AWS Deployment with Cloud Formation Template

High-Level Architecture Overview

This section provides a conceptual overview of how the BlueRock Secure MCP Server is deployed on AWS EC2 and how its core components interact.

End-to-End Flow

Deployment scripts are executed from a user desktop or client environment where AWS CLI is configured. The script uses AWS APIs to provision the required AWS Resources and deploy BlueRock Secure MCP Server.

BlueRock EC2 Deployment Architecture

Architecture Diagram

BlueRock EC2 Architecture Components

A typical BlueRock Secure MCP Server EC2 deployment consists of the following AWS Resources/Services:

AWS Resources/Services

Description

Virtual Private Cloud (VPC)

Provides an isolated networking environment in AWS where all BlueRock deployment resources are created.

Amazon VPC Gateway

Enables controlled inbound and outbound internet access for resources deployed inside the VPC.

Amazon EC2 (BlueRock Node)

Runs the BlueRock MCP Server using a hardened BlueRock AMI and hosts all runtime services.

Amazon Elastic Block Store (EBS)

Provides persistent block storage attached to the EC2 instance for operating system and application data.

Amazon S3 (BlueRock Config)

Stores BlueRock configuration files such as config.toml that are retrieved by the BlueRock control plane during runtime.

AWS Identity and Access Management (IAM) Role

Grants the EC2 instance permission to access required AWS services such as Amazon S3 and Amazon CloudWatch.

Amazon CloudWatch

Receives telemetry and monitoring data generated by the BlueRock MCP Server.

Amazon CloudWatch Logs

Stores runtime logs and security events generated by the BlueRock MCP Server for analysis and auditing.

User / Administrator

Manages and monitors the BlueRock deployment through AWS services such as CloudWatch and AWS Systems Manager (SSM).

Supported AMI Distributions

BlueRock Secure MCP Server supports the following Linux distributions. Each distribution has a corresponding AMI with specific kernel version:

Name

Kernel Version

AMI Name

Amazon Linux 2023

6.12.51

bluerock-release-25-50-0-amzlnx2023-6.12.52-free-ami

Ubuntu 24.04

6.12.51

bluerock-release-25-50-0-ubuntu2404-6.12.52-free-ami

Note: The AMI name includes the BlueRock release version, Linux distribution, and Kernel version, allowing users to identify compatibility directly from the AMI name.

Prerequisites

AWS Requirements

Active AWS account
API key credentials configured in local environment
AWS CLI should be installed and key credentials should be configured

Required Packages

The BlueRock Deployment Package for EC2 is provided by BlueRock as part of customer onboarding. This package includes AWS CloudFormation templates required to deploy the BlueRock Secure MCP Server on AWS EC2.

AWS CLI installation and configuration guide: AWS-CLI-Installation-Config-Guide

AWS CLI uses credentials stored in the following file:
~/.aws/credentials

If the .aws directory does not exist, create it using:
mkdir -p ~/.aws

Create or edit the credentials file:
~/.aws/credentials

Add the following entries:
AWS_ACCESS_KEY_ID=[your_access_key]
AWS_SECRET_ACCESS_KEY=[your_secret_key]
AWS_SESSION_TOKEN=[your_session_token]

Obtaining AWS Access Keys

Access keys can be generated from the AWS Management Console.

Navigate to the AWS Management Console
Open IAM
Go to Users
Select your user account
Open the Security credentials tab
Under Access keys, choose Create access key

Copy the Access Key ID and Secret Access Key into the credentials file shown above.

AWS Permissions Required

User permissions: The user executing the deployment script requires permissions to create the following AWS resources:

VPC, Subnets, Internet Gateway, Route Tables
EC2 instance
Security Group
IAM Profile
S3 bucket

Note: The IAM instance profile required for BlueRock instance is automatically created by the deployment script.

Deployment Package Overview

Download and Extract Package

Download the BlueRock deployment package (bluerock-cloudformation-ec2) and extract it on your local environment. It contains AWS CloudFormation templates required to deploy the BlueRock Secure MCP Server on AWS EC2.

Download the package:
bluerock_rel25500_deploy_script.tar.gz

Extract the package:
tar -xzf bluerock_rel25500_deploy_script.tar.gz

Verify extraction:
ls -l

Output:
bluerock_rel25500_deploy_script/

Note:

On macOS, the tar command may display the warning:

tar: Ignoring unknown extended header keyword 'LIBARCHIVE.xattr.com.apple.quarantine'

This warning is expected and can be safely ignored.

