We are sunsetting On-Premises API. Refer to our On-Premises API Sunset document for details, and to learn how to migrate to our next-generation Cloud API.

Deploying with Amazon Web Services

This document shows you how to use Amazon Web Services (AWS) to deploy the WhatsApp Business API. The process can be divided into two main steps:

  1. WhatsApp Business API client Deployment
  2. WhatsApp Business API client Configuration

Once you have completed the set up, you can choose to upgrade the client. If you ever need to restart both the Webapp and CoreApp, follow these steps.

This document walks through a new AWS template that we have tested for higher and more stable messaging throughput. If you are looking for the older AWS template, see AWS Archive.

Get Started

Before you start you will need to:

Set up an AWS Account ID

You need to set up a valid AWS account and be familiar with working on AWS. WhatsApp provides CloudFormation templates for deploying the WhatsApp Business API client easily. Refer to the AWS Getting Started Resource Center for more information.

Create an AWS Key Pair

You need to create a new key pair to access the EC2 instance created by the WhatsApp Business API template. You can also use a previously created key pair. Refer to the Amazon EC2 Key Pairs documentation for information about creating and using key pairs with an EC2 instance.

The key pair needs to be created using the region for which you are deploying the WhatsApp Business API.

Subscribe to a CentOS 9 Image

The WhatsApp Business API client makes use of a CentOS 9 image (available in the AWS Marketplace). Terms and conditions should be reviewed and accepted before using the template. Failure to accept the terms will lead to the template creation failure.

To review and accept the CentOS 9 AMI image:

  1. Go to the AWS Marketplace: CentOS 9 (x86_64) - with Updates HVM page.
  2. Click Continue to Subscribe in the upper right corner, then click the Accept Terms button.

Supported Regions

The WhatsApp Business API templates use the EFS resource type, which is not available in all AWS regions. Hence, only the following regions are currently supported:

  • N. Virginia (us-east-1)
  • Ohio (us-east-2)
  • N. California (us-west-1)
  • Oregon (us-west-2)
  • Mumbai (ap-south-1)
  • Seoul (ap-northeast-2)
  • Singapore (ap-southeast-1)
  • Sydney (ap-southeast-2)
  • Tokyo (ap-northeast-1)
  • Frankfurt (eu-central-1)
  • Ireland (eu-west-1)

Depending on initial testing, WhatsApp will determine whether we can provide an alternate option that is available in all regions.

FAQ

Deployment

Step 1: [Optional] Network Setup

The Virtual Private Cloud (VPC) network is generally created when you sign up for an AWS account. Further, there could be several customizations and access control restrictions required that are specific to an enterprise business.

If the VPC network infrastructure is already created, you can skip this step. Otherwise, the following template can be used to create the network infrastructure on AWS.

The network template is provided for reference purposes only. You can modify it to your specific needs.

Network Requirements

  • There must be at least two subnets in different availability zones within the region. Otherwise, template creation will fail while creating the RDS (database) resource.
  • It should allow inbound access to HTTP (port: 80), HTTPS (port: 443) and SSH (port: 22). For security reasons, it is highly recommended you use HTTPS and avoid HTTP.

To deploy the network template:

  1. Go to the CloudFormation console for your region (for example, eu-west-1).
  2. Select Create a stack.
  3. Download the wa_ent_net.yml file from GitHub and save it locally.
  4. Choose Upload a template file as the template source and upload the template file downloaded from step 3.
    Create Stack
  5. Click Next.
  6. On the Specify stack details screen, input the parameter values according to the table below:

Parameters

NameDescription

Stack name

Required.

Name of the stack to be created.

Availability Zones Configuration

NameDescription

Availability zones

Required.

The availability zones (AZs) for creating the VPC.
The template requires at least 2 AZs to be selected. For a production environment, it is recommended to select at least 3 AZs.

Number of availability zones

Required.

The number of availability zones selected.

VPC Configuration

NameDescription

IP address range

Required.

The IP address range (CIDR) for this VPC.

Tenancy

Required.

The VPC tenancy
Options: default, dedicated

Public Subnet Configuration

NameDescription

IP range - subnet #1

Required.

