Roadrunner SMB™ — Deployment Guide

Last Updated: 2026-06-06

Who this is for

This guide is for AWS® administrators and DevOps engineers deploying Roadrunner SMB from the AWS Marketplace into an existing VPC. It assumes familiarity with CloudFormation®, VPC networking, and Active Directory®.

Not a fit for this guide: customers who want to evaluate RRSMB before having an AD domain ready. See Quick Start for the end-to-end first-deployment flow.

Marketplace launch: two CloudFormation stacks

AWS Marketplace launch uses a launcher (parent) template plus a nested appliance (child) template. Buyers interact with the parent; the parent creates the child automatically.

Stack	Typical name	Role
Parent (launcher)	`RoadrunnerSMB-SingleAZ` or `RoadrunnerSMB-DualAZ`	Entry point from Marketplace. You set VPC ID and cluster node count only.
Nested (appliance)	`RoadrunnerSMB-SingleAZ-InnerStack-<id>` (auto-generated)	Full product stack: ECS, EFS, NLB, DynamoDB®, IAM, metering, and the RRSMB container.

Day-one outputs (Admin UI, FTS link, NLB DNS, bootstrap secret): CloudFormation console → parent stack → Outputs tab. The parent re-exports the values you need from the nested stack.

Advanced / ops outputs (subnet IDs chosen, EFS IDs, ECS names, validation summaries): nested stack → Outputs tab. Use these for troubleshooting and automation, not for first-time setup.

Launch requires acknowledging IAM custom names and CAPABILITY_AUTO_EXPAND (nested stack creation).

IAM planning: The deployer principal (your IAM user/role) is install-time only — not used by the appliance at runtime. For permission tiers, deployer vs runtime roles, and the template-derived permission matrix, see Identity and permissions and Deployer permission matrix.

Cluster ID vs stack names

Marketplace deploys use a fixed cluster ID of rrsmb-prod for all DynamoDB-backed resources. This is separate from CloudFormation stack names:

Identifier	Example	Used for
Cluster ID	`rrsmb-prod`	DynamoDB tables (`rrsmb-acl-rrsmb-prod-*`, `rrsmb-ctdb-mutex-rrsmb-prod`, `rrsmb-billing-rrsmb-prod`), CTDB identity, billing
Parent stack name	`RoadrunnerSMB-SingleAZ`	Buyer-facing CloudFormation stack; Outputs tab for Admin UI and FTS
Nested stack name	`RoadrunnerSMB-SingleAZ-InnerStack-<id>`	Auto-update, ECS/EFS/NLB resources, advanced ops outputs

One appliance per AWS Region per account is the supported deployment model today (Single-AZ and Dual-AZ both use cluster ID rrsmb-prod).

Architecture Overview

Roadrunner SMB deploys a configurable 1–4 node active-active SMB cluster into your AWS VPC. During deployment, select a node count from 1 to 4: use 1 node for evaluation and non-HA testing; use multiple nodes for HA production workloads. All nodes serve SMB traffic simultaneously; the Network Load Balancer distributes connections across them.

Your VPC (example topology; node count is 1–4)
│
├── AZ-1 (private subnet)         AZ-2 (private subnet)
│   └── RRSMB node(s)             └── RRSMB node(s)
│
├── AZ-1 / AZ-2 public subnets
│   └── Network Load Balancer (NLB in public subnets)
│       ├── Port 443 (TLS)  → Admin UI (restrict with AdminIngressCidr)
│       └── Port 445 (TCP)  → SMB from SmbClientCidr (VPC/private clients; not public internet by default)
│
├── Amazon EFS (shared storage — all nodes mount it)
│   ├── Share data (one EFS access point per share)
│   └── CTDB cluster coordination files
│
└── Amazon DynamoDB (regional, no AZ boundary)
    ├── NT ACL store
    └── CTDB cluster mutex

Key components

Component	Role
RRSMB nodes	ECS tasks running the RRSMB container: Samba (smbd), CTDB cluster daemon, winbind (AD), and Go management server
CTDB	Cluster Trivial Database — clustered Samba state coordination across nodes. Customer-facing routing and failover use AWS load balancing, ECS health checks, and Roadrunner SMB readiness/fencing
Amazon EFS®	Persistent share storage; all nodes see the same files via EFS access points
Amazon DynamoDB®	Stores NT ACLs durably; used as CTDB distributed reclock
Network Load Balancer (NLB)	NLB in public subnets. TLS/443 for Admin UI and First-Time Setup (`AdminUIUrl`). TCP/445 for SMB (`NlbDnsName`) from sources allowed by `SmbClientCidr` (default private ranges such as `10.0.0.0/8` — not the public internet unless you widen it). TLS terminates on the NLB for Admin; tasks receive Admin traffic on port 8888 internally
Active Directory	All user authentication uses AD Kerberos/NTLM; domain join is required before shares can be accessed

