Forem: angelomao

How to deploy MCP Servers on AWS with the Best Practices

angelomao — Tue, 04 Nov 2025 03:06:04 +0000

The Model Context Protocol (MCP) Servers become the hub between AI applications and external systems like databases, knowledge bases, and 3rd party websites during the Generative AI era for developers, which significantly increases the efficiency and effectiveness of integrating AI chatbots (like ChatGPT, Claude Desktop, Qwen) with external services or your dedicated knowledge bases.

This article describes the process of hands-on steps for deploying the MCP servers onto AWS while aligning with the best practices of the Well-Architected Framework (WAF).

The architecture implements:

CloudFront distribution for global content delivery with WAF protection
Application Load Balancer for traffic distribution and SSL termination
ECS Fargate and Lambda for containerized and serverless MCP servers
AWS Cognito for OAuth 2.0 authorization server functionality
OAuth 2.0 Protected Resource Metadata endpoints for standards-compliant authentication
StreamableHTTP transport with stateless request handling
Four-stack CDK deployment: VPC, Security, CloudFront WAF, and MCP Server stacks

The solution addresses several key challenges:

Secure hosting of MCP servers on AWS infrastructure
Standards-compliant authentication using OAuth 2.0 Protected Resource Metadata (RFC9728)
Remote access to MCP servers through secure StreamableHTTP transport
Stateless server architecture for concurrent client support
Scalable and maintainable deployment using AWS CDK

Deployment Procedure

A. Install AWS CDK with a program like Node.js on your terminal.
npm install -g aws-cdk
B. Configure AWS permissions with your credentials via AWS CLI.
aws configure
C. Set up the AWS CDK on your AWS environment.
cdk bootstrap
D. Clone the source code into the terminal and go to the relevant directory.

git clone https://github.com/aws-solutions-library-samples/guidance-for-deploying-model-context-protocol-servers-on-aws.git
cd guidance-for-deploying-model-context-protocol-servers-on-aws
cd source/cdk/ecs-and-lambda

E. Install the dependencies.
npm install

F. Log in to the public AWS ECR (assume the deploy region is us-east-1).
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

G. Deploy the entire stack via CDK.
cdk deploy --all

H. Type "yes" to continue the deployment of the network components like VPC.

I. Type "yes" to deploy security components like CloudFront and WAF.

J. Type "yes" to deploy server components like ECS and Lambda.

K. Update the MCP servers.

cdk deploy MCP-Server

L. Now the entire MCP server stack is deployed on AWS.

M. Go to the AWS Cognito panel and note down the value of "User pool ID". Then create a test user.

# Create test user
aws cognito-idp admin-create-user --user-pool-id YOUR_USER_POOL_ID --username test

# Set permanent password (bypass temporary)
aws cognito-idp admin-set-user-password --user-pool-id YOUR_USER_POOL_ID --username test --password "TestPass123!" --permanent

Verification Procedure

a. On a different host from the one to deploy the MCP server, clone the source code and go to the relevant directory.

git clone https://github.com/aws-solutions-library-samples/guidance-for-deploying-model-context-protocol-servers-on-aws.git
cd guidance-for-deploying-model-context-protocol-servers-on-aws
cd source/sample-clients/simple-auth-client-python

b. Install the dependencies with uv.

pip install uv
uv sync --reinstall

c. Export the environment variables in the shell (you need to go to AWS CloudFront and Cognito console to check the values first).

export MCP_SERVER_URL="https://<your-cloudfront-endpoint>/weather-nodejs/mcp"
export OAUTH_CLIENT_ID="<your-cognito-client-id>"
export OAUTH_CLIENT_SECRET="<your-cognito-client-secret>"

d. Run the MCP client.

uv run python -m mcp_simple_auth_client.main

e. Input the username and password created in the above step for the authorization.

f. Set up MFA for the MCP client.

g. You will see the info that indicates the successful authentication and you can close the browser.

h. Back to the MCP client, and you're free to go with interacting with the deployed MCP server.

i. You can follow the instructions to interact with the MCP server in terms of list/call the relevant functions as below.

