Use Case Brief · Cloudflare Realtime

Real-time media infrastructure for Multi Media LLC

Multi Media LLC operates live production events, remote collaboration workflows, and on-demand video delivery at scale. This brief maps their core infrastructure challenges to Cloudflare's Realtime platform — and quantifies the technical and business outcomes they can expect.

Cloudflare Realtime stack:
SFU · Simulcast · TURN · WHIP / WHEP · MoQ Transport · Stream + Signed URLs · Workers

Where today's infrastructure falls short

Multi Media LLC's current stack relies on a mix of third-party CDNs, self-managed SFU deployments, and legacy streaming infrastructure. At scale — and especially for live events — this creates compounding pain across three dimensions.

Latency and buffering under load

Traditional CDN-based video delivery uses TCP and long HLS/DASH segments. For live events with thousands of concurrent viewers, this means 5–30 second glass-to-glass latency and buffer stalls when regional origin capacity is exhausted. Remote production teams can't collaborate in real time on a 20-second lag.

Buffering spikes during live peaks · 20–30s HLS latency · Regional origin overload

Unreliable WebRTC connectivity

Remote production relies on WebRTC for real-time audio/video between crew. NATs and firewalls at venues, hotels, and corporate networks routinely block peer-to-peer connections. Without a managed TURN relay service, teams fall back to software workarounds, degraded quality, or dropped connections mid-shoot.

NAT/firewall traversal failures · No managed TURN relay · Call drops at venues

Content security and access control gaps

Delivering premium event recordings and brand films to paying clients requires granular access control. Public video IDs are trivially shareable. Geo-restrictions, time-limited access, and per-client authentication are needed but require custom middleware on top of every current CDN or streaming provider.

Public video IDs shareable · No time-limited access · Custom auth middleware required

Unpredictable egress and infrastructure costs

Live event spikes generate massive outbound bandwidth. Self-managed SFU deployments require over-provisioning compute to handle peak loads — most of that capacity sits idle. Third-party CDN egress charges scale linearly with audience size, making large events increasingly expensive to run.

Over-provisioned SFU servers · Linear egress cost at scale · Idle capacity between events

Cloudflare Realtime as the media backbone

Cloudflare Realtime replaces Multi Media LLC's patchwork of vendors with a single, globally distributed platform. Every component is serverless, managed, and deeply integrated.

Camera / Encoder (OBS, hardware encoder, browser) → WHIP → Cloudflare Realtime SFU (330+ cities · anycast routing) → WHEP / WebRTC → Viewers / Crew (browser, mobile, hardware decoder)

Core Transport

Realtime SFU

A Selective Forwarding Unit that routes WebRTC audio/video/data between participants without re-encoding. It functions as both an interactive conferencing SFU and a broadcast CDN fanout system. No servers to provision — it scales automatically across Cloudflare's network using anycast routing.

Protocol: WebRTC (SDP / ICE / DTLS / SRTP)
Scale: Serverless, no capacity planning required
Modes: Interactive SFU + broadcast CDN fanout
Network: 330+ cities, anycast routing
Multi Media LLC fit: Replace self-managed SFU deployments for remote production calls and live multi-viewer events with a managed, globally distributed alternative that scales to any audience size instantly.

Adaptive Quality

Simulcast

Publishers send three simultaneous encodings (high / medium / low) using WebRTC RTP stream identifiers (RIDs). The SFU dynamically selects the appropriate layer for each subscriber based on their network conditions — or operators can pin a layer manually via the API. Per-track bandwidth estimation runs independently.

Publisher sends 3 layers simultaneously:
const transceiver = pc.addTransceiver(track, {
  direction: "sendonly",
  sendEncodings: [
    { rid: "f", scaleResolutionDownBy: 1 },   // 1080p full
    { rid: "h", scaleResolutionDownBy: 2 },   // 540p half
    { rid: "q", scaleResolutionDownBy: 4 },   // 270p quarter
  ],
});
Multi Media LLC fit: Live event viewers on mobile or congested networks automatically receive lower-quality streams, eliminating buffering. Crew on fast connections see full 1080p with no manual intervention.

Connectivity

TURN Service

A managed TURN relay that ensures WebRTC connectivity even through NATs, corporate firewalls, and venue networks that block UDP. Uses anycast routing so clients automatically connect to the nearest Cloudflare location. Free when used with the Realtime SFU — otherwise $0.05/GB outbound.

STUN/TURN UDP: turn.cloudflare.com:3478 / alt :53
TURN over TCP: Port 3478 / alt :80
TURN over TLS: Port 5349 / alt :443 (TLS 1.3)
Cost with SFU: $0 (included)
Multi Media LLC fit: Venue and hotel networks routinely block UDP. With Cloudflare TURN over TLS:443, remote crew connections survive any network restriction — no on-site network configuration required.

Ingest / Egress

WHIP & WHEP

WHIP (WebRTC-HTTP Ingest Protocol) and WHEP (WebRTC-HTTP Egress Protocol) are IETF-standardized signaling protocols that allow any encoder — OBS, hardware encoders, or custom apps — to push and pull WebRTC streams via simple HTTP requests, without implementing custom SDP negotiation.

WHIP ingest from a Cloudflare Worker:
// Ingest: encoder POSTs SDP offer to your Worker
const whipResp = await fetch(
  `https://rtc.live.cloudflare.com/v2/apps/${APP_ID}/sessions/new`,
  {
    method: 'POST',
    headers: { 'Authorization': `Bearer ${TOKEN}` },
    body: sdpOffer
  }
);
const { sessionId, sdpAnswer } = await whipResp.json();
Multi Media LLC fit: Production teams use OBS or hardware encoders on-site. WHIP lets them push directly to Cloudflare Realtime without any proprietary streaming SDK — standard HTTP POST with an SDP offer.

On-Demand Delivery

Stream + Signed URLs

Cloudflare Stream's signed URL system lets Multi Media LLC deliver recorded event footage and brand films exclusively to paying or authenticated clients. JWTs are generated server-side (inside a Worker) using a signing key — tokens can carry expiry, geo restrictions, and download permissions with no per-token API call needed.

Generate a signed token in a Worker:
const payload = {
  sub: videoUID,
  exp: Math.floor(Date.now() / 1000) + 3600,
  accessRules: [
    { type: 'ip.geoip.country', action: 'allow', country: ['US'] },
    { type: 'any', action: 'block' }
  ]
};
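// Sign with RS256 (RSASSA-PKCS1-v1_5 with SHA-256) using the stored JWK; no API call per token.
// signJWT is a helper that is not shown on this page.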
const token = await signJWT(payload, signingKey);
Multi Media LLC fit: Client deliverables and event recordings are locked behind time-limited, geo-restricted signed URLs — no public video IDs, no custom auth middleware, no external token service.
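
The Worker snippet above calls a `signJWT` helper it does not define. As an added example (not Cloudflare's or the page's own code), here is one way to write it with WebCrypto, together with a local verifier showing that an expired token and a token whose `exp` claim was edited after signing are both rejected. The `kid` parameter, the placeholder IDs, the fixed clock and the throwaway key pair are assumptions constructed for the demo.

```javascript
// Workers and Node 19+ expose WebCrypto globally; older Node falls back to node:crypto.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const RS256 = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
const enc = new TextEncoder(), dec = new TextDecoder();
const b64url = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlJson = (obj) => b64url(enc.encode(JSON.stringify(obj)));
const fromB64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Hypothetical signJWT: "header.payload" signed with the RSA private key (alg RS256).
async function signJWT(payload, privateKey, kid) {
  const input = `${b64urlJson({ alg: "RS256", kid })}.${b64urlJson(payload)}`;
  const sig = await subtle.sign(RS256.name, privateKey, enc.encode(input));
  return `${input}.${b64url(sig)}`;
}

// Local verifier: pin the algorithm, check the signature first, then the expiry.
async function verifyJWT(token, publicKey, nowSec) {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return { ok: false, reason: "malformed" };
  if (JSON.parse(dec.decode(fromB64url(h))).alg !== "RS256") return { ok: false, reason: "alg" };
  const good = await subtle.verify(RS256.name, publicKey, fromB64url(s), enc.encode(`${h}.${p}`));
  if (!good) return { ok: false, reason: "signature" };
  const claims = JSON.parse(dec.decode(fromB64url(p)));
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return { ok: false, reason: "expired" };
  return { ok: true, claims };
}

async function demo() {
  // Constructed throwaway key pair; a real Worker imports its stored JWK instead.
  const { privateKey, publicKey } = await subtle.generateKey(
    { ...RS256, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, false, ["sign", "verify"]);
  const now = 1700000000; // constructed clock, seconds since epoch
  const payload = {
    sub: "VIDEO_UID_PLACEHOLDER",
    exp: now + 3600,
    accessRules: [{ type: "ip.geoip.country", action: "allow", country: ["US"] },
                  { type: "any", action: "block" }],
  };
  const token = await signJWT(payload, privateKey, "KEY_ID_PLACEHOLDER");
  const [h, , s] = token.split(".");
  // Same header and signature, but the expiry was pushed out a year after signing.
  const edited = `${h}.${b64urlJson({ ...payload, exp: now + 31536000 })}.${s}`;
  return {
    fresh: await verifyJWT(token, publicKey, now),
    expired: await verifyJWT(token, publicKey, now + 3600),
    edited: await verifyJWT(edited, publicKey, now),
  };
}
```

Because the expiry and access rules sit inside the signed payload, a client cannot extend its own access without the private key, which is why that key should stay in a Worker secret and never reach the portal's front end.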

Privacy & Compliance

End-to-End Encryption (E2EE)

Cloudflare Meet (formerly Orange Meets) demonstrates MLS-based E2EE over the Realtime SFU. The SFU never sees plaintext media; it only forwards encrypted bytes. A WASM Rust service worker handles per-frame MLS encryption, and a designated committer algorithm manages key rotation as participants join and leave.

Protocol: MLS (RFC 9420), IETF standard
Key Exchange: Continuous group key agreement (CGKA)
Encryption: Per-frame, WASM Rust worker in browser
Verification: Safety number (out-of-band verification)
Multi Media LLC fit: Confidential pre-launch client reviews, legal holds on unreleased content, and NDA-covered productions can be conducted over encrypted video calls where Cloudflare's infrastructure never accesses media content.

How Multi Media LLC's stack is built

Three deployment patterns covering live production, remote crew collaboration, and on-demand client delivery — all on a single Cloudflare account.

Live event at scale

An on-site encoder (OBS or hardware) pushes via WHIP to the Cloudflare Realtime SFU. The SFU fans out to viewers via WHEP or the WebRTC player. Simulcast ensures every viewer — from a 5G phone to a fiber desktop — gets the right quality layer automatically. TURN over TLS:443 handles venue networks that block UDP.

1. Encoder → SFU: OBS/hardware pushes SDP offer via WHIP POST to a Cloudflare Worker that proxies to the Realtime API and returns the SDP answer.
2. SFU → Simulcast layers: Publisher sends RIDs f/h/q. SFU stores all three layers and serves each subscriber the highest layer their bandwidth supports.
3. TURN relay fallback: If direct UDP is blocked, TURN over TLS:443 relays media. Anycast routing ensures the relay is geographically co-located with the SFU.
4. Stream recording + signed delivery: Post-event, recordings are available in Cloudflare Stream and delivered to clients via time-limited, geo-restricted signed URLs.

Flow: Encoder (OBS / HW) → WHIP → CF Realtime SFU (Simulcast · TURN) → WHEP → Desktop 1080p; WHEP → Mobile 360p

Remote crew collaboration

Directors, producers, and remote crew join a shared SFU room. Each participant publishes audio and video; the SFU selectively forwards streams. The MLS-based E2EE layer (from Cloudflare Meet / Orange Meets) encrypts every frame in-browser — Cloudflare's SFU forwards ciphertext only. TURN ensures connectivity from any location.

1. Room creation via Workers: A Cloudflare Worker creates an SFU session and returns a room token. All participants connect to the same SFU session via WebRTC.
2. E2EE key negotiation: MLS group key is established client-side. A designated committer handles add/remove operations. The SFU sees only encrypted bytes.
3. AI participant (optional): An OpenAI Realtime API WebRTC relay (from realtime-examples) can be added as an AI participant for real-time transcription or direction assistance.

Flow: Director, Producer, Remote Crew ↔ CF Realtime SFU (E2EE · TURN · Simulcast)

Client video delivery

Completed productions are uploaded to Cloudflare Stream. A Cloudflare Worker generates signed JWT tokens on demand, scoped per client with expiry, geo-restriction, and optional download permissions. Clients access deliverables through a Pages-hosted portal — no public video IDs are ever exposed.

1. Upload to Stream: Finished video is uploaded via the Stream API or direct creator upload. requireSignedURLs: true is set immediately, disabling any public access.
2. Token generation in Worker: Client portal authenticates the user, then calls a Worker that signs a JWT with the client's allowed country codes, a 24-hour expiry, and the specific video UID.
3. Playback via signed token: The token replaces the video ID in the Stream embed URL. Stream validates the JWT signature on every request, with no separate auth service and no token database.

Flow: Upload (Stream API) → store → CF Stream (requireSignedURLs) → signed token → Client (time-limited access)

What Multi Media LLC gets

Mapped across two dimensions: the technical gains the engineering team experiences, and the business results that flow from them.

Technical Outcomes

Sub-500ms glass-to-glass latency for live events

WebRTC SFU delivery via WHEP replaces HLS polling. Combined with simulcast for adaptive quality, live event viewers experience real-time playback instead of 20–30 second buffered segments. MoQ Transport (IETF draft-14 in moq-rs) pushes this to sub-200ms at CDN scale as it matures.

100% WebRTC connectivity regardless of network

Cloudflare TURN over TLS:443 ensures fallback connectivity from any environment — venue networks, hotel WiFi, corporate firewalls. The anycast routing means the relay is co-located with the SFU edge, keeping round-trip latency minimal even through relay.

Automatic quality adaptation per viewer

Simulcast with three RID layers (full / half / quarter resolution) means the SFU switches quality per-subscriber based on their real-time bandwidth estimate. No manual quality selection by viewers, no quality locking that wastes bandwidth on capable connections.

Zero infrastructure provisioning for live events

The Realtime SFU is serverless — Multi Media LLC deploys no compute for live event scale. No pre-provisioned SFU clusters, no capacity planning spreadsheets before events. The Cloudflare network absorbs arbitrary audience spikes without operator intervention.

E2EE for confidential productions

MLS-based end-to-end encryption (IETF RFC 9420), as deployed in Cloudflare Meet, ensures that confidential pre-release content and NDA-covered sessions are never accessible to the infrastructure layer. Perfect forward secrecy and post-compromise security are guaranteed by continuous group key agreement.

Cryptographically secure content delivery

Stream signed URLs using RS256 JWTs (RSA signatures with SHA-256) generated inside a Worker (no Cloudflare API call per token) provide time-bound, geo-restricted, per-client access control on recorded content. Signing keys are rotated independently; up to 1,000 keys can be active simultaneously.

Business Outcomes

Eliminate SFU server costs entirely

Self-managed SFU deployments (media servers, autoscaling groups, ops overhead) are replaced by a pay-per-use serverless model. There is no idle capacity to pay for between events. Infrastructure costs shift from fixed CapEx to variable costs that scale directly with revenue-generating events.

New premium content tiers with access control

Signed URLs unlock a commercial model where recordings are sold as time-limited access products. Geo-restricted tokens allow territory-based licensing. Download-enabled tokens can back a premium tier. All of this is implemented in a single Worker with no external auth service.

Faster remote production cycles

Sub-500ms real-time collaboration between remote directors, producers, and on-site crew eliminates the communication lag that adds hours to remote production days. Review cycles that currently require in-person meetings can be conducted remotely without quality loss.

TURN cost absorbed by SFU usage

Cloudflare TURN is $0 when used with the Realtime SFU — a managed relay service that would otherwise require dedicated TURN server infrastructure is included at no additional cost for the primary use case, reducing the total cost of the real-time stack.

Reduced vendor surface area

Stream, Realtime SFU, TURN, Workers, Pages, R2, and Durable Objects are all on one Cloudflare account, one contract, one billing surface. Replacing separate CDN, SFU-vendor, TURN vendor, and video hosting contracts reduces procurement complexity and creates leverage for negotiation.

Future-proof on open standards

WHIP/WHEP (IETF), MoQ Transport (IETF draft-14), and MLS (RFC 9420) are all open standards. Multi Media LLC's stack is not locked to proprietary protocols — the same encoder, player, and key management flows work across any standards-compliant infrastructure.

<500ms: Live event latency (vs 20–30s HLS)
$0: TURN cost with Realtime SFU
100%: WebRTC connectivity, any network, any venue
0: SFU servers to provision
E2EE: MLS RFC 9420 for confidential sessions
1: Platform for all real-time & VOD needs

Technical resources

Everything you need to evaluate, prototype, and deploy — directly from Cloudflare's engineering and product teams.