AWS Prerequisites

Account quotas

Verify your account has sufficient quota for:

EC2: up to 4 instances (matches ClusterSize; m5.large by default)
EFS: 1 file system, 2+ mount targets
DynamoDB: 2 tables
ECS: 1 cluster, 1 service, up to 4 tasks (matches ClusterSize)
NLB: 1 load balancer, 2 listeners, 2 target groups
Secrets Manager: 1 secret (bootstrap secret created by stack for First-Time Setup)
CloudWatch Logs: 1 log group

Networking requirements

Roadrunner SMB deploys into your existing VPC. Before any product resources are created, the stack runs read-only VPC discovery and validation (and optional AD discovery hints). If your VPC does not meet requirements, the stack fails immediately with VPC Unsuitable: … and rolls back.

See VPC prerequisites for the full Step 0 flow, enforced checks, warnings, and stack outputs.

Requirement	Detail
Private subnets	2 subnets in 2 AZs; no auto-assign public IP (validated at deploy)
Outbound (default)	Per-subnet `0.0.0.0/0` → NAT Gateway in the same AZ; S3 + DynamoDB Gateway endpoints on private route tables (defaults)
Public subnets	≥2 public subnets in ≥2 AZs for the NLB (Admin UI listener); auto-discovered or `PublicSubnetIds`
Active Directory	Not validated at deploy. Either private subnets route and resolve AD, or supply a valid DC IP in First-Time Setup. CloudFormation does not take AD FQDN or DC IPs as parameters.
AD reachability	From each private subnet used by RRSMB, domain controllers must accept domain-join traffic (typically TCP/UDP 88, 389/636, 445, and DNS).

VPC endpoints (optional but recommended)

The deploy-time checker warns (but does not block by default) if these Interface endpoints are missing; add them to reduce NAT usage:

com.amazonaws.<region>.ecr.api
com.amazonaws.<region>.ecr.dkr
com.amazonaws.<region>.secretsmanager
com.amazonaws.<region>.logs
com.amazonaws.<region>.sts

S3 and DynamoDB Gateway endpoints are required by default (RequireS3Endpoint / RequireDynamoDbEndpoint).

CloudFormation Parameters

At Marketplace launch (parent stack)

The buyer launch form exposes only:

Parameter	Description
`VpcId`	Your VPC ID (selector in the CloudFormation console)
`ClusterSize`	Number of RRSMB nodes (1–4). Default `2`.

Subnets, container image, and all other settings use release-baked defaults on the nested stack. Private and public subnets are auto-discovered from the VPC.

Note: Active Directory join credentials (and optional manual DC IP) are entered in the First-Time Setup wizard — not as CloudFormation parameters.

Advanced parameters (nested stack only)

The nested appliance template supports additional parameters (PrivateSubnetIds, PublicSubnetIds, AdminIngressCidr, AdminCidr, BackendImageUri, ApplianceState, sizing overrides, and more). These are not shown at Marketplace launch. To change them:

CloudFormation → open the nested stack (…-InnerStack-…) → Update.
Modify the parameter(s) you need → submit the stack update.

Common nested parameters:

Parameter	Default	Description
`EnvironmentName`	`prod`	Label used in resource names and log groups
`AdminIngressCidr`	`0.0.0.0/0`	CIDR allowed to reach Admin UI HTTPS/443 on the NLB
`SmbClientCidr`	`10.0.0.0/8`	CIDR allowed to reach SMB TCP/445 on the NLB (VPC/private client networks)
`AdminCidr`	`0.0.0.0/0`	CIDR allowed to scrape Prometheus metrics TCP/9090 on cluster nodes — not the Admin UI

Naming trap: AdminCidr does not control Admin UI access. Use AdminIngressCidr for HTTPS/443 to the Admin UI. Use AdminCidr only for metrics scraping from your observability network. | PrivateSubnetIds / PublicSubnetIds | (auto) | Optional comma-separated subnet IDs; blank = auto-discovery | | ApplianceState | Running | Running or Stopped — update via CloudFormation stack update | | BackendImageUri | (release default) | Marketplace ECR image for this version; updated automatically by in-appliance auto-update |

