
Create Anypoint Private Cloud Resources on Amazon Web Services (AWS)

This topic describes how to create the resources required to install Anypoint Platform Private Cloud Edition on Amazon Web Services (AWS). Anypoint Private Cloud supports 3-node and 6-node configurations in a production environment on AWS.


To install Anypoint Platform Private Cloud Edition on AWS, you must have an AWS account with the following:

  • Your account must have AWS keys with EC2FullAccess and S3FullAccess permissions.

  • When creating your AWS environment, the following resources are created:

    AWS Resource Number required (3-node) Number required (6-node)

    • root disk @ 500 iops
    • EBS volumes @ 1500 iops
    • EBS volume @ 3000 iops
    • Amazon ELB


Run the AWS Provisioner

MuleSoft provides a Docker image that you can use to provision the resources for your AWS account. You can also run custom shell scripts on the provisioned instances (see below).

  1. Create an initial instance (t2.small) on your AWS account on any VPC with internet access.

    This instance is used to run the actual provisioning of the cluster. You must use an AMI that has Docker installed by default or you must manually install Docker after creating the AWS instance.

    You can also run the provisioner remotely from any other machine that has Docker and internet access.

  2. Download the Private Cloud Provisioner (PCP) Docker image from

  3. Copy the provisioner Docker image to the instance via SCP

    scp -i <guest>.pem ~/Downloads/pcp-1.0.tar.gz ec2-user@
  4. SSH into the instance

    ssh -i 'anypoint.pem' ec2-user@
  5. Create the var file (pce.env) with the environment details using the template below:

    Name Description

    • Specifies the AWS access ID Terraform uses to connect to your AWS account.

    • Specifies the AWS access key Terraform uses to connect to your AWS account.

    • Specifies the AWS SSH key. Do not include the .pem extension.

    • Specifies the AWS region where Terraform creates the cluster. For example: us-east-2. Must have the same value as AWS_DEFAULT_REGION.

    • Same as above. Must have the same value as AWS_REGION.

    • Specifies the SSH user. For example: ec2-user, centos, etc.

    • Must be aws.

    • Must be pce.

    • Specifies the name of the cluster and the corresponding AWS resources.

    • Specifies the number of nodes in your cluster. Possible values are 3 and 6.

    • Must be m5.2xlarge.

    • Must be set to node.

    • Must be set to true for production environments.

    • Disables outside internet access using iptables rules. Defaults to true.

    You can also include the following set of optional environment variables:

    Name Description

    • Specifies the name of the AMI to be used for the instances. Use the AMI name and NOT the AMI ID. If you do not set this variable, the provisioner uses the following AMI by default: RHEL-7.4_HVM_GA-20170808-x86_64-2-Hourly2-GP2

    • TF_VAR_monitoring=<true or false>: If true, the provisioner creates basic instance alarms in CloudWatch.

    • TF_VAR_use_bastion=<true or false>: If true, the provisioner creates a small instance (using an ASG) in a public subnet as a jumpbox, associates a public IP address with it, and launches the cluster instances in the private subnets.

    • TF_VAR_internal=<true or false>: If true, the cluster instances are launched in private subnets with no public IPs associated with them, and the provisioned load balancer is internal only.

    • Specifies an existing VPC. It must already have an internet gateway attached to it. Subnets are still provisioned within the existing VPC.

    • Specifies a preferred CIDR for the new VPC that is provisioned. Cannot be combined with AWS_VPC_ID.

    • Specifies a list of subnet IDs in which the instances are launched. If you reuse your own subnets, you must set up the route tables, NAT gateways and internet gateway yourself. For example: ["subnet-0a17317984065f98f", "subnet-0600b4befb27c7949", "subnet-02103e0c935eff75a"]

    • Optionally specifies the preferred CIDR blocks for the NEW subnets that are provisioned. You must pass exactly min(number of AZs in the region, number of nodes in your cluster) entries. For example: '["", "", ""]'

    • Optionally specifies the preferred CIDR blocks for the NEW subnets that are provisioned. You must pass exactly min(number of AZs in the region, number of nodes in your cluster) entries. For example: '["", "", ""]'

    • Specifies a value for a ROLE tag applied to all AWS resources.

  6. Load the provisioner Docker image into the local Docker registry:

    docker load -i pce2.0-aws-provisioner.gz
  7. Record the image ID after running the docker load command. This is required in the following step.

  8. Perform a dry-run

    docker run --rm --env-file pce.env IMAGE_ID dry-run
  9. Run the provisioner

    docker run --rm --env-file pce.env IMAGE_ID cluster-provision

    After the provisioner runs successfully, it displays information about your environment including IP addresses, DNS name of the load balancer, etc.

  10. Verify that the provisioning script ran successfully by checking the existence of /var/lib/bootstrap_complete on the instances
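Before the dry-run in step 8, a quick check of pce.env catches the mistakes this procedure is most sensitive to: a world-readable file holding AWS keys, AWS_REGION and AWS_DEFAULT_REGION that differ, and Terraform flags that are not literally true or false. The script below is an added example, not MuleSoft's provisioner code; it assumes the credential variables use the standard AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY names that Terraform reads (the page lists only their descriptions).

```shell
#!/bin/sh
# Added example (not part of the MuleSoft provisioner): sanity-check pce.env
# before `docker run --rm --env-file pce.env IMAGE_ID dry-run`.
# Assumption: the credential variables use the standard Terraform/AWS names
# AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (the page gives only descriptions).

# get_var FILE NAME: print the value of NAME in FILE (last definition wins).
get_var() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_pce_env FILE: return 0 if every check passes, 1 otherwise.
# Problems go to stderr; secret values are never printed.
check_pce_env() {
    f=$1; rc=0
    # The file holds long-lived AWS keys, so it must be owner-only readable.
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perms" in
        400|600) ;;
        *) echo "$f: mode $perms, expected 600 (file contains AWS keys)" >&2; rc=1 ;;
    esac
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION AWS_DEFAULT_REGION; do
        [ -n "$(get_var "$f" "$v")" ] || { echo "$v is not set" >&2; rc=1; }
    done
    # The page requires AWS_REGION and AWS_DEFAULT_REGION to carry the same value.
    [ "$(get_var "$f" AWS_REGION)" = "$(get_var "$f" AWS_DEFAULT_REGION)" ] \
        || { echo "AWS_REGION and AWS_DEFAULT_REGION differ" >&2; rc=1; }
    # The optional Terraform flags must be literally true or false when present.
    for v in TF_VAR_monitoring TF_VAR_use_bastion TF_VAR_internal; do
        val=$(get_var "$f" "$v")
        case "$val" in
            ''|true|false) ;;
            *) echo "$v=$val is neither true nor false" >&2; rc=1 ;;
        esac
    done
    # docker --env-file does no quote processing: a value written as "us-east-2"
    # reaches the container with the quotes included, so warn about quoted values.
    grep -q '^[A-Za-z_][A-Za-z0-9_]*=["'"'"']' "$f" \
        && echo "warning: quoted values found; docker --env-file keeps the quotes" >&2
    return $rc
}

# Usage: sh check_pce_env.sh pce.env && docker run --rm --env-file pce.env IMAGE_ID dry-run
if [ $# -gt 0 ]; then check_pce_env "$1"; fi
```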

Custom provisioning scripts (Optional)

Your own shell scripts can run on the provisioned instances before and/or after the PCE provisioner scripts. Place the scripts, with a .sh extension, in a folder named pre-user-data and/or post-user-data, then add the following volume mounts to the docker run command:

docker run --rm -v $(pwd)/pre-user-data:/usr/local/bin/provisioner/terraform/external/pre-user-data -v $(pwd)/post-user-data:/usr/local/bin/provisioner/terraform/external/post-user-data --env-file pce.env IMAGE_ID cluster-provision

Open Port 61009 Before Installation (Optional)

If you install Anypoint Private Cloud Edition using the GUI-based installer, you must enable this port before running the installer: open it to the world in the cluster's security group using the AWS Web Console. Close it again once installation has finished (see below).

Install Anypoint Platform Private Cloud Edition

After provisioning resources in your AWS environment and uploading the installer to one of the nodes, install Anypoint Platform Private Cloud Edition using one of the installers:

Disabling Port 61009 After Installation

After installation is finished you can close port 61009 in the cluster security group using the AWS Web console.

Troubleshooting

  • 403 Forbidden

Check that the policies attached to your keys do not deny access to any EC2 or S3 resource. You should be able to run the following basic command with the AWS CLI using your keys:

aws sts get-caller-identity
  • Limit exceeded

The AWS account might have limits on the number of resources you can create. Delete some unused resources or request a limit increase from AWS.

  • AMI not found

Make sure you are using the AMI name as the value for the environment variable and not the ID.
