Prerequisites

Learn what is required to prepare for deployment.

Request Code Ocean AMIs

To share Code Ocean AMIs with your company's AWS account, contact our support or email support@codeocean.com with your company's AWS account ID. We currently support the us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-2, and ca-central-1 AWS regions, so please include your preferred region in the request. After you get the confirmation from Code Ocean, you can check for shared AMIs in your AWS account by following the instructions in Find Shared AMIs. You should see the following two AMIs:

  1. codeocean-enterprise-services-amzn2-[timestamp]

  2. codeocean-enterprise-worker-amzn2-[timestamp]

Create AWS IAM Service Linked Roles

The next step is to create the AWS IAM service-linked roles that the deployment needs, including those for RDS and Elasticsearch. Execute the following AWS CLI commands, making sure to use your selected region:

aws iam create-service-linked-role --aws-service-name autoscaling.amazonaws.com
aws iam create-service-linked-role --aws-service-name batch.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticache.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticfilesystem.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticloadbalancing.amazonaws.com
aws iam create-service-linked-role --aws-service-name es.amazonaws.com
aws iam create-service-linked-role --aws-service-name rds.amazonaws.com

The commands might return an error if the roles already exist in the AWS account, in which case the error can be ignored.
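The point above, as an added example that is not part of Code Ocean's own tooling: a wrapper that treats only the "role already exists" response as success and still surfaces other failures such as a permissions error. The function names, the script file name and the matched error wording are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Code Ocean's own tooling.
# Service prefixes are taken from the commands listed above.
SERVICES="autoscaling batch elasticache elasticfilesystem elasticloadbalancing es rds"

# Create one service-linked role.
# Returns 0 if the role was created or already exists, 1 on any other error.
ensure_slr() {
  svc="$1.amazonaws.com"
  if out=$(aws iam create-service-linked-role --aws-service-name "$svc" 2>&1); then
    echo "created  $svc"
    return 0
  fi
  case "$out" in
    # Assumption: wording the CLI returns when the role is already present.
    *"has been taken in this account"*)
      echo "exists   $svc"
      return 0 ;;
    *)
      # Anything else (for example AccessDenied) must not be ignored.
      echo "FAILED   $svc: $out" >&2
      return 1 ;;
  esac
}

# Process every service; return non-zero if any role could not be ensured.
ensure_all_slrs() {
  rc=0
  for s in $SERVICES; do
    ensure_slr "$s" || rc=1
  done
  return "$rc"
}

# Run only when invoked as: sh ensure-slr.sh run   (hypothetical file name)
if [ "${1:-}" = "run" ]; then
  ensure_all_slrs
fi
```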

Choose a Hosting Domain

The deployment will create a new AWS Route53 hosted zone to host the Code Ocean deployment. The domain name for this hosted zone is made up of the Code Ocean application subdomain (codeocean by default) and a root (parent) domain. For example, if company XYZ has the root domain XYZ.com, the hosting domain for Code Ocean will be codeocean.XYZ.com.

If you choose an internet-facing deployment type, you will need to configure the parent domain (in our example, XYZ.com) to delegate the Code Ocean subdomain to Route53 by adding an NS record to the parent domain. Access to configure DNS on the parent domain is therefore required.

Ensure Access to Hostmaster/System Administrator Email

The deployment provisions an SSL certificate for the Code Ocean hosting domain and uses email to validate domain ownership. To approve the certificate, you must have access to one of the following email addresses:

  • administrator@your_root_domain_name

  • hostmaster@your_root_domain_name

  • postmaster@your_root_domain_name

  • webmaster@your_root_domain_name

  • admin@your_root_domain_name

Go to SSL Certificate Approval to learn more.

Alternatively, it is possible to provide the deployment with a pre-validated ACM certificate ARN as a parameter. In this case, no email address access is required.

AWS Account Requirements

  1. Region and Availability Zones - Make sure the following resources are available for provisioning in your region and availability zones:

    1. Elasticsearch instance type t3.small.elasticsearch

    2. ElastiCache instance type cache.t3.micro

  2. Service Quotas - If you are deploying a new AWS VPC, please make sure that your AWS account allows an additional VPC to be created. This includes other VPC resources such as NAT Gateways, Internet Gateways, EIPs, etc. You can check your current quotas and request a quota increase in the AWS Service Quotas console. In addition, make sure that the following service quotas have sufficient capacity:

    1. Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances

    2. Running On-Demand P instances

    3. Running On-Demand G and VT instances

    4. Optional - If you wish to use Code Ocean's dedicated machines feature with spot instance option, you should also check for sufficient quota for:

      1. All P Spot Instance Requests

      2. All Standard (A, C, D, H, I, M, R, T, Z) Spot Instance Requests

      3. All G and VT Spot Instance Requests

      4. All X Spot Instance Requests

  3. The default DHCP option set in your AWS account needs to be configured with DNS servers that can resolve internal AWS hostnames, such as EFS-file-system-id.efs.aws-region.amazonaws.com, for example, by using AmazonProvidedDNS.

  4. If you are deploying into an existing AWS VPC, please make sure that the VPC is configured with both DNS Resolution and DNS Hostnames enabled.

  5. If you are deploying into an existing AWS VPC and the VPC is configured with VPC endpoints for SSM or EC2 (PrivateLink) using a security group that restricts access to these endpoints, you'll need to add an ingress rule in that security group for the Code Ocean services security group and the Code Ocean workers security group. This will allow the Code Ocean instances to make the required SSM and EC2 API calls.

  6. If your AWS account is configured with AWS KMS Customer-managed CMKs, you will need to add permissions for the Code Ocean services IAM role in the CMK key policy, or create grants for that role.

Predefined Alarms

Code Ocean natively reports metrics to CloudWatch. These include system metrics such as disk space, CPU, and memory usage, as well as application metrics. As part of the deployment, alarms are provisioned.

For additional information on the alarms, refer to Alarms.

Subscribe to Alarms

You can be notified of alarms by using AWS SNS. All of the Code Ocean alarms are reported to the alarms<id> SNS topic, which you can subscribe to.

Email subscription to an SNS topic

Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  1. In the navigation pane, select Topics. Find the pre-defined topic named alarms<id> and copy its ARN value.

  2. In the navigation pane, click Subscriptions, then select Create subscription.

  3. In Create subscription, for Topic ARN, paste the topic ARN copied in step 1.

  4. For Protocol, select Email.

  5. For Endpoint, enter an email address that can be used to receive the notification.

  6. Click Create subscription.

  7. Open the email from AWS Notifications and confirm your subscription.

  8. Your web browser will display a confirmation response from Amazon SNS.
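The same procedure from the AWS CLI, as an added example that is not part of Code Ocean's own tooling; it also reports subscriptions that were never confirmed, since an unconfirmed address receives no alarms. The function names and the script file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Code Ocean's own tooling.

# Print the ARN of the first topic whose name starts with "alarms".
alarm_topic_arn() {
  aws sns list-topics --query 'Topics[].TopicArn' --output text |
    tr '\t' '\n' | grep -E ':alarms[^:]*$' | head -n 1
}

# Subscribe an address; AWS then e-mails it a confirmation link.
subscribe_email() {  # usage: subscribe_email TOPIC_ARN ADDRESS
  aws sns subscribe --topic-arn "$1" --protocol email \
    --notification-endpoint "$2"
}

# Print endpoints on the topic that have not confirmed yet.
# An unconfirmed subscription shows "PendingConfirmation" in place of an ARN.
pending_endpoints() {  # usage: pending_endpoints TOPIC_ARN
  aws sns list-subscriptions-by-topic --topic-arn "$1" \
    --query 'Subscriptions[].[Endpoint,SubscriptionArn]' --output text |
    awk -F '\t' '$2 == "PendingConfirmation" { print $1 }'
}

# Count confirmed subscriptions; 0 means the alarms reach nobody.
confirmed_count() {  # usage: confirmed_count TOPIC_ARN
  aws sns list-subscriptions-by-topic --topic-arn "$1" \
    --query 'Subscriptions[].SubscriptionArn' --output text |
    tr '\t' '\n' | grep -c '^arn:' || true
}

# Run as: sh alarm-subs.sh you@example.com   (hypothetical file name)
if [ -n "${1:-}" ]; then
  arn=$(alarm_topic_arn)
  subscribe_email "$arn" "$1"
  echo "awaiting confirmation: $(pending_endpoints "$arn")"
  echo "confirmed subscriptions: $(confirmed_count "$arn")"
fi
```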

Connect AWS SNS to Slack or Microsoft Teams.
