Skip to main content

Production Deployment

This guide covers best practices, architecture patterns, and operational considerations for deploying Moq in production.

Architecture Overview

A production Moq deployment typically consists of: 
Publishers → Origin Relays → Regional Relays → Edge Relays → Viewers
              (Primary)       (Intermediate)    (CDN/Edge)

Component Roles

  • Origin Relays: Receive content from publishers, authenticate, validate
  • Regional Relays: Aggregate traffic, provide redundancy, span continents
  • Edge Relays: Serve viewers, cache content, distributed globally
  • Root Relay: Coordinates cluster, tracks broadcasts (can be any relay)

Deployment Checklist

1

TLS Certificates

Use valid TLS certificates from Let’s Encrypt or a commercial CA. Self-signed certificates are not suitable for production.
certbot certonly --standalone -d relay.example.com
2

Authentication

Enable JWT authentication and disable public access (or limit to specific paths).
[auth]
key = "/etc/moq/secret.jwk"
# public = ""  # Disable public access
3

Monitoring

Set up logging, metrics, and alerting to track relay health and performance.
4

Redundancy

Deploy at least 2 relays per region for high availability.
5

Load Balancing

Use DNS or anycast to distribute traffic across relays.
6

Firewall

Configure firewalls to allow only necessary traffic.
7

Systemd Service

Run relays as system services with automatic restart.
8

Auto-scaling

Configure auto-scaling based on CPU, bandwidth, or connection count.

Multi-Region Deployment

Three-Tier Architecture

For global deployments: 
Layer 1: Origin (1-2 relays)

   └─── Receives content from publishers
   │   Authoritative source
   │   High-reliability hardware

   v
Layer 2: Regional (3-6 relays)

   └─── NA-East, NA-West, EU-West, EU-East, APAC, SA
   │   Aggregate traffic from origins
   │   Provide redundancy

   v
Layer 3: Edge (10-100+ relays)

   └─── Major cities worldwide
       Serve viewers
       Cache content
       Lowest latency to users

Configuration Example

Origin Relay (us-east-1):
origin.toml
[log]
level = "info"

[server]
listen = "[::]:443"

[server.tls]
cert = "/etc/letsencrypt/live/origin.example.com/fullchain.pem"
key = "/etc/letsencrypt/live/origin.example.com/privkey.pem"

[auth]
key = "/etc/moq/secret.jwk"
# No public access on origin

# This is the root relay for the cluster
Regional Relay (eu-west-1):
regional.toml
[log]
level = "info"

[server]
listen = "[::]:443"

[server.tls]
cert = "/etc/letsencrypt/live/eu.example.com/fullchain.pem"
key = "/etc/letsencrypt/live/eu.example.com/privkey.pem"

[auth]
key = "/etc/moq/public.jwk"  # Public key from origin

[cluster]
root = "https://origin.example.com?jwt=CLUSTER_TOKEN"
node = "https://eu.example.com"
Edge Relay (london):
edge.toml
[log]
level = "warn"  # Less verbose on edge

[server]
listen = "[::]:443"

[server.tls]
cert = "/etc/letsencrypt/live/london.example.com/fullchain.pem"
key = "/etc/letsencrypt/live/london.example.com/privkey.pem"

[web.https]
listen = "[::]:443"
cert = "/etc/letsencrypt/live/london.example.com/fullchain.pem"
key = "/etc/letsencrypt/live/london.example.com/privkey.pem"

[auth]
key = "/etc/moq/public.jwk"
public = "demo"  # Allow anonymous viewing on edge

[cluster]
root = "https://origin.example.com?jwt=CLUSTER_TOKEN"
node = "https://london.example.com"

High Availability

Load Balancing

DNS Round-Robin

Simplest approach: 
relay.example.com.  A      1.2.3.4
relay.example.com.  A      5.6.7.8
relay.example.com.  AAAA   2001:db8::1
relay.example.com.  AAAA   2001:db8::2
Pros:
  • Simple to implement
  • No additional infrastructure
Cons:
  • No health checking
  • Clients may cache DNS
  • Not latency-aware

