Is there an active AWS Cloudformation template to launch UE5?

The AWS deployment docs reference a CloudFormation template that no longer works, in section Launch the Instance > Launch Option 1: CloudFormation > Step 3.

Is there a working CloudFormation template that the community can use?

I don’t know about a CloudFormation template, but there is an AMI that will work well.

I occasionally use the AMI ami-0c3c64a18a915467c in us-west-1 and run it on a g4dn.4xlarge instance. (I’ve set it up to shut down at midnight automatically if I forget – those guys can become expensive if you just leave them running!) I also map an Elastic IP to the instance (so it stays the same when suspended) and set the security group to only allow the necessary RDP ports in, but all ports out. That would be more convenient with a CloudFormation template, but it’s not that much to specify manually when creating it.

Also, the g4dn comes with a “local disk,” but each time you start the instance the disk shows up unformatted (because it may move between physical machines), so I would recommend against using it for anything other than very temporary scratch space. Use a provisioned-IOPS gp3 EBS device instead for the root file system and it’ll perform OK.


Thanks for the advice!

I wanted to use the CloudFormation template because it includes some setup to use the NICE DCV client (I’m on a Mac). I’ll give connecting via RDP client a shot, but I’ll leave this thread unresolved in case a functioning CloudFormation template is provided as mentioned in the docs.


@jwatte This is good info. I hate to divert the subject at all, but I also run a large AWS instance on the east coast and I was having trouble connecting with the security group for the ports. So I have opened up the security group to all incoming connections on the public side, because I couldn’t pinpoint which port was conflicting with the connections. I can freely connect at this point, and I have a range of ports I run on the software instances and that doesn’t pose any connection issues, but I feel I’m leaving myself open to DDoS attacks or whatnot.

Do you have any suggestions or knowledge as to whether this is a security issue for my server, to have them open like that? Outside of connecting to my servers on the machine through the games running on it, I can’t establish any kind of connection through a browser or anything, which I assume is good. Unless I’m directly connected via remote desktop on the instance with my pem key it doesn’t seem like a security issue, but I’d like to iron this out before I launch publicly and I can’t say for sure. AWS is an animal in itself.


@jwatte @Humanasset same inbound rules issue here. I launched the UE5 AMI with the suggested security group settings, but I’m unable to connect via RDP client.

There are inbound rules on the instance I know at first gave me issues on the console itself that, although confusing at first, were relatively straightforward. But there is some additional configuration that needs to be done in the advanced firewall settings on the machine itself that blocks connections. That is if you’re using a Windows instance… I ended up saving the security group on the console and using that as a template once I got that worked out.

The firewall settings on the machine I’m kind of lost on, since there are so many more things that are blocked by default. That’s where I just allowed everything and it resolved that case, but I kind of used it as a blanket of sorts to just get the connections established, and I haven’t taken the time to identify things that need to be disallowed for security.

@Humanasset I figured out my issue regarding firewalls. You need to update the route table to send all traffic outside the vpc to the internet gateway (assuming you had installed via Epic’s AMI).

The troubleshooting instructions mention this:

  • Verify that the route table for the subnet has a route that sends all traffic destined outside the VPC to the internet gateway for the VPC. For more information, see Creating a custom route table (Internet Gateways) in the Amazon VPC User Guide.

After I updated the route table, I was able to connect via RDP with the default inbound connection settings in my security group rather than allowing all connections.

Hope that helps


I’m using NICE DCV too! It works fine without a CloudFormation template. You do need to “decrypt the administrator password” once, using a process that the help files talk about if you google for it.

I believe running a Windows machine on the open internet with all ports open used to be a really bad idea. These days it’s no worse an idea than doing the same thing for a Linux box, but I wouldn’t do that for Linux, either :)

I was mistaken in what ports you need in the comment above. Here’s my security group definition (with IDs masked for paranoia):

{
    "SecurityGroups": [
        {
            "Description": "Windows RDP",
            "GroupName": "ue-windows-rdp",
            "IpPermissions": [
                {
                    "FromPort": 8443,
                    "IpProtocol": "udp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 8443,
                    "UserIdGroupPairs": []
                },
                {
                    "FromPort": 3389,
                    "IpProtocol": "udp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 3389,
                    "UserIdGroupPairs": []
                },
                {
                    "FromPort": 8443,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 8443,
                    "UserIdGroupPairs": []
                },
                {
                    "FromPort": 3389,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 3389,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "XXXX",
            "GroupId": "sg-XXXX",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-XXXX"
        }
    ]
}

It’s ports 8443 and 3389 on TCP and UDP.

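The group posted above opens 3389 and 8443 to 0.0.0.0/0. As an added example (not code from the thread, the Epic AMI or AWS), here is a small Python audit that takes a security group in the shape of `aws ec2 describe-security-groups` output, lists every admin port exposed to the whole internet, produces a hardened copy pinned to a single operator CIDR, and renders the result as a CloudFormation template in which that CIDR is a stack parameter. The sample group, the operator address 203.0.113.7/32, the placeholder VPC id and the default game port 7777 are all constructed for the example; the set of "admin" ports (RDP, DCV, SSH, WinRM) is an assumption about what should never face the world, and game-port rules are deliberately left open because players need them.

```python
"""Audit an EC2 security group for admin ports open to the internet and emit a
hardened copy plus a CloudFormation template parameterised on the operator CIDR."""
import copy
import json

# Remote-access ports that should never be reachable from 0.0.0.0/0. RDP (3389)
# and NICE DCV (8443) are what this workstation needs; SSH and WinRM are the
# other usual offenders. This list is an assumption, extend it for your estate.
ADMIN_PORTS = {22, 3389, 5985, 5986, 8443}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample mirroring the posted group: RDP and DCV over TCP and UDP,
# every rule open to the world. The VPC id is a placeholder, not a real resource.
SAMPLE_SG = {
    "GroupName": "ue-windows-rdp",
    "Description": "Windows RDP",
    "VpcId": "vpc-XXXX",
    "IpPermissions": [
        {"IpProtocol": proto, "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
        for port in (8443, 3389) for proto in ("tcp", "udp")
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
    ],
}

def _exposed_admin_ports(rule):
    """Admin ports a single ingress rule covers ('-1' means every protocol and port)."""
    if rule["IpProtocol"] == "-1":
        return set(ADMIN_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}

def _world_cidrs(rule):
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in WORLD]

def find_world_open_admin_rules(sg):
    """Return (protocol, port, cidr) for every admin port the group exposes to the internet."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        for cidr in _world_cidrs(rule):
            for port in sorted(_exposed_admin_ports(rule)):
                findings.append((rule["IpProtocol"], port, cidr))
    return findings

def harden_ingress(sg, admin_cidr):
    """Deep-copy the group, pinning every world-open rule that touches an admin port
    to admin_cidr. Rules covering only game ports are left alone; an IPv6 world
    range on an admin rule is dropped because admin_cidr here is IPv4."""
    hardened = copy.deepcopy(sg)
    for rule in hardened.get("IpPermissions", []):
        if not _exposed_admin_ports(rule):
            continue
        rule["IpRanges"] = [{"CidrIp": admin_cidr} if r["CidrIp"] in WORLD else r
                            for r in rule.get("IpRanges", [])]
        rule["Ipv6Ranges"] = [r for r in rule.get("Ipv6Ranges", [])
                              if r["CidrIpv6"] not in WORLD]
    return hardened

def to_cloudformation(sg, game_ports=(7777, 7777)):
    """Render the group as a CloudFormation template. World-open admin rules take
    their CIDR from an AdminCidr parameter supplied at stack-create time; a UDP
    game-port range (assumed 7777 by default) is appended, open to players."""
    ingress = []
    for rule in sg.get("IpPermissions", []):
        base = {"IpProtocol": rule["IpProtocol"]}
        if "FromPort" in rule:
            base.update(FromPort=rule["FromPort"], ToPort=rule["ToPort"])
        admin = bool(_exposed_admin_ports(rule))
        for r in rule.get("IpRanges", []):
            pin = admin and r["CidrIp"] in WORLD
            ingress.append(dict(base, CidrIp={"Ref": "AdminCidr"} if pin else r["CidrIp"]))
    lo, hi = game_ports
    ingress.append({"IpProtocol": "udp", "FromPort": lo, "ToPort": hi, "CidrIp": "0.0.0.0/0"})
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "AdminCidr": {"Type": "String",
                          "Description": "Operator address in CIDR form, e.g. 203.0.113.7/32",
                          "AllowedPattern": r"^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$"},
            "VpcId": {"Type": "AWS::EC2::VPC::Id"},
        },
        "Resources": {"WorkstationSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": sg.get("Description", "UE5 workstation"),
                "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": ingress,
                "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}],
            },
        }},
    }

if __name__ == "__main__":
    for proto, port, cidr in find_world_open_admin_rules(SAMPLE_SG):
        print(f"FINDING: {proto}/{port} open to {cidr}")
    print(json.dumps(to_cloudformation(SAMPLE_SG), indent=2))
```

Feed it the real output of `aws ec2 describe-security-groups --group-ids sg-...` (one element of the `SecurityGroups` array) instead of `SAMPLE_SG` to audit a live group; the emitted template can be saved as JSON and passed to `aws cloudformation create-stack` with `--parameters ParameterKey=AdminCidr,ParameterValue=<your-ip>/32`. The point of the parameter is that the operator address changes (home ISP, hotel, office) without anyone editing and re-uploading the template, and an all-ports rule, which also covers RDP, gets pinned too.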

@jwatte Thank you for the information! I guess I might have mis-distinguished my own thoughts on the port issue. I’m not having too much trouble setting the port range on the security group in the console…

However, I guess my largest concern is the security settings on the machine itself, inside the advanced firewall settings on the instance. There are a TON of inbound and outbound rules to wade through. This is where I have just allowed them all in and out to establish a basic connection for the games lol. The ports on the instance on the console were relatively straightforward in those terms. Fortunately for now my IP is obscure and undistributed, and there is no data being held on the server whatsoever besides the game instances, but this will certainly not fly in the end product.

I felt it was a port issue on the security settings on the firewall blocking connections, so I allowed them all for testing. Works great now lol. It has a selection to allow for “game port 7777”, but I will be using dozens if not hundreds of different ports across the same IP elasticity on the east and west coasts and central parts of the US, and 7777 isn’t going to cut it alone lol. I have several ported games, like 7000-7010, that run there and successfully accept connections on the same machine through the game at the moment.

I guess my most basic question is, what are your thoughts on the security settings on the firewall on allowing a specific port range and in and outbound rules only for the games?

I’d like to disallow everything not critical to connecting to the game… RDP client needs to use the decryption methods, so I feel that security is pretty strong connecting directly through RDP, but I fear the network wizard hackers have their magic and could exploit me through those rules? Eventually very soon I will have a highly paid dedicated network expert working on these issues, but I’m working solely at the time being to iron this out.

@mtnlabs Thank you for that information. I’ll look into that. I’m not currently using Epic’s AMI at the moment, but I’ll be looking into that, and also into the route table. I was able to connect freely with RDP directly to the instance without issues.

I’ve been held up by the inbound and outbound rules in the advanced firewall settings when connecting to the games on the instance, which I just allowed all of, which isn’t good. I just need to disallow anything noncritical to the game connections. I should post a screenshot of the rules and maybe someone could help me run through them so I can understand them better…

FWIW, the security rules on the machine itself don’t matter much, unless you don’t trust software running in the same VPC (AWS account).
In some corporate settings, where you want to limit lateral movement of an attacker, this is important, but if you’re not in a large enterprise, no worries :)

Thank you! I wasn’t too sure. But that is great news lol. I’ll definitely be getting a better grasp on those rules, but it’s nice to know I can focus on the security groups on the aws console.

Hey mtnlabs. Thanks for reporting this, and I’m sorry I didn’t see your post sooner. It looks like something happened on the backend that restricted public access to the CloudFormation template. We just opened it back up.

The CF template does make it simpler to deploy in my opinion, and should include the relevant security rules to allow NICE DCV access and RDP.