Cleanup Procedure

1). Remove the deployed stack on the host where you deploy it via AWS CDK
cdk destroy --all

2). Type "yes" to continue the decommissioning process.

3). Until the time when the deployed stack is decommissioned successfully.

Build a Fullstack Modern System with Kiro

angelomao — Thu, 11 Sep 2025 01:17:15 +0000

Thrilled to share that I have preliminarily finished my first project of building a full fledged AssetManagementSystem entirely based on Kiro which is composed of the tech stack below:

Frontend: React 18 with TypeScript, Tailwind CSS, React Router, React Query
Backend: Node.js with Express, TypeScript, JWT authentication
Database: PostgreSQL with Prisma ORM
Development: Docker Compose for containerized development environment

The process is pretty straightforward:

I described the business requirement to Kiro then it rephrases the detailed aspects.
After I consent to what it understand, it starts the High Level / Low Level design which include but not limited to: Frontend, Backend, Data Models, Data Schema, Error Handling, Test Methodology, Authentication, Performance, etc.
After I agree with the design, it starts to generate the task list based on the design according to the dependancy.
Then I start to execute the task sequencially until they're all finished successfully.

Of course, there are a lot of issues during the task execution (even after all those tasks executed). But I've been amazed at the troubleshooting capabilities of AI model behind the scene and fast responses to carry out the solutions to clear the issues (of course it also burns out my request of the plan).

This project let me witness the slogan of Kiro "Turn your idea into reality" isn't an empty talk but 100% capabilities shown before your eyes.

Here's my GitHub repo if you're keen to have a look:

https://github.com/angelomao/corporate-asset-management-kiro

Deploy the Generative AI Application Builder on AWS

angelomao — Fri, 05 Sep 2025 01:25:05 +0000

This solution is based on the below architecture with pure serverless technology on AWS.

The overview of this diagram is described as follows:

Use CloudFront to deliver the Web GUI which is hosted on S3 bucket.
The Web GUI leverages the REST API which behind APIGateway.
Use AWSWAF to protect the API from attacks via web ACL.
Leverage Cognito to authenticate users against Web UI and API Gateway.
AWS Lambda hosts the business logic for the Rest API.
Use CloudFormation to deploy the Use Cases.
Amazon DynamoDB stores the data of deployments.
Amazon CloudWatch monitors the performance of solution and operational health.

Deployment Process:

Download the cloudformation template from here
Deploy the downloaded template with inputs to the following parameters on AWS cloudformation console

Admin User Email: your email address
DeployUI: Yes

After the deployment is completed, you can get access to the Web UI as shown below

Deploy a Use Case such as Text based chatbot

Now you can start to chat with your LLM such as Amazon Nova Pro

Deploy Drupal on ECS Fargate

angelomao — Tue, 02 Sep 2025 10:06:37 +0000

Do you want to build a Content Management System (CMS) based on Drupal in a totally SERVERLESS manner automatically on Amazon Web Services (AWS)? Well this solution can definitely help you out with the following overview:

Host the Application layer on ECSFargate which is totally serverless
Attach the EFS system to multiple tasks on ECSFargate
Host the Database layer on Aurora for MySQL in Serverlessv2 db class
Deploy both the app and database layer in the private subnet in a VPC
Use Internet Gateway deployed in the public subnet for inbound traffic
Leverage NAT Gateway deployed in the public subnet for outbound traffic
The entire stack is deployed via CloudFormation template.

Deploying the CloudFormation Stacks

Clone the repository and deploy the solution from an AWS Cloudformation console using the cloned main.yaml file.

git clone https://github.com/angelomao/drupal-on-ecs-fargate.git

Providing the Parameter for CloudFormation to Deploy the Stack

Configuring the Drupal Website

Configure the demo Drupal application that you want to build. The application landing page redirects to the installation page after selecting Save and continue.

