Roadrunner SMB

Quick Start Guide

Time to first share: about 20–30 minutes after the stack reaches CREATE_COMPLETE.

Quick Start � six steps to your first share 1 Subscribe AWS Marketplace 2 Launch stack CloudFormation 3 Open Admin UI HTTPS from AdminCidr 4 First-Time Setup Bootstrap + join AD 5 Create share Admin UI / Shares 6 Mount share \\NlbDnsName\share

Before you start

Confirm these once (details in VPC Prerequisites):

  • AWS® account with permissions to launch CloudFormation® stacks — see Identity and permissions for deployer IAM tiers
  • VPC ready (subnets, NAT, S3 + DynamoDB® endpoints — see checklist)
  • Active Directory® domain + a join account (computer-join permission)
  • A browser that can reach the Admin UI — public by default (the stack uses safe networking defaults; Admin UI is reachable from the internet unless you change advanced settings later)

Identities and permissions (planning)

Roadrunner SMB™ uses three separate identities. Plan credentials before deploy:

Three identity domains  separate trust, separate credentials Identity 1 builds it � Identity 3 runs it � Identity 2 rescues it when AD is down Install time Runtime (ongoing) 1 � AWS Deployer IAM user / role Marketplace subscribe CloudFormation launch RRSMB stack ECS � EFS � NLB � DynamoDB parent + nested CFN Stack-created runtime IAM  not your deployer TaskRole � TaskExecutionRole � InstanceRole Appliance uses these at runtime; deployer creds are not used day-to-day 3 � AD Admin Domain join FTS � once net ads join Day-to-day admin Admin UI � Settings SMB client auth (AD) Active Directory Computer object RRSMB-NODE<n> Users � groups � ACLs 2 � Appliance Owner rrsmb-admin (local) Break-glass Admin UI only � not SMB � not AWS AWS IAM Active Directory Appliance local
Identity Who Used for
1 — AWS Deployer IAM user/role in your AWS account Marketplace subscribe + CloudFormation launch (install-time only)
2 — Appliance Owner Local account rrsmb-admin (set in FTS) Break-glass Admin UI when AD is unreachable
3 — AD Administrator Domain account or group Domain join (once) + day-to-day Admin UI

Identity 1 builds it. Identity 3 runs it day-to-day. Identity 2 rescues it when AD is down.

Evaluation (POC): Broad AWS admin + Domain Admin for join and Admin UI is acceptable for time-boxed trials.

Secure production: Scoped CloudFormation deployer IAM, delegated AD join account (not Domain Admin), dedicated admin AD group with Domain Admins disabled in Settings.

Full detail: Identity and permissions · Deployer permission matrix · AD domain join delegation

Step 1 — Subscribe and launch

Choose Single-AZ or Dual-AZ (Marketplace delivery option)

You pick the deployment delivery option when you subscribe in AWS Marketplace — not on the CloudFormation form. The launch template you receive determines subnet layout and the parent stack name:

Marketplace delivery option Parent stack name (example) VPC layout Typical use
Roadrunner SMB Single-AZ RoadrunnerSMB-SingleAZ 1 private subnet Evaluation, lab, non-HA
Roadrunner SMB Dual-AZ RoadrunnerSMB-DualAZ 2 private subnets in 2 AZs Production HA

Cluster Node Count is a separate choice on the Create stack page (1–4 nodes). Common patterns:

  • Single-AZ + 1 node — lowest-cost evaluation (no AZ-level redundancy)
  • Dual-AZ + 2 nodes — production HA minimum (default for Dual-AZ)

Dual-AZ with a single node is supported for test scenarios but does not provide multi-node high availability.

  1. Open Roadrunner SMB in AWS Marketplace and Subscribe to the delivery option that matches your target (Single-AZ or Dual-AZ).

  2. Click Continue to Configuration → pick your RegionContinue to Launch.

  3. Choose Launch CloudFormationLaunch.

  4. On the Create stack page you should see three parameters:

    Parameter What to enter
    VPC ID Select your VPC from the dropdown (CloudFormation lists VPCs in the Region)
    Cluster Node Count 2 (default) · 1 for evaluation only · up to 4
    EC2 Instance Type c6i.2xlarge (default) · pick a cost-effective c6i (up to ~12.5 Gbps, good for evals) or high-networking c6in/m6in (up to ~200 Gbps) size from the dropdown

    Private and public subnets are auto-discovered inside the VPC you select. The Marketplace container image and other advanced settings are pre-filled by the release — you do not set them at launch.

    Active Directory is not a CloudFormation parameter. You join the domain in Step 4.

