Components and Sizing Recommendations
Prerequisites
Ensure the following tools and resources are installed and available:- AWS Account with permissions to create ECS, EC2, VPC, ELB, IAM, S3, Secrets Manager, and CloudWatch resources.
- AWS CLI configured with credentials.
- Terraform v1.13 or later.
Create a Portkey Account
- Go to the Portkey website.
- Sign up for a Portkey account.
- Once logged in, locate and save your
Organisation IDfor future reference. It can be found in the browser URL:https://app.portkey.ai/organisation/<organisation_id>/ - Contact the Portkey AI team and provide your Organisation ID and the email address used during signup.
- The Portkey team will share the following information with you:
- Docker credentials for the Gateway images (username and password).
- License: Client Auth Key.
Setup Project Environment
1. Prepare AWS Secrets
Create the required secrets in AWS Secrets Manager. You can either use the CloudFormation template provided in the portkey-gateway-infrastructure repository, or create them manually using the AWS CLI. Option A: Using CloudFormation- Go to the AWS CloudFormation Console and create a stack.
- Upload
cloudformation/secrets.yamlfrom the portkey-gateway-infrastructure repository. - Provide the following parameters:
- Project Name — e.g.,
portkey-gateway - Environment — e.g.,
dev - Docker Username / Password — provided by Portkey
- Portkey Client Auth — provided by Portkey
- Organisations — your Portkey Organisation ID(s), comma-separated if multiple
- Project Name — e.g.,
- After the stack completes, note the following outputs for use in the Terraform configuration:
DockerCredentialsSecretArnClientOrgSecretNameArn
2. Create Terraform Configuration Files
Create a new directory for your deployment:backend.config file:
3. Create Module Configuration
Create amain.tf file:
4. Deploy the Gateway
secrets block must be AWS Secrets Manager ARNs, not raw secret values. The ECS task definition references the secret ARN directly and AWS injects the secret value at runtime.
Advanced Configuration
MCP Gateway (Optional)
By default, only the AI Gateway is enabled. To enable the MCP Gateway, update your module configuration: MCP Only:mcp_gateway_base_urlis required whenserver_modeis"mcp"or"all". It must be the MCP external domain (withhttps://orhttp://prefix) that clients use to reach the MCP service.- When
server_mode = "all", an Application Load Balancer is required (lb_type = "application") and you must configure host-based routing viaalb_routing_configuration(gateway_hostandmcp_host). - For the initial deployment, you can set
mcp_gateway_base_urlto a placeholder, then update it after the Load Balancer is provisioned and DNS is mapped.
"gateway": Deploys only the AI Gateway. This is the default configuration."mcp": Deploys only the MCP Gateway. Requiresmcp_gateway_base_url."all": Deploys both the AI Gateway and MCP Gateway. Requiresmcp_gateway_base_urland an ALB with host-based routing.
Auto-Scaling Configuration
Control how ECS tasks scale based on CPU and memory utilisation:Deployment Strategies
ECS supports multiple deployment strategies viagateway_deployment_configuration:
Blue/Green Deployment:
Network Configuration with VPC
Deploy the Gateway within a VPC. Create a new VPC:Load Balancer Ingress
The module can provision either an Application Load Balancer (ALB) or a Network Load Balancer (NLB) in front of the Gateway tasks. Pick based on what you need:Application Load Balancer (ALB)
Deploy a public ALB with TLS termination:server_mode = "all"):
Network Load Balancer (NLB)
server_mode = "all".
Amazon ElastiCache for Redis
Use an existing Amazon ElastiCache cluster instead of the built-in Redis container:REDIS_PASSWORD key) and reference the secret ARN. Both the Gateway and Data Service connect to Redis, so the secret must be passed to both blocks if the Data Service is enabled:
Object Storage (S3 Log Store)
Specify the S3 bucket for storing LLM access logs:s3:PutObject and s3:GetObject permissions on the configured buckets.
Data Service (Optional)
The Data Service is responsible for batch processing, fine-tuning, and log exports. Enable it via:Amazon Bedrock (Optional)
To allow the Gateway to invoke Amazon Bedrock models, attach an IAM policy with the requiredbedrock:InvokeModel (and related) permissions to the Gateway ECS task role via gateway_task_role_policy_arns:
sts:AssumeRole). For the full IAM policy documents, trust policy templates, and step-by-step setup for both modes, refer to following guide: Bedrock Access Configuration.
Integrating Gateway with Control Plane
Outbound Connectivity (Data Plane to Control Plane) Portkey supports the following methods for integrating the Data Plane with the Control Plane for outbound connectivity:- AWS PrivateLink
- Over the Internet
AWS PrivateLink (Outbound)
Establishes a secure, private connection between the Data Plane and the Portkey Control Plane within the AWS network. Steps to establish AWS PrivateLink connectivity:- Contact Portkey and provide your AWS account ARN so it can be whitelisted in Portkey’s Control Plane.
