cfn

About CloudFormation templates

Notice

Operating systems such as AlmaLinux, Debian, Kali Linux, and those that have reached end of life are not supported by DCV and may not work.

Refer to DCV Requirements page for list of supported operating systems.

Requirements

• EC2 instances must be provisioned in a subnet with IPv4 internet connectivity.

Availability

• Verify Region and AZ availablity of the instance type that you specify. Refer to Why am I receiving the error "Your requested instance type is not supported in your requested Availability Zone" when launching an EC2 instance? for more information.
• Subscribe before using a MarketPlace AMI (such as Rocky Linux, AlmaLinux, CentOS or Kali Linux). Marketplace AMIs may only support specific instance types, visit the corresponding Marketplace page to view available options.
• Check the On-Demand Instance quota value of your desired instance type and request quota increase where necessary.

License Agreement

• NVIDIA GRID, NVIDIA Gaming and AMD drivers are for AWS customers only. You are bound by their respective End User License Agreements upon installation of software.
• Templates may offer the option to install Webmin and/or Docker Engine, which are released under BSD-3-Clause and Apache License, Version 2.0 respectively.
• The DLAMI template installs Visual Studio Code which is released under MIT-0 license, and includes AWS Toolkit for Visual Code and other useful extensions.
• Usage indicates acceptance of DCV EULA and license agreements of all software that is installed in the EC2 instance.

Deploying from CloudFormation console

Download <OS>-NICE-DCV.yaml CloudFormation file where <OS> is the desired operating system.

Login to AWS CloudFormation console.

Creating CloudFormation stack

To create CloudFormation stack, choose Create stack at top right of the Stacks page, and then choose With new resources (standard). Choose Upload a template file, click Choose File to select your downloaded .yaml file, and click Next. Enter a Stack name and specify parameters values.

CloudFormation Parameters

In most cases, the default values are sufficient. You will need to specify values for vpcID, subnetID and ec2KeyPair (Linux). For security reasons, configure ingressIPv4 and ingressIPv6 to your IP address.

EC2

• ec2Name : name of EC2 instance
• ec2KeyPair (Linux) : EC2 key pair for SSH access. Create a key pair if you do not have one
• osVersion (where applicable) : operating system version and processor architecture (Intel/AMD x86_64 or Graviton arm64). Default is latest version and arm64
• imageId (where applicable) : System Manager Parameter path to AMI ID
• instanceType : appropriate instance type. The instance type you specify must matches the selected processor architecture. Default is t4g.medium and t3.medium for arm64 and x86_64 architecture respectively
• ec2TerminationProtection : enable EC2 termination protection to prevent accidental deletion. Default is Yes

DCV

• driverType (Windows) : graphics driver to install
  • DCV-IDD (Windows Server 2019 or later) : Indirect Display Driver (IDD) that optimizes the graphics pipeline for higher frame rates and significantly reduces overall CPU usage (default)
  • DCV (Windows Server 2016)
  • NVIDIA-GRID (G4dn, G5, G6, G6e, Gr6 instance) : for professional visualization applications
  • NVIDIA-Gaming (G4dn, G5 instance) : contain optimizations for gaming
  • NVIDIA-Tesla (NVIDIA GPU instance) : for compute workloads. Windows graphics will be handled by IDD driver
    • Use teslaDriverVersion to specify the driver version to install.
  • AMD (G4ad instance)
  • none : do not install any driver

IDD, DCV and NVIDIA GRID driver supports custom display resolution, up to four monitors and 4K resolution.

NVIDIA Tesla driver operates in headless TCC (Tesla Compute Cluster) mode, and only support compute workloads. NVIDIA GRID and Gaming drivers operate in WDDM (Windows Display Driver Model) mode, and support both compute and graphics workloads.

If GPU driver installation does not work, you can select DCV-IDD or none option, and install driver manually. Refer to Prerequisites for accelerated computing instances for GPU driver installation and configuration guidance.

