cfn

Notice

Operating systems such as AlmaLinux, Debian, Kali Linux, and those that have reached end of life are not supported by NICE DCV and may not work. Usage indicates acceptance of NICE DCV EULA and license agreements of all software that is installed in the EC2 instance. Refer to NICE DCV documentation site for list of supported operating systems.

About CloudFormation templates

EC2 instances must be provisioned in a subnet with IPv4 internet connectivity.

When using a MarketPlace AMI such as Rocky Linux, AlmaLinux, CentOS or Kali Linux, subscribe before using.

Verify availablity of the instance type that you specify. (Refer to Why am I receiving the error "Your requested instance type is not supported in your requested Availability Zone" when launching an EC2 instance?) Marketplace AMIs may only support specific instance types, visit the corresponding Marketplace page to view available options.

For templates that offers both x86_64 and arm64 options, ensure that the instance type you specify matches your selected processor architecture.

Deployment via CloudFormation console

Download <OS>-NICE-DCV.yaml CloudFormation file where <OS> is the desired operating system, and login to AWS CloudFormation console. Start the Create Stack wizard by choosing Create Stack. Select stack template by selecting Upload a template file, Choose File, select your .yaml file and click Next. Enter a Stack name and specify parameters values.

CloudFormation Parameters

In most cases, the default values are sufficient. You will need to specify values for vpcID, subnetID and ec2KeyPair (Linux only).

Version

• osVersion (where applicable): operating system version and processor architecture (Intel/AMD x86_64 or Graviton arm64). Default is latest version and arm64
• imageId (where applicable): System Manager Parameter path to AMI ID

EC2

• ec2Name: name of EC2 instance
• ec2KeyPair (Linux): EC2 key pair for SSH access. Create a key pair if you do not have one
• instanceType: appropriate instance type. Default is t4g.medium and t3.medium for arm64 and x86_64 architecture respectively

NICE DCV

• driverType (Windows): graphics driver to install

  • NICE-DCV-IDD: Indirect Display Driver (IDD) that optimizes the graphics pipeline for higher frame rates and significantly reduces overall CPU usage (default)
  • NICE-DCV (Windows Server 2016)
  • NVIDIA-GRID (G4dn, G5, G6, Gr6 instance): for professional visualization applications
  • NVIDIA-Gaming (G4dn, G5 instance): contain optimizations for gaming
  • NVIDIA-Tesla (NVIDIA GPU instance): for compute workloads. Use teslaDriverVersion to specify the driver version to install. As driver operates in TCC mode, IDD driver will be installed in addition to Tesla driver.
  • AMD (G4ad instance)
  • none: do not install any driver

• sessionType (Linux): virtual (default) or console session type. GPU driver installation option may be available for some Linux OSs (AlmaLinux, Amazon Linux 2, RHEL, Rocky Linux, SLES, Ubuntu) as follows

  • console-with-NVIDIA_GRID_Driver (G4dn, G5, G6, Gr6 instance)#: install NVIDIA GRID drivers (NVIDIA RTX Virtual Workstation (vWS) mode)

  • console-with-NVIDIA_Gaming_Driver (G4dn, G5 instance)#: install NVIDIA Gaming drivers

  • console-with-Ubuntu_repo_Driver (Ubuntu only): install NVIDIA Enterprise Ready Drivers (ERD) from Ubuntu repository.

  • *-with-NVIDIA_repo_Driver (NVIDIA GPU instances such as G5g instance): uses the operating system package manager to install latest NVIDIA Tesla (also known as NVIDIA Data Center GPU) drivers from NVIDIA repository, and provides access to CUDA and cuDNN packages

  • *-with-NVIDIA_runfile_Driver: install NVIDIA Tesla driver using runfile installer from driver downloads. Use teslaDriverVersion to specify the driver version to install

  • *-with-AMD_ROCm_repo_Driver(G4ad instance) : uses the operating system package manager to install AMD GPU drivers from AMD repository, and provides access to ROCm packages

  Note that due to different combinations of drivers, OSs and instance types, GPU driver installation via CloudFormation template may not work. You can select console option and install driver manually. Refer to Prerequisites for Linux NICE DCV servers for details about NICE DCV GPU driver installation and configuration.

• teslaDriverVersion (where applicable): Tesla driver version to install when NVIDIA-Tesla or *-NVIDIA_runfile_Driver option is selected for driverType or sessionType respectively.

