AppScale Technical FAQs

How do I get the latest AppScale image in Azure?

For using a pre-configured image with AppScale and AppScale Tools installed on it, you can follow the next steps:

1. You will have to create a new resource group and a storage account associated with it on the Azure portal.

2. You will need to upload the latest available public AppScale image to the same storage account by providing the container name, storage account name and the access key. You will find the latest BLOB-URL of the AppScale image here and you can upload it to your account with the following command:

Azure CLI 1.0
azure storage blob copy start {BLOB-URL} {CONTAINER-NAME} -a {STORAGE-ACCOUNT} -k {STORAGE-ACCESS-KEY}

Azure CLI 2.0
az storage blob copy start -u {BLOB-URL} -b {DESTINATION-BLOB-NAME} -c {CONTAINER-NAME} --account-name {STORAGE-ACCOUNT} --account-key {STORAGE-ACCESS-KEY}

3. This command performs an asynchronous copy and the status can be checked by running the command:
Azure CLI 1.0
azure storage blob copy show -a {STORAGE-ACCOUNT} -k {STORAGE-ACCESS-KEY} --container {CONTAINER-NAME} --blob {BLOB-URI}

Azure CLI 2.0
az storage blob show --name {BLOB-NAME} --container-name {CONTAINER-NAME} --account-name {STORAGE-ACCOUNT}
**BLOB-URI is the resource path where the blob would be uploaded. E.g:

How do I create an Azure instance with the latest AppScale image?

Creating a VM instance using the resources created above:


**BLOB-URL: The URL of the copied over image into the storage account.

You would be prompted for a username and password and now a virtual machine instance would now be created within the resource group. Login with the username and password and to login as root click here.

How do I get the latest AppScale image in AWS EC2?

You can find the latest AppScale AMI here. For a complete list of regular and FastStart AMIs visit our GitHub releases page.

How do I get the latest AppScale image in GCE?

In the Google Cloud Platform console, go to Images under Compute Engine, and create a new image with the following settings:
Name: “appscale”, Source: “Cloud Storage file”, Cloud Storage file: “appscale-images/latest/appscale.tar.gz”


How do I get the latest AppScale image for Vagrant/VirtualBox?

You can create a Vagrant/VirtualBox configuration file by running:
appscale init appscale/releases

What about security in AppScale?

AppScale manages the firewall on each machine of a deployment. This allows AppScale to only open ports that are required for its operation. AppScale leverages iptables in the underlying system, and provides facilities for the administrator to allow or deny basic access to functionalities (for example the AppScale dashboard could be made accessible only from certain IPs).

How do I setup a network rule suitable for AppScale in Azure?

We need to first create the resources that the VM requires from the Portal in the following order:

Creating a Virtual Network & Public IP Address:
On the Azure Portal, navigate to within the resource group where you would like your deployment and click on the Add button to add a Virtual Network and a Public IP Address:

Creating a Network Interface:
Similarly create a Network Interface by clicking on the Add button and make sure you select the Virtual Network name (created above) from the drop down. And to make sure you have the right network security group setup as instructions below:

Since AppScale manages the firewall directly, the easiest way is to setup a network rule with all the ports open. To do so, click on the Network security group and create a new rule with all ports open.

Next, make sure you associate the Public IP address resource created to the Network Interface by following the steps in the screenshot below:

How do I setup a network rule suitable for AppScale in AWS?

Since AppScale manages the firewall directly, the easiest way is to setup a network rule with all the ports open. To do so:

from the AWS console
– select the EC2 service
– select the Security Groups
– create a new security group with the following settings: Group name: ‘appscale’, Description: ‘AppScale default security group’, VPC: ‘No VPC’. Add two rules to the security group: ‘All TCP / TCP / 0 – 65535 / Anywhere /’ and ‘All UDP / UDP / 0 – 65535 / Anywhere /’.


from the command line (AWS Docs)
– create a new security group:
aws ec2 create-security-group --group-name 'appscale' --description 'AppScale default security group'
– add the network rules:
aws ec2 authorize-security-group-ingress --group-name appscale --protocol tcp --port 1-65365 --cidr
aws ec2 authorize-security-group-ingress --group-name appscale --protocol udp --port 1-65365 --cidr

How do I setup a network rule suitable for AppScale in GCE?

Since AppScale manages the firewall rules directly, the easiest way is to setup a network rule with all the ports open. To do so:
– login to the google developer console
– go to the Networking section under Compute and select Firewall rules
– create a new firewall rule with the following settings: Name: ‘appscale’, Network: choose ‘default’ or create a new network, Source filter: ‘Allow from any source (’, Allowed protocols and ports: ‘tcp:1-65535;udp:1-65535’


What if I don’t want to make a generic network rule with all ports open?

