Reference Cloud for Jetson devices running Metropolis Microservices

As part of this release, we provide software for a reference cloud that offers various functionalities for realizing production-grade capabilities with devices, including:

  • Remote access to devices by clients; specifically, remote invocation of device APIs.

  • Authentication and authorization of users when accessing the devices through the cloud.

  • A mechanism to assist in setting up peer-to-peer video streaming between the device and the client application.

  • A separate, secure, encrypted “always connected” network link between the cloud and each device.

Developers can adapt, extend, customize, and deploy their own instance of the reference cloud based on the provided deployment artifacts. These include containers for constituent software, deployment scripts, and associated services. Currently, the deployment is supported on AWS but can be easily extended to other cloud or on-premises deployment platforms as well.

The following diagram shows the reference cloud in relation to the other components involved in managing and operating Jetson devices running Metropolis Microservices.

[Figure: cloud overview diagram, ../_images/cloud-overview1.png]

In the above diagram, “Client App” refers to either a mobile or web application that end-users can use to interact with the device running Metropolis microservices. The cloud acts as an intermediary between the client application and the device. Client applications can access the REST APIs exposed by various microservices on the device via the cloud in a secure and distributed manner.

An End-User Identity Service Provider (IdP) is responsible for verifying the identity of a user and providing that information to the Cloud, typically using standard authentication protocols such as OAuth. Examples of End-User Identity Service Providers include Microsoft Azure Active Directory, Google Identity Platform, and AWS Cognito. The cloud provided by NVIDIA is a reference implementation in AWS for connecting to and working with your Jetson devices running Metropolis Microservices. Users can deploy their own instance of the cloud in AWS using the deployment scripts provided by NVIDIA.

Cloud setup

To start using the cloud, first deploy it based on the instructions in Installation and Setup to set it up within your AWS account. Once the cloud is set up and available, users can use it to connect, manage, and interact with their devices through the presented APIs.

This section describes the typical workflow followed to connect to and use Jetson devices running Metropolis Microservices. Users can choose to explore the device’s capabilities using a mobile app or directly via the supported APIs.

Connecting device to Cloud

Once the cloud is set up, the next step is to connect devices to it securely. Follow the steps in the AI NVR to connect your device to the cloud. Pay special attention to the ‘Reference Cloud’ section of the document, which describes the OTP setup for cloud connection. At this stage, your device should be running and connected to the cloud.

Claim the device ownership in Cloud

To use a device, the end-user must first claim ownership of their device using the cloud.

The user should already have a claim code to claim a device for access. Refer to Device ownership in reference Cloud for details on how to obtain the claim code from the device. Device ownership can only be claimed once by a user. The end-user can use the mobile app or the device claim API to claim a device. For additional details, refer to the section on device claim via the cloud.

Note the following requirements for a user to claim a device:

  • The device must be online and connected to the Cloud.

  • Device ownership must not already be claimed.

Note

The device claim code is considered a security asset. Until device ownership is claimed, it is strongly recommended to keep the device claim code safe and not share it with others.

Cloud interaction using the mobile app or cloud/device APIs

Users can either use a mobile app or directly utilize APIs to connect with and explore the device’s capabilities.

Cloud interaction using APIs

In general, cloud APIs can be classified into two broad categories:

  • Device-bound APIs, exposed by services running on the device such as VST and the other Metropolis microservices.

  • Cloud-bound APIs, implemented and supported by the Cloud itself.

When a user invokes a device-specific API, the Cloud simply acts as a proxy: it authenticates and authorizes the request, then routes it all the way to the connected device.

For additional details on accessing the device APIs via the Cloud, refer to Cloud APIs.
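The gating that the claim step and the proxy step described above rely on (device online, ownership claimed only once, a caller authenticated and then authorized against ownership before anything is forwarded) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not the NVIDIA reference cloud's own code. The DeviceRegistry, claim_device and route_device_request names, the sample devices, claim codes and users are all constructed, and the HMAC-signed token is a stand-in for the OAuth token a real deployment would validate against its IdP.

```python
"""Ownership and authorization checks of a device-API gateway (added example).

Not the reference cloud's implementation: every name and sample value here is
constructed for illustration. A real deployment validates the IdP-issued OAuth
token instead of the HMAC stand-in used by issue_token/authenticate.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed secret for the stand-in token signer; a deployment would verify
# IdP tokens with the IdP's published keys rather than a shared secret.
TOKEN_SECRET = b"example-gateway-secret-do-not-use"


def issue_token(user_id: str) -> str:
    """Stand-in for an IdP-issued bearer token: '<user_id>.<hmac-sha256 hex>'."""
    tag = hmac.new(TOKEN_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def authenticate(token: str) -> Optional[str]:
    """Return the user id when the token's tag verifies, otherwise None."""
    try:
        user_id, tag = token.rsplit(".", 1)
    except ValueError:  # no separator at all
        return None
    expected = hmac.new(TOKEN_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


@dataclass
class Device:
    device_id: str
    claim_code: str            # provisioned on the device; treated as a secret
    online: bool               # true while the always-connected link is up
    owner: Optional[str] = None


class ClaimError(Exception):
    """Raised when a claim request fails one of the page's requirements."""


class DeviceRegistry:
    """Constructed stand-in for the cloud's device table."""

    def __init__(self, devices):
        self._devices = {d.device_id: d for d in devices}

    def get(self, device_id: str) -> Optional[Device]:
        return self._devices.get(device_id)

    def claim_device(self, user_id: str, device_id: str, claim_code: str) -> Device:
        """Claim succeeds only if the code matches (constant-time compare),
        the device is online, and nobody has claimed it before."""
        device = self.get(device_id)
        if device is None or not hmac.compare_digest(
            device.claim_code.encode(), claim_code.encode()
        ):
            # One message for unknown id and wrong code: no device enumeration.
            raise ClaimError("invalid device id or claim code")
        if not device.online:
            raise ClaimError("device must be online and connected to the cloud")
        if device.owner is not None:
            raise ClaimError("device ownership has already been claimed")
        device.owner = user_id
        return device

    def route_device_request(self, token: str, device_id: str,
                             method: str, path: str) -> dict:
        """Gateway order of operations: authenticate, authorize, then forward."""
        user_id = authenticate(token)
        if user_id is None:
            return {"status": 401, "body": "unauthenticated"}
        device = self.get(device_id)
        if device is None or device.owner != user_id:
            # Same answer for unknown and not-owned devices.
            return {"status": 403, "body": "not authorized for this device"}
        if not device.online:
            return {"status": 503, "body": "device offline"}
        return forward_to_device(device, method, path)


def forward_to_device(device: Device, method: str, path: str) -> dict:
    """Stand-in for the device link; a deployment would send the request on."""
    return {"status": 200, "body": f"{method} {path} routed to {device.device_id}"}


def demo() -> dict:
    """Run the checks against constructed devices and return the outcomes."""
    registry = DeviceRegistry([
        Device("jetson-001", claim_code="ABCD-1234", online=True),
        Device("jetson-002", claim_code="WXYZ-9876", online=False),
    ])
    alice, bob = issue_token("alice"), issue_token("bob")
    registry.claim_device("alice", "jetson-001", "ABCD-1234")
    results = {
        "owner_call": registry.route_device_request(alice, "jetson-001", "GET", "/example"),
        "other_user": registry.route_device_request(bob, "jetson-001", "GET", "/example"),
        "bad_token": registry.route_device_request("alice." + "0" * 64, "jetson-001", "GET", "/example"),
    }
    for label, user, dev, code in (("second_claim", "bob", "jetson-001", "ABCD-1234"),
                                   ("offline_claim", "bob", "jetson-002", "WXYZ-9876")):
        try:
            registry.claim_device(user, dev, code)
        except ClaimError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The ordering in route_device_request is the point: the identity is established before any lookup, the ownership check happens before the device link is touched, and unknown and not-owned devices return the same response so the proxy cannot be used to discover which device ids exist.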

Reference Cloud APIs are mainly used for user management and setup.

Cloud interaction using the mobile app

To interact with the cloud using the mobile app, the reference mobile app must be recompiled to point to your deployment’s cloud endpoint. Refer to the AI-NVR Mobile Application Build for instructions on how to do this.

The mobile app enables users to enter a device-specific claim code, generated as per the instructions provided above, to gain access to the device. Once connected, users can interact with the device using the full range of functionalities provided in the mobile app.

Note that for video streaming to work out-of-the-box through WebRTC, the mobile device and the Jetson device must be located on the same network to enable peer-to-peer streaming functionality. To facilitate video streaming when the devices are not co-located, relay-based streaming needs to be set up using a provider such as Twilio.

Fullstack cloud

This mode of installation and operation refers to the case where the ODM/OEM operator chooses to use all the cloud components together with any standard OAuth 2.0 IdP for the deployment. NVIDIA provides the fullstack Cloud as a reference implementation of how to set up, connect, and manage devices and user accounts.

Cloud with Bring-Your-Own-Security (BYOS)

This mode of deployment and operation of cloud provides extreme customization and integration flexibility for ODM/OEM operators. Significantly, this mechanism enables them to bring in their own identity management, authentication and authorization (user permissions to perform operations on specific device) logic to the cloud deployment, and thereby facilitates operators’ integration of the reference cloud with their existing backend infrastructure.

In this mode of deployment and operation, the cloud uses only the minimal set of microservices and cloud components required to connect securely to the device, while the rest of the cloud security and other backend operations are handled by the ODM/OEM operator.

  • Refer to Cloud customization for details on how to customize the system with your own security module.