Deploy on AWS
Run Elixium on Amazon Web Services using ECS Fargate for containers, RDS for PostgreSQL, and S3 for object storage. This guide covers a production-ready deployment using managed AWS services.
Prerequisites
- AWS account with permissions for ECS, RDS, S3, ECR, ALB, and VPC
- AWS CLI configured (aws configure)
- Docker installed locally (for image pull/push)
- Elixium enterprise license key
Architecture Overview
| Component | AWS Service | Notes |
|---|---|---|
| Frontend + API | ECS Fargate | Serverless containers, no EC2 management |
| Database | RDS PostgreSQL 16 | Managed backups, Multi-AZ optional |
| File Storage | S3 | S3-compatible — replaces MinIO |
| Authentication | ECS Fargate (Keycloak) | Backed by RDS |
| AI Inference | Gemini (default), OpenAI, Azure OpenAI, or Ollama (external GPU) | Cloud AI provider or self-hosted Ollama |
| Load Balancer | Application Load Balancer | TLS termination, path-based routing |
| Container Registry | ECR (private) | Mirror images from GHCR |
Step 1: Mirror Container Images
Pull the Elixium images from GHCR and push them to your private ECR registry:
```bash
# Authenticate to GHCR (credentials from sales team)
docker login ghcr.io

# Create ECR repositories
aws ecr create-repository --repository-name elixium-app
aws ecr create-repository --repository-name elixium-api

# Pull, tag, and push
docker pull ghcr.io/indirecttek/elixium-app:latest
docker pull ghcr.io/indirecttek/elixium-api:latest

aws ecr get-login-password | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com

docker tag ghcr.io/indirecttek/elixium-app:latest <account-id>.dkr.ecr.<region>.amazonaws.com/elixium-app:latest
docker tag ghcr.io/indirecttek/elixium-api:latest <account-id>.dkr.ecr.<region>.amazonaws.com/elixium-api:latest

docker push <account-id>.dkr.ecr.<region>.amazonaws.com/elixium-app:latest
docker push <account-id>.dkr.ecr.<region>.amazonaws.com/elixium-api:latest
```
Step 2: Provision Infrastructure
VPC & Networking
```bash
# Create VPC with public + private subnets (2 AZs minimum)
aws ec2 create-vpc --cidr-block 10.0.0.0/16

# Create subnets, internet gateway, NAT gateway, route tables
# Or use the AWS VPC wizard for a standard 2-AZ setup
```
RDS PostgreSQL
```bash
aws rds create-db-instance \
  --db-instance-identifier elixium-db \
  --db-instance-class db.t3.medium \
  --engine postgres \
  --engine-version 16 \
  --master-username elixium \
  --master-user-password <your-secure-password> \
  --allocated-storage 20 \
  --vpc-security-group-ids <sg-id> \
  --db-name elixium
```
S3 Bucket
```bash
aws s3 mb s3://elixium-uploads-<your-org>

# Create an IAM user or role with S3 access for the API service
```
Step 3: Configure Environment
Store secrets in AWS Secrets Manager or SSM Parameter Store, then reference them in your ECS task definitions:
```bash
# Core configuration
ELIXIUM_MODE=local
ELIXIUM_LICENSE_KEY=<your-license-key>

# Database (use RDS endpoint)
DATABASE_URL=postgresql://elixium:<password>@elixium-db.<id>.<region>.rds.amazonaws.com:5432/elixium

# Authentication (Keycloak runs as ECS service)
KEYCLOAK_URL=http://keycloak.elixium.local:8080
KEYCLOAK_REALM=elixium
KEYCLOAK_CLIENT_SECRET=<your-client-secret>

# Storage (use S3 directly — replaces MinIO)
MINIO_ENDPOINT=s3.amazonaws.com
MINIO_PORT=443
MINIO_ACCESS_KEY=<iam-access-key>
MINIO_SECRET_KEY=<iam-secret-key>

# AI (gemini, openai, azure-openai, ollama)
AI_PROVIDER=gemini
GOOGLE_AI_API_KEY=<your-api-key>

# Or use Ollama (requires external GPU host)
# AI_PROVIDER=ollama
# OLLAMA_HOST=http://ollama.elixium.local:11434
```
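An added example (not part of the Elixium documentation): a Python check that flags credentials from the listing above when they sit in the plaintext `environment` array of an ECS task definition instead of `secrets` with `valueFrom`. The sample task definition, ARN, account ID and host name are constructed values.

```python
from urllib.parse import urlsplit

# Variables from the listing above that carry credentials.
SECRET_NAMES = {
    "ELIXIUM_LICENSE_KEY", "DATABASE_URL", "KEYCLOAK_CLIENT_SECRET",
    "MINIO_ACCESS_KEY", "MINIO_SECRET_KEY", "GOOGLE_AI_API_KEY",
}

def embeds_password(value):
    """True for URL-style values such as scheme://user:password@host."""
    try:
        return bool(urlsplit(value).password)
    except ValueError:
        return False

def audit_task_definition(task_def):
    """Return (container, variable) pairs stored as plaintext environment."""
    # Accept raw `aws ecs describe-task-definition` output as well.
    task_def = task_def.get("taskDefinition", task_def)
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            if name in SECRET_NAMES or embeds_password(value):
                findings.append((container.get("name"), name))
    return findings

# Constructed sample: two credentials inlined, one referenced correctly.
SAMPLE_TASK_DEF = {
    "family": "elixium-api",
    "containerDefinitions": [{
        "name": "elixium-api",
        "environment": [
            {"name": "ELIXIUM_MODE", "value": "local"},
            {"name": "KEYCLOAK_URL", "value": "http://keycloak.elixium.local:8080"},
            {"name": "DATABASE_URL",
             "value": "postgresql://elixium:EXAMPLE-ONLY@db.example.internal:5432/elixium"},
            {"name": "MINIO_SECRET_KEY", "value": "EXAMPLE-ONLY"},
        ],
        "secrets": [{
            "name": "ELIXIUM_LICENSE_KEY",
            "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:elixium/license-key",
        }],
    }],
}

if __name__ == "__main__":
    for container, name in audit_task_definition(SAMPLE_TASK_DEF):
        print(f"{container}: move {name} from 'environment' to 'secrets' (valueFrom)")
```

Values left in `environment` are readable by anyone who can describe the task definition, so each flagged variable should be moved to a `secrets` entry.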
Step 4: Deploy ECS Services
Create an ECS cluster and deploy each service as a Fargate task. Use an Application Load Balancer for TLS termination and routing:
| Service | CPU / Memory | Port | Health Check |
|---|---|---|---|
| elixium-app | 512 / 1024 MB | 3000 | GET / |
| elixium-api | 1024 / 2048 MB | 3001 | GET /health |
| keycloak | 1024 / 2048 MB | 8080 | GET /health/ready |
| nginx | 256 / 512 MB | 80 / 443 | GET / |
AI Provider Options
Elixium uses Gemini by default. You can also configure OpenAI, Azure OpenAI, or self-hosted Ollama (requires a GPU host such as a g4dn.xlarge EC2 instance). Set the AI_PROVIDER environment variable accordingly.
Step 5: ALB & DNS
```bash
# ALB routing rules:
#   elixium.yourcompany.com     → elixium-app:3000
#   elixium.yourcompany.com/api → elixium-api:3001
#   sso.yourcompany.com         → keycloak:8080

# Add ACM certificate for TLS
aws acm request-certificate --domain-name elixium.yourcompany.com

# Create Route 53 record pointing to ALB
aws route53 change-resource-record-sets ...
```
Estimated Monthly Cost
| Service | Configuration | Est. Cost |
|---|---|---|
| ECS Fargate (3 services) | App + API + Keycloak | ~$90 |
| RDS PostgreSQL | db.t3.medium, 20GB | ~$35 |
| S3 | Standard, minimal usage | <$1 |
| ALB | Application Load Balancer | ~$20 |
| AI Provider (optional GPU) | Gemini API or Ollama on g4dn.xlarge | $0–$380 |
| Total (without GPU) | | ~$175/mo |
Budget Option: Single EC2 Instance (~$35/mo)
For small teams (under 10 users), you can run all Elixium services on a single EC2 instance using Docker Compose. This eliminates the cost of managed services like RDS, ALB, and Fargate.
Terraform via Command Center (Recommended)
From your Elixium Command Center, go to Settings → Deployment and fill out your infrastructure profile (provider, region, compliance frameworks). Then click Download Bundle to get a pre-configured Terraform package tailored to your environment.
```bash
# 1. Download your deployment bundle from the Command Center
#    (Settings → Deployment → Download Bundle)
unzip elixium-deploy-<your-org>.zip
cd elixium-deploy/terraform/deployments/aws/docker-compose

# 2. Your terraform.tfvars is pre-filled from your profile.
#    Just add your EC2 key pair and GHCR credentials:
#    key_pair_name = "your-ec2-key"
#    ghcr_user     = "your-github-user"
#    ghcr_token    = "your-ghcr-pat"

# 3. Deploy
terraform init
terraform plan    # Review what will be created
terraform apply   # Confirm to deploy

# 4. Validate (~5 minutes after apply)
./scripts/validate-deployment.sh $(terraform output -raw public_ip) your-key.pem
```
Terraform creates a VPC, security group (SSH + HTTPS only), EC2 instance with Elastic IP, and bootstraps Elixium via cloud-init. All traffic routes through nginx on port 443 with auto-generated TLS certificates. Supports FIPS 140-2 for GovCloud and FedRAMP environments.
Manual Setup
Alternatively, launch a bare EC2 instance and follow the Self-Hosted (Docker) guide manually:
```bash
aws ec2 run-instances \
  --image-id ami-0c02fb55956c7d316 \
  --instance-type t3.medium \
  --key-name <your-key> \
  --security-group-ids <sg-id>

# SSH in and install Docker
ssh ec2-user@<public-ip>
sudo yum install -y docker
sudo systemctl enable --now docker
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose && sudo chmod +x /usr/local/bin/docker-compose

# Follow the Self-Hosted (Docker) guide from here
```
| Service | Configuration | Est. Cost |
|---|---|---|
| EC2 Instance | t3.medium (2 vCPU, 4GB RAM) | ~$30 |
| EBS Storage | 30GB gp3 | ~$3 |
| Elastic IP | Static public IP | ~$4 |
| Total | | ~$37/mo |
Trade-offs: No auto-scaling, no managed database backups (set up pg_dump cron), and a single point of failure. Great for getting started — you can migrate to the managed architecture above as your team grows.
