Create Deployment
This guide walks you through creating an EZ-CDC deployment in your cloud account (AWS or GCP).
Prerequisites
Before creating a deployment, ensure you have:
Create a Deployment
Step 1: Start Deployment Wizard
- Log in to the EZ-CDC Portal
- Navigate to Deployments → New Deployment
Step 2: Basic Configuration
Enter the basic deployment settings:
| Field | Description | Example (AWS) | Example (GCP) |
|---|---|---|---|
| Name | Unique identifier for this deployment | production | production |
| Description | Optional description | Production CDC workers | Production CDC workers |
| Cloud Provider | Cloud where workers will run | AWS | GCP |
| Region | Region for worker instances | us-west-2 | us-central1 |
Step 3: IAM Configuration
AWS
- Deploy the CloudFormation template to create the EZ-CDC deployment role in your account.
- Paste the IAM Role ARN from the CloudFormation stack output: `arn:aws:iam::123456789012:role/ez-cdc-deployment-role`
- Click Validate Role to verify permissions.
GCP
- Enter your GCP Project ID: `my-project-123456`
- EZ-CDC will automatically create a Service Account in your project using Workload Identity Federation — no exported keys required.
- Click Validate to confirm permissions.
Step 4: Network Configuration
AWS
Select your VPC and subnets:
| Field | Description |
|---|---|
| VPC | The VPC where workers will run |
| Subnets | Private subnets for worker instances (multi-AZ recommended) |
Select subnets in multiple Availability Zones for high availability.
GCP
Select your VPC network and subnetwork:
| Field | Description |
|---|---|
| VPC Network | The VPC network where workers will run |
| Subnetwork | The subnetwork for worker instances |
Step 5: Connectivity Mode
Choose how workers connect to the control plane:
Standard (AWS & GCP)
Workers connect via public internet using HTTPS/gRPC:
Worker → NAT Gateway / Cloud NAT → Internet → Control Plane
- ✅ Simpler setup
- ✅ No additional cloud resources
- ⚠️ Traffic traverses internet (encrypted)
PrivateLink (AWS only)
Workers connect via AWS PrivateLink:
Worker → VPC Endpoint → PrivateLink → Control Plane
- ✅ No internet exposure
- ✅ Private IP connectivity
- ⚠️ Additional setup required
- ⚠️ PrivateLink costs apply
See PrivateLink Setup for details.
Cloud NAT (GCP only)
Workers have no public IP and reach the control plane through Cloud NAT:
Worker → Cloud NAT → Internet → Control Plane
- ✅ Workers have no public IP
- ✅ Egress via Cloud NAT + mTLS
- ⚠️ Additional Cloud NAT setup required
See Cloud NAT Setup for details.
Step 6: Worker Configuration
Configure the worker instances:
| Field | Default (AWS) | Default (GCP) | Description |
|---|---|---|---|
| Instance Type | c5.2xlarge | c2-standard-8 | Instance/machine type |
| Min Instances | 1 | 1 | Minimum workers (ASG/MIG) |
| Max Instances | 3 | 3 | Maximum workers (ASG/MIG) |
| Volume Size | 20 GB | 20 GB | Boot disk size |
Step 7: Create
- Review your configuration
- Click Create Deployment
EZ-CDC will provision the infrastructure:
Creating deployment...
├─ Creating security group / firewall rules ✓
├─ Creating IAM instance profile ✓
├─ Creating launch template / instance template ✓
├─ Creating Auto Scaling Group / MIG ✓
└─ Waiting for workers ⏳
This typically takes 2-3 minutes.
Verify Deployment
In the Portal
Once complete, you'll see:
Deployment: production
Status: ● Active
Region: us-west-2
Workers: 1/1 healthy
Connectivity: Standard
In AWS Console
Verify the created resources:
EC2 → Instances:
Name: ez-cdc-production-worker
Instance ID: i-0abc123def456
State: running
EC2 → Auto Scaling Groups:
Name: ez-cdc-production-asg
Desired: 1
Running: 1
EC2 → Security Groups:
Name: ez-cdc-production-worker-sg
Inbound: (none)
Outbound: 443, 5432, 8040, 9030
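To check the security group posture shown above without clicking through the console, the following added example (not EZ-CDC's own tooling) audits data in the shape of `aws ec2 describe-security-groups` output against the guide's "no inbound, outbound 443/5432/8040/9030" baseline. The sample groups are constructed, and `ez-cdc-staging-worker-sg` is a hypothetical drifted group used only for illustration.

```python
# Egress ports the guide lists for the worker security group.
EXPECTED_EGRESS = frozenset({443, 5432, 8040, 9030})

def _fmt(perm):
    return f"{perm.get('IpProtocol')} {perm.get('FromPort')}-{perm.get('ToPort')}"

def audit_worker_sg(sg, expected=EXPECTED_EGRESS):
    """Return findings for one SecurityGroups[] entry (empty list = matches the guide)."""
    # The guide shows "Inbound: (none)", so every ingress rule counts as drift.
    findings = [f"unexpected inbound rule: {_fmt(p)}" for p in sg.get("IpPermissions", [])]
    reachable = set()
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "-1":  # all protocols, all ports
            findings.append("egress allows all traffic")
            reachable |= expected
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if perm.get("IpProtocol") != "tcp" or lo is None or hi is None:
            findings.append(f"unexpected egress rule: {_fmt(perm)}")
            continue
        ports = set(range(lo, hi + 1))
        if ports - expected:
            findings.append(f"egress opens ports beyond the guide's list: {_fmt(perm)}")
        reachable |= ports & expected
    # A missing port does not weaken security but explains unhealthy workers.
    for port in sorted(expected - reachable):
        findings.append(f"missing egress for tcp {port}")
    return findings

def tcp(port):
    """Build one single-port TCP rule in the describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

# Constructed sample data, not output captured from a real account.
SAMPLE = {"SecurityGroups": [
    {"GroupName": "ez-cdc-production-worker-sg", "IpPermissions": [],
     "IpPermissionsEgress": [tcp(443), tcp(5432), tcp(8040), tcp(9030)]},
    {"GroupName": "ez-cdc-staging-worker-sg",  # hypothetical drifted group
     "IpPermissions": [tcp(22)],
     "IpPermissionsEgress": [{"IpProtocol": "-1"}]},
]}

def audit_all(doc):
    return {sg["GroupName"]: audit_worker_sg(sg) for sg in doc["SecurityGroups"]}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

Pass a different `expected` set if your deployment needs another port, such as the 50051 that the troubleshooting section mentions.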
In GCP Console
Verify the created resources:
Compute Engine → VM Instances:
Name: ez-cdc-production-worker-xxxx
Status: RUNNING
Zone: us-central1-a
Compute Engine → Instance Groups (MIG):
Name: ez-cdc-production-mig
Target size: 1
Running: 1
VPC network → Firewall Rules:
Name: ez-cdc-production-worker-egress
Direction: EGRESS
Allow: tcp:443, tcp:5432, tcp:8040, tcp:9030
Worker Lifecycle
Workers go through these states:
Provisioning → Registering → Active → (Running Jobs)
- Provisioning: Instance launching (EC2 / GCE)
- Registering: Connecting to control plane
- Active: Healthy, accepting jobs
Health Checks
Workers report health every 30 seconds:
| Metric | Description |
|---|---|
| CPU | Current CPU utilization |
| Memory | Current memory usage |
| Disk | Available disk space |
| Jobs | Number of running jobs |
Scaling
Manual Scaling
Adjust worker count in the portal:
- Go to Deployments → your deployment
- Click Settings → Scaling
- Update Min and Max instances
- Click Save
Auto Scaling (Coming Soon)
Automatic scaling based on job queue depth and resource utilization.
Updating a Deployment
Update Configuration
Some settings can be updated without recreating:
- Instance type (requires instance refresh)
- Min/Max instances
- Volume size (new instances only)
Update Workers
To update worker binaries:
- Go to Deployments → your deployment
- Click Settings → Maintenance
- Click Upgrade Workers
Workers are upgraded one at a time (rolling update).
Delete a Deployment
Deleting a deployment will:
- Stop all running jobs
- Terminate all worker instances
- Delete associated cloud resources
To delete:
- Go to Deployments → your deployment
- Stop all running jobs first
- Click Settings → Danger Zone
- Click Delete Deployment
- Confirm by typing the deployment name
Troubleshooting
Workers not becoming healthy (AWS)
- Check worker logs in CloudWatch: `/ez-cdc/workers/{instance-id}`
- Verify security group allows outbound 443
- Check NAT Gateway is functioning
- Verify IAM instance profile has S3 access
Workers not becoming healthy (GCP)
- Check worker logs in Cloud Logging: filter by `resource.labels.instance_id`
- Verify firewall egress rules allow outbound 443 and 50051
- Check Cloud NAT is configured and healthy (if using Cloud NAT mode)
- Verify the Service Account has the required roles
Deployment stuck in "Provisioning" (AWS)
- Check CloudFormation events for errors
- Verify IAM role permissions
- Check VPC has available IP addresses
MIG not creating instances (GCP)
- Check MIG status in Compute Engine → Instance Groups
- Review instance template for errors (machine type availability in zone)
- Verify Service Account permissions allow instance creation
- Check project quota for the selected machine type and region
Startup-script failures (GCP)
- View startup script output via Serial port logs in GCP Console
- Confirm the GCS bucket with worker binaries is accessible from the instance
- Check that the Service Account has `storage.objects.get` on the binary bucket
Health check failing on port 50051 (gRPC)
- Verify the firewall egress rule allows `tcp:50051` to the control plane
- Confirm `CONTROL_PLANE_ENDPOINT` is set correctly in the worker configuration
- Check that no intermediate proxy is terminating TLS (use TCP passthrough for gRPC)
Workers terminated unexpectedly
- Check instance state/termination reason (EC2 state reason / GCE `lastAttempt` error)
- Review Auto Scaling / MIG activity history
- Check for Spot/Preemptible instance interruptions (if using Spot/Preemptible)
Next Steps
With your deployment created: