High Availability Setup (AWS) 2021-Dec


The multi-node AWS setup is a standard high-availability/scalability AWS setup that involves:

  • Getting a domain name using Route53

  • Getting a SSL certificate using Certification Manager

  • Create S3 to hold packages

  • Create Cloudfront to serve packages held in S3 to provider high availability/scalability

  • Create DB to hold user information, etc.

  • Create Elasticache to hold background jobs

  • Creating a VPC with public and private subnets

  • Create an EC2 server in VPC private subnets to run packagecloud on-premise

  • Create load balancers in VPC public subnet to serve the SSL certificate and provide high availability/scalability

  • Creating an image of the EC2 instance running packagecloud on-premise and use it for autoscaling more EC2 servers depending on load to provide high availability/scalability

Step 1: Registering a Route53 Domain / Getting SSL Certificate

Route53 has a unique integration with Elastic Load Balancer that makes routing requests to our cluster a lot simpler. We recommend a Route53 even if you already have a domain you plan to use.

Register a Route53 Domain

For this guide we'll be using the domain name my-pcloud.be

Request Certificate

Receive Certificate Validation Email

In order for the Amazon issued certificate to work, we need to click on the validation link that Amazon sends to the following addresses:






The easiest way to receive this email on a Route 53 domain is to temporarily setup AWS Workmail.

Setting up AWS Workmail

Proving Ownership of Domain

Configure your Route53 records to match the values desired by the AWS Workmail verification screen. Note that 'Hostname' field already contains your domain name, but the interface for Route53 already suffixes your domain for you. Ensure you only copy+paste up to your domain. For example:

Final result:

If all your Record sets were configured correctly, then you should see this:

Create the hostmaster user

Inside of AWS Workmail, add a user named hostmaster (this is the email that receives the validation email from the Certificate Manager)

Go to Organization Settings to get the login URL for your organization

Login as the hostmaster user with the password given above

After hitting Resend, you should an email from Amazon Certificates

Open the email and approve the Certificate.

Now we have a working Domain and Certificate! Feel free to delete the AWS Workmail account and organization.

Step 2: Create VPC and two subnets

We're going to create a VPC with two subnets, since we'll be using a minimum of two availability zones. We will be using us-west-1a and us-west-1c.

Create the first subnet, on the block and the second subnet on the block.

Final result should be two subnets in two different availability zones.

Step 3: Create Security Groups

Frontend security group:

RDS security group:

Redis security group:

ELB security group:

Step 4: Create Amazon Aurora RDS Database

Before creating the database, create a Parameter Group for the database family you are using. We are using Aurora in MySQL 5.7: https://packagecloud.atlassian.net/wiki/spaces/ENTERPRISE/pages/15269940

Step 5: Create Elasticache Instance

Create a subnet group:

Create Redis instance:

Step 6: Launching ec2 instance 

Create public instance

Create private instance

Step 7. Create NAT gateway

This is to enable servers in private network to reach the internet, but not vice-versa.

Create route table:


Edit route table of private subnet:

Step 8: Install packagecloud enterprise

Follow the guide for Single Node Setup paying special attention to the External Database, External Redis, and Session Secret options. This also involves setting up Cloudfront.

NOTE: To reach the EC2 in VPC private subnet, you will need to setup a jump/bastion host in the VPC public subnet.

Step 9: Create Target Group

Step 10: Configure Elastic Load Balancer

Step 11: Create Autoscaling Group

Create Image from Running EC2 Instance

Create Launch Configuration



  • If the site is not working, make sure the instances registered for that load balancer are healthy (this may take a few minutes). Amazon will only forward requests to healthy instances.