Configuring AWS


You must run PE on an approprate EC2 instance, and manage nodes within a securely configured EC2 VPC to accomodate PE's required network ports.

EC2 instance types

You must run PE on an EC2 instance with sufficient memory and processing power.

To fulfill the hardware requirements, use an m4.xlarge instance as a minimum baseline. The PE installation contained in this image does not include additional Puppet compile masters and therefore should not manage more than 4,000 nodes.

EC2 security groups

Use this image to manage nodes within a securely configured EC2 VPC and security group.


When enabling network ports for inbound connections to the Puppet master, refer to the table below, and see the EC2 security group policy example for this configuration in EC2-style JSON.

TCP port Description VPC Access
22 SSH Outside VPC
443 Puppet Enterprise console (HTTPS) Outside VPC
8140 Puppet master Inside VPC only
8142 Orchestration services Inside VPC only
8143 Orchestration services Inside VPC only
61613 MCollective Inside VPC only

For more information about PE's required network availability, see the PE firewall configuration guide for the version of PE you are using.

Configuring the metered billing service (PAYG)

When launching the pay-as-you-go (PAYG) AMI, your EC2 instance and VPC must be configured for outbound (egress) access to the public internet, or an internet gateway allowing it to communicate with the AWS metering service. The EC2 instance must be launched with an IAM role permitted to use the metering service. For more details, see the AWS metering service guide, and the IAM role documentation.

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.