R-Server

R and RStudio, Shiny and Positron on EC2

Description

This solution provisions EC2 instance with R, and optionally installs RStudio Server, Shiny Server and both RStudio Deskop and Positron IDEs. The web and desktop applications can be accessed securely through Amazon CloudFront and Amazon DCV respectively. Template will install GPU driver and provide access to additional NVIDIA software if a NVIDIA GPU instance is specified.

Demo

Video showing RStudio Desktop, Positron, Shiny Server, RStudio Server, and Paws library accessing Amazon S3

R-Server.mp4

Architecture Diagram

Overview of features

The CloudFormation template provides the following features:

• Ubuntu or Ubuntu Pro 24.04 LTS
  • Python 3
  • Docker Engine
  • NVIDIA driver and NVIDIA Container Toolkit (NVIDIA instance types)
• R Applications
  • R from CRAN (Comprehensive R Archive Network) project
    • r2u (CRAN as Ubuntu Binaries) project with bspm (Bridge to System Package Manager): apt integration for fast R package install
    • Paws (SDK for R): access to AWS services
    • reticulate (R interface to Python): interoperability between R and Python
    • tidyverse: simplify and streamline data science workflows
  • RStudio Server (optional)
  • RStudio Desktop and Positron (optional)
  • Shiny Server (optional)
• AWS Applications
  • Mountpoint for Amazon S3: mount an Amazon S3 bucket as local file system
  • AWS CLI with partial mode auto-prompt
• AWS Services
  • Amazon CloudFront: secure web access to RStudio Server and Shiny Server (optional)
  • Amazon DCV: secure high-performance remote graphical desktop access (optional)
  • AWS Backup: EC2 instance data protection (optional)
• Administration
  • AWS Systems Manager Session Manager: browser-based terminal access
  • EC2 Instance Connect: browser-based SSH (Linux)
  • EC2 IAM role: access to AWS services

License Agreement

Although this repository is released under the MIT-0 license, its CloudFormation template installs third party components. Usage indicate license agreement acceptance of all software that is installed on EC2 instance, which include (but is not limited to) the following

• R Project : GPL-2 | GPL-3
• r2u Project : GPL (>=2)
• RStudio Server : AGPL v3
• RStudio Desktop : AGPL v3
• Shiny Server : AGPL v3
• Positron : Elastic License 2.0
• Paws package : Apache 2.0
• Amazon DCV : DCV EULA

About Posit Software

Template installs free versions of RStudio, Shiny Server and Positron, which are created by Posit Software, PBC. Company offers enterprise versions including RStudio IDE integration with Amazon SageMaker AI

Other options

• Amazon Lightsail for Research supports RStudio Desktop. Refer to Getting started with Amazon Lightsail for Research: A tutorial using RStudio for more information
• Amazon SageMaker AI supports notebook instance with R and RStudio. Refer to blog post Get started with RStudio on Amazon SageMaker for more information
• Blog post Scaling RStudio/Shiny using Serverless Architecture and AWS Fargate discuss a scalable, secure, and serverless architecture pattern to host RStudio Server
• Blog post Deploying a Statistical Compute Environment using R on Amazon EKS describes how to deploy a statistical compute environment (SCE) that uses Posit Workbench, Connect and Package Manager.

Requirements

• EC2 instance must be provisioned in a subnet with outbound IPv4 internet connectivity.
• To use Amazon CloudFront, VPC attributes enableDnsSupport and enableDnsHostnames must be enabled

Above configuration are enabled in default VPC

Deploying using CloudFormation console

Download Ubuntu-R-server.yaml. Login to AWS CloudFormation console. To create a stack, select Create Stack, Upload a template file, Choose File, select your Ubuntu-R-server.yaml file and choose Next. Enter a Stack name and specify parameters values.

CloudFormation Parameters

The default values will install RStudio Server with Amazon CloudFront. You need to specify values for ec2KeyPair, vpcID and subnetID.