• sessionType (Linux) : virtual (default) or console session type. Virtual sessions support custom resolution, multi-screen across up to four monitors, and up to 4K resolution per display. GPU driver installation option may be available for some Linux OSs (AlmaLinux, Amazon Linux 2, RHEL, Rocky Linux, Ubuntu) as follows:

  • console-with-NVIDIA_GRID_Driver (G4dn, G5, G6, G6e, Gr6 instance) : install NVIDIA GRID drivers (NVIDIA RTX Virtual Workstation (vWS) mode)
  • console-with-NVIDIA_Gaming_Driver (G4dn, G5 instance) : install NVIDIA Gaming drivers
  • *-with-NVIDIA_repo_Driver (NVIDIA GPU instance, e.g. G5g) : uses the operating system package manager to install latest NVIDIA Tesla (also known as NVIDIA Data Center GPU) driver from NVIDIA repository, and provides access to CUDA Toolkit, NVIDIA Container Toolkit and other software. Refer to NVIDIA Driver Installation Guide for supported OS ($distro) and architecture ($arch)
  • *-with-NVIDIA_runfile_Driver (NVIDIA GPU instances) : install NVIDIA Tesla driver using runfile installer from driver downloads.
    • Use teslaDriverVersion to specify the driver version to install
  • virtual-with-NVIDIA_GRID_Driver-GPU_Sharing (G4dn, G5, G6, G6e, Gr6 instance) : install NVIDIA GRID drivers (NVIDIA RTX Virtual Workstation (vWS) mode) with GPU sharing enabled
  • virtual-with-NVIDIA_repo_Driver-GPU_Sharing (NVIDIA GPU x86_64 instance) : install latest NVIDIA Tesla driver from NVIDIA repository with GPU sharing enabled
  • console-with-Ubuntu_repo_Driver (Ubuntu) : install NVIDIA Enterprise Ready Drivers (ERD) from Ubuntu repository

Due to various combinations of drivers, OSs and instance types, GPU driver installation may not work. You can troubleshoot the installation, or select console or virtual option to install driver manually. Refer to Prerequisites for Linux DCV servers for GPU driver installation and configuration guidance.

• teslaDriverVersion (where applicable) : Tesla driver version to install when NVIDIA-Tesla or *-NVIDIA_runfile_Driver option is selected

  • To obtain a suitable version, go to NVIDIA Driver page. Select the Product Type, Product Series, and Product values for your instanceType as per To download a public NVIDIA driver table, and select the correct Operating System. Click Search and copy Version value

• listenPort : DCV server TCP and UDP listen ports. Number must be higher than 1024 and default is 8443

Network

• vpcID : VPC with internet connectivity. Select default VPC if unsure
• subnetID : subnet with internet connectivity. Select subnet in default VPC if unsure. If you specify a different instanceType, ensure that it is available in AZ subnet you select
• displayPublicIP : set this to No for EC2 instance in a subnet that will not receive public IP address. EC2 private IP will be displayed in CloudFormation Outputs section instead. Default is Yes
• assignStaticIP : associates a static public IPv4 address using Elastic IP address to prevent assigned IPv4 address from changing every time EC2 instance is stopped and started. There is a hourly charge when instance is stopped as listed on Elastic IP Addresses on Amazon EC2 Pricing, On-Demand Pricing page. Default is Yes

Remote Access

• ingressIPv4 : allowed IPv4 source prefix to DCV, SSH(Linux), RDP(Windows) and Webmin(Linux) ports, e.g. 1.2.3.4/32. Get your source IP from https://checkip.amazonaws.com. Default is 0.0.0.0/0
• ingressIPv6 : allowed IPv6 source prefix to DCV, SSH(Linux), RDP(Windows) and Webmin(Linux) ports. Use ::1/128 to block all incoming IPv6 access. Default is ::/0
• allowRDPport (Windows) : allow inbound RDP. Option is not related to Fleet Manager Remote Desktop access. Default is No
• allowSSHport (Linux) : allow inbound SSH. Option is not related to EC2 Instance Connect access. Default is Yes
• installWebmin (some Linux OS) : install Webmin web-based system administration tool. Default is No