The IP address range (CIDR) for public subnets

IP range - subnet #2

Required.

The IP address range (CIDR) for public subnets

IP range - subnet #3

Optional.

Required if the number of availability zones is greater than 2.

IP range - subnet #4

Optional.

Required if the number of availability zones is greater than 3.

Private Subnet Configuration

NameDescription

Create private subnets?

Required.

Options: true (default), false
If a private subnet is not required for some reason, this flag can be set to false.

IP range - subnet #1

Conditional.

Required if the private subnet creation is set to true.

IP range - subnet #2

Conditional.

Required if the private subnet creation is set to true.

IP range - subnet #3

Conditional.

Required if the private subnet creation is set to true and the number of AZs is greater than 2.

IP range - subnet #4

Conditional.

Required if the private subnet creation is set to true and the number of AZs is greater than 3.

Step 2: Upload DB and Monitoring Stack Configuration Files

Before deploying the WhatsApp Business API stack on AWS, you need to first upload referenced substacks’ configuration files to an S3 bucket that you have read access to.

  1. Create a new S3 bucket or use an existing S3 bucket that you have read access to.
  2. Download the wa_ent_db.yml file and the wa_ent_monitoring.yml file from GitHub and upload both of them to the S3 bucket mentioned in step 1.
  3. Choose the wa_ent_db.yml file from the Objects list, and copy its URL. It should be in the format of https://xxx.s3.<avalability_zone>.amazonaws.com/wa_ent_db.yml.
  4. In the wa_ent.yml file, replace the value of the TemplateURL in the dbStack with the object URL from step 3 and save the file.
  5. Choose the wa_ent_monitoring.yml file from the Objects list, and copy its URL. It should be in the format of https://xxx.s3.<avalability_zone>.amazonaws.com/wa_ent_monitoring.yml.
  6. In the wa_ent.yml file, replace the value of the TemplateURL in the Monitoring stack with the object URL from step 5 and save the file.
Upload to S3 Bucket

Step 3: WhatsApp Business API Deployment

WhatsApp Enterprise is the main template and creates all the resources (except the network) required for the WhatsApp Business API client. As noted earlier, this template also creates a database resource, if required.

To deploy the WhatsApp Business API client:

  1. Go to the CloudFormation console for your region (for example, eu-west-1).
  2. Select Create a stack.
  3. Download the wa_ent.yml file from GitHub and save it locally.
  4. Choose Upload a template file as the template source and upload the template file downloaded from step 3.
    Create Stack
  5. Click Next
  6. You will then be able to enter parameters. Refer to the table below for parameter descriptions.
  7. After setting all parameters (in the tables below), click Next onto the Configure stack options page. You may make any necessary changes based on your preferences and click Next.
  8. On the Review stack page, you will see a summary of parameter values and stack options. After verification, in the Capabilities section, check both boxes and click Submit to start creating the stack.
    Note: The deployment takes about 20-30 minutes.

Parameters

NameDescription

Stack name

Required.

The name of the stack to be created.

The stack name must be less than or equal to 22 characters. Note: For deployments in the ap-southeast-1, ap-southeast-2, ap-northeast-1, or ap-northeast-2 regions, the stack name must use 8 characters or less.

If the stack name is longer then these requirements, the creation of the stack will hang and fail, as it will not be able to create the SSL certificate.

General Configuration

NameDescription

High Availability

Optional.

Enables the High Availability feature.


Default: enabled

Desired Throughput

Required.

Number of messages you wish to send per second.


Together with the Type of Message option, server and database resources will be automatically selected and configured to meet the desired throughput when sending the selected type of messages.

Type of Message

Required.

The dominant message type you wish to send and receive.


Together with the Desired Throughput option, server and database resources will be automatically selected and configured to meet the desired throughput when sending the selected type of messages.

Host exporter for instance monitoring

Optional.

Installs node-exporter on each CoreApp host for instance monitoring purposes.


Default: enabled

Network Configuration

NameDescription

Network Stack Name

Required.

The name of the network CloudFormation stack created by the network setup step.

Number of subnets

Required.

The number of subnets chosen.


