Skip to content

Amazon Web Services

This document shows how to set up new environment on Amazon Web Services (AWS).

Step 1: Prepare an AWS Account

If you do not have an AWS account, create one.

To configure your AWS account:

Obtain AWS Credentials

Your AWS credentials consist of an Access Key ID and a Secret Access Key. Follow Creating IAM Users to create a new IAM user.

Create a Virtual Private Cloud (VPC)

  1. In the upper-right corner of the AWS Console, select a Region.


  2. On the AWS Console, select VPC to get to the VPC Dashboard.


  3. Click Start VPC Wizard.


  4. Select VPC with a Single Public Subnet and click Select.

  5. Complete the VPC form with the following information:

    • IP CIDR block:
    • VPC name: bosh
    • Public subnet:
    • Availability Zone: us-east-1a
    • Subnet name: public
    • Enable DNS hostnames: Yes
    • Hardware tenancy: Default


  6. Click Create VPC and click OK once VPC is successfully created.

  7. Click Subnets and locate the "public" subnet in the VPC. Replace SUBNET-ID and AVAILABILITY-ZONE in your deployment manifest with the "public" subnet Subnet ID, Availability Zone and Region (AZ without the trailing character).


Create an Elastic IP

  1. On the VPC Dashboard, click Elastic IPs and click Allocate New Address.


  2. In the Allocate Address dialog box, click Yes, Allocate.

  3. Replace ELASTIC-IP in your deployment manifest with the allocated Elastic IP Address.


Create a Key Pair

  1. In the AWS Console, select EC2 to get to the EC2 Dashboard.

  2. Click Key Pairs and click Create Key Pair.


  3. In the Create Key Pair dialog box, enter "bosh" as the Key Pair name and click Create.


  4. Save private key to ~/Downloads/bosh.pem.

Create and Configure Security Group

  1. On the EC2 Dashboard, click Security Groups and then click Create Security Group.


  2. Complete the Create Security Group form with the following information:

  3. Click Create


  4. Select the created security group with group name "bosh", click the Inbound tab and click Edit.


  5. Fill out the Edit inbound rules form and click Save.


    It highly discouraged to run any production environment with source or to make any BOSH management ports publicly accessible.

    Type Port Range Source Purpose
    Custom TCP Rule22(My IP)SSH access from CLI
    Custom TCP Rule6868(My IP)BOSH Agent access from CLI
    Custom TCP Rule25555(My IP)BOSH Director access from CLI
    All TCP0 - 65535ID of this security groupManagement and data access
    All UDP0 - 65535ID of this security groupManagement and data access


    To enter your security group as a Source, select Custom IP, and enter "bosh". Note: The AWS Console should autocomplete the security group ID (e.g. "sg-12ab34cd").


Step 2: Deploy

  1. Install CLI v2.

  2. Use bosh create-env command to deploy the Director.

    # Create directory to keep state
    mkdir bosh-1 && cd bosh-1
    # Clone Director templates
    git clone
    # Fill below variables (replace example values) and deploy the Director
    bosh create-env bosh-deployment/bosh.yml \
        --state=state.json \
        --vars-store=creds.yml \
        -o bosh-deployment/aws/cpi.yml \
        -v director_name=bosh-1 \
        -v internal_cidr= \
        -v internal_gw= \
        -v internal_ip= \
        -v access_key_id=AKI... \
        -v secret_access_key=wfh28... \
        -v region=us-east-1 \
        -v az=us-east-1a \
        -v default_key_name=bosh \
        -v default_security_groups=[bosh] \
        --var-file private_key=~/Downloads/bosh.pem \
        -v subnet_id=subnet-ait8g34t

    If running above commands outside of an AWS VPC, refer to Exposing environment on a public IP for additional CLI flags.

    See AWS CPI errors for list of common errors and resolutions.

  3. Connect to the Director.

    # Configure local alias
    bosh alias-env bosh-1 -e --ca-cert <(bosh int ./creds.yml --path /director_ssl/ca)
    # Log in to the Director
    export BOSH_CLIENT=admin
    export BOSH_CLIENT_SECRET=`bosh int ./creds.yml --path /admin_password`
    # Query the Director for more info
    bosh -e bosh-1 env
  4. Save the deployment state files left in your deployment directory bosh-1 so you can later update/delete your Director. See Deployment state for details.