Skip to content


This page describes the infrastructure and other prerequisites for deploying Tower on Amazon Web Services (AWS).

Tower container images#

Seqera Labs publishes Nextflow Tower Enterprise containers to a private Elastic Container Registry (ECR) on AWS.

  1. Provide Seqera Labs with your AWS Account ID

    Supply this value to the Seqera representative managing your onboarding and wait for confirmation that it has been added to the ECR repository policy as an approved Principal.

  2. Retrieve a local copy of the container

    Clients using the docker-compose deployment method must retrieve container copies for local use.

    1. Install the AWS CLI on the target machine.

    2. Configure the AWS CLI with an IAM User with at least the following privileges.


    3. Authenticate Docker against the Seqera ECR.

      # AWS CLI v2
      aws ecr get-login-password --region eu-west-1 | \
      docker login --username AWS --password-stdin
      # AWS CLI v1
      $(aws ecr get-login --registry-ids 195996028523 --region eu-west-1 --no-include-email)

    4. Pull the containers to your machine:

      export REPOSITORY_URL=""
      export TAG="v22.1.5"
      docker pull ${REPOSITORY_URL}/backend:${TAG}
      docker pull ${REPOSITORY_URL}/frontend:${TAG}

Mandatory prerequisites#

SMTP server#

Required to send email login links and workflow notifications.

If you do not have access to a pre-existing email server, you may wish to use Amazon Simple Email Service.


Amazon blocks EC2 traffic over port 25 by default. Please ensure your integration uses a port that can successfully reach your SMTP server.

MySQL database#

An external database is required by container-orchestration solutions like ECS and EKS, and highly recommended for all production deployments.

If you do not have access to a pre-existing database server, you may wish to use Amazon Relational Database Service.


You must run a custom SQL command to create a tower user and database once the database server is instantiated.

EC2 instance (Docker Compose)#

An EC2 instance is required for deploying Tower via Docker Compose. Refer to the Detailed Instructions section for instructions on how to provision an EC2 instance for this purpose.

EKS cluster (Kubernetes)#

An Elastic Kubernetes Service (EKS) cluster is required for deploying Tower via Kubernetes. Refer to the EKS documentation for instructions on how to provision your own cluster. Please ensure your EKS cluster satisfies the following requirements:

Ingress and optional prerequisites

The ingress that we provide for EKS assumes that your cluster supports:

  1. ALB provisioning via the AWS Load Balancer Controller
  2. ALB integration with the Amazon Certificate Manager

Additionally, the ingress assumes the presence of SSL certificates, DNS resolution, and ALB logging.

If you have chosen not to use some or all of these features, you will need to modify the manifest accordingly before applying it to the cluster.

Optional prerequisites#

SSL certificate#

Required to handle HTTPS to your Tower instance.

If you do not have a pre-existing SSL certificate, you may wish to request or import an SSL certificate into the Amazon Certificate Manager (ACM).


As of Tower Enterprise v22.1.x, HTTP-only implementations must set the following environment variable in their Tower hosting infrastructure in order for users to be able to successfully log in: TOWER_ENABLE_UNSAFE_MODE=true.


Required to support human-readable domain names and load-balanced traffic.

If you do not have access to a pre-existing DNS service, you may wish to use Amazon Route53.

S3 bucket for Application Load Balancer (ALB) logs#

Required to write ALB logs to an S3 Bucket.

If you do not have a pre-configured S3 Bucket for ALB access log storage, you will need to specify and configure a target Bucket.

Detailed Instructions#

Amazon SES#


If you're using Simple Email Service in sandbox mode, please make sure that both the sender and the receiver emails addresses are verified via AWS SES. Be aware, sandbox is not recommended for production usage, please refer the AWS docs for moving out of the sandbox.

Tower requires access to a mail server to send notifications. Should you lack access to an existing corporate email service, you may wish to use SES.

  1. Navigate to Amazon Simple Email Service.

  2. In the navigation menu, click on SMTP Settings.

  3. Afterwards, select Create my SMTP Credentials

  4. Click on Create.

  5. Proceed to select Show User SMTP Credentials to be able to copy your credentials or click on the Download Credentials button.


    The credentials (username and password) will not be shown to you again after this instance.