- Once you receive confirmation from Portkey that your AWS account is whitelisted, go to the VPC Console.
- Select the AWS Region where the Portkey Gateway is deployed.
- Navigate to the Endpoints section in the VPC console.
- Click on Create endpoint and enter the required details.
-
Select the
PrivateLink Ready partner servicescategory and, under Service settings, provide the following details.- For Service name, enter
com.amazonaws.vpce.us-east-1.vpce-svc-0c2c1c323d9f56d95 - (Optional) If the Gateway is deployed in a region other than
us-east-1, selectEnable Cross Region endpoint, choose theus-east-1region, and click the Verify service button.
- For Service name, enter
-
Under Network settings:
- Select the VPC and subnets (at least two in different AZs for high availability) where the endpoint should be created. Ideally, this should be the same VPC where the Gateway is deployed.
- Select the security group to associate with the endpoint. The security group must allow inbound connections on port 443 from the Gateway tasks.
- After all details are filled in, click on Create endpoint.
-
Wait for the Status to change to
Available. -
Once the status changes to
Available, click on Actions > Modify private DNS name > select Enable for this endpoint. -
Update the
main.tfto point the Gateway to the private Control Plane endpoint: -
Re-deploy the Gateway:
Over the Internet
Ensure the Gateway has access to the following endpoints over the internet:https://api.portkey.aihttps://albus.portkey.ai
Inbound Connectivity (Control Plane to Data Plane)
- AWS PrivateLink
- IP Whitelisting
AWS PrivateLink (Inbound)
Establishes a secure, private connection between the Control Plane and the Data Plane within the AWS network. Steps to establish AWS PrivateLink connectivity: AWS VPC Endpoint Services only support Network Load Balancers (NLB) or Gateway Load Balancers — they cannot be created directly against an ALB. Pick one of the two paths below depending on what the module provisions for you.- Terraform-provisioned NLB
- Existing ALB (NLB-in-front)
If your deployment uses
lb_type = "network", the module already provisions an NLB that can be associated with the Endpoint Service directly. Ensure the Gateway is exposed via that NLB:- Navigate to the AWS VPC Console.
- In the top-right corner of the AWS Console, select the region where the Portkey Gateway is deployed.
- Provide the following details:
- Name of the endpoint service
- Select the Network Load Balancer to associate with the endpoint (the module-provisioned NLB, or the NLB you created in front of the ALB)
- Choose the regions in which the endpoint service will be available
- Select whether acceptance is required for incoming connections
- Choose whether to enable a Private DNS name — if enabled, provide the Private DNS Name
- Select IPv4 under Supported IP address types
- Click Create.
- Open the Endpoint Service > click on Actions > select Allow principals, and enter the Control Plane’s ARN (
arn:aws:iam::299329113195:root). - Reach out to the Portkey team and share the following details:
- Service name
- DNS names
- Private DNS name
- Region selected while creating the Endpoint Service
- Port number on which the Load Balancer is listening for connections
- Wait for the Portkey team to initiate a connection request from the Control Plane’s AWS account to your Gateway’s AWS account. Navigate to the Endpoint connections section, and once the request appears, approve it.
IP Whitelisting
Allows the Control Plane to access the Data Plane over the internet by restricting inbound traffic to specific IP addresses of the Control Plane. This method requires the Data Plane to have a publicly accessible endpoint. To whitelist, add an inbound rule to the Load Balancer’s security group allowing connections from the Portkey Control Plane’s IPs (54.81.226.149, 34.200.113.35, 44.221.117.129) on the listener port. Alternatively, set allowed_lb_cidrs in the module configuration:
Verifying Gateway Integration with the Control Plane
-
Send a test request to the Gateway using
curl: - Go to the Portkey website -> Logs.
- Verify that the test request appears in the logs and that you can view its full details by selecting the log entry.
Uninstalling Portkey Gateway
Example Configurations
Minimal Development Deployment
This example shows a basic deployment with built-in Redis, a new VPC, and no load balancer:Production Deployment with ALB, ElastiCache, and Data Service
This example shows a production-grade deployment with a public ALB, Amazon ElastiCache, the Data Service enabled, and auto-scaling:Gateway + MCP Deployment
This example shows how to deploy both the AI Gateway and the MCP Gateway behind an Application Load Balancer with host-based routing:Multi-Environment Setup
To managedev, staging, and prod from a single codebase, organise your project as follows:
Version Pinning and Upgrades
Always pin the module to a specific version in production:ref to the previous version and re-run terraform init -upgrade && terraform apply.
