Roadrunner SMB — Deployment Guide
Last Updated: 2026-04-20
Who this is for
This guide is for AWS administrators and DevOps engineers deploying Roadrunner SMB from the AWS Marketplace into an existing VPC. It assumes familiarity with CloudFormation, VPC networking, and Active Directory.
Not a fit for this guide: customers who want to evaluate RRSMB before having an AD domain ready. See Quick Start for the end-to-end first-deployment flow.
Architecture Overview
Roadrunner SMB deploys a fixed-size, active-active SMB cluster into your AWS VPC. All nodes serve SMB traffic simultaneously; the Network Load Balancer distributes connections across them.
Your VPC
│
├── AZ-1 (private subnet) AZ-2 (private subnet)
│ └── RRSMB Node 1 └── RRSMB Node 2
│ └── RRSMB Node 3
│
├── Network Load Balancer (NLB)
│ └── Port 445 → all RRSMB nodes (SMB)
│
├── Application Load Balancer (ALB)
│ └── Port 443 → all RRSMB nodes port 8888 (Admin UI, HTTPS)
│
├── Amazon EFS (shared storage — all nodes mount it)
│ ├── Share data (one EFS access point per share)
│ └── CTDB cluster coordination files
│
└── Amazon DynamoDB (regional, no AZ boundary)
├── NT ACL store
└── CTDB cluster mutex
Key components
| Component | Role |
|---|---|
| RRSMB nodes | ECS tasks running the RRSMB container: Samba (smbd), CTDB cluster daemon, winbind (AD), and Go management server |
| CTDB | Cluster Trivial Database — provides active-active clustering, IP failover, and share consistency across nodes |
| Amazon EFS | Persistent share storage; all nodes see the same files via EFS access points |
| Amazon DynamoDB | Stores NT ACLs durably; used as CTDB distributed reclock |
| Network Load Balancer (NLB) | DNS endpoint for SMB client connections (port 445); routes to healthy nodes only |
| Application Load Balancer (ALB) | DNS endpoint for Admin UI (port 443 external → port 8888 on nodes); terminates TLS |
| Active Directory | All user authentication uses AD Kerberos/NTLM; domain join is required before shares can be accessed |
AWS Prerequisites
Account quotas
Verify your account has sufficient quota for:
- EC2: 3 instances (m5.large by default)
- EFS: 1 file system, 2+ mount targets
- DynamoDB: 2 tables
- ECS: 1 cluster, 1 service, 3 tasks
- NLB: 1 load balancer, 2 listeners, 2 target groups
- Secrets Manager: 2 secrets (bootstrap secret created by stack + optional AD join secret for re-join reference)
- CloudWatch Logs: 1 log group
Networking requirements
| Requirement | Detail |
|---|---|
| Private subnets | At least 2 subnets in different AZs; RRSMB nodes must NOT have public IPs |
| Outbound internet | Nodes need outbound HTTPS (443) for: ECR image pull, DynamoDB, EFS, Secrets Manager, CloudWatch. Use NAT Gateway or VPC endpoints. |
| AD DNS resolution | VPC DHCP options must point to domain controllers, OR Route 53 Resolver must forward the AD domain to DC IPs |
| AD reachability | Nodes must reach domain controllers on TCP/UDP 88 (Kerberos), 389/636 (LDAP), 445 (SMB/RPC) |
VPC endpoints (optional but recommended)
To avoid NAT Gateway costs for AWS API traffic, create VPC interface endpoints for:
com.amazonaws.<region>.ecr.apicom.amazonaws.<region>.ecr.dkrcom.amazonaws.<region>.ecscom.amazonaws.<region>.ecs-agentcom.amazonaws.<region>.secretsmanagercom.amazonaws.<region>.logscom.amazonaws.<region>.dynamodb(gateway endpoint, no cost)com.amazonaws.<region>.elasticfilesystem
CloudFormation Parameters
All parameters are set during the Marketplace launch flow. Required parameters:
| Parameter | Description |
|---|---|
VpcId |
Your VPC ID |
PrivateSubnetIds |
≥2 private subnet IDs across ≥2 AZs (comma-separated) |
AdDomainFqdn |
AD domain FQDN (e.g. corp.example.com) |
DcDnsIp1 |
Primary domain controller IP |
DcDnsIp2 |
Secondary domain controller IP (optional) |
AdminCidr |
CIDR block for Admin UI access (ALB, port 443) |
BackendImageUri |
RRSMB container image URI (pre-filled from Marketplace) |
Note: Active Directory join credentials are entered interactively in the First-Time Setup wizard — no pre-created secret is required as a deployment parameter.
