Below is a step-by-step guide to configure Metabase

(metabase/metabase:latest) on Amazon RDS using AWS Fargate for a

scalable and secure deployment. This guide assumes you have an AWS
account with appropriate permissions for RDS, ECS, Fargate, and VPC
management, and basic familiarity with AWS services.

Step-by-Step Guide to Deploy Metabase on AWS Fargate with RDS

Step 1: Set Up an Amazon RDS Instance

1 Access the RDS Console:

◦ Log in to the AWS Management Console.

◦ Navigate to RDS (search for “RDS” or select from the services

menu).

2 Create a Database:

◦ Click Create database.

◦ Choose PostgreSQL (Metabase supports PostgreSQL, MySQL, or

MariaDB; PostgreSQL is recommended for production).

◦ Select the latest version (e.g., PostgreSQL 15.x at the time of

writing).

◦ Choose a template (e.g., “Production” for Multi-AZ or “Free Tier”

for testing).

◦ Settings:

▪ DB instance identifier: Enter a unique name (e.g., metabase-db).

▪ Master username: Set a username (e.g., metabase_user).

▪ Master password: Set a secure password and note it down.

◦ Instance size: Choose an instance type (e.g., db.t3.small for

small deployments; adjust based on expected load).

◦ Storage: Allocate sufficient storage (e.g., 20 GB for general use).

◦ VPC Settings:

▪ Place the RDS instance in a VPC with private subnets for security.
 ▪ Create or select a DB Subnet Group with at least two subnets in
different Availability Zones.

◦ Security Group:

▪ Create a new security group (e.g., rds-metabase-sg).

▪ Allow inbound traffic on port 5432 (PostgreSQL) from the Fargate

service’s security group (configured later).

◦ Enable Automated Backups: Set a backup retention period (e.g.,

7 days) for disaster recovery.

◦ Click Create database.

◦ Note the Endpoint, Port, Username, Password, and Database

Name (e.g., metabase) from the RDS instance details.

Step 2: Configure a VPC for Fargate

1 Create or Use an Existing VPC:

◦ Navigate to VPC in the AWS Console.

◦ Ensure your VPC has at least one public subnet (for load
balancer) and two private subnets (for Fargate tasks and RDS).

◦ Create an Internet Gateway and attach it to the VPC.

◦ Update the route table for public subnets to route 0.0.0.0/0 to

the Internet Gateway.

2 Create Security Groups:

◦ Fargate Security Group (fargate-metabase-sg):

▪ Allow inbound traffic on port 3000 (Metabase’s default port) from

the Application Load Balancer’s security group.

▪ Allow outbound traffic to the RDS security group on port 5432.

◦ Load Balancer Security Group (alb-metabase-sg):

▪ Allow inbound traffic on port 80 (HTTP) or 443 (HTTPS) from

0.0.0.0/0.

▪ Allow outbound traffic to the Fargate security group on port

3000.
 ◦ Update the RDS security group (rds-metabase-sg) to allow
inbound traffic on port 5432 from the Fargate security group.

Step 3: Create an ECS Cluster

1 Navigate to ECS:

◦ Go to Elastic Container Service (ECS) in the AWS Console.

◦ Click Clusters > Create Cluster.

2 Configure Cluster:

◦ Choose Networking only (Fargate-compatible template).

◦ Enter a cluster name (e.g., metabase-cluster).

◦ Enable Container Insights (optional, for monitoring).

◦ Click Create.

Step 4: Create a Task Definition

1 Navigate to Task Definitions:

◦ In the ECS Console, click Task Definitions > Create new Task
Definition.

2 Configure Task Definition:

◦ Select Fargate as the launch type.

◦ Task Definition Name: metabase-task.

◦ Task Role and Task Execution Role:

▪ Create or use an existing IAM role (ecsTaskExecutionRole) with

the AmazonECSTaskExecutionRolePolicy policy attached.

◦ Network Mode: awsvpc.

◦ CPU: 0.5 vCPU (512 CPU units).

◦ Memory: 2 GB (2048 MB).

◦ Container Definitions:

▪ Name: metabase.

▪ Image: metabase/metabase:latest.

▪ Port Mappings: Container port 3000 (TCP).

 ▪ Essential: Check this box.

▪ Environment Variables:

▪ MB_DB_TYPE: postgres

▪ MB_DB_DBNAME: metabase (or your database name)

▪ MB_DB_HOST: (e.g., metabase-db.xxxxx.rds.amazonaws.com)

▪ MB_DB_PORT: 5432

▪ MB_DB_USER: (e.g., metabase_user)

▪ MB_DB_PASS:

▪ Log Configuration:

▪ Select awslogs as the log driver.