Currently we only support 2 subnets for deployment to distribute the ECS tasks evenly on all hosts.

Load balancer scheme

Required.

Currently we only support Internet-facing load balancers, which are visible to the public. Please modify the security groups after the API stack is created to close off unnecessary access.

Container Configuration

NameDescription

Keypair to use

Required.

The appropriate key pair to access the EC2 instance, if required.

WA Enterprise container registry

Optional.

This is for future-proofing and to support experimental WhatsApp Business API clients. The default value should be good for a majority of cases.

WA Enterprise Client version

Required.

It's always recommended to use the latest stable version (see the changelog for the latest version).
Format: v2.yy.xx

The WhatsApp Business API client version always begins with a "v", unless explicitly stated otherwise. Using an incorrect version will cause stack creation failure.

EBS volume size

Required.

It's recommended choosing 32GB or more for production work loads.

Database Configuration

NameDescription

Store configuration in DB

Optional.

Enables storing configuration information in the database.
Options: true (default), false
Setting the value to false disables storing the configuration information in the database and stores it in files instead.

Existing DB hostname

Optional.

The existing database hostname.
If you already have a dedicated MySQL database instance for the WhatsApp Business API client, you can enter the hostname here.
Leaving it empty will create a new Amazon Aurora instance. For stable high throughput, we highly recommend creating a new Aurora database or using an existing Aurora database previously created by this template.

Administrator name

Required.

The administrator name for accessing the database.

Administrator password

Required.

The administrator password for accessing the database.

The database password should not contain any of these characters: ?{}&~!()^/"@

Server port

Required.

Port number to access the database backend.

Persist DB Connection

Optional.

Indicates whether to persist Database connection for Web containers.


Default: enabled

DB Idle Connection Timeout

Optional.

The length of time in milliseconds after which the database closes idle connections.
Default: 180000 ms

Logging Configuration

NameDescription

Logging driver for container logs

Optional.

The logging driver for the container logs.
Options: json-file, awslogs(default)
The json-file value stores the logs on EC2 hosts. The awslogs value streams all container logs to CloudWatch.

Maximum container log file size

Optional.

The maximum size of a container log file in MB before it's rotated.

Allowed values between 1 and 250 (both inclusive). Default: 50.

Maximum number of container log files

Optional.

The maximum number of log files to retain per container.
Stopped containers are eventually removed from the host. In those cases, all the retained log files for that container are deleted.

Allowed values between 1 and 30 (both inclusive). Default: 7.

Days to retain CloudWatch logs

Optional.

Number of days to retain logs in CloudWatch.
Select from one of the available values in the list.

Default: 7

Filesystem Configuration

NameDescription

File system identifier

Not used.

Leave this parameter empty.

Security Configuration

NameDescription

Key to encrypt DB & EFS

Optional.

By default, the AWS service key (the Default-Key option) is used to encrypt DB & EFS data at rest. Other options are:

  • Unencrypted: The data at rest is not encrypted
  • Create-New-Key: A new KMS key is created and used to encrypt the data
  • User-Provided-Key: You can provide a KMS key ID that is used to encrypt the data. Leave this blank, if another option is selected.

User provided key id

Optional.

You can provide a KMS key ID that is used to encrypt the data. Leave this blank, if the User-Provided-Key option is not selected.

DB connection encryption

Optional.

By default, the data in transit to the database is encrypted. This is currently only applicable for the Coreapp. Webapp encryption is not yet supported. In addition, with a new database engine, even if this option is disabled, the Coreapp performs encryption, but without server certificate (identity) verification.

CA certificate for DB connection

Optional.

The default value contains the RDS certificate bundle. If a non-RDS database is used, then the appropriate CA certificate bundle can be provided or you can leave it blank. The default value is adequate for enabling a secure connection with the database.

Client certificate for DB connection

Optional.

The client certificate for the database connection

Client key for DB connection

Optional.

The client key for the database connection

WhatsApp Business API Access Point

These parameters are required for Grafana dashboards to retrieve application metrics for monitoring purposes.

NameDescription

WAWebUsername

Required.

Specifies the WhatsApp Business API Username.

