Overview

A range of options are available for deploying Connectors on AWS depending on your particular environment and needs. In all cases, deployed Connectors need to be configured with a pair of access and refresh tokens that are specific to that Connector. These tokens can be generated and retrieved as described in our deployment automation article.

EC2

If you are deploying on an EC2 instance, you can follow the general Linux Connector deployment instructions for full details. In summary:

  • Docker-based deployment is compatible with any Linux distribution that Docker supports (except for ARM-based architecture).
  • The Connector systemd service is currently supported on Ubuntu, Fedora, and CentOS. Additional platform support may be available on request.

AMI

We offer an AMI that has the Connector systemd service pre-installed on a base Ubuntu Linux x86 image. First create a new EC2 instance from the Twingate AMI, then configure and start the Connector service.

[Option 1] EC2 Management Console

Deploy the AMI

  1. When creating a new EC2 instance, select "Community AMIs" in the first step.
  2. Search for "Twingate", and select the latest version.
  3. Deploy your EC2 instance as normal. Hardware recommendations can be found under Deploying Connectors.

Configure and start the Connector

The Connector service is pre-installed on our AMI, so to complete installation you will need to:

  1. Edit (or create) the connector configuration file at /etc/twingate/connector.conf
  2. Start and enable the twingate-connector service.

For detailed instructions on using our systemd Connector service, see our Linux instructions.

[Option 2] AWS CLI

If you prefer to use the AWS CLI for deployment, substitute the following values into the AWS CLI commands below:

  • Your complete TWINGATE_URL, eg. https://autoco.twingate.com
  • Access and refresh tokens for the Connector, obtained from the Connector provisioning workflow in the Admin console.
  • The AWS subnet ID that the EC2 instance will be deployed in.

# User data script: writes the Connector configuration and enables the service on first boot.
USER_DATA=$(cat <<EOF
#!/bin/bash
[ ! -d "/etc/twingate" ] && sudo mkdir /etc/twingate
echo TWINGATE_URL="https://<YOUR TWINGATE SUBDOMAIN>.twingate.com" > /etc/twingate/connector.conf
echo TWINGATE_ACCESS_TOKEN="<YOUR ACCESS TOKEN>" >> /etc/twingate/connector.conf
echo TWINGATE_REFRESH_TOKEN="<YOUR REFRESH TOKEN>" >> /etc/twingate/connector.conf
sudo systemctl enable twingate-connector
sudo systemctl start twingate-connector
EOF
)

# Look up the newest Twingate AMI ID: images are sorted by creation date, so the last entry is the latest.
export TWINGATE_AMI=$(aws ec2 describe-images --owners 617935088040 --filters "Name=name,Values=twingate/images/hvm-ssd/twingate-amd64-*" --query 'sort_by(Images, &CreationDate)[].ImageId' | fgrep ami | cut -d '"' -f2 | tail -1)

# USER_DATA is quoted so the multi-line script is passed as one argument rather than word-split.
aws ec2 run-instances --image-id "$TWINGATE_AMI" --user-data "$USER_DATA" --count 1 --instance-type t3a.micro --subnet-id <YOUR SUBNET ID>

ECS Fargate

AWS Fargate provides a convenient way to run containers within an AWS VPC without launching EC2 instances. Using the AWS CLI, there are two steps to deploying a Connector on ECS Fargate:

  1. Register a new task definition for the Connector. Because authentication tokens are specific to each running Connector, we recommend creating separate task definitions for each Connector instance you plan to run.
  2. Launch the Connector service on ECS Fargate using the newly-created task definition.

Create the task definition

The JSON object below is a template task definition that you can use to launch Connectors on ECS Fargate. You will need to substitute your own values for the following:

  • Your complete TENANT_URL, eg. https://autoco.twingate.com
  • The ACCESS_TOKEN and REFRESH_TOKEN values for the Connector, obtained from the Connector provisioning workflow in the Admin console.
  • A unique name for the Connector where we have used twingate-connector-<NAME> below.
{
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "containerDefinitions": [
    { 
      "name": "twingate-connector",
      "image": "twingate/connector:1",
      "memory": 2048,
      "cpu": 1024,
      "environment" : [
        { "name" : "TENANT_URL", "value" : "https://<YOUR TWINGATE SUBDOMAIN>.twingate.com"},
        { "name" : "ACCESS_TOKEN", "value" : "eyJ0eXAiOiJEQVQiLCJh..."},
        { "name" : "REFRESH_TOKEN", "value" : "suoodqhy0niwjzpY_ki8..."}
      ]
    }
  ],
  "volumes": [],
  "networkMode": "awsvpc",
  "placementConstraints": [],
  "family": "twingate-connector-<NAME>",
  "memory": "2048",
  "cpu": "1024"
}

You can then register the above ECS task definition using the following AWS CLI command, converting the JSON object above into a single line enclosed in single quotes.

  • You will also need to add the region for the task definition, where we have <REGION> in the command below:

aws ecs register-task-definition --region <REGION> --cli-input-json '{"requiresCompatibilities":["FARGATE"],"containerDefinitions":[{"name":"twingate-connector","image":"twingate\/connector:latest"...'
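Flattening the template above into one line by hand is error-prone, and a forgotten <NAME> or a stray quote in a token yields a rejected or misnamed task definition. As an added example (not Twingate's own tooling), the POSIX shell function below renders the single-line JSON from four parameters and refuses to emit it while any value is empty, still a <PLACEHOLDER>, or would break the JSON string; the function name, the prod-1 name and the CONSTRUCTED_* token values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Twingate's own tooling: build the single-line JSON that
# `aws ecs register-task-definition --cli-input-json` expects from the template above.

# Return 1 if a value is empty, still looks like <PLACEHOLDER>, or contains a
# double quote or backslash that would corrupt the JSON string.
valid_value() {
  case "$1" in
    ''|*'<'*'>'*|*'"'*|*'\'*) return 1 ;;
  esac
}

# Usage: task_def_json NAME TENANT_URL ACCESS_TOKEN REFRESH_TOKEN
# NAME becomes the family suffix (twingate-connector-NAME); tokens are per-Connector.
task_def_json() {
  name=$1 tenant_url=$2 access_token=$3 refresh_token=$4
  i=0
  for v in "$name" "$tenant_url" "$access_token" "$refresh_token"; do
    i=$((i + 1))
    # Report the argument position only, never the value, so a token is not echoed to stderr.
    valid_value "$v" || { echo "refusing to render: argument $i is empty, unfilled or contains \" or \\" >&2; return 1; }
  done
  case "$tenant_url" in
    https://*.twingate.com) ;;
    *) echo "TENANT_URL must be of the form https://SUBDOMAIN.twingate.com" >&2; return 1 ;;
  esac
  printf '{"requiresCompatibilities":["FARGATE"],"containerDefinitions":[{"name":"twingate-connector","image":"twingate/connector:1","memory":2048,"cpu":1024,"environment":[{"name":"TENANT_URL","value":"%s"},{"name":"ACCESS_TOKEN","value":"%s"},{"name":"REFRESH_TOKEN","value":"%s"}]}],"volumes":[],"networkMode":"awsvpc","placementConstraints":[],"family":"twingate-connector-%s","memory":"2048","cpu":"1024"}\n' \
    "$tenant_url" "$access_token" "$refresh_token" "$name"
}

# Typical use (REGION and the token variables are assumed; real tokens come from the Admin console):
#   aws ecs register-task-definition --region REGION \
#     --cli-input-json "$(task_def_json prod-1 https://autoco.twingate.com "$ACCESS_TOKEN" "$REFRESH_TOKEN")"
```

Keeping the tokens in shell variables rather than typed literally on the command line also keeps them out of your shell history.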

Create a new ECS Fargate Connector service

With the task definition created, you can now launch the Connector as a Fargate service. You will need to substitute your own values for the following:

  • The name of the service within your cluster where we have used twingate-connector, below.
  • The name of the task definition you created above where we have used twingate-connector-<NAME> below.
  • The subnet ID within your VPC where you would like to launch the service.
  • The security group ID you would like to apply to the connector.
  • The name of the ECS cluster you are launching the service within.
  • The region that the ECS cluster and task definition exist within.

aws ecs create-service --service-name twingate-connector --desired-count 1 --launch-type "FARGATE" --task-definition twingate-connector-<NAME> --network-configuration "awsvpcConfiguration={subnets=[subnet-deadbeef],securityGroups=[sg-deadbeef]}" --cluster <YOUR ECS CLUSTER> --region <REGION>

Check your subnet configuration

The subnet you attach the service to requires outbound internet access, both to download the Connector container image and to connect to Twingate. No inbound connectivity is required.