  5. Acknowledge both capability checkboxes, then Create stack:

    • IAM resources with custom names — the appliance creates standard IAM roles.
    • CAPABILITY_AUTO_EXPAND — required because the launch template uses a nested stack (see below).

  6. Wait for the parent stack to reach CREATE_COMPLETE (typically 5–10 minutes). It creates a nested child stack that deploys ECS, EFS, the NLB, and the rest of the appliance.

If the stack fails with VPC Unsuitable, open the nested stack’s Events tab for the detailed reason, fix your VPC per VPC Prerequisites, delete the failed stacks, and relaunch.

Your two CloudFormation stacks

Marketplace launch creates two stacks. This is normal.

Stack Name (example) What it is
Parent (launcher) RoadrunnerSMB-SingleAZ or RoadrunnerSMB-DualAZ The stack you created. Shows only VPC + node count at launch.
Nested (appliance) RoadrunnerSMB-SingleAZ-InnerStack-… (auto-generated) Created by the parent. Contains ECS, EFS, NLB, DynamoDB, and all product resources.

Where to find URLs and setup instructions: always use the parent stack’s Outputs tab (RoadrunnerSMB-SingleAZ / RoadrunnerSMB-DualAZ). Do not open the nested …-InnerStack-… stack for day-one setup unless you need advanced troubleshooting outputs.

Cluster ID: Marketplace sets a fixed cluster identifier rrsmb-prod for DynamoDB tables and cluster state. Stack names are for CloudFormation operations only — they do not appear in table names like rrsmb-acl-rrsmb-prod-<share>. One Roadrunner SMB appliance per AWS Region is supported today.

Step 2 — Open the Admin UI

The Admin UI is served on your stack’s internet-facing Network Load Balancer. You must use HTTPS — HTTP is not supported.

  1. Open the AWS CloudFormation console in the same Region as your stack.

  2. Click the parent stack: RoadrunnerSMB-SingleAZ or RoadrunnerSMB-DualAZ (not the nested …-InnerStack-… stack).

  3. Open the Outputs tab.

  4. Use one of these outputs:

    Output Use it for
    AFirstTimeSetupInstructions START HERE — copy the one-click setup URL from this output (valid ~24 hours)
    AdminUIUrl Admin console URL (https://…) after setup, or to open the wizard landing page
    NlbDnsName SMB hostname (\\<NlbDnsName>\<sharename>)

  5. From AFirstTimeSetupInstructions, copy the https://…/api/fts/initial-setup?… line into your browser (or use AdminUIUrl). Confirm the URL starts with https:// (do not change it to http://).

  6. The First-Time Setup wizard opens.

By default the Admin UI is reachable from the public internet on HTTPS/443. If you later restrict access (advanced), connect only from allowed networks.

Find the NLB DNS name in EC2 (alternate)

  1. Open EC2Load Balancers (same Region).
  2. Select the load balancer created by your stack (name includes your stack name).
  3. On the Details tab, copy DNS name (same hostname as AdminUIUrl / NlbDnsName).
  4. In your browser, go to https://<dns-name> (HTTPS required).

Step 3 — Get the bootstrap credentials

First-Time Setup is gated by a JSON secret in AWS Secrets Manager. The wizard asks for one field from this secret (or you can use the one-click URL below).

Secret location

Item Value
Secret name rrsmb/<EnvironmentName>/bootstrap-secret (default: rrsmb/prod/bootstrap-secret)
Stack outputs On the parent stack Outputs tab: BootstrapSecretConsoleUrl — opens the secret in the Secrets Manager console · BootstrapSecretArn — ARN for automation

EnvironmentName is a CloudFormation parameter (default prod). If you changed it at launch, substitute your value in the secret name.

Open the secret in AWS

  1. CloudFormation → parent stack (RoadrunnerSMB-SingleAZ or RoadrunnerSMB-DualAZ) → Outputs.
  2. Click BootstrapSecretConsoleUrl (or open Secrets Manager and search for rrsmb/prod/bootstrap-secret).
  3. Choose Retrieve secret value. The secret is JSON (not a single plain-text password).

JSON fields (schema version 2)

Field Purpose When to use
schemaVersion Format identifier (2) Informational — do not paste into the wizard
initialSetupToken Short-lived token (~24 hours after stack create or appliance reset) First-time setup — paste into the wizard Bootstrap step, or use OneClickSetupUrl (same token embedded in the link)
initialSetupTokenExpiresAt UTC expiry time for initialSetupToken Check if the initial token is still valid
recoverySecret Durable recovery material (rotates after FTS completes) Use only if initialSetupToken has expired before you finish setup, or for documented recovery/reset flows — not for normal first launch

Fastest path: On the parent stack Outputs tab, open AFirstTimeSetupInstructions and copy the https:// link into your browser. It exchanges initialSetupToken automatically and opens the wizard. More detail: Quick Start.

