This guide walks you through supporting a shared responsibility model for a BYOC app. You will configure an app that can be installed into a customer’s existing VPC. You will be able to monitor and update the install, even though the customer owns and manages the VPC it’s running in.

The component code used in this guide can be found in our Guides repo.


What You Will Create

This tutorial will walk you through creating the following:

Configure App

To configure the app, you will create a TOML config file using our CLI. In each section below we will provide you with configuration snippets for the app itself as well as it’s components.

If you would prefer to use Terraform, see our Terraform Configuration Management guide. We provide Terraform sample code you can use throughout this guide.

Create App

Define the app itself and give it a name. This will create the app in Nuon and generate a config file named nuon.<your-app>.toml. This file will be populated with sample config, which we will update in this guide.

nuon apps create --name=<your-app>

App Input

This is a setting that your customer will be able to configure when they install the app. It will be displayed on the installer page as a text field. For BYOVPC, this is especially important, since it allows the customer to tell Nuon which VPC to install the app into.

name = "sandbox"
description = "Sandbox inputs"
display_name = "Sandbox inputs"

name = "vpc_id"
description = "The VPC to install the app in"
sensitive = false
display_name = "VPC ID"
required = true
group = "sandbox"


Update the installer config. Installers provide an out-of-the-box installation flow your customers can use to install your app. You will use it later in this guide to create an install yourself.

name               = "My BYOVPC App"
description        = "A demo app that runs in a customer's VPC."
documentation_url  = ""
community_url      = ""
github_url         = ""
homepage_url       = ""
demo_url           = ""
logo_url           = ""
og_image_url       = ""
favicon_url        = ""
copyright_markdown = """
© 2024 Nuon.
footer_markdown = """
[Terms of Service](
post_install_markdown = """
# My EKS App

My EKS App is being deployed.
app_ids = ["<your-app-id>"]


Update the sandbox config. The aws-ecs-byovpc sandbox will provide everything you need to run ECS services on top of a pre-existing VPC.

terraform_version = "1.5.4"
directory = "aws-ecs-byovpc"
repo = "nuonco/sandboxes"
branch = "main"
name = "vpc_id"
value = "{{.nuon.install.inputs.vpc_id}}"


Update the runner config. The aws-ecs-byovpc sandbox requires that we use the aws-ecs runner. The runner manages the sandbox, provisioning and deprovisioning AWS resources during deploys.

The aws-ecs runner is so named because it runs on ECS, but it can be used to manage any AWS resources. Since it runs on ECS Fargate, no resources beyond what is needed for the runner are provisioned by default. You can use our ECS sandbox and runner to manage Lambda or EC2 deployments without worrying about extraneous ECS costs.

runner_type = "aws-ecs"

Sync App Config to Nuon

You now have a complete Nuon app config. This is a good place to stop and sync it to Nuon.

nuon apps sync --file=nuon.<your-app>.toml

Once the config is synced, select the newly created app using the CLI. This will scope CLI commands to the new app.

nuon apps select

Connect Components

This app consists of two components: one to build the Docker image, and another to provision the ECS service.

Docker Image

This is a Docker Build component that will build the API and create a Docker image containing it. When released, it will sync the image to each install’s ECR so ECS can pull it when creating tasks.

name   = "docker_image"
type = "docker_build"
dockerfile = "Dockerfile"
repo      = "nuonco/guides"
directory = "byo-vpc-tutorial/components/docker-image"
branch    = "main"

ECS Service

This component will create an ECS service using the docker image, and expose it to the internet with an ALB. It requires some info about the install it will run in, so we use Nuon variables to interpolate the required info on a per-install basis. See our Using Variables guide for more info about how this works.

name   = "ecs_service"
type = "terraform_module"
terraform_version = "1.5.3"
repo      = "nuonco/guides"
directory = "byo-vpc-tutorial/components/ecs-service"
branch    = "main"
name  = "service_name"
value = "introspect"
name  = "cluster_arn"
value = "{{.nuon.install.sandbox.outputs.ecs_cluster.arn}}"
name  = "image_url"
value = "{{.nuon.components.docker_image.image.repository.uri}}"
name  = "image_tag"
value = "{{.nuon.components.docker_image.image.tag}}"
name  = "app_id"
value = "{{}}"
name  = "org_id"
value = "{{}}"
name  = "install_id"
value = "{{}}"
name  = "vpc_id"
value = "{{}}"
name  = "domain_name"
value = "introspect.{{}}"
name  = "zone_id"
value = "{{.nuon.install.sandbox.outputs.public_domain.zone_id}}"

Sync Component Configs to Nuon

Now that you have the components, sync the update config to Nuon.

nuon apps sync --file=nuon.<your-app>.toml

Just like the app, you can use the CLI to verify they were synced successfully.

nuon components list

Initial builds for each component will also have been created. Verify with the CLI that they were successful.

nuon builds list

Create an Install

Creating an install requires two steps: granting access to the AWS account via an IAM role, and then provisioning the install in that account. There are a few ways to do this, but the easiest is to use the installer you configured earlier, via our installer UI template.

You can find the template at Clone that and run it locally following the instructions in the README.

For other approaches, see our guides Install Access Permissions and Create Installs.

Monitor Install Creation

To monitor the install’s status, log into the Dashboard and select your org. You should see a card for the install.

Installs on Dashboard

Click on the card, and use the History to verify that the install is being provisioned. You should see events for the sandbox being provisioned and the components being deployed.

Install Details on Dashboard

Inspect the Install

When the install has provisioned, and the deploys have completed, copy the install ID from the UI and curl the API to verify it’s running.

curl https://introspect.{install_id}

Wrapping Up and Next Steps

Congratulations, you just deployed a shared responsibility app to a VPC in AWS! A few suggestions for where to go next:

  • Check out our Release Management guide to learn how to update installs.
  • Dig into our App Configuration guide to learn how to configure more complex apps.
  • Share your installer with a friend and have them install your app in their AWS account.