GeoDNS

Route users to nearest relay: 
# Users in North America get:
relay.example.com.  A      us-east.example.com

# Users in Europe get:
relay.example.com.  A      eu-west.example.com

# Users in Asia get:
relay.example.com.  A      ap-south.example.com
Providers: Route53, Cloudflare, NS1, Azure Traffic Manager

Anycast

Multiple relays share the same IP address: 
All relays announce: 203.0.113.10
Internet routing delivers to nearest relay
Pros:
  • Automatic failover
  • Lowest latency (network-layer routing)
  • No DNS caching issues
Cons:
  • Requires BGP setup
  • More complex infrastructure
  • Typically needs hosting with anycast support

Health Checking

Monitor relay health: 
#!/bin/bash
# health-check.sh

RELAY_URL="http://relay.example.com:4443/"

if curl -sf "$RELAY_URL" > /dev/null; then
  echo "Relay healthy"
  exit 0
else
  echo "Relay unhealthy"
  exit 1
fi
Run from monitoring system (Prometheus, Datadog, etc.)

Redundant Origins

Deploy origins in active-active or active-passive: Active-Passive: 
Primary Origin (active)

   v (failure)

Secondary Origin (standby)
Publishers connect to primary, failover to secondary. Active-Active: 
Origin A ←───── Publishers (50%)
Origin B ←───── Publishers (50%)
Both origins active, load balanced.

Security

Network Security

Firewall Rules

  • Allow only UDP 443 and TCP 443
  • Restrict management ports to internal IPs
  • Use security groups/firewall rules

DDoS Protection

  • Use DDoS protection service (Cloudflare, AWS Shield)
  • Rate limit connections per IP
  • Monitor for anomalies

Private Networks

  • Use private networking for relay-to-relay communication
  • VPN or VPC peering between regions
  • Keep cluster tokens on private network

Intrusion Detection

  • Monitor logs for suspicious activity
  • Alert on authentication failures
  • Track connection patterns

Application Security

Authentication

Always enable authentication in production: 
[auth]
key = "/etc/moq/secret.jwk"
# Never use public = "" in production without careful consideration
See Authentication Guide for setup.

Token Security

  • Short-lived tokens: 1-24 hours maximum
  • Refresh tokens: Issue new tokens before expiration
  • Revocation: Rotate keys to revoke all tokens
  • Minimal permissions: Only grant needed publish/subscribe rights

Secrets Management

Never commit keys to version control: 
# Use secrets management
# AWS Secrets Manager
aws secretsmanager get-secret-value --secret-id moq/secret.jwk \
  --query SecretString --output text > /etc/moq/secret.jwk

# HashiCorp Vault
vault kv get -field=jwk secret/moq/key > /etc/moq/secret.jwk

# Kubernetes Secret
kubectl create secret generic moq-key --from-file=secret.jwk

TLS Best Practices

  • Use Let’s Encrypt: Free, automated, trusted
  • Auto-renewal: Set up certbot auto-renewal
  • Strong ciphers: Let QUIC handle cipher selection
  • Certificate monitoring: Alert before expiration

Monitoring & Observability

Metrics to Track

  • CPU usage
  • Memory usage
  • Network bandwidth (in/out)
  • Disk I/O
  • UDP packet loss
  • Connection count

Logging

[log]
level = "info"  # warn for edge, info for regional, debug for origin
Structured logging: 
# JSON logs for parsing
RUST_LOG=info moq-relay relay.toml 2>&1 | jq .

