Deploying OpenVidu CE on AWS



Deployment instructions 🔗

The deployment of OpenVidu can be a piece of cake if you have an AWS account. Just follow these steps:

1. Access to the console of AWS Cloud Formation 🔗

Go to CloudFormation



2. Select Create StackWith new resources 🔗



3. Option Specify templateAmazon S3 URL with the following URL 🔗

https://s3-eu-west-1.amazonaws.com/aws.openvidu.io/CF-OpenVidu-latest.yaml

To deploy a fixed version, including previous ones, replace latest with the desired version number.
For example: https://s3-eu-west-1.amazonaws.com/aws.openvidu.io/CF-OpenVidu-2.29.0.yaml



4. Specify stack details 🔗

First of all, indicate a name for your deployment. Next fill each section of the Parameters formulary:

Domain and SSL certificate configuration 🔗

Configuration for your CloudFormation stack certificate. We provide 3 different scenarios: you can use the default SELF-SIGNED CERTIFICATE stored in the application (users will need to accept the browser security alert) or if you have a custom domain, either allow LET'S ENCRYPT to automatically generate a valid and free certificate for your domain or use your own CUSTOM CERTIFICATE if you already have one (and for some unknown reason you still want to use that).

Self-Signed certificate Let's Encrypt certificate Custom certificate (Commercial CA)
Certificate Type selfsigned letsencrypt owncert
AWS Elastic IP (EIP) One AWS Elastic IP you generated
(check AWS Docs to generate a new one)
One AWS Elastic IP you generated
(check AWS Docs to generate a new one)
Domain Name pointing to Elastic IP Your fully qualified domain
For example: openvidu.company.com
Your fully qualified domain
For example: openvidu.company.com
URL to the CRT file URL to your public key file
The CloudFormation stack must have access to this URL, at least temporarily
URL to the key file URL to your private key file
The CloudFormation stack must have access to this URL, at least temporarily
Email for Let's Encrypt Your choice

If you have questions about how to configure your Domain and SSL certificates, you can check these examples:

OpenVidu configuration 🔗

Here you will only be able to configure OpenVidu secret, but there are many other configuration values that can be set once the deployment has completed. Visit Administration section after your deployment is successful to update OpenVidu configuration.

Openvidu Secret
Secret to connect to this OpenVidu Platform. Cannot be empty and must contain only alphanumeric characters [a-zA-Z0-9], hypens "-" and underscores "_"
Your choice

EC2 Instance configuration 🔗

These properties configure specific details of the EC2 machine that will be launched by CloudFormation.

Instance type
Type of EC2 Instance where to deploy OpenVidu
Choose from the drop-down button
SSH Key
SSH key for your EC2 Instance
Choose from the drop-down button
(check AWS Docs to create a new one)

Other configuration 🔗

These properties configure some other options of your stack.

Deploy OpenVidu Call application
Choose if you want to deploy OpenVidu Call application alongside OpenVidu platform
Choose from the drop-down button
Send deployment info to OpenVidu team
Choose if you don't mind sending to OpenVidu team the version deployed and AWS region
Choose from the drop-down button



5. Create your stack 🔗

No extra options are necessary. Click on NextNextCreate stack

CREATE_IN_PROGRESS status will show up. You will now have to wait about 2 minutes until it shows CREATE_COMPLETE. If status reaches CREATE_FAILED, check out this section.

After status changes to CREATE_COMPLETE, go to Outputs tab to get your brand new IP and click on it (or if you have deployed under your own custom domain, then you should access through it instead).


That URL is the one to be used to consume OpenVidu REST API. Besides:

  • If you have deployed OpenVidu Call (see Other configuration) you can also access to it through that same URL.
  • You can access OpenVidu Server dashboard to make a quick test of your deployment through /dashboard. Credentials to access to it are OPENVIDUAPP as username and your OpenVidu secret as password.

You can now add your own application to your instance. To learn how check out section Deploy OpenVidu based applications.

While deploying the stack, you will see a warning with this message:

The following resource(s) require capabilities: [AWS::IAM::Role]

You need to accept it for OpenVidu CE deployment to work. The CloudformationLambdaRole role is only used by a Lambda resource to copy the original AMI of OpenVidu to your account. In this way, we can ensure that your deployment will still work even if the AMI is deprecated or removed officially, so your deployment will always work.

