Server Providers
Learn about the server providers supported by Forge.
Supported Server Providers
Forge can create and manage servers on the following cloud server providers:
- DigitalOcean
- Vultr
- Akamai / Linode Cloud
- Amazon AWS
- Forge supports provisioning servers in all non-Gov regions that are active in the connected AWS account.
- Hetzner Cloud
- Bring Your Own Server
If your preferred server provider is not supported by Forge, you may use Forge’s “Custom VPS” option to create your server. Custom VPS servers receive all of the same functionality as first-party supported server providers. Learn more
Linking Server Providers
You can link server providers from your Server Providers dashboard. It is possible to link any number of supported provider accounts, including multiple accounts for one provider.
Amazon AWS API Access
In order to provision servers on AWS, you need to create a new IAM role. To get started, navigate to the IAM service on your AWS dashboard. Once you are in the IAM dashboard, you may select “Roles” from the left-side navigation panel and click the “Create Role” button.
The process for creating the role is outlined in these steps:
- Choose “AWS account” as the trusted entity type, and select “Another AWS account.”
- Enter the “Forge AWS Account” from the Forge dashboard, then click “Next.”
- In the “Permissions policies” section, select the
AmazonEC2FullAccessandAmazonVPCFullAccesspolicies. Then, click “Next.” - In the “Name, review, and create” section, provide a name and description for the role.
- Update the “Trust policy” under “Select trusted entities” by enabling the “Require external ID” checkbox and entering the “AWS External ID” shown in the Forge dashboard.
- Complete the process by creating the role.
- Copy the role ARN displayed in the AWS dashboard and add it to your AWS credentials in Forge.
There are a few requirements you should review to ensure Forge works correctly with your linked AWS account:
- If you are using an existing VPC, the subnet must be configured to auto-assign public IP addresses.
- If you are using an existing VPC, the default security group must allow Forge to SSH into the server. Here is an example:
| Type | Protocol | Port Range | Source | Description | |
|---|---|---|---|---|---|
| HTTP | TCP | 80 | Custom | 0.0.0.0/0 | |
| HTTP | TCP | 80 | Custom | ::/0 | |
| SSH | TCP | 22 | Custom | YOUR_IP_ADDRESS/32 | SSH from your IP |
| SSH | TCP | 22 | Custom | 159.203.150.232/32 | SSH from Forge |
| SSH | TCP | 22 | Custom | 159.203.150.216/32 | SSH from Forge |
| SSH | TCP | 22 | Custom | 45.55.124.124/32 | SSH from Forge |
| SSH | TCP | 22 | Custom | 165.227.248.218/32 | SSH from Forge |
| HTTPS | TCP | 443 | Custom | 0.0.0.0/0 | |
| HTTPS | TCP | 443 | Custom | ::/0 |
AWS Service Limits
AWS Service Limits can be increased through the following options:
For additional information, refer to the following AWS documentation:
- Requesting a quota increase in the Service Quotas User Guide.
- AWS Service Quotas reference.
Akamai / Linode API Access
When creating a new Akamai Cloud API token for your Akamai account, Akamai will ask you to select which permissions are needed by the token. You will need to select the following permissions:
- Linodes - Read/Write
- IPs - Read/Write
In addition, you may wish to set the token to never expire.
DigitalOcean OAuth Access
The easiest way to allow Forge to communicate with your DigitalOcean account is by using the “Login with DigitalOcean” button. This option can be found on the Server Providers page within your Forge account.
Clicking the “Login with DigitalOcean” button will redirect you to DigitalOcean’s Authorize Application page, where you’ll be asked to approve the required permissions requested by Forge.
Once approved, Forge will create an OAuth credential, allowing it access to the necessary permissions needed in provisioning and managing your servers on your behalf.
DigitalOcean API Access
In addition to granting Forge access via OAuth, you can also use a Personal Access Token to enable Forge to communicate with your DigitalOcean account. When creating a new Personal Access Token for your DigitalOcean account, you will need to select which scopes will be granted on the token. You must select either:
- Full Access: Grants access to all scopes based on the account’s current role permissions
- Custom Scopes: Grants granular permissions on specific scopes. The following are required by Forge to successfully provision a server:
- Droplet - Create / Read / Update / Delete
- Reserved IP - Create / Read / Update / Delete
- SSH Key - Create / Read / Update / Delete
- VPC Key - Create / Read / Update / Delete
Vultr API Access
The Vultr server provider requires you to add the Forge IP addresses to an IP address allow list so that Forge can communicate with your servers. You should ensure that you do this before provisioning a Vultr server via Forge.
Hetzner Cloud API Access
Hetzner API tokens are specific to a Hetzner Project. If you utilize Hetzner Projects, you should ensure that Forge has an API token for each Hetzner Project.
Bring Your Own Server
Alongside supporting several first-party server providers, Forge also supports the ability to use your own custom server. To do so, select the Custom VPS option when creating a new server. When provisioning a Custom VPS, Forge can only provision and manage an existing server — it cannot create servers on that custom provider.
In addition, you should review the following server requirements:
- The server must be running a fresh installation of Ubuntu 22.04 or 24.04 x64.
- The server must be accessible externally over the Internet.
- The server must have
rootSSH access enabled. - The server requirements should meet the following criteria or more: 1 CPU Core with 1GHz, 1GB RAM, and 10GB Disk space.
- The server must have curl installed.
- Ensure that no firewall or security group is throttling requests to the server. Throttling SSH requests may cause provisioning to fail at the final stage.
- Some server providers may modify the contents of
/root/.ssh/authorized_keys. If this applies to your provider, ensure they allow Forge’s public key to access the server. You can find this key by visiting:https://forge.laravel.com/servers/<serverID>/settings. - If you restrict SSH access by IP address, consult the Forge IP address documentation.
- If you are protecting your internal network through Network Address Translation and you are mapping public SSH ports to different internal SSH ports, you may let Forge know about this by checking the This server is behind a NAT checkbox. This will show an extra input field, NAT SSH Port, that you can use to tell Forge about the SSH port to which SSH traffic is mapped. Forge will use this port to allow traffic into the server via
ufw. If the internal SSH port is the same as the public SSH port, you may leave the NAT SSH Port field empty. - If you are protecting your server with an antivirus software, make sure it doesn’t interfere with Forge’s operations. Antivirus programs may sometimes cause unexpected behavior during provisioning of the server that might result in misconfigurations of database instances or other applications on the server.