  • To obtain a suitable version, go to NVIDIA Driver Downloads. Select the Product Type, Product Series, and Product values for your instanceType as per To download a public NVIDIA driver table, and select the correct Operating System. Click Search and copy Version value

• listenPort: NICE DCV server TCP and UDP listen ports. Number must be higher than 1024 and default is 8443

Networking

• vpcID: VPC with internet connectivity. Select default VPC if unsure
• subnetID: subnet with internet connectivity. Select subnet in default VPC if unsure. If you specify a different instanceType, ensure that it is available in AZ subnet you select
• displayPublicIP: set this to No for EC2 instance in a subnet that will not receive public IP address. EC2 private IP will be displayed in CloudFormation Outputs section instead. Default is Yes
• assignStaticIP: associates a static public IPv4 address using Elastic IP address to prevent assigned IPv4 address from changing every time EC2 instance is stopped and started. There is a hourly charge when instance is stopped as listed at Elastic IP Addresses on Amazon EC2 Pricing, On-Demand Pricing page. Default is Yes

Allowed IP prefix and ports

• ingressIPv4: allowed IPv4 source prefix to NICE DCV, SSH(Linux) and RDP(Windows) ports, e.g. 1.2.3.4/32. Get source IP from https://checkip.amazonaws.com. Default is 0.0.0.0/0
• ingressIPv6: allowed IPv6 source prefix to NICE DCV, SSH(Linux) and RDP(Windows) ports. Use ::1/128 to block all incoming IPv6 access. Default is ::/0
• allowRDPport (Windows): allow inbound RDP. Option is not related to Fleet Manager Remote Desktop access. Default is No
• allowSSHport (Linux): allow inbound SSH. Option is not related to EC2 Instance Connect access. Default is Yes
• allowWebServerPorts: allow inbound HTTP and/or HTTPS. Use this option if you intend to setup web server. Default is No

EBS Volume

• volumeSize: EBS root volume size in GiB
• volumeType: gp2 or gp3 general purpose EBS type. Default is gp3

Continue Next with Configure stack options, Review Stack, and click Submit to launch your stack.

It may take more than 30 minutes to provision the EC2 instance. After your stack has been successfully created, its status changes to CREATE_COMPLETE.

CloudFormation Outputs and Exports

The following URLs are available in Outputs section

• SSMsessionManager: SSM Session Manager URL link. Use this to change login user password. Password change command is in Description field.
• DCVwebConsole: NICE DCV web browser console URL link. Login as user specified in Description field.
• EC2console: EC2 console URL link to manage EC2 instance or to get the latest IPv4 (or IPv6 if enabled) address.
• EC2instanceConnect (if available, Linux): in-browser SSH URL link. Functionality is only available under certain conditions.
• RDPconnect (Windows): in-browser Fleet Manager Remote Desktop URL link. Use this to update NICE DCV server.

The following values are available as CloudFormation Exports

• <Stack Name>-IAMRole: IAM role name
• <Stack Name>-InstanceID: EC2 instance ID
• <Stack Name>-SecurityGroup: Security group ID

Using NICE DCV

Refer to NICE DCV User Guide

NICE DCV clients

Besides web browser client, NICE DCV offers Windows, Linux, and macOS native clients with additional features such as QUIC UDP, multi-channel audio and printer redirection support. Native clients can be download from https://download.nice-dcv.com/.

Remove web browser client

On Linux instances, the web browser client can be disabled by removing nice-dcv-web-viewer package. On Windows instances, download nice-dcv-server-x64-Release.msi and run the command msiexec /i nice-dcv-server-x64-Release.msi REMOVE=webClient from administrator command prompt.

USB remotization

NICE DCV supports USB remotization, allowing use of specialized USB devices, such as 3D pointing devices and two-factor authentication USB dongles, on Windows and Linux OSs. To use feature on a supported Linux OS, run the command sudo dcvusbdriverinstaller and restart EC2 instance. Note that USB remotization is supported on installable Windows clients only.

About Windows template

Default Windows AMI is now Windows Server 2022 English-Full-Base. You can retrieve SSM paths to other AMIs from Parameter Store console, AWS CloudShell or AWS CLI. Refer to Query for the Latest Windows AMI Using Systems Manager Parameter Store blog for more information.

To update NICE DCV Server, connect via Fleet Manager Remote Desktop console using RDPconnect link and run C:\Users\Administrator\update-DCV.cmd

GPU Windows instances

The blog Building a high-performance Windows workstation on AWS for graphics intensive applications walks through use of Windows Server template to provision and manage a GPU Windows instance.

Note that the NVIDIA GRID, NVIDIA Gaming and AMD drivers are for AWS customers only and you are bound by conditions and terms as per Install NVIDIA drivers on Windows instances and Install AMD drivers on Windows instances.

For NVIDIA GPU instances, CUDA® Toolkit and cuDNN can be downloaded and installed from https://developer.nvidia.com/cuda-downloads and https://developer.nvidia.com/cudnn-downloads respectively.

About Linux templates

The login user name depends on Linux distributions as follows:

• AlmaLinux, Amazon Linux 2, CentOS Stream 9, RHEL, SLES : ec2-user
• CentOS 7, CentOS Stream 8 : centos
• Debian : admin
• Kali Linux : kali
• Rocky Linux : rocky
• Ubuntu, Ubuntu Pro : ubuntu

You can use update scripts (update-dcv, update-awscli) in /home/{user name} folder via SSM Session Manager or EC2 Instance Connect to update NICE DCV and AWS CLI.

Console and virtual sessions

NICE DCV offers two types of sessions: console sessions and virtual sessions. With console sessions, NICE DCV directly captures the content of the desktop screen. With virtual sessions, NICE DCV starts an X server instance, Xdcv, and runs a desktop environment inside the X server. Multiple user sessions on a single server are allowed for virtual sessions. Refer to Introduction to NICE DCV sessions for more details.