Optional parameters (have defaults):
| Parameter | Default | Description |
|---|---|---|
EnvironmentName |
prod |
Label used in resource names and log groups |
ClusterSize |
3 |
Number of RRSMB nodes (validated range: 1–4) |
BackendCpuUnits |
2048 |
ECS task CPU units |
BackendMemoryMiB |
4096 |
ECS task memory (MiB) |
Stack Outputs
After deployment, the following outputs are available in the CloudFormation console under the Outputs tab:
| Output | Description |
|---|---|
AdminUIUrl |
URL for the Admin UI — open this to begin First-Time Setup |
BootstrapSecretConsoleUrl |
Direct link to the one-time bootstrap secret in Secrets Manager |
BootstrapSecretArn |
ARN of the bootstrap secret (for programmatic retrieval) |
NlbDnsName |
NLB DNS name for SMB client connections (\\<NlbDnsName>\<sharename>) |
SmbSharePath |
UNC path template for share access |
ClusterId |
Cluster ID (used in DynamoDB table names) |
EfsFileSystemId |
EFS file system ID |
CloudWatchLogGroup |
CloudWatch log group for all nodes |
EcsClusterName |
ECS cluster name |
EcsServiceName |
ECS service name |
Multi-AZ Topology
The stack distributes nodes across the provided subnets. AWS attempts to balance instances across AZs automatically.
Minimum resilience: with 2 AZs and 3 nodes, at least 2 nodes survive an AZ failure. CTDB maintains quorum and the cluster remains fully operational.
AZ placement rules:
- Provide subnets in at least 2 AZs
- The stack creates one EFS mount target per subnet
- CTDB tolerates the loss of any single node; SMB traffic continues on surviving nodes
Scaling
Scaling is controlled exclusively by AWS infrastructure, not the Admin UI.
To adjust cluster size:
- Update the CloudFormation stack with a new
ClusterSizeparameter value - The ASG and ECS service update automatically via rolling replacement
Validated range: 1–4 nodes. Deployments outside this range are not validated and not supported.
The Admin UI shows the current node count but does not provide scaling controls.
Admin UI Access
In Marketplace (multi-AZ) deployments, the Admin UI is accessed via the ALB on port 443 (HTTPS). The ALB terminates TLS and forwards traffic internally to RRSMB nodes on port 8888. The AdminUIUrl CloudFormation output contains the ALB DNS name.
Access is restricted to the AdminCidr security group on the ALB.
Single-node / EasyButton mode: In non-Marketplace single-node deployments, the NLB handles both SMB (port 445) and Admin UI traffic directly on port 8888 without ALB TLS termination.
Updating the Software
Updates are delivered as new container image tags via the AWS Marketplace or your ECR registry.
Update procedure:
- A new RRSMB image version is released
- In the CloudFormation console, click your stack → Update
- Change
BackendImageUrito the new image URI - Submit the stack update
The ASG performs a rolling node replacement maintaining at least 2 of 3 nodes healthy throughout the update. No downtime for SMB clients during a rolling update under normal conditions.
Post-Deployment Checklist
After the stack reaches CREATE_COMPLETE:
- Admin UI is accessible at
AdminUIUrl - Bootstrap secret retrieved from
BootstrapSecretConsoleUrl - First-Time Setup wizard completes successfully
- Domain join succeeds (Setup page shows domain joined)
- Cluster page shows all nodes as healthy (green)
- Create a test share and mount from a Windows machine
- Verify file read and write in the mounted share