Skip to content


This page describes the infrastructure and other prerequisites for deploying Tower on Amazon Web Services (AWS).

Tower container images#

Seqera Labs publishes the Tower Enterprise containers to a private Elastic Container Registry (ECR) on AWS.

  1. Provide Seqera Labs with your AWS Account ID

    Supply this value to the Seqera representative managing your onboarding and wait for confirmation that it has been added to the ECR repository policy as an approved Principal.

  2. Retrieve a local copy of the container

    Clients using the docker-compose deployment method must retrieve container copies for local use.

    1. Install the AWS CLI on the target machine.

    2. Configure the AWS CLI with an IAM User with at least the following privileges.


    3. Authenticate Docker against the Seqera ECR.

      # AWS CLI v2
      aws ecr get-login-password --region eu-west-1 | \
      docker login --username AWS --password-stdin
      # AWS CLI v1
      $(aws ecr get-login --registry-ids 195996028523 --region eu-west-1 --no-include-email)

    4. Pull the containers to your machine:

      export REPOSITORY_URL=""
      export TAG="v22.3.1"
      docker pull ${REPOSITORY_URL}/backend:${TAG}
      docker pull ${REPOSITORY_URL}/frontend:${TAG}

Mandatory prerequisites#

SMTP server#

If you do not have an email server, you can use Amazon Simple Email Service.


Amazon blocks EC2 traffic over port 25 by default. Please ensure your integration uses a port that can successfully reach your SMTP server.

MySQL database#

An external database (i.e. external to your Docker Compose or Kubernetes deployment) is highly recommended for production deployments. If you don't have your own database service, you can use Amazon Relational Database Service.

If you decide to use an external database, you must create a MySQL user and database manually. Refer to the Configuration section for more details.

EC2 instance (Docker Compose)#

An EC2 instance is required to deploy Tower via Docker Compose. Refer to the Detailed Instructions section for instructions on how to provision an EC2 instance for this purpose.

EKS cluster (Kubernetes)#

An Elastic Kubernetes Service (EKS) cluster is required to deploy Tower via Kubernetes. Refer to the EKS documentation for instructions on how to provision your own cluster. Please ensure your EKS cluster satisfies the following requirements:

Ingress and optional prerequisites

The ingress that we provide for EKS assumes that your cluster supports:

  1. ALB provisioning via the AWS Load Balancer Controller
  2. ALB integration with the Amazon Certificate Manager

Additionally, the ingress assumes the presence of SSL certificates, DNS resolution, and ALB logging.

If you have chosen not to use some or all of these features, you will need to modify the manifest accordingly before applying it to the cluster.

Optional prerequisites#

SSL certificate#

Required to allow your Tower instance to handle HTTPS traffic.

If you do not have a pre-existing SSL certificate, you can request or import an SSL certificate into the Amazon Certificate Manager (ACM).


Starting in Tower 22.1.1, HTTP-only implementations must set the following environment variable in their Tower hosting infrastructure in order for users to be able to successfully log in: TOWER_ENABLE_UNSAFE_MODE=true.


Required to support human-readable domain names and load-balanced traffic.

If you do not have access to a pre-existing DNS service, you can use Amazon Route53.

S3 bucket for Application Load Balancer (ALB) logs#

Required to write ALB logs to an S3 Bucket.

If you do not have a pre-configured S3 Bucket for ALB access log storage, you will need to specify and configure a target Bucket.

Detailed Instructions#

This section provides step-by-step instructions for some commonly used AWS services for Tower deployment. Please consult the AWS documentation for the most up-to-date instructions, and please contact AWS support if you have any issues with provisioning AWS resources.

Amazon SES#


If you're using Simple Email Service in sandbox mode, please make sure that both the sender and the receiver emails addresses are verified via AWS SES. Be aware, sandbox is not recommended for production usage, please refer the AWS docs for moving out of the sandbox.

  1. Navigate to Amazon Simple Email Service.

  2. In the navigation menu, click on SMTP Settings.

  3. Afterwards, select Create my SMTP Credentials

  4. Click on Create.

  5. Proceed to select Show User SMTP Credentials to be able to copy your credentials or click on the Download Credentials button.


    The credentials (username and password) will not be shown to you again after this instance.

