XProtect on AWS
A cloud deployment of Milestone XProtect VMS on AWS takes full advantage of the XProtect software architecture, enabling a flexible and diverse usage of XProtect across various functions in the customer’s organization. This allows enterprises and organizations with operations distributed across multiple sites to centralize and manage their video surveillance installation as one system.
Figure 2. AWS cloud infrastructure unlocks the full potential of XProtect VMS in distributed deployment and usage
Cloud deployment further unlocks the full potential of the XProtect client suite, where remote users can access the video management system through secure connections using the XProtect Mobile application or the XProtect Web client. This means that roaming users and connections to law enforcement and monitoring stations can be facilitated without opening firewalls in the different sites.
This section elaborates on the system and service architecture when utilizing AWS global cloud infrastructure as the platform for the XProtect video management system.
Principal Architecture
A deployment of Milestone XProtect video management software on AWS cloud infrastructure implies that all XProtect server components are deployed on a managed compute and storage infrastructure in a Virtual Private Cloud (VPC). Cameras, sensors and other IoT devices making up the surveillance solution at the customer’s on-premises site are connected to the cloud environment via secure connections carried over VPN connections or dedicated direct connections into the AWS cloud. The on-premises security devices transmit video, audio, metadata, and other streams to the cloud-deployed XProtect VMS without the need for any additional on-premises hardware or gateway equipment for aggregation or buffering.
Figure 3. Principal system architecture of an AWS cloud deployment of XProtect VMS, with the option for streamed client access via Amazon AppStream 2.0
Users access the XProtect VMS system through the normal suite of XProtect client applications. As a design option, it is possible to run XProtect Smart Client and the Management Client applications as hosted applications using the Amazon AppStream 2.0 service. AppStream 2.0 not only makes it possible to use the full Smart Client on virtually any device, including Chromebooks, Macs, PCs, thin clients and tablets; it is also an easy and secure way of providing remote users with the full Smart Client experience. To read more about AppStream 2.0, please see section: Amazon AppStream 2.0.
As shown in the figure above, it is also possible to run Smart Client on-premises and access the recording servers running on EC2 instances remotely. The CloudFormation template does not instantiate AppStream; users who want the AppStream feature can set it up themselves.
XProtect BYOL CloudFormation Product
Milestone distributes its XProtect VMS software as a CloudFormation stack in AWS Marketplace. The product is made up of the following four main components:
- XProtect VMS software
- Windows Server Operating System
- CloudFormation Template
- Optional 3rd party Plugins and Addons (for instance, Surveillance Bridge from Tiger Surveillance)
The CloudFormation template deploys the XProtect VMS software in a new Virtual Private Cloud (VPC) with subnet and security group topology within the AWS service infrastructure on the customer’s account, in the selected AWS Region and Availability Zone. The template also configures an Elastic Compute Cloud (EC2) instance based on the customer’s selection, on which all XProtect VMS server components are installed, including the management server, recording server, event server, and mobile server. The CloudFormation template also provides an option to install a plugin for S3 enablement. Please refer to Appendix B – XProtect BYOL CloudFormation Template for a complete overview of the CloudFormation template.
Figure 4. Default deployment of the XProtect CloudFormation product (blue area) and recommended customer extensions (yellow area)
Two Elastic Block Store (EBS) general purpose SSD volumes linked to the EC2 instance are orchestrated by the template, for:
- XProtect VMS configuration data and Windows operating system
- XProtect VMS media database
As illustrated in Figure 4, the CloudFormation template orchestrates the topology depicted with blue color. In addition to this automated orchestration, customer specific extensions need to be made covering VMS video archive storage and establishment of connectivity to the customer’s on-premises site(s). Please refer to relevant sections under Deployment Considerations, for further information on these architectural aspects.
The installed XProtect VMS software can be used to run any XProtect product variant, by applying an applicable XProtect Software License Code (refer to section: ).
System scaling
As mentioned in the section above, the default deployment of the XProtect BYOL CloudFormation orchestrates a single server installation of the XProtect VMS software on the EC2 instance selected for a deployment. This means that all XProtect VMS server components are installed on the selected EC2 instance, including the Management Server, Recording Server, Event Server, and Mobile Server.
Hence, the deployment can be scaled easily to be cost efficient across a wide range of solutions, from small deployments with 10-20 cameras on the smallest EC2 instances to 400-500 camera solutions on the largest EC2 instance type. Please refer to Appendix C – EC2 performance, for detailed performance measurements of different EC2 instance types.
Figure 5. Scaled out XProtect VMS deployment in a single VPC deployment
A second level of scaling is made possible by distributing the XProtect VMS server components on different EC2 instances. By installing the Recording Server service on additional EC2 instances, the XProtect deployment can grow to several ten thousand cameras, or more. In deployments with significant use of XProtect Mobile and XProtect Web Client, the overall system performance can be optimized by running the mobile server on one or more dedicated EC2 instances, as illustrated in Figure 5. The scale-out can be made in the same VPC as the original deployment, in a different Availability Zone (AZ), or in a different Region altogether. It is of course also possible to scale out by deploying physical servers on-premises hosting the XProtect Recording Server service.
Additional instances can also be initiated through the CloudFormation template or manually in the AWS management console.
XProtect VMS Licensing
The XProtect BYOL CloudFormation product is licensed under the same license terms with the same Software License Code (SLC) as used for traditional on-premises deployments. The XProtect BYOL product is offered on AWS Marketplace under Bring-Your-Own-License (BYOL) terms. This does not imply that Milestone XProtect licenses are sold in AWS Marketplace; rather, they are obtained through Milestone’s existing channel network of distributors and system integrators. The deployed XProtect VMS software can be used to run any XProtect product variant (see list of products in section: Appendix A) by applying a valid SLC for the desired XProtect product variant.
The BYOL concept offers full license portability between on-premises and cloud deployments, meaning that customers with existing XProtect on-premises installations can reuse their existing licenses when moving to a complete or partial AWS cloud deployment. In the same way, customers will be able to redeploy their XProtect license if they for one reason or another want to move off the cloud. Hence, any existing XProtect license can be used to activate XProtect on AWS.
Please note that the license may need to be upgraded to match the XProtect release versions available on AWS Marketplace.
Geographical availability
The Milestone XProtect BYOL CloudFormation product is available for deployment in almost all AWS regions. This makes the offering globally applicable, and enables truly distributed and international organizations and companies to deploy a centrally managed and fully integrated video surveillance solution utilizing the AWS backbone network (see section: Global deployment).
As AWS is expanding their cloud data center infrastructure continuously, please refer to AWS (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) for the latest information about active regions and the offered services in the specific Regions. Please note that the AWS managed application streaming service, AppStream 2.0, is only available in a subset of AWS global regions.