Puppet on AWS
Quick Start Reference Deployment Guide


To enable communication between the Puppet master and Puppet agents, you must set up and enable name resolution via DNS. Agents reach the Puppet master by using a fully qualified DNS name such as

To provide name resolution within the Amazon VPC created by this Quick Start, the AWS CloudFormation template creates an Amazon Route 53 private hosted zone and provisions record sets for each EC2 instance based on the IP addresses provided through the template parameters at launch.

Using Amazon Route 53 is not a requirement. You can utilize your own DNS server infrastructure and manually create records and configure your instances. If you decide to use your own DNS server, make sure that your EC2 instances will resolve names against your own DNS server infrastructure, and create host (A) records that correspond to each EC2 instance IP address.

In addition to name resolution, a small number of network ports must be open to allow communication between the agents and the Puppet master. The Puppet master must be reachable by agents via TCP port 8140. For this Quick Start, the Puppet master is associated with an EC2 security group that permits inbound access to TCP port 8140 from any address within the VPC CIDR range.

To manage your agents, you must be able to connect remotely via SSH or RDP. This Quick Start creates and associates EC2 security groups for remote agent access. The inbound rules include access to TCP port 22 for SSH, and TCP port 3389 for RDP. Additionally, an inbound rule permits TCP port 80 from the CIDR address you define for remote access. This allows you to verify that your web servers are functional after applying your Puppet configurations on the agents.
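The following added example (not part of the Quick Start or its template) audits security group rules against the two paragraphs above: TCP 8140 on the master from the VPC CIDR only, and TCP 22, 3389, and 80 on agents from the remote access CIDR only. The function name, the role labels, and the sample rules and CIDR values are assumptions constructed for illustration; the rule layout follows the `IpPermissions` structure returned by the EC2 DescribeSecurityGroups API.

```python
import ipaddress

# Inbound TCP ports the guide describes, per role, and which CIDR may reach them.
EXPECTED = {
    "master": {8140: "vpc"},
    "agent": {22: "remote", 3389: "remote", 80: "remote"},
}

def audit_ingress(role, ip_permissions, vpc_cidr, remote_cidr):
    """Return findings for inbound rules wider than the guide describes.

    Only IPv4 TCP and all-protocol ("-1") rules are examined in this example.
    """
    allowed = {"vpc": ipaddress.ip_network(vpc_cidr),
               "remote": ipaddress.ip_network(remote_cidr)}
    expected = EXPECTED[role]
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # An all-protocol rule carries no port fields and covers every port.
        lo = 0 if proto == "-1" else perm["FromPort"]
        hi = 65535 if proto == "-1" else perm["ToPort"]
        covered = [p for p in expected if lo <= p <= hi]
        if hi - lo + 1 > len(covered):
            findings.append(f"{role}: ports {lo}-{hi} include ports the guide does not open")
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"], strict=False)
            for port in covered:
                scope = expected[port]
                if not src.subnet_of(allowed[scope]):
                    findings.append(f"{role}: tcp/{port} open to {src}, outside {scope} CIDR {allowed[scope]}")
    return findings

# Constructed sample rules and CIDRs (not taken from the Quick Start template).
VPC_CIDR, REMOTE_CIDR = "10.0.0.0/16", "203.0.113.0/24"
MASTER_RULES = [
    {"IpProtocol": "tcp", "FromPort": 8140, "ToPort": 8140,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]},
]
AGENT_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    print(*audit_ingress("agent", AGENT_RULES, VPC_CIDR, REMOTE_CIDR), sep="\n")
```

In the sample data, the master group's second source range and the agent group's RDP and port 8080 rules are reported; the SSH rule scoped to the remote access CIDR passes.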