XProtect On AWS - White Paper
White Paper
XProtect® on AWS
Prepared by:
Jan Lindeberg, Senior Product Manager, Milestone Systems
2 XProtect on AWS
Table of Contents
Executive summary
Introduction
About AWS
Speed of Deployment
Elastic Scalability
Multi-site deployment
Global deployment
Cloud readiness
XProtect on AWS
Principal Architecture
System scaling
Geographical availability
Deployment considerations
Media storage
Data protection
SQL database
Deployment instructions
User Access
Adaptive Streaming
Operations Cost
Price calculator
Additional costs
Maintenance
Technical Support
Summary
Abbreviations
Executive summary
Businesses worldwide put effort into building organizational readiness that will enable them to grow
when conditions are right. When it comes to Video Management Software (VMS), deploying a large on-
premise system usually calls for a lengthy procurement process, costly hardware, and recurring
maintenance. XProtect on AWS removes this friction, enabling system integrators and end customers to
deploy XProtect in minutes, scale fast with no hardware or location dependencies, and cut down on
hardware and maintenance.
XProtect on AWS is a cloud deployment alternative to on-premises video surveillance systems. It utilizes
computing services in the AWS cloud such as compute, storage, and networking, to deliver an elastic
solution that can be scaled on demand to fit the business need. Milestone Systems now offers the XProtect
Bring Your Own License (BYOL) CloudFormation product deployable directly from AWS Marketplace. It
can be activated to run any XProtect product, and requires a paid license sold through Milestone’s
existing distribution channels.
Single- and multi-site organizations across all AWS regions deploying XProtect on AWS can enjoy a
reliable solution with a user-experience identical to XProtect on premise and full feature-compatibility.
Such organizations can now scale easily to meet business demand and reduce risk of service disruptions
to enjoy a continuous operation. Reduced initial investment in hardware and AWS’s predictable cost
model further support businesses in optimizing costs and delivering better results.
This paper discusses how XProtect can be deployed on AWS, leveraging AWS global infrastructure and
platform services, and the advantages of such a deployment. Starting from the Virtual Private Cloud
(VPC) design orchestrated by the XProtect (BYOL) CloudFormation template, the paper further
elaborates on suitable architectures for specific customer deployments. As a part of this, the paper
discusses possible designs and considerations for the deployment. With an understanding of the
architecture and of which AWS services are applied, the paper concludes with a discussion of
performance and operational topics, including AWS service costs and opportunities for post
deployment optimization.
Introduction
Furthermore, this white paper will give recommendations for service and infrastructure designs and
dimensioning and provide references to more information on specific topics. This white paper should
enable the reader to understand the overall Milestone XProtect AWS Marketplace offering and how it
can be deployed and adapted to meet specific customer needs.
The primary audience for this white paper is system integrators and IT administrators with limited
experience of using Milestone XProtect VMS products who are in the process of selecting, deploying,
administrating, maintaining or expanding a VMS system. The reader is assumed to have a general
understanding of Milestone XProtect VMS, AWS cloud services and infrastructure concepts and
traditional on-premises IT and network installations. Specific knowledge about streamed media is
recommended but not required.
The paper only discusses the XProtect BYOL product. Although the XProtect Essential+ is deployed with
the same Milestone XProtect VMS software, the CloudFormation templates are different, resulting in a
different deployment in the end customer’s AWS service account.
Readers who are not familiar with Milestone XProtect can get an introduction to Milestone XProtect
video management software and its principal system architecture in Appendix A – Milestone XProtect
VMS on page 40.
About AWS
In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form
of web services -- now commonly known as cloud computing. One of the key benefits of cloud
computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs
that scale with your business. With the Cloud, businesses no longer need to plan for and procure
servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up
hundreds or thousands of servers in minutes and deliver results faster.
Today, Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the
cloud that powers hundreds of thousands of businesses in 190 countries around the world. With data
center locations in the U.S., Europe, Brazil, Singapore, Japan, and Australia, customers across all
industries are taking advantage of the following benefits:
• Low Cost
AWS offers low, pay-as-you-go pricing with no up-front expenses or long-term commitments. AWS
is able to build and manage a global infrastructure at scale, and pass the cost saving benefits onto
you in the form of lower prices. Visit the AWS Economics Center to learn more.
• Secure
AWS is a secure, durable technology platform with industry-recognized certifications and audits: PCI
DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 (formerly referred to as SAS
70 and/or SSAE 16) and SOC 2 audit reports. AWS services and data centers have multiple layers of
operational and physical security to ensure the integrity and safety of your data. Visit the AWS
Security Center to learn more.
While the general advantages of AWS cloud deployment (see section: About AWS above) are assumed to
be known and appreciated, this section covers some of the derived and specific advantages with
deploying XProtect on an AWS infrastructure and service platform.
Speed of Deployment
Video surveillance systems are complex IoT systems that are both compute and storage intensive.
Commissioning such a system requires careful solution design, selection of server and storage
hardware, all the logistics with ordering, shipment, unpacking and installation of the hardware.
With a cloud deployment of XProtect, many of these activities can be vastly simplified, if not eliminated
altogether, allowing organizations to deploy XProtect VMS faster and cheaper. Without much of the
friction known from on-premises deployments, XProtect on AWS can far more easily support organizations
that operate with seasonal or temporary deployments.
The actual deployment of the XProtect BYOL product from AWS Marketplace into a specific customer’s
AWS account is orchestrated by a CloudFormation template. The CloudFormation template deploys the
Windows operating system and the XProtect BYOL included in the AMI on the Elastic Compute Cloud
(EC2) instance selected for the deployment. This gives an instant and predictable deployment where the
CloudFormation template also defines a new dedicated VPC with subnets, Security Groups and Elastic
Block Store (EBS) for VMS configuration data and short-term storage of video data.
Elastic Scalability
Needs and operational circumstances change. AWS cloud infrastructure allows customers to seamlessly
grow their XProtect deployment with their needs. An XProtect VMS deployment can seamlessly scale
from 10 to 500 cameras on a single EC2 instance. Leveraging the ability to shift EC2 compute platform
during operation makes the scaling instant while maintaining an attractive balance between
performance and cost.
In surveillance installations with higher needs, the deployment can be scaled out on additional EC2
instances to support thousands of cameras and IoT devices.
Such errors can result in suboptimal system performance. To make an on-prem installation
robust against these kinds of miscalculations or errors in the design assumptions, end-customers and
system integrators prefer to factor some degree of system overprovisioning as a good system design
principle.
This, however, often results in over-dimensioned systems with expensive underused hardware aging
without providing full return on its investment. In a cloud deployment, excess system capacity can be
eliminated as a part of a post deployment cost optimization, which results in reduced AWS service
charges. The elastic scalability discussed in the earlier section also works the other way. If you have
allocated an overly powerful EC2 instance for your deployment, you can change it to a smaller, more
cost-effective instance type within minutes.
As an alternative to on-premises deployment of the XProtect® Smart Client, AWS offers the possibility to
run client applications as hosted user sessions in the AWS cloud using the Amazon AppStream 2.0
service. This makes it possible to use the full Smart Client on virtually any device, including browsers,
Macs, and tablets. AppStream 2.0 is also a good and secure way of providing full Smart Client access
for remote users, and law enforcement bodies, without the need to install any XProtect software.
The cloud only deployment is the default deployment scenario when deploying XProtect from AWS
Marketplace, and it is suitable in regions with reliable high-speed internet connectivity. A customer with
single site deployment would normally deploy XProtect in the AWS Region with closest proximity to the
customer’s physical location. However, network connectivity and data privacy matters may influence the
selection of deployment regions.
and IoT devices is very large, or when it is difficult to obtain sufficient and reliable network connectivity to
the AWS datacenter.
This deployment architecture is recommended in regions with lower penetration and availability of
reliable high-speed internet connectivity. This architecture is also a natural stepping stone for migrating
existing on-premises XProtect installations to an AWS cloud infrastructure.
Multi-site deployment
Many companies and organizations operate across two or more geographically dispersed sites where the
video surveillance system needs to seamlessly span multiple sites. The advantages of cloud-deployed
video management solutions become very evident for these types of customer deployments, as a cloud
hosted VMS application not only provides a centrally managed video surveillance platform covering all
sites uniformly, but the cloud architecture also allows the on-premises deployment to be simplified and
made leaner. This not only optimizes the initial deployment time and cost, but it also significantly reduces the
maintenance costs as less on-premises hardware immediately translates into less maintenance and fewer
on-site visits.
Customers with multi-site deployment would normally deploy XProtect in an AWS Region located
centrally to the customer’s geographically dispersed sites. If some sites are larger than others, it can be
an advantage to deploy XProtect in the AWS Region in the closest proximity to the largest site. However,
network connectivity and data privacy matters may influence the selection of deployment region.
Additionally, multi-site deployment can be realized with hybrid deployment on one or more sites, where
XProtect recording servers are outplaced on the individual location(s) to provide local compute and
storage capabilities or to mitigate capacity and reliability issues in the internet connectivity. Hybrid
deployments are also a natural step on a cloud migration path, where some sites can continue to use
existing hardware in good condition, while other sites can be served by a cloud only infrastructure (see
earlier discussion: Single site – cloud and on-.
Global deployment
Some enterprises and organizations have a need to coordinate and align video security operation on a
global level, spanning sites in multiple countries and across different continents. In these cases, AWS is
the ideal cloud provider with true global presence and their global network infrastructure, where every
data center, availability zone (AZ), and AWS Region is interconnected via a purpose-built, highly available,
and low-latency private global network infrastructure.
This means that customers can utilize AWS global, fully redundant, parallel 100 GbE metro fiber network
to interlink different sites of operation. For more information about AWS global network infrastructure,
please refer to: https://aws.amazon.com/about-aws/global-infrastructure/global_network/.
When designing a truly global XProtect deployment, there are several relevant principal design options:
• Single XProtect VMS system with regionally deployed XProtect recording servers
In this design, the main parts of the XProtect VMS system would be deployed in one primary AWS
Region, while offices in remote countries and continents would be served by XProtect recording
servers deployed in an AWS Region near the customer’s remote location. The remote XProtect
recording servers would then be connected to the XProtect VMS system in the primary AWS Region
using AWS global network infrastructure.
Cloud readiness
Milestone XProtect VMS is a compute- and data-intensive workload, which due to its real-time
processing needs to be designed and deployed with professional care. Deployment of
XProtect on AWS is therefore particularly relevant for enterprises and organizations with a cloud first
strategy, or a clear migration path to cloud. Organizations with high cloud readiness and established
AWS IT competences are best placed to fully explore the synergies between Milestone’s open and
scalable VMS solution and the elastic scaling and reliable operation offered by AWS infrastructure and
platform services.
1
Please note that it is only XProtect Corporate that can be the head end system in a federated hierarchy, while the federated (child) systems can be
XProtect Corporate or XProtect Expert.
XProtect on AWS
A cloud deployment of Milestone XProtect VMS on AWS takes full advantage of the XProtect software
architecture, enabling a flexible and diverse usage of XProtect across various functions in the customer’s
organization. This allows enterprises and organizations with operations distributed across multiple sites
to centralize and manage their video surveillance installation as one system.
Figure 2. AWS cloud infrastructure unlocks the full potential of XProtect VMS in distributed deployment and usage
Cloud deployment further unlocks the full potential of the XProtect client suite, where remote users can
access the video management system through secure connections using the XProtect Mobile
application or the XProtect Web client. This means that roaming users and connections to law
enforcement and monitoring stations can be facilitated without opening firewalls in the different sites.
This section elaborates on the system and service architecture when utilizing AWS global cloud
infrastructure as platform for the XProtect video management system.
Principal Architecture
A deployment of Milestone XProtect video management software on AWS cloud infrastructure implies
that all XProtect server components are deployed on a managed compute and storage infrastructure in
a Virtual Private Cloud (VPC). Cameras, sensors and other IoT devices making up the surveillance
solution on the customer’s premise are connected to the cloud environment via secure connections
carried over VPN connections or dedicated direct connections into the AWS cloud. The on-premises
security devices transmit video, audio, metadata, and other streams to the cloud deployed XProtect VMS
without the need for any additional on-premises hardware or gateway equipment for aggregation or
buffering.
Figure 3. Principal system architecture of an AWS cloud deployment of XProtect VMS, with the option for streamed client access via
Amazon AppStream 2.0
Users access the XProtect VMS system through the normal suite of XProtect client applications. As a
design option it is possible to run XProtect Smart Client and the Management Client applications as
hosted applications using the Amazon AppStream 2.0 service. AppStream 2.0 not only makes it possible
to use the full Smart Client on virtually any device, including Chromebooks, Macs, and PCs, thin clients
and tablets, it is an easy and secure way of providing remote users with the full Smart Client experience.
To read more about AppStream 2.0, please see section: Amazon AppStream 2.0 on page 32.
The CloudFormation template deploys the XProtect VMS software in a new Virtual Private Cloud (VPC)
with subnet and security group topology within the AWS service infrastructure on the customer’s
account, in the selected AWS Region and Availability Zone. The template also configures an Elastic
Compute Cloud (EC2) instance based on the customer’s selection, on which all XProtect VMS server
components are installed, including the management server, recording server, event server, and mobile
server. Please refer to Appendix B – XProtect BYOL CloudFormation Template on page 43 for a complete
overview of the CloudFormation template.
Figure 4. Default deployment of the XProtect CloudFormation product (blue area) and recommended customer extensions (yellow
area)
Two Elastic Block Store general purpose SSD volumes linked to the EC2 instance are orchestrated by the
template, for:
As illustrated in Figure 4, the CloudFormation template orchestrates the topology depicted with blue
color. In addition to this automated orchestration, customer specific extensions need to be made
covering VMS video archive storage and establishment of connectivity to the customer’s on-premises
site(s). These customer specific extensions are marked with yellow. Please refer to relevant sections
under Deployment considerations, for further information on these two architectural aspects.
The installed XProtect VMS software can be used to run any XProtect product variant, by applying an
applicable XProtect Software License Code (refer to section: XProtect VMS licensing, below).
System scaling
As mentioned in the section above, the default deployment of the XProtect BYOL CloudFormation
orchestrates a single server installation of the XProtect VMS software on the EC2 instance selected for a
deployment. This means that all XProtect VMS server components are installed on the selected EC2
instance, including the management server, recording server, event server, and mobile server.
Hence, the deployment can be scaled easily to be cost efficient across a wide range of solutions from
small deployments with 10-20 cameras with the smallest EC2 instances, to 400-500 camera solutions
with the largest EC2 instance type. Please refer to Appendix C – EC2 performance, for detailed
performance measurements of different EC2 instance types.
A second level scaling is made possible by distributing the XProtect VMS server components on different
EC2 instances. By installing the recording server service on additional EC2 instances, the XProtect
deployment can grow to serve ten thousand cameras, or more. In deployments with significant use of
XProtect Mobile and XProtect Web client, the overall system performance can be optimized by running
the mobile server on one or more dedicated EC2 instances, as illustrated in Figure 5. The scaling out can
be made in the same VPC as the original deployment or deployed in a different Availability Zone (AZ), or
a different Region altogether. It is of course also possible to scale-out by deploying physical servers on-
premises hosting the XProtect recording server service.
The installation of XProtect server components on additional EC2 instances is not controlled by the
CloudFormation template. Instead, this deployment is made manually by simply selecting desired
XProtect server components from the XProtect download manager software repository and installing
them on additional EC2 instance(s) created via the AWS Management Console.
The BYOL concept offers full license portability between on-premises and cloud deployments, meaning
that customers with existing XProtect on-premises installations can reuse their existing licenses when
moving to a complete or partial AWS cloud deployment. In the same way, customers will be able to
redeploy their XProtect license if they, for one reason or another, want to move off the cloud. Hence, any
existing XProtect license can be used to activate XProtect on AWS.
Please note that the license may need to be upgraded to match the XProtect release versions available
on AWS Marketplace.
Geographical availability
The Milestone XProtect BYOL CloudFormation product is available for deployment in all AWS Regions,
except AWS China regions: Beijing and Ningxia, and US GovCloud. This makes the offering globally
applicable, and enables truly distributed and international organizations and companies to deploy a
centrally managed and fully integrated video surveillance solution utilizing AWS backbone network (see
section: Global on page 11).
As AWS is expanding their cloud data center infrastructure continuously, please refer to AWS
(https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) for the latest
information about active regions and the offered services in the specific Regions. Please note that the AWS
managed application streaming service, AppStream 2.0, is only available in a subset of AWS global
regions.
Deployment considerations
Prior to the publication of XProtect on AWS Marketplace, Milestone conducted extensive system
performance tests to shortlist a set of EC2 instances recommended for XProtect VMS deployments. This
has resulted in seven EC2 instances offering the most advantageous cost per connected camera across
the range of 10 to 500 cameras per XProtect recording server.
Appendix C – EC2 performance presents the recommended EC2 instances and the performance metrics
measured for these instance types.
Figure 6. Principal design of a redundant Site-to-Site VPN topology for a single site deployment
When designing the network topology connecting the customer site(s), one should consider the required
bandwidth for video streams and client access, and factor in peak situations and the need for
redundancy. Figure 6 presents a principal redundant VPN design for a single site deployment. It should
be noted that each VPN connection is made up of two separate IPsec tunnels, which represent the first
level of redundancy in the event of a device failure within AWS. Second level redundancy is achieved by
the two separate VPN connections, each handled by its dedicated customer gateway device. It is further
recommended that these two VPN connections are routed via two different Internet Service Providers to
ensure maximal redundancy. The VPN gateway that facilitates the Site-to-Site connectivity is attached to
the XProtect VPC via the routing table.
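The two redundancy levels described above can be checked against the JSON returned by `aws ec2 describe-vpn-connections`. The Python below is an added example, not part of the original white paper or of Milestone's tooling; the sample response, its IDs and addresses, and the function name check_vpn_redundancy are constructed for illustration.

```python
import json

# Constructed sample shaped like the output of
# `aws ec2 describe-vpn-connections`; every ID and address is made up.
SAMPLE = json.loads("""
{
  "VpnConnections": [
    {"VpnConnectionId": "vpn-0aaa", "State": "available",
     "VpnGatewayId": "vgw-0example", "CustomerGatewayId": "cgw-0site1a",
     "VgwTelemetry": [
       {"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
       {"OutsideIpAddress": "203.0.113.11", "Status": "UP"}]},
    {"VpnConnectionId": "vpn-0bbb", "State": "available",
     "VpnGatewayId": "vgw-0example", "CustomerGatewayId": "cgw-0site1b",
     "VgwTelemetry": [
       {"OutsideIpAddress": "198.51.100.20", "Status": "UP"},
       {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN"}]}
  ]
}
""")


def check_vpn_redundancy(response, vpn_gateway_id):
    """Return a list of findings for one VPN gateway.

    An empty list means both redundancy levels from the text hold:
    two IPsec tunnels up per VPN connection, and at least two usable
    VPN connections terminating on different customer gateways.
    """
    findings = []
    connections = [
        c for c in response.get("VpnConnections", [])
        if c.get("VpnGatewayId") == vpn_gateway_id
        and c.get("State") == "available"
    ]

    usable = []
    for conn in connections:
        conn_id = conn.get("VpnConnectionId", "<unknown>")
        tunnels = conn.get("VgwTelemetry", [])
        up = [t for t in tunnels if t.get("Status") == "UP"]
        down = [t.get("OutsideIpAddress", "?") for t in tunnels
                if t.get("Status") != "UP"]

        # First level: two IPsec tunnels per VPN connection.
        if len(tunnels) < 2:
            findings.append(
                f"{conn_id}: only {len(tunnels)} tunnel(s) reported")
        elif not up:
            findings.append(f"{conn_id}: all tunnels down")
        elif down:
            findings.append(
                f"{conn_id}: tunnel {', '.join(down)} is down, "
                "no tunnel-level redundancy")
        if up:
            usable.append(conn)

    # Second level: separate VPN connections on dedicated gateway devices.
    gateways = {c.get("CustomerGatewayId") for c in usable}
    if len(gateways) < 2:
        findings.append(
            f"{vpn_gateway_id}: {len(gateways)} customer gateway(s) with a "
            "usable connection, expected at least 2")

    # Routing via two different ISPs cannot be derived from this data
    # and has to be verified on the customer side.
    return findings


if __name__ == "__main__":
    for line in check_vpn_redundancy(SAMPLE, "vgw-0example"):
        print(line)
```
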
Enterprises and organizations often have geographically dispersed facilities and offices, where the
security operation is to be coordinated in one centrally managed video management system. To support
this, the individual sites can be connected to the XProtect VPC using the AWS Site-to-Site VPN service, as
illustrated in Figure 7. Please note that the figure does not consider redundancy in the VPN topology.
In larger deployments it is important to consider that the maximum throughput of an individual VPN
tunnel is 1,25 Gbps, and that the Virtual Private Gateway is bound by an aggregate throughput limit
from AWS to on-premises of up to 1,25 Gbps. For AWS Direct Connect connection on a Virtual Private
Gateway, the throughput is bound by the Direct Connect physical port itself. To connect to multiple VPCs
and achieve higher throughput limits, use AWS Transit Gateway.
The AWS Transit Gateway connects to the customer’s on-premises environment using the same VPN
mechanisms as the Virtual Private Gateway. This white paper will not cover designs including the Transit
Gateway further. Instead, system integrators and end customers are advised to study AWS’
documentation on the Transit Gateway (see: https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html).
While designing the VPN infrastructure, system integrators should also consider
AWS Site-to-Site VPN quotas, which can be increased upon request:
https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-limits.html
Please note that customer gateway devices used with both the VPN Gateway and the Transit Gateway
must support the Internet Key Exchange (IKE) protocol, which is used to exchange keys during the
establishment of the IPsec security association. AWS also requires special configuration of the customer
gateway devices. For more information and a list of tested customer gateway devices, please refer to
the AWS Site-to-Site VPN user guide (https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html).
Media storage
The XProtect recording server operates with a tiered storage architecture made up of a media database
and one, or more, levels of archives, which enables optimization of system performance and storage
costs. Media archived to an archive storage remains on-line and is seamlessly accessible for navigation
and playback by any client application. Please see the XProtect Storage Architecture and
Recommendations white paper for complete information around media storage in XProtect.
In deployments where video is to be retained for longer than just a few days, Milestone recommends
the use of a two-tiered storage with the short-term storage (media database) and long-term archive
storage.
Figure 8. XProtect media storage utilizes a combination of EBS and FSx storage for optimal combination of storage performance
and cost
Figure 8 above depicts the recommended storage infrastructure when running XProtect on AWS, where
the recording server’s media database is hosted in an EBS general purpose SSD (gp2) storage volume
and the media archives are stored in one or more Amazon FSx for Windows File Server storage volumes,
depending on the amount of video and other media data that is to be stored. In this setup the native
XProtect video archiving function is used to move and lifecycle-manage the video across the EBS and
the FSx storage arrays.
The default deployment of XProtect BYOL CloudFormation configures the Elastic Block Store (EBS) for
the media database only. This means that the FSx storage shall be added to the installation when and as
needed. The FSx storage is available in single-AZ and multi-AZ deployment options, which offers an
additional level of redundancy for end-customers with high demands on data resilience.
To obtain maximum system performance while keeping the AWS service costs to a minimum, Milestone
recommends keeping a minimum amount of video (normally around 24 hours of recordings) in the EBS
based media database, with frequent archiving to the long-term FSx HDD based storage. The overall
performance of the combined EBS and FSx storage infrastructure is constrained by baseline bandwidth
and IOPS allocations for not only the EBS and FSx storages, but also the specific EC2 instance used. It is
therefore important to consider the combined performance of all these three elements, when
dimensioning the storage infrastructure. Appendix D – Media storage dimensioning, details the specific
dimensioning considerations.
Please note that FSx requires an Active Directory (AD) to be defined. The XProtect VPC should therefore
be connected to an AD before the FSx storage is defined.
An additional option to the EBS storage that the CloudFormation template defines for the media
database is to define a second EBS storage for archiving. The block storage should be throughput
optimized HDD (st1) volumes and could be particularly relevant for deployments with shorter retention
times (less than 1 week), cf. Appendix D – Media storage dimensioning, page 47.
The AWS Simple Storage Service (S3) can be used as an alternative or complement to the FSx based
archive storage. The S3 storage can be particularly relevant when on-premises recording servers are
configured to archive to an AWS cloud storage. The XProtect recording server does not integrate natively
with the S3 object storage through its storage APIs. Therefore, a separate AWS Storage Gateway service
needs to represent the object storage bucket as an addressable network drive for the VMS software.
Depending on the retention time and access patterns to recorded video data, customers can optimize
their storage costs by selecting the optimal S3 storage class. XProtect VMS works with all S3
storage classes, except S3 Glacier and S3 Glacier Deep Archive.
The use of camera-based storage is an ideal solution as it ensures that video and other data is
continuously recorded even in the event of shorter interruptions in the connectivity between the
customer’s on-premises environment and AWS cloud environment. Once the connection is restored,
recordings will be automatically transferred to the XProtect recording server in the AWS cloud, thus
ensuring continuous recording of video despite possible intermissions in the connectivity.
For details about the use of edge storage, please refer to the Edge Storage with flexible retrieval white
paper.
Data protection
Video surveillance data is sensitive data that needs to be protected from unauthorized access and use.
Unlike a Software as a Service offering, in which the customer has no or little control over where the
applications run and data is stored, XProtect on AWS puts the customer in full control of where the
video data is stored and how it is protected. That means no video data leaves the specific AWS data
center (Availability Zone) in which the XProtect VMS is deployed, unless specifically configured
otherwise in the actual customer architecture.
SQL database
The XProtect VMS system stores and maintains all its configurations, event data and logs in Microsoft
SQL databases. As a part of the deployment of the XProtect BYOL CloudFormation, a local Microsoft SQL
Express database is installed in the EC2 instance. This database is configured as the default SQL
database for the vital XProtect VMS system data. This database shall be backed up and managed
manually. In larger installations, where a dedicated SQL server may exist, the XProtect system can be
configured to use a separate EC2 instance to host a dedicated SQL server, as illustrated in Figure 5 on
page 16.
Please note that XProtect VMS is not compatible with Amazon Relational Database Service (RDS).
Deployment instructions
System integrators and end customers considering a deployment of XProtect on AWS are advised to
study eLearning courses and deployment guides provided by Milestone. The material is published on
the Milestone website, and available as a part of the XProtect BYOL listing in AWS Marketplace.
eLearning courses
Manuals
• Getting started guide – XProtect Bring Your Own License (BYOL) 2020 R2
User Access
The deployment of XProtect on AWS cloud infrastructure opens up a wide range of ways to provide flexible
access to the XProtect VMS system for both on-premises users, remote users and roaming users (cf.
Figure 2 on page 13). This section discusses these access options and suitable architectures for the user
access provisioning. No single client access architecture is the right solution, as the choice is highly
dependent on the individual user’s access and usage patterns.
As illustrated in Figure 4 (page 15), the XProtect clients use the network topology connecting the
customer’s on-premises environment(s) to the AWS cloud to access the VMS system in the XProtect VPC.
This setup is to a large degree similar to a traditional on-premises deployment, with the difference that
the XProtect VMS servers reside in the AWS cloud, rather than as physical servers on-premises.
However, as there is an AWS service charge for transmitting data out of a VPC, the consumption of data
egress should be carefully considered in this setup.
Adaptive Streaming
To optimize the Smart Client performance and reduce the AWS data egress costs, Milestone
recommends the use of the Adaptive Streaming feature, available in XProtect Corporate and XProtect
Expert. Adaptive Streaming enables the Smart Client to automatically select the media video stream with
the most appropriate resolution [2] for a given camera view. By selecting the stream that is most optimal,
the amount of data to be transferred to and handled by the Smart Client is reduced, thus increasing the
performance of the Smart Client.
Figure 9. Adaptive streaming is used to start the camera stream that is most suitable for the displayed view
[2] Most appropriate resolution means the stream with the lowest resolution, which is greater than the size
of the Smart Client view item in which the stream is to be shown.
The graph below illustrates the reduction in data egress from the XProtect VPC when using adaptive
streaming to select the most suitable stream for the Smart Client, rather than transmitting the full 1080p
stream. The graph depicts the reduction in data throughput of adapted streams compared with the
throughput when transmitting a full 1080p stream, for different numbers of video streams displayed on a
Smart Client workstation with an HD 1080p monitor and a UHD 2160p monitor, respectively. The graph
assumes that the default camera resolution for all cameras in the XProtect VMS system is 1080p, while
each camera also has a set of additional lower resolution streams (720p, 480p, 360p and 240p) defined
that can be used when the camera is included in a camera view containing several other cameras.
An example of the potential savings that can be achieved with the Adaptive Streaming capability is when
a Smart Client user is viewing 16 cameras (in a four by four view) on a display with HD (1080p)
resolution. Without Adaptive Streaming, 16 streams at 1080p would need to be transmitted. However, as a
four by four camera split on an HD monitor with 1080 x 1920 pixels would only leave each camera tile
with less than 270 x 480 pixels, the Adaptive Streaming function can select the 360 x 480 video streams
from the cameras. This corresponds to a 92% reduction in data egress from the AWS Cloud, which
translates to an equally large saving in data egress costs.
In addition to providing substantial savings on data egress costs, Adaptive Streaming reduces the video
processing load on the workstation used to host the Smart Client, which opens up additional savings on
hardware as less powerful workstations are needed.
Please note that Adaptive Streaming requires that multiple stream resolutions are defined for each camera
device, so that the Smart Client can select among them dynamically. For playback of recorded video, it is only
possible to view the video in the resolution it was recorded in.
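The selection rule from footnote 2 and the 16-camera example above can be worked through in code. This is an added example, not Milestone code: it assumes a square grid layout, treats "greater than" as "at least as large as" the tile, and assumes bitrate scales with pixel count, which is the assumption that reproduces the 92% figure. Only the 1080 x 1920 and 360 x 480 sizes and the 4 Mbit/s rate come from the paper; the other stream sizes are constructed.

```python
from math import isqrt

# (height, width) of the streams defined per camera. 1080 x 1920 and 360 x 480
# are the paper's figures; the remaining sizes are constructed for illustration.
STREAMS = {
    "1080p": (1080, 1920),
    "720p": (720, 1280),
    "480p": (480, 640),
    "360p": (360, 480),
    "240p": (240, 320),
}
FULL = "1080p"
FULL_MBIT_S = 4.0  # paper: 4 Mbit/s per full HD stream


def tile_size(monitor, cameras):
    """Pixel size (height, width) of one view item in a square grid (assumed layout)."""
    grid = isqrt(cameras - 1) + 1  # smallest n such that n * n >= cameras
    return monitor[0] // grid, monitor[1] // grid


def select_stream(tile):
    """Pick the lowest-resolution stream that still covers the tile (footnote 2)."""
    fits = [(h * w, name) for name, (h, w) in STREAMS.items()
            if h >= tile[0] and w >= tile[1]]
    return min(fits)[1] if fits else FULL


def egress(monitor, cameras):
    """Compare egress for full-resolution streams with the adaptively selected ones.

    Assumption: the bitrate of a stream is proportional to its pixel count.
    """
    name = select_stream(tile_size(monitor, cameras))
    h, w = STREAMS[name]
    full_h, full_w = STREAMS[FULL]
    fraction = (h * w) / (full_h * full_w)
    full_rate = cameras * FULL_MBIT_S
    return {
        "stream": name,
        "full_mbit_s": full_rate,
        "adaptive_mbit_s": full_rate * fraction,
        # Mbit/s -> GB per viewing hour (decimal gigabytes)
        "adaptive_gb_per_hour": full_rate * fraction * 3600 / 8 / 1000,
        "reduction_pct": round(100 * (1 - fraction)),
    }


if __name__ == "__main__":
    HD, UHD = (1080, 1920), (2160, 3840)
    for monitor, label in ((HD, "HD"), (UHD, "UHD")):
        for cameras in (1, 4, 16, 36):
            print(label, cameras, egress(monitor, cameras))
```

With these assumptions, the same rule selects 720p for a four-camera view and 240p for a 36-camera view on an HD monitor.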
Users can access AppStream 2.0 hosted applications either via a browser or via an AppStream 2.0 client
application. AppStream 2.0 is compatible with all major browsers and is hence an ideal solution for
remote access by both the end-customer's own personnel and trusted third parties such as monitoring
stations and law enforcement. The AppStream 2.0 client exposes workstation peripherals, such as USB
connected joysticks and input keyboards, to the Smart Client application.
One of the primary reasons for AppStream 2.0 being an interesting architecture for user access is that
the AppStream 2.0 service pricing includes the AWS cloud egress costs. As discussed in the earlier
section (Adaptive Streaming), transferring multiple raw high resolution video streams from the cloud to
on-premises can be relatively costly, and this is a cost that can be eliminated with AppStream 2.0.
In addition to the savings on data out transfer, AppStream 2.0 offers several additional advantages for
efficient and secure user access to the XProtect VMS system, including:
As illustrated in the figure above, AppStream 2.0 is deployed in a separate VPC outside the customer’s
AWS account offered as an AWS managed service connected to the XProtect VPC. User instances of the
XProtect Smart Client and management client applications run on a so-called Fleet of AppStream 2.0
EC2 instances, where streamed client experiences are provided through a Streaming Gateway to the
user. The use of AppStream 2.0 is governed by a Stack definition, which includes available AppStream
2.0 images, user access policies, storage configurations and an associated AppStream 2.0 Fleet.
Appendix E – AppStream 2.0 includes performance test results for Smart Client execution on AppStream
2.0, as well as recommendations for suitable EC2 AppStream 2.0 Fleet instance types.
Milestone does not provide client images for AppStream 2.0. Instead, system integrators and
end-customers are advised to use the AppStream 2.0 image builder, which is a tool used for creating
AppStream 2.0 images, and available as part of the AppStream 2.0 console. Please refer to AWS service
information for more details about AppStream 2.0: https://aws.amazon.com/appstream2/
The XProtect mobile server facilitates secure and encrypted HTTPS communication with the web and
mobile clients. Depending on the specific customer use case and IT policies, the mobile server can be
co-hosted in the XProtect VMS on AWS or placed on the customer’s premises. A cloud deployed mobile
server would provide the greatest flexibility and scalability in most customer deployments.
As illustrated in Figure 5 on page 16, Milestone recommends deploying the XProtect mobile server
component on one, or more, dedicated EC2 instances. It is also recommended to configure the EC2
instance(s) for the mobile server in a separate public subnet attached to an internet GW. The mobile
server subnet shall be secured with proper Security Group settings on both the incoming side and on
the attachment towards the subnet used for the core XProtect VMS services.
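One way to check the Security Group settings described above, as an added example that is not Milestone or AWS code: it audits ingress rules, in the dictionary shape of the EC2 DescribeSecurityGroups response, for the internet-facing mobile server group and the core VMS group. The group IDs, CIDR ranges and both port sets are constructed assumptions and must be replaced with the values of the actual deployment.

```python
# Constructed sample data and assumed ports; nothing here is an XProtect default.
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS = {443}         # assumption: HTTPS listener port of the mobile server
CORE_SERVICE_PORTS = {8443}  # placeholder: port(s) the mobile server needs on the core subnet

MOBILE_SG = {"GroupId": "sg-mobile-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,   # remote admin open to the world
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,   # remote admin from one range
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
]}
CORE_SG = {"GroupId": "sg-core-example", "IpPermissions": [
    {"IpProtocol": "-1",                                      # all traffic from the mobile group
     "UserIdGroupPairs": [{"GroupId": "sg-mobile-example"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "UserIdGroupPairs": [{"GroupId": "sg-mobile-example"}]},
    {"IpProtocol": "tcp", "FromPort": 554, "ToPort": 554,     # core service open to the world
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}


def port_range(perm):
    """Return (low, high) for a rule; protocol "-1" means all protocols and ports."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def sources(perm):
    """Split a rule's sources into CIDR strings and referenced security group IDs."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return cidrs, groups


def single_allowed_port(perm, allowed):
    """True only for a TCP rule that opens exactly one port from the allowed set."""
    low, high = port_range(perm)
    return perm["IpProtocol"] == "tcp" and low == high and low in allowed


def audit(mobile_sg, core_sg):
    """Return (group id, issue, low port, high port) for each rule that breaks the layout."""
    findings = []
    for perm in mobile_sg["IpPermissions"]:
        cidrs, _ = sources(perm)
        # Incoming side: only the HTTPS listener may be reachable from anywhere.
        if WORLD.intersection(cidrs) and not single_allowed_port(perm, PUBLIC_PORTS):
            findings.append((mobile_sg["GroupId"], "internet-exposed-port", *port_range(perm)))
    for perm in core_sg["IpPermissions"]:
        cidrs, groups = sources(perm)
        # The core VMS subnet is never reachable directly from the internet.
        if WORLD.intersection(cidrs):
            findings.append((core_sg["GroupId"], "core-open-to-internet", *port_range(perm)))
        # Attachment towards the core subnet: the mobile group gets specific ports only.
        if mobile_sg["GroupId"] in groups and not single_allowed_port(perm, CORE_SERVICE_PORTS):
            findings.append((core_sg["GroupId"], "mobile-to-core-too-broad", *port_range(perm)))
    return findings


if __name__ == "__main__":
    for finding in audit(MOBILE_SG, CORE_SG):
        print(finding)
```

Live rule sets in the same shape can be obtained from the EC2 DescribeSecurityGroups API and passed to `audit` unchanged.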
In situations where the users of the Mobile and Web Clients primarily reside within the customer's
on-premises LAN environment, the mobile server used to facilitate the user remote access can be deployed
on the customer’s premises.
The mobile server offers two principal methods to optimize the communication and the data
throughput for the web and mobile clients:
• Adaptive transcoding
The mobile server transcodes video streams to a less bandwidth-intensive format that adapts to the
pace at which the clients can consume the video. This gives robust communication and fluent rendering
when used across low bandwidth connections. In this mode, it is possible to define thresholds for
maximum framerate and throughput, which provides excellent means of controlling VPC data egress
costs.
• Adaptive streaming
In adaptive streaming mode, the mobile server applies the same stream handling methodology as
the Smart Client (discussed in section: Adaptive Streaming, page 24), when sending streams to the
XProtect Web Client [3].
Both these methods provide excellent opportunities for optimizing the data throughput used by remote
users, and hence are a good way to control data egress costs.
When utilizing adaptive transcoding Milestone recommends using EC2 GPU enabled instances, where
the g4dn family is a good option.
[3] XProtect 2020 R2 supports adaptive streaming for XProtect Web Clients only. Corresponding support for
XProtect Mobile is planned for a future release of XProtect.
Operations Cost
Cloud deployment of Windows applications, like XProtect VMS, is different from on-premises
deployment, especially concerning how the IT operation is orchestrated and structured. Cloud not only
enables significant opportunities for outsourcing and optimization of the IT operations, but it also changes
the way that compute and storage infrastructure is acquired: from upfront purchase of static hardware
to a flexible pay-per-use purchase of hardware as a service.
As the list of parameters that impact the operational cost is long, and it varies from enterprise to
enterprise depending on nature of business, industry, and geographical location, it is difficult to make an
exact calculation of the operational costs. This section will therefore only discuss the direct operational
costs associated with a deployment of XProtect on AWS.
The following subsections discuss the cost of AWS services when used with XProtect VMS.
Price calculator
To simplify the price calculation of running XProtect on AWS, Milestone provides a price calculator. The
XProtect on AWS calculator is available on the Milestone Documentation portal. Please note that this
calculator is intended to provide an indicative price only. As it is based on a set of service execution
assumptions, the final cost can only be determined by the final deployment and the contractual
agreements with AWS.
Figure 12. The XProtect BYOL price calculator makes it easy to calculate the AWS service costs for running XProtect on AWS
Appendix C – EC2 performance discusses the details around the selection of the EC2 instance.
The EBS storage used for the Windows OS and the XProtect VMS configuration data is defined as 100
GB as default.
The EBS volume defined for the media database shall, as discussed in Appendix D – Media storage
dimensioning (page 47), be defined to accommodate roughly 24 hours of recordings, where the actual
size will depend on degree of recording and video stream properties such as resolution, framerate and
image complexity. One should aim to optimize the allocation of the EBS storage, as it is relatively costly
compared to the far more cost efficient FSx storage used for archiving databases.
• Storage capacity
The average amount of storage provisioned in the file systems per month, measured in gigabyte-
months "GB-Months".
• Throughput capacity
The price of throughput capacity depends on the deployment type (single-AZ or multi-AZ) that is
selected. The charge covers the average throughput capacity provisioned for the file systems per
month, measured in “MBps-months”. For multi-AZ file systems, the cost to transfer data between
Availability Zones for replication of data is included in the throughput capacity price.
AWS offers two different storage types: SSD or HDD. With reference to Appendix D – Media storage
dimensioning, Milestone recommends HDD.
• Single-AZ
Redundancy on disk level
• Multi-AZ
Redundancy on data center (AZ) level, where media archives are replicated across two different data
centers.
AWS FSx further operates with a data backup offering and a Data Deduplication capability, which
reduces costs associated with redundant data by storing duplicated portions of your files only once. Due
to the nature of video data, neither of these two services are relevant for XProtect video archives.
The amount of data egress is highly dependent on user behavior patterns, where the following aspects
are the primary parameters in estimating the amount of egress data:
• Number of users
Figure 13 illustrates the complexity in estimating the data egress costs, and the importance of optimizing
these costs. The graph presents the yearly cost for one user accessing the XProtect VMS system through
different methods at different usage patterns both in terms of average usage time per day (the x-axis)
and how many camera streams that are viewed (4 and 36 cameras respectively). The three user access
methods illustrated in the graph are:
• XProtect Smart Client with full HD (H.264 at 1080p) streams at 30 frames per second, corresponding
to 4 Mbit/s per viewed stream.
• XProtect Smart Client with Adaptive Streaming, where alternative streams with lower resolution have
been selected. When viewing 4 streams, 720p streams have been selected, and when viewing 36
cameras, 240p streams have been selected.
• AppStream 2.0 with XProtect Smart Client hosted on a g4dn.xlarge EC2 instance type.
Figure 13. Accumulated yearly user access cost for different user access methods at different levels of average daily usage. The
cost includes VPC data egress costs (US East (N. Virginia)) and workstation hardware costs [4], and is presented for 4 and 32 H.264
streams at original stream size of 4 Mbit/s
The graph shows that the yearly cost is a linear function of how many hours a user accesses the system.
While the cost grows dramatically when using non adaptive stream access, the adaptive streaming
feature keeps the data egress cost at a reasonable level, even when the usage is extensive measured
both in number of access hours a day, and number of viewed cameras. Amazon AppStream 2.0 is a
viable alternative.
• Duration of usage
While the use of AppStream imposes additional AWS service costs, there are no data egress costs for the
data transmitted as a part of the AppStream client streaming session. In addition to this, AppStream has
the potential to unlock additional savings on workstation hardware and reduced desktop IT
administration effort.
[4] The hardware cost is based on a 3-year depreciation period.
It is therefore important to emphasize that even though the dimensioning of an AWS deployed XProtect
system needs to follow the same principal design steps as a traditional on-premises system, the
consequences of an error in the assumptions or in the actual design calculations are far from as fatal as
in a physical deployment. When deploying an XProtect system on AWS, there is a wide range of
opportunities to optimize and fine-tune the design when the system is in production, as a part of a post
deployment optimization.
Additional costs
In addition to the AWS service charges one should add the Internet access service provided by the
regional Internet Service Provider or network carrier, and the on-premises router equipment needed.
The internet access costs are difficult to estimate, as there are major regional differences in availability,
up-link speed, and pricing.
There are, however, some fundamental AWS pricing concepts that are relevant to point out
when using AWS as infrastructure platform for XProtect:
• Region used
Prices on AWS services vary between Regions, dependent on availability and other factors.
Although the differences are not significant, one should make sure to apply the specific Region
in which the XProtect BYOL CloudFormation is to be deployed.
• Saving plans
AWS offers a wide range of saving plans for its different services. The most relevant for
deployments of XProtect on AWS is the Reserved Instance (RI) plan for the EC2 instance used for
the XProtect deployment. As video surveillance installations in most cases are intended for
long-term continuous usage, considerable savings can be obtained by making either a one-year or a
three-year reservation of the EC2 instance. AWS offers different RI Classes, where the Standard
class provides enough flexibility to shift EC2 instance, when and as the installation grows or is
optimized.
Maintenance
AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud.
This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud
services, and includes all AWS services used in an XProtect VMS deployment. The customer assumes
responsibility for and management of the Windows operating system (including updates and security
patches), the XProtect VMS software, as well as the configuration of the AWS provided security group
firewall.
Technical Support
While AWS provides technical support on the infrastructure services provided by AWS under the AWS
agreement, Milestone will provide technical support on the XProtect VMS software through the
Milestone channel partner, from whom the XProtect software license was obtained.
upgrade procedures. It is currently not possible to upgrade an existing deployment via AWS
Marketplace.
Customers with Care Plus service coverage can upgrade to the latest version of the XProtect VMS
software without any additional charge, in the same way as when the software is deployed on a physical
infrastructure on the customer’s premises.
Summary
XProtect on AWS is a perfect mix of scalable video management software and an elastic, redundant and
secure infrastructure and service platform. In this paper we have described how cloud deployment
reduces friction that is normally encountered in on-premises deployment. The paper has further
explained how the cloud elasticity enables customers to grow their installations with their needs, and
also how it allows for post deployment optimization to optimize cost and eliminate any over-provisioning.
The paper has explained how the CloudFormation template ensures instant and predictable
deployment of XProtect, and how the default deployment can easily be extended to include customer specific
AWS services. Thanks to the elastic scalability in the compute layer, we have concluded that a system can
be cost efficiently scaled from 10 to 500 cameras [5] on a single AWS EC2 instance with server-side motion
detection applied, where GPU enabled EC2 instance types provide an excellent price performance ratio.
With a range of storage options for long term video archiving, AWS FSx provides a secure and managed
video storage. FSx can be configured in a multi availability zone configuration, where video is archived
into two separate datacenters to obtain a high level of redundancy.
Deploying XProtect on AWS opens a wide range of possibilities including flexible user access using both
XProtect clients and Amazon AppStream 2.0, and the ability to apply a centrally managed video surveillance
solution for geographically dispersed sites. Deploying XProtect on AWS, customers can apply hybrid
architectures, with some XProtect services running in the cloud, and some on-premises.
XProtect on AWS is ideal for organizations and enterprises with a cloud first strategy, which allows them
to deploy and manage their XProtect in the same way as any other business systems, leveraging their
existing AWS infrastructure and IT competences.
[5] 4 Mbit/s, H.265 stream with 30 FPS.
Abbreviations
AD Active Directory
AMD Advanced Micro Devices
AMI Amazon Machine Image
AWS Amazon Web Services
AZ Availability Zone
BYOL Bring Your Own License
CAPEX CAPital EXpenditures
CPU Central Processor Unit
CUDA Compute Unified Device Architecture
Figure 15 below provides a principal overview of the XProtect system architecture and its main system
components when deployed in a distributed configuration. Please note that not all components are
needed in all installations, but they can be installed if the functionality they offer is needed. Examples
are failover recording servers (not depicted in the system drawing) and the mobile server, which hosts and
provides access to both the XProtect® Web Client and the XProtect® Mobile client.
Figure 15. The principal XProtect VMS architecture with server components and client applications
The table below provides a brief description of the key server components and client applications in the
XProtect VMS system architecture. Please note that this list is not exhaustive. For a complete technical
introduction to the Milestone XProtect VMS system, please refer to the following white paper: XProtect VMS
system architecture document 2020 R1.
SERVER COMPONENTS

Recording Server
The recording server is responsible for all communication with devices (cameras, video, and audio
encoders, IoT devices such as input/output (I/O) modules, metadata sources, etc.). It records received
media and metadata streams and makes both live streams and recorded streams available for viewing
in the XProtect client application and other applications integrated via the Milestone Integration
Platform Software Development Kit (MIP SDK).
The recording server is responsible for a wide set of functions related to device and event handling and
can be configured to conduct motion detection on received video streams. The motion detection
analysis includes video decoding using hardware (GPU) accelerated decoding and/or software (CPU)
decoding.

Management Server
The management server is the central component of the VMS and is responsible for handling the system
configuration, distributing configuration to other system components, such as recording servers, and
for facilitating user authentication. The configuration data is stored in a standard Microsoft SQL server
installed either on the management server itself or on a separate dedicated server.

Event Server
The event server handles various tasks related to events, alarms, maps, and third-party integrations via
the MIP SDK.

Mobile Server
The mobile server is responsible for hosting the XProtect Web Client and for providing access to the
VMS for the XProtect Web Client and Milestone Mobile client users.

CLIENT APPLICATIONS

Smart Client
XProtect Smart Client is the Windows based main client for XProtect VMS offering a full set of advanced
video surveillance and incident management features. The XProtect Smart Client is designed to be run
remotely on the operator’s computer and decodes video streams and renders these on the Smart
Client workstation using hardware (GPU) accelerated decoding and/or software (CPU) decoding.

XProtect Web Client
The XProtect Web Client is the client designed for the occasional or remote user that needs easy access
to the VMS system, including live monitoring, playback, investigation, export, and light alarm
management.

XProtect Mobile Client
XProtect Mobile provides a flexible way of accessing an XProtect VMS for users on-the-go using
smartphones and tablets. The application provides all essential functions for live viewing, playback, and
incident management. The application is available for both Android and iOS devices.

Management Client
The management client is a Windows based client administration interface for all parts of the VMS.
Table 3. Description of key XProtect VMS system components and client applications
• XProtect® Essential+
XProtect Essential+ is a full-featured version of Milestone’s market-leading video management
software (VMS) at no cost. With support for up to eight cameras and devices, XProtect Essential+
is the perfect match for smaller businesses who want basic video surveillance to protect
employees and assets.
• XProtect® Express+
XProtect Express+ is designed for smaller, single-site companies with a light need for live video
monitoring. Supporting up to 48 cameras and the ability to integrate with existing operations,
such as access control and people counting, XProtect Express+ is the perfect match for retail
shops, parking lots or office buildings.
• XProtect® Professional+
XProtect Professional+ is IP video management software (VMS) designed for mid-sized
businesses, supporting an unrestricted number of cameras, devices, and servers. With
multi-layered maps and full alarm management capabilities, operators have a complete overview
of the entire installation, making it the ideal choice for institutions such as schools, retail chains,
and production plants.
• XProtect® Expert
Designed for mid-size and large-scale installations, XProtect Expert ensures end-to-end
protection of video integrity while maximizing hardware performance. Central management,
access through failover recording servers and an optional video wall make it ideal for
installations with active live monitoring such as warehouses and stadiums.
• XProtect® Corporate
Designed for large scale high security installations, XProtect Corporate ensures end-to-end
protection of video integrity while maximizing hardware performance. Central management,
built-in video wall and support for failover recording servers make it ideal for mission-critical
installations such as airports and cities.
• Data throughput, which is dependent on the number of connected cameras, the bandwidth of the
video streams from these cameras and the degree of recording and archiving.
• Compute resources for decoding of streamed video formats such as H.264, which is needed when
applying server-side video motion detection (VMD) analysis. XProtect VMS can utilize GPU resources
available with some EC2 instance families.
The recording server performance is also determined by the performance of the storage used for
media and archive databases. The throughput and IOPS performance can influence the scaling of the
recording server. For more information about storage performance, refer to: Appendix D – Media
storage dimensioning, page 47.
The primary purpose of these tests has been to provide system integrators and end-customers with
guidance on which EC2 instance type to deploy the XProtect CloudFormation on. Based on this testing,
Milestone recommends the EC2 instance types presented in Table 4 below, when operating with
different degrees of recording [6].
[6] Degree of recording refers to how much the VMS system is recording during a day. 10% recording thus
corresponds to 2 hours and 24 minutes of recording per day.
RECOMMENDED      DEGREE OF RECORDING               MAX. AVG.
INSTANCE TYPE    100%     50%      25%      10%    CPU LOAD
t3.large         7        7        8        8      35%
c5.large         16       17       17       18     50%
c5.xlarge        36       38       39       40     50%
c5.2xlarge       92       94       95       96     70%
g4dn.xlarge      97       106      110      113    50%
g4dn.2xlarge     133      242      268      275    70%
g4dn.4xlarge     427      468      480      480    70%
Table 4. Validated maximum cameras per XProtect recording server, for recommended EC2 instance. Measurements are based on
H.264 video streams with 1080p resolution and 30 FPS, with a constant throughput of 4,0 Mbps per camera. Server-side VMD [7] is
applied on all streams and all recordings are archived to AWS FSx storage.
To help system integrators and end-customers select the most optimal compute infrastructure for
their XProtect deployment, Figure 17 presents the price performance ratio for the recommended EC2
instance types listed in Table 4 above. The dark blue line and the gray line show the annual cost per
camera for US East (N. Virginia) and Europe (Ireland), respectively, at maximum recommended utilization,
at 25% recording, and archiving to AWS FSx storage.
[Figure 17 chart. Axes: number of cameras; annual cost per camera (USD). Series: number of supported
cameras, Europe (Ireland), US East (N. Virginia). Instance types: t3.large, c5.large, c5.xlarge, c5.2xlarge,
g4dn.xlarge, g4dn.2xlarge, g4dn.4xlarge, grouped by family (t3, c5, g4dn).]
Figure 17. Price-performance ratio of recommended EC2 instances for deployments with H.264 video streams with 1080p
resolution and 30 FPS, with a constant throughput of 4,0 Mbps per camera. Server-side VMD is applied on all streams, with 25%
recording, and archiving to AWS FSx storage.
[7] Test results apply to XProtect product variants supporting GPU based video decoding, i.e. XProtect Expert and XProtect Corporate.
the VMD decoding and analysis can represent as much as 80% of the overall CPU load on EC2 instances
with no GPU resources, or when using XProtect product variants not supporting GPU based decoding
(i.e. XProtect Express+ or XProtect Professional+).
Milestone therefore recommends the XProtect Expert or XProtect Corporate VMS product variants and
GPU enabled instance EC2 instance types, where the g4dn family has been verified by Milestone.
If no server side VMD is to be applied, smaller and non-GPU enabled EC2 instance types can be
considered,
This appendix discusses the high-level design principles for the storage infrastructure used by XProtect
when deployed on AWS.
It is recommended that the media database is configured to hold 24 hours of video.
Figure 18. Detailed FSx file storage architecture illustrating the difference between network throughput/IOPS and disk
throughput/IOPS
The type and amount of storage capacity impacts the performance of the FSx file system. The FSx
storage is defined in steps of 1 GiB with a minimum size of 2 TiB and a maximum size of 64 TiB, where the
disk performance for HDD based storage is proportional to the volume size.
Table 5. FSx HDD performance and throughput and IOPS baseline allocation
The graph below illustrates the dependencies between the required FSx storage volume for different
retention times (calculated based on the video data volume to be archived), required throughput (yellow
line) and required number of IOPS (light blue line), and the allocated disk throughput and IOPS baseline
(dark blue line). More specifically, this graph represents a deployment with 100 cameras, each generating
4 Mbit/s. The assumption is that the VMS system on average records 10% during a day. This means that
the required throughput is 5 MB/s and the required IOPS to write the video data to the FSx disk system
is 49 operations per second.
Given the volume of video data to be archived (5 MB/s) the required storage per retention day is 0,37
TiB (gray area). In this example we assume that the FSx storage definition is fully optimized to match the
required storage exactly. Based on the FSx storage definition a disk throughput and IOPS baseline
allocation is given, as discussed in Table 5.
[Figure 19 chart. Horizontal axis: Retention Time (Days), 1 to 31. Series: Defined Storage TiB, Required
Throughput MB/s, Required IOPS, Allocated FSx IOPS/Throughput Baseline.]
Figure 19. FSx performance at different size definitions, compared with required performance for archiving in a system with 100
cameras generating 4 Mbit/s, with 10% recording
From Figure 19 it can be derived that special care needs to be taken when dimensioning an HDD based
FSx file system with short retention times. We can see that the allocated disk IOPS is lower than the
required number of disk operations for FSx storage volumes smaller than 4,12 TiB. This will result in a
situation where the media storage on the EBS disk cannot be archived fast enough, which will eventually
cause the storage system to overflow, at which point video data will be lost.
To secure a sustained operation in this specific case, the FSx storage should not be
smaller than 4,12 TiB, even for the shorter retention times, to obtain a sufficient IOPS baseline. In a
real-life deployment, Milestone of course recommends a reasonable margin on the storage definitions, to
not end up with system bottlenecks.
Milestone recommends system integrators and end customers to thoroughly acquaint themselves with
the performance dynamics of FSx to ensure correct storage design. For more information refer to:
https://docs.aws.amazon.com/fsx/latest/WindowsGuide/performance.html.
Based on extensive performance testing of the various EC2 streaming instance types, Milestone
recommends the Graphics G4 family (stream.graphics.g4dn) only. With its native Nvidia Tesla T4 GPU support
and reasonable pricing, it supports the Smart Client even in usage situations with views consisting of 50,
or more, video streams. Please note that end-customers may need to request access to this EC2
streaming instance family via AWS Support.
Other EC2 streaming instance families are available for AppStream, but are not recommended for use with
the XProtect Smart Client:
The smallest instance size in the stream.graphics.g4dn family delivers remarkably good performance,
and should be sufficient in most common usage scenarios. With reference to the table the
stream.graphics.g4dn.xlarge instance supports decoding and rendering of approximately 49 camera
streams at 15 FPS, or 35 streams at 25 FPS. If users view more cameras in a single view, the larger
streaming instance types can be considered.
[8] Milestone Smart Client requires CUDA version 10.1.
[Figure 20 chart. Axes: number of cameras displayed; USD. Categories: instance sizes from xlarge to
16xlarge at 480p, 720p and 1080p, grouped into stream.compute and stream.graphics.g4dn.]
Figure 20. Amazon AppStream 2.0 – Smart Client performance at different user scenarios and different EC2 streaming instances
measured on a HD display, and hourly instance price US East (N. Virginia)