WAWebPassword

Required.

Specifies the password for WAWebUsername. This will be the new password after you change the default password at the first login.

Grafana

NameDescription

GrafanaAdminPassword

Required.

Specifies the password that is used as the login password for the Grafana dashboard when the stack is created.

GrafanaEnableSmtp

Optional.

Indicates whether SMTP is enabled for setting up email alerts. Valid values are: 0 for disabled and 1 for enabled.

Default: 0 (disabled)

GrafanaSmtpHost

Optional.

The SMTP host used in email alerts. For instance, smtp.gmail.com:465.

GrafanaSmtpUser

Optional.

Specifies the SMTP user name used in email alerts.

GrafanaSmtpPassword

Optional.

Specifies the SMTP password used in email alerts.

Output after Deployment

Upon successful creation of template, the following parameters are displayed:

  • Load balancer name: Hostname of the load balancer accessing the WhatsApp Business Platform API client
  • Database hostname: Hostname of the database that is created or provided during template creation
  • Database port number: Port number for the database connection
  • ECS cluster name: Name of the ECS cluster created
  • Log retention days: Number of days to retain logs
  • DB connection CA: Value of DB Connection CA if configured
  • DB connection cert: Value of DB Connection cert if configured
  • DB connection key: Value of DB Connection key if configured
  • Grafana: Grafana Dashboard URL
  • ShardCount: Number of shards to configure for the WhatsApp Business Platform API

Edit SSH Security Rules

By default, the security rules created by the stack allow all traffic to be able to reach the EC2 instances through SSH, the API endpoints and Grafana dashboard through HTTPs, and the cadvisor and Prometheus containers. For security reasons, you are highly recommended to close off unnecessary access. This section will illustrate the steps updating the SSH security rule as an example. You should always restrict SSH access to only traffic you trust.

  1. In the EC2 - Security Groups console (for instance: EC2 Management Console (amazon.com)):
    1. Select the correct region in the upper right corner.
    2. Select the security group that contains <stackName>-EcsSecurityGroup, then switch to the Inbound Rules tab.
      Edit Inbound Rules
    3. Select Edit inbound rules, update the Source column to only allow trusted traffic (for instance: My IP) to access EC2 hosts through SSH.
    4. After adjusting all security rules, click Save rules to apply the changes.
    5. Repeat these changes for the security group that contains "<stackName>-ms-xxx-EcsSecurityGroup" to restrict SSH access for the monitoring stack.

WhatsApp Business API Client Configuration

Once the WhatsApp Business API client is successfully deployed, it needs to be configured to bring it into operation.

Step 1: Phone Registration

Refer to the Phone Number guide for more in-depth information about phone number registration.

Download the base64-encoded certificate from your WhatsApp account in the Facebook Business Manager under the Phone Numbers tab of the WhatsApp Manager.

Once you have the correct phone number selected and have the base64-encoded certificate, you need to register the WhatsApp Business API client via the account node. Refer to the Registration documentation for more information.

If the phone number is capable of receiving text messages, use the SMS method for registration code retrieval.

If you have already received the registration code from WhatsApp, you can skip this step.

Step 2: Set Shards

After the stack is created, you need to use the shards API call to increase the number of active Coreapp instances to achieve the desired throughput. The number of shards can be found in the Output section of the stack.

Step 3: Update Application Settings

The configuration of WhatsApp Business API web callbacks and other parameters is described in the Application Settings documentation. To achieve stable throughput, the following application settings are recommended.

 {
    "settings": {
        "application": {
            "callback_backoff_delay_ms": 3000,
            "callback_persist": true,
            "db_garbagecollector_enable": false, # change this to true when there are no ongoing messaging campaigns
            "heartbeat_interval": 5,
            "max_callback_backoff_delay_ms": 900000,
            "media": {
                "auto_download": [
                    "document",
                    "image",
                    "video",
                    "voice",
                    "sticker",
                    "audio"
                ]
            },
            "notify_user_change_number": true,
            "pass_through": false,
            "sent_status": true,
            "show_security_notifications": false,
            "skip_referral_media_download": false,
            "unhealthy_interval": 30,
            "wa_id": "12245552741",
            "webhooks": {
                "max_concurrent_requests": 24,
                "message": {
                    "delivered": true,
                    "read": true,
                    "sent": true
                },
                "url": "<YOUR_WEBHOOK_SERVER_URL>"
            }
        }
    },
    "meta": {
        "api_status": "stable",
        "version": "2.41.3"
    }
}

