AWS
Last updated
Was this helpful?
Last updated
Was this helpful?
The following deployment diagram shows an example architecture and the necessary resources for the XMPro platform in AWS.
The solution is deployed as an auto-scaling Elastic Beanstalk Application with 3 environments:
SM – Subscription Manager
AD – Application Designer
DS – Data Stream Designer & API
These environments use Redis for a centralized Cache and RDS for database storage.
All data transfers are done via HTTPS and the SSL certificates are managed in AWS Certificate Manager.
There are two accounts set up: one for production and one for non-production. Both of these environments follow the above architecture and deployment.
In order to proceed with the deployment, you are required to complete the steps in the 1. Preparation guide:
Resources
We are going to be deploying the following resources, please ensure you have the desired domain names ready.
SQL RDS
Parameter Store
Elastic Beanstalk Application
Elastic Beanstalk Environment – Subscription Manager
Elastic Beanstalk Environment – App Designer
Elastic Beanstalk Environment – Data Stream Designer & API
An example of preferred domain names is as follows; each set is for a specific account as per the architecture diagram.
For production:
https://sm-xmpro․domain․com
https://ad-xmpro․domain․com
https://ds-xmpro․domain․com
For non-production:
https://sm-nonprod-xmpro․domain․com
https://ad-nonprod-xmpro․domain․com
https://ds-nonprod-xmpro․domain․com
In the AWS Management Console, search for ElastiCache and navigate to it
Click Create (or Get Started Now if visible).
Select Redis, and click Create
Configure Redis Cache:
Provide a name for the cache.
Select the node type based on workload requirements.
Configure replication and parameter groups if needed.
Leave other Redis options as defaults unless specific tuning is required.
Network Configuration:
Provide Subnet details.
Select the VPC where Redis will be deployed.
Ensure security group settings allow necessary access.
Finalize Creation:
Click Create to deploy the Redis cache
Security Group Configuration:
Navigate to EC2 in AWS Services.
Under Network & Security, select Security Groups.
Edit the relevant security group and add inbound rule for Redis Port 6379.
Retrieve Redis Endpoint
Once the cache is created, locate the Redis endpoint.
This will be used later in the Redis Connection String.
Log into Your Domain Registrar
Access the DNS management section for your domain.
Create a CNAME Record (For Subdomains)
If you're pointing a subdomain (e.g., app.example.com), create a CNAME record.
Set the CNAME value to your ALB’s DNS name (e.g., dualstack.albname.region.elb.amazonaws.com).
Create an A Record (For Root Domains, If Supported)
Some registrars allow A records to point to AWS ALBs, but many do not.
If supported, create an A record and set it to the IP address of your ALB (not always recommended due to dynamic IP changes).
Update Nameservers (If Needed)
If your registrar requires external DNS management, you may need to update nameservers to AWS or another provider.
Wait for DNS Propagation
Changes may take a few minutes to 24 hours to fully propagate.
CNAME records work best for ALBs since AWS load balancers don’t have static IPs.
If your registrar doesn’t support CNAME at the root domain, you may need a third-party DNS provider like Cloudflare or Route 53.
In the AWS Management Console navigate to Aurora and RDS.
In the navigation pane, click Databases and then click Create database.
Select Standard create, SQL Server, and the desired Template for the database instance.
Provide the DB instance Identifier, Username, and Password for the RDS database instance
Click create.
Once created, under Connectivity & Security, take note of the DB Identifier created.
6. The security group will need to be modified to allow inbound traffic this is done as follows:
6.1. Click the VPC security groups.
6.2. Select the Default security group, click Inbound then click Edit.
6.3. Add a new rule called MS SQL, with Protocol as TCP and Port Range as 1433; and click Save.
In the AWS Management Console navigate to IAM.
Create a New IAM Policy:
Click Policies, then select Create Policy.
Select Import managed policy.
Import a Managed Policy for SSM Access:
Search for AmazonSSMManagedInstanceCore and select it.
Click Import.
Add Additional Permissions for Parameter Store Access:
Click Add additional permission.
Choose Systems Manager as the service.
Under Actions, select the following Read permissions:
ssm:GetParameter
ssm:GetParameters
ssm:GetParametersByPath
If write access is needed, also select ssm:PutParameter.
