For production, Boxfuse can run your Apps on AWS using your AWS account.


  • test
  • prod

As well as any additional custom environments you have created.


Boxfuse fully supports the ap-northeast-1, ap-south-1, ap-southeast-1, ap-southeast-2, ca-central-1, eu-central-1, eu-west-1, eu-west-2, sa-east-1, us-east-1, us-east-2, us-west-1 & us-west-2 regions.

We recommend the regions in Australia, the EU and the US (ap-southeast-2, eu-central-1, eu-west-1, us-east-1, us-west-1 and us-west-2) as we have optimized them for AMI creation speed with new Amazon Machine Images created in under 60 seconds. This is 5x to 10x faster than any other tool in the industry.

AWS Region AMI Creation Time
ap-northeast-1 Less than 5 minutes
ap-northeast-2 Less than 5 minutes
ap-south-1 Less than 5 minutes
ap-southeast-1 Less than 5 minutes
ap-southeast-2 Less than 60 seconds
ca-central-1 Less than 5 minutes
eu-central-1 Less than 60 seconds
eu-west-1 Less than 60 seconds
eu-west-2 Less than 5 minutes
sa-east-1 Less than 5 minutes
us-east-1 Less than 60 seconds
us-east-2 Less than 5 minutes
us-west-1 Less than 60 seconds
us-west-2 Less than 60 seconds

As Boxfuse expands its footprint, further regions will be optimized for fast deployment. The order will be based on based on customer usage and demand. This does not affect the runtime speed of your instance, which is determined by the instance type you selected.

Note: It is currently not possible to select an AWS region that does not have a default VPC. If your AWS account is missing a default VPC, you can ask AWS support to (re-)create it. Requests are usually fulfilled within a few hours.


Both the test and the prod environment are created within the default VPC of the AWS region you selected for your Boxfuse account.

You can use non-default VPCs as well as alternate regions in any custom environments you create.

Instance Types

Boxfuse supports all t2, m3, m4, c3, c4, r3 and r4 instance types in all available regions.

App Types

All app types are supported. Boxfuse always performs Zero Downtime upgrades of your apps when you redeploy them.

Security Groups

By default Boxfuse will create a security group for each deployment. This security group will be tagged with the app, the version and the environment. It will automatically have the correct ports for your image open with the appropriate restrictions if any were defined.

Additionally every instance of an app also receives a marker security group tagged with the app and environment names. This makes it easy to refer to all instances of an app from other security groups, regardless of the version.

All security groups that have been created by Boxfuse are automatically removed when they are no longer in use.

Alternatively you can also explicitly configure a custom security group for every app in each environment. In this case, Boxfuse will not create any security groups for you and it is then your responsibility to properly configure and decommission your security group.


Wherever supported by AWS and applicable all AWS resources created by Boxfuse are consistently tagged with one or more of the following tags:

AWS Tag Name Description Example
boxfuse:env The Boxfuse environment prod
boxfuse:app The Boxfuse application myuser/myapp
boxfuse:image The Boxfuse image myuser/myapp:1.2.3
Name (For EC2 instances only) The Boxfuse image and environment boxfuse myuser/myapp:[email protected]

Elastic IPs

When running a single-instance app, Boxfuse will automatically provision an AWS Elastic IP in that environment. As soon as healthchecks have passed for a deployment, your new instance becomes reachable via the Elastic IP (as opposed to its initial public IP which it replaces). This is effectively makes the Elastic IP the stable entry point into your application. Once the app is killed, the Elastic IP is also removed.

If this auto-provisioning doesn't work for you, you do have the option to set up your own Elastic IP and configure Boxfuse to use it for a specific environment. This in turn means that it is then also your responsibility to dispose of it when not needed anymore.


When running a load-balanced app, Boxfuse will automatically provision an AWS Elastic Load Balancer (ELB) in that environment to distribute incoming requests across all your instances. The ELB will also be tagged using the boxfuse:app and boxfuse:env tags described above. Once the app is killed, the ELB will also be removed.

Boxfuse configures each ELB it provisions to load-balance all open ports of an image at layer 4 (TCP, UDP). Unlike for layer 7 (HTTP, HTTPS) load balancing this means that HTTPS connection are only terminated on your instance and ensures the entire path between client and instance remains fully encrypted.

If those defaults don't work for you, you do have the option to set up your own ELB and configure Boxfuse to use it for a specific environment. This in turn means that it is then your entire responsibility to ensure it is configured correctly and decommissioned when not needed anymore.

Instance Profiles

To make it easy to access other AWS services, Boxfuse let's you configure IAM Instance Profiles to pass temporary AWS credentials to EC2 instances without needing to bake them into your image.

Note that by default for apps using CloudWatch Logs, Boxfuse will configure your instances to use an IAM Instance Profile that allows your application to invoke logs:PutLogEvents. This is required in order to be able to send log events to CloudWatch Logs.

If you configure your app to use a custom Instance Profile instead it will replace any default instance profile provided by Boxfuse. This means that if your app uses CloudWatch Logs, you have to ensure that the IAM policy attached to your custom instance profile does include the following statement:

"Statement": [
    "Effect": "Allow",
    "Action": [
    "Resource": [

Custom Domains