Skip to Content

Installing Vinyl in AWS (Windows)


This manual will cover several suggested methods of installation of Vinyl in AWS using Windows and SQL Server. There are many methods of configuring the underlying architecture for web hosting, networking and security aspects below can be tailored as needed.

This guide is primarily intended to help with a new blank AWS account, or an existing one that can be adapted to meet the basic requirements.

Two general methods of using AWS for hosting Vinyl on Windows are:

  • PaaS: ElasticBeanstalk - .NET as a platform (With and without High-Availability)
  • IaaS: VMs Ec2 instances - (Similar to on-premise)

This document focuses on using ElasticBeanstalk (EB), as this is the easiest method in AWS for long term management and ease of upgrades. For Ec2-only, see our VM/on-premise doc. In addition, this document will also focus on using RDS (Relational Database Service) for the DB.


You may save on cost and increase simplicity by placing all objects in Public subnets (Subnets that are in a Route Table where the default gateway (( is an Internet Gateway.); Negating the need for a NAT Gateway and Bastion host. Just note that the Security Groups will then be the only barrier from outside access and you will not be able to have a reliable outbound IP from Vinyl which to whitelist on external systems. (NAT Gateways have a static eIP which will be the outbound IP).

AWS elements

  • VPC with 4 or more subnets; Two or more associated with a route table containing an Internet Gateway as the default route (public) – Two or more associated with a route table using a NAT gateway as the default route (Private) Availability zones must mirror across Route Tables (IE: using Public: 1a,1b - Private: 1a,1b)
  • Certificate – You will need to create or import a cert to use SSL
  • IAM: Users, Roles*, Policies* – Granting service permissions
  • Security Groups* – Granting inbound and cross-server permissions
  • Ec2, Bastion host – Jump server for App server and DB admin access
  • S3 Bucket* - configured to allow Vinyl read/write access for the purpose of creating and sharing security keys
  • Database* - Can be run using RDS or installed on EC2 instances
  • Elastic Beanstalk* - Manages Vinyl Ec2 instances

*One per instance


Basic networking

VPC example:

Default VPC:

NAT Gateway (Optional): Subnet as public, Connectivity as Public, allocate eIP.



Public Route Table:


Private Route Table:



S3 setup for data encryption keys

Create an S3 bucket in your desired region; this will be used to store session state metadata and Vinyl column encryption:

Example name: *companyname*-vinyl-encryption-keys-*dev*

*Deny public access



S3 Access Policy:

Create new Policy with this JSON, edit Resource with above name:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": "s3:*",
      "Effect": "Allow",
      "Action": [
    "Resource": "*"

Example Name: *companyname*-vinyl-encryption-keys-s3-*dev*

Example Desc: Grants EC2 access to S3 Bucket


Create new Role: Type=EC2 -> Add policies:

  • <S3 Policy Above>
  • AWSElasticBeanstalkMulticontainerDocker
  • AWSElasticBeanstalkWebTier
  • AWSElasticBeanstalkWorkerTier

Name: *companyname*-eb-*dev*


Within the EC2 service, go to each of the below sections and create the following:

Security Groups:

Create at least two groups, one for EC2/EB (Applied in EB) and one for RDS. The EB group will be added as a source in the RDS group, as seen below. The these grant permissions to RDP to the EC2 instance and for the EC2 instance to access the RDS instance:

Security Group Configuration
Name: EB-DEV (Allows ports to EC2)
RDP TCP 3389 <VPN Endpoint> Company VPN
RDP TCP 3389 <Yourself> RDP
RDP TCP 3389 sgr-091a912ec59ae4184 Bastion
Name: RDS-DEV (Allows ports to RDS)
MSSQL TCP 1433 <VPN Endpoint> Company VPN
MSSQL TCP 1433 sgr-082d6e34327ee6b9c8 (EB-DEV)
MSSQL TCP 1433 <Yourself> RDS
MSSQL TCP 1433 sgr-091a912ec59ae4184 Bastion
Name: Bastion (Optional) (Is added to above to allow it access to instances on Private Subnets)
MSSQL TCP 1433 <VPN Endpoint> Company VPN

Key Pairs:
Create key pair -> <companyname-%dev%> -> PEM -> Create

Instances: Create a Bastion host (Optional)
Launch a Windows 2019 basic instance for use as an RDP jump-host if using private subnets for Vinyl instances.