      
      
    

Step 4: [Optional] SSL Configuration

The WhatsApp Business API client generates a self-signed certificate by default when it is created. The Certification Authority (CA) certificate used to generate the self-signed certificate might be required to verify the WhatsApp Business API client endpoint and to avoid a certificate trust warning.

You can download the CA certificate and store it locally to avoid the certificate trust warning, or upload your own. Refer to the certificate node documentation for more information.

In AWS deployments, the SSL certificate is created using the load balancer hostname. If an IP address is used instead of the hostname for access, the warning will still be noticed.

WhatsApp will support configuring customer provided SSL certificates in a future release.

Step 5: Validation of the Setup

Once the configuration and registration steps are successful, a message can be sent and received to validate the basic functionality of WhatsApp Business API client. This is fully described in the Messages documentation.

Upon successful receipt of a message, the WhatsApp Business API client will POST the message status/details to the Webhook configured in Step 3.

If your message was successfully received, congratulations, you are all set! Please refer to the Reference documentation for more information on the available API endpoints.

Restarting the Coreapp and Webapp

To restart the WhatsApp Business API client, in the the ECS console (for example, https://us-west-2.console.aws.amazon.com/ecs/home?region=us-west-2#/clusters):

  1. Select the correct region in the upper right corner.
  2. Select the appropriate cluster from the list.
  3. Under the Services tab, select the service name that contains WAEntService.
  4. Select the Tasks tab. There should typically be only one task, with an ID made of hex digits.
  5. In the Tasks window, click Stop in the upper right corner, then click Stop again when prompted.

This stops both the Webapp and CoreApp. Shortly after, the AWS infrastructure restarts both the Webapp and CoreApp.

You can expect about a minute or two of downtime.

Upgrading

Updating a CloudFormation stack directly may result in the database to be destroyed and recreated. We highly recommend you to follow the manual steps in the next section to update the system to avoid loss of data.

This section walks through how to upgrade both the WhatsApp Business API Client and the CloudFormation (CFN) Template. Performing an upgrade will result in a downtime, so do not send messages during this time. Resume sending messages only after the upgrade is complete.

You can upgrade the CFN Template and the WhatsApp Business API client version at the same time by doing the following:

  1. In Step 5 of the WhatsApp Business API Client Upgrade instructions, instead of Use current template, select Replace current template.
  2. In the Specify template section, choose “Upload a template file” and choose the latest template file downloaded from GitHub.

WhatsApp Business API Client Upgrade

  1. Go to the CFN console (for example, https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks?filter=active).
  2. Select the correct region in the upper right corner.
  3. Select the WhatsApp Business API client stack that was already created.
  4. Click Update.
  5. On the Prerequisite - Prepare template page, select the Replace current template option. In the Specify template section, choose “Upload a template file” and choose the latest template file downloaded from GitHub. Click Next.
  6. On the Specify stack details page, change the WhatsApp Business API Client (container) version to the desired version. DO NOT CHANGE any other parameter. Click Next.
  7. On the Configure stack options page, click Next.
  8. On the Review page, select "I acknowledge that AWS CloudFormation might create IAM resources with custom names." Review the Change set preview section for any unexpected changes. If there are any unexpected changes or you are unsure, please contact WhatsApp Direct Support. Click Update stack. The Stack Update status can be tracked in the CFN console and will change from UPDATE_IN_PROGRESS to UPDATE_COMPLETE once the upgrade is finished.

Quick upgrade verification: Send a text message and verify that the API response contains the correct version number (i.e., the new version). Verify also that the message is received by the recipient.

