Prerequisites
Learn what is required to prepare for deployment.
Request Code Ocean AMIs
To share Code Ocean AMIs with your company's AWS account, contact our support or email support@codeocean.com with your company's AWS account ID. We currently support us-east-1
, us-east-2
, us-west-2
, eu-central-1
, eu-west-2
, and ca-central-1
AWS regions so please include your preferred region in the request. After you get the confirmation from Code Ocean, you can check for shared AMIs in your AWS account by following the instructions in Find Shared AMIs. You should see the following two AMIs:
codeocean-enterprise-services-amzn2-[timestamp]
codeocean-enterprise-worker-amzn2-[timestamp]
Create AWS IAM Service Linked Roles
The next step is to create AWS IAM service-linked roles for RDS and Elasticsearch. Execute the following AWS CLI commands, make sure to use your selected region:
The commands might return an error if the roles already exist in the AWS account, in which case the error can be ignored.
Choose a Hosting Domain
The deployment will create a new AWS Route53 hosted zone to host the Code Ocean deployment. The domain name for this hosted zone is made up of the Code Ocean application subdomain (codeocean
by default) and a root (parent) domain. For example, company XYZ has root domain XYZ.com, therefore the hosting domain for Code Ocean will be codeocean.XYZ.com
If you choose an internet-facing deployment type you will need to configure the parent domain (in our example, XYZ.com) to delegate the Code Ocean subdomain to Route53 by adding an NS record to the parent domain, so access to configure DNS on the parent domain is required.
Alternatively, you can use your own Route53 hosted zone and have the Code Ocean deployment add DNS records under it. This Route53 hosted zone must reside in the same deployed AWS account. You can specify your Route53 hosted zone under "Existing Route 53 Hosted Zone ID" in the deployment parameters.
SSL Certificate Validation
The deployment provisions an SSL certificate through AWS ACM for the Code Ocean hosting domain and uses either DNS Validation or Email Validation to validate domain ownership.
DNS validation is used for deployments that are both internet facing and use an existing Route53 hosted zone. In that case, the certificate validation will happen automatically and the certificate will be eligible for automatic renewal.
For other types of deployments, email validation is used. To approve the certificate, you must have access to one of the following email addresses:
administrator@your_root_domain_name
hostmaster@your_root_domain_name
postmaster@your_root_domain_name
webmaster@your_root_domain_name
admin@your_root_domain_name
You or your IT administrator must have access to one of these email addresses when certificate email validation is used. The Code Ocean deployment will eventually fail if you are unable to approve the certificate request.
Alternatively, it is possible to provide the deployment with a pre-validated ACM certificate ARN as a CloudFormation template parameter. In this case, no further certificate validation is required. See the CloudFormation deployment parameter section for details.
AWS Account Requirements
Region and Availability Zones - Make sure the following resources are available for provisioning in your region and availability zones:
OpenSearch instance type t3.small.search
ElastiCache instance type cache.t3.micro
Service Quotas If you are deploying a new AWS VPC please make sure that your AWS account allows an additional VPC to be created. This includes other VPC resources such as NAT Gateways, Internet Gateway, EIPs, etc. You can check your current quotas and request a quota increase in the AWS Service Quotas console. In addition, make sure that the following service quotas have sufficient capacity:
Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances
CodeOcean default On-Demand Standard instances utilizes 16 vCPUs, it is mandatory to have at least 32 vCPUs service quotas available
Running On-Demand G and VT instances
CodeOcean default On-Demand G and VT instances utilizes 16 vCPUs, it is mandatory to have at least 32 vCPUs service quotas available
CodeOcean default On-Demand instances utilizes 16 vCPUs, it is recommended to have at least 32 vCPUs service quotas available for both G and VT and Standard instances.
Optional - If you wish to use Code Ocean's dedicated machines feature with spot instance option, you should also check for sufficient quota for:
All P Spot Instance Requests
All Standard (A, C, D, H, I, M, R, T, Z) Spot Instance Requests
All G and VT Spot Instance Requests
All X Spot Instance Requests
The default DHCP option set in your AWS account needs to be configured with DNS servers that can resolve internal AWS hostnames, such as
EFS-file-system-id
.efs.
aws-region
.amazonaws.com
, for example, by using AmazonProvidedDNS.If you are deploying into an existing AWS VPC please make sure that the VPC is configured with both DNS Resolution and DNS Hostnames enabled.
If you are deploying into an existing AWS VPC and the VPC is configured with VPC endpoints for SSM or EC2 (PrivateLink) using a security group that restricts access to these endpoints you'll need to add an ingress rule in the security group for the Code Ocean services security group and the Code Ocean workers security group. This will allow the Code Ocean instances to make the required SSM and EC2 API calls.
If your AWS account is configured with AWS KMS Customer-managed CMKs you will need to add permissions for the Code Ocean services IAM role in the CMK key policy, or create grants for that role.
Last updated