Roadrunner SMB

VPC Prerequisites

Time to read: 3 minutes
Goal: Confirm your VPC is ready before you launch Roadrunner SMB™ from AWS® Marketplace.

Roadrunner SMB deploys into your existing VPC. The stack does not create NAT gateways, routes, VPC endpoints, or DHCP options — your network team provisions those first.

[Diagram: Your VPC and what Roadrunner SMB needs. You provide the VPC; RRSMB deploys into it and does not create NAT, routes, or endpoints. Availability Zone A: public subnet with the internet-facing NLB (SMB :445, Admin :443); private subnet with the RRSMB nodes (ECS on EC2); NAT (same AZ). Availability Zone B (Dual-AZ only): public subnet and private subnet. S3 + DynamoDB Gateway endpoints on the private route tables (default). Active Directory reachable from the private subnets.]

Quick checklist

Before you launch, your VPC needs:

  • DNS enabled — VPC DNS support and DNS hostnames turned on
  • Private subnet(s) for RRSMB nodes — with no auto-assign public IP
  • Public subnet(s) for the internet-facing load balancer (Admin UI)
  • Outbound path from each private subnet — default 0.0.0.0/0 → NAT Gateway in the same AZ (cross-AZ NAT fails the check)
  • S3 + DynamoDB® Gateway endpoints on the private route tables (on by default in the template)
  • Active Directory® configured per AD expectations below

If something is wrong, the stack fails fast with VPC Unsuitable: … and no RRSMB resources are created.
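
The network-path items of the checklist (no auto-assign public IP, default route to a same-AZ NAT, S3 and DynamoDB Gateway endpoints on the private route table) can be pre-checked offline against saved output of the aws ec2 describe-* commands. This is an added example, not Roadrunner SMB's validator; the function names, IDs and sample data are constructed, and only the field names follow the EC2 API responses.

```python
# Added example (not the Roadrunner SMB validator); all IDs and data are constructed.
def route_table_for(subnet_id, route_tables):
    """Explicit association wins; otherwise the VPC main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def check_private_subnet(subnet_id, subnets, route_tables, nat_gateways, endpoints):
    """Return findings for one private subnet; an empty list means it passes."""
    by_id = {s["SubnetId"]: s for s in subnets}
    subnet, findings = by_id[subnet_id], []
    if subnet.get("MapPublicIpOnLaunch"):
        findings.append("auto-assign public IP is enabled")
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return findings + ["no route table found"]
    default = next((r for r in rt.get("Routes", [])
                    if r.get("DestinationCidrBlock") == "0.0.0.0/0"), {})
    nat = {n["NatGatewayId"]: n for n in nat_gateways}.get(default.get("NatGatewayId"))
    if nat is None:
        findings.append("default route does not target a NAT gateway")
    elif by_id[nat["SubnetId"]]["AvailabilityZone"] != subnet["AvailabilityZone"]:
        findings.append("NAT gateway is in a different AZ")  # cross-AZ NAT
    for svc in ("s3", "dynamodb"):
        if not any(e["VpcEndpointType"] == "Gateway"
                   and e["ServiceName"].endswith("." + svc)
                   and rt["RouteTableId"] in e.get("RouteTableIds", [])
                   for e in endpoints):
            findings.append(f"no {svc} Gateway endpoint on {rt['RouteTableId']}")
    return findings

# Constructed sample: subnet-priv-b (AZ b) routes through the NAT in AZ a.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False}]
ROUTE_TABLES = [
    {"RouteTableId": rtb, "Associations": [{"SubnetId": sn}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]}
    for rtb, sn in (("rtb-a", "subnet-priv-a"), ("rtb-b", "subnet-priv-b"))]
NAT_GATEWAYS = [{"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a"}]
ENDPOINTS = [
    {"VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-a", "rtb-b"]},
    {"VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.dynamodb", "RouteTableIds": ["rtb-a"]}]
```

On the sample data, subnet-priv-a passes and subnet-priv-b is flagged for the cross-AZ NAT and the missing DynamoDB endpoint association.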


Single-AZ vs Dual-AZ

Choose the delivery option that matches your Marketplace launch:

| | Single-AZ | Dual-AZ (HA) |
|---|---|---|
| Private subnets | 1 | 2 (different AZs) |
| Public subnets | ≥1 | ≥2 (different AZs) |
| NAT | 1 NAT in the same AZ as the private subnet | 1 NAT per private subnet AZ |
| Default cluster size | 1 node | 2 nodes |
| Use case | Evaluation, trials | Production HA |

Leave subnet parameters blank to let the stack auto-discover subnets, or paste subnet IDs in CloudFormation®. VPC ID is selected from a dropdown at launch (no copy/paste required).


Active Directory expectations

The deploy-time checker does not test live AD connectivity. RRSMB supports two common patterns:

Case 1 — AD/DC auto-routed within the VPC

AD/DC is automatically routed and discoverable inside the VPC.

  • RRSMB assumes the domain controller resolves first in DNS (via VPC DHCP options or Route 53 Resolver).
  • AmazonProvidedDNS should be listed second in DHCP domain-name-servers so AWS APIs still resolve when the DC is briefly unavailable.
  • Configure the DC DNS forwarder to the VPC resolver (169.254.169.253) for non-AD queries.

Common use cases: AWS Managed Microsoft AD in the VPC, EC2-hosted AD with DHCP pointing at the DC, or other AD/DC layouts that are routable and resolvable from the RRSMB private subnets.

At deploy, the stack may pre-fill domain and DC hints in First-Time Setup (AdDiscoverySummary / DiscoveredDcDnsIp outputs).

Case 2 — Manually specify AD/DC during First-Time Setup

If AD/DC is not auto-discovered (no Managed AD in VPC, DHCP does not advertise the DC, or AD lives outside the VPC without Resolver forwarding), enter the domain controller IP and DNS domain manually in the Join Active Directory step of First-Time Setup.

For minimum join permissions (without Domain Admin), see AD domain join delegation.

Check stack output AdDiscoveryWarning after deploy — if it is non-empty, plan for Case 2.

domain-name:          corp.example.com
domain-name-servers:  10.x.x.x, AmazonProvidedDNS

What happens at deploy (simple)

Your VpcId (selected at launch)
    → Pick subnets (discovery)
    → Validate VPC (hard gate — fails if unsuitable)
    → Optional AD hints (warnings only)
    → Create RRSMB (ECS, EFS, NLB, DynamoDB, …)

| Phase | What it does | Blocks deploy? |
|---|---|---|
| Discovery | Chooses private + public subnets | Yes, if it cannot pick valid subnets |
| Validation | Checks DNS, NAT, endpoints, subnet layout | Yes — VPC Unsuitable |
| AD hints | May pre-fill DC/domain for the setup wizard | No — warnings only |

What Roadrunner SMB will not change

RRSMB does not modify:

  • NAT gateways, Internet gateways, or route tables
  • VPC endpoints (Gateway or Interface)
  • DHCP options, NACLs, or peering / Transit Gateway

You maintain the network; RRSMB runs on top of it.


Optional: test your VPC first

To run the same validation without deploying the full product, use the standalone rrsmb-vpc-validator.yaml CloudFormation template (if your team provides it).


After deploy — useful stack outputs

| Output | What it tells you |
|---|---|
| ValidationStatus | Pass / fail summary |
| SelectedPrivateSubnetIds | Subnets used for RRSMB nodes |
| AdDiscoverySummary / AdDiscoveryWarning | Case 1 vs Case 2 for First-Time Setup |
| AdminUIUrl | Admin console URL (https://…) |
| NlbDnsName | SMB hostname for clients on your SmbClientCidr networks (\\…\<share>) |

Next step

VPC ready? Continue to the Quick Start Guide.

Plan deployer and AD credentials first: Identity and permissions.

For architecture depth, see the Deployment Guide.

© 2026 Roadrunner SMB, LLC