Skip to main content

Components and Sizing Recommendations

Prerequisites

Ensure the following tools and resources are installed and available:
  • AWS Account with permissions to create ECS, EC2, VPC, ELB, IAM, S3, Secrets Manager, and CloudWatch resources.
  • AWS CLI configured with credentials.
  • Terraform v1.13 or later.

Create a Portkey Account

  • Go to the Portkey website.
  • Sign up for a Portkey account.
  • Once logged in, locate and save your Organisation ID for future reference. It can be found in the browser URL: https://app.portkey.ai/organisation/<organisation_id>/
  • Contact the Portkey AI team and provide your Organisation ID and the email address used during signup.
  • The Portkey team will share the following information with you:
    • Docker credentials for the Gateway images (username and password).
    • License: Client Auth Key.

Setup Project Environment

1. Prepare AWS Secrets

Create the required secrets in AWS Secrets Manager. You can either use the CloudFormation template provided in the portkey-gateway-infrastructure repository, or create them manually using the AWS CLI. Option A: Using CloudFormation
  1. Go to the AWS CloudFormation Console and create a stack.
  2. Upload cloudformation/secrets.yaml from the portkey-gateway-infrastructure repository.
  3. Provide the following parameters:
    • Project Name — e.g., portkey-gateway
    • Environment — e.g., dev
    • Docker Username / Password — provided by Portkey
    • Portkey Client Auth — provided by Portkey
    • Organisations — your Portkey Organisation ID(s), comma-separated if multiple
  4. After the stack completes, note the following outputs for use in the Terraform configuration:
    • DockerCredentialsSecretArn
    • ClientOrgSecretNameArn
Option B: Using AWS CLI
Note the ARNs returned for both secrets — they will be used in the Terraform configuration.

2. Create Terraform Configuration Files

Create a new directory for your deployment:
(Optional) Create an S3 bucket to store the Terraform state remotely:
Create a backend.config file:

3. Create Module Configuration

Create a main.tf file:

4. Deploy the Gateway

Note: Values in the secrets block must be AWS Secrets Manager ARNs, not raw secret values. The ECS task definition references the secret ARN directly and AWS injects the secret value at runtime.

Advanced Configuration

MCP Gateway (Optional)

By default, only the AI Gateway is enabled. To enable the MCP Gateway, update your module configuration: MCP Only:
Gateway + MCP (single service, ALB required):
Notes:
  • mcp_gateway_base_url is required when server_mode is "mcp" or "all". It must be the MCP external domain (with https:// or http:// prefix) that clients use to reach the MCP service.
  • When server_mode = "all", an Application Load Balancer is required (lb_type = "application") and you must configure host-based routing via alb_routing_configuration (gateway_host and mcp_host).
  • For the initial deployment, you can set mcp_gateway_base_url to a placeholder, then update it after the Load Balancer is provisioned and DNS is mapped.
Server Modes
  1. "gateway": Deploys only the AI Gateway. This is the default configuration.
  2. "mcp": Deploys only the MCP Gateway. Requires mcp_gateway_base_url.
  3. "all": Deploys both the AI Gateway and MCP Gateway. Requires mcp_gateway_base_url and an ALB with host-based routing.

Auto-Scaling Configuration

Control how ECS tasks scale based on CPU and memory utilisation:

Deployment Strategies

ECS supports multiple deployment strategies via gateway_deployment_configuration: Blue/Green Deployment:
Canary Deployment:

Network Configuration with VPC

Deploy the Gateway within a VPC. Create a new VPC:
Use an existing VPC and subnets:

Load Balancer Ingress

The module can provision either an Application Load Balancer (ALB) or a Network Load Balancer (NLB) in front of the Gateway tasks. Pick based on what you need:

Application Load Balancer (ALB)

Deploy a public ALB with TLS termination:
Host-based Routing (required when server_mode = "all"):
Configure DNS:
Enable ALB Access Logs:

Network Load Balancer (NLB)

Note: NLB does not support host-based routing, so it cannot be used when server_mode = "all".

Amazon ElastiCache for Redis

Use an existing Amazon ElastiCache cluster instead of the built-in Redis container:
If ElastiCache AUTH is enabled, store the AUTH token in AWS Secrets Manager (as JSON with a REDIS_PASSWORD key) and reference the secret ARN. Both the Gateway and Data Service connect to Redis, so the secret must be passed to both blocks if the Data Service is enabled:
Note: ElastiCache’s security groups must allow inbound TCP 6379 (or your configured port) from the Gateway and Data Service task security groups.

Object Storage (S3 Log Store)

Specify the S3 bucket for storing LLM access logs:
The module attaches an IAM policy to the Gateway task role granting s3:PutObject and s3:GetObject permissions on the configured buckets.

Data Service (Optional)

The Data Service is responsible for batch processing, fine-tuning, and log exports. Enable it via:

Amazon Bedrock (Optional)

To allow the Gateway to invoke Amazon Bedrock models, attach an IAM policy with the required bedrock:InvokeModel (and related) permissions to the Gateway ECS task role via gateway_task_role_policy_arns:
The module supports both same-account and cross-account Bedrock access (via sts:AssumeRole). For the full IAM policy documents, trust policy templates, and step-by-step setup for both modes, refer to following guide: Bedrock Access Configuration.

