AWS
This page describes the infrastructure and other prerequisites for deploying Seqera Platform Enterprise on Amazon Web Services (AWS).
Run the Seqera container with Docker on an AWS EC2 instance, or with Kubernetes on an Amazon EKS cluster. You must satisfy the requirements for your installation target:
-
SMTP server: If you don't have an email server, use Amazon Simple Email Service.
Amazon blocks EC2 traffic over port 25 by default. Your integration must use a port that can successfully reach your SMTP server.
-
MySQL database: An external database, such as one provided by Amazon Relational Database Service, is highly recommended for production deployments.
-
(Optional) SSL certificate: HTTP must not be used in production environments. An SSL certificate is required for your Seqera instance to handle HTTPS traffic. See SSL/TLS configuration for more information.
HTTP-only implementations must set the
TOWER_ENABLE_UNSAFE_MODE=true
environment variable in the Seqera hosting infrastructure to enable user login. HTTP must not be used in production environments. -
(Optional) AWS Parameter Store: Store sensitive Seqera configuration values as SecureString AWS Parameter Store parameters. See AWS Parameter Store configuration for instructions. This is recommended for production environments.
-
(Optional) DNS: DNS is required to support human-readable domain names and load-balanced traffic. If you don't have access to a pre-existing DNS service, use Amazon Route 53.
Prerequisites for Docker
An EC2 instance is required. See Amazon EC2 for instructions to provision an EC2 instance for this purpose.
Prerequisites for EKS
If you're installing Seqera Enterprise with Kubernetes, an Elastic Kubernetes Service (EKS) cluster is required. See the EKS documentation to provision your own cluster.
EKS cluster requirements
-
Kubernetes 1.19 or later
-
Subnet requirements
- At least 2 subnets across two different Availability Zones
- Subnets must be tagged for AWS Load Balancer Controller auto-discovery
- Public subnets must be configured to auto-assign IPs on launch
- Public and private subnets must allow egress traffic to the public internet
-
RBAC requirements
- The cluster must be created by a non-root user
aws-auth
must be updated to allow access to additional IAM users/roles (if needed)
-
Addons
- Install the cert-manager
- Install the AWS Load Balancer Controller
-
Ingress
- ALB provisioning via the AWS Load Balancer Controller
- ALB integration with the Amazon Certificate Manager
Additionally, the ingress assumes the presence of SSL certificates, DNS resolution, and ALB logging. If you've chosen not to use some or all of these features, you'll need to modify the manifest accordingly before applying it to the cluster.
AWS setup
Set up commonly-used AWS services for Seqera deployment.
Fetch Seqera config values from AWS Parameter Store
From version 23.1, you can retrieve Seqera Enterprise configuration values remotely from the AWS Parameter Store. See AWS Parameter Store configuration for instructions.
Amazon SES
Seqera Enterprise supports AWS Simple Email Service (SES) as an alternative to traditional SMTP servers for sending application emails.
If you use AWS SES in sandbox mode, both the sender and the receiver email addresses must be verified via AWS SES. Sandbox is not recommended for production use. See the AWS docs for instructions to move out of the sandbox.
-
See Obtaining SES SMTP credentials using the SES console for instructions to set up SES to send emails from your preferred address.
-
To prevent emails from SES being flagged as spam, see these AWS instructions for setting up an email authentication method:
Amazon RDS
External databases for Seqera Enterprise deployments require:
- A MySQL8 Community DB instance
- At least 2 vCPUs, 8 GB memory, and 30 GB SSD storage
- Manual MySQL user and database schema creation. See Database configuration for more details.
Recommended instance class and storage requirements depend on the number of parallel pipelines you expect to run.
- AWS console
- AWS CLI
See Creating an Amazon RDS DB instance to guide you through the external database setup for your production deployment.
To create a DB instance with the AWS CLI, call the create-db-instance command, replacing INSTANCE_NAME
, SECURITY_GROUP
, DB_USER
, and DB_PASSWORD
with your unique values:
aws rds create-db-instance \
--engine mysql \
--db-instance-identifier INSTANCE_NAME \
--allocated-storage 30 \
--db-instance-class db.m5d.large \
--vpc-security-group-ids SECURITY_GROUP \
--db-subnet-group SUBNET_GROUP \
--master-username DB_USER \
--master-user-password DB_PASSWORD \
After your database is created:
- Update the inbound rules for the underlying EC2 instance to allow MySQL connections.
- Update your Seqera configuration with the database hostname, username, and password.
Amazon EC2
See Getting started with Amazon EC2 for instructions to create your EC2 instance.
Create an instance with these attributes:
- Amazon Machine Image (AMI): Amazon Linux 2023 Optimized
- Instance type: c5a.xlarge or c5.large with 4 CPUs and 8 GB RAM
- Root storage: 30 GB
- Tags: It is helpful to use a descriptive
Name
value for your instance, such asseqera-app-server
. - Security Group name: Seqera deployment manifests provided in this installation guide use
tower-sg
by default. If you choose to use a custom name, this must be updated consistently across your deployment files. - Keypair: It is security best practice to use a new keypair for your production deployment instance.
After your instance is launched:
-
Use the key pair to connect to the server with SSH and its public IP address. Terminal-based SSH is easier to use than browser-based SSH for copying and pasting text.
-
Confirm that Docker Compose is installed:
docker compose version
Seqera container images
Seqera Platform Enterprise is distributed as a collection of Docker containers available through the Seqera container registry (cr.seqera.io). Contact support to get your container access credentials. Once you've received your credentials, retrieve the Seqera container images on your EC2 instance:
-
Retrieve the username and password you received from Seqera support.
-
Authenticate to the registry:
docker login -u 'username' -p 'password' cr.seqera.io
-
Pull the Seqera container images:
docker pull cr.seqera.io/private/nf-tower-enterprise/backend:v24.2.1
docker pull cr.seqera.io/private/nf-tower-enterprise/frontend:v24.2.1
Next steps
See Configuration.