# Send to logging service
moq-relay relay.toml 2>&1 | logger -t moq-relay

Alerting

Set up alerts for:
  • Relay down (health check fails)
  • High CPU usage (over 80%)
  • High memory usage (over 90%)
  • Certificate expiring (less than 7 days)
  • Authentication failure spike
  • Abnormal traffic patterns

Performance Optimization

Operating System

# Increase file descriptors
echo "* soft nofile 1048576" >> /etc/security/limits.conf
echo "* hard nofile 1048576" >> /etc/security/limits.conf

# Optimize network stack
sysctl -w net.core.rmem_max=134217728
sysctl -w net.core.wmem_max=134217728
sysctl -w net.ipv4.udp_mem='4096 873800 16777216'

# Increase UDP buffer
sysctl -w net.core.netdev_max_backlog=5000

Hardware Recommendations

Origin Relays

  • CPU: 8-16 cores
  • RAM: 16-32 GB
  • Network: 10 Gbps
  • Storage: Fast SSD for caching

Regional Relays

  • CPU: 16-32 cores
  • RAM: 32-64 GB
  • Network: 10-40 Gbps
  • Storage: NVMe SSD

Edge Relays

  • CPU: 4-8 cores
  • RAM: 8-16 GB
  • Network: 1-10 Gbps
  • Storage: SSD for caching

Cloud Provider Recommendations

Origin: c7g.2xlarge (8 vCPU, 16 GB RAM)Regional: c7g.4xlarge (16 vCPU, 32 GB RAM)Edge: c7g.xlarge (4 vCPU, 8 GB RAM)Use Elastic IP or ALB with UDP support.

Scaling

Horizontal Scaling

Add more relays as traffic grows: 
Phase 1: Single relay
  → 1,000 concurrent viewers

Phase 2: Regional cluster
  → 10,000 concurrent viewers

Phase 3: Multi-region cluster
  → 100,000+ concurrent viewers

Phase 4: Multi-tier with edge
  → 1,000,000+ concurrent viewers

Auto-scaling

With Kubernetes or cloud auto-scaling: 
# Kubernetes HPA example
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: moq-relay
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: moq-relay
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80

Backup & Disaster Recovery

Configuration Backup

# Backup relay config and keys
tar czf moq-backup-$(date +%Y%m%d).tar.gz \
  /etc/moq/*.toml \
  /etc/moq/*.jwk

# Store securely
aws s3 cp moq-backup-*.tar.gz s3://backups/moq/

Recovery Plan

1

Prepare backup relay

Keep standby relay with same config, different IP
2

Document DNS changes

Document how to update DNS records
3

Test failover

Regularly test switching to backup
4

Runbook

Maintain runbook for common failures

Cost Optimization

Bandwidth Costs

Moq’s biggest cost is typically bandwidth:
  • Clustering reduces costs: Route traffic optimally
  • Caching: Edge relays cache content
  • Deduplication: One source, many viewers
  • Quality adaptation: Lower quality = less bandwidth

Cloud Cost Tips

  • Use spot/preemptible instances for non-critical edge relays
  • Reserved instances for origin/regional relays
  • Multi-cloud to leverage free egress tiers
  • Monitor bandwidth with usage alerts

Troubleshooting

  • Check logs: journalctl -u moq-relay -n 100
  • Look for OOM kills: dmesg | grep -i oom
  • Check disk space: df -h
  • Verify config file is valid
  • Check geographic distance to relay
  • Verify network path: mtr relay.example.com
  • Check relay CPU usage
  • Verify QUIC is not being blocked
  • Test with different DNS resolver
  • Check network connectivity between relays
  • Verify cluster token is valid and not expired
  • Check for firewall rules blocking relay-to-relay traffic
  • Ensure root relay is accessible from all leaves
  • Verify certificate is not expired: openssl x509 -in cert.pem -noout -dates
  • Check certificate matches hostname
  • Ensure full chain is provided
  • Check Let’s Encrypt rate limits

Next Steps

Relay Setup

Detailed relay configuration

Authentication

Setup JWT authentication

Publishing

Connect publishers to production relay

Monitoring

Advanced monitoring and debugging

Build docs developers (and LLMs) love

Get started for freeTalk to us