  6. You will be automatically redirected to the IAM dashboard. Log back into the Amazon SES Console.

  7. Select Email Addresses in the navigation menu. Then, click on Verify a new Email Adress.

  8. A pop-up asking for your email should automatically appear. Once you type in your email address and click on Verify This Email Address, you should receive a verification message from Amazon SES asking you to confirm whether you are the owner of the email address.

  9. Make sure to click the verification link in the message.


    The verification link is only valid for 24 hours after your original request for verification.

You can now use Amazon SES to send email messages from this address.

Stop E-Mails from going to the Spam folder

To avoid issues such as emails you send from SES landing in the Spam folder, refer to this link.

For more options, such as setting up an Easy DKIM for a Domain or Authentication Email with SPF, please visit the referenced AWS documentation.

Amazon RDS#

  1. Open the Amazon RDS console.

  2. Select Create database, Standard create, MySQL.

  3. Under Edition, select MySQL Community and any version under 5.7.x or 8.0.x.

  4. Enter the DB cluster identifier such as nftower-db.

  5. Enter the Master username or leave the default name.

  6. Enter the Master password.

    • To use an automatically generated master password, select Auto generate a password.
    • To use a custom master password, unselect Auto generate a password and enter your password in Master password and Confirm password.
  7. Under Instance configuration, select the DB instance class and instance type.

  8. Under Connectivity, make sure to select the correct VPC security group, please confirm with your AWS administrator.

  9. Under Additional configuration, enter the Initial database name (e.g. tower).

  10. Select Create database.

After your database is created:

  1. Update the inbound rules for the underlying EC2 instance to allow MySQL connections.

  2. Update TOWER_DB_URL in your configuration value with the database hostname.

Amazon EC2#

If you have never set up an Amazon EC2 instance for Linux, refer to this guide for step-by-step instructions and tips on how to get started with Amazon EC2.

  1. Open the AWS Management console.

  2. Log in as an IAM user with your credentials.

  3. Under AWS services, click on All Services.

  4. Under Compute, select EC2.

  5. Click on Instances, followed by Launch instances.

  6. You will be asked to choose an Amazon Machine Image (AMI). In this case, scroll to the middle of the page and select Amazon Linux 2.

  7. Once you click the Select button, you will be redirected to Step 2: Choose an Instance Type.

  8. Scroll down and select either c5a.xlarge or c5.large so that you have 4 CPUs and 8GB RAM.

  9. Click on Next: Configure Instance Details.

  10. If required, configure the instance details settings. Afterwards, select Next: Add Storage.

  11. The root storage should be 20GB. Configure this under Size (GiB).

  12. Click Add Tags, if required to add case-sensitive key-value pairs. For example, you could define a tag with key = Name and value = Webserver.

  13. Then, proceed to select Next: Configure Security Group.

  14. Input nftower-sg as the Security Group's name.

  15. Optionally, you can enter a description for your Security Group's name.

  16. Configure the type of protocol settings.


    The security group port range needs to be configured to 8000.

  17. Select Review and Launch.

  18. As soon as you have reviewed your instance, click on Launch.

  19. A pop-up will appear asking you to select an existing key pair or to create one.

    If you already have an existing key pair, select "Choose an existing key pair and all available options should show up in a drop-down menu.

    If you do not have a key pair yet, select "Create a new keypair". Input the name and then, click on "Download Key Pair".


    Once you download the key pair, make sure to store it in a secure and accessible location. You will not be able to download the file again after it's created.

  20. Select Launch Instances.

  21. Use the key pair to SSH into the server using its public IP.


    The terminal-based SSH is easier to use than the browser-based SSH for copying and pasting text.

  22. Enter the following commands to set up docker and docker-compose.

    # Install and start the docker engine
    sudo yum install docker git -y
    sudo service docker start
    sudo usermod -a -G docker ec2-user
    sudo chkconfig docker on
    # Setup docker-compose
    sudo curl -L$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
    sudo chmod +x /usr/local/bin/docker-compose
    sudo mv /usr/local/bin/docker-compose /bin/docker-compose
  23. Configure the AWS CLI and Docker as described in the Tower container images section. The AWS CLI (v1) is pre-installed in Amazon Linux.

Back to top