Web Server

• enableCloudFront: create a Amazon CloudFront distribution to your EC2 instance. Associated charges are listed on Amazon CloudFront pricing page. Default is No
• originType: either EC2 custom origin or VPC origin. Most AWS Regions support VPC Origins, which allow CloudFront to deliver content even if your EC2 instance is in a VPC private subnet. Default is EC2
• allowWebServerPorts : allow inbound HTTP/HTTPS to EC2 instance. This option is not related to enableCloudFront Default is No

CloudFormation template does not install web server on EC2 instance

EBS

• volumeSize : EBS root volume size in GiB
• volumeType : gp2 or gp3 general purpose EBS type. Default is gp3

Backup

• enableBackup : EC2 data protection with AWS Backup. Associated charges are listed on AWS Backup pricing page. Default is No
• scheduleExpression : start time of backup using CRON expression. Default is 1 am daily
• scheduleExpressionTimezone : timezone in which the schedule expression is set. Default is Etc/UTC
• deleteAfterDays : number of days after backup creation that a recovery point is deleted. Default is 35

Verify AWS Backup Region availability before enabling this service.

AWS Global Accelerator (AGA)

• enableAGA : deploy AWS Global Accelerator (AGA) network accelerator, which can optimize streaming traffic especially when connecting over long distances or over unreliable networks. You can use the AWS Global Accelerator Speed Comparison Tool to see the performance difference when transferring data using Global Accelerator. Associated charges are listed on AWS Global Accelerator pricing page. Default is No

Verify AGA Region and Availability Zone (AZ) availability before enabling this service.

Others

• installDocker : install Docker Engine (also known as Docker CE) from Docker repository or Linux OS package repository. On Linux, NVIDIA Container Toolkit will be installed and configured if *-with-NVIDIA-* option is selected. On Windows, you can run Windows containers in process isolation mode. Default is No

Docker Engine is not Docker Desktop. Docker on Linux will use 172.17.0.0/16 subnet.

• r53ZoneID : Amazon Route 53 hosted zone ID to grant EC2 IAM Role access to. To be used for Route 53 DNS-01 challenge by Certbot (or other ACME clients), to obtain certificates for DCV server and/or other applications. A * value will grant access to all Route 53 zones in your AWS account. Permission is restricted to _acme-challenge.* TXT DNS records using resource record set permissions. Default is empty string for no access.

Route 53 must be configured as DNS service for your domain.

Continue Next with Configure stack options, Review Stack, and click Submit to launch your stack.

It may take more than 15 minutes to provision the EC2 instance. After your stack has been successfully created, its status changes to CREATE_COMPLETE.

CloudFormation Outputs and Exports

The following URLs are available in Outputs section

• SSMsessionManager* : SSM Session Manager URL link. Use this to set a strong DCV login user password. Password change command is in Description field.
• DCVwebConsole : DCV web browser console URL link. Login as user specified in Description field.
• EC2console : EC2 Console URL link to manage EC2 instance.
• EC2iamRole : EC2 IAM role URL link to manage permission.
• EC2instanceConnect* (if available, Linux) : EC2 Instance Connect URL link. Functionality is available under certain conditions.
• EC2serialConsole (Linux): EC2 Serial Console URL link. Functionality is available under certain conditions.
• RDPconnect (Windows) : in-browser Fleet Manager Remote Desktop URL link. Use this to update DCV server.

* SSM session manager and EC2 Instance Connect are primarily for remote terminal administration purposes. For best user experience, connect to DCV server using native clients.

The following is available if installWebmin is Yes

• WebminUrl : Webmin URL link. Set the root password by running sudo passwd root from EC2instanceConnect, SSMsessionManager or SSH session, and login as root.

