Skip to Content
prxy.monster v1 is in early access. See what shipped →
Local ModeAWS self-deploy (CDK)

AWS self-deploy

Run the prxy.monster gateway entirely inside your own AWS account. Your data, your IAM, your bill, your control plane. Pairs naturally with the Bedrock provider for an end-to-end AWS-native deploy.

The CDK template is part of the cloud monorepo at infra/aws-cdk/. (Local-only prxy-local users — you don’t need this; just docker run per the Docker quick start.)

What it provisions

ResourcePurpose
VPC (2 AZs)Public + private + isolated subnets
Aurora Serverless v2 Postgrespgvector-capable database (auto-pause when idle)
ElastiCache Serverless (Valkey)Redis-compatible cache + KV (no shard sizing)
S3 bucketBlob storage (eviction archive, large payloads)
Secrets ManagerDB credentials + provider API keys
App Runner serviceRuns the gateway container; scales to zero when idle
CloudWatch log groupApplication + access logs
IAM rolesLeast-priv runtime + ECR pull. Bedrock + SES already included.
Route53 + ACM (optional)Custom domain when --context domain=... is passed

The IAM runtime role grants bedrock:Converse* and ses:SendEmail so the Bedrock provider and the SES email backend work out of the box.

Deploy

Prerequisites

  • Node 20+, npm
  • AWS CDK v2: npm install -g aws-cdk
  • AWS credentials configured (aws configure or env vars)
  • Account bootstrapped for CDK in the target region: cdk bootstrap
  • A container image for the gateway, published to ECR Public, GHCR, or your own ECR (default: ghcr.io/ekkos-technologies-inc/prxy-monster:latest)

Synth + deploy

git clone https://github.com/Ekkos-Technologies-Inc/prxy-monster
cd prxy-monster/infra/aws-cdk
npm install
npm run synth                       # generate CloudFormation; sanity check
npm run deploy --context domain=prxy.example.com

Useful context flags:

FlagDefaultNotes
--context domain=...(none)Enables Route53 + ACM provisioning
--context image=...ghcr.io/ekkos-technologies-inc/prxy-monster:latestOverride the gateway image
--context blobBucketName=...(auto-generated)Globally-unique S3 bucket name
--context dbName=...prxyPostgres database name

Post-deploy

  1. Enable pgvector — Aurora Postgres ships pgvector but doesn’t pre-load it: 
    CREATE EXTENSION IF NOT EXISTS vector;
  2. Populate provider keys — open the secret named AppSecrets in Secrets Manager and fill in ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, GROQ_API_KEY as needed. Bedrock keys aren’t stored here — the IAM role gives the gateway native Bedrock access.
  3. Verify SES sender domain if you intend to send mail with EMAIL_PROVIDER=ses.
  4. Custom domain — if you passed --context domain=..., associate the custom domain with App Runner: 
    aws apprunner associate-custom-domain \
  --service-arn <gateway-service-arn> \
  --domain-name <your-domain>

Cost estimate (us-east-1, idle)

  • App Runner: ~$5/mo (1 vCPU x 2 GB, scales to zero)
  • Aurora Serverless v2: ~$45/mo (0.5 ACU min, idle most of the day)
  • ElastiCache Serverless: ~$0/mo idle, ~$0.13/GB-hr active
  • S3: ~$0.02/GB/mo storage + standard egress
  • NAT Gateway: ~$32/mo (the unavoidable “AWS tax” for private egress)

Burst load adds Aurora ACUs + App Runner concurrency. The NAT gateway is the only static-cost piece — replace with NAT Instances if you’re optimising for hobby use.

Why CDK over CloudFormation / Terraform / Pulumi?

CDK gives us TypeScript-native infra with the same aws-cdk-lib constructs the AWS team uses internally — significantly less boilerplate than raw CloudFormation, faster iteration than Terraform’s HCL, and a wider ecosystem than Pulumi for AWS-specific services. A raw CloudFormation export ships at infra/aws-cdk/cloudformation/ for Terraform shops who’d rather convert it.

Why App Runner over ECS Fargate?

App Runner is the closest AWS analogue to Cloud Run — scales to zero, no ALB to provision, no task-def churn for image-only updates, and a dramatically smaller mental footprint. The trade-offs:

  • Tighter per-region quotas
  • Visible cold starts at very low traffic
  • Less control over networking (use ECS Fargate if you need a custom load-balancer rule set)

For self-deploy, those trade-offs are worth the operational simplicity. If you outgrow App Runner you can swap to ECS Fargate without changing the gateway image.

Destroying

cd infra/aws-cdk
npm run destroy

RemovalPolicy.RETAIN is set on the S3 bucket and RemovalPolicy.SNAPSHOT on the database so accidental destroys don’t lose data. Manually empty + drop those resources for a full teardown.

Last updated on
Local mode — Airgap modeLocal mode — Docker reference