, and then choose **Remove member**.

**To deregister members using the AWS CLI**  
Use the [deregister-transit-gateway-multicast-group-members](https://docs.aws.amazon.com/cli/latest/reference/ec2/deregister-transit-gateway-multicast-group-members.html) command.

# View multicast groups in AWS Transit Gateway
View multicast groups

You can view information about your multicast groups to verify that members were discovered using the IGMPv2 protocol. **Member type** (in the console) or `MemberType` (in the AWS CLI) displays IGMP when AWS discovered the members using the protocol.

**To view multicast groups using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. On the navigation pane, choose **Transit Gateway Multicast**.

1. Select the multicast domain.

1. Choose the **Groups** tab.

**To view multicast groups using the AWS CLI**  
Use the [search-transit-gateway-multicast-groups](https://docs.aws.amazon.com/cli/latest/reference/ec2/search-transit-gateway-multicast-groups.html) command.

The following example shows that the IGMP protocol discovered multicast group members.

```
aws ec2 search-transit-gateway-multicast-groups --transit-gateway-multicast-domain-id tgw-mcast-domain-000fb24d04EXAMPLE
{
    "MulticastGroups": [
        {
            "GroupIpAddress": "224.0.1.0",
            "TransitGatewayAttachmentId": "tgw-attach-0372e72386EXAMPLE",
            "SubnetId": "subnet-0187aff814EXAMPLE",
            "ResourceId": "vpc-0065acced4EXAMPLE",
            "ResourceType": "vpc",
            "NetworkInterfaceId": "eni-03847706f6EXAMPLE",
            "MemberType": "igmp"
        }
    ]
}
```
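
To act on the `MemberType` field described above, the following added example (not from the original page) compares group members against an expected list and reports any others, such as a host that joined through IGMP without being planned for. The JSON, the ENI IDs and the `$Expected` allowlist are constructed sample values; `GroupMember` is a field of the command output that the trimmed example above omits.

```powershell
# Added example: audit multicast group membership against an expected ENI list.
# Constructed sample data. In practice, $json is the output of:
#   aws ec2 search-transit-gateway-multicast-groups --transit-gateway-multicast-domain-id <domain-id>
$json = @'
{
  "MulticastGroups": [
    { "GroupIpAddress": "224.0.1.0", "NetworkInterfaceId": "eni-0aaaaaaaaaEXAMPLE",
      "GroupMember": true, "GroupSource": false, "MemberType": "igmp" },
    { "GroupIpAddress": "224.0.1.0", "NetworkInterfaceId": "eni-0bbbbbbbbbEXAMPLE",
      "GroupMember": true, "GroupSource": false, "MemberType": "static" },
    { "GroupIpAddress": "224.0.1.0", "NetworkInterfaceId": "eni-0cccccccccEXAMPLE",
      "GroupMember": true, "GroupSource": false, "MemberType": "igmp" }
  ]
}
'@

# Constructed allowlist (assumption): group address -> ENIs expected to receive it.
$Expected = @{
    '224.0.1.0' = @('eni-0aaaaaaaaaEXAMPLE', 'eni-0bbbbbbbbbEXAMPLE')
}

function Get-UnexpectedMember {
    param([string]$Json, [hashtable]$Expected)
    $groups = ($Json | ConvertFrom-Json).MulticastGroups
    foreach ($g in $groups) {
        if (-not $g.GroupMember) { continue }      # skip source-only entries
        $allowed = $Expected[$g.GroupIpAddress]    # $null for an unknown group
        if ($null -eq $allowed -or $g.NetworkInterfaceId -notin $allowed) {
            [pscustomobject]@{
                Group      = $g.GroupIpAddress
                Eni        = $g.NetworkInterfaceId
                MemberType = $g.MemberType         # igmp = joined dynamically
            }
        }
    }
}

Get-UnexpectedMember -Json $json -Expected $Expected | Format-Table -AutoSize
```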

# Set up multicast for Windows Server in AWS Transit Gateway
Set up multicast for Windows Server

Setting up multicast to work with transit gateways on Windows Server 2019 or 2022 requires additional steps. Run the following commands in PowerShell.

**To set up multicast for Windows Server using PowerShell**

1. Change Windows Server to use IGMPv2 instead of IGMPv3 for the TCP/IP stack:

   `PS C:\> New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IGMPVersion -PropertyType DWord -Value 3`

   **Note**  
   The `IGMPVersion` property that `New-ItemProperty` creates is an index that specifies the IGMP version. Because IGMPv2 is the supported version for multicast, the property `Value` must be `3`. Instead of editing the Windows registry, you can run the following command to set the IGMP version to 2:  
   `Set-NetIPv4Protocol -IGMPVersion Version2`

1. Windows Firewall drops most UDP traffic by default. You'll first need to check which connection profile is being used for multicast:

   ```
   PS C:\> Get-NetConnectionProfile | Select-Object NetworkCategory
   
   NetworkCategory
   ---------------
            Public
   ```

1. Update the connection profile from the previous step to allow access to the required UDP port(s):

   `PS C:\> Set-NetFirewallProfile -Profile Public -Enabled False`

1. Reboot the EC2 instance.

1. Test your multicast application to ensure traffic is flowing as expected.
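
The command in step 3 turns Windows Firewall off for the entire Public profile rather than opening individual ports. The following added example (not part of the original procedure) keeps the firewall enabled and allows one inbound UDP port from the sender subnet only; the port `5001`, the subnet `10.0.1.0/24` and the rule name are placeholder assumptions.

```powershell
# Added example: open one UDP port for multicast instead of disabling the profile.
# Assumptions (placeholders, not from the original page): UDP port 5001 and
# sender subnet 10.0.1.0/24. Run from an elevated PowerShell session.
$Port         = 5001
$SenderSubnet = '10.0.1.0/24'
$RuleName     = "Multicast receiver UDP $Port"

# Get-NetConnectionProfile reports DomainAuthenticated; the firewall cmdlets call it Domain.
$map = @{ Public = 'Public'; Private = 'Private'; DomainAuthenticated = 'Domain' }
$profiles = Get-NetConnectionProfile |
    ForEach-Object { $map[$_.NetworkCategory.ToString()] } |
    Sort-Object -Unique

# Keep the firewall on for those profiles (or turn it back on after step 3).
Set-NetFirewallProfile -Name $profiles -Enabled True

# Create the allow rule once; rerunning the script does not duplicate it.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort $Port `
        -RemoteAddress $SenderSubnet `
        -Profile ($profiles -join ',') | Out-Null
}

# Confirm the result: profile enabled, rule present and limited to the port and subnet.
Get-NetFirewallProfile -Name $profiles | Select-Object Name, Enabled
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```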

# Example: Manage IGMP configurations using AWS Transit Gateway
Example: Manage IGMP configurations

This example shows at least one host that uses the IGMP protocol for multicast traffic. AWS automatically creates the multicast group when it receives an IGMP `JOIN` message from an instance, and then adds the instance as a member in this group. You can also statically add non-IGMP hosts as members to a group using the AWS CLI. Any instances that are in subnets associated with the multicast domain can send traffic, and the group members receive the multicast traffic.

Use the following steps to complete the configuration:

1. Create a VPC. For more information, see [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the *Amazon VPC User Guide*.

1. Create a subnet in the VPC. For more information, see [Create a subnet](https://docs.aws.amazon.com/vpc/latest/userguide/create-subnets.html) in the *Amazon VPC User Guide*.

1. Create a transit gateway configured for multicast traffic. For more information, see [Create a transit gateway in AWS Transit Gateway](create-tgw.md).

1. Create a VPC attachment. For more information, see [Create a VPC attachment in AWS Transit Gateway](create-vpc-attachment.md).

1. Create a multicast domain configured for IGMP support. For more information, see [Create an IGMP multicast domain in AWS Transit Gateway](create-tgw-igmp-domain.md). 

   Use the following settings:
   + Enable **IGMPv2 support**.
   + Disable **Static sources support**.

1. Create an association between subnets in the transit gateway VPC attachment and the multicast domain. For more information, see [Associating VPC attachments and subnets with a multicast domain in AWS Transit Gateway](associate-attachment-to-domain.md).

1. The default IGMP version for EC2 is IGMPv3. You need to change the version for all IGMP group members. You can run the following command:

   ```
   sudo sysctl net.ipv4.conf.eth0.force_igmp_version=2
   ```

1. Add the members that do not use the IGMP protocol to the multicast group. For more information, see [Register members with a multicast group in AWS Transit Gateway](add-members-multicast-group.md).

# Example: Manage static source configurations in AWS Transit Gateway
Example: Manage static source configurations

This example statically adds multicast sources to a group. Hosts do not use the IGMP protocol to join or leave multicast groups. You need to statically add the group members that receive the multicast traffic.

Use the following steps to complete the configuration:

1. Create a VPC. For more information, see [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the *Amazon VPC User Guide*.

1. Create a subnet in the VPC. For more information, see [Create a subnet](https://docs.aws.amazon.com/vpc/latest/userguide/create-subnets.html) in the *Amazon VPC User Guide*.

1. Create a transit gateway configured for multicast traffic. For more information, see [Create a transit gateway in AWS Transit Gateway](create-tgw.md).

1. Create a VPC attachment. For more information, see [Create a VPC attachment in AWS Transit Gateway](create-vpc-attachment.md).

1. Create a multicast domain configured for no IGMP support, and support for statically adding sources. For more information, see [Create a static source multicast domain in AWS Transit Gateway](create-tgw-domain.md). 

   Use the following settings:
   + Disable **IGMPv2 support**.
   + To manually add sources, enable **Static sources support**.

     The sources are the only resources that can send multicast traffic when the attribute is enabled. Otherwise, any instances that are in subnets associated with the multicast domain can send multicast traffic, and the group members receive the multicast traffic.

1. Create an association between subnets in the transit gateway VPC attachment and the multicast domain. For more information, see [Associating VPC attachments and subnets with a multicast domain in AWS Transit Gateway](associate-attachment-to-domain.md).

1. If you enable **Static sources support**, add the source to the multicast group. For more information, see [Register sources with a multicast group in AWS Transit Gateway](add-source-multicast-group.md).

1. Add the members to the multicast group. For more information, see [Register members with a multicast group in AWS Transit Gateway](add-members-multicast-group.md).

# Example: Manage static group member configurations in AWS Transit Gateway
Example: Manage static group member configurations

This example shows statically adding multicast members to a group. Hosts cannot use the IGMP protocol to join or leave multicast groups. Any instances that are in subnets associated with the multicast domain can send multicast traffic, and the group members receive the multicast traffic.

Use the following steps to complete the configuration:

1. Create a VPC. For more information, see [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the *Amazon VPC User Guide*.

1. Create a subnet in the VPC. For more information, see [Create a subnet](https://docs.aws.amazon.com/vpc/latest/userguide/create-subnets.html) in the *Amazon VPC User Guide*.

1. Create a transit gateway configured for multicast traffic. For more information, see [Create a transit gateway in AWS Transit Gateway](create-tgw.md).

1. Create a VPC attachment. For more information, see [Create a VPC attachment in AWS Transit Gateway](create-vpc-attachment.md).

1. Create a multicast domain configured for no IGMP support, and support for statically adding sources. For more information, see [Create a static source multicast domain in AWS Transit Gateway](create-tgw-domain.md). 

   Use the following settings:
   + Disable **IGMPv2 support**.
   + Disable **Static sources support**.

1. Create an association between subnets in the transit gateway VPC attachment and the multicast domain. For more information, see [Associating VPC attachments and subnets with a multicast domain in AWS Transit Gateway](associate-attachment-to-domain.md).

1. Add the members to the multicast group. For more information, see [Register members with a multicast group in AWS Transit Gateway](add-members-multicast-group.md).