WhatsApp CFN Template Upgrade

  1. Go to the CFN console (for example, https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks?filter=active).
  2. Select the correct region in the upper right corner.
  3. Select the WhatsApp Business API client stack that was already created.
  4. Click Update.
  5. On the Prerequisite - Prepare template page, select the Replace current template option. In the Specify template section, choose “Upload a template file” and choose the latest template file downloaded from GitHub. Click Next.
  6. On the Specify Stack Details page, enter the appropriate parameters, per the information in previous sections. Click Next.
  7. On the Configure Stack Options page, click Next.
  8. On the Review page, select "I acknowledge that AWS CloudFormation might create IAM resources with custom names." Review the Change set preview section for any unexpected changes. If there are any unexpected changes or you are unsure, please contact WhatsApp Direct Support. Click Update stack. The Stack Update status can be tracked in the CFN console and will change from UPDATE_IN_PROGRESS to UPDATE_COMPLETE once the upgrade is finished.

How to Manually Reduce Cost when your System in Idle (Optional)

It is common that businesses want to set up a high throughput environment for a time-bounded campaign and wish to keep a low-cost environment running during non-campaign time. This section offers suggestions on how to manually scale down the AWS setup to save cost.

Important: Please be reminded that there will be downtime. Estimated downtime may be 5 to 15 minutes. Please make sure that you have all DevOps best practices followed, such as application settings backup and database backup.

  1. In the ECS console (e.g.: Amazon ECS:)
    1. Select the correct region in the upper right corner.
    2. Select the appropriate cluster from the list.
    3. In the Services tab, select the service name that contains WAEntCoreappService. Choose Edit Service, and update the "Desired tasks" value to 0.
      Deployment Configuration
    4. Repeat step c for all other services, including WAEntWebService, WAEntMasterService, and HostExporterService.
    5. Go back to the cluster page, in the Tasks tab, make sure there are no running tasks of the above services.
  2. In the EC2 - Auto Scaling Groups console (e.g.: Auto Scaling groups | EC2 Management Console (amazon.com)):
    1. Select the correct region in the upper right corner.
    2. Select the auto scaling group of the stack with HAECSAutoScalingGroup in the name, and choose Edit. Update both the “Desired capacity” and the “Minimum capacity” to 3.
      Group Size
    3. Select the auto scaling group of the stack with HAECSAutoScalingGroupWeb in the name, and choose Edit. Update both the “Desired capacity” and the “Minimum capacity” to 2.
  3. (Optional) If the initial value of "Type of message" is any of the image types, you can replace the EC2 instance types with the cheaper option of c5.large.
    1. In the EC2 - Launch Templates console, select the appropriate launch template from the list.
    2. Select Actions - Modify template (create new version).
      Launch Templates Console
    3. In the Instance type section, update the Instance type to c5.large, then choose Create template version.
      Instance Type
    4. In the EC2 - Auto Scaling Groups console, select the auto scaling group of the stack with HAECSAutoScalingGroup in the name.
    5. Select Edit in the Launch template section.
    6. Select the new launch template created in step 3c and choose Update.
      Launch Template
  4. In the RDS console (e.g.: RDS Management Console (amazon.com)):
    1. Select the correct region in the upper right corner.
    2. Select the appropriate Aurora database from the list.
    3. Select Modify, and update the DB instance class to r5.xlarge.
      Instance Configuration
  5. In the ECS console (e.g.: Amazon ECS):
    1. Select the correct region in the upper right corner.
    2. Select the appropriate cluster from the list.
    3. In the Services tab, select the service name that contains WAEntCoreappService. Choose Edit Service, and update the "Desired tasks" value to 3.
    4. In the Services tab, select the service name that contains HostExporterService. Choose Edit Service, and update the "Desired tasks" value to 3.
    5. In the Services tab, select the service name that contains WAEntWebService. Choose Edit Service, and update the "Desired tasks" value to 2.
    6. In the Services tab, select the service name that contains WAEntMasterService. Choose Edit Service, and update the "Desired tasks" value to 2.
  6. Wait for all services to launch the desired number of tasks. Once all tasks are running, use Set Shards API to reset the shards to 2.
  7. Validate the health of the system with the Health API. A message can also be sent and received to validate the basic functionality of WhatsApp Business API client. This is fully described in the Messages documentation.