Click Review Policy.
Specify Resources to Limit Access Scope:
Expand Resources.
Instead of selecting All Resources, specify exact ARNs for the parameters needing access to ensure least privilege.
Finalize the Policy Creation:
Enter a Name and Description for the policy.
Click Create Policy.
Attach the Policy to the Appropriate Role:
Search for the newly created policy.
Select it and click Policy Actions.
Choose Attach from the dropdown menu.
Attach the policy to aws-elasticbeanstalk-service-role or another appropriate IAM role.
Click Attach Policy.
By following these refined steps, you ensure that access to AWS Systems Manager Parameter Store is both controlled and optimized while maintaining security best practices.
The first step in using AWS Elastic Beanstalk is to create an application, which represents your web application in AWS. In Elastic Beanstalk an application serves as a container for the environments that run your web app and for versions of your web app's source code, saved configurations, logs, and other artifacts that you create while using Elastic Beanstalk.
Open the Elastic Beanstalk console, and then, in the regions drop-down list, select your region.
In the navigation pane, choose Applications, and then click Create Application.
Use the on-screen form to provide an application name and click Create.
Select the Application, click on Actions then click Create environment.
Configure environment:
Select Web server environment as the Environment tier.
Provide the Environment name for Subscription Manager.
Select .NET on Windows Server and select the supported version.
Select Sample Application and under Presets, select Custom configuration.
Click Next.
Configure service access:
Configure and click Next.
Setup networking, database, and tags - optional:
Configure and click Next.
Configure Instance traffic and scaling:
For the Listener Section, add a new listener with the following configure:
Port: 443
Protocol: HTTPS
SSL certificate: Select the SSL certificate you added in the Certificate Manager earlier.
For the Processes Section, select the default Process and under Actions click Edit and update to:
Port: 443
Protocol: HTTPS
Health check\Path: /favicon.ico
Sessions\Stickiness policy enabled: True
Click Next
Configure updates, monitoring, and logging – optional:
Configure and click Next.
Review:
Review the previous configuration and click Submit.
While the environment is created, take note of the load balancer created in the logs.
e.g Created Load Balancer listener named: arn:aws:elasticloadbalancing:us-west-1:142725982179:listener/app/awseb-- AWSEB- itYC8AXwyswd/a0e5dc6a6ad0a418/fcd8ccc52761bd5d.
In the AWS Management Console navigate to Route 53.
In the navigation pane, click Hosted Zones and find the one created for SM.
Create a new record with the following configuration.
Record name: keep blank
Record type: A – Routes traffic to an IPv4 address and some AWS resources
Alias: True
Route trafic to:
Endpoint: Alias to Application and Classic Load Balancer
Region: The region of where the Environment was deployed
Now supply the load balance created when Environment was deployed earlier.
In the AWS Management Console, navigate to S3
Click Create Bucket.
Enter a unique bucket name and select your AWS region.
Scroll down to the Block Public Access settings section.
Uncheck "Block all public access" (AWS strongly recommends keeping this enabled for security reasons).
Click Create bucket.
Open your newly created bucket. 2. Go to the Permissions tab. 3. Under Bucket policy, click Edit and enter this policy:
replace your-bucket-name with your actual bucket name.
Click Save changes.
Navigate to the Objects tab inside your bucket.
Upload a file and select it.
Click Permissions and set Public access.
Confirm changes.
Security Considerations
AWS strongly discourages making entire buckets publicly accessible due to security risks.
Run the installation wizard for Subscription Manager.
Run the Subscription Manager installer as Administrator.
Follow the instruction in the installation wizard: click Next.
Select the Install option (1) and click Next (2).
Tick Database (1), Web Application (2), select AWS Package (3), and click Next (4).
Enter the secret store prefix (1), the S3 Bucket name from earlier (2), and click Next (3).
Provide the Database connection details noted in the database creation steps:
Provide the SQL endpoint (1)
Change the SQL user to SQL Authentication and provide credentials (2)
Optional: provide a new DB name or use the one provided (3)
Select the installation path (1), the DNS name for the site (2), and click Next (3).