  6. You will be automatically redirected to the IAM dashboard. Log back into the Amazon SES Console.

  7. Select Email Addresses in the navigation menu. Then, click on Verify a new Email Adress.

  8. A pop-up asking for your email should automatically appear. Once you type in your email address and click on Verify This Email Address, you should receive a verification message from Amazon SES asking you to confirm whether you are the owner of the email address.

  9. Make sure to click the verification link in the message.


    The verification link is only valid for 24 hours after your original request for verification.

You can now use Amazon SES to send email messages from this address.

Stop E-Mails from going to the Spam folder

To avoid issues such as emails you send from SES landing in the Spam folder, refer to this link.

For more options, such as setting up an Easy DKIM for a Domain or Authentication Email with SPF, please visit the referenced AWS documentation.

Amazon RDS#

  1. Open the Amazon RDS console.

  2. Scroll down and click on Create database.

  3. Select the following options:

    • Standard Create
    • Amazon Aurora

  4. Make sure that under Edition, the Amazon Aurora with MySQL compatibility option is selected.

  5. Select the Capacity type as Serverless.

  6. Under Settings, add a DB cluster identifier such as nftower-db.

  7. Under Master Username, enter a name for the master user or leave the default name.

  8. To use an automatically generated master password for the database instance, choose the Auto generate a password check box.

    If you want to manually enter your master password, you have to clear the Auto generate a password check box, and then enter the same password in Master password and Confirm Password.

  9. In the Capacity settings section, select 4 GB RAM as the minimum and 16 GB RAM as the maximum capacity units.

  10. Under Connectivity make sure to have configured the right security-group, please confirm these with your AWS admin.

  11. Use the Additional Configurations to create the initial database for tower.

  12. After your database is created, please update the inbound rules for connection Aurora/MySQL with the EC2 private IP instance.

  13. Then, update the TOWER_DB_URL in your configuration and replace its value with the RDS endpoint.

Amazon EC2#

If you have never set up an Amazon EC2 instance for Linux, refer to this guide for step-by-step instructions and tips on how to get started with Amazon EC2.

  1. Open the AWS Management console.

  2. Log in as an IAM user with your credentials.

  3. Under AWS services, click on All Services.

  4. Under Compute, select EC2.

  5. Click on Instances, followed by Launch instances.

  6. You will be asked to choose an Amazon Machine Image (AMI). In this case, scroll to the middle of the page and select Amazon Linux 2.

  7. Once you click the Select button, you will be redirected to Step 2: Choose an Instance Type.

  8. Scroll down and select either c5a.xlarge or c5.large so that you have 4 CPUs and 8GB RAM.

  9. Click on Next: Configure Instance Details.

  10. If required, configure the instance details settings. Afterwards, select Next: Add Storage.

  11. The root storage should be 20GB. Configure this under Size (GiB).

  12. Click Add Tags, if required to add case-sensitive key-value pairs. For example, you could define a tag with key = Name and value = Webserver.

  13. Then, proceed to select Next: Configure Security Group.

  14. Input nftower-sg as the Security Group's name.

  15. Optionally, you can enter a description for your Security Group's name.

  16. Configure the type of protocol settings.


    The security group port range needs to be configured to 8000.

  17. Select Review and Launch.

  18. As soon as you have reviewed your instance, click on Launch.

  19. A pop-up will appear asking you to select an existing key pair or to create one.

    If you already have an existing key pair, select "Choose an existing key pair and all available options should show up in a drop-down menu.

    If you do not have a key pair yet, select "Create a new keypair". Input the name and then, click on "Download Key Pair".


    Once you download the key pair, make sure to store it in a secure and accessible location. You will not be able to download the file again after it's created.

  20. Select Launch Instances.

  21. Use the key pair to SSH into the server using its public IP.


    The terminal-based SSH is easier to use than the browser-based SSH for copying and pasting text.

  22. Enter the following commands to set up docker and docker-compose.

    # Switch to root user
    sudo su
    # Install and start the docker engine
    sudo yum install docker git -y
    sudo service docker start
    sudo usermod -a -G docker ec2-user
    sudo chkconfig docker on
    # Setup docker-compose
    sudo curl -L$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
    sudo chmod +x /usr/local/bin/docker-compose
    mv /usr/local/bin/docker-compose /bin/docker-compose
  23. Configure the AWS CLI and Docker as described in the Tower container images section. The AWS CLI (v1) is pre-installed in Amazon Linux.

Back to top