
Deploying Pexip Infinity on Amazon Web Services (AWS)

The Amazon Elastic Compute Cloud (Amazon EC2) service provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can deploy Pexip Infinity even faster.

You can use Amazon EC2 to launch as many or as few virtual servers as you need, and use those virtual servers to host a Pexip Infinity Management Node and as many Conferencing Nodes as required for your Pexip Infinity platform.

Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in conferencing requirements. This means that you can also use the AWS APIs and the Pexip Infinity management API to monitor usage and bring up / tear down Conferencing Nodes as required to meet conferencing demand.

Pexip publishes Amazon Machine Images (AMIs) for the Pexip Infinity Management Node and Conferencing Nodes. These AMIs may be used to launch instances of each node type as required.

Deployment options

There are three main deployment options for your Pexip Infinity platform when using AWS:

  • Private cloud: all nodes are deployed within an AWS Virtual Private Cloud (VPC). Private addressing is used for all nodes and connectivity is achieved by configuring a VPN tunnel from the corporate network to the VPC. As all nodes are private, this is equivalent to an on-premises deployment which is only available to users internal to the organization.
  • Public cloud: all nodes are deployed within an AWS VPC. Private addressing is used for all nodes but, in addition, public IP addresses are allocated to each node. These public addresses are then configured on the relevant node as a static NAT address. Access to the nodes is permitted from the public internet, or a restricted subset of networks, as required.
  • Hybrid cloud: the Management Node, and optionally some Conferencing Nodes, are deployed in the corporate network. A VPN tunnel is created from the corporate network to the VPC. Additional Conferencing Nodes are deployed in the VPC and are managed from the on-premises Management Node. Access to the AWS-hosted Conferencing Nodes may be restricted as per private cloud or may be made more widely available, as per public cloud.

Limitations

The following limitations currently apply:

  • All of the Pexip Infinity node instances that are hosted on AWS must be deployed in a single AWS region, in order for inter-node communication between the Management Node and all of its associated Conferencing Nodes to succeed. (In a hybrid cloud deployment, some nodes may be deployed in the corporate network, but those deployed in the VPC must all be in the same AWS region.)

    Each AWS region contains multiple Availability Zones. A Pexip Infinity system location is equivalent to an AWS Availability Zone.

    Note, however, that service providers may deploy multiple independent Pexip Infinity platforms in any region.

  • SSH access to AWS-hosted Pexip Infinity nodes requires key-based authentication. (Password-based authentication is considered insufficiently secure for use in the AWS environment and is not permitted.) An SSH key pair must be set up within the AWS account used to launch the Pexip Infinity instances and must be assigned to each instance at launch time. You can create key pairs within AWS via the EC2 Dashboard Key Pairs option, or use third-party tools such as PuTTYgen to generate a key pair and then import the public key into AWS. Note that:

    • Pexip Infinity node instances only support a single key pair.
    • If you are using a Linux or Mac SSH client to access your instance you must use the chmod command to make sure that your private key file on your local client (SSH private keys are never uploaded) is not publicly viewable. For example, if the name of your private key file is my-key-pair.pem, use the following command: chmod 400 /path/my-key-pair.pem

    See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html for more information about creating a key pair.
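A small check for the private key file permissions described above. This is an added example, not Pexip's or AWS's own tooling; it assumes a Linux or Mac client, and the demo writes a throw-away placeholder key in a temporary directory rather than touching a real key.

```python
"""Check that an EC2 SSH private key file is readable only by its owner,
which is what the chmod 400 step above ensures. Added example, not Pexip's
or AWS's own tooling; demo() creates a placeholder key file in a temporary
directory and never touches a real key."""
import os
import stat
import tempfile


def private_key_permission_problems(path):
    """Return a list of problems with the key file's permissions (empty means OK).
    OpenSSH itself refuses to use a private key that has any group/other bits set."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: no such file" % path]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s: not a regular file" % path)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s: mode %s is readable by group/other; run: chmod 400 %s"
                        % (path, oct(mode), path))
    return problems


def lock_down_private_key(path):
    """Apply chmod 400 (owner read-only) and re-check the file."""
    os.chmod(path, 0o400)
    return private_key_permission_problems(path)


def demo():
    """Create a placeholder key with the permissive mode a fresh download often has,
    record the problems, fix them, and return (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "my-key-pair.pem")
        with open(key, "w") as f:
            # Placeholder content only; this is not a real key.
            f.write("-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(key, 0o644)
        before = private_key_permission_problems(key)
        after = lock_down_private_key(key)
        os.chmod(key, 0o600)   # make the placeholder deletable again on cleanup
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run `private_key_permission_problems("/path/my-key-pair.pem")` against your own downloaded key before the first `ssh -i` attempt; an empty list means the file already satisfies the chmod 400 requirement.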

Recommended instance types

AWS instances come in many different sizes. In general, Pexip Infinity Conferencing Nodes should be considered compute intensive and Management Nodes reflect a more general-purpose workload.

For deployments of up to 30 Conferencing Nodes, we recommend using:

  • an m4.large instance for a Management Node
  • a c4.2xlarge instance for Conferencing Nodes

Larger instance types (such as c4.4xlarge and c4.8xlarge) may be used, but the capacity does not increase linearly so these may not represent the best value.

AWS security groups

Access to AWS instances is restricted by the AWS firewall. This may be configured by associating an instance with an AWS security group that specifies the permitted inbound and outbound traffic from the group.

A minimal AWS security group that permits access to a public cloud style Pexip Infinity deployment would look similar to this:

Inbound rules

Type               Protocol   Port range    Source
SSH                TCP        22            <management station IP address/subnet>
HTTPS              TCP        443           0.0.0.0/0
Custom TCP Rule    TCP        1720          0.0.0.0/0
Custom TCP Rule    TCP        5060          0.0.0.0/0
Custom TCP Rule    TCP        5061          0.0.0.0/0
Custom TCP Rule    TCP        8443          <management station IP address/subnet>
Custom TCP Rule    TCP        33000-49999   0.0.0.0/0
Custom UDP Rule *  UDP        5060          0.0.0.0/0
Custom UDP Rule    UDP        40000-49999   0.0.0.0/0
Custom UDP Rule    UDP        500           <sg-12345678>
Custom UDP Rule    UDP        1719          0.0.0.0/0
Custom Protocol    ESP (50)   All           <sg-12345678>
All ICMP           ICMP       All           <management station IP address/subnet>

* only required if you intend to enable SIP over UDP

Outbound rules

Type               Protocol   Port range    Destination
All traffic        All        All           0.0.0.0/0

Where 0.0.0.0/0 implies any source / destination, <management station IP address/subnet> should be restricted to a single IP address or subnet for SSH access only, and <sg-12345678> is the identity of this security group (and thus permits traffic from other AWS instances — the Management Node and Conferencing Nodes — associated with the same security group).

A single security group can be applied to the Management Nodes and all Conferencing Nodes. However, if you want to apply further restrictions to your Management Nodes (for example, to exclude the TCP/UDP signaling and media ports), then you can configure additional security groups and use them as appropriate for each AWS instance. Remember that the Management Nodes and all Conferencing Nodes must be able to communicate with each other.

For further information on the ports and protocols specified here, see Pexip Infinity port usage.
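The following is an added example (not Pexip's or AWS's own tooling) that encodes the inbound rule table above as the IpPermissions structure the AWS CLI accepts, and audits a rule set for the two mistakes this table is designed to avoid: exposing SSH or the management web interface to the world, and forgetting the self-referencing rules the nodes need to reach each other. The management subnet, the group ID sg-12345678 standing for "this security group", and the audit checks themselves are assumptions for illustration.

```python
"""Encode and audit the inbound security group rules from the table above.
Added example (not Pexip's or AWS's own tooling). The rule table comes from the
documentation; the management subnet, the group ID sg-12345678 used to mean
"this security group", and the audit checks are assumptions for illustration."""
import json

MGMT_CIDR = "203.0.113.10/32"   # assumed management station (RFC 5737 documentation range)
SELF_SG = "sg-12345678"          # assumed ID of this security group, as in the table

# (protocol, from_port, to_port, source). A source beginning with "sg-" refers to a
# security group rather than a CIDR. Protocol "50" is ESP, which AWS names by number;
# -1 means "all" and is only meaningful for ICMP and protocols without ports.
INBOUND_RULES = [
    ("tcp", 22, 22, MGMT_CIDR),          # SSH, management station only
    ("tcp", 443, 443, "0.0.0.0/0"),      # HTTPS
    ("tcp", 1720, 1720, "0.0.0.0/0"),    # H.323 call signalling
    ("tcp", 5060, 5060, "0.0.0.0/0"),    # SIP over TCP
    ("tcp", 5061, 5061, "0.0.0.0/0"),    # SIP over TLS
    ("tcp", 8443, 8443, MGMT_CIDR),      # management web interface, management station only
    ("tcp", 33000, 49999, "0.0.0.0/0"),  # TCP range from the table (see Pexip Infinity port usage)
    ("udp", 5060, 5060, "0.0.0.0/0"),    # SIP over UDP (only if enabled)
    ("udp", 40000, 49999, "0.0.0.0/0"),  # UDP media range
    ("udp", 500, 500, SELF_SG),          # IKE, only from nodes in this same group
    ("udp", 1719, 1719, "0.0.0.0/0"),    # H.323 RAS
    ("50", -1, -1, SELF_SG),             # ESP, only from nodes in this same group
    ("icmp", -1, -1, MGMT_CIDR),         # all ICMP from the management station
]

# Ports the table restricts to the management station; never open these to the world.
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 8443)}
# Node-to-node rules that must be scoped to the group itself for inter-node traffic.
NODE_TO_NODE = [("udp", 500), ("50", None)]


def to_ip_permissions(rules):
    """Translate rules into the IpPermissions list accepted by
    'aws ec2 authorize-security-group-ingress --ip-permissions'."""
    perms = []
    for proto, from_port, to_port, source in rules:
        perm = {"IpProtocol": proto}
        if proto in ("tcp", "udp", "icmp"):     # port fields only apply to these
            perm["FromPort"] = from_port
            perm["ToPort"] = to_port
        if source.startswith("sg-"):
            perm["UserIdGroupPairs"] = [{"GroupId": source}]
        else:
            perm["IpRanges"] = [{"CidrIp": source}]
        perms.append(perm)
    return perms


def cli_command(group_id, rules):
    """Render the single CLI call that applies all inbound rules at once."""
    return ("aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (group_id, json.dumps(to_ip_permissions(rules))))


def audit(rules):
    """Return findings: management ports reachable from 0.0.0.0/0, and missing
    self-referencing rules that the Management and Conferencing Nodes need."""
    findings = []
    for proto, from_port, to_port, source in rules:
        for m_proto, m_port in sorted(MANAGEMENT_PORTS):
            if proto == m_proto and from_port <= m_port <= to_port and source == "0.0.0.0/0":
                findings.append("%s/%d is open to 0.0.0.0/0; restrict it to the management subnet"
                                % (proto, m_port))
    for proto, port in NODE_TO_NODE:
        covered = any(r[0] == proto and r[3].startswith("sg-")
                      and (port is None or r[1] <= port <= r[2]) for r in rules)
        if not covered:
            label = proto if port is None else "%s/%d" % (proto, port)
            findings.append("no %s rule scoped to the security group; nodes cannot reach each other"
                            % label)
    return findings


if __name__ == "__main__":
    print(cli_command(SELF_SG, INBOUND_RULES))
    print("audit findings:", audit(INBOUND_RULES) or "none")
```

Running `audit()` over the documented table returns no findings; a catch-all rule such as TCP 0-65535 from 0.0.0.0/0 is reported for both port 22 and port 8443, and a group that drops the UDP 500 or ESP self-references is reported as one that will break Management Node to Conferencing Node communication.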

IP addressing

Within a VPC, private IP addresses may be allocated dynamically (using DHCP) or statically, by defining an instance's IP address at launch time. After a private IP address has been assigned to an instance, it will remain associated with that instance until the instance is terminated. The allocated IP address is displayed in the AWS management console.

Public IP addresses may be associated with an instance dynamically (at launch/start time) or statically through use of an Elastic IP. Dynamic public IP addresses do not remain associated with an instance if it is stopped — and thus it will receive a new public IP address when it is next started.

Pexip Infinity nodes must always be configured with the private IP address associated with their instance. The public IP address is associated with the node by configuring it as the Static NAT address for that node (via Platform configuration > Conferencing Nodes).
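An added example, not Pexip's or AWS's own code, that works out the values described in this section for each node (private IP for the node itself, public IP as the Static NAT address) from EC2 instance data, and flags a public IP that is not an Elastic IP and so would change after a stop/start. It also derives the region from each instance's Availability Zone, which covers the single-region rule in the Limitations section above. The dictionaries are constructed samples shaped like the JSON returned by `aws ec2 describe-instances` and `aws ec2 describe-addresses`; every ID and address in them is made up.

```python
"""Work out the private IP, the Static NAT address and the region for Pexip
Infinity nodes from EC2 instance data, and flag a public IP that is not an
Elastic IP. Added example, not Pexip's or AWS's own code. The dictionaries are
constructed samples shaped like 'aws ec2 describe-instances' and
'aws ec2 describe-addresses' JSON; every ID and address in them is made up."""

# Constructed sample: two nodes in one region; the first has an auto-assigned public IP.
DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "Placement": {"AvailabilityZone": "eu-west-1a"},
         "PrivateIpAddress": "10.0.1.25", "PublicIpAddress": "198.51.100.7"},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "Placement": {"AvailabilityZone": "eu-west-1b"},
         "PrivateIpAddress": "10.0.2.40"},
    ]}]
}

# Constructed sample: Elastic IPs allocated in the account (none belongs to the nodes above).
DESCRIBE_ADDRESSES = {"Addresses": [
    {"PublicIp": "198.51.100.99", "AllocationId": "eipalloc-0cccccccccccccccc"},
]}


def _instances(describe_instances):
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            yield inst


def node_addressing(describe_instances, describe_addresses, instance_id):
    """Values to enter for one node: its private IP (the node's own address) and
    its public IP as the Static NAT address, plus whether that public IP is an
    Elastic IP and therefore survives a stop/start."""
    inst = next(i for i in _instances(describe_instances) if i["InstanceId"] == instance_id)
    elastic_ips = {a["PublicIp"] for a in describe_addresses["Addresses"]}
    public_ip = inst.get("PublicIpAddress")       # absent for private-cloud nodes
    return {
        "private_ip": inst["PrivateIpAddress"],
        "static_nat": public_ip,
        "elastic": public_ip in elastic_ips if public_ip else False,
        # Standard zone names are the region plus one letter (eu-west-1a -> eu-west-1).
        "region": inst["Placement"]["AvailabilityZone"][:-1],
    }


def addressing_warnings(info):
    """Explain what would go wrong with the addressing returned by node_addressing()."""
    warnings = []
    if info["static_nat"] and not info["elastic"]:
        warnings.append("public IP %s is dynamic and will change after a stop/start; "
                        "allocate an Elastic IP before using it as the Static NAT address"
                        % info["static_nat"])
    if not info["static_nat"]:
        warnings.append("no public IP: the node is reachable only over the VPN "
                        "(private or hybrid cloud); leave the Static NAT address empty")
    return warnings


def regions_used(describe_instances):
    """All AWS-hosted nodes must share one region; more than one entry here is a problem."""
    return {i["Placement"]["AvailabilityZone"][:-1] for i in _instances(describe_instances)}


if __name__ == "__main__":
    for inst in _instances(DESCRIBE_INSTANCES):
        info = node_addressing(DESCRIBE_INSTANCES, DESCRIBE_ADDRESSES, inst["InstanceId"])
        print(inst["InstanceId"], info, addressing_warnings(info))
    print("regions in use:", regions_used(DESCRIBE_INSTANCES))
```

With real data, feed the parsed output of `aws ec2 describe-instances` and `aws ec2 describe-addresses` into the same functions; a node whose public IP is reported as dynamic should be given an Elastic IP before that address is entered as its Static NAT address, otherwise the configured NAT address stops matching the instance after the first stop/start.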

Assumptions and prerequisites

The deployment instructions assume that within AWS you have already:

  • signed up for AWS and created a user account, administrator groups, etc.
  • created a Virtual Private Cloud network and subnet
  • configured a VPN tunnel from the corporate/management network to the VPC
  • created or imported an SSH key pair to associate with your VPC instances
  • created a security group (see AWS security groups for port requirements)
  • decided in which AWS region to deploy your Pexip Infinity platform (one Management Node and one or more associated Conferencing Nodes).

For more information on setting up your AWS environment, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html.

To deploy and manage your Pexip Infinity platform nodes see:

To look at the steps taken in setting up an example lab deployment of a Management Node in AWS, see http://www.graham-walsh.com/2016/01/deploying-pexip-management-node-in-amazon-web-services/, and to see an example of deploying a Conferencing Node in AWS, see http://www.graham-walsh.com/2016/01/deploying-pexip-conference-node-in-amazon-web-services/.