The ports that need to be accessible to an AppScale deployment are:
– TCP 22: this is the SSH port, and it’s needed to gain access to the nodes;
– TCP 80 and 443: those are the default HTTP and HTTPS ports. Highly recommended to have them open, although not necessary if your application doesn’t use them;
– TCP 8080-8100 and 4380-4400: those are ports that will be used in a FIFO manner when multiple applications are deployed. Are needed only if/when you have/want more applications running here. There are other ports that make it easy to control/debug an AppScale deployment but they are not necessary for normal operation. You can check in /root/appscale/firewall.conf (link to github page?) for the reserved ports. AppScale requires all ports open amongst the nodes of its own deployment. Usually this is easily achieved in public networks when instances belong to the same security group.

How do I install AppScale Tools?

Requires pip.
pip install appscale-tools

Mac OS X
Requires homebrew.
brew install appscale-tools

How do I create and customize my AppScalefile?

AppScale is configured using an AppScalefile. The AppScale Tools initially use the AppScalefile to understand the deployment layout (i.e. where the login node is, how many database nodes there are, where they are, etc.), and subsequently to start and manage the deployment.

An AppScalefile is created after running the fast-start script. For more samples of the AppScalefile, click here and here.

For a full list of AppScalefile options, you can run the command:

appscale init cluster

and look into the newly created AppScalefile.

How do I login as root?

Need to SSH into an AppScale-ready instance as root? What’s your infrastructure?


Navigate to the VM instances page under Compute Engine, and click SSH next to your instance, like so:
GCE_SSH and then run:
sudo -i


ssh -i </path/to/key/used/to/start/instance> <username>@<public_instance_IP>
sudo -i


ssh -i </path/to/key/used/to/start/instance> ubuntu@<public_instance_IP>
sudo -i


vagrant ssh #password: vagrant
sudo -i


SSH into the instance as any user you have access to and then run:
sudo -i

How do I set up password-less SSH?

Log into the head node as root.

Create an SSH key if there isn’t one present with:
ssh-keygen -t rsa
Optionally provide the file to save the keys and a passphrase. Press Enter to go on with the default settings (/root/.ssh/

Copy the contents of this public SSH key in /root/.ssh/authorized_keys on all virtual machines of the same AppScale deployment.

How do I login as root for Azure?

ssh -i @ sudo -i

How do I set up Service Principal for my Azure subscription?

Make sure you have a Microsoft Outlook/Azure account and you have suitable access permissions set for your subscription. Here we are using the Azure CLI to create a Service Principal for the Active Directory application you intend to deploy on AppScale.

1. Sign into your account

Azure CLI 1.0
azure config mode arm
azure login

Azure CLI 2.0
az login

2. Use the command to create a Service Principal for your application by providing a display name, the URI to a page that describes your application, the URIs that identify your application, and the password for your application identity.

Azure CLI 1.0
For an existing application:
azure ad sp create --applicationId {APP-ID}

For a new application:
azure ad sp create --name {APP-NAME}

Azure CLI 2.0
az ad sp create --id {IDENTIFIER-URI/APPLICATION-ID}

Make a note of the Object Id and the Service Principal name from the result as it is needed when granting permissions and logging in.

3. Grant the Service Principal permissions on your subscription. You would need to assign an appropriate role with write access (e.g. ‘Contributor’).

Azure CLI 1.0
azure role assignment create --objectId {OBJECT-ID} -o {ROLE} -c /subscriptions/{subscriptionId}/

Azure CLI 2.0
az role assignment create --assignee {USER/GROUP/SERVICE-PRINCIPAL} --role {ROLE}

4. If you want to create the Service Principal with a password, you need to provide credentials via the CLI.

You need to provide the tenant ID of the directory for your AD app to sign in with the Service Principal. To retrieve the tenant ID for your currently authenticated subscription, use:

Azure CLI 1.0
azure account show

Azure CLI 2.0
az account show

Login as the Service Principal:
Azure CLI 1.0
azure login --service-principal -u {USERNAME/SERVICE-PRINCIPAL-ID} --tenant {TENANT-ID}

Azure CLI 2.0
az login --service-principal -u {USERNAME/SERVICE-PRINCIPAL-ID} -p {PASSWORD} --tenant {TENANT}

You are prompted for the password. Provide the password you specified when creating the AD application. You have now authenticated the service principal that you created.

How do I access the AppScale Dashboard?

Each deployment starts the AppScale Dashboard (GUI). It is reachable at the public IP of the headnode or any load-balancer at port 1080 (you will be redirected to the secure port at 1443).

Once you reach the dashboard URL (the images above) you will need to log in to be able to access all the functionalities.