You will eventually see the website after initializing it successfully

How to deploy and manage your workload on EKS in a one-stop shop

angelomao — Fri, 06 Jun 2025 09:25:47 +0000

Amazon Web Services (AWS) has carried out its Elastic Kubernetes Service (EKS) Auto Mode based on the open source technology Karpenter, which extends the management beyond the Kubernetes cluster itself and provide Just-in-time autoscaling of the cluster based on your deployed workloads, and extremely offload the burden of the administer / DevOps personnel while let developers focus on the application. Recently I have exlpored this service and been amazed by the functionality and features which let you manage your containerized workload on this platform in a one-stop shop. This article works you through the process of setting up the cluster and deploying the sample application onto it.

Create the EKS Auto Mode cluster

First and foremost, you need to have an active AWS account with admin rights, with which you can create a user with the relevant IAM permission and Security credentials (aka, Access Key ID and Secret Access Key).

Second, you can choose the method to create the EKS Auto Mode cluster (like awscli, eksctl, terraform, etc). I choose Terraform module (https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest) and leverage GitHub with Terraform Cloud (https://app.terraform.io) to deploy it in a continuous manner, which extremely simplifies the process of deploying all required resources (EKS cluster, IAM role, IAM policy, SA, etc) and reduces the manually errors. The GUI looks like the picture below.

Third, if everything is OK, the EKS Auto Mode cluster should be successfully created and displayed on your AWS Management console as shown below.

Next, you need to update the kubeconfig on your laptop with command below so that you can get access to your cluster.

aws eks update-kubeconfig --name "<your cluster name>"

after which, you can spot the nodes of the cluster with below command:

kubectl get nodepools

Deploy your sample workload onto the EKS cluster

After creating the cluster, you can deploy the sample workload onto the cluster to see the effect. I choose to deploy game 2048 which gives the direct visual effects.

Create a file named 01-namespace.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: game-2048

Apply the namespace configuration:
kubectl apply -f 01-namespace.yaml

Create a file named 02-deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: game-2048
  name: deployment-2048
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: app-2048
  replicas: 5
  template:
    metadata:
      labels:
        app.kubernetes.io/name: app-2048
    spec:
      containers:
        - image: public.ecr.aws/l6m2t8p7/docker-2048:latest
          imagePullPolicy: Always
          name: app-2048
          ports:
            - containerPort: 80
          resources:
            requests:
              cpu: "0.5"

Apply the deployment:
kubectl apply -f 02-deployment.yaml

Create a file named 03-service.yaml:

apiVersion: v1
kind: Service
metadata:
  namespace: game-2048
  name: service-2048
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: NodePort
  selector:
    app.kubernetes.io/name: app-2048

Apply the service:
kubectl apply -f 03-service.yaml

Create a file named 04-ingressclass.yaml:

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/name: LoadBalancerController
  name: alb
spec:
  controller: eks.amazonaws.com/alb

Note:
You need to manually add the tag into the subnets of VPC below if the cluster isn't created by eksctl. Otherwise the creation will fail.
kubernetes.io/role/elb: 1

Then create the Ingress resource. Create a file named 05-ingress.yaml:
apiVersion: networking.k8s.io/v1

kind: Ingress
metadata:
  namespace: game-2048
  name: ingress-2048
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service-2048
                port:
                  number: 80

Apply the ingress configurations:

kubectl apply -f 04-ingressclass.yaml
kubectl apply -f 05-ingress.yaml

Verify the Deployment

kubectl get pods -n game-2048
kubectl get svc -n game-2048
kubectl get ingress -n game-2048

The ADDRESS field in the ingress output will show your ALB endpoint. Wait 2-3 minutes for the ALB to provision and register all targets.

If everything works fine, you should be able to get access to the deployed app as shown below.

Monitoring your workload

In order to monitor your workload via AWS CloudWatch, you need to install CloudWatch Observability add-ons into the cluster.

First, go to the "Observability" tab of the EKS cluster on the management console.

Second, click on "Manage CloudWatch Observability add-ons" button and follow the instruction to install the add-on.

If everything is ok, you should see the add-on under the "Add-ons" tab as shown below.

Now you can go to the Container Insights of CloudWatch to monitor your workload in a visual manner.

