Deploying AIMS in GCP

This topic explains how to deploy AI Media Server (AIMS) in Google Cloud Platform (GCP). Pexip publishes a disk image for the AIMS virtual machine that you can run on a VM instance in GCP.

For information regarding manual customization or maintenance tasks such as re-running the installation wizard or replacing the AIMS's default certificate, see Configuration and maintenance of the AI Media Server.

Prerequisites

Pexip Infinity

AIMS requires Pexip Infinity v36 or later. See AIMS / Pexip Infinity version features for information about which versions of Pexip Infinity are required to support the features available in each version of AIMS.

NVIDIA GPU

The AIMS VM requires complete control of all GPUs assigned to it — the GPUs cannot be shared with any other VM.

The following NVIDIA GPU models are supported in GCP:

  • NVIDIA L4 (in GCP: g2-standard-8 (or larger) instance — 1 x L4 GPU)
  • NVIDIA A100 (in GCP: a2-highgpu-8g instance — 8 x A100 GPUs)
  • NVIDIA H100 (in GCP: a3-highgpu-8g instance — 8 x H100 GPUs)

If you are unsure about compatibility with a given GPU, please contact your Pexip authorized support representative.

Host hardware requirements

For cloud deployments, your service provider will supply sufficient CPU and RAM to match the selected instance type and GPU quantity.

GCP prerequisites

These deployment instructions assume that within GCP you have already:

  • signed up to the Google Cloud Platform
  • configured a Google Cloud VPN (for a private or hybrid cloud deployment)

For more information on setting up your Google Cloud Platform Virtual Machines, see https://cloud.google.com/compute/docs/instances/.

Firewall and DNS requirements

You must configure DNS for your deployment as follows:

  • There must be a DNS A record for the AIMS server.
  • The AIMS server must have a DNS name that is resolvable by Conferencing Nodes.
  • On Pexip Infinity, you must enter the AIMS server's host address (as per the DNS record) as the Live captions service API gateway (under Platform > Global settings > Live captions).

When requesting/generating certificates for your AIMS server:

  • The AIMS server requires TLS certificates with SHA256 or later signature algorithms. Certificates using legacy algorithms such as SHA1 and MD5 are not supported.
  • The AIMS server must have a certificate with either a CN or SAN that matches the AIMS server's host address (as per the DNS record), and this certificate must be trusted by Pexip Infinity.
  • We recommend using a 4096 bit public key (2048 bit minimum).
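
The certificate requirements above can be checked before the certificate is installed. The following script is an added example, not Pexip tooling: it assumes the openssl CLI is available, applies the key-size rule to RSA keys only, and does not check whether Pexip Infinity trusts the issuing chain.

```sh
#!/bin/sh
# Added example: pre-flight check of a PEM certificate against the requirements above.
# Assumptions: the openssl CLI is installed; the key-size rule is applied to RSA keys;
# trust by Pexip Infinity (the issuing chain) is not checked here.

# SHA256 or later: reject SHA1/MD5, accept SHA-256/384/512, treat anything else as
# unrecognised so it gets a manual look.
sig_alg_ok() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *sha1*|*md5*) return 1 ;;
    *sha256*|*sha384*|*sha512*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_aims_cert <cert.pem> <AIMS host address>; returns 0 only if every check passes.
check_aims_cert() {
  cert=$1 host=$2 rc=0
  text=$(openssl x509 -in "$cert" -noout -text) || { echo "FAIL: cannot parse $cert"; return 2; }

  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  sig_alg_ok "$sig" || { echo "FAIL: signature algorithm '$sig' is not SHA256 or later"; rc=1; }

  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
      echo "FAIL: ${bits:-unknown}-bit RSA key is below the 2048-bit minimum"; rc=1
    elif [ "$bits" -lt 4096 ]; then
      echo "NOTE: ${bits}-bit key meets the minimum; 4096 bits is recommended"
    fi
  fi

  # -checkhost matches SAN dNSName entries, falling back to the CN when there are none.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "FAIL: no CN or SAN matches '$host'"; rc=1; }
  return "$rc"
}

# Usage: sh check_aims_cert.sh aims.pem aims.example.com   (file and host are placeholders)
if [ "$#" -eq 2 ]; then check_aims_cert "$1" "$2"; fi
```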

The following table lists the ports/protocols used to carry traffic between the AIMS server and Conferencing Nodes, DNS servers and NTP servers:

Source address | Source port | Destination address | Destination port | Protocol | Notes
AIMS | 123, 55000–65535 | NTP server | 123 | UDP | Required for correct log timestamps.
AIMS | 55000–65535 | DNS server | 53 | TCP/UDP | Required to resolve NTP and other addresses.
Conferencing Node | <any> | AIMS | 443 | TCP (HTTPS) | Access live captions service.

Web proxies are not supported for this traffic flow.

Configuring GCP firewall rules

Access to GCP instances is restricted by the GCP firewall. The firewall must be configured to permit the following traffic flows. When creating these rules, they should target a tag, for example pexip-aims. This tag should then be added when creating your AIMS VM.

Inbound rules

Type | Protocol | Port range | Source
SSH | TCP | 22 | <management station IP address/subnet>
HTTPS | TCP | 443 | <Conferencing Node IP range(s)>
All ICMP | ICMP | All | <management station IP address/subnet>

Outbound rules

Type | Protocol | Port range | Source
All traffic | All | All | 0.0.0.0/0

Where 0.0.0.0/0 implies any source / destination, and <management station IP address/subnet> should be restricted to a single IP address or subnet for SSH access only.

The AIMS instance and all Conferencing Nodes in your Pexip Infinity deployment must be able to communicate with each other. If your AIMS instance only has a private address, ensure that the necessary external systems such as NTP and DNS servers are routable from those nodes.
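
The inbound rules above can also be created from the gcloud CLI. The following script is an added example, not part of the Pexip documentation: it prints the three `gcloud compute firewall-rules create` commands for review and refuses any source range that would open a rule to every address. The rule names, the "default" network and the sample CIDRs are assumptions.

```sh
#!/bin/sh
# Added example: print the gcloud commands for the inbound rules listed above.
# Assumptions (not from the page): the rule names, the "default" network name
# and the sample CIDRs are placeholders; the tag pexip-aims is the page's example.
# Outbound traffic is left to the VPC's implied allow-egress rule.

# Accept only IPv4 CIDRs with a prefix of /1 to /32, so "any source" (0.0.0.0/0) is refused.
valid_source() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'
}

# emit_rule <name> <protocol[:port]> <source-ranges> <network> <tag>
emit_rule() {
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS' "$1" "$4"
  printf ' --action=ALLOW --rules=%s --source-ranges=%s --target-tags=%s\n' "$2" "$3" "$5"
}

# aims_firewall_cmds <mgmt_cidr> <node_cidrs,comma-separated> [network] [tag]
aims_firewall_cmds() {
  mgmt=$1 nodes=$2 network=${3:-default} tag=${4:-pexip-aims}
  valid_source "$mgmt" || { echo "refusing management source '$mgmt'" >&2; return 1; }
  [ -n "$nodes" ] || { echo "no Conferencing Node ranges given" >&2; return 1; }
  old_ifs=$IFS; IFS=,
  for cidr in $nodes; do
    valid_source "$cidr" || { IFS=$old_ifs; echo "refusing node source '$cidr'" >&2; return 1; }
  done
  IFS=$old_ifs
  emit_rule "${tag}-ssh"   tcp:22  "$mgmt"  "$network" "$tag"
  emit_rule "${tag}-https" tcp:443 "$nodes" "$network" "$tag"
  emit_rule "${tag}-icmp"  icmp    "$mgmt"  "$network" "$tag"
}

# Constructed sample values (documentation address ranges); review, then pipe to sh to apply.
aims_firewall_cmds 203.0.113.10/32 198.51.100.0/24,198.51.100.128/25
```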

Installing AIMS in GCP

Installation summary

Deploying an AIMS instance in GCP consists of the following steps:

  1. In GCP, obtain the Pexip AIMS disk image.
  2. Use the launch wizard to launch an AIMS instance.
  3. After the AIMS instance has booted, SSH into it and set the administrator password. This will then terminate the SSH session.
  4. SSH in to AIMS again and complete the installation wizard.

These steps are described below in more detail.

Obtaining the AIMS disk images

To copy a disk image into your project you must use the gcloud CLI tool. The easiest way to do this is via the Cloud Shell terminal (the terminal icon at the top right of the GCP interface opens a terminal at the bottom of the browser).

You can use the following commands to copy the images:

  • gcloud compute images create pexip-aims-2-0-0-440-0-0 --source-image pexip-aims-2-0-0-440-0-0 --source-image-project pexip-product-images

The images are then copied into your project, which allows them to be selected when creating a VM later on. These commands may take a little while to complete.

Note:

  • If you are running an older version of AIMS then the image name (pexip-aims-2-0-0-440-0-0 in the command above) must be replaced with a name from the list below.
  • "pexip-product-images" is the GCP unique identifier of the Pexip GCP project that hosts the images for public consumption.

Previous AIMS releases

AIMS version | Image name
v1 | pexip-aims-1-0-0-270-0-0

Configuring and launching an AIMS instance

  1. From the GCP project console, go to Compute engine > VM instances.
  2. Select Create Instance.
  3. Complete the following fields (leave all other settings as default):

    Name: Enter a unique name for the instance, for example "pexip-aims".
    Zone: Select an appropriate Zone. Typically you should choose a zone that is geographically close to the location from where it will be administered.
    Machine type: Select an instance with a supported GPU.
    Boot disk:
    1. Select Change.
    2. Select Custom images.
    3. Select your GCP project.
    4. Select a Boot disk type of SSD where available.
    5. Select Select.
    Identity and API access: For Service account, select No service account.

    Networking:

    Network tags

    Expand the Advanced options section and open the Networking section.

    Assign a Network tag to the instance, for example "pexip-aims".

    This is the tag that should be targeted by your AIMS firewall rules (see Configuring GCP firewall rules).

    Networking:

    External IP

    You must decide whether or not to assign a public IP address to the instance.

    Note that AIMS only needs to be publicly accessible if you want to perform system administration tasks from clients located in the public internet.

    SSH keys

    An SSH key must be applied to the AIMS instance if you are not already using a project-wide key for all of the instances in your project.

    The username element of the SSH key must be "admin" or "admin@<domain>". To apply an instance-level key:

    1. Open the Security section and then open the Manage Access section.
    2. Select Add item to add your own, existing SSH key. This produces a text box. Copy the contents of your public SSH key file and paste them into the text box. Modify the username element at the end of the key to "admin" or "admin@<domain>" if necessary.
  4. Select Create to create the instance.

Connecting over SSH

Next you connect over SSH into the AIMS instance to complete the installation.

  1. Use an SSH client to access the AIMS instance by its private IP address, supplying your private key file as appropriate.
  2. Follow the login process in the SSH session:

    1. At the login prompt, enter the username admin.
    2. Supply the key passphrase, if requested.
    3. At the "Enter new UNIX password:" prompt, enter your desired password, and then when prompted, enter the password again.

    This will then log you out and terminate your SSH session.

Running the installation wizard

  1. Reconnect over SSH into the AIMS instance and continue the installation process:
    1. Log in again as admin.

      You are presented with another login prompt:

      [sudo] password for admin:

    2. Enter the UNIX password you just created.

      The AIMS installation wizard will begin after a short delay.

    3. Follow the prompts to set the following configuration for the AIMS VM.

      If you subsequently rerun the installation wizard, the default values for the questions use the answers from the previous run (if they are still valid).

      If you select Enter, the default value is applied:

      Setting | Default value | Multiple entries allowed?
      IP address | The IP address must match the internal IP address allocated by GCE (the default should be correct). | No
      Network mask | The Network mask must be 255.255.255.255 | No
      Gateway | The Gateway must be the internal IP address of the gateway for the GCE region (the default should be correct). | No
      Hostname | As assigned by DHCP, otherwise pexaims | No
      Domain suffix | As assigned by DHCP, otherwise <no default> | No
      DNS servers | Configure one or more DNS servers. You must override the default values if it is a private deployment. | Yes, if separated by a space or comma
      NTP servers † | Configure one or more NTP servers. You must override the default values if it is a private deployment. | Yes, if separated by a space or comma
      Enable incident reporting (yes/no) | <no default> |
      Contact email address ** | <no default> | No
      Send deployment and usage statistics to Pexip (yes/no) | <no default> |

      ** Shown and required if incident reporting is enabled.

      † The NTP server must be accessible by the AIMS server at the time the startup wizard is run. Installation will fail if the AIMS server is unable to synchronize its time with an NTP server.

      When all of the installation wizard steps have been completed, the AIMS VM will automatically reboot.

      The DNS and NTP servers at the default addresses are only accessible if your instance has a public IP address.

Next steps