AWS Installation Prerequisites

This document describes prerequisites for installing the Apcera Platform on AWS.

Create and upload public/private SSH key pair

The Orchestrator host is a EC2 Linux instance. To deploy the cluster, you connect to the Orchestrator instance using SSH and run the orchestrator-cli utility.

Amazon EC2 uses public key cryptography to encrypt and decrypt login information. Linux instances have no password, and you use a key pair to log in using SSH.

To generate an SSH key pair on Unix machines (Mac and Linux):

  1. Run ssh-keygen.
  2. Enter file in which to save the key, such as: /Users/lparis/apcera-aws-mpd/mysshkey
  3. Enter passphrase (empty for no passphrase).
  4. Add the key to your local SSH agent.

     ssh-add ./mysshkey
     Enter passphrase for ./mysshkey:
     Identity added: ./mysshkey (./mysshkey)
     ssh-add -l
  5. Upload the public key to AWS.
    • Select "Key Pairs" from the EC2 Dashboard.
    • Click "Import Key Pair"
    • Browse to and select the public SSH key, such as ./
    • Upload the public key to AWS

To generate an SSH key pair on Windows, use PuTTYgen:

  1. Download and install Putty.
  2. Launch PuTTYgen
  3. Under Parameters, select SSH-2 RSA for the Type of key to generate.
  4. Click Generate under Actions.
  5. When prompted to enter the file to save the key, press Enter to accept the default.
  6. Enter the passphrase of your choice in the Key passphrase and Confirm passphrase fields.
  7. Right-click inside the Public key for pasting into OpenSSH authorized_keys file text field, and choose Select All and then Copy.
  8. Open Notepad and paste in the public key you copied.
  9. Save the file as
  10. Click Save private key and store the key as id_rsa.
  11. Upload the public key as described above (the last step for Unix users).

NOTE: The public SSH key mut be in the PEM file format. When you upload the public key to AWS it will be properly formatted. If necessary copy it from there.

Create and download user access keys

To deploy cluster components to AWS, you must populate the configuration file with your AWS access keys (account credentials). You have two options:

  • Option 1: For production deployments, as a best practice you should create an AWS Identity & Access Management (IAM) user that has the necessary access keys.
  • Option 2: Provide the root AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values for your AWS account (not recommended).

Create and download IAM user access keys

To create an IAM user and policy, follow these steps:

  • Log into the AWS console.
  • Select IAM under Security, Identity & Compliance.
  • Select Users.
  • Click Add user.
  • Enter one or more user names to create.
  • Under Select AWS access type, select the check-box for Programmatic access and AWS Management Console access.
  • Select your desired option for the Console password.
  • Click Next: Permissions.
  • Select Attach existing policies directly.
  • Select the check-box next to each of the following:
    • AmazonVPCFullAccess
    • AmazonEC2FullAccess
    • AmazonS3FullAccess
    • AmazonRDSFullAccess
    • IAMFullAccess (so the PM can talk to Amazon S3)
  • Click Next: Review to verify the user information.
  • Click Create user.
  • Click Download.csv; a file named credentials.csv is downloaded to your computer and contains the AWS user name, access key and secret access key for each user created; this file is only available once.
  • Click Close.

Alternative to using IAM user credentials

Although not recommended, you can use your root AWS access keys instead of an IAM user:

To create and download the root access key for your AWS account:

  • Select [account-name] > Security Credentials from the upper right of the AWS menu bar
  • Select Access Keys (Access Key ID and Secret Access Key)
  • Click Create New Access Key
  • Download the file rootkey.csv.txt

Select AWS region with 3 AZs

An Apcera cluster is installed into an AWS Region.

When you deploy a cluster to AWS, you will need to specify the AWS region you are deploying to.

For minimum production deployment (MPD) on AWS, the region you select must support 3 availability zones. The following AWS regions provide 3 avaialability zones:

US West (Oregon) 			us-west-2
US East (N. Virginia) 		us-east-1
US East (Ohio) 				us-east-2
EU (Ireland) 				eu-west-1
Asia Pacific (Sydney)		ap-southeast-2
South America (São Paulo) 	sa-east-1

Note that the terraform.tfvars file specifies a, b, and c avilability zones. You will need to update this if the region you choose uses different identifiers for the AZ, such as b, c, d.

When you configure the S3 bucket for remote package store, you will need to specify the endpoint for your region (

Generate SSL certificate and key for HTTPS

You can user either HTTP or HTTPS for your cluster. As a best practice you should use HTTPS for production clusters

By default the Terraform module that we provide assumes that that you are using HTTPS. If you are not using HTTPS, you can comment out this block.

In addition, you need an SSL/TLS private key, a Certificate Signing Request (CSR), a certificate from the Certificate Authority, and the intermediate trust chain as well. You use this information to populate the cluster.conf.erb file.

Refer to Using HTTPS for details on how to create and provide this information.

Configure Google Auth or Other Identity Provider

For production deployments Apcera supports various third-party identity providers, including Google auth, Crowd, LDAP, and Microsoft Active Directory.

For new production clusters without access to an existing LDAP or Active Directory server, to get started it is recommended that you use Google Auth because it is comparatively easy to set up. Refer to these instructions to configure Google Auth for your Apcera Platform deployment. For LDAP and Active Directory set up, refer these instructions.

Configure DNS

You need to configure DNS to point to the cluster. DNS setup is not contingent on the cluster being up, but you will need to update DNS after you have deployed the Apcera Platform to AWS.

Refer to the DNS configuration documentation.