Directory Structure

After extracting the CloudFormation deployment package, the directory structure contains AWS CloudFormation templates and parameter files for different EC2 deployment modes.

bluerock_rel25500_deploy_script/
└── cloudformation/
    └── ec2/
        ├── README.md
        ├── al2023/
        │   ├── bluerock-bru-aws-ec2-template.yaml
        │   └── parameters.json
        ├── ubuntu2404/
        │   ├── bluerock-bru-aws-ec2-template.yaml
        │   └── parameters.json
        └── freemium/
            ├── README.md
            ├── al2023/
            │   ├── bluerock-bru-aws-ec2-template.yaml
            │   └── parameters.json
            └── ubuntu/
                ├── bluerock-bru-aws-ec2-template.yaml
                └── parameters.json

CloudFormation Deployment

Configuration Parameters

The CloudFormation deployment uses a predefined set of parameters to control networking, instance configuration, and telemetry settings.

Parameters can be provided in either of the following ways:

Through a JSON parameters file
Directly via the AWS CloudFormation Console

Deployment using AWS Web Console

Navigate to AWS CloudFormation Console
Click Create Stack → With new resources (standard).

Upload the CloudFormation template

Configure parameters

Parameters List:

AllowIp
Public IP address allowed to access the instance via SSH.
Example: 101.0.62.104/32

NodeInstanceType
Instance type used for BlueRock worker node.
Example: t3.xlarge

Prefix
Prefix used for AWS resource names.

SshKeyName
Name of an existing EC2 key pair.

AmiId
AMI ID for the BlueRock Secure MCP Server image.
Example: ami-0251e1dd3708aab50

ExistingVpcId (Optional)
Existing VPC ID for deployment.

ExistingSubnetId (Optional)
Existing subnet ID for deployment.

Configure Stack Options

Review and create stack

Monitor stack events for completion

Deployment using AWS CLI

Step 1: Navigate to the CloudFormation template directory

Amazon Linux:
cd bluerock_rel25500_deploy_script/cloudformation/ec2/freemium/al2023

Ubuntu:
cd bluerock_rel25500_deploy_script/cloudformation/ec2/freemium/ubuntu

Step 2: Create CloudFormation stack

aws cloudformation create-stack \
  --stack-name bluerock-deployment \
  --template-body file://template.yaml \
  --parameters file://parameters.json \
  --capabilities CAPABILITY_IAM

Step 3: Monitor stack status.

Wait until the stack status shows CREATE_COMPLETE before proceeding.

aws cloudformation describe-stacks --stack-name bluerock-deployment

Output:
{
  "Stacks": [
    {
      "StackName": "bluerock-deployment",
      "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/bluerock-deployment/9c8f1e20-1234-11ef-a2c3-0a1b2c3d4e5f",
      "StackStatus": "CREATE_COMPLETE",
      "CreationTime": "2026-02-03T10:42:18.123Z",
      "Description": "BlueRock Secure MCP Server EC2 Deployment",
      "Capabilities": [
        "CAPABILITY_IAM"
      ]
    }
  ]
}

Post-Deployment Validation

This section verifies that the BlueRock Secure MCP Server has been deployed successfully and is functioning as expected.

Check Bluerock Instance

Check the instance status to confirm that the EC2 instance is running and has a public IP address assigned (for public deployments):