Security: Retrieve values only from Secrets Manager. Roadrunner SMB does not print these fields in CloudWatch or application logs when the secret ARN is configured.

After First-Time Setup completes

The service removes initialSetupToken from the JSON and writes a new recoverySecret. The initial token cannot be reused. Use recoverySecret only for recovery or reset procedures described in the Admin Guide.

Step 4 — Complete First-Time Setup

Work through the wizard in order:

Step What you do
Bootstrap Paste initialSetupToken from Step 3 (or recoverySecret if the initial token expired)
HTTPS Click Generate TLS Certificate; accept the browser warning (self-signed cert)
Join AD Domain FQDN, join username/password; add DC IP only if AD was not auto-discovered (see VPC Prerequisites)
Owner password Set the local break-glass rrsmb-admin password (12+ characters)
Claim admin Sign in with your domain account to claim Appliance Admin
Finish Click Complete First-Time Setup

Domain join usually takes 30–90 seconds. Use Test before Join Domain.

Step 5 — Log in

Sign in to the Admin UI with the domain account you used to claim admin. You should see the Dashboard.

Step 6 — Create your first share

  1. SharesCreate Share.
  2. Name the share (e.g. data).
  3. Set permissions (preset or custom AD groups).
  4. Create — wait 15–60 seconds for the share to appear on all nodes.

Step 7 — Mount from Windows®

On a domain-joined Windows PC, in File Explorer:

\\<NlbDnsName>\<sharename>

Use NlbDnsName from the parent stack Outputs tab (same hostname family as AdminUIUrl). Sign in with your AD credentials.

Step 8 — Verify

  • Share opens in File Explorer
  • You can create a file and folder
  • Another permitted AD user can access the share

Harden for production — restrict Admin UI access

The launch form only asks for VPC and node count; networking defaults allow Admin UI HTTPS (port 443) from the internet. For production, narrow Admin UI access after deploy.

Which security group: Admin UI HTTPS is controlled by the NLB security group (name rrsmb-<EnvironmentName>-nlb), not the cluster node security group. The stack parameter is AdminIngressCidr (inbound 443/TCP on that NLB security group).

Recommended steps:

  1. CloudFormation → nested stack (…-InnerStack-…) → Update → set AdminIngressCidr to trusted CIDRs (office /32, VPN egress range, or jump-box public IP).
  2. Complete the update — CloudFormation adjusts the NLB security group rule on port 443.

Jump box pattern: set AdminIngressCidr to your bastion’s public /32, connect to the bastion, then open AdminUIUrl from a browser on the bastion (or SSH port-forward NLB:443).

Do not use AdminCidr for Admin UI — that parameter controls Prometheus (9090) and SSH ops (22222) on node security groups (rrsmb-<EnvironmentName>-nodes), not the Admin UI listener.

Detail: Security overview — Restricting Admin UI access · Deployment Guide — Admin UI access

Common first-time issues

Symptom Likely cause Fix
Admin UI won't load Admin ingress CIDR too narrow, or stack not ready Confirm your IP is allowed; check parent stack CREATE_COMPLETE; use parent Outputs (AdminUIUrl)
Can't find setup URL Looking at nested stack Open parent stack (RoadrunnerSMB-SingleAZ / RoadrunnerSMB-DualAZ) → OutputsAFirstTimeSetupInstructions
VPC Unsuitable on deploy VPC missing NAT, endpoints, or subnets VPC Prerequisites
Domain join DNS error AD not auto-discovered in VPC Enter DC IP in the join step (Case 2)
Domain join auth error Wrong credentials Use DOMAIN\user format; verify join account
Can't mount share NLB not healthy yet Wait 2 minutes; check Cluster in Admin UI
Access denied User not on share ACL Add user/group on the share Permissions tab

More help: Support & Troubleshooting.

What's next

Home · Documentation · Quick Start · Release Notes · Support

© 2026 Roadrunner SMB, LLC

Roadrunner SMB is an independent software project and is not affiliated with, endorsed by, or sponsored by Amazon Web Services, Inc.
Amazon Web Services, AWS, and Amazon EFS are trademarks of Amazon.com, Inc. or its affiliates.
Microsoft, Windows, and Active Directory are trademarks of the Microsoft Corporation in the United States and/or other countries.
Citrix and SoftNAS are registered trademarks of their respective owners.
Roadrunner SMB and Elastic SMB are trademarks of Roadrunner SMB, LLC. All rights reserved.