The following are available if enableAGA is Yes

• DCVwebConsoleAGA : DCV web browser console URL link through AGA
• AGAconsole : Global Accelerator console URL link
• AGAipv4Addresses : IPv4 addresses

When connecting to AGA using native Windows, Linux or macOS clients, you may want to explicitly select WebSocket (TCP) protocol. QUIC (UDP) is only supported for direct client-server communication where there are no intermediate proxies, gateways, or load balancers.

The following are available if enableCloudFront is Yes

• CloudFrontConsole : CloudFront console URL link
• CloudFrontURL : CloudFront distribution URL link

The following are available as CloudFormation Exports

• <Stack Name>-IAMRole : IAM role name
• <Stack Name>-InstanceID : EC2 instance ID
• <Stack Name>-SecurityGroup : Security group ID

Using DCV

Refer to DCV User Guide

DCV clients

Besides web browser client, DCV offers Windows, Linux and macOS native clients that support additional features such as QUIC UDP transport protocol, multi-channel audio, and printer redirection. Native clients can be download from https://www.amazondcv.com/.

Remove web browser client

On Linux instances, the web browser client can be disabled by removing nice-dcv-web-viewer package. On Windows instances, download nice-dcv-server-x64-Release.msi and run the command msiexec /i nice-dcv-server-x64-Release.msi REMOVE=webClient from administrator command prompt.

USB remotization

DCV supports USB remotization, allowing use of specialized USB devices, such as 3D pointing devices and two-factor authentication USB dongles, on Windows and Linux OSs. To use feature on a supported Linux server OS, run the command sudo dcvusbdriverinstaller and restart EC2 instance. Feature is for installable Windows clients only.

Secure centralized access

If you have a fleet of Amazon DCV servers, you can use Amazon DCV Connection Gateway to centralize access. Refer to blog Getting started with managing NICE DCV sessions secured behind a NICE DCV Connection Gateway and dcv-samples for more information. Consider Amazon WorkSpaces Family if you are looking for a fully managed VDI (virtual desktop infrastructure) service.

About Windows template

Default Windows AMI is now Windows Server 2022 English-Full-Base. You can retrieve SSM paths to other AMIs from Parameter Store console, AWS CloudShell or AWS CLI. Refer to Query for the Latest Windows AMI Using Systems Manager Parameter Store blog for more information.

GPU Windows instances

The blog Building a high-performance Windows workstation on AWS for graphics intensive applications walks through use of Windows Server template to provision and manage a GPU Windows instance.

For NVIDIA GPU instances, CUDA® Toolkit and cuDNN (CUDA® Deep Neural Network library) can be downloaded and installed from https://developer.nvidia.com/cuda-downloads and https://developer.nvidia.com/cudnn-downloads respectively.

Windows screen resolution

Template configures a default Windows screen resolution of 1920 by 1080. If you wish to modify resolution settings, refer to community article Change Windows EC2 instance default screen resolution

Updating DCV server on Windows

To update DCV Server, connect via Fleet Manager Remote Desktop console using RDPconnect link and run C:\Users\Administrator\update-DCV.cmd

About DLAMI template

DLAMI-NICE-DCV.yaml uses AWS Deep Learning AMI (DLAMI) with Ubuntu OS, and can help machine learning practitioners and researchers build a deep learning desktop on AWS.

Template offers two main AMI options:

• DLAMIs: preconfigured with NVIDIA GPU driver, NVIDIA CUDA, NVIDIA cuDNN, AWS OFI NCCL plugin, Docker with NVIDIA Container Toolkit, and popular deep learning frameworks such as PyTorch and TensorFlow.
  • Go to Release notes for DLAMIs, and view AMI specific release notes (e.g. AWS Deep Learning Base GPU AMI (Ubuntu 22.04)) for supported EC2 instance types.
• Neuron DLAMIs: preconfigured with Neuron SDK and Neuron framework/libraries, and support AWS Trainium and AWS Inferentia instance types. Refer to Neuron DLAMI User Guide for more information.

