EMQX Platform Docs

English

简体中文

English

简体中文

Appearance

Contact Us
Edit this page

Deployment Prerequisites

Before deploying EMQX Cloud Bring Your Own Cloud (BYOC), make sure to complete the following preparations:

  • Familiarize yourself with the basic concepts of public cloud services and network structures, such as VPC, subnet, ECS, etc.
  • Have a public cloud account and an EMQX Cloud account.
  • Prepare relevant cloud resources and cloud account permissions.
  • Set up the deployment bootstrap environment.
  • Prepare a domain name and the corresponding TLS/SSL certificate for EMQX service.
  • Prepare an EMQX Cloud BYOC license.

Account Preparation

The EMQX Cloud BYOC deployment will be created in your cloud account. If you do not have a corresponding public cloud account, you can create an account according to the official documentation of the cloud platform you preferred, for example:

Currently, BYOC supports the following public clouds and regions. If you need support from other cloud service providers or regions, you can submit a ticket or send an email to contact us.

Cloud ProviderRegion
AWSUS: US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon)
EU: EU (Ireland), EU (Frankfurt)
Aisa: Asia Pacific (Singapore), Asia Pacific (Mumbai), Asia Pacific (Hong Kong), Asia Pacific (Tokyo)
Google CloudUS: us-east1 (South Carolina), us-west1 (Oregon), us-central1 (Iowa)
EU: europe-west3 (Frankfurt), europe-north1 (Finland)
Asia: asia-south1 (Mumbai), asia-southeast1 (Singapore), asia-east1 (Taiwan)

In addition, you also need an EMQX Cloud account to complete the deployment. If you have not registered, please go to the EMQX Cloud account registration page to register an account.

Resources and Permissions

EMQX Cloud BYOC deployment requires you to create various cloud resources and services in your cloud account. Make sure that the relevant cloud account has reserved enough resources quota and completed the setting of relevant permissions.

Resource Quotas

The following table shows the cloud resources and services required for EMQX Cloud BYOC deployment. If the resources in the current account are insufficient, please contact the cloud account administrator to increase the relevant service quotas.

TIP

Your cloud administrator can quickly view the usage and quotas of resources and services in the cloud quota.

Resources and ServicesRequired Quantity for Deployment
VPC1
Subnets3
Security groups1
Route tables*3
Load balancers1
LB listeners6
Target groups6
Internet gateways1
Key pairs1
EC2 instancesN*+1
Amazon Machine Images (AMIs)1
IAM policies1

*Route tables: Include a default routing table which is not used.

*N: Refers to the number of EMQX nodes.

Notice

If you're using Google Cloud, it's important to verify the presence of the default network in your GCP account. If it's not already in place, please create it. During the deployment process, packer will be used as the system image packaging tool. This requires the creation of necessary resources for packaging within the default network of the Virtual Private Cloud (VPC).

If the default network cannot be created due to security policies, you can submit a ticket or send an email to contact us.

IAM Permissions

Your role needs to have the necessary Identity and Access Management (IAM) permissions to run commands to create the cloud resources in your cloud account. You need to ask your cloud administrator to assign sufficient permissions for creating BYOC deployments and generate the corresponding credentials.

To create a custom policy, you can utilize the provided policy definition by following the steps in the Creating policies using the JSON editor documentation. After creating the custom policy, you can attach it to an IAM user or a group of users. Finally, generate the access key for the IAM user by following the steps in the Managing access keys for IAM users documentation.

Here is the policy definition in JSON (for creating deployment):

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateInternetGateway",
        "ec2:CreateImage",
        "ec2:CreateKeyPair",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteKeyPair",
        "ec2:ImportKeyPair",
        "ec2:RunInstances",
        "ec2:ModifyImageAttribute",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVpcAttribute",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:RegisterTargets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/used-by": "emqx-cloud"
        }
      }
    }
  ]
}

Here is the policy definition in JSON (for deleting deployment):

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateRouteTable",
        "ec2:ModifyInstanceAttribute",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetGroupAttributes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteInternetGateway",
        "ec2:DeleteKeyPair",
        "ec2:DeleteVpc",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DeregisterImage",
        "ec2:TerminateInstances",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteTargetGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/used-by": "emqx-cloud"
        }
      }
    }
  ]
}

Here is the policy definition in JSON (for stopping and starting deployment):

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/used-by": "emqx-cloud"
        }
      }
    }
  ]
}

Prepare the Startup Environment

To deploy EMQX Cloud BYOC, you need an Ubuntu 20.04 LTS (AMD64) environment that can be connected to the public network. Either of the following ways works:

  • (Recommended) Use the Ubuntu 20.04 LTS image to create a virtual machine instance in the cloud account. The memory of the instance must be more than 1 GiB.
  • Use a local Ubuntu 20.04 LTS environment.

Domain Name and Certificate

Prepare a domain name and TLS/SSL certificate for the EMQX service in advance. EMQX Cloud BYOC supports custom one-way TLS/SSL authentication and only supports specifying TLS/SSL certificates during the deployment.

WARNING

The certificate needs to be a CA-signed certificate. Please refer to the TLS/SSL Configuration for BYOC Plan for TLS/SSL certificate format requirements.

BYOC License

Prepare the EMQX Cloud BYOC license. You can contact sales to apply for a BYOC license. Our sales team will determine the license specifications based on the number of devices connected and the number of Pub&Sub transactions per second (TPS).

© 2013-2025 EMQ Technologies Inc. All rights reserved