Skip to main content

Installation Guide

This installation guide provides an overview of how to install Enthought Edge. Because Edge is a cloud-native product, we make extensive use of technologies like Terraform to ensure successful deployments.

There are three steps required to install Edge:

  1. Install base services.
  2. Set up the Amazon Web Services (AWS) environment, including Kubernetes.
  3. Install Edge via Terraform.

The default cloud provider for Edge is AWS. If you are interested in other providers like Azure or GCP, please contact us at


Deployment tooling

  • Terraform >= 1.3
  • The Enthought Edge Terraform module (will be provided by Enthought Support)
  • Enthought's EKS Cluster Module (will be provided by Enthought Support)
  • Access to the Edge Docker repositories (will be provided by Enthought Support)

Cloud infrastructure

  • AWS Account with administrator access
  • A Virtual Private Cloud (VPC), configured as follows:
    • 3 private subnets with at least 4096 IP addresses each
    • 3 public subnets with at least 512 IP addresses each
    • 3 database subnets with at least 256 IP addresses each
    • Subnets should be evenly spread across 3 availability zones
  • A Fully Qualified Domain Name (FQDN), which will be the public-facing domain for your Edge installation.
  • Access to the following remote services:
    • S3

Step 1: Install Base services

Edge requires an identity provider and a Python package server (Enthought Deployment Server). These should be installed first.

Identity Service

The Identity Service manages user accounts and passwords, and can be configured to serve as a "bridge" to external identity providers. Enthought provides a pre-packaged service based on KeyCloak, an industry-leading open source identity and access management product.

To install the identity service, follow the instructions available here:

Python package server

Edge makes heavy use of Python packages and runtimes, for example to enable Jupyter notebooks in the Analysis App. The Enthought Deployment Server (EDS) is a Python package server optimized for scientific use cases and designed to integrate with Edge.

To install EDS, follow the instructions available here:

Step 2: Configure AWS/Kubernetes

Create Terraform config file

Create a new configuration file for Terraform. To do so, you'll need a collection of settings. These change from time to time as Edge is updated, but in general include things like:

  • The domain where you will be deploying Edge, for example "".
  • Information for connecting Edge to the identity provider.
  • Information about the Kubernetes cluster that Edge will be running on.

Enthought Support will provide a pre-populated settings file and detailed guidance for your specific use case.

Set Up Terraform backend and required providers

Terraform is used to deploy Edge onto the cloud provider. In order to do this, you will need to define the appropriate "providers" for Terraform to communicate with the systems involved. Again, Enthought support will provide a customized set appropriate for your use case.

Step 3: Deploy Edge

Finally, you will use the Terraform command-line tool to do the deployment. One thing to consider is that Terraform needs to store its "state" somewhere; in other words, a record of which services have been deployed or updated. Depending on your local standard practice, you will consider adding a specific backend to store the Terraform state, for example S3. Or, you can store the state locally.

terraform init
terraform plan -o initial_deployment.plan
terraform apply initial_deployment.plan

Technology References

Cloud Computing and Orchestration

AWS Account

As the global market leader, AWS provides services with world-class APIs, fair pricing, and excellent customer service. An AWS account is required to install Edge. See the AWS Getting Started Guide for more information.

AWS Backup

AWS Backup allows cloud administrators to quickly set data retention policies for AWS resources. We recommend using AWS Backup to back up all Edge EBS volumes.

AWS Secrets Manager

The AWS Secrets Manager service provides a secure location for deployment secrets. We recommend using it for Edge deployment secrets such as container repository credentials.


Karpenter is used to automatically scale cluster compute capacity. When Karpenter finds an unscheduled pod it will create an EC2 instance that is just large enough to hold the pod and join it to the cluster. When the pod is destroyed, Karpenter will also destroy the EC2 instance. Karpenter guarantees that Edge customers are only paying for the resources that they're using.


Terraform is an open-source software solution for deploying infrastructure and applications. Its declarative configuration files allow users to deploy infrastructure as code and create deployments as code. Edge is deployed to an Amazon Elastic Kubernetes Service (EKS) cluster using Terraform.

Access to the Edge GitHub repository is required for loading the Edge Terraform module. Please work with your Customer Success Engineer to obtain access.


Amazon Relational Database Service (RDS) is a managed database service that provides PostgreSQL databases that span multiple availability zones at a low cost. Databases are automatically backed up and can be scaled rapidly. Edge uses RDS for several of its backend databases.

Authentication and Security


Keycloak is used by Edge as an Identity Provider (IdP). Support for other OAuth2-based Identity Providers such as Azure AD, and GitHub is planned.


Calico is commonly used for implementing network security policies within Kubernetes clusters. Edge uses Calico along with Istio to block applications from accessing restricted resources. provides a secure storage solution for container images. Images are automatically scanned for security vulnerabilities which drive developers to quickly implement fixes. Edge uses for all of its container images.


The classic Kubernetes network architecture is flat which means that any pod can talk to any pod. This open architecture means that an attacker can easily traverse a network and do harm to multiple services. A service mesh like Istio solves this problem by implementing Zero Trust security principles. All communication within the cluster is encrypted, authenticated and authorized. Istio accomplishes this task with sidecar containers that are attached to each pod. The sidecar container handles all communication between pods. By delegating inter-pod communication security to Istio, developers can focus more on feature delivery and less on security.



An SSL certificate is required for securing the Edge deployment. The certificate should be signed by a certificate authority that is trusted in your domain in order for Edge to work with modern browsers without security warnings. Untrusted self-signed certificates should not be used.


Edge requires a DNS record in order to provide the best user experience. We recommend creating a fully qualified domain name like so that users are able to find it easily.