Refer to DLAMI Developer Guide for usage guidance. Consider Amazon SageMaker if you are looking for a fully managed experience.

About Linux templates

The login user name depends on Linux distributions as follows:

• AlmaLinux, Amazon Linux 2, CentOS Stream 9, RHEL, SLES : ec2-user
• CentOS 7 : centos
• CentOS Stream 8 : cloud-user
• Debian : admin
• Kali Linux : kali
• Rocky Linux : rocky
• Ubuntu, Ubuntu Pro : ubuntu

Console and virtual sessions

DCV offers console and virtual sessions on Linux OS.

With virtual sessions (virtual, virtual-with-*), DCV starts an X server instance, Xdcv, and runs a desktop environment inside the X server. Multiple user sessions are supported for virtual sessions.

With console sessions (console, console-with-*), DCV directly captures the content of the desktop screen. Only one console session can be hosted at a time.

GPU Linux instances

On GPU EC2 instances with drivers installed (*-with-NVIDIA-*), DCV server (/usr/libexec/dcv/dcvagent) can use GPU for hardware based video streaming encoding. Console sessions have direct access to GPU accelerated OpenCL, OpenGL, and Vulkan graphics as illustrated in nvidia-smi screen shot below

There are limits to display resolution and multi-screen support per GPU for console sessions based on selected sessionType option:

• Tesla driver (console-with-NVIDIA_repo_Driver, console-with-NVIDIA_runfile_Driver, console-with-Ubuntu_repo_Driver) : one display of up to 2560x1600 resolution
• Gaming driver (console-with-NVIDIA_Gaming_Driver) : one display of up to 4K resolution
• GRID driver (console-with-NVIDIA_GRID_Driver) : four displays of up to 4K resolution

You can use virtual session option (virtual-with-NVIDIA-*) when using GPU primarily for compute workloads. The CloudFormation templates configure multi-user.target run level for virtual* session, and graphical.target run level for console* and virtual*GPU_sharing session types.

Installing NVIDIA CUDA Toolkit

The templates install and configure NVIDIA Container Toolkit if installDocker is enabled for *-NVIDIA-* session type options. CUDA® Toolkit may subsequently be installed on supported GPU EC2 instances for the following sessionType options:

• *-NVIDIA_repo_* : sudo <packmgr_cli> install -y cuda-toolkit

  • where <packmgr_cli> is the OS package manager command-line tool, e.g.apt or yum/dnf for Ubuntu, and other Linux OSs respectively
  • Refer to CUDA documentation for installation options and post-installation actions

• *-NVIDIA_runfile_*, *-NVIDIA_GRID_* or *-NVIDIA_Gaming_* : refer to CUDA Toolkit Downloads

• *-Ubuntu_repo_* : sudo apt install -y nvidia-cuda-toolkit

Driver and Toolkit installation scripts

NVIDIA driver, CUDA Toolkit, NVIDIA Container Toolkit, and Docker installation/configuration scripts are available from the following re:Post community articles:

• How do I install NVIDIA GPU driver, CUDA Toolkit, NVIDIA Container Toolkit on Amazon EC2 instances running Amazon Linux 2 (AL2)?
• How do I install NVIDIA GPU driver, CUDA toolkit, NVIDIA Container Toolkit on Amazon EC2 instances running Amazon Linux 2023 (AL2023)?
• How do I install NVIDIA GPU driver, CUDA Toolkit, NVIDIA Container Toolkit on Amazon EC2 instances running RHEL/Rocky Linux 8/9?
• How do I install NVIDIA GPU driver, CUDA Toolkit, NVIDIA Container Toolkit on Amazon EC2 instances running Ubuntu Linux?

Depending on use case, DLAMI template may be a more better option.

Updating DCV server on Linux

Use /home/{user name}/update-dcv script to update DCV server.

