# Bidirectional streaming with WebRTC
<a name="runtime-webrtc"></a>

With Amazon Bedrock AgentCore Runtime, you can use WebRTC (Web Real-Time Communication) to enable real-time media streaming between clients and agents. WebRTC is useful when building voice agents for browser and mobile applications, where clients use the browser-native WebRTC API or mobile WebRTC SDKs for real-time media. For more information about WebRTC, see [WebRTC API](https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API) in the MDN Web Docs.

**Topics**
+ [Using WebRTC on AgentCore Runtime](#runtime-webrtc-requirements)
+ [TURN streaming options](#runtime-webrtc-turn-options)
+ [Tutorial: WebRTC with TURN relaying using Amazon Kinesis Video Streams](runtime-webrtc-get-started-kvs.md)

## Using WebRTC on AgentCore Runtime
<a name="runtime-webrtc-requirements"></a>

WebRTC on AgentCore Runtime requires:
+  **VPC network mode** – Your AgentCore Runtime must be configured with VPC network mode. For more information, see [Configure Amazon Bedrock AgentCore Runtime and tools for VPC](agentcore-vpc.md).
+  **TURN relay** – TURN relay is required for media traffic between the client and the agent. The VPC must support outbound UDP traffic to your TURN endpoints.

## TURN streaming options
<a name="runtime-webrtc-turn-options"></a>

The following TURN server options are available for WebRTC on AgentCore Runtime:

Amazon Kinesis Video Streams managed TURN Relay  
KVS provides managed TURN servers through the `GetIceServerConfig` API. This option requires no TURN infrastructure management and integrates natively with AWS IAM for authentication. A KVS signaling channel resource is required to obtain TURN credentials. For WebRTC signaling itself (exchanging ICE candidates and session descriptions), you can use either the AgentCore Runtime invoke API or the KVS signaling channel. To get started, see [Tutorial: WebRTC with TURN relaying using Amazon Kinesis Video Streams](runtime-webrtc-get-started-kvs.md).

Third-party managed TURN  
You can use a third-party managed TURN provider.

Self-hosted TURN  
You can host and operate your own TURN infrastructure using open-source software such as coturn on Amazon EC2 or Amazon ECS.

# Tutorial: WebRTC with TURN relaying using Amazon Kinesis Video Streams
<a name="runtime-webrtc-get-started-kvs"></a>

In this tutorial, you build a WebRTC voice connection between a browser client and an agent running on AgentCore Runtime, using Amazon Kinesis Video Streams (KVS) managed TURN for media relaying. The agent processes audio in real-time using an Amazon Bedrock foundation model for speech-to-speech conversation.

When complete, you will have a working WebRTC connection where audio streams bidirectionally between the browser and your agent.

This tutorial requires a VPC with internet egress for connectivity to KVS TURN endpoints. For more information, see [Internet access considerations](agentcore-vpc.md#agentcore-internet-access) . All other prerequisites are handled by the sample application. The sample uses the AgentCore CLI for deployment to AgentCore Runtime.

For the complete sample application, see [WebRTC Voice Agent with KVS TURN](https://github.com/awslabs/amazon-bedrock-agentcore-samples/tree/main/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc) on GitHub.

## Architecture
<a name="runtime-webrtc-kvs-architecture"></a>

![\[Architecture diagram showing WebRTC on AgentCore Runtime with KVS TURN relaying through a VPC.\]](http://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/images/runtime-webrtc-architecture.png)


Browser client  
A web page that captures microphone audio using the browser WebRTC API and plays the agent’s audio response.

AgentCore Runtime  
Hosts the agent and attaches to the user’s VPC via an elastic network interface (ENI) in a private subnet.

Agent  
A Python application deployed to AgentCore Runtime that handles WebRTC signaling and TURN credential management through the `/invocations` endpoint, and streams audio between the client and a foundation model.

User VPC with internet egress  
Provides network connectivity from the agent to the KVS TURN relay server. Traffic routes from the ENI in the private subnet through a NAT gateway and internet gateway to reach the TURN endpoints.

KVS TURN relay server  
Relays media traffic between the browser client and the agent. The agent obtains temporary TURN credentials from KVS using the [GetIceServerConfig](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/API_signaling_GetIceServerConfig.html) API.

## How it works
<a name="runtime-webrtc-kvs-how-it-works"></a>

1. The client invokes the agent to fetch KVS TURN credentials and ICE server configuration.

1. The client creates a WebRTC offer and sends it to the agent. The agent creates a peer connection configured with KVS TURN servers and returns an answer.

1. The client and agent exchange ICE candidates to establish connectivity through the TURN server.

1. Once connected, the client streams microphone audio to the agent over WebRTC. The agent forwards the audio to an Amazon Bedrock foundation model and streams the model’s spoken response back to the client.