Applications

• installRStudioServer: install RStudio Server. Default is Yes
• installRStudioDesktop: install RStudio Desktop and Positron IDEs. Default is No. For Yes, template will also install Amazon DCV server for remote graphical desktop access. Select Yes-with-HTTPS-reverse-proxy to use DCV over HTTPS TCP port 443 in addition to default DCV TCP and UDP port 8443
• installShinyServer: install Shiny Server. Default is No

EC2

• ec2Name: EC2 instance name
• ec2KeyPair: EC2 key pair name. Create key pair if necessary
• osVersion : Ubuntu 24.04 or Ubuntu 24.04 Pro. Default is Ubuntu 24.04 (x86_64)
• instanceType: EC2 instance type. Default is m7i.large. Do verify instance family Region availability
• ec2TerminationProtection: enable EC2 termination protection to prevent accidental deletion. Default is Yes

Network

• vpcID: VPC with internet connectivity. Select default VPC if unsure
• subnetID: subnet in selected VPC with internet connectivity. Select subnet in default VPC if unsure
• displayPublicIP: set this to No only if your EC2 instance will not receive public IP address. EC2 private IP will be displayed in CloudFormation Outputs section instead. Default is Yes
• assignStaticIP: associates a static public IPv4 address using Elastic IP address. Default is Yes

Remote access

• ingressIPv4: allowed IPv4 source prefix to EC2 instance, e.g. 1.2.3.4/32. You can get your source IP from https://checkip.amazonaws.com. Default is 0.0.0.0/0
• ingressIPv6: allowed IPv6 source prefix to EC2 instance. Default is ::/0. Subnets in default VPC do not have IPv6 CIDR blocks associated. Specify ::1/128 to block all inbound IPv6 access
• allowSSHport: allow inbound SSH. Option does not affect EC2 Instance Connect access. Default is Yes

EC2 inbound SSH, DCV and HTTPS access from public internet are restricted to ingressIPv4 and ingressIPv6 IP prefixes

EBS volume

• volumeSize : EBS root volume size in GiB
• volumeType : gp2 or gp3 general purpose EBS type. Default is gp3

Amazon CloudFront

• enableCloudFront: create Amazon CloudFront distribution(s) to RStudio Server and/or Shiny Server. Associated charges are listed on Amazon CloudFront pricing page. Default is Yes
• originType: either Custom Origin or VPC Origin. Default is Custom Origin which requires EC2 instance to have public internet IPv4 address. Most AWS Regions support VPC Origins, which allow CloudFront to deliver content even if your EC2 instance is in a VPC private subnet. Ensure assignStaticIP is Yes if using Custom Origin.
• cloudFrontLogging: enable CloudFront standard logging to new S3 bucket. Default is No

AWS Backup

• enableBackup : EC2 data protection with AWS Backup. Associated charges are listed on AWS Backup pricing page. Default is No
• scheduleExpression : start time of backup using CRON expression. Default is 1 am daily
• scheduleExpressionTimezone : timezone in which the schedule expression is set. Default is Etc/UTC
• deleteAfterDays : number of days after backup creation that a recovery point is deleted. Default is 35

Posit download URLs

• RStudioServerURL : RStudio Server install URL
• RStudioDesktopURL : Rstudio Desktop install URL
• PositronURL : Positron IDE install URL
• ShinyServerURL : Shiny Server install URL

Template will use the above links to download and install Posit software

Others

• enableR53acmeSupport: grant EC2 instance IAM permission for ACME clients such as Certbot to use DNS-01 challenge with your Amazon Route 53 public hosted zone to obtain free HTTPS/TLS certificates. For security reasons, DNS record access is restricted to _acme-challenge.* TXT records using resource record set permissions. Default is Yes

CloudFormation Outputs

The following are available in Outputs section

EC2 administration

• EC2console: EC2 console URL to manage your EC2 instance
• EC2instanceID: EC2 Instance ID
• EC2instanceConnect: EC2 Instance Connect URL. Functionality is only available under certain conditions
• EC2serialConsole: EC2 Serial Console URL. Functionality is available under certain conditions
• SSMsessionManager: SSM Session Manager URL

EC2 IAM

• EC2iamRole: EC2 IAM role. Modify this to grant AWS service access

Application access

• RStudioServerUrl: RStudio Server CloudFront URL
• ShinyServerUrl: Shiny Server CloudFront URL
• DCVUrl: Amazon DCV web browser client and native client URLs to access desktop IDEs. Native clients can be installed from https://www.amazondcv.com/

Default login and password is ubuntu and EC2InstanceID value. To change password, login to EC2 instance (e.g. through EC2instanceConnect or SSMSessionManager) and run the command sudo passwd ubuntu

