Deploying AIMS in AWS

This topic explains how to deploy AI Media Server (AIMS) in Amazon Web Services (AWS) using an Amazon Machine Image (AMI).

For information regarding manual customization or maintenance tasks such as re-running the installation wizard or replacing the AIMS's default certificate, see Configuration and maintenance of the AI Media Server.

Prerequisites

Pexip Infinity

AIMS requires Pexip Infinity v36 or later. See AIMS / Pexip Infinity version features for information about which versions of Pexip Infinity are required to support the features available in each version of AIMS.

NVIDIA GPU

The AIMS VM requires complete control of all GPUs assigned to it — the GPUs cannot be shared with any other VM.

The following NVIDIA GPU models are supported in AWS:

  • NVIDIA L4 (in AWS: g6.2xlarge (or larger) instance — 1 x L4 GPU)
  • NVIDIA A100 (in AWS: p4d.24xlarge instance — 8 x A100 GPUs)
  • NVIDIA H100 (in AWS: p5.48xlarge instance — 8 x H100 GPUs)

If you are unsure about compatibility with a given GPU, please contact your Pexip authorized support representative.

Host hardware requirements

For cloud deployments, your service provider will supply sufficient CPU and RAM to match the selected instance type and GPU quantity.

AWS prerequisites

The deployment instructions assume that within AWS you have already:

  • signed up for AWS and created a user account, administrator groups, etc.
  • created a Virtual Private Cloud network and subnet
  • configured a VPN tunnel from the corporate/management network to the VPC, and required routing
  • created or imported an SSH key pair to associate with your VPC instances
  • created a security group
  • decided in which AWS region to deploy your AIMS instance
  • ensured that you have sufficient quota for the required instance type (and if not, requested it).

For more information on setting up your AWS environment, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html.

Firewall and DNS requirements

You must configure DNS for your deployment as follows:

  • There must be a DNS A record for the AIMS server.
  • The AIMS server must have a DNS name that is resolvable by Conferencing Nodes.
  • On Pexip Infinity, you must enter the AIMS server's host address (as per the DNS record) as the Live captions service API gateway (under Platform > Global settings > Live captions).

When requesting/generating certificates for your AIMS server:

  • The AIMS server requires TLS certificates with SHA256 or later signature algorithms. Certificates using legacy algorithms such as SHA1 and MD5 are not supported.
  • The AIMS server must have a certificate with either a CN or SAN that matches the AIMS server's host address (as per the DNS record), and this certificate must be trusted by Pexip Infinity.
  • We recommend using a 4096 bit public key (2048 bit minimum).

The following table lists the ports/protocols used to carry traffic between the AIMS server and Conferencing Nodes, DNS servers and NTP servers:

| Source address | Source port | Destination address | Destination port | Protocol | Notes |
|---|---|---|---|---|---|
| AIMS | 123, 55000–65535 | NTP server | 123 | UDP | Required for correct log timestamps. |
| AIMS | 55000–65535 | DNS server | 53 | TCP/UDP | Required to resolve NTP and other addresses. |
| Conferencing Node | <any> | AIMS | 443 | TCP (HTTPS) | Access live captions service. Web proxies are not supported for this traffic flow. |

Configuring AWS security groups

Access to AWS instances is restricted by the AWS firewall. This may be configured by associating an instance with an AWS security group that specifies the permitted inbound and outbound traffic/ports from the group.

A minimal AWS security group that permits access to AIMS would look similar to this:

Inbound rules

| Type | Protocol | Port range | Source |
|---|---|---|---|
| SSH | TCP | 22 | <management station IP address/subnet> |
| HTTPS | TCP | 443 | <Conferencing Node IP range(s)> |
| All ICMP | ICMP | All | <management station IP address/subnet> |

Outbound rules

| Type | Protocol | Port range | Destination |
|---|---|---|---|
| All traffic | All | All | 0.0.0.0/0 |

Where 0.0.0.0/0 implies any source / destination, and <management station IP address/subnet> should be restricted to a single IP address or subnet for SSH access only.

A single security group can be applied to the AIMS instance.

The AIMS instance and all Conferencing Nodes in your Pexip Infinity deployment must be able to communicate with each other. If your AIMS instance only has a private address, ensure that the necessary external systems such as NTP and DNS servers are routable from those nodes.
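The following is an added example, not part of the Pexip documentation: a Python check that compares a group's inbound rules, in the shape returned by `aws ec2 describe-security-groups`, against the minimal inbound rules listed above. The function name `audit_inbound`, the sample group and all addresses are constructed for illustration; outbound rules are not checked.

```python
import ipaddress

def _within(cidr, allowed):
    """True if cidr is fully contained in one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit_inbound(group, mgmt_cidrs, node_cidrs):
    """Return findings for inbound rules wider than the minimal group."""
    mgmt = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    nodes = [ipaddress.ip_network(c) for c in node_cidrs]
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if proto == "tcp" and (lo, hi) == (22, 22):
            label, allowed = "SSH", mgmt      # management station only
        elif proto == "tcp" and (lo, hi) == (443, 443):
            label, allowed = "HTTPS", nodes   # Conferencing Nodes only
        elif proto == "icmp":
            label, allowed = "ICMP", mgmt     # management station only
        else:
            # Anything else is not part of the minimal group on this page.
            findings.append(f"unexpected rule: {proto} {lo}-{hi} from {sources}")
            continue
        for src in sources:
            if not _within(src, allowed):
                findings.append(f"{label} open to {src}, outside the expected range")
    return findings

SAMPLE_GROUP = {  # constructed sample, not a real security group
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/24"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.10.5.0/28"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.20.0.0/24"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_GROUP, ["10.10.5.0/24"], ["10.20.0.0/16"]):
        print(finding)
```

An empty result means every inbound rule is one of the three rule types above and its sources fall inside the ranges you supplied.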

Installing AIMS in AWS

Installation summary

Deploying an AIMS instance in AWS consists of the following steps:

  1. In the AWS management console, select the desired AWS region and use the launch wizard to create and launch an AIMS instance.
  2. After the AIMS instance has booted, SSH into it and set the administrator password. This will then terminate the SSH session.
  3. SSH in to AIMS again and complete the installation wizard.

These steps are described below in more detail.

Configuring and launching an AIMS instance

  1. In the AWS management console, ensure that you have selected the AWS region in which you intend to deploy AIMS.
  2. Find the appropriate AIMS image:

    1. From the EC2 dashboard, select Images > AMIs.
    2. From the drop-down menu at the top of the list of instances, select Public Images.
    3. In the Search box, enter Owner : 686087431763 to see all of the Pexip images.
    4. Find and select Pexip AIMS 2.0.0 (build 440.0.0).
  3. From the top right of the screen, select Launch instance from AMI.
  4. Enter a Name. You can also optionally add Tags to your instance, if you want to categorize your AWS resources.
  5. Select an Instance type — see NVIDIA GPU for a list of supported instances.
  6. You are now asked to select an existing Key pair or create a new key pair.

    Select the key pair that you want to associate with this instance, and acknowledge that you have the private key file.

    You will need to supply the private key when you subsequently SSH into this instance.

  7. Configure Network settings.

    Complete the following fields (leave all other settings as default):

    • VPC: Use default VPC.
    • Subnet: Use default subnet.
    • Auto-assign Public IP: Enable or disable this option according to whether you want the node to be reachable from a public IP address. Your subnet may be configured so that instances in that subnet are assigned a public IP address by default. Note that AIMS only needs to be publicly accessible if you want to perform system administration tasks from clients located in the public internet.
    • Firewall (security groups): Select and assign your existing security group to your AIMS instance.

  8. Configure storage.

    Accept the default settings (the Pexip AMI sets these defaults appropriately for AIMS).

  9. From the top right of the screen, review the Summary of the configuration details for your instance.

    Ensure that Number of instances is set to 1.

  10. Select Launch instance.

Connecting over SSH

Next, connect over SSH to the AIMS instance to complete the installation.

  1. Use an SSH client to access the AIMS instance by its private IP address, supplying your private key file as appropriate.
  2. Follow the login process in the SSH session:

    1. At the login prompt, enter the username admin.
    2. Supply the key passphrase, if requested.
    3. At the "Enter new UNIX password:" prompt, enter your desired password, and then when prompted, enter the password again.

    This will then log you out and terminate your SSH session.

Running the installation wizard

  1. Reconnect over SSH into the AIMS instance and continue the installation process:
    1. Log in again as admin.

      You are presented with another login prompt:

      [sudo] password for admin:

    2. Enter the UNIX password you just created.

      The AIMS installation wizard will begin after a short delay.

    3. Follow the prompts to set the following configuration for the AIMS VM.

      If you subsequently rerun the installation wizard, the default values for the questions use the answers from the previous run (if they are still valid).

      If you select Enter, the default value is applied:

      | Setting | Default value | Multiple entries allowed? |
      |---|---|---|
      | IP address | As assigned by DHCP, otherwise 192.168.0.100 * | No |
      | Network mask | As assigned by DHCP, otherwise 255.255.255.0 * | No |
      | Gateway | As assigned by DHCP, otherwise 192.168.0.1 * | No |
      | Hostname | As assigned by DHCP, otherwise pexaims | No |
      | Domain suffix | As assigned by DHCP, otherwise <no default> | No |
      | DNS servers | As assigned by DHCP, otherwise 8.8.8.8 | Yes, if separated by a space or comma |
      | NTP servers † | As assigned by DHCP, otherwise 0.pexip.pool.ntp.org and 1.pexip.pool.ntp.org | Yes, if separated by a space or comma |
      | Enable incident reporting (yes/no) | <no default> | |
      | Contact email address ** | <no default> | No |
      | Send deployment and usage statistics to Pexip (yes/no) | <no default> | |

      * The addresses entered here are assigned as static IP addresses. When deploying in a cloud service, these values are replaced with the IP address and network settings for your instance.

      ** Shown and required if incident reporting is enabled.

      † The NTP server must be accessible by the AIMS server at the time the startup wizard is run. Installation will fail if the AIMS server is unable to synchronize its time with an NTP server.

      When all of the installation wizard steps have been completed, the AIMS VM will automatically reboot.

      The DNS and NTP servers at the default addresses are only accessible if your instance has a public IP address.

Next steps