Installing Enterprise Server on AWS

To install Enterprise Server on Amazon Web Services (AWS), you must launch an Amazon Elastic Compute Cloud (EC2) instance and create and attach a separate Amazon Elastic Block Store (EBS) data volume.

In this article

Prerequisites

This guide assumes you are familiar with the following AWS concepts:

For a diagram that provides an architectural overview, see the AWS Architecture Diagram for Deploying Enterprise Server.

This guide recommends the principle of least privilege when setting up your Enterprise Server instance on AWS. For more information, refer to the AWS Identity and Access Management (IAM) documentation.

Hardware considerations

We recommend different hardware configurations depending on the number of user licenses for your Enterprise Server instance. If you provision more resources than the minimum recommended requirements, your instance will perform and scale better.

User licensesx86-64 vCPUsMemoryRoot storageAttached (data) storageIOPS
Trial, demo, or 10 light users432 GB400 GB500 GB600
Up to 1,000848 GB400 GB500 GB3000
1,000 to 3,0001664 GB400 GB1000 GB6000
3,000 to 5,00032128 GB400 GB1500 GB9000
5,000 to 8,00048256 GB400 GB3000 GB12000
8,000 to 10,000+64512 GB400 GB5000 GB15000

If you plan to enable Actions or Advanced Security for the users of your instance, more resources are required.

  • Actions - increase both CPU and memory by at least 25%
  • Advanced Security - increase both CPU and memory by at least 25%

These adjustments should be applied to the base requirements for each user tier. We recommend monitoring all changes to your resources, as further increases may be needed.

For more information about these requirements, see Getting started with Actions for Enterprise Server.

If you plan to enable Container registry for the users of your instance, more resources are required. For more information about these requirements, see Getting started with Packages for your enterprise.

For more information about adjusting resources for an existing instance, see Increasing storage capacity and Increasing CPU or memory resources.

Storage

We recommend a high-performance SSD with high input/output operations per second (IOPS) and low latency for Enterprise Server. Workloads are I/O intensive. If you use a bare metal hypervisor, we recommend directly attaching the disk or using a disk from a storage area network (SAN).

Your instance requires a persistent data disk separate from the root disk. For more information, see System overview.

Warning

Root storage refers to the total size of your instance's root disk. When the instance is booted you will see 200GB available on the root filesystem. The remaining 200GB is reserved for upgrades. For more information, see System overview.

To configure Actions, you must provide external blob storage. For more information, see Getting started with Actions for Enterprise Server.

The available space on the root filesystem will be 50% of the total disk size. You can resize your instance's root disk by building a new instance or using an existing instance. For more information, see System overview and Increasing storage capacity.

CPU and memory

The CPU and memory resources that Enterprise Server requires depend on the levels of activity for users, automations, and integrations.

Any VMs you provision for your Enterprise Server instance must use the x86-64 CPU architecture. Other architectures are not supported, such as AArch64 or arm64.

If you plan to enable Actions for the users of your Enterprise Server instance, you may need to provision additional CPU and memory resources for your instance. For more information, see Getting started with Actions for Enterprise Server.

When you increase CPU resources, recommends adding at least 6.5 GB of memory for each vCPU (up to 16 vCPUs) that you provision for the instance. When you use more than 16 vCPUs, you don't need to add 6.5 GB of memory for each vCPU, but you should monitor your instance to ensure it has enough memory.

Warning

We recommend that users configure webhook events to notify external systems of activity on Enterprise Server. Automated checks for changes, or polling, will negatively impact the performance and scalability of your instance. For more information, see About webhooks.

For more information about monitoring the capacity and performance of Enterprise Server, see Monitoring your instance.

You can increase your instance's CPU or memory resources. For more information, see Increasing CPU or memory resources.

Determining the instance type

Before launching your Enterprise Server instance on AWS, you'll need to determine the machine type that best fits the needs of your organization. To review the minimum recommended requirements for Enterprise Server, see Minimum recommended requirements.

You can always scale up your CPU or memory by resizing your instance. Changing the resources available to your instance requires downtime for your users, so recommends over-provisioning resources to account for scale.

recommends a memory-optimized instance for Enterprise Server. For more information, see Amazon EC2 Instance Types on the Amazon EC2 website.

Selecting the Enterprise Server AMI

You can select an Amazon Machine Image (AMI) for Enterprise Server using the Enterprise Server portal or the AWS CLI.

AMIs for Enterprise Server are available in the AWS GovCloud (US-East and US-West) region. This allows US customers with specific regulatory requirements to run Enterprise Server in a federally compliant cloud environment. For more information on AWS's compliance with federal and other standards, see AWS's GovCloud (US) page and AWS's compliance page.

Using the Enterprise Server portal to select an AMI

  1. Navigate to the image you want to use for your new instance.

    • Navigate to Release notes.
    • In the right sidebar, click the version you want to download.
    • Click Download Enterprise Server X.X.X.