AMIs will be copied once, and their names start with [ OpenVidu CE AMI Copy ]. This is the AMI that will be used in your deployment. You can check the Role in the Cloudformation template.



6. Administration 🔗

AWS deployments of OpenVidu CE are internally identical to on premises deployments. This means that you can manage OpenVidu platform very easily by connecting to your instances through SSH. Located at the default installation path /opt/openvidu as root user ($ sudo su) you will be able to:



Domain and SSL Configuration Examples 🔗

These examples are focusing in the Domain and SSL certificate configuration section of the Deploying OpenVidu on AWS instructions to clarify any doubt on how to configure it.

As OpenVidu is deployed with default sane configuration, your domain and SSL certificate configuration are the most important parameters to deploy your stack correctly.

Let's see all different scenarios:

1) Self-signed certificate 🔗

This example should be used only for development environments. Don't use it in production.

This scenario is meant for you if you want to:

  • Deploy OpenVidu quickly for testing or developing purposes.
  • Deploy OpenVidu without a Fully Qualified Domain Name (FQDN).

1.1) Cloudformation parameters 🔗

Let's see an example of this scenario for the Cloudformation parameters section:

  1. Select as Certificate type: selfsigned
  2. Keep empty all the parameters in the Domain and SSL certificate configuration section, because we don't have any Elastic Ip, domain or other SSL configuration to specify in this scenario.

2) Let's Encrypt certificate 🔗

This scenario is meant for you if you want to:

  • Deploy OpenVidu for production or even developing purposes.
  • Deploy OpenVidu with a Fully Qualified Domain Name (FQDN).
  • Use a valid SSL certificate.

For this specific scenario you will need to:

2.1) Create an Elastic IP 🔗

  1. Go to your EC2 AWS section, and click here:
  1. Click on Allocate Elastic IP address
  1. This will generate an Elastic IP that you will be able to use for your OpenVidu deployment with letsencrypt

2.2) Register a FQDN pointing to the Elastic IP 🔗

This step will depend of the DNS register you want to use. You need to create a DNS register of type A pointing to the Elastic IP created before. For the next steps, let's suppose that our domain is: example.openvidu.io.

2.3) Cloudformation parameters 🔗

Let's see an example of this scenario for the Cloudformation parameters section:

The important fields of this section are:

  • The AWS Elastic IP (EIP) with the Elastic IP created in step 2.1
  • The Domain Name pointing to Elastic IP with the FQDN created at step 2.2
  • The Email for Let's Encrypt with the email you want to use for your Let's Encrypt certificate.

3) Custom Certificate (Commercial CA) 🔗

This scenario is meant for you if you want to:

  • Deploy OpenVidu for production.
  • Deploy OpenVidu with a Fully Qualified Domain Name (FQDN).
  • Use a valid SSL certificate from a Commercial CA.

For this specific scenario you will need to:

3.1) Generate certificates files 🔗

To use this kind of certificate, you need to generate two files, certificate.cert (public keys of the certificate) and certificate.key (private key), and upload them to an HTTP server to make it available for the Cloudformation parameters. But first, follow these steps to generate these files:

1) Create a CSR and a private key. This can be easily done by executing:

openssl req -newkey rsa:2048 -nodes -keyout certificate.key -out certificate.csr

While executing this command, you will be asked to enter some information to generate the files certificate.key and certificate.csr. Ensure that all these information are correctly inserted (Common Name, Organization Name, etc...). The most important parameter is the Common Name field which should match the name that you want to use for your certificate.

For example, let's suppose that your domain is example.openvidu.io. The parameter Common Name could be: example.openvidu.io or www.example.openvidu.io. Otherwise, if you're using a WildCart certificate, the Common Name parameter would be ** .openvidu.io*.

2) The previous command generated the certificate.key and certificate.csr files. The certificate.csr is the one that you need to provide to your CA. Depending of your CA this step can differ. Check your CA documentation about this topic.

3) Usually the files to generate the certificate.cert can be downloaded or are sent via email from the CA. These files are:

  • The intermediate certificate. (It usually have more than one key with ---BEGIN CERTIFICATE--- This file will be called as intermediate.cert in following steps.
  • Your ssl certificate. An unique certificate key with ---BEGIN CERTIFICATE---. This file will be called as public.cert in following steps.

