CHR: Installing on AWS
RouterOS CHR can be deployed on Amazon Web Services (AWS) as an EC2 instance. The recommended method is through the AWS Marketplace, which provides pre-built AMIs with integrated licensing. Alternatively, you can import the MikroTik RAW image as a custom AMI.
Deployment Methods
| Method | Pros | Cons |
|---|---|---|
| AWS Marketplace AMI | Quickest setup, integrated billing | Pay-as-you-go pricing may exceed perpetual license cost at scale |
| Custom AMI import | Full control, supports all CHR license tiers | More manual steps |
Method 1: AWS Marketplace AMI (Recommended)
Subscribe and Launch
- Navigate to the AWS Marketplace and search for MikroTik CHR
- Click Subscribe and accept the terms
- Click Continue to Configuration:
  - Select your preferred Software Version (RouterOS version)
  - Select your Region
- Click Continue to Launch:
  - Choose Launch through EC2
  - Select an Instance Type (see recommendations below)
Recommended Instance Types
| Use Case | Instance Type | vCPUs | RAM |
|---|---|---|---|
| Lab / testing | t3.micro | 2 | 1 GB |
| Small router | t3.small | 2 | 2 GB |
| Production routing | m5.large | 2 | 8 GB |
| High throughput | c5n.xlarge | 4 | 10.5 GB |
Method 2: Custom AMI Import
Download and Prepare the Image
```bash
# Download the RAW CHR image
wget https://download.mikrotik.com/routeros/7.x/chr-7.x.img.zip
unzip chr-7.x.img.zip

# Upload to S3
aws s3 mb s3://my-chr-images
aws s3 cp chr-7.x.img s3://my-chr-images/chr-7.x.img
```

Import as EC2 AMI
Create a file containers.json:
```json
[
  {
    "Description": "MikroTik CHR 7.x",
    "Format": "raw",
    "UserBucket": {
      "S3Bucket": "my-chr-images",
      "S3Key": "chr-7.x.img"
    }
  }
]
```

Import the snapshot and register the AMI:
```bash
# Import snapshot
aws ec2 import-snapshot \
  --description "CHR 7.x" \
  --disk-container file://containers.json

# Wait for snapshot import to complete, then get snapshot ID
aws ec2 describe-import-snapshot-tasks

# Register the AMI (replace snap-xxxxx with your snapshot ID)
aws ec2 register-image \
  --name "MikroTik-CHR-7.x" \
  --description "MikroTik RouterOS CHR 7.x" \
  --architecture x86_64 \
  --root-device-name /dev/xvda \
  --block-device-mappings '[{"DeviceName":"/dev/xvda","Ebs":{"SnapshotId":"snap-xxxxx"}}]' \
  --virtualization-type hvm
```

VPC and Security Group Configuration
Create a Security Group for CHR
CHR requires specific ports to be accessible. Create a security group with the minimum necessary rules:
```bash
# Create security group
aws ec2 create-security-group \
  --group-name chr-sg \
  --description "MikroTik CHR Security Group" \
  --vpc-id vpc-xxxxx

# Allow SSH (management)
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp --port 22 --cidr 203.0.113.0/24

# Allow WinBox (MikroTik management GUI)
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp --port 8291 --cidr 203.0.113.0/24

# Allow established/related (stateful — handled by AWS SG automatically)
```

AWS Security Groups are stateful — return traffic for allowed outbound connections is automatically permitted. However, inbound access (SSH, WinBox, BGP, IPsec) must be explicitly opened or the instance is unreachable despite any RouterOS firewall configuration.
Common ports for MikroTik CHR:
| Service | Port | Protocol |
|---|---|---|
| SSH | 22 | TCP |
| WinBox | 8291 | TCP |
| API | 8728 | TCP |
| API-SSL | 8729 | TCP |
| Winbox/HTTP | 80 | TCP |
| BGP | 179 | TCP |
| IPsec IKE | 500 | UDP |
| IPsec NAT-T | 4500 | UDP |
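The two `authorize-security-group-ingress` calls above are the whole of the intended inbound policy, but groups drift as people add rules. The following audit script is an added example (not code from the page, MikroTik or AWS) that checks a group against that least-privilege intent: every management port from the table above must only be reachable from the administrator's source range, and the peer-facing ports (BGP, IPsec) must never be open to 0.0.0.0/0. It consumes the `SecurityGroups[].IpPermissions` structure that `aws ec2 describe-security-groups --output json` returns, so it runs offline against a saved file; `SAMPLE_GROUP`, its group ID and all CIDRs are constructed sample data, and the 203.0.113.0/24 admin range is the one the page uses.

```python
"""Audit an EC2 Security Group protecting a MikroTik CHR instance.

Added example; not code from the original page or from MikroTik/AWS.
Input is the "SecurityGroups[].IpPermissions" structure returned by
`aws ec2 describe-security-groups --output json`. SAMPLE_GROUP is constructed.
"""
import ipaddress
import json
import sys

# Management services from the page's port table: never reachable from outside
# the administrator's source range.
MANAGEMENT_PORTS = {22: "SSH", 8291: "WinBox", 8728: "API", 8729: "API-SSL", 80: "HTTP"}
# Peer-facing services: opened to specific peers, never to the whole internet.
PEER_PORTS = {("tcp", 179): "BGP", ("udp", 500): "IPsec IKE", ("udp", 4500): "IPsec NAT-T"}

SAMPLE_GROUP = {  # constructed sample, shaped like describe-security-groups output
    "GroupId": "sg-0example",
    "GroupName": "chr-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},    # SSH from admin range: fine
        {"IpProtocol": "tcp", "FromPort": 8291, "ToPort": 8291,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},         # WinBox to the world: finding
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},   # IKE from one peer: fine
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},       # allow-all from a VPC range: finding
    ],
}


def _covers(perm, proto, port):
    """True if one IpPermissions entry admits proto/port ("-1" is handled by the caller)."""
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _inside(cidr, admin):
    """True if cidr lies entirely within the admin network (and is the same IP version)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == admin.version and net.subnet_of(admin)


def audit_security_group(group, admin_cidr):
    """Return a list of findings; an empty list means the group matches the intent."""
    admin = ipaddress.ip_network(admin_cidr, strict=False)
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if perm["IpProtocol"] == "-1":  # all protocols and ports
                findings.append(f"all protocols/ports allowed from {cidr}")
                continue
            for port, name in MANAGEMENT_PORTS.items():
                if _covers(perm, "tcp", port) and not _inside(cidr, admin):
                    findings.append(f"{name} tcp/{port} reachable from {cidr}, outside {admin_cidr}")
            world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
            for (proto, port), name in PEER_PORTS.items():
                if _covers(perm, proto, port) and world:
                    findings.append(f"{name} {proto}/{port} open to the whole internet ({cidr})")
    return findings


def audit_describe_output(path, admin_cidr):
    """Audit every group in a saved `aws ec2 describe-security-groups` JSON file."""
    with open(path) as fh:
        data = json.load(fh)
    return {g["GroupId"]: audit_security_group(g, admin_cidr) for g in data["SecurityGroups"]}


if __name__ == "__main__":
    admin_range = "203.0.113.0/24"
    if len(sys.argv) > 1:
        report = audit_describe_output(sys.argv[1], admin_range)
    else:
        report = {SAMPLE_GROUP["GroupId"]: audit_security_group(SAMPLE_GROUP, admin_range)}
    for gid, findings in report.items():
        print(gid, "OK" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it with no arguments to audit the constructed sample, or pass the path of a file produced by `aws ec2 describe-security-groups --group-ids sg-xxxxx --output json` to audit a real group. The "-1" (all traffic) rule is reported on its own rather than expanded per port, because a single allow-all entry is the finding regardless of which services sit behind it.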
Assign an Elastic IP
For persistent public IP addressing, allocate and associate an Elastic IP:
```bash
# Allocate Elastic IP
aws ec2 allocate-address --domain vpc

# Associate with instance (replace with your IDs)
aws ec2 associate-address \
  --instance-id i-xxxxx \
  --allocation-id eipalloc-xxxxx
```

Initial Configuration via EC2 User Data
CHR reads EC2 user-data on first boot and executes it as a RouterOS script. This enables automated initial configuration without manual console access.
Example User Data Script
In the EC2 launch wizard, paste the following into Advanced Details → User data as plain text:
```routeros
/user set admin password=StrongPassword123!
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=203.0.113.0/24
/ip service set winbox address=203.0.113.0/24
/ip firewall filter add chain=input action=accept connection-state=established,related comment="Accept established"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22,8291 src-address=203.0.113.0/24 comment="Management access"
/ip firewall filter add chain=input action=drop comment="Drop all other input"
/system identity set name=aws-chr-01
```

User data is executed as a RouterOS script on first boot only. The script must contain valid RouterOS CLI commands. Incorrect syntax will cause silent failures. Test your script on a local CHR instance before deploying to AWS.
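Because the script runs once and fails silently, it is worth a pre-flight check before launch in addition to the local CHR test. The following lint is an added example (not code from the page or from MikroTik): it verifies that every line is a RouterOS command, that quotes are balanced, that the script stays under the documented 16 KB EC2 user-data limit, and that the hardening the page's script performs is actually present (admin password set, telnet/ftp disabled, SSH and WinBox bound to the admin range, scoped accept rules, input chain ending in a drop). `SAMPLE_SCRIPT` is a constructed copy of the page's script with a deliberately broken line and a placeholder password; the checks are heuristics, not a RouterOS parser, so a clean result does not prove the syntax is valid.

```python
"""Pre-flight lint for a RouterOS user-data script before an EC2 launch.

Added example, not code from the original page or from MikroTik. CHR executes
user data as a RouterOS script on first boot only and bad syntax fails
silently, so a few cheap invariants are checked here before the one-shot
launch. USER_DATA_LIMIT is the documented EC2 user-data size limit.
SAMPLE_SCRIPT is constructed: the page's script with one deliberate mistake.
"""
import re

USER_DATA_LIMIT = 16 * 1024

SAMPLE_SCRIPT = """\
/user set admin password=ExampleOnly-ChangeMe-2024
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=203.0.113.0/24
/ip service set winbox address=203.0.113.0/24
/ip firewall filter add chain=input action=accept connection-state=established,related comment="Accept established"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22,8291 src-address=203.0.113.0/24 comment="Management access"
ip firewall filter add chain=input action=drop comment="Drop all other input"
/system identity set name=aws-chr-01
"""
# Same script with the missing leading "/" restored on the drop rule.
FIXED_SCRIPT = SAMPLE_SCRIPT.replace("\nip firewall", "\n/ip firewall")


def lint_user_data(script: str, admin_cidr: str) -> list:
    """Return the problems found in `script`; an empty list means every check passed."""
    problems = []
    if len(script.encode("utf-8")) > USER_DATA_LIMIT:
        problems.append(f"script exceeds the {USER_DATA_LIMIT}-byte EC2 user-data limit")

    cmds = []
    for n, line in enumerate(script.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "/:":  # RouterOS commands start with a path or a script keyword
            problems.append(f"line {n}: not a RouterOS command: {line!r}")
            continue
        if line.count('"') % 2:
            problems.append(f"line {n}: unbalanced double quotes")
        cmds.append(line)
    joined = "\n".join(cmds)

    # 1. admin password is set and not trivially short
    pw = re.search(r'^/user set admin password=("[^"]*"|\S*)', joined, re.M)
    if not pw:
        problems.append("no '/user set admin password=' line; admin keeps the default credentials")
    elif len(pw.group(1).strip('"')) < 12:
        problems.append("admin password is shorter than 12 characters")

    # 2. cleartext services are disabled
    disabled = set()
    for m in re.finditer(r"^/ip service disable (\S+)", joined, re.M):
        disabled.update(m.group(1).split(","))
    for svc in ("telnet", "ftp"):
        if svc not in disabled:
            problems.append(f"cleartext service {svc} is not disabled")

    # 3. remaining management services are bound to the admin range
    for svc in ("ssh", "winbox"):
        m = re.search(rf"^/ip service set {svc} .*\baddress=(\S+)", joined, re.M)
        if not m or m.group(1) != admin_cidr:
            problems.append(f"{svc} is not restricted to the admin range {admin_cidr}")

    # 4. input chain: every accept is scoped, and the chain ends in a drop
    input_rules = [c for c in cmds if c.startswith("/ip firewall filter add chain=input")]
    for c in input_rules:
        if "action=accept" in c and "connection-state=" not in c and "src-address=" not in c:
            problems.append(f"accept rule without src-address restriction: {c!r}")
    if not input_rules or "action=drop" not in input_rules[-1]:
        problems.append("input chain does not end with an action=drop rule")
    return problems


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("fixed", FIXED_SCRIPT)):
        problems = lint_user_data(script, "203.0.113.0/24")
        print(f"{name}: {'OK' if not problems else f'{len(problems)} problem(s)'}")
        for p in problems:
            print("  -", p)
```

The sample shows how one dropped character cascades: the line without its leading `/` is reported as not a command, and because that line was the final drop rule, the input chain is also reported as ending in an accept. Point `lint_user_data` at the file you intend to paste into the launch wizard, with the same admin range you used in the security group.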
Retrieving Metadata Inside CHR
After boot, CHR can query the AWS metadata service for its own IP and instance details:
```routeros
/tool fetch url="http://169.254.169.254/latest/meta-data/public-ipv4" output=user
```

This is a token-less (IMDSv1-style) request. If the instance was launched with IMDSv2 required (metadata option HttpTokens=required), the metadata service refuses it, and the script must obtain a session token first.

Post-Deployment Configuration
After launching, connect via SSH:
```bash
ssh -i your-key.pem admin@<elastic-ip>
```

Apply recommended hardening:
```routeros
# Restrict management to known addresses
/ip service set ssh address=203.0.113.0/24
/ip service set winbox address=203.0.113.0/24

# Disable unused services
/ip service disable telnet,ftp,www,api

# Set a strong password
/user set admin password=VeryStrongPassword!

# Configure source NAT if CHR is acting as a NAT gateway
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
```

Licensing on AWS
CHR deployed from the AWS Marketplace uses pay-as-you-go licensing billed through AWS. No separate MikroTik license purchase is needed for Marketplace deployments.
For custom AMI deployments, apply a MikroTik CHR license:
```routeros
/system/license renew account=your-mikrotik-account password=your-password level=p1
```

Instances cloned from the same AMI may share a system ID. Run `/system license generate-new-id` on each new instance before requesting a trial or paid license.
Troubleshooting
Cannot Connect After Launch
- Verify the Security Group allows your source IP on port 22 or 8291
- Confirm the Elastic IP is associated with the correct instance
- Check the EC2 instance is in running state
- Review the instance’s System log in the EC2 console for boot errors
User Data Script Not Applied
- User data is executed on first boot only
- Verify the script contains valid RouterOS commands
- Check `/log print` on the router for script execution errors