Advanced Deployment

This section describes some more advanced deployment scenarios for Exasol 8 on AWS.

We recommend that you read Exasol Deployment Tool (c4) and Basic Deployment to understand the basic steps for using c4 to create and manage Exasol deployments on AWS before continuing.

The features described in this section are only available for deployments using a CloudFormation template.

Existing VPC

By default, c4 aws play -T creates a new Amazon VPC with the deployment. You can also create a deployment using an existing VPC. In this case a new VPC will not be created, and the subnet, internet gateway, routes, and endpoints of the existing VPC will be used instead.

To deploy using an existing VPC you must add the following parameters to your c4 configuration file or set the parameters on the command line when you create the deployment. For more information about how to specify parameters in different locations, see Parameters in c4.

Parameter Name Value Description
CCC_AWS_NEW_VPC true (default) A new VPC will be automatically created with the deployment.
false A VPC must be specified it in the following parameters.
CCC_AWS_SUBNET_ID <subnet ID of the VPC>

Identifier of the network to be used for the deployment.

The subnet ID is found in the AWS Console.


The IP address range that will be used for the nodes.

This range does not always equal to the range set on the network and should therefore be set explicitly.

The CIDR is determined in the AWS Console.


Instances role

The deployment instances can be assigned an existing Amazon Identity and Access Management (IAM) role that is specified in the c4 configuration, or a new IAM profile can be created with the deployment. To use an existing IAM profile, add the following parameters to the c4 configuration:

Parameter Name Value Description

A new AWS IAM profile will be created with the deployment.


The IAM profile specified in CCC_AWS_IAM_PROFILE will be used.

CCC_AWS_IAM_PROFILE (string) Name of the AWS IAM role to use.

Existing security group

To use an existing security group within an existing VPC, add the following parameter to the c4 configuration:

Parameter Name Value Description

The security group ID is found in the AWS Console.

If set to false or not set, a new security group will be created with the deployment.

Elastic IP addresses

Elastic IP addresses are used by default for the nodes in Exasol AWS deployments. To disable the use of Elastic IP addresses, set the following parameter in the c4 configuration:

Parameter Name Value Description
CCC_AWS_USE_EIP true (default)

Each node automatically gets an elastic IP address that can be used to access the node directly from the internet.

The node has full outgoing communication, without any limitations, and ingoing communication to the allowed ports (by default, to SSH, HTTPS and EXASOL).


The nodes will not get elastic IP addresses.

By default, no direct outgoing or incoming communication with the node from the internet is possible.

If the node will need internet access, this must be provided by special network configuration via a NAT gateway or a proxy server (not configured by default).

When using an existing VPC with Elastic IP addresses disabled (CCC_AWS_USE_EIP=false), the following VPC endpoints must be defined:

  • CloudFormation
  • S3
  • KMS
  • EC2
  • SSM
  • SSM Messages

For more information about VPC endpoints, see What are VPC endpoints?.


# CCC_AWS_SECURITY_GROUP_ID= (not specified = one will be created)
# CCC_AWS_USE_EIP= (not specified = true)

AWS Systems Manager

AWS Systems Manager (SSM) is supported on deployments that are using a CloudFormation template (c4 aws play -T). Using SSM you can access the host and cos subsystems on an Exasol cluster that has no direct TCP/IP connection.

To set the connection method to SSM, set the following parameter in the c4 configuration:


It is not possible to connect interactively to the database using c4 connect -s db over SSM.

Disallow SSH

Both SSH and SSM are enabled by default in all Exasol AWS deployments. To disable SSH access for a deployment using SSM, specify AWS_SSH_KEY_PAIR=SSM on the command line when creating the deployment:

CCC_AWS_KEY_PAIR=SSM c4 aws play -T ...

AWS availability zones

AWS availability zones (AZ) are supported for deployments using a CloudFormation template (c4 aws play -T).

By default, c4 play starts deployment without specifying availability zones. CloudFormation will then automatically assign all instances to a zone. To restrict deployment to specific availability zones, set the following parameters in the configuration file or include them in the c4 play command:

Parameter (configuration file) Parameter (command line) Description


--enable-availability-zones Contains a list of available availability zones to be used in the deployment.



Assigns availability zones to instances.

IP addresses

If only one availability zone is enabled, it will use IP addresses from the CCC_PLAY_SUBNETWORK_CIDR parameter.

If several availability zones are specified, the CCC_PLAY_SUBNETWORK_CIDR parameter is ignored and the networks of the zones automatically get IP addresses from the range sliced by the /26 mask (, ...)


Example 1: Create 3 instances all in same eu-west-1c availability zone.

c4 aws --enable-availability-zones eu-west-1c play -T -N3 @exasol-8.23.4

Example 2: Enable two availability zones and put all instances into one of them, keeping the second zone available for further deployments.

c4 aws --enabled-availability-zones "eu-west-1b eu-west-1c" \
  --availability-zone eu-west-1b play -T -N3 @exasol-8.23.4

Example 3: Enable two availability zones and distribute instances between them in a round-robin fashion. In this example nodes 11, 13, and 15 will be in eu-west-1a, and nodes 12 and 14 will be in eu-west-1c.

c4 aws --enable-availability-zones "eu-west-1a eu-west-1c" play -T -N5 @exasol-8.23.4

Example 4: Enable all availability zones in the given region, use the special word all:

c4 aws --enable-availability-zones "all" play -T -N3 @exasol-8.23.4

Example 5: Assign specific instances to distinct availability zones:

c4 aws --enable-availability-zones "all" \
  --availability-zone-11 eu-west-1c \
  --availability-zone-13 eu-west-1a play -T -N5 @exasol-8.23.4

This will create 5 instances where nodes 11 and 13 will be assigned to eu-west-1c and eu-west-1a respectively, and the other nodes will be distributed over all the enabled availability zones in a round-robin fashion:

11 -> eu-west-1c
12 -> eu-west-1b
13 -> eu-west-1a
14 -> eu-west-1a
15 -> eu-west-1b

For more information about Availability Zones, see Regions and Zones.