Using AWS in R

• Blog post Getting started with R on Amazon Web Services walks through how to use RStudio and Paws package
• Paws documentation lists code examples, tutorials and workshops
• Using R with Amazon SageMaker outlines how to use the reticulate package with Amazon SageMaker AI
• Amazon SageMaker Example Notebooks has some R with SageMaker examples
• Implement RStudio on your AWS environment and access your data lake using AWS Lake Formation permissions shows how to integrate RStudio on SageMaker and EC2 into your data lake architectures

You will need to modify EC2 IAM permissions (EC2iamRole) to provide access to desired AWS services such as SageMaker and S3

About EC2 instance

Change instance size/type

To adjust your instance vCPUs count or memory size, you can change instance type

NVIDIA GPU instance

If you specify a NVIDIA GPU instanceType, template will install GPU driver and provide NVIDIA repository access, which you can use to install additional NVIDIA software such as CUDA Toolkit. Refer to community article Install NVIDIA GPU driver, CUDA Toolkit, NVIDIA Container Toolkit on Amazon EC2 instances running Ubuntu Linux for installation guidance

Updating software

R packages are updated by Ubuntu unattended upgrades. To update Posit software, download and install latest pacakges from the following links

• RStudio Server
• RStudio Desktop
• Positron
• Shiny Server

Restoring from backup

If you enable AWS Backup (enableBackup), you can restore your EC2 instance from recovery points (backups) in your backup vault. The CloudFormation template creates an IAM role that grants AWS Backup permission to restore your backups. Role name can be located in your CoudFormation stack Resources section as the Physical ID value whose Logical ID value is backupRestoreRole

Securing

To secure your EC2 instance, you may want to

• Set a strong ubuntu login user password
• Restrict direct EC2 access to your IP address only (ingressIPv4 and ingressIPv6)
  • Use Amazon CloudFront (enableCloudFront) with VPC Origin (originType) for public web access
  • Use AWS WAF to protect your CloudFront distribution
  • Consider CloudFront flat-rate pricing plans that combine CloudFront with multiple AWS services, and features monthly price with no overage charges regardless of whether your website goes viral or faces a DDoS attack
  • Use AWS Certificate Manager to request a non-exportable public HTTPS certificate at no additional charge, and associate it with your CloudFront distribution
• Disable SSH access from public internet (allowSSHport)
  • Use EC2 Instance Connect or SSM Session Manager for in-browser terminal access, or
  • Start a session using AWS CLI or SSH with Session Manager plugin for the AWS CLI
• For DCV (installRStudioDesktop)
  • Use native clients for remote access, and disable web browser client by removing nice-dcv-web-viewer package
  • Install a valid TLS domain certificate
• Protect EC2 instance data with AWS Backup (enableBackup)
  • Enable AWS Backup Vault Lock to prevent your backups from accidental or malicious deletion, and for protection from ransomware
• Enable Amazon Inspector to scan EC2 instance for software vulnerabilities and unintended network exposure
• Enable Amazon GuardDuty security monitoring service with Runtime Monitoring and Malware Protection for EC2

SSL/TLS certificate

Amazon CloudFront (enableCloudFront) supports HTTPS and alternative domain name. You can use AWS Certificate Manager to request a non-exportable public certificate at no additional cost and associate it with your CloudFront distribution.

Template will install a valid IPv4 address certificate for Amazon DCV and HTTPS reverse proxy if installRStudioDesktop and displayPublicIP are Yes. IP address certificates are valid for 160 hours, just over six days, and Certbot will attempt to renew them before expiry. To ensure proper operation, ensure assignStaticIP is set to Yes.

Cost

There is no additional charge for using AWS CloudFormation. You pay for AWS resources created using the template the same as if you had created them manually. You only pay for what you use, with no minimum fees and no required upfront commitments.

Where possible, template assigns all created resources with user-defined tags of key names StackName and StackId. You can activate them as cost-allocation tags to track your AWS costs on a detailed level. Refer to AWS Billing User Guide for more information.

Clean Up

To remove created resources, you will need to

• Delete any recovery points in created backup vault (if enabled)
• Disable EC2 instance termination protection (if enabled)
• Empty CloudFront logs S3 bucket (if enabled)
• Delete CloudFormation stack

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.