Unknown source, 2 October 2024
Deploying NVIDIA Omniverse Nucleus on Amazon EC2

This article describes how to deploy NVIDIA Omniverse Enterprise Nucleus Server on Amazon Elastic Compute Cloud (Amazon EC2), covering its requirements, the technical steps, its advantages, and the related configuration.

NVIDIA Omniverse is a real-time platform based on Pixar's USD and NVIDIA RTX technology; Nucleus is its database and collaboration engine, offering features such as multi-user live connections, efficient synchronization, and a range of management and security capabilities.

Reasons for choosing AWS as the deployment platform include connecting globally distributed users, security controls, and the ability to right-size infrastructure and performance on demand. In the deployment design, an NGINX reverse proxy handles user communication, and the Enterprise Nucleus Server is deployed in a private subnet.

Before deployment, register a domain and create a hosted zone, then configure the CDK stack: create a project folder, initialize the CDK app, run a test, set environment values, remove the sample resources, and add the required libraries.

Define the custom infrastructure resources the deployment needs, such as an Amazon S3 bucket for transferring artifacts, an Amazon VPC configuration, security group ingress rules, a TLS certificate with domain validation, and the reverse proxy resources.

<section class="blog-post-content">
<h2>Introduction</h2>
<p>This post aims to get users up and running with NVIDIA Omniverse Enterprise Nucleus Server on <a href="https://aws.amazon.com/ec2/">Amazon Elastic Compute Cloud (Amazon EC2)</a>. Here I’ll outline the requirements for an Enterprise Nucleus Server deployment and dive deep into the technical steps for getting Nucleus running in your <a href="https://aws.amazon.com/">Amazon Web Services (AWS)</a> account.</p>
<h2>What is Omniverse?</h2>
<p>NVIDIA Omniverse is a scalable, multi-GPU, real-time platform for building and operating metaverse applications, based on Pixar’s Universal Scene Description (USD) and NVIDIA RTX technology.</p>
<p>NVIDIA Omniverse Nucleus is the database and collaboration engine of Omniverse. With Omniverse Nucleus, teams can have multiple live users connected using different applications at once. This allows people to use the application they are most comfortable with and opens a lot of doors for rapid iteration. <a href="https://docs.omniverse.nvidia.com/prod_nucleus/prod_nucleus/overview.html">Learn more on the NVIDIA Omniverse Introduction Documentation</a>.</p>
<p>Nucleus operates under a publish-and-subscribe model and enables efficient live synchronization between NVIDIA Omniverse applications. Changes to USD scenes are transmitted in real time between connected Omniverse clients. Clients connect using the publish-and-subscribe pattern, which makes it possible for them to receive submitted changes in near real time.</p>
<p>Other Nucleus features include user and group management, asset access control lists (ACLs) for fine-grained access control, versioning with checkpoints, single sign-on (SSO) with SAML authentication, and TLS encryption support.</p>
<h2>Why AWS?</h2>
<p>There are multiple reasons to deploy Nucleus on the AWS Global Cloud Infrastructure. With AWS you can connect distributed users all over the globe.
Our security, identity, and access management controls allow you to retain complete control over your data. Also, with the variety of compute instance types and storage solutions AWS offers, you can right-size your infrastructure and fine-tune performance as needed.</p>
<h2>Solution Overview</h2>
<p>The following steps outline a solution that implements the basic components of a Nucleus deployment. To handle communication from end users, an Amazon EC2 instance configured as an NGINX reverse proxy is deployed in a public subnet. The reverse proxy accepts TLS traffic and has a TLS certificate from <a href="https://aws.amazon.com/certificate-manager/">AWS Certificate Manager (ACM)</a>. Typically, this component would be an <a href="https://aws.amazon.com/elasticloadbalancing/">Elastic Load Balancer (ELB)</a>, but the Nucleus Server requires path rewrites in the request, which an ELB does not currently support.</p>
<p>The Enterprise Nucleus Server is an Amazon EC2 instance deployed to a private subnet that only accepts traffic from the reverse proxy subnet. The Enterprise Nucleus Server runs the Nucleus Enterprise Stack, which is deployed as a Docker Compose stack. The Nucleus instance needs a NAT Gateway and an Internet Gateway to communicate with NVIDIA NGC. This procedure uses the basic Nucleus stack with TLS support, and not SSO.</p>
<h2>Prerequisites</h2>
<h2>Deploying Omniverse Nucleus on Amazon EC2</h2>
<p><img class="aligncenter wp-image-63 size-large" src="https://d2908q01vomqb2.cloudfront.net/a17554a0d2b15a664c0e73900184544f19e70227/2022/09/22/Deploying-NVIDIA-Omniverse-Nucleus-on-Amazon-EC2-architecture-1024x687.png" alt="Omniverse Enterprise Nucleus on Amazon EC2 Architecture" width="1024" height="687" /></p>
<h3>Register a domain and create a hosted zone with Amazon Route 53</h3>
<p>First, you will need a hosted zone and a domain for the Nucleus Server.
<a href="https://aws.amazon.com/route53/">Amazon Route 53 (Route 53)</a> allows registration of a domain, such as my-omniverse.com, and creation of a subdomain, such as nucleus.my-omniverse.com, for the Nucleus Server. When registering a domain, communication occurs with the domain registrar. It is best to do this step manually and then reference the Hosted Zone ID, created by Route 53, in the subsequent configuration steps.</p>
<p>See this page for more information on registering a domain and creating a hosted zone: <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html">Registering a new domain</a>.</p>
<h3>Configure the CDK Stack</h3>
<p>Next, you will configure a CDK stack with basic resources for the Nucleus deployment.</p>
<p><strong>Step 1.</strong> Open a terminal and create a project folder for your CDK app</p>
<p>The name of the folder will become the application name. For this procedure, nucleus-app is the name used.</p>
<p><strong>Step 2.</strong> Change directory into the folder created in Step 1 and initialize your CDK app with the following command:</p>
<p>Now your project structure should be the following:</p>
<p><code>nucleus-app.ts</code> is the main entry point for the app and the file that subsequent CDK commands will reference. When viewing this file, you can see it imports <code>lib/nucleus-app-stack.ts</code>, which is where you’ll put custom code for your deployment.</p>
<p><strong>Step 3.</strong> Run a basic “Hello World” test</p>
<p>Deploy the starter CDK stack with <code>cdk deploy</code>. This will produce a basic stack and confirm your CLI and CDK are properly configured.</p>
<p><strong>Step 4.</strong> Set default account and AWS Region environment values</p>
<p>Open <code>bin/nucleus-app.ts</code> and set the default account and Region environment (env) values.
The contents of the file should look like the following:</p>
<p><strong>Step 5.</strong> Remove sample resources</p>
<p>Open <code>lib/nucleus-app-stack.ts</code> and remove the sample <a href="https://aws.amazon.com/sqs/">Amazon Simple Queue Service (SQS)</a> and <a href="https://aws.amazon.com/sns/">Amazon Simple Notification Service (SNS)</a> resources. Your file should now look like the following:</p>
<p><strong>Step 6.</strong> Add the below CDK libraries, as these are required in subsequent steps</p>
<h3>Define Stack Resources</h3>
<p>Next, you will define the custom infrastructure resources required for the deployment. Code samples in this section need to be added inside the constructor of the NucleusAppStack class.</p>
<p><strong>Step 1.</strong> Create an <a href="https://docs.aws.amazon.com/s3/?id=docs_gateway">Amazon Simple Storage Service (Amazon S3)</a> bucket for artifacts</p>
<p>First, create a simple Amazon S3 bucket that will be used to transfer artifacts from our local client to the Amazon EC2 instances. As per security best practices, enable encryption, enforce SSL, and block public access. Then create an <a href="https://aws.amazon.com/iam/">AWS Identity and Access Management (IAM)</a> policy that allows listing the bucket and getting objects from it. This policy will be attached to our Amazon EC2 instance profile role.</p>
<p><strong>Step 2.</strong> Add an <a href="https://aws.amazon.com/vpc/">Amazon Virtual Private Cloud (VPC)</a> configuration</p>
<p>Specify the private subnet that contains the NAT gateway with a route to the internet. Then provision two security groups that the proxy server and the Nucleus Server will use.</p>
<p><strong>Step 3.</strong> Add security group ingress rules</p>
<p>Configure the proxy and Nucleus security groups to allow traffic on the required ports. The Nucleus security group only allows traffic from the proxy security group. The proxy security group allows traffic from a specific CIDR range. You’ll want to set this to a range you will use to connect to the server. For example, you can use the IP address of the client machine you plan to connect from, and enter that IP with a network mask appended as the CIDR range. For this solution, the recommended network mask is /32.</p>
<p><strong>Step 4.</strong> Add TLS Certificate and set the domain from Step 1 for validation</p>
<p>Note: the root-domain variable must be set to the domain registered with the Route 53 hosted zone from Step 1.</p>
<p>Note: Currently there is no additional management of this CNAME record, meaning that when you no longer require it, you’ll have to remove it manually from your Route 53 Hosted Zone.</p>
<p><strong>Step 5.</strong> Add reverse proxy resources</p>
<p>For the reverse proxy, configure it with Nitro Enclaves enabled. Enclaves provide isolated compute environments to protect and securely process highly sensitive data; in this case that’s our TLS certificate. On top of that, Nitro Enclaves supports integration with AWS Certificate Manager, which means Certificate Manager can automatically handle rotation of the certificate. For more information, see the <a href="https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html">AWS Nitro Enclaves User Guide</a>.</p>
<p>Starting from the AWS Certificate Manager for Nitro Enclaves AMI, create a c5.xlarge instance with 32GB of storage. In this case c5.xlarge was chosen as one of the smallest available instances that meet the requirements of the Nitro Enclaves AMI. Configure a basic instance role with the AmazonSSMManagedInstanceCore policy. This allows you to connect to the instance with <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html">AWS Systems Manager (SSM)</a> and avoid opening the instance to SSH traffic over the internet.</p>
<p>Finally, attach a “dummy” IAM policy to the reverse proxy.
This is an empty policy which will get updated with the configuration scripts.</p>
<p>Note: if your Region is not in the list of Regions below, review the AMI listing on the AWS Marketplace, <a href="https://aws.amazon.com/marketplace/pp/prodview-f4gcl7narsmle">AWS Certificate Manager for Nitro Enclaves</a>, or the AWS documentation on finding the correct AMI ID, <a href="https://docs.aws.amazon.com/managedservices/latest/userguide/find-ami.html">Finding AMI IDs</a>.</p>
<div class="hide-language"><pre class="lang-ts">// AWS Certificate Manager for Nitro Enclaves AMI, keyed by Region
const proxyServerAMI = new ec2.GenericLinuxImage({
  'us-west-1': 'ami-0213075968e811ea7', // california
  'us-west-2': 'ami-01c4415fd6c2f0927', // oregon
  'us-east-1': 'ami-00d96e5ee00daa484', // virginia
  'us-east-2': 'ami-020ea706ac260de21', // ohio
  'ca-central-1': 'ami-096dd1150b96b6125', // canada
  'eu-central-1': 'ami-06a2b19f6b97762cb', // frankfurt
  'eu-west-1': 'ami-069e205c9dea19322', // ireland
  'eu-west-2': 'ami-069b79a2d7d0d9408' // london
});

// Instance role: SSM access (no inbound SSH) plus read access to the artifacts bucket
const proxyInstanceRole = new iam.Role(this, 'proxyInstanceRole', {
  assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
  description: 'EC2 Instance Role',
  managedPolicies: [
    iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore')
  ],
  inlinePolicies: { getBucketObjectsPolicy: getBucketObjectsPolicy }
});

const cfnInstanceProfile = new iam.CfnInstanceProfile(this, 'proxyInstanceProfile', {
  roles: [proxyInstanceRole.roleName],
});

// using CfnInstance because it exposes enclaveOptions
const cfnInstance = new ec2.CfnInstance(this, 'reverseProxyServer', {
  blockDeviceMappings: [{
    deviceName: '/dev/xvda',
    ebs: {
      encrypted: true,
      volumeSize: 32,
    }
  }],
  enclaveOptions: {
    enabled: true,
  },
  imageId: proxyServerAMI.getImage(this).imageId,
  instanceType: 'c5.xlarge',
  securityGroupIds: [proxySG.securityGroupId],
  subnetId: vpc.selectSubnets({ subnetGroupName: 'publicSubnetNatGateway' }).subnetIds[0],
  tags: [{ key: 'Name', value: 'Nucleus-ReverseProxy' }],
  iamInstanceProfile: cfnInstanceProfile.ref
});

// Point the Nucleus domain name at the proxy's public DNS name
new route53.CnameRecord(this, 'CnameApiRecord', {
  recordName: fullDomain,
  zone: hostedZone,
  domainName: cfnInstance.attrPublicDnsName,
});

// Placeholder policy; the certificate association script in the next section
// replaces it with permissions scoped to the enclave certificate
const revProxyCertAssociationPolicy = new iam.ManagedPolicy(this, 'revProxyCertAssociationPolicy', {
  statements: [
    new iam.PolicyStatement({
      actions: ["s3:GetObject"],
      resources: ["*"]
    })
  ]
});
proxyInstanceRole.addManagedPolicy(revProxyCertAssociationPolicy);</pre></div>
<p><strong>Step 6.</strong> Add Nucleus Server resources</p>
<p>Next, configure the Nucleus Server. Start with the Ubuntu 20.04 LTS AMI and c5.4xlarge as the instance type. C5 instances are optimized for compute-intensive workloads and deliver cost-effective high performance at a low price per compute ratio. The instance has 16 vCPUs and 32GB of memory. An <a href="https://aws.amazon.com/ebs/">Amazon Elastic Block Store (EBS)</a> volume with 512GB of storage is attached to the instance. These specs were chosen to be sufficiently large for a proof of concept.</p>
<p>The instance user data script is configured to install docker, docker-compose, and the AWS CLI.</p>
<p><strong>Step 7.</strong> Configure stack outputs</p>
<p>Next, add output values so you can easily reference them later.</p>
<p><strong>Step 8.</strong> Deploy the stack</p>
<p>Once this is complete, you will have the basic resources required, and next you will configure them.</p>
<p>If you encounter the following CDK deploy error:</p>
<p>Check that you have the correct domain specified and that your hosted zone exists in the Route 53 console: <a href="https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones">Route 53 Hosted zones</a>.</p>
<p><strong>Step 9.</strong> Note the stack output values.
You’ll use them in the following sections.</p>
<h3>Configure The Reverse Proxy Server</h3>
<p><strong>Step 1.</strong> Associate Enclave certificate with proxy instance IAM role</p>
<p>The first thing you have to do with the reverse proxy is associate your certificate with the IAM role that the Nitro Enclave uses. In the following code, replace <code>tls-certificate-arn</code>, <code>proxy-instance-role-arn</code>, <code>proxy-cert-association-policy-arn</code>, and <code>region</code> with the stack output values from above.</p>
<p>Note: The following script was written in Python 3.9. If you have issues with conflicting Python versions, it’s recommended that you set up a local <code>virtualenv</code>. For more information, see <a href="https://docs.python.org/3/tutorial/venv.html">Python Tutorial: Virtual Environments and Packages</a>.</p>
<p>This script associates an identity and IAM role with an <a href="https://aws.amazon.com/certificate-manager/">AWS Certificate Manager (ACM)</a> certificate. This enables the certificate to be used by the ACM for Nitro Enclaves application inside an enclave. For more information, see <a href="https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html">Certificate Manager for Nitro Enclaves</a> in the AWS Nitro Enclaves User Guide. The script then updates the IAM role policy with permissions to get its own role, download the certificate, and decrypt it.</p>
<p>Save the script to a file and run it from the terminal:</p>
<p><strong>Step 2.</strong> Configure Nginx conf</p>
<p>NVIDIA provides a sample Nginx config for the Nucleus deployment. It is packaged within the provided archive file.
At the time of writing, the latest was <code>nucleus-stack-2022.1.0+tag-2022.1.0.gitlab.3983146.613004ac.tar.gz</code>.</p>
<p>Open the archive and look for <code>ssl/nginx.ingress.router.conf</code>.</p>
<p>This file needs to be updated and then placed at <code>/etc/nginx/nginx.conf</code> on the reverse proxy instance.</p>
<p>First, you need to update the config with the configuration outlined in the AWS Certificate Manager for Nitro Enclaves guide: <a href="https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html">Nitro Enclaves application: AWS Certificate Manager for Nitro Enclaves</a>.</p>
<p>At the top of the file, in the main context, add the following:</p>
<p>After the line <code># Configure your SSL options as required by your security practices</code>, add the below snippet:</p>
<p>Next, update the config file with the Nucleus Server private DNS address and the fully qualified domain for your server. Replace instances of <code>my-ssl-nucleus.my-company.com</code> with your domain. Then, replace instances of <code>BASE_STACK_IP_OR_HOST</code> with the <code>nucleusServerPrivateDnsName</code> from the stack outputs above.</p>
<p><strong>Step 3.</strong> Copy the .conf file to Amazon S3</p>
<p><strong>Step 4.</strong> Connect to the proxy instance</p>
<p>From your web browser, navigate to the <a href="https://console.aws.amazon.com/ec2/v2/home">EC2 Dashboard</a> in the AWS Console, select the Nucleus-ReverseProxy instance, and press the <strong>Connect</strong> button.</p>
<p>Select the <strong>Session Manager</strong> tab, then press the <strong>Connect</strong> button.</p>
<p><img class="aligncenter wp-image-62" src="https://d2908q01vomqb2.cloudfront.net/a17554a0d2b15a664c0e73900184544f19e70227/2022/09/22/Deploying-NVIDIA-Omniverse-Nucleus-on-Amazon-EC2-image-1.png" alt="Session Manager tab of the Nucleus Reverse Proxy instance" width="768" height="315" /></p>
<p><strong>Step 5.</strong> In the terminal, copy the <code>nginx.conf</code> file from Amazon S3 to <code>/etc/nginx/</code></p>
<p><strong>Step 6.</strong> While still in the proxy server terminal, rename the sample ACM for Nitro Enclaves configuration file from <code>/etc/nitro_enclaves/acm.example.yaml</code> to <code>/etc/nitro_enclaves/acm.yaml</code> using the following command:</p>
<p><strong>Step 7.</strong> Update the <code>acm.yaml</code> <code>certificate_arn</code> value</p>
<p>Using your preferred text editor, open <code>/etc/nitro_enclaves/acm.yaml</code>. In the ACM section, update <code>certificate_arn</code> with the ARN of the certificate from our stack. This is the <code>tls-certificate-arn</code> from the stack outputs above. Save and close the file.</p>
<p><strong>Step 8.</strong> Start the Nginx server</p>
<p><strong>Step 9.</strong> Confirm the server is accepting TLS requests to your domain</p>
<p>You’ll see a generic HTML template as output.</p>
<h3>Configure Nucleus Server</h3>
<p>Much of the following comes from NVIDIA’s documentation on deploying a Nucleus Server. Review these docs for more information: <a href="https://docs.omniverse.nvidia.com/prod_nucleus/prod_nucleus/enterprise/installation/quick_start_tips.html#enterprise-nucleus-server-quick-start-tips">Enterprise Nucleus Server Quick Start Tips</a>.</p>
<p><strong>Step 1.</strong> From your local computer, using the AWS CLI, copy the Nucleus Stack archive to Amazon S3</p>
<p><strong>Step 2.</strong> Connect to the Nucleus Server with EC2 Session Manager</p>
<p>With your web browser, navigate to the EC2 Dashboard in the AWS Console, select the Nucleus-Server instance, press the <strong>Connect</strong> button, and then press the <strong>Connect</strong> button again on the <strong>Session Manager</strong> tab.</p>
<p><strong>Step 3.</strong> In the Nucleus-Server terminal, change directory to the home directory, and then copy the Nucleus Stack from S3</p>
<p><strong>Step 4.</strong> Unpack the archive to an appropriate directory, then <code>cd</code> into that directory</p>
<p><strong>Step 5.</strong> Update nucleus-stack.env</p>
<p>With your preferred text editor, review the <code>nucleus-stack.env</code> file. It is recommended that you review this file in its entirety. You will use this file to confirm that you accept the NVIDIA Omniverse end user license agreement.</p>
<p>Then update the following <code>nucleus-stack.env</code> variables as needed</p>
<p><strong>Step 6.</strong> Generate secrets required for authentication</p>
<p>Note: the following is required because you are not using SSO integration at this time. See the security notes in <code>nucleus-stack.env</code> for more information.</p>
<p><strong>Step 7.</strong> Pull the Nucleus docker images</p>
<div class="hide-language"><pre class="lang-bash">sudo docker-compose --env-file ${omniverse_root}/base_stack/nucleus-stack.env -f ${omniverse_root}/base_stack/nucleus-stack-ssl.yml pull</pre></div>
<p><strong>Step 8.</strong> Start the Nucleus stack</p>
<h3>Usage</h3>
<p>Back on your local machine, test a connection to your Nucleus Server by pointing your web browser to the domain you specified in the <code>.env</code> file. You should be greeted with the following login dialog:</p>
<p><img class="aligncenter wp-image-64 size-medium" src="https://d2908q01vomqb2.cloudfront.net/a17554a0d2b15a664c0e73900184544f19e70227/2022/09/22/Deploying-NVIDIA-Omniverse-Nucleus-on-Amazon-EC2-image-2-263x300.png" alt="Omniverse Login Window" width="263" height="300" /></p>
<p>Here you can use the Master or Service Username and Password configured in <code>nucleus-stack.env</code>, or press <strong>Create Account</strong>.
Then you’ll be presented with a navigator view of your Nucleus Server content.</p>
<p><img class="aligncenter wp-image-65 size-full" src="https://d2908q01vomqb2.cloudfront.net/a17554a0d2b15a664c0e73900184544f19e70227/2022/09/22/Deploying-NVIDIA-Omniverse-Nucleus-on-Amazon-EC2-image-3.png" alt="Omniverse Nucleus Server content window" width="936" height="210" /></p>
<h3>Cleanup</h3>
<p><strong>Step 1.</strong> Disassociate the Nitro Enclave certificate by running the disassociate_enclave_cert.py script</p>
<p><strong>Step 2.</strong> Delete the stack by running <code>cdk destroy</code> from the nucleus-app application folder.</p>
<h3>Conclusion</h3>
<p>This post provides the basics to get up and running with NVIDIA Omniverse Nucleus on Amazon EC2 using the Docker Compose container. It walked through the setup procedures of the Amazon EC2 Nucleus and reverse proxy servers, implemented S3 for storage and retrieval of configuration files, and Route 53 private hosted zones for secure, private access to your Omniverse data.</p>
<p>This deployment of Nucleus on Amazon EC2 allows your teams, no matter where they are located, to collaborate and interact in real time while building 3D products, applications, and experiences.</p>
<p>To learn more about spatial computing at AWS, continue following along here on the Spatial Computing Blog channel.</p>
<h2>Additional Reading</h2>
<p>This information may also be found on the AWS GitHub repository, <a href="https://github.com/aws-samples/nvidia-omniverse-nucleus-on-amazon-ec2">NVIDIA Omniverse Nucleus on Amazon EC2</a>.</p>
<h3>AWS Services</h3>
<ul>
<li><a href="https://aws.amazon.com/ec2/">Amazon EC2</a>, secure and resizable compute capacity for virtually any workload</li>
<li><a href="https://aws.amazon.com/route53/">Amazon Route 53</a>, a reliable and cost-effective way to route end users to Internet applications</li>
<li><a href="https://aws.amazon.com/s3/">Amazon S3</a>, object storage built to retrieve any amount of data from anywhere</li>
<li><a href="https://aws.amazon.com/ebs/">Amazon EBS</a>, easy to use, high performance block storage at any scale</li>
<li><a href="https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html">AWS Certificate Manager for Nitro Enclaves</a>, public and private TLS certificates with web servers running on Amazon EC2 instances</li>
</ul>
<h3>NVIDIA Omniverse Nucleus</h3>
<ul>
<li><a href="https://docs.omniverse.nvidia.com/prod_nucleus/prod_nucleus/overview.html">Nucleus Overview</a></li>
<li><a href="https://docs.omniverse.nvidia.com/prod_nucleus/prod_nucleus.html">Nucleus Documentation</a></li>
</ul>
</section>
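Added example (not code from the post or the aws-samples project) for the security group design in Define Stack Resources, Step 3: a check run over a hand-constructed CloudFormation fragment shaped like `cdk synth` output, verifying that the Nucleus group admits only the proxy group and the proxy group only a single /32. It handles both the inline `SecurityGroupIngress` property and standalone `AWS::EC2::SecurityGroupIngress` resources; the logical ids, ports and the 203.0.113.10 client address are constructed placeholders.

```python
import ipaddress
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample shaped like `cdk synth` output. Logical ids, ports and the
# RFC 5737 client address are placeholders, not values from the post's stack.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "ProxySG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "reverse proxy",
                # inline form: emitted for rules on a group the stack creates
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "203.0.113.10/32"},
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "NucleusSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "nucleus"}},
        # standalone form: emitted when the rule references another group
        "NucleusFromProxy": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["NucleusSG", "GroupId"]},
                "IpProtocol": "tcp", "FromPort": 3009, "ToPort": 3009,
                "SourceSecurityGroupId": {"Fn::GetAtt": ["ProxySG", "GroupId"]},
            },
        },
    }
}


def _group_ref(value: Any) -> str:
    """Resolve a GroupId / SourceSecurityGroupId to a logical id or literal string."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return str(value)


def iter_ingress_rules(template: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (target group logical id, rule properties) for inline and standalone rules."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield _group_ref(props.get("GroupId")), props


def check_ingress(template: Dict[str, Any], proxy_sg: str, nucleus_sg: str) -> List[str]:
    """Return findings; an empty list means the template matches the post's design."""
    findings: List[str] = []
    for target, rule in iter_ingress_rules(template):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        ports = f"{rule.get('FromPort')}-{rule.get('ToPort')}"
        if target == nucleus_sg:
            # Nucleus may only be reached from the proxy group, never from a CIDR.
            if cidr is not None:
                findings.append(f"{nucleus_sg}: CIDR rule {cidr} on {ports}; expected source group {proxy_sg}")
            elif _group_ref(rule.get("SourceSecurityGroupId")) != proxy_sg:
                src = _group_ref(rule.get("SourceSecurityGroupId"))
                findings.append(f"{nucleus_sg}: source group {src} on {ports}; expected {proxy_sg}")
        elif target == proxy_sg:
            # The proxy admits exactly one client address, so the prefix must be a full host mask.
            if cidr is None:
                findings.append(f"{proxy_sg}: rule on {ports} has no CIDR source")
                continue
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"{proxy_sg}: unparsable CIDR {cidr} on {ports}")
                continue
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{proxy_sg}: {cidr} on {ports} admits more than one host (expected /{net.max_prefixlen})")
    return findings
```

Running `check_ingress(SAMPLE_TEMPLATE, "ProxySG", "NucleusSG")` flags only the constructed 0.0.0.0/0 rule on port 80.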
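Added example (not the post's association script or the project's code) for Configure The Reverse Proxy Server, Step 1 and the Cleanup step: the scoped policy document that replaces the placeholder `s3:GetObject`-on-`*` policy, built from the values `ec2.associate_enclave_certificate_iam_role` returns, with a wildcard check that shows why the placeholder must not stay in place. Only `build_enclave_cert_policy` and `has_wildcard_resource` run offline; `apply_association` and `remove_association` make real boto3 calls and assume credentials that can call EC2 and IAM, and the policy shape follows the AWS Nitro Enclaves user guide.

```python
import json
from typing import Any, Dict

# Mirror of the CDK placeholder attached as revProxyCertAssociationPolicy:
# s3:GetObject on every object in every bucket. It exists only so the role has
# a managed policy whose default version the association step can replace.
DUMMY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["*"]}],
}


def build_enclave_cert_policy(bucket: str, kms_key_id: str, region: str, role_arn: str) -> Dict[str, Any]:
    """Permissions the enclave role needs: read the encrypted certificate bundle ACM
    writes to S3, decrypt it with the association's KMS key, and describe its own role.
    The S3 statement stays bucket-wide, as in the AWS guide, because ACM owns and
    rotates the object key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadEnclaveCertificate", "Effect": "Allow",
             "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "DecryptEnclaveCertificate", "Effect": "Allow",
             "Action": "kms:Decrypt", "Resource": f"arn:aws:kms:{region}:*:key/{kms_key_id}"},
            {"Sid": "DescribeOwnRole", "Effect": "Allow",
             "Action": "iam:GetRole", "Resource": role_arn},
        ],
    }


def has_wildcard_resource(policy: Dict[str, Any]) -> bool:
    """True when any Allow statement targets Resource '*' (the placeholder does)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources:
            return True
    return False


def apply_association(cert_arn: str, role_arn: str, policy_arn: str, region: str) -> Dict[str, Any]:
    """Associate the certificate with the enclave role and swap the placeholder
    policy for the scoped one. Makes real AWS calls; boto3 is imported here so the
    pure functions above stay importable offline."""
    import boto3  # assumed: credentials able to call EC2 and IAM
    ec2 = boto3.client("ec2", region_name=region)
    iam = boto3.client("iam")
    assoc = ec2.associate_enclave_certificate_iam_role(CertificateArn=cert_arn, RoleArn=role_arn)
    policy = build_enclave_cert_policy(
        assoc["CertificateS3BucketName"], assoc["EncryptionKmsKeyId"], region, role_arn)
    # A managed policy holds at most five versions; prune old ones if this call is rejected.
    iam.create_policy_version(PolicyArn=policy_arn, PolicyDocument=json.dumps(policy), SetAsDefault=True)
    return policy


def remove_association(cert_arn: str, role_arn: str, region: str) -> None:
    """Cleanup step: undo the association before cdk destroy removes the role."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.disassociate_enclave_certificate_iam_role(CertificateArn=cert_arn, RoleArn=role_arn)
```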