Stack Outputs

Parent stack (use these first)

After deployment, open the parent stack (RoadrunnerSMB-SingleAZ or RoadrunnerSMB-DualAZ) → Outputs:

Output	Description
`AFirstTimeSetupInstructions`	START HERE — copy the one-click First-Time Setup URL (~24h validity)
`AdminUIUrl`	Admin UI URL (`https://<nlb-dns>`)
`NlbDnsName`	NLB DNS for SMB (`\\<NlbDnsName>\<sharename>`)
`BootstrapSecretConsoleUrl`	Opens the bootstrap secret in Secrets Manager (recovery / manual entry)
`BootstrapSecretArn`	ARN of the bootstrap secret (automation)

Nested stack (advanced / ops)

The nested stack (…-InnerStack-…) also exposes detailed outputs:

Output	Description
`ValidationStatus` / `ValidationSummary`	VPC pre-check result (see VPC prerequisites)
`SelectedPrivateSubnetIds`	Private subnets chosen for RRSMB nodes
`AdDiscoverySummary` / `AdDiscoveryWarning`	AD auto-discovery hints for First-Time Setup
`OneClickSetupUrl`	Same FTS link as embedded in `AFirstTimeSetupInstructions`
`SmbSharePath`	UNC path template for share access
`ClusterId`	Cluster ID (used in DynamoDB table names)
`EfsFileSystemId`	EFS file system ID
`CloudWatchLogGroup`	CloudWatch log group for all nodes
`EcsClusterName` / `EcsServiceName`	ECS identifiers

Public endpoints (NLB)

The Marketplace stack uses one Network Load Balancer in public subnets. AdminUIUrl and NlbDnsName share the same DNS hostname.

Admin UI (TLS/443): Reachable from the internet by default (AdminIngressCidr defaults to 0.0.0.0/0). Narrow to office, VPN, or bastion CIDRs for production.
SMB (TCP/445): Restricted to SmbClientCidr (default 10.0.0.0/8 — your VPC and private client networks). SMB is not exposed to the public internet unless you deliberately widen SmbClientCidr.

Administrators use AdminUIUrl. SMB clients on allowed networks mount \\<NlbDnsName>\<sharename>.

RRSMB nodes and EFS stay in private subnets. The NLB is placed in public subnets (or subnets you supply via PublicSubnetIds).

To find endpoints later in the AWS Console:

Open CloudFormation → parent stack (RoadrunnerSMB-SingleAZ / RoadrunnerSMB-DualAZ) → Outputs → copy AdminUIUrl, AFirstTimeSetupInstructions, or NlbDnsName.
Open EC2 → Load Balancers and locate the stack NLB (name includes your environment label).
Confirm listeners: TCP/445 (SMB) and TLS/443 (Admin UI).
If the Admin UI is unreachable, verify your client IP is inside AdminIngressCidr, then check EC2 → Security Groups → rrsmb-<EnvironmentName>-nlb → inbound 443, and Target Groups for healthy Admin tasks.

Multi-AZ Topology

The stack distributes nodes across the provided subnets. AWS attempts to balance instances across AZs automatically.

Resilience: with subnets in 2+ AZs, tasks spread across zones. On multi-node deployments, AWS load balancing and ECS health checks steer SMB traffic away from unhealthy tasks; CTDB coordinates clustered Samba state while Roadrunner SMB enforces readiness/fencing.

AZ placement rules:

Provide subnets in at least 2 AZs
The stack creates one EFS mount target per subnet
On multi-node clusters, the loss of a single node is absorbed by surviving nodes; single-node (1) deployments have no HA within the appliance tier

Scaling

Cluster size is 1–4 nodes. Set or change it in either of these equivalent ways:

Admin UI (recommended after deploy):

Open AdminUIUrl → Cluster
Set Customer Cluster Node Target (1–4) with the slider
Click Apply — CloudFormation updates ClusterSize; ASG and ECS converge asynchronously

CloudFormation:

Update the parent stack Cluster Node Count (ClusterSize) — the launcher passes it to the nested stack
The ASG and ECS service update via rolling replacement

Supported deployment size: 1–4 nodes. 1-node mode is for evaluation, trial, and non-HA use. Production HA deployments should use multiple nodes. Deployments outside 1–4 are not validated and not supported.

EC2 hosts and ECS tasks

At steady state, ECS DesiredCount and ASG DesiredCapacity both equal ClusterSize (ClusterSize is the CloudFormation Cluster Node Count). Roadrunner SMB runs one ECS task per EC2 host.

