AWS

Overview

A range of options is available for deploying Connectors on AWS, depending on your environment and needs. In all cases, each deployed Connector must be configured with its own pair of access and refresh tokens. These tokens can be generated and retrieved as described in our deployment automation article.

EC2

If you are deploying on an EC2 instance, you can follow the general Linux Connector deployment instructions for full details.

In summary:

  • Docker-based deployment is compatible with any Linux distribution that Docker supports (except on ARM-based architectures).
  • The Connector systemd service is currently supported on Ubuntu, Fedora, and CentOS. Additional platform support may be available on request.

AMI

We offer an AMI that has the Connector systemd service pre-installed on a base Ubuntu Linux x86 image. First create a new EC2 instance from the Twingate AMI, then configure and start the Connector service.

[Option 1] EC2 Management Console

Deploy the AMI

  • When creating a new EC2 instance, select “Community AMIs” in the first step.
  • Search for “Twingate”, and select the latest version.
  • Deploy your EC2 instance as normal. Hardware recommendations can be found under Deploying Connectors.

Configure and start the Connector

The Connector service is pre-installed on our AMI, so to complete installation you will need to:

  • Edit (or create) the connector configuration file at /etc/twingate/connector.conf
  • Start and enable the twingate-connector service.

For detailed instructions on using our systemd Connector service, see our Linux instructions.

[Option 2] AWS CLI

If you prefer to use the AWS CLI for deployment, substitute the following values into the AWS CLI command below:

  • Your complete TWINGATE_URL, e.g. https://autoco.twingate.com
  • Access and refresh tokens for the Connector, obtained from the Connector provisioning workflow in the Admin console.
  • The AWS subnet ID that the EC2 instance will be deployed in.

USER_DATA=$(cat <<'EOF'
#!/bin/bash
[ ! -d "/etc/twingate" ] && sudo mkdir /etc/twingate
echo TWINGATE_URL="https://<YOUR TWINGATE SUBDOMAIN>.twingate.com" > /etc/twingate/connector.conf
echo TWINGATE_ACCESS_TOKEN="<YOUR ACCESS TOKEN>" >> /etc/twingate/connector.conf
echo TWINGATE_REFRESH_TOKEN="<YOUR REFRESH TOKEN>" >> /etc/twingate/connector.conf
sudo systemctl enable twingate-connector
sudo systemctl start twingate-connector
EOF
)

export TWINGATE_AMI=$(aws ec2 describe-images --owners 617935088040 --filters "Name=name,Values=twingate/images/hvm-ssd/twingate-amd64-*" --query 'sort_by(Images, &CreationDate)[].ImageId' | fgrep ami | cut -d '"' -f2 | tail -1)

# USER_DATA must be double-quoted so the script's newlines reach the instance intact.
aws ec2 run-instances --image-id "$TWINGATE_AMI" --user-data "$USER_DATA" --count 1 --instance-type t3a.micro --subnet-id <YOUR SUBNET ID>
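As an added example (this is not code from the Twingate docs), the same EC2 deployment written as a small script: it builds the user-data from parameters, refuses to proceed while any "<YOUR ...>" placeholder is still unfilled, passes the value to the AWS CLI quoted so its newlines survive, and looks up the newest AMI with --output text instead of grepping JSON. It assumes the twingate-connector unit reads /etc/twingate/connector.conf as root, which is why the file is made root-only; the DEPLOY variable and the environment-variable names used for the inputs are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the Twingate docs: build the EC2 user-data for the
# Twingate AMI so that it survives the AWS CLI intact (the value is quoted, so
# newlines are preserved) and refuse to run while any "<YOUR ...>" placeholder
# is unfilled. Assumption: the twingate-connector unit reads
# /etc/twingate/connector.conf as root, so the file can be made root-only.
set -eu

# Fail if a value is empty or still looks like an unfilled "<YOUR ...>" placeholder.
require_filled() {
  case "$2" in
    ""|*"<"*">"*) echo "$1 is empty or still a placeholder" >&2; return 1 ;;
  esac
}

# build_user_data URL ACCESS_TOKEN REFRESH_TOKEN
# Prints the script that cloud-init runs as root on first boot.
build_user_data() {
  url=$1 access=$2 refresh=$3
  require_filled TWINGATE_URL "$url" || return 1
  require_filled TWINGATE_ACCESS_TOKEN "$access" || return 1
  require_filled TWINGATE_REFRESH_TOKEN "$refresh" || return 1
  cat <<EOF
#!/bin/bash
set -eu
mkdir -p /etc/twingate
printf '%s\n' 'TWINGATE_URL="$url"' 'TWINGATE_ACCESS_TOKEN="$access"' 'TWINGATE_REFRESH_TOKEN="$refresh"' > /etc/twingate/connector.conf
# The tokens are long-lived credentials: keep the file readable by root only.
chmod 600 /etc/twingate/connector.conf
systemctl enable --now twingate-connector
EOF
}

# Newest Twingate AMI id (same owner and name filter as the docs), as plain text.
latest_twingate_ami() {
  aws ec2 describe-images --owners 617935088040 \
    --filters "Name=name,Values=twingate/images/hvm-ssd/twingate-amd64-*" \
    --query 'sort_by(Images, &CreationDate)[-1].ImageId' --output text
}

# Real deployment only when DEPLOY=1; otherwise the file can be sourced safely.
# TWINGATE_URL, TWINGATE_ACCESS_TOKEN, TWINGATE_REFRESH_TOKEN and SUBNET_ID are
# read from the environment rather than hard-coded in the script.
if [ "${DEPLOY:-0}" = 1 ]; then
  aws ec2 run-instances \
    --image-id "$(latest_twingate_ami)" \
    --user-data "$(build_user_data "$TWINGATE_URL" "$TWINGATE_ACCESS_TOKEN" "$TWINGATE_REFRESH_TOKEN")" \
    --count 1 --instance-type t3a.micro --subnet-id "$SUBNET_ID"
fi
```

Run it as `DEPLOY=1 TWINGATE_URL=https://autoco.twingate.com TWINGATE_ACCESS_TOKEN=... TWINGATE_REFRESH_TOKEN=... SUBNET_ID=subnet-... sh deploy.sh`; without DEPLOY=1 it only defines the functions, which is convenient for checking the generated user-data with `build_user_data ... | less` before launching anything.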

Remote shell for AMI image

Twingate AMIs come pre-installed with the Amazon AWS SSM Agent, allowing you to remotely manage and access the Connector host instance. For more information on how to set up AWS Systems Manager, including assigning IAM roles, please refer to the Systems Manager user guide.

ECS Fargate

AWS Fargate provides a convenient way to run containers within an AWS VPC without launching EC2 instances. Using the AWS CLI, there are two steps to deploying a Connector on ECS Fargate:

  • Register a new task definition for the Connector. Because authentication tokens are specific to each running Connector, we recommend creating separate task definitions for each Connector instance you plan to run.
  • Launch the Connector service on ECS Fargate using the newly-created task definition.

Create the task definition

The JSON object below is a template task definition that you can use to launch Connectors on ECS Fargate. You will need to substitute your own values for the following:

  • Your complete TWINGATE_NETWORK, e.g. autoco if your account is on https://autoco.twingate.com.
  • The TWINGATE_ACCESS_TOKEN and TWINGATE_REFRESH_TOKEN values for the Connector, obtained from the Connector provisioning workflow in the Admin console.
  • A unique name for the Connector where we have used twingate-connector-<NAME> below.

{
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [
    {
      "name": "twingate-connector",
      "image": "twingate/connector:1",
      "memory": 2048,
      "cpu": 1024,
      "environment": [
        { "name": "TWINGATE_NETWORK", "value": "<YOUR TWINGATE SUBDOMAIN>" },
        { "name": "TWINGATE_ACCESS_TOKEN", "value": "<YOUR ACCESS TOKEN>" },
        { "name": "TWINGATE_REFRESH_TOKEN", "value": "<YOUR REFRESH TOKEN>" }
      ]
    }
  ],
  "volumes": [],
  "networkMode": "awsvpc",
  "placementConstraints": [],
  "family": "twingate-connector-<NAME>",
  "memory": "2048",
  "cpu": "1024"
}

You can then register the above ECS task definition using the following AWS CLI command, converting the JSON object above into a single line enclosed in single quotes.

  • You will also need to add the region for the task definition, where we have <REGION> in the command below:

aws ecs register-task-definition --region <REGION> --cli-input-json '{"requiresCompatibilities":["FARGATE"],"containerDefinitions":[{"name":"twingate-connector","image":"twingate/connector:1"...'

Create a new ECS Fargate Connector service

With the task definition created, you can now launch the Connector as a Fargate service. You will need to substitute your own values for the following:

  • The name of the service within your cluster where we have used twingate-connector, below.
  • The name of the task definition you created above where we have used twingate-connector-<NAME> below.
  • The subnet ID within your VPC where you would like to launch the service.
  • The security group ID you would like to apply to the connector.
  • The name of the ECS cluster you are launching the service within.
  • The region that the ECS cluster and task definition exist within.

aws ecs create-service --service-name twingate-connector --desired-count 1 --launch-type "FARGATE" --task-definition twingate-connector-<NAME> --network-configuration "awsvpcConfiguration={subnets=[subnet-deadbeef],securityGroups=[sg-deadbeef]}" --cluster <YOUR ECS CLUSTER> --region <REGION>
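As an added example covering both Fargate steps above (the task definition and the service; this is not code from the Twingate docs), a script that renders the same task definition but supplies the two tokens through ECS container secrets ("secrets"/"valueFrom") from AWS Secrets Manager rather than plaintext "environment" values. Plaintext environment values are returned to anyone allowed ecs:DescribeTaskDefinition; with secrets, ECS resolves the values at task start and the container still sees them as TWINGATE_ACCESS_TOKEN and TWINGATE_REFRESH_TOKEN, so the Connector image needs no change. The example assumes plain-string secrets in Secrets Manager, a task execution role (executionRoleArn, which the page's template does not include) allowed secretsmanager:GetSecretValue on them, and the DEPLOY variable and environment-variable names as its own convention; every ARN in it is constructed.

```shell
#!/bin/sh
# Added example, not from the Twingate docs: render the ECS Fargate task
# definition with the Connector tokens supplied from AWS Secrets Manager
# ("secrets"/"valueFrom") instead of plaintext "environment" values, which are
# readable by anyone allowed ecs:DescribeTaskDefinition. ECS still exposes them
# to the container as TWINGATE_ACCESS_TOKEN / TWINGATE_REFRESH_TOKEN.
# Assumed: plain-string secrets, and a task execution role permitted
# secretsmanager:GetSecretValue on them. All ARNs are constructed placeholders.
set -eu

# Fail if a value is empty or still looks like an unfilled "<YOUR ...>" placeholder.
require_filled() {
  case "$2" in
    ""|*"<"*">"*) echo "$1 is empty or still a placeholder" >&2; return 1 ;;
  esac
}

# render_task_definition NAME NETWORK ACCESS_SECRET_ARN REFRESH_SECRET_ARN EXECUTION_ROLE_ARN
# Prints the task definition JSON for --cli-input-json (multi-line JSON is accepted).
render_task_definition() {
  name=$1 network=$2 access_arn=$3 refresh_arn=$4 exec_role=$5
  require_filled NAME "$name" || return 1
  require_filled TWINGATE_NETWORK "$network" || return 1
  require_filled ACCESS_SECRET_ARN "$access_arn" || return 1
  require_filled REFRESH_SECRET_ARN "$refresh_arn" || return 1
  require_filled EXECUTION_ROLE_ARN "$exec_role" || return 1
  cat <<EOF
{
  "family": "twingate-connector-$name",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "1024",
  "memory": "2048",
  "executionRoleArn": "$exec_role",
  "containerDefinitions": [
    {
      "name": "twingate-connector",
      "image": "twingate/connector:1",
      "cpu": 1024,
      "memory": 2048,
      "environment": [
        { "name": "TWINGATE_NETWORK", "value": "$network" }
      ],
      "secrets": [
        { "name": "TWINGATE_ACCESS_TOKEN", "valueFrom": "$access_arn" },
        { "name": "TWINGATE_REFRESH_TOKEN", "valueFrom": "$refresh_arn" }
      ]
    }
  ]
}
EOF
}

# Real deployment only when DEPLOY=1; all inputs are read from the environment.
if [ "${DEPLOY:-0}" = 1 ]; then
  render_task_definition "$NAME" "$TWINGATE_NETWORK" "$ACCESS_SECRET_ARN" \
    "$REFRESH_SECRET_ARN" "$EXECUTION_ROLE_ARN" > "taskdef-$NAME.json"
  aws ecs register-task-definition --region "$REGION" --cli-input-json "file://taskdef-$NAME.json"
  # The task needs outbound reachability to pull the image and reach Twingate;
  # assignPublicIp=ENABLED is only required when the subnet has no NAT gateway.
  aws ecs create-service --region "$REGION" --cluster "$CLUSTER" \
    --service-name "twingate-connector-$NAME" --desired-count 1 --launch-type FARGATE \
    --task-definition "twingate-connector-$NAME" \
    --network-configuration "awsvpcConfiguration={subnets=[$SUBNET_ID],securityGroups=[$SECURITY_GROUP_ID],assignPublicIp=ENABLED}"
fi
```

Because the tokens are per-Connector, create one pair of secrets per Connector and one task definition family per Connector, exactly as the page recommends for the plaintext form; rotating a token then means updating the secret and forcing a new deployment of the service, not editing the task definition.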
