Setup Guide
Deploy OpenClaw to the Cloud
Run OpenClaw on cloud infrastructure for always-on availability, better performance, and enterprise scalability. This guide covers deployment to AWS, Google Cloud Platform, Azure, and popular VPS providers. Follow this guide to set it up yourself, or let our team handle it for you.
Prerequisites
- Cloud provider account (AWS, GCP, Azure, or VPS)
- Basic cloud/server administration knowledge
- SSH access configured
- Domain name (recommended for production)
- SSL certificate (Let's Encrypt or commercial)
Cloud Deployment Overview
Deploying OpenClaw to cloud infrastructure provides significant advantages over local installations: always-on availability ensures your assistant responds even when your personal devices are off, cloud networking offers better connectivity to messaging platforms, and cloud resources can scale to handle multiple users or high message volumes.
This guide covers deployment strategies for major cloud providers including Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and general VPS providers like DigitalOcean, Linode, and Vultr. While the specific console interfaces differ, the fundamental concepts remain consistent across providers.
Choosing Your Deployment Model
Cloud deployment options range from simple single-server setups to complex multi-region architectures. For personal use, a single small virtual machine provides sufficient resources at minimal cost. For business or team deployments, consider load-balanced configurations with database backends. Enterprise deployments may require Kubernetes orchestration, multiple availability zones, and dedicated security infrastructure.
Start simple and scale as needed. A single 2-vCPU, 4GB RAM instance handles most personal and small business workloads effectively. You can always scale up or out as your requirements grow. The configurations in this guide build from simple to complex, so you can stop at any point that meets your needs.
Cost Considerations
Cloud costs vary significantly between providers and instance types. For reference, a suitable VM for personal OpenClaw use typically costs $10-25/month across major providers. This includes compute, storage, and typical bandwidth usage. Additional costs may include domain registration, SSL certificates (free with Let's Encrypt), and backup storage.
DigitalOcean specifically offers a one-click OpenClaw deploy starting at $24/month with a security-hardened image, representing a good middle ground between manual setup and managed services. This option includes automatic updates and basic monitoring, reducing operational overhead.
Deploying to Amazon Web Services
Amazon Web Services offers extensive infrastructure options for OpenClaw deployment. This section covers EC2-based deployment, which provides the most control and flexibility for running OpenClaw.
Creating an EC2 Instance
Start by launching a new EC2 instance from the AWS Console. Select Ubuntu 22.04 LTS as the base AMI for best compatibility with OpenClaw. For instance type, t3.small (2 vCPU, 2GB RAM) works for light usage, while t3.medium (2 vCPU, 4GB RAM) handles heavier workloads comfortably. Enable detailed monitoring if you want CloudWatch metrics.
Configure the security group to allow SSH (port 22) from your IP address, HTTP (port 80) and HTTPS (port 443) from anywhere for web access, and optionally port 18789 for direct WebSocket access during setup. Restrict SSH access to known IP addresses for security.
Storage Configuration
Allocate at least 20GB of EBS storage for the root volume. gp3 storage type offers good performance at reasonable cost. For production deployments, consider separate EBS volumes for data directories to enable easier backups and snapshots. Enable encryption at rest using AWS-managed keys or customer-managed KMS keys for sensitive deployments.
Network Configuration
Launch the instance in a VPC with proper subnet configuration. For simplicity, a public subnet with auto-assigned public IP works well. For enhanced security, deploy in a private subnet with NAT Gateway for outbound internet access and Application Load Balancer for inbound traffic. The ALB can handle SSL termination and provides health checking.
Installing OpenClaw
After the instance launches, SSH into it using your key pair. Update the system packages, install Node.js 22 using NodeSource repository, and install OpenClaw globally. Run the onboarding wizard with daemon installation to configure and start the Gateway. The instance's public IP or Elastic IP provides initial access.
Securing with ALB and SSL
For production deployments, place an Application Load Balancer in front of your instance. Request an SSL certificate through AWS Certificate Manager (free for AWS resources). Configure the ALB listener on port 443 with HTTPS and forward to your instance's port 18789. This setup provides SSL termination, health checking, and a foundation for future scaling.
Deploying to Google Cloud Platform
Google Cloud Platform provides excellent networking and competitive pricing for OpenClaw deployments. This section covers Compute Engine deployment with Cloud Load Balancing for production readiness.
Creating a Compute Engine Instance
Navigate to Compute Engine in the GCP Console and create a new VM instance. Select a region close to your primary users for lower latency. Choose Ubuntu 22.04 LTS as the boot disk image with at least 20GB SSD persistent disk. For machine type, e2-small (2 vCPU, 2GB RAM) suits light usage, while e2-medium (2 vCPU, 4GB RAM) handles typical workloads.
Under networking, enable HTTP and HTTPS traffic in the firewall rules. Assign an external IP address or set up Cloud NAT if deploying in a private network. Enable deletion protection for production instances to prevent accidental removal.
Setting Up Cloud NAT
For instances without external IP addresses, Cloud NAT provides outbound internet access. Create a Cloud Router and NAT gateway in your VPC. This configuration enhances security by keeping instances private while allowing necessary outbound connections to messaging platforms and AI APIs.
Installing OpenClaw
Connect to your instance using gcloud compute ssh or the browser-based SSH in the Console. Install Node.js 22 and OpenClaw following the standard Linux installation process. The onboarding wizard configures the Gateway daemon. Test access via the external IP on port 18789 before setting up load balancing.
Configuring Cloud Load Balancing
For HTTPS access with managed SSL, create an external HTTP(S) load balancer. Add your instance to a backend service with health checks. Create a Google-managed SSL certificate for your domain. Configure URL maps to route all traffic to your backend. The load balancer handles SSL termination and provides a stable endpoint.
Using Cloud Armor
Cloud Armor provides DDoS protection and WAF capabilities. Create a security policy with rules to block malicious traffic patterns. Apply the policy to your load balancer's backend service. For OpenClaw deployments, consider rate limiting rules to prevent abuse while allowing legitimate high-frequency interactions.
Deploying to Microsoft Azure
Microsoft Azure offers robust infrastructure with excellent enterprise integration. This section covers Virtual Machine deployment with Application Gateway for production configurations.
Creating an Azure Virtual Machine
In the Azure Portal, create a new Virtual Machine resource. Select Ubuntu 22.04 LTS as the image and Standard_B2s (2 vCPU, 4GB RAM) as the size for typical workloads. Configure SSH authentication with your public key. Under networking, create or select a virtual network and subnet, enable public IP assignment, and configure the network security group.
The network security group (NSG) controls traffic to your VM. Add inbound rules for SSH (port 22) from your IP, HTTP (80), HTTPS (443), and optionally WebSocket (18789) during initial setup. Remove direct access rules after configuring the Application Gateway.
Managed Disks Configuration
Azure uses managed disks for VM storage. The default 30GB Premium SSD provides good performance. For data persistence, consider attaching an additional data disk mounted to the OpenClaw data directory. Enable Azure Backup for automated snapshots if required by your recovery objectives.
Installing OpenClaw
Connect to your VM via SSH using Azure CLI or a direct SSH client. Install Node.js 22 from NodeSource, then install OpenClaw globally. Run the onboarding wizard to configure the Gateway. Azure VMs have good network connectivity, so channel connections should establish reliably.
Application Gateway Setup
Azure Application Gateway provides Layer 7 load balancing with WAF capabilities. Create an Application Gateway in the same region as your VM. Configure the backend pool with your VM's private IP. Set up HTTP settings with WebSocket support enabled. Create a listener on port 443 with an SSL certificate from Key Vault or uploaded directly.
The Application Gateway's WAF can be enabled in detection or prevention mode. Start with detection mode to understand traffic patterns before enabling prevention. Configure exclusions for WebSocket paths if the WAF causes connection issues.
Azure CDN Integration
For the WebChat interface, Azure CDN can cache static assets and provide global edge locations for faster loading. Create a CDN profile and endpoint pointing to your Application Gateway. Configure caching rules to cache static resources while bypassing API and WebSocket paths.
Deploying to VPS Providers
Virtual Private Server (VPS) providers like DigitalOcean, Linode, and Vultr offer simpler interfaces and predictable pricing. This section covers deployment patterns that work across most VPS providers.
DigitalOcean One-Click Deploy
DigitalOcean offers a one-click OpenClaw deployment that significantly simplifies setup. The preconfigured droplet includes Ubuntu 22.04, Node.js 22, OpenClaw, security hardening, and automatic updates. Simply select the OpenClaw app from the Marketplace, choose your droplet size (minimum 2GB RAM recommended), and launch. Initial configuration completes through the web interface.
The one-click deploy costs $24/month for the Basic droplet tier and includes a security-hardened image maintained by the OpenClaw community. This option represents the easiest path to a production-ready cloud deployment.
Manual VPS Setup
For manual setup on any VPS provider, start with Ubuntu 22.04 and at least 2GB RAM. After creating the server, SSH in and perform initial security hardening: update packages, configure the firewall, disable root SSH login, and set up fail2ban for brute-force protection.
Install Node.js 22 from NodeSource, then install OpenClaw globally. Run the onboarding wizard with daemon installation. Configure your firewall (ufw on Ubuntu) to allow SSH, HTTP, HTTPS, and optionally the WebSocket port. Set up Let's Encrypt for free SSL certificates using Certbot.
Nginx Reverse Proxy
Place Nginx in front of OpenClaw for SSL termination and added security. Install Nginx, configure a server block for your domain, and proxy requests to localhost:18789. Obtain SSL certificates with Certbot's Nginx plugin, which automatically configures HTTPS. Nginx configuration must include WebSocket upgrade headers for proper OpenClaw operation.
VPS Provider Comparison
DigitalOcean excels in simplicity with its one-click option and excellent documentation. Linode offers competitive pricing and good performance. Vultr provides extensive global locations for low-latency deployment worldwide. Hetzner offers exceptional European hosting value. Choose based on your geographic needs, pricing preferences, and desired level of managed services.
Cloud Security Best Practices
Cloud deployments require careful attention to security. This section covers essential security measures for protecting your OpenClaw installation in cloud environments.
Network Security
Implement defense in depth with multiple network security layers. Use security groups or firewalls to restrict inbound traffic to necessary ports only. Place OpenClaw behind a load balancer or reverse proxy rather than exposing it directly. Consider a VPN or Tailscale for administrative access instead of public SSH.
For the most secure configurations, deploy OpenClaw in a private subnet without any public IP. Use a bastion host or AWS Systems Manager Session Manager for SSH access. Route outbound traffic through NAT Gateway or Cloud NAT. This architecture prevents direct internet exposure while maintaining functionality.
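A host-side check for the exposure described above, added here as an example and not part of the original guide: it reads `ufw status` and `ss -ltn` output and flags SSH or port 18789 accepted from any source, and any listener on 18789 that is not bound to loopback. The function names and the embedded sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are assumptions.

# audit_ufw: read `ufw status` output on stdin and flag rules that accept SSH
# or the Gateway port (18789) from any source address.
audit_ufw() {
    awk '
    {
        a = 0
        for (i = 1; i <= NF; i++) if ($i == "ALLOW") a = i
        if (a < 2 || a == NF) next            # header or non-rule line
        if ($(a + 1) != "Anywhere") next      # rule already limited to a source
        fam = ($NF == "(v6)") ? "IPv6" : "IPv4"
        if ($1 == "18789/tcp" || $1 == "18789")
            print "FAIL " fam ": Gateway port 18789 reachable from any source"
        else if ($1 == "OpenSSH" || $1 == "22/tcp" || $1 == "22")
            print "FAIL " fam ": SSH reachable from any source"
    }'
}

# audit_listeners: read `ss -ltn` output on stdin and flag a listener on 18789
# that is bound to anything other than loopback.
audit_listeners() {
    awk '
    $1 == "LISTEN" && $4 ~ /:18789$/ {
        addr = $4; sub(/:18789$/, "", addr)
        if (addr != "127.0.0.1" && addr != "[::1]")
            print "FAIL listener on " addr ":18789 is not loopback-only"
    }'
}

# Constructed sample: `ufw status` after the firewall commands in this guide.
sample_ufw() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
18789/tcp                  ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
18789/tcp (v6)             ALLOW       Anywhere (v6)
EOF
}

# Constructed sample: `ss -ltn` with a service listening on all interfaces.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     0.0.0.0:18789       0.0.0.0:*
EOF
}

# On a real host: sudo ufw status | audit_ufw ; ss -ltn | audit_listeners
sample_ufw | audit_ufw
sample_ss | audit_listeners
```

An empty result from both functions means SSH is source-restricted and port 18789 is reachable only through the reverse proxy or load balancer.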
SSL/TLS Configuration
Always use HTTPS for production deployments. Obtain certificates from Let's Encrypt (free, automated) or AWS/GCP/Azure managed certificates. Configure TLS 1.2 or 1.3 minimum, disable weak cipher suites, and enable HSTS headers. Test your SSL configuration with tools like SSL Labs to ensure proper setup.
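The requirements above and in the Nginx Reverse Proxy section can be checked mechanically. This added example (not part of the original guide) lints a server block for a TLS 1.2 minimum, an HSTS header, the WebSocket upgrade headers and a loopback proxy target; `lint_nginx` and `sample_conf` are assumed names, and the sample is this guide's own server block trimmed to the checked directives.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are assumptions.

# lint_nginx FILE: print one "FAIL ..." line per requirement from this guide
# that the file does not meet; exit status is non-zero if any were found.
# The body runs in a subshell, so helper functions and variables stay local.
# Matching is textual (comments stripped), not a full Nginx parser.
lint_nginx() (
    conf=$(sed 's/#.*$//' "$1")   # drop comments so disabled directives don't count
    rc=0
    has()  { printf '%s\n' "$conf" | grep -Eq "$1"; }
    fail() { echo "FAIL $1"; rc=1; }

    # TLS 1.2 minimum: ssl_protocols must be set and list nothing older.
    if ! has '^[[:space:]]*ssl_protocols[[:space:]]'; then
        fail "ssl_protocols is not set"
    elif has 'ssl_protocols[^;]*(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;)'; then
        fail "ssl_protocols allows a protocol older than TLS 1.2"
    fi
    has 'add_header[[:space:]]+Strict-Transport-Security' || fail "no HSTS header"
    # WebSocket upgrade: HTTP/1.1 to the upstream plus both hop-by-hop headers.
    has 'proxy_http_version[[:space:]]+1\.1' || fail "proxy_http_version is not 1.1"
    has 'proxy_set_header[[:space:]]+Upgrade[[:space:]]' || fail "Upgrade header not forwarded"
    has 'proxy_set_header[[:space:]]+Connection[[:space:]]' || fail "Connection header not forwarded"
    # The proxy should reach the Gateway over loopback only.
    has 'proxy_pass[[:space:]]+http://(127\.0\.0\.1|localhost|\[::1\]):18789' ||
        fail "proxy_pass does not target loopback port 18789"
    exit "$rc"
)

# sample_conf [PROTOCOLS] [EXTRA_DIRECTIVE]: the guide's HTTPS server block,
# trimmed to the directives checked above (constructed sample input).
sample_conf() {
    printf 'server {\n    listen 443 ssl http2;\n'
    printf '    ssl_protocols %s;\n' "${1:-TLSv1.2 TLSv1.3}"
    [ -n "${2:-}" ] && printf '    %s\n' "$2"
    cat <<'EOF'
    location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"                       # directives as published in this guide
lint_nginx "$tmp" || echo "-> guide config has findings"
# max-age below is an example value, not one taken from the guide
sample_conf "TLSv1.2 TLSv1.3" \
    'add_header Strict-Transport-Security "max-age=31536000" always;' > "$tmp"
lint_nginx "$tmp" && echo "-> clean once HSTS is added"
rm -f "$tmp"
```

Against the server block under Code Examples the only finding is the missing HSTS header, which an `add_header Strict-Transport-Security` line in the port 443 server block resolves.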
API Key Protection
Store API keys in secrets management services: AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, or environment-injected secrets for containers. Never store keys in configuration files that might be backed up or version controlled. Use IAM roles where possible instead of static credentials.
Implement key rotation policies where supported. Monitor API key usage for anomalies that might indicate compromise. Consider separate keys for development, staging, and production environments with appropriate restrictions on each.
Monitoring and Alerting
Enable cloud provider monitoring (CloudWatch, Cloud Monitoring, Azure Monitor) for your OpenClaw instances. Set up alerts for high CPU, memory, disk usage, and unusual network traffic. Monitor authentication failures and API error rates. Regular log review helps identify security issues early.
Consider a SIEM solution for production deployments that aggregates logs from multiple sources and provides advanced threat detection. Cloud providers offer built-in options (CloudWatch Logs Insights, Cloud Logging, Azure Sentinel) that integrate with their monitoring services.
Scaling Your Deployment
As your OpenClaw usage grows, scaling becomes necessary. This section covers vertical and horizontal scaling strategies for cloud deployments.
Vertical Scaling
The simplest scaling approach increases instance size. Monitor resource usage to identify bottlenecks. High CPU usage suggests compute-constrained workloads; upgrade to more vCPUs. High memory usage indicates conversation history accumulation or concurrent session limits; add more RAM. Most cloud providers allow resizing with minimal downtime.
Horizontal Scaling Considerations
OpenClaw's architecture presents challenges for horizontal scaling. The Gateway maintains persistent connections to messaging platforms, which can't be easily distributed across multiple instances. For multi-instance deployments, use sticky sessions at the load balancer to ensure consistent routing.
Consider running multiple OpenClaw instances with different channel assignments. For example, WhatsApp on instance A, Telegram on instance B. This provides fault isolation and enables scaling by channel type while avoiding the complexity of distributed session management.
Database Backend
For large-scale deployments, OpenClaw supports external database backends for session storage. Moving from SQLite to PostgreSQL enables better concurrent access and separates compute from storage. Configure database connection strings in the OpenClaw configuration and ensure network connectivity between instances and database.
Container Orchestration
Kubernetes deployments enable sophisticated scaling with StatefulSets for stable network identities and persistent volume claims for data. Define resource limits and requests for proper scheduling. Use Horizontal Pod Autoscaler cautiously given session stickiness requirements. Our advanced scaling guide covers Kubernetes deployment in detail.
Backup and Disaster Recovery
Cloud deployments should include robust backup and recovery procedures. This section covers backup strategies and recovery planning for OpenClaw in cloud environments.
Data to Backup
Critical OpenClaw data includes the configuration file with channel settings, workspace directory with custom agents and skills, session data with conversation history, and channel credentials for messaging platforms. API keys should not be backed up; instead, document them securely in a secrets manager and re-enter after recovery.
Cloud-Native Backup Services
Leverage cloud provider backup services for automated protection. AWS Backup creates scheduled EBS snapshots with retention policies. GCP snapshot schedules automate persistent disk backups. Azure Backup provides centralized backup management with geo-redundant storage. Configure daily backups with 7-30 day retention for most deployments.
Cross-Region Replication
For critical deployments, replicate backups to a secondary region. This protects against regional outages and provides geographic redundancy. Most cloud providers offer cross-region snapshot copy capabilities. The additional cost is typically minimal compared to the protection provided.
Recovery Procedures
Document and test your recovery procedures before you need them. A typical recovery involves launching a new instance, attaching or restoring data volumes, installing OpenClaw, restoring configuration, and restarting the daemon. Some channels (especially WhatsApp) require re-authentication after recovery; factor this into your recovery time estimates.
Define Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for your deployment. RTO specifies how quickly you need to be operational; RPO specifies how much data loss is acceptable. These objectives guide backup frequency and recovery automation investments.
Code Examples
# Initial server setup (Ubuntu 22.04)
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl wget git
# Install Node.js 22
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
# Verify installation
node --version # Should show v22.x.x

# Install OpenClaw
sudo npm install -g openclaw@latest
# Run onboarding with daemon
openclaw onboard --install-daemon
# Verify Gateway is running
openclaw gateway status

# Configure firewall (Ubuntu/UFW)
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 18789/tcp # Optional: direct WebSocket access during initial setup
sudo ufw enable
sudo ufw status

# Install Nginx and Certbot
sudo apt install -y nginx certbot python3-certbot-nginx
# Obtain SSL certificate
sudo certbot --nginx -d your-domain.com
# Test auto-renewal
sudo certbot renew --dry-run

# Nginx reverse proxy configuration
server {
    listen 443 ssl http2;
    server_name your-domain.com;
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://127.0.0.1:18789;
        # WebSocket upgrade headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Keep long-lived WebSocket connections open
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }
}
# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$server_name$request_uri;
}

# AWS CLI - Create security group
aws ec2 create-security-group \
    --group-name openclaw-sg \
    --description "OpenClaw security group"
# Add inbound rules
aws ec2 authorize-security-group-ingress \
    --group-name openclaw-sg \
    --protocol tcp \
    --port 22 \
    --cidr YOUR_IP/32
aws ec2 authorize-security-group-ingress \
    --group-name openclaw-sg \
    --protocol tcp \
    --port 443 \
    --cidr 0.0.0.0/0

# GCP - Create firewall rules
gcloud compute firewall-rules create openclaw-allow-https \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=ALLOW \
    --rules=tcp:443 \
    --source-ranges=0.0.0.0/0 \
    --target-tags=openclaw
gcloud compute firewall-rules create openclaw-allow-ssh \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=ALLOW \
    --rules=tcp:22 \
    --source-ranges=YOUR_IP/32 \
    --target-tags=openclaw

#!/bin/bash
# Backup script for cloud deployments
set -euo pipefail
umask 077 # the backup holds configuration and session data; keep it owner-only
BACKUP_DIR="/backup/openclaw-$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
# Backup configuration and workspace
cp -r ~/.openclaw/openclaw.json "$BACKUP_DIR/"
cp -r ~/.openclaw/workspace "$BACKUP_DIR/"
# Backup session data (stop daemon first for consistency)
openclaw gateway stop
trap 'openclaw gateway start' EXIT # restart the daemon even if the copy fails
cp -r ~/.openclaw/data "$BACKUP_DIR/"
openclaw gateway start
trap - EXIT
# Compress backup (store a relative path inside the archive)
tar -czf "$BACKUP_DIR.tar.gz" -C "$(dirname "$BACKUP_DIR")" "$(basename "$BACKUP_DIR")"
rm -rf "$BACKUP_DIR"
# Upload to cloud storage (example: AWS S3)
aws s3 cp "$BACKUP_DIR.tar.gz" s3://your-backup-bucket/openclaw/