Reference Cloud for Jetson devices running Metropolis Microservices
As part of this release, we provide software for a reference cloud that offers the functionality needed to operate devices in production, including:
Remote access to devices by clients; specifically, remote invocation of device APIs.
Authentication and authorization of users when accessing the devices through the cloud.
A mechanism to assist in setting up peer-to-peer video streaming between the device and the client application.
A separate, secure, encrypted “always connected” network link between the cloud and each device.
Developers can adapt, extend, customize, and deploy their own instance of the reference cloud based on the provided deployment artifacts. These include containers for constituent software, deployment scripts, and associated services. Currently, the deployment is supported on AWS but can be easily extended to other cloud or on-premises deployment platforms as well.
The following diagram shows the reference cloud in relation to the other components involved in managing and operating Jetson devices running Metropolis Microservices.
In the above diagram, “Client App” refers to either a mobile or web application that end-users can use to interact with the device running Metropolis microservices. The cloud acts as an intermediary between the client application and the device. Client applications can access the REST APIs exposed by various microservices on the device via the cloud in a secure and distributed manner.
An End-User Identity Service Provider (IdP) is responsible for verifying the identity of a user and providing that information to the cloud, typically using standard authentication protocols like OAuth. Examples of End-User Identity Service Providers include Microsoft Azure Active Directory, Google Identity Platform, and AWS Cognito. The cloud provided by NVIDIA is a reference implementation in AWS for connecting to and working with your Jetson devices running Metropolis Microservices. Users can deploy their own instance of the cloud in AWS using the deployment scripts provided by NVIDIA.
Cloud setup
To start using the cloud, first deploy it based on the instructions in Installation and Setup to set it up within your AWS account. Once the cloud is set up and available, users can use it to connect, manage, and interact with their devices through the presented APIs.
This section describes the typical workflow followed to connect to and use Jetson devices running Metropolis Microservices. Users can choose to explore the device’s capabilities using a mobile app or directly via the supported APIs.
Connecting device to Cloud
Once the cloud is set up, the next step is to connect devices to it securely. Follow the steps in the AI NVR document to connect your device to the cloud. Pay special attention to its ‘Reference Cloud’ section, which describes the OTP setup for the cloud connection. At the end of this stage, your device should be running and connected to the cloud.
Claim the device ownership in Cloud
To use a device, the end-user must first claim ownership of their device using the cloud.
The user needs a claim code to claim a device. Refer to Device ownership in reference Cloud for details on how to obtain the claim code from the device. Device ownership can be claimed only once. The end-user can claim a device either with the mobile app or through the device claim API. For additional details, refer to the section on device claim via the cloud.
A user can claim a device only when the following requirements are met:
Device should be online and connected to the Cloud
Device ownership not already claimed
Note
The device claim code is considered a security asset. Until device ownership is claimed, it is strongly recommended to keep the device claim code safe and not share it with others.
Cloud interaction using the mobile app or the cloud/device APIs
Users can either use a mobile app or directly utilize APIs to connect with and explore the device’s capabilities.
Cloud interaction using APIs
In general, cloud APIs can be classified into two broad categories:
Device-bound APIs, exposed by services running on the device (VST, Metropolis microservices, etc.)
Cloud-bound APIs, implemented and served by the cloud itself
When a user invokes a device-specific API, the cloud first authenticates and authorizes the request and then acts as a plain proxy, routing it all the way to the connected device.
For additional details on accessing the device APIs via the cloud, refer to Cloud APIs.
Reference Cloud APIs are mainly used for user management and setup.
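The two claim requirements listed above and the proxy rule (authenticate and authorize before routing a device-bound call) modelled as an added example; this is hypothetical Python written for this page, not NVIDIA's reference cloud code, and the registry, function names and claim codes are constructed placeholders:

```python
"""Hypothetical model of the reference cloud's device-claim and proxy-authorization
rules. Added example, not NVIDIA's code; uses an in-memory registry instead of a DB."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Device:
    device_id: str
    claim_code: str              # security asset: generated on the device, used once
    online: bool = False         # tracked through the always-connected link
    owner: Optional[str] = None  # set exactly once by a successful claim

class ClaimError(Exception):
    """Raised when one of the claim requirements is not met."""

def claim_device(registry: Dict[str, Device], device_id: str,
                 claim_code: str, user_id: str) -> Device:
    """Claim ownership: device must be online, unclaimed, and the code must match."""
    dev = registry.get(device_id)
    if dev is None or not dev.online:
        raise ClaimError("device is not online / not connected to the cloud")
    if dev.owner is not None:
        raise ClaimError("device ownership already claimed")
    # Constant-time comparison so the claim code cannot be probed via timing.
    if not hmac.compare_digest(dev.claim_code.encode(), claim_code.encode()):
        raise ClaimError("invalid claim code")
    dev.owner = user_id
    dev.claim_code = ""          # one-shot: the code is useless after the claim
    return dev

def authorize_device_api(registry: Dict[str, Device], device_id: str, user_id: str) -> bool:
    """Proxy rule: a device-bound API call is forwarded only to a device the caller owns."""
    dev = registry.get(device_id)
    return dev is not None and dev.online and dev.owner == user_id

def claim_outcome(registry: Dict[str, Device], device_id: str,
                  claim_code: str, user_id: str) -> str:
    """Turn a claim attempt into a status string (handy for audit logging)."""
    try:
        claim_device(registry, device_id, claim_code, user_id)
        return "claimed"
    except ClaimError as exc:
        return str(exc)

def sample_registry() -> Dict[str, Device]:
    """Constructed sample: one online and one offline device with placeholder codes."""
    return {"jetson-01": Device("jetson-01", "CLAIM-CODE-1", online=True),
            "jetson-02": Device("jetson-02", "CLAIM-CODE-2", online=False)}
```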
Cloud interaction using the mobile app
To interact with the cloud using the mobile app, the reference mobile app must be recompiled to point to your deployment’s cloud endpoint. Refer to the AI-NVR Mobile Application Build for instructions on how to do this.
The mobile app enables users to enter a device-specific claim code, generated as per the instructions provided above, to gain access to the device. Once connected, users can interact with the device using the full range of functionalities provided in the mobile app.
Note that for video streaming to work out-of-the-box through WebRTC, the mobile device and the Jetson device must be located on the same network to enable peer-to-peer streaming functionality. To facilitate video streaming when the devices are not co-located, relay-based streaming needs to be set up using a provider such as Twilio.
Fullstack cloud
This mode of installation and operation refers to the case where the ODM/OEM operator uses all the cloud components together with any standard OAuth 2.0 IdP for the deployment. NVIDIA provides the fullstack cloud as a reference implementation of how to set up, connect, and manage devices and user accounts.
Refer to Full Stack reference Cloud Deployment for additional details on fullstack cloud deployment and the call flow between the different cloud microservices.
Refer to Cloud components for details on each individual cloud microservice.
Cloud with Bring-Your-Own-Security (BYOS)
This mode of deployment and operation gives ODM/OEM operators the greatest customization and integration flexibility. Most importantly, it lets them bring their own identity management, authentication, and authorization logic (which users may perform which operations on which devices) into the cloud deployment, and so makes it easier to integrate the reference cloud with their existing backend infrastructure.
In this mode, the cloud uses only the minimal set of microservices and cloud components required to connect securely to the device; the rest of the cloud security and other backend operations are left to the ODM/OEM operator.
Refer to Cloud customization for details on how to customize the system with your own security module.