
# AWS Deployment with Cloud Formation Template

### High-Level Architecture Overview

This section provides a conceptual overview of how the BlueRock Secure MCP Server is deployed on AWS EC2 and how its core components interact.

#### End-to-End Flow

Deployment scripts are executed from a user desktop or client environment where the AWS CLI is configured. The script uses AWS APIs to provision the required AWS resources and deploy the BlueRock Secure MCP Server.

#### BlueRock EC2 Deployment Architecture

<figure><img src="/files/C13NOe1X5txu2IEPJsaJ" alt=""><figcaption></figcaption></figure>

#### BlueRock EC2 Architecture Components

A typical BlueRock Secure MCP Server EC2 deployment consists of the following AWS Resources/Services:

<table><thead><tr><th width="316.65625">AWS Resources/Services</th><th>Description</th></tr></thead><tbody><tr><td><strong>Virtual Private Cloud (VPC)</strong></td><td>Provides an isolated networking environment in AWS where all BlueRock deployment resources are created.</td></tr><tr><td><strong>Amazon VPC Gateway</strong></td><td>Enables controlled inbound and outbound internet access for resources deployed inside the VPC.</td></tr><tr><td><strong>Amazon EC2 (BlueRock Node)</strong></td><td>Runs the BlueRock MCP Server using a hardened BlueRock AMI and hosts all runtime services.</td></tr><tr><td><strong>Amazon Elastic Block Store (EBS)</strong></td><td>Provides persistent block storage attached to the EC2 instance for operating system and application data.</td></tr><tr><td><strong>Amazon S3 (BlueRock Config)</strong></td><td>Stores BlueRock configuration files such as <code>config.toml</code> that are retrieved by the BlueRock control plane during runtime.</td></tr><tr><td><strong>AWS Identity and Access Management (IAM) Role</strong></td><td>Grants the EC2 instance permission to access required AWS services such as Amazon S3 and Amazon CloudWatch.</td></tr><tr><td><strong>Amazon CloudWatch</strong></td><td>Receives telemetry and monitoring data generated by the BlueRock MCP Server.</td></tr><tr><td><strong>Amazon CloudWatch Logs</strong></td><td>Stores runtime logs and security events generated by the BlueRock MCP Server for analysis and auditing.</td></tr><tr><td><strong>User / Administrator</strong></td><td>Manages and monitors the BlueRock deployment through AWS services such as CloudWatch and AWS Systems Manager (SSM).</td></tr></tbody></table>

***

### Supported AMI Distributions

BlueRock Secure MCP Server supports the following Linux distributions. Each distribution has a corresponding AMI with a specific kernel version:

<table><thead><tr><th width="179.46484375">Name</th><th width="152.1328125">Kernel Version</th><th>AMI Name</th></tr></thead><tbody><tr><td>Amazon Linux 2023</td><td>6.12.51</td><td>bluerock-release-25-50-0-amzlnx2023-6.12.52-free-ami</td></tr><tr><td>Ubuntu 24.04</td><td>6.12.51</td><td>bluerock-release-25-50-0-ubuntu2404-6.12.52-free-ami</td></tr></tbody></table>

Note: The AMI name includes the **BlueRock release version**, **Linux distribution**, and **Kernel version**, allowing users to identify compatibility directly from the AMI name.

***

### Prerequisites

#### AWS Requirements

* Active AWS account
* AWS CLI installed in the local environment
* API access key credentials configured for the AWS CLI (see below)

#### Required Packages

The BlueRock Deployment Package for EC2 is provided by BlueRock as part of customer onboarding.\
This package includes AWS CloudFormation templates required to deploy the BlueRock Secure MCP Server on AWS EC2.

**AWS CLI installation and configuration guide:**\
[AWS-CLI-Installation-Config-Guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)

```
# The AWS CLI reads credentials from ~/.aws/credentials.
# If the .aws directory does not exist, create it:
mkdir -p ~/.aws

# Create or edit the credentials file. It is an INI-style file with a
# profile section and lower-case keys (not environment-variable names):
cat > ~/.aws/credentials <<'EOF'
[default]
aws_access_key_id = [your_access_key]
aws_secret_access_key = [your_secret_key]
aws_session_token = [your_session_token]
EOF
# aws_session_token is only needed for temporary (STS) credentials;
# omit it for long-lived IAM user access keys.
# The file holds secrets: keep it readable by your user only (mode 600).
```

#### Obtaining AWS Access Keys

Access keys can be generated from the AWS Management Console.

1. Navigate to the **AWS Management Console**
2. Open **IAM**
3. Go to **Users**
4. Select your user account
5. Open the **Security credentials** tab
6. Under **Access keys**, choose **Create access key**

Copy the **Access Key ID** and **Secret Access Key** into the credentials file shown above.

#### AWS Permissions Required

**User permissions:** The user executing the deployment script requires permissions to create the following AWS resources:

* VPC, Subnets, Internet Gateway, Route Tables
* EC2 instance
* Security Group
* IAM Profile
* S3 bucket

**Note:** The IAM instance profile required by the BlueRock instance is created automatically by the deployment script.

***

### Deployment Package Overview

#### Download and Extract Package

Download the BlueRock deployment package (bluerock-cloudformation-ec2) and extract it in your local environment. It contains the AWS CloudFormation templates required to deploy the BlueRock Secure MCP Server on AWS EC2.

```
Download the package:
bluerock_rel25500_deploy_script.tar.gz

Extract the package:
tar -xzf bluerock_rel25500_deploy_script.tar.gz

Verify extraction:
ls -l

Output:
bluerock_rel25500_deploy_script/
```

**Note:**

On macOS, the tar command may display the warning:

```
tar: Ignoring unknown extended header keyword 'LIBARCHIVE.xattr.com.apple.quarantine'
```

This warning is expected and can be safely ignored.

#### Directory Structure

After extracting the CloudFormation deployment package, the directory structure contains AWS CloudFormation templates and parameter files for different EC2 deployment modes.

```
bluerock_rel25500_deploy_script/
└── cloudformation/
    └── ec2/
        ├── README.md
        ├── al2023/
        │   ├── bluerock-bru-aws-ec2-template.yaml
        │   └── parameters.json
        ├── ubuntu2404/
        │   ├── bluerock-bru-aws-ec2-template.yaml
        │   └── parameters.json
        └── freemium/
            ├── README.md
            ├── al2023/
            │   ├── bluerock-bru-aws-ec2-template.yaml
            │   └── parameters.json
            └── ubuntu/
                ├── bluerock-bru-aws-ec2-template.yaml
                └── parameters.json

```

***

### CloudFormation Deployment

#### Configuration Parameters

The CloudFormation deployment uses a predefined set of parameters to control networking, instance configuration, and telemetry settings.

Parameters can be provided in either of the following ways:

* Through a **JSON parameters file**
* Directly via the **AWS CloudFormation Console**

#### Deployment using AWS Web Console

1. Navigate to **AWS CloudFormation Console**
2. Click **Create Stack** → With new resources (standard).

<figure><img src="/files/iHVSdAAcFktvWrbIsq6b" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZkfpSdD8wkrBV7vrnWFm" alt=""><figcaption></figcaption></figure>

3. Upload the CloudFormation template

<figure><img src="/files/pmRoBpLGGl3qcpRsStZd" alt=""><figcaption></figcaption></figure>

4. Configure parameters

**Parameters List:**

<table><thead><tr><th width="220">Parameter</th><th>Description</th><th>Example</th></tr></thead><tbody><tr><td><strong>AllowIp</strong></td><td>Public IP address (CIDR) allowed to access the instance via SSH.</td><td><code>101.0.62.104/32</code></td></tr><tr><td><strong>NodeInstanceType</strong></td><td>Instance type used for the BlueRock worker node.</td><td><code>t3.xlarge</code></td></tr><tr><td><strong>Prefix</strong></td><td>Prefix used for AWS resource names.</td><td></td></tr><tr><td><strong>SshKeyName</strong></td><td>Name of an existing EC2 key pair.</td><td></td></tr><tr><td><strong>AmiId</strong></td><td>AMI ID for the BlueRock Secure MCP Server image.</td><td><code>ami-0251e1dd3708aab50</code></td></tr><tr><td><strong>ExistingVpcId</strong> (optional)</td><td>Existing VPC ID for deployment.</td><td></td></tr><tr><td><strong>ExistingSubnetId</strong> (optional)</td><td>Existing subnet ID for deployment.</td><td></td></tr></tbody></table>

<figure><img src="/files/g0rWjTqxDOOkO7wApSQC" alt=""><figcaption></figcaption></figure>

5. Configure Stack Options

<figure><img src="/files/uL8zfkZ0goBVCSyvY7im" alt=""><figcaption></figcaption></figure>

6. Review and create stack

<figure><img src="/files/e5k9cQA2IZc8OQGwtkv7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/iUfTgugisIIs2lrMtIkK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/kBYKxk0gyV5MEBp0yVzj" alt=""><figcaption></figcaption></figure>

7. Monitor stack events for completion

<figure><img src="/files/YMmWxntCCVh60v0b2PRm" alt=""><figcaption></figcaption></figure>

***

#### Deployment using AWS CLI

**Step 1:** Navigate to the CloudFormation template directory

```
Amazon Linux:
cd bluerock_rel25500_deploy_script/cloudformation/ec2/freemium/al2023

Ubuntu:
cd bluerock_rel25500_deploy_script/cloudformation/ec2/freemium/ubuntu
```

**Step 2:** Create CloudFormation stack

```
# The template file in each directory is bluerock-bru-aws-ec2-template.yaml;
# CAPABILITY_IAM is required because the template creates the IAM instance profile.
aws cloudformation create-stack \
  --stack-name bluerock-deployment \
  --template-body file://bluerock-bru-aws-ec2-template.yaml \
  --parameters file://parameters.json \
  --capabilities CAPABILITY_IAM
```

**Step 3:** Monitor stack status.

Wait until the stack status shows **CREATE\_COMPLETE** before proceeding.

```
aws cloudformation describe-stacks --stack-name bluerock-deployment

Output:
{
  "Stacks": [
    {
      "StackName": "bluerock-deployment",
      "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/bluerock-deployment/9c8f1e20-1234-11ef-a2c3-0a1b2c3d4e5f",
      "StackStatus": "CREATE_COMPLETE",
      "CreationTime": "2026-02-03T10:42:18.123Z",
      "Description": "BlueRock Secure MCP Server EC2 Deployment",
      "Capabilities": [
        "CAPABILITY_IAM"
      ]
    }
  ]
}

```
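A pre-flight check for the parameters.json used in Step 2 and a reader for the describe-stacks status from Step 3, as an added example (not part of the BlueRock deployment package). The parameter names are the ones listed above; the sample values and the stack JSON are constructed, and AWS is never called.

```python
"""Pre-flight checks for the BlueRock template's parameters.json (Step 2) and a
reader for describe-stacks output (Step 3). Added example: the parameter names
are the ones documented above, the sample values are constructed."""
import ipaddress
import json

# Constructed parameters.json in CloudFormation's ParameterKey/ParameterValue form.
SAMPLE_PARAMETERS_JSON = json.dumps([
    {"ParameterKey": "AllowIp", "ParameterValue": "101.0.62.104/32"},
    {"ParameterKey": "NodeInstanceType", "ParameterValue": "t3.xlarge"},
    {"ParameterKey": "Prefix", "ParameterValue": "bluerock"},
    {"ParameterKey": "SshKeyName", "ParameterValue": "my-keypair"},
    {"ParameterKey": "AmiId", "ParameterValue": "ami-0251e1dd3708aab50"},
])
REQUIRED = ("AllowIp", "NodeInstanceType", "Prefix", "SshKeyName", "AmiId")


def load_parameters(text: str) -> dict:
    """Flatten the CloudFormation list form into {ParameterKey: ParameterValue}."""
    return {p["ParameterKey"]: p.get("ParameterValue", "") for p in json.loads(text)}


def validate_parameters(params: dict) -> list:
    """Return the problems found; an empty list means the file is ready to deploy."""
    problems = [f"{k}: missing or empty" for k in REQUIRED if not params.get(k)]
    allow = params.get("AllowIp", "")
    try:
        # AllowIp becomes the SSH ingress rule, so insist on one host (/32):
        # 0.0.0.0/0 would expose port 22 to the whole internet.
        if ipaddress.ip_network(allow, strict=True).num_addresses != 1:
            problems.append(f"AllowIp: {allow} is not a single-host /32")
    except ValueError:
        problems.append(f"AllowIp: {allow!r} is not a valid CIDR")
    if not params.get("AmiId", "").startswith("ami-"):
        problems.append("AmiId: expected an AMI ID such as ami-0251e1dd3708aab50")
    # The optional VPC and subnet only make sense as a pair.
    if bool(params.get("ExistingVpcId")) != bool(params.get("ExistingSubnetId")):
        problems.append("ExistingVpcId and ExistingSubnetId must be set together")
    return problems


def stack_state(describe_output: str, stack_name: str) -> str:
    """Reduce describe-stacks JSON to 'complete', 'failed' or 'in_progress'."""
    for stack in json.loads(describe_output)["Stacks"]:
        if stack["StackName"] == stack_name:
            status = stack["StackStatus"]
            if status == "CREATE_COMPLETE":
                return "complete"
            if "ROLLBACK" in status or "FAILED" in status:
                return "failed"
            return "in_progress"
    raise KeyError(f"no stack named {stack_name}")
```

Run `validate_parameters(load_parameters(open("parameters.json").read()))` before `create-stack`, and feed the output of `aws cloudformation describe-stacks` to `stack_state` while polling.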

***

### Post-Deployment Validation

This section verifies that the BlueRock Secure MCP Server has been deployed successfully and is functioning as expected.

#### Check BlueRock Instance

Check the instance status to confirm that the EC2 instance is running and has a public IP address assigned (for public deployments):

```
~ $ aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=bluerock*"
{
  "Reservations": [
    {
      "ReservationId": "r-00fc24c1245a2e96c",
      "OwnerId": "077227809213",
      "RequesterId": "043320173835",
      "Groups": [],
      "Instances": [
        {
          "Architecture": "x86_64",
          "BlockDeviceMappings": [
            {
              "DeviceName": "/dev/sda1",
              "Ebs": {
                "AttachTime": "2026-02-09T07:37:36+00:00",
                "DeleteOnTermination": true,
                "Status": "attached",
                "VolumeId": "vol-0929b350547dc3802",
                "EbsCardIndex": 0
              }
            }
          ],
          "ClientToken": "2f7fae10-b724-84df-0dcf-c85aee79c683",
          "EbsOptimized": false,
          "EnaSupport": true,
          "Hypervisor": "xen",
          "IamInstanceProfile": {
            "Arn": "arn:aws:iam::077227809213:instance-profile/bluerock-external-otel-InstanceProfile",
            "Id": "AIPARD6ZC3G673AWVVTM6"
          },
          "NetworkInterfaces": [
            {
              "Association": {
                "IpOwnerId": "amazon",
                "PublicDnsName": "ec2-18-227-161-122.us-east-2.compute.amazonaws.com",
                "PublicIp": "18.227.161.122"
              },
              "Attachment": {
                "AttachTime": "2026-02-09T07:37:35+00:00",
                "AttachmentId": "eni-attach-09c4ad25e1611d5df",
                "DeleteOnTermination": true,
                "DeviceIndex": 0,
                "Status": "attached",
                "NetworkCardIndex": 0
              },
              "Groups": [
                {
                  "GroupId": "sg-053ae813feb64d4f4",
                  "GroupName": "bluerock-external-otel-InstanceSecurityGroup-hzuMqu5i2q7W"
                }
              ],
              "MacAddress": "02:bc:a1:63:78:df",
              "NetworkInterfaceId": "eni-0d8d5fda7c9e7459c",
              "OwnerId": "077227809213",
              "PrivateDnsName": "ip-10-0-1-211.us-east-2.compute.internal",
              "PrivateIpAddress": "10.0.1.211"
            }
          ],
          "State": {
            "Code": 16,
            "Name": "running"
          },
          "Tags": [
            {
              "Key": "Name",
              "Value": "bluerock-external-otel-node"
            }
          ]
        }
      ]
    }
  ]
}

```

#### Check Instance Access

**Option 1: SSH Access** (Public Deployment Only)

Check instance access to confirm SSH connectivity for public deployments by running the appropriate command for the selected AMI:

```
Amazon Linux:
ssh -i /path/to/key.pem ec2-user@<PUBLIC_IP>

Ubuntu:
ssh -i /path/to/key.pem ubuntu@<PUBLIC_IP>
```

**Option 2: AWS Systems Manager (SSM)**

For private deployments, where SSH is disabled, connect via AWS Systems Manager Session Manager.

1. Navigate to EC2 Console
2. Select the BlueRock instance
3. Click **Connect → Session Manager**

<figure><img src="/files/0tw63bGVIkXZV0WvBGxK" alt=""><figcaption></figcaption></figure>

4. Click **Connect**

<figure><img src="/files/oTMNN7KBoj2aF5qcGiJr" alt=""><figcaption></figcaption></figure>

Successful connection confirms:

* SSM agent is running
* IAM instance profile permissions are correct

```
sh-5.2$ whoami
ssm-user
sh-5.2$
```

#### Verify BlueRock Control Plane Service

Verify that the BlueRock Control Plane service is running by checking that the Ultra Control service is in the **active (running)** state.

```
sudo systemctl status uc-docker.service

Output:
uc-docker.service - Manage the Ultracontrol Docker Service
     Loaded: loaded (/etc/systemd/system/uc-docker.service; enabled; preset: disabled)
     Active: active (running) since Mon 2026-02-09 07:38:45 UTC; 32min ago
   Main PID: 3207 (uc-docker.sh)
      Tasks: 2 (limit: 18937)
     Memory: 640.0K
        CPU: 763ms
     CGroup: /system.slice/uc-docker.service
             ├─3207 /usr/bin/bash /opt/bluerock/bin/uc-docker.sh start
             └─7233 sleep 5

Feb 09 07:38:45 ip-10-0-1-211.us-east-2.compute.internal systemd[1]: Started uc-docker.service - Manage the Ultracontrol Docker Service.
Feb 09 07:38:45 ip-10-0-1-211.us-east-2.compute.internal uc-docker.sh[3207]: starting uc container with ultracontrol-eks:latest image
Feb 09 07:38:45 ip-10-0-1-211.us-east-2.compute.internal uc-docker.sh[3207]: To check logs run: /opt/bluerock/bin/uc-docker.sh logs
Feb 09 07:38:45 ip-10-0-1-211.us-east-2.compute.internal uc-docker.sh[3220]: 0d11bbd42f7965c1bf91b3df00657931f38de20b158f8cbd2c631c96634bf7ea
Feb 09 07:38:46 ip-10-0-1-211.us-east-2.compute.internal uc-docker.sh[3207]: uc container started successfully.

```

**Check Otel Collector:**

Check the OpenTelemetry Collector and Ultra Control containers to verify that both services are running.

```
sh-5.2$ sudo docker ps

Output:
CONTAINER ID   IMAGE                                                         COMMAND                  CREATED          STATUS          PORTS                                                                      NAMES
0d11bbd42f79   ultracontrol-eks:latest                                       "/opt/bluerock/sbin/…"   24 minutes ago   Up 24 minutes                                                                              uc
c273c9761964   public.ecr.aws/aws-observability/aws-otel-collector:v0.44.0   "/awscollector --con…"   24 minutes ago   Up 24 minutes   2000/tcp, 4317/tcp, 55681/tcp, 0.0.0.0:4318->4318/tcp, :::4318->4318/tcp   otel-collector

View logs:
/opt/bluerock/bin/uc-docker.sh logs
docker logs otel-collector

```
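A checker for the two outputs read in this validation section, the describe-instances JSON from Check BlueRock Instance and the `docker ps` listing above, as an added example rather than a BlueRock-provided tool; both samples are constructed and trimmed to the fields the checks use.

```python
"""Post-deployment checks over the two outputs read above: describe-instances JSON
and `docker ps`. Added example; both samples are constructed and trimmed."""
import json
import re

SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [{
    "InstanceId": "i-0123456789abcdef0",
    "State": {"Code": 16, "Name": "running"},
    "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/bluerock-InstanceProfile"},
    "NetworkInterfaces": [{"Association": {"PublicIp": "18.227.161.122"}}],
    "Tags": [{"Key": "Name", "Value": "bluerock-node"}],
}]}]})
SAMPLE_DOCKER_PS = """\
CONTAINER ID   IMAGE                     COMMAND                  CREATED          STATUS          PORTS                                      NAMES
0d11bbd42f79   ultracontrol-eks:latest   "/opt/bluerock/sbin/…"   24 minutes ago   Up 24 minutes                                              uc
c273c9761964   public.ecr.aws/aws-observability/aws-otel-collector:v0.44.0   "/awscollector --con…"   24 minutes ago   Up 24 minutes   0.0.0.0:4318->4318/tcp, :::4318->4318/tcp   otel-collector
"""


def check_instances(describe_output: str, public: bool = True) -> dict:
    """Per instance: running, IAM profile attached and, if public, a public IP."""
    results = {}
    for res in json.loads(describe_output)["Reservations"]:
        for inst in res["Instances"]:
            public_ips = [ni.get("Association", {}).get("PublicIp")
                          for ni in inst.get("NetworkInterfaces", [])]
            results[inst["InstanceId"]] = {
                "running": inst["State"]["Name"] == "running",
                "instance_profile": bool(inst.get("IamInstanceProfile", {}).get("Arn")),
                "public_ip": (not public) or any(public_ips),
            }
    return results


def running_containers(docker_ps: str) -> dict:
    """NAME -> (STATUS, PORTS). Columns split on 2+ spaces; the name is read from
    the end of the line so an empty PORTS column (as for uc) does not shift it."""
    containers = {}
    for line in docker_ps.splitlines()[1:]:
        cols = re.split(r"\s{2,}", line.strip())
        containers[cols[-1]] = (cols[4], cols[5] if len(cols) > 6 else "")
    return containers


def check_runtime(docker_ps: str) -> list:
    """Problems with the uc and otel-collector containers the page expects."""
    seen = running_containers(docker_ps)
    problems = [f"{n}: not running" for n in ("uc", "otel-collector")
                if not seen.get(n, ("", ""))[0].startswith("Up")]
    if "4318->4318" not in seen.get("otel-collector", ("", ""))[1]:
        problems.append("otel-collector: OTLP/HTTP port 4318 not published")
    return problems
```

For a private deployment call `check_instances(..., public=False)` so a missing public IP is not reported as a failure.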

Logs should show normal startup messages with no repeated errors or crash loops.

#### Verify OTEL Events in AWS CloudWatch

**Check CloudWatch logs:**

1. Navigate to **CloudWatch Console**

<figure><img src="/files/DogcPf1CuTVvPPes5obD" alt=""><figcaption></figcaption></figure>

2. Go to **Log Groups**

<figure><img src="/files/vZkQGhh6hLiQHdGL554N" alt=""><figcaption></figcaption></figure>

3. Find the BlueRock Log Group

<figure><img src="/files/OplUxNxFLmc2Tw4cQctx" alt=""><figcaption></figcaption></figure>

4. **Verify:**

* Log entries are present
* Events originate from the EC2 instance
* Timestamps align with instance startup activity

<figure><img src="/files/rc7GHh69mKkQk73waxoF" alt=""><figcaption></figcaption></figure>

Expected logs include runtime events emitted by the BlueRock Secure MCP Server.

For additional information on CloudWatch Logs, see:\
[CloudWatchLogs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html)
