Code Ocean VPC Administration Guide
v2.3
v2.1v2.2v2.3v2.4v2.5v2.6v2.7v2.8v2.9v2.10v2.11v2.12v2.13v2.14v2.15v2.16v2.17v2.18v2.19v2.20v2.21v2.22v3.0v3.1v3.2v3.3
v2.3
v2.1v2.2v2.3v2.4v2.5v2.6v2.7v2.8v2.9v2.10v2.11v2.12v2.13v2.14v2.15v2.16v2.17v2.18v2.19v2.20v2.21v2.22v3.0v3.1v3.2v3.3
  • Code Ocean VPC Administration Guide
  • Overview
    • System Overview
    • System Capacity and Sizing
  • Installation Guide
    • Prerequisites
    • CloudFormation Deployment
    • Deployment Parameters
    • Deployment IAM role
    • Subdomain Delegation
    • Create an Admin Account
    • Upgrade Code Ocean
    • Remove Code Ocean
  • Management Guide
    • User Management
      • Admin Signup
      • Adding/Removing an Administrator
      • Inviting New Users
      • Generating a Reset Password Link
      • Deactivate User
    • Set up a User Banner Message
    • Enable Git Integration
    • Starter Environments
      • Deploy Base Image
      • Image Actions
      • Deploying Private Docker Base Images
    • SCIM Provisioning using Azure Active Directory
    • Set up an Authentication
    • SCIM Provisioning using Okta
    • Configure Worker Parameters
    • ACM Certificate Renewal
  • Troubleshooting Guide
    • Collecting Logs with the Support Bundle
    • Searching Logs in AWS CloudWatch
    • Alarms
Powered by GitBook
On this page
  • Request Code Ocean AMIs
  • Create AWS IAM Service Linked Roles
  • Choose a Hosting Domain
  • Ensure Access to Hostmaster/System Administrator Email
  • AWS Account Requirements

Was this helpful?

  1. Installation Guide

Prerequisites

Learn what is required to prepare for deployment.

PreviousInstallation GuideNextCloudFormation Deployment

Last updated 2 years ago

Was this helpful?

Request Code Ocean AMIs

To share Code Ocean AMIs with your company's AWS account, contact our support or email with your company's AWS account ID. We currently support us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-2, and ca-central-1 AWS regions so please include your preferred region in the request. After you get the confirmation from Code Ocean, you can check for shared AMIs in your AWS account by following the instructions in . You should see the following two AMIs:

  1. codeocean-enterprise-services-amzn2-[timestamp]

  2. codeocean-enterprise-worker-amzn2-[timestamp]

Create AWS IAM Service Linked Roles

The next step is to create AWS IAM service-linked roles for RDS and Elasticsearch. Execute the following AWS CLI commands, make sure to use your selected region:

aws iam create-service-linked-role --aws-service-name autoscaling.amazonaws.com
aws iam create-service-linked-role --aws-service-name batch.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticache.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticfilesystem.amazonaws.com
aws iam create-service-linked-role --aws-service-name elasticloadbalancing.amazonaws.com
aws iam create-service-linked-role --aws-service-name es.amazonaws.com
aws iam create-service-linked-role --aws-service-name rds.amazonaws.com

The commands might return an error if the roles already exist in the AWS account, in which case the error can be ignored.

Choose a Hosting Domain

If you choose an internet-facing deployment type you will need to configure the parent domain (in our example, XYZ.com) to delegate the Code Ocean subdomain to Route53 by adding an NS record to the parent domain, so access to configure DNS on the parent domain is required.

Ensure Access to Hostmaster/System Administrator Email

  • administrator@your_root_domain_name

  • hostmaster@your_root_domain_name

  • postmaster@your_root_domain_name

  • webmaster@your_root_domain_name

  • admin@your_root_domain_name

Alternatively, it is possible to provide the deployment with a pre-validated ACM certificate ARN as a parameter. In this case, no email address access is required.

AWS Account Requirements

  1. Region and Availability Zones - Make sure the following resources are available for provisioning in your region and availability zones:

    1. Elasticsearch instance type t3.small.elasticsearch

    2. ElasticCache instance type cache.t3.micro

    1. Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances

    2. Running On-Demand P instances

    3. Running On-Demand G and VT instances

      1. All P Spot Instance Requests

      2. All Standard (A, C, D, H, I, M, R, T, Z) Spot Instance Requests

      3. All G and VT Spot Instance Requests

      4. All X Spot Instance Requests

  4. If you are deploying into an existing AWS VPC please make sure that the VPC is configured with both DNS Resolution and DNS Hostnames enabled.

The deployment will create a new AWS Route53 hosted zone to host the Code Ocean deployment. The domain name for this hosted zone is made up of the Code Ocean application subdomain (codeocean by default) and a root (parent) domain. For example, company XYZ has root domain XYZ.com, therefore the hosting domain for Code Ocean will be

Alternatively, you can use your own Route53 hosted zone and have the Code Ocean deployment add DNS records under it. This Route53 hosted zone must reside in the same deployed AWS account. You can specify your Route53 hosted zone under "Existing Route 53 Hosted Zone ID" in the .

The deployment provisions an SSL certificate for the Code Ocean hosting domain and uses . To approve the certificate, you must have access to one of the following email addresses:

Go to to learn more.

Service Quotas If you are deploying a new AWS VPC please make sure that your AWS account allows an additional VPC to be created. This includes other VPC resources such as NAT Gateways, Internet Gateway, EIPs, etc. You can check your current quotas and request a quota increase in the . In addition, make sure that the following service quotas have sufficient capacity:

Optional - If you wish to use Code Ocean's , you should also check for sufficient quota for:

The default DHCP option set in your AWS account needs to be configured with DNS servers that can resolve internal AWS hostnames, such as EFS-file-system-id.efs.aws-region.amazonaws.com, for example, by using .

If you are deploying into an existing AWS VPC and the VPC is configured with VPC endpoints for SSM or EC2 (PrivateLink) using a you'll need to add an ingress rule in the security group for the Code Ocean services security group and the Code Ocean workers security group. This will allow the Code Ocean instances to make the required SSM and EC2 API calls.

If your AWS account is configured with you will need to add permissions for the Code Ocean services IAM role in the or for that role.

support@codeocean.com
Find Shared AMIs
codeocean.XYZ.com
email to validate domain ownership
AWS Service Quotas console
dedicated machines feature with spot instance option
AmazonProvidedDNS
security group that restricts access to these endpoints
AWS KMS Customer-managed CMKs
CMK key policy,
create grants
deployment parameters
SSL Certificate Approval