Enter the Signing Certificate details:
Browse to the certificate created earlier
Enter the certificate password
Select the subject name
Select Local Machine
Click Next
Enter the Encryption Certificate details
Browse to the certificate created earlier
Enter the certificate password
Select the subject name
Select Local Machine
Click Next
Click Next once the installation has completed.
Make a note of the Username and password, and click Finish.
In the AWS Management Console navigate to AWS Systems Manager
In the navigation pane, click Parameter Store, under Application Tools
Click Create parameter
Provide the name found in the App Secrets.xml file in the SM AWS Package previously created
Set the Type as a SecureString
For the value, provide the one found in App Secrets.xml
Click Create Parameter
Repeat for all values in the file
Browse to the folder where SM was installed.
Find the S3 Deployment Folder inside SM.
Duplicate the Certificate Files
Make a copy of the sign.pfx
file and rename it to ssl.pfx
.
Make a copy of the sign.password.txt
file and rename it to ssl.password.txt
.
Upload both ssl.pfx
and ssl.password.txt
to the S3 bucket you created earlier.
Navigate back to Elastic Beanstalk and open the Environment page
Click and navigate to the SM Environment you created earlier
Click Upload and deploy
Use the on-screen form to upload the zip file found in the SM AWS Package.
Update the Version label if needed and click Deploy
Navigate to the URL and log in using the following credentials:
admin@xmpro․onxmpro․com
Pass@word1
6. Reset the administrator password and store it securely in a password vault.
7. Click SM.
8. Click Products in the menu and click the Installation Profile button
Enter a File Key and press OK to download the file
In the AWS Management Console, navigate to Elastic Beanstalk.
In the navigation pane, choose Applications
Select the previously created application, expand Actions and choose Create environment.
Follow the same instructions on environment creation as done for the Subscription Manager.
Including the Hosting Zone Configuration section after the Load Balancer is created
Run the installation wizard for Data Stream Designer.
Run the Data Stream Designer installer as Administrator.
Follow the instruction in the installation wizard: click Next.
Select Install (1) and click Next (2).
Select the items as shown below and click Next.
Provide a Prefix and the S3 Bucket name
Provide the Database Details noted in the database creation steps:
Provide the SQL endpoint
Change the SQL user to SQL Authentication and provide credentials
Optional: provide a new DB name or use the one provided
Select the installation path (1), the DNS name for the site (2), and click Next (3).
Browse to the downloaded installation profile and select it
Login using the credentials for SM
Click Next
Once the installation completes, click Next
Click Finish
In the AWS Management Console, navigate to Elastic Beanstalk.
In the navigation pane, choose Applications
Select the previously created application, expand Actions and choose Create environment.
Follow the same instructions on environment creation as done for the Subscription Manager.
Including the Hosting Zone Configuration section after the Load Balancer is created
Run the installation wizard for App Designer.
Run the App Designer installer as Administrator.
Follow the instruction in the installation wizard: click Next.
Select Install and click Next.
Select the items as below and click Next.
Provide a Prefix and the S3 Bucket name
Provide the Database connection details noted in the database creation steps:
Provide the SQL endpoint
Change the SQL user to SQL Authentication and provide credentials
Optional: provide a new DB name or use the one provided
Select the installation path (1), the DNS name for the site (2), and click Next (3).
Provide the URL for the Data Stream Designer installed earlier, and click Next.
Browse to the downloaded installation profile and select it. Click Next.
Login with SM credentials to authenticate.
Click Next.
Click Next after the installation is complete.
Click Finish.
See troubleshooting if failed deployment
If the zip file created exceeds AWS 500mb upload limit, then the following steps can be taken:
Open the unzipped file of the AWS Package
Navigate to the following path, Package\ClientApp\dist
Delete additional language packs that are not required.
Navigate back to within the Package folder
Select all files within the folder and create a new Package.zip
Confirm size is less than the limit and redeploy with the new zip.
The following steps relate to upgrading an existing AWS deployment
This only applies if the machine used to generate the AWS package has older versions of the wizard installed.
From the start menu select one of the XMPro Products and right-click it.
Click Uninstall.
Select XMPro Subscription Manager from the list of programs displayed.
Click Uninstall.
