Code Ocean VPC Administration Guide
v2.11

Prerequisites

Learn what is required to prepare for deployment.


Last updated 2 years ago


Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

Request Code Ocean AMIs

To share Code Ocean AMIs with your company's AWS account, contact our support or email support@codeocean.com with your company's AWS account ID. We currently support the us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-2, ap-southeast-2 and ca-central-1 AWS regions, so please include your preferred region in the request. After you get the confirmation from Code Ocean, you can check for shared AMIs in your AWS account by following the instructions in Find Shared AMIs. You should see the following two AMIs:

  1. codeocean-vpc-services-amzn2-[timestamp]

  2. codeocean-vpc-worker-amzn2-[timestamp]

Create AWS IAM Service Linked Roles

The next step is to create AWS IAM service-linked roles for the various AWS services in use by the Code Ocean deployment, such as AWS Batch, RDS, and OpenSearch. Execute the following AWS CLI commands, making sure to use your selected region:

aws iam create-service-linked-role --aws-service-name autoscaling.amazonaws.com
aws iam create-service-linked-role --aws-service-name batch.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticache.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticfilesystem.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticloadbalancing.amazonaws.com
aws iam create-service-linked-role --aws-service-name es.amazonaws.com
aws iam create-service-linked-role --aws-service-name rds.amazonaws.com

The commands might return an error if the roles already exist in the AWS account, in which case the error can be ignored.
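
The commands above as an idempotent script that ignores only the "role already exists" error and still surfaces anything else, such as a permissions failure. This is an added example, not part of the Code Ocean guide; the function names and the `--apply` switch are hypothetical, and the matched error text is an assumption about the AWS CLI's message for an existing role.

```shell
#!/bin/sh
# Added example: create the service-linked roles listed in this guide,
# treating "already exists" as success and any other error as a failure.
# Assumption: for an existing role the AWS CLI reports an InvalidInput error
# whose text contains "has been taken in this account".

SLR_SERVICES="autoscaling batch elasticache elasticfilesystem elasticloadbalancing es rds"

# ensure_slr SERVICE -> 0 if the role was created or already exists, 1 otherwise
ensure_slr() {
  slr_svc="$1.amazonaws.com"
  if slr_out=$(aws iam create-service-linked-role --aws-service-name "$slr_svc" 2>&1); then
    echo "created  $slr_svc"
    return 0
  fi
  case "$slr_out" in
    *"has been taken in this account"*)
      echo "exists   $slr_svc"
      return 0 ;;
    *)
      # AccessDenied, throttling, bad credentials, etc. must not be hidden.
      echo "FAILED   $slr_svc: $slr_out" >&2
      return 1 ;;
  esac
}

# ensure_all_slrs -> exit status is the number of services that failed
ensure_all_slrs() {
  slr_failures=0
  for slr_name in $SLR_SERVICES; do
    ensure_slr "$slr_name" || slr_failures=$((slr_failures + 1))
  done
  return "$slr_failures"
}

# Only call AWS when run as: sh create-slrs.sh --apply
if [ "${1:-}" = "--apply" ]; then
  ensure_all_slrs
fi
```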

Choose a Hosting Domain

The deployment will create a new AWS Route53 hosted zone to host the Code Ocean deployment. The domain name for this hosted zone is made up of the Code Ocean application subdomain (codeocean by default) and a root (parent) domain. For example, company XYZ has root domain XYZ.com, therefore the hosting domain for Code Ocean will be codeocean.XYZ.com.

If you choose an internet-facing deployment type, you will need to configure the parent domain (in our example, XYZ.com) to delegate the Code Ocean subdomain to Route53 by adding an NS record to the parent domain, so access to configure DNS on the parent domain is required.

Alternatively, you can use your own Route53 hosted zone and have the Code Ocean deployment add DNS records under it. This Route53 hosted zone must reside in the same AWS account as the deployment. You can specify your Route53 hosted zone under "Existing Route 53 Hosted Zone ID" in the deployment parameters.

SSL Certificate Validation

The deployment provisions an SSL certificate through AWS ACM for the Code Ocean hosting domain and uses either DNS Validation or Email Validation to validate domain ownership.

DNS validation is used for deployments that are both internet facing and use an existing Route53 hosted zone. In that case, the certificate validation will happen automatically and the certificate will be eligible for automatic renewal.

For other types of deployments, email validation is used. To approve the certificate, you must have access to one of the following email addresses:

  • administrator@your_root_domain_name

  • hostmaster@your_root_domain_name

  • postmaster@your_root_domain_name

  • webmaster@your_root_domain_name

  • admin@your_root_domain_name

You or your IT administrator must have access to one of these email addresses when certificate email validation is used. The Code Ocean deployment will eventually fail if you are unable to approve the certificate request.

Alternatively, it is possible to provide the deployment with a pre-validated ACM certificate ARN as a CloudFormation template parameter. In this case, no further certificate validation is required. See the CloudFormation deployment parameter section for details.

AWS Account Requirements

  1. Region and Availability Zones - Make sure the following resources are available for provisioning in your region and availability zones:

    1. OpenSearch instance type t3.small.search

    2. ElastiCache instance type cache.t3.micro

  2. Service Quotas - If you are deploying a new AWS VPC, please make sure that your AWS account allows an additional VPC to be created. This includes other VPC resources such as NAT Gateways, Internet Gateway, EIPs, etc. You can check your current quotas and request a quota increase in the AWS Service Quotas console. In addition, make sure that the following service quotas have sufficient capacity (if you require a quota increase and your request is declined, a smaller instance type should be configured during deployment):

    1. Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances

      • Code Ocean default general purpose worker instance type is r5d.4xlarge and it utilizes 16 vCPUs. In order to deploy with the default configuration you must have at least 32 vCPUs in Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances quota.

    2. Running On-Demand G and VT instances

      • Code Ocean default GPU worker instance type is g4dn.4xlarge and it utilizes 16 vCPUs. In order to deploy with the default configuration you must have at least 32 vCPUs in Running On-Demand G and VT instances quota.

    Optional - If you wish to use Code Ocean's dedicated machines feature with spot instance option, you should also check for sufficient quota for:

      1. All P Spot Instance Requests

      2. All Standard (A, C, D, H, I, M, R, T, Z) Spot Instance Requests

      3. All G and VT Spot Instance Requests

      4. All X Spot Instance Requests

  3. If you are deploying into an existing AWS VPC, please make sure that the VPC is configured with both DNS Resolution and DNS Hostnames enabled.

  4. The default DHCP option set in your AWS account needs to be configured with DNS servers that can resolve internal AWS hostnames, such as EFS-file-system-id.efs.aws-region.amazonaws.com, for example, by using AmazonProvidedDNS.

  5. If you are deploying into an existing AWS VPC and the VPC is configured with VPC endpoints for SSM or EC2 (PrivateLink) using a security group that restricts access to these endpoints, you'll need to add an ingress rule in the security group for the Code Ocean services security group and the Code Ocean workers security group. This will allow the Code Ocean instances to make the required SSM and EC2 API calls.

  6. If your AWS account is configured with AWS KMS Customer-managed CMKs, you will need to add permissions for the Code Ocean services IAM role in the CMK key policy, or create grants for that role.
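
A preflight check for two of the account requirements: the 32 vCPU minimum on both On-Demand quotas and the DNS settings of an existing VPC. This is an added example, not part of the Code Ocean guide; the function names and the `--check` switch are hypothetical, and the two EC2 quota codes are assumptions to confirm in the Service Quotas console for your region.

```shell
#!/bin/sh
# Added example: preflight checks for the on-demand vCPU quotas and the
# VPC DNS attributes. Uses the region configured for the AWS CLI.

MIN_VCPUS=32                 # minimum stated in this guide for each quota
QUOTA_STANDARD="L-1216C47A"  # assumed code: Running On-Demand Standard instances
QUOTA_G_VT="L-DB2E81BA"      # assumed code: Running On-Demand G and VT instances

# quota_ok QUOTA_CODE -> 0 if the applied quota is >= MIN_VCPUS,
#                        1 if it is lower, 2 if the lookup itself failed
quota_ok() {
  q_value=$(aws service-quotas get-service-quota --service-code ec2 \
              --quota-code "$1" --query 'Quota.Value' --output text) || return 2
  # Values come back as floats such as 64.0; compare the integer part.
  [ "${q_value%.*}" -ge "$MIN_VCPUS" ]
}

# vpc_dns_ok VPC_ID -> 0 only if DNS Resolution and DNS Hostnames are both on
vpc_dns_ok() {
  dns_support=$(aws ec2 describe-vpc-attribute --vpc-id "$1" \
                  --attribute enableDnsSupport \
                  --query 'EnableDnsSupport.Value' --output text) || return 2
  dns_hostnames=$(aws ec2 describe-vpc-attribute --vpc-id "$1" \
                    --attribute enableDnsHostnames \
                    --query 'EnableDnsHostnames.Value' --output text) || return 2
  [ "$dns_support" = "True" ] && [ "$dns_hostnames" = "True" ]
}

# Only call AWS when run as: sh preflight.sh --check [VPC_ID]
if [ "${1:-}" = "--check" ]; then
  quota_ok "$QUOTA_STANDARD" || echo "Standard on-demand quota below $MIN_VCPUS vCPUs" >&2
  quota_ok "$QUOTA_G_VT"     || echo "G and VT on-demand quota below $MIN_VCPUS vCPUs" >&2
  if [ -n "${2:-}" ]; then
    vpc_dns_ok "$2" || echo "VPC $2: enable DNS Resolution and DNS Hostnames" >&2
  fi
fi
```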