ASG MaxSize is ClusterSize + 1 (for example 2 nodes → max 3 instances). The extra slot is for rolling container or host updates only — the ASG returns to ClusterSize when the update completes. You do not run a permanently idle spare node under normal operation.

Stop and start (scale to zero)

The Admin UI Cluster slider supports 1–4 only. To stop all compute during evaluations or periods of inactivity:

Method	How
Recommended	CloudFormation stack update with `ApplianceState=Stopped` — scales ECS and ASG min/desired/max to 0 while retaining EFS and DynamoDB
Manual (Console)	Set ASG desired capacity to 0, then terminate any remaining EC2 instances

To bring the cluster back online:

Update the CloudFormation stack with ApplianceState=Running and the desired Cluster Node Count; or
Set ASG desired capacity back to ClusterSize (and min/max to match the stack) if you stopped manually — then align ApplianceState on the stack so future stack updates stay consistent.

EC2 and ECS task charges stop while at zero. EFS, DynamoDB, NLB, and other retained AWS resources may still incur charges. See FAQ — scale to zero.

The Admin UI slider does not support scaling to zero. See Admin Guide — Cluster.

Admin UI access

Marketplace: Open AFirstTimeSetupInstructions or AdminUIUrl from the parent stack Outputs tab. The Admin UI is served over HTTPS on port 443 on the NLB.

Security groups and parameters

Control	Security group (typical name)	Parameter	Port
Admin UI HTTPS	`rrsmb-<EnvironmentName>-nlb` (NLB)	`AdminIngressCidr`	443/TCP
SMB on NLB	Same NLB security group	`SmbClientCidr`	445/TCP
Prometheus / SSH ops on nodes	`rrsmb-<EnvironmentName>-nodes`	`AdminCidr`	9090, 22222

AdminCidr does not control Admin UI access. To restrict who can open the Admin UI from the public internet (or to limit access to a VPN or jump box), update AdminIngressCidr on the nested stack. CloudFormation updates inbound 443 on the NLB security group.

Port 8888 on RRSMB tasks is the internal Admin API port (NLB → task path only). Customers use AdminUIUrl (HTTPS/443), not task port 8888 directly.

Patterns (office IP, VPN, jump box) and Console steps: Security overview — Restricting Admin UI access · Quick Start — Harden for production.

Non-Marketplace dev topologies may differ; always follow the AdminUIUrl output for your stack.

Updating the Software

Roadrunner SMB automatically checks for newer approved releases (release manifest + Marketplace release ECR repository) about every 90 seconds. When a newer approved build is detected and automatic updates are enabled, Roadrunner SMB schedules a rolling update for the next local midnight after detection — the start of the next calendar day in the deployed AWS Region’s timezone. The rolling update replaces nodes sequentially to preserve service availability on multi-node deployments.

Use the Admin UI Software Update page to apply immediately (Apply latest approved version), defer a scheduled update by 24 hours, or disable automatic updates.

Change control: Customers should still review release notes before allowing production updates when operational change control is required.

Advanced recovery (for example rollback coordinated with support) may involve CloudFormation parameters; routine updates do not require manually editing BackendImageUri.

Post-Deployment Checklist

After the stack reaches CREATE_COMPLETE:

Admin UI is accessible at AdminUIUrl
Bootstrap secret retrieved from AWS Secrets Manager using BootstrapSecretConsoleUrl / BootstrapSecretArn outputs
First-Time Setup wizard completes successfully
Domain join succeeds (Setup page shows domain joined)
Cluster page shows all nodes as healthy (green)
Create a test share and mount from a Windows® machine
Verify file read and write in the mounted share

Cluster Stop/Start for Planned Downtime

Use a CloudFormation stack update to change ApplianceState — do not change ECS or ASG capacity directly unless you follow the manual scale-to-zero path in Stop and start. All data on EFS and DynamoDB is retained while stopped.

Stop the appliance:

In CloudFormation, open your Roadrunner SMB stack (RoadrunnerSMB-SingleAZ / RoadrunnerSMB-DualAZ).
Update → set ApplianceState (under Advanced) to Stopped.
Wait for UPDATE_COMPLETE. ECS desired count and ASG min/desired/max scale to 0.

Start the appliance:

Update the same stack → ApplianceState = Running (confirm Cluster Node Count is set as needed).
Wait for ECS tasks to reach ClusterSize and NLB target groups to show healthy targets.

See FAQ — scale to zero for billing and metering notes during stop periods.