Run Airy Core on AWS with one command.
The goal of this document is to provide an overview of how to run Airy Core on AWS cloud platform, using the AWS Elastic Kubernetes Service.
Once you have installed the AWS CLI, you now need to configure the application to be able to connect to your AWS account:
aws configure, the AWS CLI will prompt you for four pieces of
information. The first two are required. These are your AWS access key ID and
AWS secret access
which serve as your account credentials. You can generate new credentials within
AWS Identity and Access Management (IAM), if you do not already have them. The
other information you will need is region and output format, which you can leave
as default for the time being.
Apart from an EKS cluster,
airy create will create of all the necessary AWS
resources for Airy Core to run:
|Service & pricing||Resources created by default||Description||Overwrite 1|
|VPC||1 VPC, 2 subnets with allowed Public IPs, 1 additional route table, 1 Internet gateway, DNS enabled||VPC which will contain all the created compute and network resources||Yes|
|IAM 2||1 IAM role with attached policies 3||IAM role used for managing the EKS cluster and the node groups||No|
|EKS||1 EKS cluster||Kubernetes cluster to store all the Airy Core resources||No|
|EC2||2 EC2 instances, 4 EBS Volumes (10GB gp2 each)||The instances are a part of the ||Yes|
|S3||/||Optional for the "Media resolver" component. Should be created independently. 4||Yes|
|ELB||1 Elastic Load Balancer||Network Load Balancer created by the ingress controller Kubernetes service||No|
Airy Core doesn't require extensive resources to run. However, you should consider the
AWS Service Limits or
AWS Service Quotas when deploying on AWS. If some of the resources cannot be created due to existing quotas in your AWS account, refer to the following dashboard to modify them.
Refer to the following links for more information on AWS Service Limits:
To create the cluster you must setup your local AWS environment, by configuring your local AWS profile for the AWS account where all the resources will be created.
Download and install the Airy CLI.
Export your AWS_PROFILE and AWS_REGION as described in the AWS documentation.
If you want to use Airy Core with auto-generated HTTPS certificates, refer to the Let's Encrypt section for customizing your
airy.yaml file before proceeding.
Now you can run this command, which will create
Airy Core in your AWS account:
You can also use an existing VPC, without creating additional VPC resources:
By default the command creates an AWS NodeGroup with two
For customizing the instance type run:
This will execute the following actions:
- Create the
my-airydirectory and populate it with the configuration that the CLI will need. All subsequent commands need to either be run from this directory or use the
- Start an Airy Core cluster in your AWS account.
- Print URLs for accessing the UIs and APIs (see recording).
By default, the installation will create a single EC2 Kubernetes node, as part of a single node group. You can scale your EKS cluster by adding more nodes or node groups through the AWS web console or the AWS CLI.
If you want to customize your
Airy Core instance please see our Configuration
After the installation, you can also interact with the components of
with the kubectl command line
utility. You can find the kubeconfig of your Airy Core instance in
After the installation process, you can verify that all the pods are running with
AWS has a limit on the number of objects you can create depending on your account.
When encountering this, you can delete some of the resources just as described on here
Authentication and HTTPS are disabled by default in Airy Core.
As this is intended only for testing purposes,
it is mandatory that you to secure your Airy Core installation as explained in this section.
To enable authenticaiton to the API and in the UI, refer to our Authentication configuration section
This section guides you through the necessary steps to configure HTTPS on your
Airy Core instance.
You should use a valid HTTPS certificate to secure your
Airy Core instance. This certificate is created for and can only be used with a specific hostname. This hostname will be the FQDN on which
Airy Core will be reachable.
Usually these HTTPS certificates come as a bundle of:
- private key (private.key)
- public certificate (public.crt)
- public certificate authority bundle file (ca-bundle.crt)
Use the following command to upload your HTTPS certificate files to AWS ACM, so that they can be used by the AWS LoadBalancer.
After the certificate has been uploaded to AWS ACM, you will need the unique ARN of the certificate,for the next step.
If you don't have your own HTTPS certificate you can request one from AWS ACM.
airy.yaml file and add the following configuration:
Upgrade your Airy Core instance
You should create a CNAME DNS record for the specified public FQDN to point to the hostname of the LoadBalancer, created by AWS for the ingress service:
At this point, the frontend and the API services of
Airy Core should be accessible through HTTPS on the specific hostname:
You can customize your installation of
Airy Core to install an ingress controller which has an enabled
Let's Encrypt capability. The ingress controller will register and renew the certificates for you automatically.
To customize your Airy Core installation, you need to create an initial config file using the following command
Then edit your
airy.yaml file and add the following configuration
ingress.host value should be set to your desired hostname. Configure the e-mail address you want to use for your Let's Encrypt registration under
After setting these parameters, create your
Airy Core instance with the following option:
In case you have created your Airy Core instance without Let's Encrypt and want to add it later, modify your
airy.yaml file accordingly and continue with the process from the next section.
You should create a CNAME DNS record for the hostname that you set under
ingress.host in the previous step to point to the hostname of the LoadBalancer, created by AWS for the ingress service:
If the ingress controller is started before the DNS record is added, the initial Let's Encrypt requests will fail and then all the following registration attempts will be blocked and throttled. That is why the generation of the Let's Encrypt certificates is disabled by default. In order to complete the setup, you must run the upgrade command.
After this, your
Airy Core will be reachable under HTTPS and on your desired hostname (for example https://myairy.myhostname.com).
The public webhooks will be accessible on the public hostname, at a path specific for each source individually. Refer to the sources documentation for more information.
To get the public URL of your AWS Airy Core installation run:
Now that you have a running installation of
Airy Core on AWS you can connect it
to messaging sources. Check out our Quickstart guide to learn more:
To the Quick Start
Learn the Airy Basics with our Quick Start
Third party tools can be activated in the
airy.yaml configuration file, under the
For more details please see our Configuration Section.
You can remove the Airy Core AWS installation by deleting the Airy Core AWS resources with the AWS CLI.
Retrieve the ID of the installation, in this case
my-airy is the name of the installation that was passed on the creation process:
Make sure that the ID was printed back to you, before proceeding with the deletion of the resources.
Delete the EKS nodegroup:
Delete the EKS cluster:
Delete the created IAM Role:
If you used an existing VPC, then you already removed
Airy Core from your infrastructure and there is no need to run any additional commands.
If not, you can proceed with removing all the VPC resources, created exclusively for
Get the ID of the VPC:
Delete all the load-balancers:
Delete all used network interfaces (iIf the command fails, check if all the
loadbalancers are deleted and run the previous command one more time):
Delete the security groups created by the load-balancers:
Delete all the subnets in the VPC:
Delete the gateways and the routes in the VPC:
Delete the route tables (the command will always fail for the default route table, but you can still delete the VPC in the next step):
At the end, delete the VPC:
- The s3 bucket will should have PublicRead privileges. For writing to the S3 bucket, AWS credentials must be configured in the
- Attached policies: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy".↩
- IAM roles are free of charge.↩
- Options which can be overwritten with flags to the