Create a database using RDS

  1. Open the RDS service in the AWS console
  2. Choose Subnet groups > Create DB subnet group > Label either private or public, depending on if you want the ability for outside access (security groups permitting) > Choose your VPC and add select the Availability Zone pair you used when setting up the subnets for the VPC above > Now select the correct two subnets that are both either the private, or the public set. > Create
  3. Choose Create Database > Microsoft SQL Server > Choose license:

    • SQL Server Express Edition *(Acceptable for small DBs under 10GB and instances sized 'large' or smaller.)
    • SQL Web Edition (For DBs > 10GB; for instance sizes > 'large')
    • SQL Standard Edition (For Multi-AZ; Very expensive)
  4. DB instance identifier: IE: companyname-db-dev

  5. Master username: Vinyl
  6. Master password: Generate a strong random pass that excludes symbols (IE: zpZvLtLmRmrrE68T)
  7. Instance size: T3.Medium or greater, depending on workload (M5.Large or > for sustained high CPU.)
  8. Allocated storage: 20GB to start for dev; recommend 200GB or more for Prod due to greate IOPS allocation
  9. Subnet group: Choose the one you created above.

    • Public access: Yes if above group used Public Subnets; otherwise no.
    • Existing VPC security groups: Choose the RDS group created earlier.

Set remaining values as desired (Keep 1433 as the DB port).


If hosting Vinyl with Jitterbit, SQL Server Express is not a supported database option.

Elastic Beanstalk setup (EB)

  • App Name: Vinyl
  • Env Name: *companyname*-app-*dev*
  • Platform: .NET on Windows; IIS 10 Windows 2019, Latest platform
  • Upload Vinyl .zip package with the '-eb' filename ending. For example:
  • Select Configure More Options - Scroll to top of page Select: Custom configuration For the below, click Edit on each section and save in the following order:

    Elastic Beanstalk Setup
    Capacity: Load Balanced; min 1/max 1 (See High-Availability manual for higher);
    Instance Type: T3.medium or greater (Depending on load);
    AMI ID: Use default AMI ID
    Network: Select created VPC
    Load balancer subnets: Select 2 Public Subnets
    Instance Subnets: Select 2 Private Subnets
    Database Subnets: Unused
    Instances: Size: 150GB; Groups: EB group created in EC2 section.
    Load Balancer: Type: Application -> Processes; Edit default;
    HTTP code: 200; Path /ping
    For SSL: (See Configuring HTTPS) Add listener - 443/HTTPS - Your Cert - TLS-1-2-Ext-2018-06
    Security: <EC2 Key pair from above>; IAM Instance profile as created above. Leave Service Role as-is (autogenerated)
  • Create!

EB post configuration

The environment will take approximately 15 to 20 minutes to come up.

Once EB has completed standing up the components, it's normal for the status to be red at this phase, as need to update the default EB environment properties.

In the ElasticBeanstalk Environment: Go to: Configuration -> Software -> Edit:



Scroll down to Environment properties:

Property Name Default Example
ConnectionInfo DatabaseType=SQLServer;HostName=;DatabaseName=Vinyl;UserName=vinyl;Password=password DatabaseType=SQLServer;;DatabaseName=Vinyl;UserName=vinyl;Password=P@SSW**RD~!!
DataEncryption:S3BucketEndpoint https://{bucket}s3{-aws-region} https://companyname-vinyl-encryption-keys-dev
DataEncryption:S3KeyPrefix {elastic-beanstalk-environment-name} Companyname-app-Dev
  1. ConnectionInfo: Edit string portions to match your db hostname, username and password.
  2. DataEncryptionKeyS3BucketEndpoint: Set to the bucket name created earlier.
  3. DataEncryptionKeyS3KeyPrefix: Set to the Elastic Beanstalk environment name.

After these steps are applied and the updates complete, go to the Vinyl site URL in EB. This will trigger a database installation or upgrade if required.

Configuring HTTPS

By default, new Elastic Beanstalk environments are not configured for HTTPS. As noted in the Vinyl documentation, HTTPS is strongly recommended for all new Elastic Beanstalk environments.

Elastic Beanstalk environments terminate the HTTPS connection at the Elastic Load Balancer.


For the below process, you must have created or imported a certificate in to the Certificate Manager service already.

Configuring Elastic Beanstalk to accept HTTPS requests

  1. Log into the Amazon Web Services Console
  2. Under Services, choose Elastic Beanstalk
  3. Select the environment you are updating
  4. Select Configuration on the left menu
  5. At Load Balancer choose Edit
  6. If not present, add Listener Port 443, HTTPS:


  7. Select the SSL Certificate ID that is applicable *For the 'SSL policy'; As for Windows 2019, TLS 1.2 must be used

  8. Click the Save button, and then Apply on the Load Balancer page:


Enforce HTTPS and FQDN redirect

Ensure you have created and tested a DNS CNAME entry for your domain with your registrar or current Name Servers before configuring the below. The ElasticBeanstalk URI will be the target value your DNS entry must use. It must also match the SSL Certificate you are using.


  • Host/Name:
  • Type: CNAME
  • Target/Value:
  1. From Vinyl, go to the IDE > Security Providers
  2. From the Configuration panel, click the More button and select Sites:


  3. Double-click the default entry

  4. Click the Edit button
  5. Enter your FQDN url with https in the URL field
  6. Check to enable Redirect
  7. In the Redirect If Header Exists field, enter X-Forwarded-For:


  8. Click Save