4.2 Boot & Install

On AWS, Talos is installed via the AMI that was built and registered during the Provision Compute step. The EC2 instances boot directly from this AMI — there is no separate installation step.

How It Works

  1. The Formae modules/compute.pkl module launches EC2 instances with imageId set to the Talos AMI
  2. Each instance boots Talos Linux from the AMI root volume (/dev/xvda)
  3. Talos enters maintenance mode, waiting for a machine configuration to be applied via talosctl

Apply Machine Configuration

After the EC2 instances are running, apply the machine configuration generated in 4.1 Generate Machine Configuration:

Control Plane Nodes

# Apply config to each control plane node
# Use the NLB DNS name as the endpoint, or individual private IPs
talosctl apply-config \
  --insecure \
  --nodes <control-plane-private-ip> \
  --file controlplane.yaml

Worker Nodes

talosctl apply-config \
  --insecure \
  --nodes <worker-private-ip> \
  --file worker.yaml

Note

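The --insecure flag is required for the initial configuration apply because the node does not yet have TLS credentials. After the first apply, all subsequent communication uses mTLS. Until that first apply, the Talos API on port 50000 accepts unauthenticated requests in maintenance mode, so restrict who can reach it (see allowedAdminCidr below) and apply the configuration promptly after boot.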

Accessing Nodes

Since nodes are in private subnets, you need network access to reach them:

  • Internet-facing NLB (nlbInternal = false): Use the NLB DNS name with allowedAdminCidr set to your IP
  • Internal NLB (nlbInternal = true): Access via VPN or bastion host within the VPC

The NLB forwards:

  • Port 6443 → Kubernetes API on control plane nodes
  • Port 50000 → Talos API on control plane nodes

For worker nodes, you must route through a control plane node:

# Configure talosctl to use the NLB endpoint
talosctl config endpoint <nlb-dns-name>

# Then target individual worker nodes
talosctl -n <worker-private-ip> get members
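
The apply step and the --insecure note above can be turned into a check that a node really leaves maintenance mode and only answers over mTLS afterwards. The script below is an added example, not part of the project; its function names are hypothetical, and it assumes talosctl is on PATH with the talosconfig from 4.1 and an endpoint configured as shown above.

```sh
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.
# Assumes talosctl is on PATH and its talosconfig (from step 4.1) already has
# an endpoint that can reach the node.

WAIT_TRIES=${WAIT_TRIES:-30}   # polls before giving up
WAIT_SLEEP=${WAIT_SLEEP:-10}   # seconds between polls

# True while the node still answers unauthenticated maintenance-mode calls.
maintenance_open() {
  talosctl --nodes "$1" version --insecure >/dev/null 2>&1
}

# True once the node answers a normal call authenticated with client certs.
mtls_ready() {
  talosctl --nodes "$1" version >/dev/null 2>&1
}

# apply_and_verify FILE NODE
# Returns 0 if applied and the node now requires mTLS; 2 = config invalid,
# 3 = node not reachable in maintenance mode, 4 = apply failed,
# 5 = maintenance API still open or mTLS not ready within the wait budget.
apply_and_verify() {
  _file=$1
  _node=$2
  talosctl validate --config "$_file" --mode cloud >/dev/null || return 2
  # Refuse to send --insecure to a node that is already configured.
  maintenance_open "$_node" || return 3
  talosctl apply-config --insecure --nodes "$_node" --file "$_file" || return 4
  _try=0
  while [ "$_try" -lt "$WAIT_TRIES" ]; do
    if ! maintenance_open "$_node" && mtls_ready "$_node"; then
      return 0
    fi
    _try=$((_try + 1))
    sleep "$WAIT_SLEEP"
  done
  return 5
}

# Stand-alone use: sh apply-verify.sh controlplane.yaml <control-plane-private-ip>
if [ "$#" -eq 2 ]; then
  apply_and_verify "$1" "$2"
  exit $?
fi
```

A return code of 5 means the node still accepts unauthenticated calls after the apply, which is the case to investigate before exposing port 50000 any further.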

Talos Extensions

If you built a custom AMI with extensions via schematic.yaml, those extensions are baked into the image and active at boot. No additional configuration is needed.

The schematic.yaml file in the project lists available extensions:

formae/cluster/aws/schematic.yaml
customization:
  systemExtensions:
    officialExtensions: []
      # Uncomment extensions as needed:
      # - siderolabs/iscsi-tools
      # - siderolabs/zfs
      # - siderolabs/tailscale

See github.com/siderolabs/extensions for the full list.