When prompted to confirm uninstall click Yes.
Click Next
When prompted to select the install to modify click Cancel. We do not want to remove the installed XMPro site, only the installer.
Repeat for all the installers.
In AWS Console navigate to Aurora and RDS
In the navigation pane, click Databases
Select the existing instance, expand Actions and click Take snapshot
Provide a Snapshot name and click Take snapshot.
Run the installation wizard for Subscription Manager.
Run Subscription manager as Administrator.
Follow the instruction in the installation wizard: click Next.
Select the Install option (1) and click Next (2).
Do not select Upgrade
Tick Web Application(1), select AWS Package (2), and click Next (3)
Exclude the Database component
Enter the secret store prefix (1), the S3 Bucket name from earlier (2), and click Next (3)
Provide the Database connection details noted in the database creation steps:
Provide the SQL endpoint (1)
Change the SQL user to SQL Authentication and provide credentials (2)
Select existing SM database created earlier (3)
Click Next (4)
Select the installation path (1), the DNS name for the site (2), and click Next (3).
Enter the Signing Certificate details:
Browse to the certificate created earlier
Enter the certificate password
Select the subject name
Select Local Machine
Click Next
Enter the Encryption Certificate details
Browse to the certificate created earlier
Enter the certificate password
Select the subject name
Select Local Machine
Click Next
Click Next once the installation has completed.
Click Finish
Navigate back to Elastic Beanstalk and open the Environment page
Click and navigate to the SM Environment you created earlier
Click Upload and deploy
Use the on-screen form to upload the zip file found in the SM AWS Package.
Update the Version label if needed and click Deploy
If deployment fails due to locked SM log files, follow these steps:
Open the configuration of the Subscription Manager environment
Click and navigate to Service access.
Add EC2 key pair and click Apply
Wait for the environment to complete auto-healing - the load balancer will automatically start a new app service.
In AWS Console, navigate to EC2 and click Instances in the navigation pane
Observe the Environment may appear twice, select the one with a Running for its Instance state.
as mentioned in Step 4, the duplicate is because of the termination.
Click the RDP client tab and click Download remote desktop file
Now click Get password
On the Get Windows password page
Upload a private key file paired with that EC2 Key pair
Click Decrypt password
Now copy the now visible password, where Get password was previously
Connect to the service using the downloaded RDP file
Open IIS, and click Stop on the server level
Repeat Deployment steps (IIS will restart after deployment)
Run the installation wizard for Data Stream Designer.
Run Data Stream Designer as Administrator.
Follow the instruction in the installation wizard: click Next.
Select the Install option (1) and click Next (2).
Do not select Upgrade
Tick Web Application(1), select AWS Package (2), and click Next (3)
Exclude the Database component
Also, Leave Configure Subscription Manager
Enter the secret store prefix (1), the S3 Bucket name from earlier (2), and click Next (3).
Select the installation path (1), the DNS name for the site (2), and click Next (3).
Click Next once the installation has completed.
Click Finish
Navigate back to Elastic Beanstalk and open the Environment page
Click and navigate to the DS Environment you created earlier
Click Upload and deploy
Use the on-screen form to upload the zip file found in the DS AWS Package.
Update the Version label if needed and click Deploy
Run the installation wizard for App Designer.
Run the App Designer installer as Administrator.
Follow the instruction in the installation wizard: click Next.
Select the Install option (1) and click Next (2).
Do not select Upgrade
Tick Web Application(1), select AWS Package (2), and click Next (3)
Exclude the Database component and Configure Subscription Manager
Enter the secret store prefix (1), the S3 Bucket name from earlier (2), and click Next (3).
Select the installation path (1), the DNS name for the site (2), and click Next (3).
Click Next once the installation has completed.
Click Finish.
Navigate back to Elastic Beanstalk and open the Environment page
Click and navigate to the AD Environment you created earlier
Click Upload and deploy
Use the on-screen form to upload the zip file found in the AD AWS Package.
Update the Version label if needed and click Deploy
In the AWS console go to the Certificate Manager
Select the region the SSL Certificate is required in
The certificate can be either imported or a new certificate can be requested.