Backend Architecture on AWS

angelomao — Sat, 22 Mar 2025 12:07:59 +0000

Today I am thrilled to announce that the brand new architecture designed by myself for the backend of XXX app is now live on Amazon Web Services (AWS) after several months of deploying and tuning efforts!
Plenty of features are applied to this architecture which include but not limited to:
Route53
API Gateway + VPC Link
AWS WAF
AWS ALB
AWS Certificate Manager
AWS Secrets Manager
Amazon Inspector
VPC Endpoints for S3/ECR/CodeDeploy
VPC Peering
NAT Gateway
CloudFront
EC2 AutoScaling Group
ECS Fargate AutoScaling
ECR
EFS
S3 Bucket
AWS Elastic Transcoder
AWS Rekognition
RDS MySQL + Read Replica
Elasticache for Memcached/Redis
Athena + Data Source Connector
HashiCorp Packer for AMI
MongoDB Atlas on AWS
Amazon Managed Grafana Labs
CloudWatch + SNS
Blue/Green Deployments for RDS
CI by GitLab + CD by CodeDeploy

The whole infrastructure is deployed with HashiCorp Terraform Cloud.

Setup OpenVPN AS on AWS

angelomao — Sat, 22 Mar 2025 11:54:30 +0000

Here’s an example of setting up an OpenVPN Inc. Access Server behind an Application Load Balancer which let the Admin/User login the web portal in a secure manner, and a Network Load Balancer which facilitates the User to form a VPN connection to the AS server with high performance and security then freely connect to private endpoints on Amazon Web Services (AWS)

Implement CD pipeline on AWS

angelomao — Sat, 22 Mar 2025 11:51:58 +0000

DevOps personnels don't have access to the source code due to some information security policies? Not a problem. You can upload a workable artifact from Developers together with appspec yml file and scripts for starting the services in zip format onto S3 bucket, and CodePipeline will check the changes of file and trigger the deployment with CodeDeploy which will deploy the new artifact onto EC2 servers via agent in an AutoScalingGroup, and SNS will inform you on any deployment failure events. Thus you have a workable CD pipeline on Amazon Web Services (AWS) which can introduce a lot of efficiencies into your daily work.

How to build an AMI image on AWS with HashiCorp Packer and use it in Terraform

angelomao — Mon, 04 Mar 2024 09:46:23 +0000

As a DevOps engineer you always encounter the scenario that you need to bake the image with which to spin up the new servers on the Public Clouds like AWS/Azure/GCP. This article introduce how to bake the image using HashiCorp Packer and use it via IaC tools like Terraform on the Public Cloud (take AWS as an example) in a continuous manner.

Follow the tutorial on HashiCorp official website to install Packer on your developer machine. https://developer.hashicorp.com/packer/tutorials/docker-get-started/get-started-install-cli.
Go to your AWS Management Console and generate an Access key under the IAM user with the necessary permission to build an AMI image. Export the credentials on your developer machine like the below. export AWS_ACCESS_KEY_ID= export AWS_SECRET_ACCESS_KEY=
Prepare your script for building the AMI with Packer in JSON format.
Use the command below to upgrade your script in JSON into HCL format. packer hcl2_upgrade .json
Go to your HashiCorp Cloud Platform website and generate the tokens required to push the built AMI onto Packer repo. Export the tokens into your env vars on your developer machine. export HCP_CLIENT_ID= export HCP_CLIENT_SECRET=
Build your AMI with the command below. packer build .hcl And Packer will upload the newly built AMI onto Packer repo on HCP website.
Add the required snippet into your Terraform code. Note: the value for bucket_name and region can be set according to your actual situation.
Refer to the ID of built AMI with the below statement in your Terraform code. image_id = data.hcp_packer_image.sample.cloud_image_id
So Terraform will always get the AMI ID of the newly built AMI as the referral to spin up the new EC2 instance.

Therefore you can build your AMI and use the ID of the output in your Terraform code in a continuous manner. And most importantly it's totally FREE. Hope it can help with your daily work.