Integrating Gateway with Control Plane

Outbound Connectivity (Data Plane to Control Plane) Portkey supports the following methods for integrating the Data Plane with the Control Plane for outbound connectivity:
  • AWS PrivateLink
  • Over the Internet
Establishes a secure, private connection between the Data Plane and the Portkey Control Plane within the AWS network. Steps to establish AWS PrivateLink connectivity:
  1. Contact Portkey and provide your AWS account ARN so it can be whitelisted in Portkey’s Control Plane.
  2. Once you receive confirmation from Portkey that your AWS account is whitelisted, go to the VPC Console.
  3. Select the AWS Region where the Portkey Gateway is deployed.
  4. Navigate to the Endpoints section in the VPC console.
  5. Click on Create endpoint and enter the required details.
  6. Select the PrivateLink Ready partner services category and, under Service settings, provide the following details.
    • For Service name, enter com.amazonaws.vpce.us-east-1.vpce-svc-0c2c1c323d9f56d95
    • (Optional) If the Gateway is deployed in a region other than us-east-1, select Enable Cross Region endpoint, choose the us-east-1 region, and click the Verify service button.
  7. Under Network settings:
    • Select the VPC and subnets (at least two in different AZs for high availability) where the endpoint should be created. Ideally, this should be the same VPC where the Gateway is deployed.
    • Select the security group to associate with the endpoint. The security group must allow inbound connections on port 443 from the Gateway tasks.
  8. After all details are filled in, click on Create endpoint.
  9. Wait for the Status to change to Available.
  10. Once the status changes to Available, click on Actions > Modify private DNS name > select Enable for this endpoint.
  11. Update the main.tf to point the Gateway to the private Control Plane endpoint:
  12. Re-deploy the Gateway:

Over the Internet

Ensure the Gateway has access to the following endpoints over the internet:
  • https://api.portkey.ai
  • https://albus.portkey.ai
No additional configuration is needed if your VPC allows outbound internet access via a NAT Gateway.

Inbound Connectivity (Control Plane to Data Plane)

  • AWS PrivateLink
  • IP Whitelisting
Establishes a secure, private connection between the Control Plane and the Data Plane within the AWS network. Steps to establish AWS PrivateLink connectivity: AWS VPC Endpoint Services only support Network Load Balancers (NLB) or Gateway Load Balancers — they cannot be created directly against an ALB. Pick one of the two paths below depending on what the module provisions for you.
If your deployment uses lb_type = "network", the module already provisions an NLB that can be associated with the Endpoint Service directly. Ensure the Gateway is exposed via that NLB:
Create the Endpoint Service
  • Navigate to the AWS VPC Console.
  • In the top-right corner of the AWS Console, select the region where the Portkey Gateway is deployed.
  • Provide the following details:
    • Name of the endpoint service
    • Select the Network Load Balancer to associate with the endpoint (the module-provisioned NLB, or the NLB you created in front of the ALB)
    • Choose the regions in which the endpoint service will be available
    • Select whether acceptance is required for incoming connections
    • Choose whether to enable a Private DNS name — if enabled, provide the Private DNS Name
    • Select IPv4 under Supported IP address types
  • Click Create.
(Optional) Verify ownership of the Private DNS name This step is required only if you are using a Private DNS Name. Open the created Endpoint Service > click on Actions > select Verify domain ownership for private DNS name > create the recommended record in your DNS server > click Verify. Authorize Portkey’s Control Plane to initiate connection requests
  • Open the Endpoint Service > click on Actions > select Allow principals, and enter the Control Plane’s ARN (arn:aws:iam::299329113195:root).
  • Reach out to the Portkey team and share the following details:
    • Service name
    • DNS names
    • Private DNS name
    • Region selected while creating the Endpoint Service
    • Port number on which the Load Balancer is listening for connections
  • Wait for the Portkey team to initiate a connection request from the Control Plane’s AWS account to your Gateway’s AWS account. Navigate to the Endpoint connections section, and once the request appears, approve it.

IP Whitelisting

Allows the Control Plane to access the Data Plane over the internet by restricting inbound traffic to specific IP addresses of the Control Plane. This method requires the Data Plane to have a publicly accessible endpoint. To whitelist, add an inbound rule to the Load Balancer’s security group allowing connections from the Portkey Control Plane’s IPs (54.81.226.149, 34.200.113.35, 44.221.117.129) on the listener port. Alternatively, set allowed_lb_cidrs in the module configuration:
To integrate the Control Plane with the Data Plane, contact the Portkey team and provide the Public Endpoint of the Data Plane.

Verifying Gateway Integration with the Control Plane

  • Send a test request to the Gateway using curl:
  • Go to the Portkey website -> Logs.
  • Verify that the test request appears in the logs and that you can view its full details by selecting the log entry.

Uninstalling Portkey Gateway

Example Configurations

Minimal Development Deployment

This example shows a basic deployment with built-in Redis, a new VPC, and no load balancer:

Production Deployment with ALB, ElastiCache, and Data Service

This example shows a production-grade deployment with a public ALB, Amazon ElastiCache, the Data Service enabled, and auto-scaling:

Gateway + MCP Deployment

This example shows how to deploy both the AI Gateway and the MCP Gateway behind an Application Load Balancer with host-based routing:

Multi-Environment Setup

To manage dev, staging, and prod from a single codebase, organise your project as follows:
Each environment has its own remote state and variable values:
Deploy each environment independently:

Version Pinning and Upgrades

Always pin the module to a specific version in production:
To upgrade, review the release notes, test the new version in a non-production environment first, then promote to production:
To roll back, revert the ref to the previous version and re-run terraform init -upgrade && terraform apply.
Last modified on May 21, 2026