AWS EC2 Deployment
How to deploy OpenOps on an AWS EC2 instance
This guide is for testing and evaluation purposes only and is not intended for production deployments. Please reach out to us at support@openops.com if you’d like to learn how to set up OpenOps in a production environment.
This guide explains how to install the OpenOps Docker Compose release on a newly created EC2 instance.
It assumes you have appropriate permissions on an existing AWS account.
Initial deployment
Create a new EC2 instance
- On the EC2 home page, click Launch Instance:
- Choose a name for your instance and configure the following settings:
- Application and OS Images (Amazon Machine Image)
- Choose Ubuntu as the instance image, as it simplifies Docker installation. Ubuntu Server 24.04 LTS was the latest available version when this guide was written.
- Keep 64-bit (x86) as the instance architecture.
- Instance Type. The t3.large instance type provides decent performance. You can choose a different type according to your needs, but it’s not recommended to select a size smaller than t3.medium.
- Key Pair. Creating a new SSH key pair is recommended but not mandatory.
- Network Settings. Allow SSH traffic from your own IP address:
- Configure Storage. Choose 50GB to ensure you have enough space for Docker images and databases.
- Application and OS Images (Amazon Machine Image)
- Launch the instance and navigate to it once it’s created by clicking on the instance ID.
- Configure the network settings and open the necessary ports. Under Security, click on the security group.
Click Edit inbound rules, then Add rule, and add two rules:
- In the first rule, for Type, choose HTTP, and under Source, select My IP.
- In the second rule, for Type, choose SSH. Click the text box next to Source, and select the prefix list that contains the words “ec2-instance-connect”. The full name should be similar to
com.amazonaws.us-east-1.ec2-instance-connect
, depending on your region. This allows you to connect to the instance via AWS CloudShell. The final rules should look like this:
- Click Save rules to finish the configuration.
Connect to the instance with CloudShell
- Navigate to your EC2 instance and click Connect to open an in-browser CloudShell session.
- Click Connect and wait for CloudShell to initialize.
Automatically install OpenOps
Run the following command to install, configure and run OpenOps:
Manually install OpenOps
Alternatively, you can follow the manual installation steps:
- Install the
unzip
utility: - In CloudShell, create a new directory and download the release files:
- Update the application URL to use the instance’s public IP address:
- Open the
.env
file in the OpenOps installation folder. Change the values of the following variables that represent credentials. Do it now, as you won’t be able to change these values after the initial deployment:OPS_OPENOPS_ADMIN_EMAIL
: the email of your OpenOps installation’s root admin account.OPS_OPENOPS_ADMIN_PASSWORD
: the password of your OpenOps installation’s root admin account.OPS_POSTGRES_USERNAME
: the username of the Postgres database that OpenOps uses.OPS_POSTGRES_PASSWORD
: the password of the Postgres database that OpenOps uses.OPS_ANALYTICS_ADMIN_PASSWORD
: the password of the OpenOps Analytics admin account (the username is hardcoded toadmin
).
- Install Docker using Snap:
- Pull the images and start the Docker containers:
If you encounter a rate limit, rerun the pull command. Note that pulling images may take several minutes.
You can now access the OpenOps application by navigating to the public IP address of your EC2 instance (e.g., http://20.20.20.20
). If you did not update credentials in the .env
file, the default username is admin@openops.com
and the password is please-change-this-password-1
.
External databases
To use external PostgreSQL or Redis databases, modify the relevant variables in the .env
file. You can disable the corresponding containers by adding a profile in the docker-compose.yml
file:
After making changes, restart the Docker Compose containers:
Configuring TLS (HTTPS) and a custom domain
For production usage, it’s recommended to enable TLS (HTTPS). In addition to the security aspect, this also ensures that workflow templates load properly in all browsers.
TLS requires configuring a custom domain (e.g., https://openops.your-company.com
) to serve your OpenOps installation instead of its public IP address.
To get a custom domain with TLS up and running, you need to set up an AWS Application Load Balancer (ALB) with a valid TLS certificate from AWS Certificate Manager (ACM), then create a new DNS record and update your OpenOps configuration.
Request an ACM certificate
- Open the ACM console.
- Request a public certificate for your domain (e.g.,
openops.your-company.com
). - Validate the domain using DNS. If you’re using Route 53, ACM can create the necessary records automatically.
- Wait until the certificate status changes to Issued.
Create an Application Load Balancer
- In the EC2 > Load Balancers section, click Create Load Balancer.
- Choose Application Load Balancer, and configure the following:
- Scheme: Internet-facing
- Listeners:
- Add a listener for HTTPS (443) using the ACM certificate.
- Optionally, add a listener on port 80 with a rule to redirect HTTP traffic to HTTPS.
- Under Security Groups, create a security group that allows inbound traffic on port 443.
- Create a target group:
- Target type: Instance
- Protocol: HTTP
- Port: 80
- Health check path:
/api/v1/health
- Register your EC2 instance as a target.
- Finish creating the ALB and wait for its status to become Active.
Create a DNS record
- In Route 53 (or your DNS provider), create a DNS record:
- Name:
openops.your-company.com
- Type:
A
(Alias) orCNAME
- Value: The DNS name of your ALB (for example,
openops-alb-123456789.us-east-1.elb.amazonaws.com
)
- Name:
- Save and wait for DNS changes to propagate.
Update OpenOps configuration
- SSH into your EC2 instance or use CloudShell.
- Update the
.env
file to reflect your new domain: - Restart the containers:
Troubleshooting
If you encounter a 503 error:
- Ensure you restarted Docker containers after updating
.env
. - Confirm that the ALB’s health check is configured with the correct path (
/api/v1/health
). - Make sure the EC2 instance’s security group allows traffic from the ALB.
- Look for more cues in the Nginx container logs:
For more troubleshooting guidance, see this AWS troubleshooting guide.
Updating OpenOps to a newer version
See Updating OpenOps.
Support
Feel free to join our Slack community if you have any questions or need help with the installation.