Click Get started under Provision Certificate
2. Click Request a certificate
3. Enter the certificate domain name and click Next
4. Select the DNS validation method and click Next
5. Review your settings and click Confirm and request if correct
6. Once the DNS configuration file becomes available, click Continue
7. Contact your IT administrator to complete the DNS verification by adding the CNAME record to your website DNS
8. Once the DNS verification is complete the SSL certificate is added to your certificate manager for the specified region
Click Get started under Provision Certificate
2. Click Import a certificate
3. Complete the certificate detail and click Next to import the certificate
Search for ElastiCache in the Services dropdown and select it.
2. In the left-hand panel, click Hosted Zones.
3. Click Create Hosted Zone.
In the right-hand panel complete the Domain Name using the domain name you created the SSL certificate for and click Create.
5. Click Create Record Set.
6. Change Alias to Yes, then go to EC2 in AWS services and scroll down to Load Balancing and click Load Balancers.
7. Select a Load Balancer and click Tags to identify what Application is serviced by the selected Load Balancer.
8. When the correct Load Balancer for the Application is identified, click the Description Tab.
9. Copy the DNS Name for the Load Balancer. Go back to the Record Set you created in Route 53.
10. Paste the Load Balancer DNS address in the Alias Target field and click Create.
This needs to be completed for each ELB Application.
11. The NS values must be provided to you by the DNS Administrator to create the NS records in the Domain DNS records. This needs to be completed for each ELB Application.
In the AWS Management Console, choose EC2 under Compute in the Services drop-down.
Click Security Groups under the NETWORK & SECURITY option.
3. Click Create security group.
4. Create the RDS_security_group and select the VPC.
5. Add the following rules and replace the source with the security groups assigned to the environments you created earlier.
6. Create an additional security group called REDIS_Cache_security_group.
7. Add these rules again using the security groups for the environments created earlier as the source.
8. In Elastic Beanstalk, select the environment you want to change.
9. Click Configuration in the left pane
10. Remove the default security group and click Apply. Do this for all the environments.
11. In Services, selects RDS and click Databases.
12. Select your RDS database and click Modify.
13. Scroll down to Network and Security. Select the RDS security group you created earlier and remove the default security group.
14. Scroll down and click Continue.
15. Select Apply Immediately and click Modify DB Instance.
16. Select ElastCache from Services and click Redis.
17. Select the Redis Cache you created earlier and from Actions click Modify.
18. Edit the Security Groups
19. Remove the default security groups and add the Redis Cache security group created earlier. Click save and modify.
The installation of the XMPro Platform is now complete, but there are some environment setup steps before you can use the platform. Please click the below link for further instructions:
Meet the
Install the
Follow the
An SSL Certificate in AWS Certificate Manager, used by IIS (See the guide).\
An SSL Certificate, used by the SM instance (added to the during the installation). Create or ask your administrator for an SSL certificate with the correct DNS name. A self-signed certificate is good enough. There are many ways to generate this certificate, one of which is described in the above guide. Please note the file names must be called ssl.pfx and ssl.password.txt.
Log on to the and switch to the region you want to deploy the solution in, you will need Administrative rights to the subscription to complete the deployment.
Currently, SignalR doesn’t support Redis Clusters ()
Sticky Sessions must be used for SignalR ()
If scaling is required, consider Cluster Mode enabled for Redis ().
For the Capacity section, select Load Balanced under Environment Type and set the required Instance Min and Max to 1. (More information can be found ).
Enter the SMTP details referenced in the guide and click Test SMTP settings (1), If successful, click Next (2).
Repeat same steps as SM for the
Repeat steps 1 - 4 as SM for
Enter the SMTP details referenced in the guide and click Next.
Enter the Twilio details referenced in the guide and click Next. If you don't want SMS notifications you can select "None" from the "Select Provider" dropdown.
Repeat same steps as SM for the
Repeat steps 1 - 4 as SM for
Enter the SMTP details referenced in the guide and click Test SMTP settings (1), If successful, click Next (2).
Enter the SMTP details referenced in the guide and click Test SMTP settings (1), If successful, click Next (2).
Enter the Twilio details referenced in the guide and click Next. If you don't want SMS notifications you can select "None" from the "Select Provider" dropdown.