Troubleshooting

To troubleshoot any installation issue, you can view contents of the following log files

• /var/log/cloud-init-output.log
• /var/log/install-cfn-helper.log
• /var/log/install-dcv.log
• /var/log/install-sw.log
• if GPU driver install option is selected
  • /var/log/install-gpu-driver.log
  • /var/log/nvidia-installer.log (NVIDIA GRID, Gaming and Tesla driver)

About EC2

Restoring from backup

If you enable AWS Backup (enableBackup), you can restore your EC2 instance from recovery points (backups) in your backup vault. The CloudFormation template creates an IAM role that grants AWS Backup permission to restore your backup. Role name can be located in your CoudFormation stack Resources section as the Physical ID value whose Logical ID value is backupRestoreRole

Private subnet

The CloudFormation templates are designed to provision EC2 instances in public subnet. To use them for EC2 instances in private subnets with internet connectivity, set displayPublicIP and assignStaticIP parameter values to No.

Local Zones

To use templates in AWS Local Zones, verify available services features and adjust CloudFormation parameters accordingly. You may have to change osVersion, instanceType and volumeType, and set assignStaticIP to No.

Securing

To futher secure your EC2 instance, you may want to

• Remove web browser client and use native client.
• Restrict DCV/SSH/RDP/Webmin access to your IP address only (ingressIPv4 and ingressIPv6).
• Linux: Disable SSH access from public internet (allowSSHport)
  • Use EC2 Instance Connect or SSM Session Manager for in-browser terminal access, or
  • Start a session using AWS CLI or SSH with Session Manager plugin for the AWS CLI
• Windows: Disallow RDP (allowRDPport) access from public internet.
  • Use Fleet Manager Remote Desktop for in-browser RDP access.
• Use AWS Backup (enableBackup) data protection
  • Enable AWS Backup Vault Lock to prevent backups from accidental or malicious deletion, and for protection from ransomware.
  • If your Region does not support AWS Backup, you can setup automatic EBS snapshots using Amazon Data Lifecycle Manager.
• If hosting a website
  • Use Amazon CloudFront (enableCloudFront) with VPC Origin.
  • The CloudFormation template creates additional inbound HTTP and HTTPS security groups with AWS-managed prefix list for Amazon CloudFront as source where possible. You can remove HTTP and HTTPS public internet inbound (0.0.0.0/0) from your security group
  • Use AWS WAF to protect your CloudFront distribution
• Enable Amazon Inspector to scan EC2 instance for software vulnerabilities and unintended network exposure.
• Enable Amazon GuardDuty security monitoring service with Malware Protection for EC2

Using Cloudwatch agent

Amazon CloudWatch agent is installed in the EC2 instance, and enables collection of EC2 system-level metrics and AWS X-Ray traces. The template configures agent to collect memory utilization and some GPU (*-with-NVIDIA-*) metrics. You can configure Cloudwatch agent to collect other data as follows.

Create agent configuration file

Manually create agent configuration file or use agent configuration file wizard:

• Linux:
  • sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
• Windows PowerShell:
  • cd "C:\Program Files\Amazon\AmazonCloudWatchAgent"
  • .\amazon-cloudwatch-agent-config-wizard.exe

Start Cloudwatch agent

After config.json file is created, start CloudWatch agent:

• Linux:
  • sudo systemctl enable amazon-cloudwatch-agent
  • sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
• Windows PowerShell:
  • sc.exe config AmazonCloudWatchAgent start=auto
  • cd "C:\Program Files\Amazon\AmazonCloudWatchAgent"
  • .\amazon-cloudwatch-agent-ctl.ps1 -a fetch-config -m ec2 -c file:config.json
  • net.exe start AmazonCloudWatchAgent

Refer to How do I install and configure the unified CloudWatch agent to push metrics and logs from my EC2 instance to CloudWatch? for details. To collect GPU metrics, refer to How do I send NVIDIA GPU metrics from my EC2 Linux instances to CloudWatch? and Collect NVIDIA GPU metrics

Clean Up

To remove created resources,

• Disable EC2 instance termination protection (if enabled)
• Delete any recovery points in created backup vault
• Delete CloudFormation stack