▪ Set:

▪ awslogs-group: /ecs/metabase

▪ awslogs-region: (e.g., us-east-1)

▪ awslogs-stream-prefix: ecs

◦ Click Create.

3 Register Task Definition:

◦ Save the task definition JSON to a file (e.g., metabase-task.json)

if using AWS CLI:{

◦ "family": "metabase-task",

◦ "networkMode": "awsvpc",

◦ "requiresCompatibilities": ["FARGATE"],

◦ "cpu": "512",

◦ "memory": "2048",

◦ "executionRoleArn": "arn:aws:iam:::role/ecsTaskExecutionRole",

◦ "taskRoleArn": "arn:aws:iam:::role/ecsTaskExecutionRole",

◦ "containerDefinitions": [

◦ {
◦ "name": "metabase",

◦ "image": "metabase/metabase:latest",

◦ "cpu": 512,

◦ "memory": 2048,

◦ "essential": true,

◦ "portMappings": [

◦ {

◦ "containerPort": 3000,

◦ "hostPort": 3000,

◦ "protocol": "tcp"

◦ }

◦ ],

◦ "environment": [

◦ { "name": "MB_DB_TYPE", "value": "postgres" },

◦ { "name": "MB_DB_DBNAME", "value": "metabase" },

◦ { "name": "MB_DB_HOST", "value": "" },

◦ { "name": "MB_DB_PORT", "value": "5432" },

◦ { "name": "MB_DB_USER", "value": "" },

◦ { "name": "MB_DB_PASS", "value": "" }

◦ ],

◦ "logConfiguration": {

◦ "logDriver": "awslogs",

◦ "options": {

◦ "awslogs-group": "/ecs/metabase",

◦ "awslogs-region": "",

◦ "awslogs-stream-prefix": "ecs"

◦ }
 ◦ }

◦ }

◦ ]

◦ }

◦ Register using AWS CLI (optional):aws ecs register-task-definition

--cli-input-json file://metabase-task.json

Step 5: Set Up an Application Load Balancer (ALB)

1 Create an ALB:

◦ Navigate to EC2 > Load Balancers > Create Load Balancer.

◦ Choose Application Load Balancer.

◦ Name: metabase-alb.

◦ Scheme: Internet-facing.

◦ Listeners: Add HTTP (port 80) or HTTPS (port 443, requires an

SSL certificate).

◦ VPC: Select the same VPC as your RDS and Fargate tasks.

◦ Subnets: Choose public subnets.

◦ Security Group: Assign the alb-metabase-sg security group.

2 Create a Target Group:

◦ Target Type: IP.

◦ Name: metabase-target.

◦ Port: 3000.

◦ VPC: Same as above.

◦ Health Check: Path /api/health, protocol HTTP.

◦ Click Create.

3 Configure Listener Rules:

 ◦ Add a rule to forward HTTP traffic to the metabase-target target
group.

Step 6: Create a Fargate Service

1 Navigate to ECS:

◦ Go to Clusters > Select your cluster (metabase-cluster) >

Services > Create.

2 Configure Service:

◦ Launch Type: Fargate.

◦ Task Definition: Select metabase-task (latest revision).

◦ Service Name: metabase-service.

◦ Number of Tasks: 1 (adjust for scaling needs).

◦ VPC and Subnets: Select the same VPC and private subnets.

◦ Security Group: Assign the fargate-metabase-sg security group.

◦ Load Balancer:

▪ Select Application Load Balancer.

▪ Choose metabase-alb and associate it with the metabase-target

target group.

◦ Auto-scaling (optional): Configure based on CPU/memory usage

or request count.

◦ Click Create Service.

Step 7: Complete Metabase Setup

1 Access Metabase:

◦ Get the ALB’s DNS name from the EC2 Load Balancer console.

◦ Open a browser and navigate to http:// or https:// if using HTTPS.

◦ Metabase will load its setup wizard.

2 Run the Setup Wizard:

◦ Follow the on-screen instructions to configure Metabase.

 ◦ The RDS database connection is already configured via
environment variables in the task definition.

◦ Create an admin account and connect to your data sources.

Step 8: Monitor and Secure

1 Enable CloudWatch Logs:

◦ Verify that logs are being sent to /ecs/metabase in CloudWatch.

◦ Monitor task health and performance using CloudWatch

Container Insights.

2 Secure the Deployment:

◦ Enable HTTPS on the ALB using an SSL certificate from AWS

Certificate Manager (ACM).

◦ Restrict security group rules to minimize exposure.

◦ Regularly update the metabase/metabase:latest image to the

latest version for security patches.

◦ Take manual snapshots of the RDS instance and test your

disaster recovery plan.

3 Backup and Recovery:

◦ Ensure automated RDS backups are enabled.

◦ Periodically test restoring from snapshots to verify your