BYO AWS Account

Bring Your Own AWS Subscription to Frame

Frame provides two options for using AWS infrastructure. You can “Bring Your Own” (BYO) Amazon Web Services (AWS) subscription that you own and manage yourself, or purchase Nutanix IaaS credits to use a Nutanix-managed AWS subscription. When you bring your own (BYO) AWS subscription, you pay AWS directly for infrastructure (your VMs, storage, networking, etc.) and only pay Nutanix for using Frame.

Common reasons why you would bring your own AWS subscription are:

  • You wish to take advantage of existing billing arrangements with AWS for convenience and/or pricing. For example, your organization may already have certain AWS consumption commitments or pre-payments – you can use Frame to consume those resources on your own AWS account.

  • You want to have additional administrative control over your Frame workloads for more detailed monitoring and metrics.

  • You want to configure other network integrations (VPN gateways, Direct Connects, transit gateways), which you can’t do using a Nutanix-managed AWS subscription.

  • You must meet industry-specific compliance regimes (e.g., HIPAA) that require you to fully manage and control your cloud resources.


  • In order to register your AWS account with Frame, you need to ensure that you have an IAM user who can create the CloudFormation stack with the Frame-provided CloudFormation script. The IAM user must have, at a minimum, the following permissions:

  • AWS Console login

  • AmazonEC2FullAccess

  • IAMFullAccess

  • AWSConfigRole

  • AWSCloudFormationFullAccess


Due to the way that CloudFormation Stacks operate, the continuing orchestration of Frame resources on your AWS subscription is not tied to any particular account. The Frame platform does not rely on the IAM user that was used to associate your AWS subscription to the Frame platform, and that IAM user can be deleted or disabled at any time without disabling your integration with Frame. If you do wish to disable your integration with Frame manually, please delete the Nutanix-Frame-High-Cloud-Stack-Prod CloudFormation stack, as well as the FrameGatewayRole, FrameLambdaRole, and FrameWorkloadRole IAM roles.

  • You will need your Account ID number, which can be found by going to your “My Account” page in your AWS console. Click on the drop-down menu next to your account name in the upper right corner of your AWS Console to access this page. See below for all the steps required to add your BYO AWS account.

  • Some costs may begin to accrue immediately after completing the CloudFormation Stack creation.


You will need to be logged in to the AWS console with your IAM user in a separate tab or window in order to complete the CloudFormation Stack creation. Nutanix Frame will not have access to your AWS user credentials.

Adding your AWS Cloud Account

BYO cloud accounts can be created either at the “customer” or “organization” tiers of Frame’s logical hierarchy. More information about Frame’s hierarchy concepts can be referenced here.

A BYO cloud account created at the “customer” (highest) tier will be accessible to all hierarchical children (“organizations” and their accounts). If you choose to add the BYO cloud account at the “organization” tier, the BYO cloud account will only be available to the chosen organization and any accounts underneath it. Customer Administrators can add a BYO cloud account at the Customer or Organization level while Organization Administrators may only add a BYO cloud account at the Organization tier.


A particular cloud subscription can only be associated with a single entity on the Frame platform. If you associate your cloud subscription to one Organization, it cannot be associated with another Organization or Customer. If your use case requires that multiple Organizations will have access to your AWS subscription, you must associate the cloud account to your Customer entity.

AWS Cloud Account Registration Procedure

  1. Go to the Frame Admin view.

  2. Navigate to the “Organizations” or “Customers” section (depending on where you wish to add the cloud account).

  3. Click on the ellipsis listed next to the organization or customer you wish to add your cloud account to, then click “Cloud Accounts.”

  4. Click the “Add Cloud Account” button on the top-right.

  5. A new window will appear prompting you for the following information:

    • Cloud provider: Select the AWS icon.

    • Name: Enter the desired name of your cloud service.

    • Cloud account ID: Enter your AWS Account ID (without dashes) in this field.

  6. Once you have entered the information, click the “Prepare the account with AWS CloudFormation” button.

  • At this point, your browser will be redirected to the AWS console in a new tab. If you are not logged in to AWS with the desired BYO AWS account, you will be prompted for credentials.

  • Make sure you are logged in with the correct AWS account you wish to use (if you have multiple AWS accounts).

  7. The first page you will be taken to is the CloudFormation Stack Quick Stack Creation page. All information should be automatically filled out for you.

  8. Simply scroll to the bottom and check the box to allow CloudFormation to create IAM resources for you, then click “Create stack.”

  9. Once the above process is complete, you will be directed to a page which lists the events for this CloudFormation Stack. The creation process will proceed automatically. You may need to refresh the page to see new events. Once events appear named “Nutanix-Frame-High-Orchestrator-Role-Prod”, “Nutanix-Frame-High-Lambda-Role-Prod”, and “Nutanix-Frame-High-Workload-Role-Prod” and are marked as status “CREATE_COMPLETE”, the stack creation has completed. This typically takes less than two minutes.

  10. Once the stack has been created, navigate back to your Frame tab and select “Verify.”

  11. You will be informed that the cloud account setup has been verified. There will be a small text response below the Cloud account ID field stating “Cloud account setup is verified”. This indicates everything is working properly.

  12. Now you can select the data centers (AWS regions) for your Frame accounts. You may add additional data centers in the future.

  13. Check the box at the bottom informing you of possible resource usage on your AWS cloud infrastructure and then click “Create.” After a few minutes, you will see your AWS Cloud Account listed as “Ready”.


Now that your AWS Cloud Account is created and accessible within Frame, you will be able to create Frame accounts using this BYO cloud account.

Streaming Gateway Appliance Prerequisite

If you plan to deploy Streaming Gateway Appliances in AWS (either during the Frame account creation process or manually after the Frame account is created), you will need to accept the CentOS 7 license terms in the AWS Marketplace first. Visit and subscribe to CentOS 7 (x86_64).

Resources Created During BYO AWS Cloud Account Creation

During the creation of a BYO AWS Cloud Account, the CloudFormation template creates three IAM roles.

  • FrameGatewayRole allows Frame Platform to provision and deprovision AWS resources for Frame-managed workloads.

  • FrameLambdaRole allows log entries to be captured by Frame Platform.

  • FrameWorkloadRole enables Frame Platform to store and retrieve Nutanix-provided OS images in an S3 bucket in each of the AWS regions where you create Frame accounts.

AWS Service Limits

By default, a newly created AWS account will impose certain service limits on available resources. Depending on the number of Frame workload VMs required of a given machine type (e.g., number of concurrent users on g4dn.2xlarge), how the Frame account is created (e.g., Frame networking with or without an SGA), and whether you use Publish or Quick Publish, you will likely need to adjust the default limits imposed on the AWS account. If these limits are set to values that are lower than what is required by the Frame platform, you can expect certain functions to either fail or be substantially delayed. Frame’s requirements for these service limits depend on the desired workload and required resources. The recommended service limit increases include the following:

Recommended AWS Service Limits

AWS Resource


EC2 (CPU-only and GPU instance types)

AWS has service quotas on the total number of vCPUs for any given instance family, on a per-region basis. We recommend you first determine the expected max number of instances by instance type (per Frame account) for your needs. Next, calculate the required number of instance family-specific vCPUs based on the expected max number of instances and the required number of vCPUs per instance type (for that family). If you use Publish, set your vCPU quota to 2.2 times the number of instance family-specific vCPUs. The additional 20% will accommodate any additional resources such as Sandboxes, Utility servers, etc. If you use Quick Publish, you can use a minimum factor of 1.X times to calculate the required number of instance family-specific vCPUs. X is computed as the “Number of production instances created on publish” divided by expected max instances. By default, the “Number of production instances created on publish” value is configured to be 10 VMs. A factor of 1.3-1.5 should be sufficient to account for typical Quick Publishes and overhead.


Typically, this resource does not need to be modified. To estimate total disk storage consumption, multiply the total number of VMs you expect to provision by the size of the Sandbox VM (e.g., 80 GiB) across all Frame accounts you plan to provision. Number and size of any utility servers, number of Sandbox image backups, number and size of personal drives, and number and size of enterprise profile disks would be additional storage to consider.

IP Addresses

AWS does not have any service quotas on public or private IP addresses that are assigned when an EC2 instance is powered on and removed when an EC2 instance is powered off. If a Frame account is created with Frame networking (default), each workload VM will have both a public and private IP address. If the Frame account is created using Frame networking, private network with Streaming Gateway Appliance (SGA), then Frame will provision 1 public IP address for the SGA VM or the load balancer in front of the SGA VMs and all of the workload VMs will only have private IP addresses.

Elastic IP Addresses

Elastic IP addresses are static, public IPv4 addresses. Frame does not provision Elastic IP addresses. However, if you plan to use VPN endpoints, you will need to factor into your service quota calculations the 1 or 2 Elastic IP Addresses needed for configuring the VPN gateway.

Network Interfaces

By default, you should have 5,000 network interfaces per region. If a Frame account is created with Frame networking (default), you will need 2 network interfaces (private IP address and public IP address) per workload VM. If a Frame account is created with Frame networking (private networking with SGA), you will need 1 network interface (private IP address) per workload VM.


If Frame networking (default) or Frame networking (private networking) is used to create Frame accounts, the number of VPCs equals the number of Frame accounts. If Frame networking (private networking with SGA) is used to create Frame accounts, the required number of VPCs is two times the number of Frame accounts. For BYO networking, no new networks are created.
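
The sizing rules in the table above, worked through as an added example (not part of the original Frame documentation): it computes the per-family vCPU quota for Publish and Quick Publish, and the network interface and VPC counts for the two networking modes the table fully specifies. The family labels, per-VM vCPU counts and the sample fleet are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from fractions import Fraction

PUBLISH_FACTOR = Fraction(22, 10)   # page: 2.2x when using Publish
DEFAULT_CREATED_ON_PUBLISH = 10     # page: default "production instances created on publish"

# mode -> (network interfaces per workload VM, VPCs per Frame account), per the table.
# Only the two modes for which the page gives both numbers are modelled.
NETWORK_RULES = {
    "frame_default": (2, 1),
    "frame_private_sga": (1, 2),
}

@dataclass
class Pool:
    family: str         # vCPU quota family label (hypothetical: "G", "Standard")
    vcpus_per_vm: int   # sample input; confirm against the AWS instance type docs
    max_instances: int  # expected max instances of this type in the region

def quick_publish_factor(max_instances, created=DEFAULT_CREATED_ON_PUBLISH):
    """1.X from the page, X = instances created on publish / expected max instances."""
    return 1 + Fraction(created, max_instances)

def vcpu_quota(pools, quick_publish=False):
    """vCPU quota to request per instance family, for one region."""
    totals = {}
    for p in pools:
        factor = quick_publish_factor(p.max_instances) if quick_publish else PUBLISH_FACTOR
        totals[p.family] = totals.get(p.family, 0) + p.max_instances * p.vcpus_per_vm * factor
    # Fractions keep the 2.2x factor exact; round up because quotas are whole vCPUs.
    return {family: math.ceil(v) for family, v in totals.items()}

def plan(pools, frame_accounts, mode, quick_publish=False):
    """Quota estimate for one region, counting workload VMs only."""
    enis_per_vm, vpcs_per_account = NETWORK_RULES[mode]
    workload_vms = sum(p.max_instances for p in pools)
    return {
        "vcpus": vcpu_quota(pools, quick_publish),
        "network_interfaces": workload_vms * enis_per_vm,
        "vpcs": frame_accounts * vpcs_per_account,
    }

# Constructed sample fleet for one region (8-, 4- and 2-vCPU instance types).
SAMPLE = [Pool("G", 8, 20), Pool("G", 4, 25), Pool("Standard", 2, 50)]

if __name__ == "__main__":
    print(plan(SAMPLE, frame_accounts=3, mode="frame_default"))
    print(plan(SAMPLE, frame_accounts=3, mode="frame_private_sga", quick_publish=True))
```

Sandboxes, utility servers, SGA VMs and VPN Elastic IPs are not counted in the network interface figure; add them separately when comparing against the 5,000 per-region default.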

To modify service limits on your AWS account, you will need to click on the “Limits” link in the navigation panel on the left of the AWS console.


Service Limits Tips

  • If possible, group your service limit increases by geographic region. Each geographic region has its own approval team. A limit increase across multiple regions can take 6-8 weeks.

  • Approval time can vary by the size of the request. For instance, two or three small service limit increase requests are generally approved more quickly than one large request.

  • Since capacity is limited, increasing service limits on GPU-backed instances generally takes longer than general purpose limit increases.

  • T2 instance limit increase requests are usually approved and implemented within 24 hours of the request. G2/G3 instance limit increases take longer (especially for larger quantities).

More information about AWS service limits can be found in their official documentation.

AWS Instance Types

Each IaaS provider has a unique naming scheme for their instance types. AWS categorizes their “Elastic Cloud Compute instances” (a.k.a. “EC2 instances”) based on compute, memory, and GPU configuration. More information about Amazon EC2 instances can be found in their official AWS documentation.

For the latest AWS instances supported by Frame, refer to the Nutanix Frame Pricing Page.