Amazon Cloud App Streaming Details
This document describes the technical architecture and key components of Amazon cloud app streaming for Vega OS Fire TV devices, explaining how Fire OS applications run in AWS cloud containers while streaming the user interface to Vega OS Fire TV devices. It covers the video playback workflow, content security, and app data handling. It also covers geographic deployment considerations and the IP tunneling configuration options that affect an app's network traffic patterns and regional performance.
Architecture
The customer initiates an Amazon cloud app streaming session by opening the dedicated mini app that was installed on their Vega OS Fire TV device from the Appstore. The session creates a Fire OS container in the AWS cloud and launches the Fire OS APK in the container. User interface elements are streamed down to the Vega OS Fire TV device from the app in the container via a UDP stream. User input events are sent to the cloud container by the mini app, also via a UDP stream. Content play requests initiated from the app in the cloud are sent to the device to be streamed and decoded locally. The client composites the user interface with the decoded video content and renders the result to present a seamless experience to the end customer. The diagram below shows how the components interact.
Video playback
The steps below describe video playback in Amazon cloud app streaming in detail:
- Customer UI interactions on the device are sent to the app instance running on Fire OS in a cloud container.
- A customer interaction with the app instance results in a content play request.
- App instance calls to the developer CDN get routed to the on-device streaming player.
- App instance uses MediaDRM and MediaCodec interfaces which are bridged to device streaming player.
- Device media player fetches content from developer CDN.
- Device streaming player sends non-AV payload to app instance for state synchronization.
- Device streaming player decodes the AV payload using on-device secure video pipe.
- Playback information is synchronized between device and media player in app instance context.
- App instance streams UI to device client.
- App instance UI is composited along with the video content and rendered on the device screen.
Content security
Amazon cloud app streaming delivers content directly to the device, so it has the same high security as apps running fully locally:
- PlayReady and Widevine are supported.
- Playback of DRM-protected content is satisfied by a DRM client running on the Vega OS Fire TV device. The DRM-system-specific license request message is generated by the DRM client running on the Vega OS Fire TV device. Because the DRM license is therefore individualized for the Vega OS Fire TV device, only the DRM client running on that device can access the content keys carried in the DRM license.
- Decode of audio and video content consumed by the video streaming app happens on the Vega OS Fire TV device.
- The cloud container running the Fire OS app does not retain the DRM-system-specific messages (for example, the DRM license request, DRM license, and DRM license renewal request) that pass through the app for each DRM-protected playback session.
App data handling
Amazon cloud app streaming uses strong data security measures to handle app data.
- App data is collected, accessed, and stored on a per Vega OS Fire TV device and user basis.
- App data does not leave the Fire OS cloud app unencrypted.
- App data is encrypted with keys that are individualized to both the Vega OS Fire TV device and user before leaving the Fire OS cloud app to be persisted in at-rest storage. This data is inaccessible when the mini app on the device is not in use.
- App data is only present unencrypted within the memory space of a containerized Fire OS cloud app running in support of an active app session.
Geographic considerations
Amazon cloud app streaming is deployed in systems regionally according to preferred marketplace. For example, US apps are deployed in the United States and IN apps are deployed in India. Within a system, customers are routed to connect to container servers hosted in the region with the lowest latency for them. Apps without IP tunneling will see app logic traffic (for example, catalog requests and logins) coming from one of the respective AWS gateway addresses and streaming traffic coming from the Vega OS Fire TV device. Apps with IP tunneling will see all traffic coming from the Vega OS Fire TV device.
IP tunneling
Having the Fire OS app running in a cloud container will cause your app's back-end services and third-party SDKs to see traffic from a limited set of public AWS gateway IPs instead of from a variety of device IPs. Also, the IP address seen by your content delivery network will not align with the IP address seen by your back-end servers. This can create challenges including:
- Local ad targeting based on may not function correctly.
- VPN inhibitors might be falsely triggered.
- Other geo-fencing solutions might not function correctly.
- High-traffic events might trigger denial of service attack warnings.
To address these problems, apps can be configured to support IP tunneling, where all IP traffic is routed through the device. However, enabling IP tunneling can increase lag in customer interactions and slow content catalog browsing and other interactions in the app, which is why it is not enabled by default. If your app is encountering issues like the ones above, you should reach out to Developer Support with the Cloud App Program category and Functional Issues subject to request that your app be enabled with IP tunneling.
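For an app that runs without IP tunneling, the back end can account for the split traffic pattern described above instead of treating it as a VPN or flood signal. The sketch below is an added example, not Amazon's code or part of the original documentation. The gateway ranges are documentation placeholders (the page does not list the real AWS gateway addresses), and the function names and the `session_id` correlation are hypothetical.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation blocks), NOT real AWS gateway
# addresses: the page does not list them. Replace with your configured set.
GATEWAY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_gateway(ip: str) -> bool:
    """True if the address falls inside a configured cloud gateway range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GATEWAY_NETS)


def classify_session(backend_ip: str, cdn_ip: str) -> str:
    """Classify the back-end/CDN address pair observed for one session."""
    backend_gw, cdn_gw = is_gateway(backend_ip), is_gateway(cdn_ip)
    if backend_gw and not cdn_gw:
        # App logic from the cloud container, media fetched by the device:
        # the expected pattern when IP tunneling is off.
        return "cloud-streaming"
    if backend_gw and cdn_gw:
        # The page says streaming traffic comes from the device, so a
        # gateway address at the CDN is unexpected.
        return "review"
    if backend_ip == cdn_ip:
        return "direct"  # fully local app, or IP tunneling enabled
    return "mismatch"    # unrelated addresses: apply existing VPN/geo policy


def geo_ip(backend_ip: str, cdn_ip: str) -> str:
    """Address to feed geo-fencing and local ad targeting for the session."""
    if classify_session(backend_ip, cdn_ip) == "cloud-streaming":
        return cdn_ip  # the device address, not the shared gateway
    return backend_ip


def rate_limit_key(backend_ip: str, session_id: str) -> str:
    """Throttling bucket key.

    Many customers share one gateway address, so per-IP buckets would read a
    high-traffic event as a flood; key gateway traffic on the session instead.
    """
    return f"session:{session_id}" if is_gateway(backend_ip) else f"ip:{backend_ip}"
```

Pass in the peer address your edge actually observed rather than a client-supplied forwarding header, and keep the gateway list under change control, since it decides which requests skip per-IP checks.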
Last updated: Sep 30, 2025