Amazon Web Services
You can use Cloud 66 to provision and deploy your code to servers in any Amazon Web Services (AWS) region. Cloud 66 supports both VPC and (for AWS accounts created before 2014) EC2-Classic. We also support reserved instances. To use a VPC, your account must conform with the default VPC guidelines.
If you delete your application from Cloud 66, your servers will not be deleted on your cloud provider unless the physical server deletion setting is turned on.
Granting Cloud 66 access to AWS
You need to configure AWS so that Cloud 66 can access your account. To do this:
- Log into the web interface for your AWS account
- Click on the name of your account in the top right corner of your AWS account, and select My Security Credentials.
On the next screen, some users will be asked to choose between Security Credentials and IAM users. We support both methods but we recommend that experienced users select IAM for better security.
IAM stands for Identity and Access Management. It allows you to set permissions for specific users. We will guide you through generating access keys based on both of these methods:
Option A: Using root credentials
After selecting the Security Credentials option:
- Select the Access Keys option from the menu.
- Click Create new access key
- Either download the key file or click Show access key and take note of your access key ID and secret access key. These are the credentials needed for Cloud 66 to access your account.
Option B: Identity and Access Management (IAM)
Step 1: Create a user
After selecting the IAM option, follow this guide in AWS docs to set up a new IAM user for Cloud 66. We recommend naming the user cloud66 for clarity.
Be sure to copy or save the Access Key ID and Secret Access Key for this user - you will need these credentials to connect your Cloud 66 account.
Step 2: Set up access policies
You’ll need to assign access policies for the cloud66 user so that it will have the access it requires to provision and manage your servers.
You can see them here: recommended minimum policies.
There are two methods for assigning policies: using the AWS CLI or the web console.
Using the AWS CLI
If you have the AWS CLI tool installed, you can set up your access policies by running this command:
curl https://help.cloud66.com/c66_aws_iam_policy.json > c66_aws_iam_policy.json && aws iam put-user-policy --user-name cloud66 --policy-name ExamplePolicy --policy-document file://c66_aws_iam_policy.json
This downloads our JSON template to your machine and then submits it via the CLI. Note that this assumes you have named your user cloud66 as recommended. You can find more info in the AWS docs if you need it.
Using the web console
You can add policies via the IAM management console.
- Click on Access management → Users
- Click on your
- Click the Add inline policy button
- In another browser tab, open our JSON template and copy the whole page to your clipboard
- Back in the IAM console, click the JSON tab and paste in the template you just copied
- Click Review Policy
- Give your policy a name
- Click Create Policy
If you need more detail please read the AWS docs on this subject.
Using IAM instance profiles with your servers
Instance profiles are a way to set specific roles on new servers that you spin up with AWS. You can read more about creating your own instance profiles in the AWS docs.
You can use your instance profiles via Cloud 66 by calling them in the manifest file of your application. You can set a different profile for each component of an application (e.g. MySQL or Redis). We will then use that profile whenever we provision a server for that component.
Cloud 66 Security Groups on AWS
Whenever we provision servers for a new application on AWS, we configure separate AWS Security Groups for each type of server (e.g. application servers or database servers).
This requires Cloud 66 to have IAM permissions on your AWS account, so please be sure to set them up as explained above.
If new servers are added to a group on Cloud 66 (e.g. scaling up your web servers), then they are added to the corresponding Security Group on AWS. If servers are removed from Cloud 66, they are also removed from their Security Group on AWS.
AWS reserved instances enable users to reserve instances for one to three years, which has pricing benefits when compared to on-demand instances.
To use Cloud 66 with AWS reserved instances:
- Reserve an instance with your size/region requirements.
- Use Cloud 66 to deploy to a server of that size in the same region, and we’ll use your reserved instance.
If your AWS account was created before 2014, you can choose to create servers on the EC2-Classic platform. Cloud 66 does support EC2-Classic; however, we strongly recommend using VPC instead. Several instance types, such as the T2, require the use of VPC.
Please be sure to read the documentation for EC2-Classic before deploying to that platform.
ELB Websocket support
AWS Classic Load Balancers do not support Websocket natively. We recommend switching to one of Amazon’s newer load balancers - either Application Load Balancer or Network Load Balancer depending on your specific use-case.
Cloud 66 tag propagation
AWS supports the propagation of (some) component tags from Cloud 66. This means that if you tag your servers or load balancers in Cloud 66, those tags will be added to the corresponding components on your AWS account (after some transformations).
For more details on how this works please read our full guide on the propagation of tags to cloud providers.