  2. Under " in the Cloud", select the "Select your platform" dropdown menu, and click Amazon Web Services.

  3. Select the "Select your AWS region" drop-down menu, and click your desired region.

  4. Take note of the AMI ID that is displayed.

Using the AWS CLI to select an AMI

  1. Using the AWS CLI, get a list of Enterprise Server images published by 's AWS owner IDs (025577942450 for GovCloud, and 895557238572 for other regions). For more information, see describe-images in the AWS documentation.

    aws ec2 describe-images \
--owners OWNER_ID \
--query 'sort_by(Images,&Name)[*].{Name:Name,ImageID:ImageId}' \
--output=text

  2. Take note of the AMI ID for the latest Enterprise Server image.

Creating a security group

If you're setting up your AMI for the first time, you will need to create a security group and add a new security group rule for each port in the table below. For more information, see the AWS guide Using Security Groups.

  1. Using the AWS CLI, create a new security group. For more information, see create-security-group in the AWS documentation.

    aws ec2 create-security-group --group-name SECURITY_GROUP_NAME --description "SECURITY GROUP DESCRIPTION"

  2. Take note of the security group ID (sg-xxxxxxxx) of your newly created security group.

  3. Create a security group rule for each of the ports in the table below. We recommend opening network ports selectively based on the network services you need to expose for administrative and user purposes. For more information, see Network ports, and authorize-security-group-ingress in the AWS documentation.

    aws ec2 authorize-security-group-ingress --group-id SECURITY_GROUP_ID --protocol PROTOCOL --port PORT_NUMBER --cidr SOURCE IP RANGE

    This table identifies what each port is used for.

    PortServiceDescription
    22SSHGit over SSH access. Clone, fetch, and push operations to public/private repositories supported.
    25SMTPSMTP with encryption (STARTTLS) support.
    80HTTPWeb application access. All requests are redirected to the HTTPS port when SSL is enabled.
    122SSHInstance shell access. The default SSH port (22) is dedicated to application git+ssh network traffic.
    161/UDPSNMPRequired for network monitoring protocol operation.
    443HTTPSWeb application and Git over HTTPS access.
    1194/UDPVPNSecure replication network tunnel in high availability configuration. Encrypted using WireGuard.
    8080HTTPPlain-text web based Management Console. Not required unless SSL is disabled manually.
    8443HTTPSSecure web based Management Console. Required for basic installation and configuration.
    9418GitSimple Git protocol port. Clone and fetch operations to public repositories only. Unencrypted network communication. If you have enabled private mode on your instance, then opening this port is only required if you also enabled anonymous Git read access. For more information, see Enforcing repository management policies in your enterprise.

Creating the Enterprise Server instance

To create the instance, you'll need to launch an EC2 instance with your Enterprise Server AMI and attach an additional storage volume for your instance data. For more information, see Hardware considerations.

Note

You can encrypt the data disk to gain an extra level of security and ensure that any data you write to your instance is protected. There is a slight performance impact when using encrypted disks. If you decide to encrypt your volume, we strongly recommend doing so before starting your instance for the first time. For more information, see the Amazon guide on EBS encryption.

Warning

If you decide to enable encryption after you've configured your instance, you will need to migrate your data to the encrypted volume, which will incur some downtime for your users.

Launching an EC2 instance

In the AWS CLI, launch an EC2 instance using your AMI and the security group you created. Attach a new block device to use as a storage volume for your instance data, and configure the size based on your user license count. For more information, see run-instances in the AWS documentation.

aws ec2 run-instances \
  --security-group-ids SECURITY_GROUP_ID \
  --instance-type INSTANCE_TYPE \
  --image-id AMI_ID \
  --block-device-mappings '[{"DeviceName":"/dev/xvdf","Ebs":{"VolumeSize":SIZE,"VolumeType":"TYPE"}}]' \
  --region REGION \
  --ebs-optimized

Allocating an Elastic IP and associating it with the instance

If this is a production instance, we strongly recommend allocating an Elastic IP (EIP) and associating it with the instance before proceeding to Enterprise Server configuration. Otherwise, the public IP address of the instance will not be retained after instance restarts. For more information, see Allocating an Elastic IP Address and Associating an Elastic IP Address with a Running Instance in the Amazon documentation.

Both primary and replica instances should be assigned separate EIPs in production High Availability configurations. For more information, see Configuring high availability.

Configuring the Enterprise Server instance

To configure the instance, you must upload a license file, set the root Management Console password, configure the instance's settings, and restart the instance.

Warning

To prevent an attacker from compromising the new instance, ensure that you personally set the root Management Console password and create the first user as soon as possible.

  1. Copy the virtual machine's public DNS name, and paste it into a web browser.
  2. At the prompt, upload your license file and set a management console password. For more information, see Managing your license for Enterprise.
  3. In the Management Console, configure and save your desired settings. For more information, see Configuring Enterprise.
  4. The instance will restart automatically.
  5. Click Visit your instance.

Further reading