AWS Reference Architecture

This guide presents a reference architecture for Pivotal Cloud Foundry (PCF) on Amazon Web Services (AWS). It builds on the common base architectures described in Platform Architecture and Planning.

See PCF on AWS Requirements for general requirements for running PCF and specific requirements for running PCF on AWS.


The following diagram illustrates the reference architecture for PCF on AWS.

This diagram illustrates PCF on AWS. For specific details about the components and communication represented by the diagram, see the base and AWS reference architectures.

View a larger version of this diagram.


The following sections provide guidance about networking resources.


You can use AWS Route 53 for DNS resolution to host your PCF domains.

Load Balancing

AWS offer Application Load Balancers (ALBs) and Network Load Balancers (NLBs). Pivotal recommends using NLBs because of the simplicity and security of leaving all encrypted traffic in place until it reaches the Gorouters. If you require Amazon Certificate Management or more complex layer 7 routing rules, you can front or replace the NLB with an ALB.

Networks, Subnets, and IP Spacing Planning

The follow list provides considerations related to networks, subnets, and IP spacing planning.

  • In AWS, each AZ requires its own subnet of which the first 5 IPs are reserved.
  • Your organization may not have the IP space necessary to deploy PCF in a consistent manner. To alleviate this, Pivotal recommends using the 100.64 address space to deploy a NAT instance and router so that the PCF deployment can use few IP addresses.
  • If you want the front-end of PCF to be accessible from your corporate network or the services running on PCF to be able to access corporate resources, you must either provide routable IPs to your VPC or use NAT.
  • If you want a VPC that is only public-facing, no special consideration is necessary for the use of IPs.
  • See the following table to understand the action required depending on the type of traffic you want to allow for your PCF deployment.
    If you want… then…
    Internet ingress Create the load balancers with Elastic IPs.
    Internet egress Create the NAT Gateway towards the Internet.
    Corporate Ingress Create load balancers on your corporate subnet.
    Corporate Egress (For accessing corporate resources) Create the NAT instance on your corporate subnet or if business requirements dictate, make the entire VPC corporate-routable.
  • If you plan to install PCF Service Broker for AWS, you may want to create another set of networks in addition to those outlined in the base reference architecture. This set of networks would be for for RDS and other AWS managed instances.

Alternative Network Layouts

The following options are available for choosing your network topology:

Type of Traffic Options
Internet Ingress
  • Allow Internet ingress by associating load balancers with elastic IPs.
  • Do not allow Internet Ingress.
Internet Egress
  • Allow PCF to access the Internet through a NAT gateway.
  • Do not allow PCF to access the Internet. Use only a Corporate network.
  • Isolated. This is normally Internet-only facing.
  • Peered with corporate or other VPCs through Transit Gateway.
  • Peered directly with other VPCs and corporate connections.
Corporate Peering
  • SNAT for corporate resources. This requires 3 corporate IPs.
  • Routable IP Addresses for VPC using /20 or a larger CIDR block necessary.


Use a single RDS instance for BOSH and PAS. This instance requires several databases. See the following sections of the installation documentation for more information:

Blobstore Storage Accounts

Ops Manager requires a bucket for the BOSH blobstore.

PAS requires the following buckets:

  • Buildpacks
  • Droplets
  • Packages
  • Resources

These buckets require an associated role for read/write access.

Identity Management

For identity management, use Instance Profiles whenever possible

. For example, the AWS Config Page of the BOSH Director tile provides a Use AWS Instance Profile option. See Step 2: AWS Config Page.

Create a pull request or raise an issue on the source for this page in GitHub