The CloudFormation template configure multi-user.target and graphical.target as default run level for virtual and console session type options respectively.

GPU driver installation

On GPU EC2 instances with GPU drivers installed and configured, NICE DCV console sessions have direct access to the GPU, providing features such as GPU accelerated OpenGL and hardware accelerated video streaming encoding (screen shot below). For best results, connect to your EC2 instance using native client.

#NVIDIA GRID and NVIDIA gaming drivers are for AWS customers only. You are bound by conditions and terms as per Install NVIDIA drivers on Linux instances.

NVIDIA CUDA Toolkit, cuDNN and NVIDIA Container Toolkit installation

CUDA® Toolkit, cuDNN (CUDA® Deep Neural Network library) and NVIDIA Container Toolkit can subsequently be installed in EC2 instance based on selected sessionType option:

• *-Ubuntu_repo_Driver

  • CUDA: sudo apt install -y nvidia-cuda-toolkit
  • cuDNN: sudo apt install -y nvidia-cudnn
  • Container Toolkit: refer to https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html

• *-NVIDIA_repo_Driver

  <packmgr_cli> below is the OS package manager command-line tool, e.g.apt, zypper or yum/dnf for Ubuntu, SLES and other Linux OSs respectively.

  • CUDA: sudo <packmgr_cli> install -y cuda-toolkit

    Refer to CUDA documentation site for installation options

  • cuDNN: sudo <packmgr_cli> install -y cudnn

    Refer to cuDNN documentation site for installation options

  • Container Toolkit: sudo <packmgr_cli> install -y nvidia-container-toolkit

    Refer to NVIDIA Container Toolkit documentation site for installation details

• *-NVIDIA_runfile_Driver, *-NVIDIA_GRID_Driver or *-NVIDIA_Gaming_Driver

  • CUDA: refer to https://developer.nvidia.com/cuda-downloads
  • cuDNN: refer to https://developer.nvidia.com/cudnn-downloads
  • Container Toolkit: refer to https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html

Refer to CUDA, cuDNN and NVIDIA Container Toolkit documentation sites for more details.

About EC2

Private subnet

The CloudFormation templates are designed to provision EC2 instances in public subnet. To use them for EC2 instances in private subnets with internet connectivity, set displayPublicIP and assignStaticIP parameter values to No.

Local Zones

To use templates in AWS Local Zones, verify available services features and adjust CloudFormation parameters accordingly. You may have to change osVersion, instanceType and volumeType, and set assignStaticIP to No.

Securing

To futher secure your EC2 instance, you may want to

• Remove web browser client and use native client
• Restrict NICE DCV and SSH access to your IP address only (ingressIPv4 and ingressIPv6).
• Disable SSH (allowSSHport) access from public internet. Use EC2 Instance Connect or SSM Session Manager for in-browser terminal access. If you have AWS CLI and Session Manager plugin for the AWS CLI installed, you can start a session using AWS CLI or SSH.
• Backup data in your EC2 instances with EBS snapshots. You can setup automatic snapshots using Amazon Data Lifecycle Manager or AWS Backup (with AWS Backup Vault Lock for enhanced security posture).
• Enable Amazon GuardDuty security monitoring service with Malware Protection to detect the potential presence of malware in EBS volumes.
• If you are hosting a website, use Amazon CloudFront with AWS WAF to protect your instance from DDoS and common web attacks. The Accelerate and protect your websites using Amazon CloudFront and AWS WAF blog post and CloudFront dynamic websites CloudFormation template may help with CloudFront distribution setup. When using CloudFront, you can restrict your EC2 instance HTTP and HTTPS port access to CloudFront IPs only. The CloudFormation template creates additional inbound HTTP and HTTPS security groups with AWS-managed prefix list for Amazon CloudFront as source where possible.

Using Cloudwatch agent

Amazon CloudWatch agent is installed in the EC2 instance, and enables collection of EC2 system-level metrics and AWS X-Ray traces.

Create agent configuration file

Before running, create agent configuration file. You can use agent configuration file wizard:

• Linux:
  • sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
• Windows PowerShell:
  • cd "C:\Program Files\Amazon\AmazonCloudWatchAgent"
  • .\amazon-cloudwatch-agent-config-wizard.exe

Start Cloudwatch agent

After config.json file is created, start CloudWatch agent:

• Linux:
  • sudo systemctl enable amazon-cloudwatch-agent
  • sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
• Windows PowerShell:
  • sc.exe config AmazonCloudWatchAgent start=auto
  • cd "C:\Program Files\Amazon\AmazonCloudWatchAgent"
  • .\amazon-cloudwatch-agent-ctl.ps1 -a fetch-config -m ec2 -c file:config.json
  • net.exe start AmazonCloudWatchAgent

Refer to How do I install and configure the unified CloudWatch agent to push metrics and logs from my EC2 instance to CloudWatch? for more details.

Clean Up

The created resources can be removed by deleting the CloudFormation stack. Go to CloudFormation console, choose the stack you created and choose Delete