4) You need to concat these two files in an unique certificate.cert file in this way:

cat public.cert intermediate.crt > certificate.cert

5) Now you have the certificate.key generated in step 1) and the certificate.cert generated in step 4).

If you're still having doubts about how to generate the certificates files, you can follow this guide for a further understanding.



3.2) Upload your certificate files into an HTTP server. 🔗

Now that you have both certificate files, you need to make it available via HTTP for the Cloudformation template. Let's suppose that you upload both files and the URLs are:

  • http://example-http-server.io/certificate.cert
  • http://example-http-server.io/certificate.key

3.3) Create an Elastic IP and a FQDN pointing to it. 🔗

Just follow the same steps of the Let's Encrypt section: 2.1 and 2.2

3.4) Cloudformation parameters 🔗

Let's see an example of this scenario for the Cloudformation parameters section:

These are the important fields of the cloudformation parameters:

  • The AWS Elastic IP (EIP) with the Elastic IP created in step 2.1
  • The Domain Name pointing to Elastic IP with the FQDN created at step 2.2
  • The URL to the CRT file (owncert) with the URL to the certificate.cert file created at step 3.1 and uploaded to an HTTP server in step 3.2.
  • The URL to the key file (owncert) with the URL to the certificate.key file created at step 3.1 and uploaded to an HTTP server in step 3.2.

3.5) Remove your certificates files from the HTTP server of step 3.2 🔗

It is very important after the deployment to invalidate the URLs created at step 3.2 after the stack is successfully deployed. These files available via HTTP are only necessary for CloudFormation EC2 instances to be able to download the certificate files and configure it into the system and are no longer necessary after the deployment process.

Common problems 🔗


Troubleshooting 🔗

AWS deployments of OpenVidu CE work under the hood in the exact same manner as on premises deployments. So everything explained in Troubleshooting section of on premises deployments also applies to AWS deployments. There you have detailed instructions on how to debug all of OpenVidu services in case some unexpected problem appears.

CREATE_FAILED CloudFormation stack 🔗

First of all, an AWS CloudFormation stack may reach CREATE_FAILED status for missing a default VPC.

You can inspect your default VPCs like this: https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html#view-default-vpc
And you can create a default VPC like this: https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html#create-default-vpc

If that is not the problem, then follow these steps:

  • 1) Try to deploy again, but this time disabling option Rollback on failure (Configure stack options 🡆 Advanced Options 🡆 Stack creation options). This will prevent the instance to be terminated in case of failure so logs can be gathered. Once you re-deploy with this option, the stack will still fail but you’ll be able to access instances through SSH and retrieve some files to debug the problem.
  • 2) We will also need the parameters you've used to deploy, to check possible problems in their values
  • 3) Once you have performed step 1) and the stack creation has failed, please SSH into the created EC2 instance and share with us CloudFormation logs

    • /var/log/cloud-init.log
    • /var/log/cloud-init-output.log

  • 4) Get also the log output of all the services. Check this section to see services logs:



Kurento Media Server crash 🔗

Sometimes Kurento Media Server (the service in charge of streaming media inside of Media Nodes) may crash. If this happens on a regular basis, or better, you have isolated a specific use case where KMS always crashes, then perform the following steps to collect a crash report that will help us fix the issue.

In AWS deployments of OpenVidu CE, KMS crash reports are enabled by default. You can directly get them with the following steps:

1) Download the KMS crash report 🔗

ssh -i AWS_SSH_KEY ubuntu@OPENVIDU_IP "sudo tar zcvfP ~/core_dumps.tar.gz /opt/openvidu/kms-crashes/*"
scp -i AWS_SSH_KEY ubuntu@OPENVIDU_IP:~/core_dumps.tar.gz .

Replace AWS_SSH_KEY with the path to the SSH key of the EC2 instance and OPENVIDU_IP with its IP address.

2) Clean the KMS crash report 🔗

So as not to consume too much hard drive, delete the crash report once you have downloaded it. IMPORTANT: obviously, do NOT do this before downloading the report.

ssh -i AWS_SSH_KEY ubuntu@OPENVIDU_IP "sudo rm /opt/openvidu/kms-crashes/* && sudo rm ~/core_dumps.tar.gz"

Replace AWS_SSH_KEY with the path to the SSH key of the EC2 instance and OPENVIDU_IP with its IP address.