~ $ aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=bluerock*"
{
  "Reservations": [
    {
      "ReservationId": "r-00fc24c1245a2e96c",
      "OwnerId": "077227809213",
      "RequesterId": "043320173835",
      "Groups": [],
      "Instances": [
        {
          "Architecture": "x86_64",
          "BlockDeviceMappings": [
            {
              "DeviceName": "/dev/sda1",
              "Ebs": {
                "AttachTime": "2026-02-09T07:37:36+00:00",
                "DeleteOnTermination": true,
                "Status": "attached",
                "VolumeId": "vol-0929b350547dc3802",
                "EbsCardIndex": 0
              }
            }
          ],
          "ClientToken": "2f7fae10-b724-84df-0dcf-c85aee79c683",
          "EbsOptimized": false,
          "EnaSupport": true,
          "Hypervisor": "xen",
          "IamInstanceProfile": {
            "Arn": "arn:aws:iam::077227809213:instance-profile/bluerock-external-otel-InstanceProfile",
            "Id": "AIPARD6ZC3G673AWVVTM6"
          },
          "NetworkInterfaces": [
            {
              "Association": {
                "IpOwnerId": "amazon",
                "PublicDnsName": "ec2-18-227-161-122.us-east-2.compute.amazonaws.com",
                "PublicIp": "18.227.161.122"
              },
              "Attachment": {
                "AttachTime": "2026-02-09T07:37:35+00:00",
                "AttachmentId": "eni-attach-09c4ad25e1611d5df",
                "DeleteOnTermination": true,
                "DeviceIndex": 0,
                "Status": "attached",
                "NetworkCardIndex": 0
              },
              "Groups": [
                {
                  "GroupId": "sg-053ae813feb64d4f4",
                  "GroupName": "bluerock-external-otel-InstanceSecurityGroup-hzuMqu5i2q7W"
                }
              ],
              "MacAddress": "02:bc:a1:63:78:df",
              "NetworkInterfaceId": "eni-0d8d5fda7c9e7459c",
              "OwnerId": "077227809213",
              "PrivateDnsName": "ip-10-0-1-211.us-east-2.compute.internal",
              "PrivateIpAddress": "10.0.1.211"
            }
          ],
          "State": {
            "Code": 16,
            "Name": "running"
          },
          "Tags": [
            {
              "Key": "Name",
              "Value": "bluerock-external-otel-node"
            }
          ]
        }
      ]
    }
  ]
}

Check Instance Access

Option 1: SSH Access (Public Deployment Only)

Check instance access to confirm SSH connectivity for public deployments by running the appropriate command for the selected AMI:

Amazon Linux:
ssh -i /path/to/key.pem ec2-user@<PUBLIC_IP>

Ubuntu:
ssh -i /path/to/key.pem ubuntu@<PUBLIC_IP>

Option 2: AWS Systems Manager (SSM)

For Private deployment, where SSH is disabled, connect via AWS SSM.

Navigate to EC2 Console
Select the BlueRock instance
Click Connect → Session Manager

Click Connect

Successful connection confirms:

SSM agent is running
IAM instance profile permissions are correct

sh-5.2$ whoami
ssm-user
sh-5.2$

Verify BlueRock Control Plane Service

Verify that the BlueRock Control Plane service is running by checking that the Ultra Control service is in the active (running) state.

sudo systemctl status uc-docker.service

Output:
uc-docker.service - Manage the Ultracontrol Docker Service
     Loaded: loaded (/etc/systemd/system/uc-docker.service; enabled; preset: disabled)
     Active: active (running) since Mon 2026-02-09 07:38:45 UTC; 32min ago
   Main PID: 3207 (uc-docker.sh)
      Tasks: 2 (limit: 18937)
     Memory: 640.0K
        CPU: 763ms
     CGroup: /system.slice/uc-docker.service
             ├─3207 /usr/bin/bash /opt/bluerock/bin/uc-docker.sh start
             └─7233 sleep 5

Feb 09 07:38:45 ip-10-0-1-211.us-east-2.compute.internal systemd[1]: Started uc-docker.service - Manage the Ultracontrol Docker Service.
Feb 09 07:38:45 ip-10-0-1-211.us-east-2.compute.internal uc-docker.sh[3207]: starting uc container with ultracontrol-eks:latest image
Feb 09 07:38:45 ip-10-0-1-211.us-east-2.compute.internal uc-docker.sh[3207]: To check logs run: /opt/bluerock/bin/uc-docker.sh logs
Feb 09 07:38:45 ip-10-0-1-211.us-east-2.compute.internal uc-docker.sh[3220]: 0d11bbd42f7965c1bf91b3df00657931f38de20b158f8cbd2c631c96634bf7ea
Feb 09 07:38:46 ip-10-0-1-211.us-east-2.compute.internal uc-docker.sh[3207]: uc container started successfully.

Check Otel Collector:

Check the OpenTelemetry Collector and Ultra Control containers to verify that both services are running.

sh-5.2$ sudo docker ps

Output:
CONTAINER ID   IMAGE                                                         COMMAND                  CREATED          STATUS          PORTS                                                                      NAMES
0d11bbd42f79   ultracontrol-eks:latest                                       "/opt/bluerock/sbin/…"   24 minutes ago   Up 24 minutes                                                                              uc
c273c9761964   public.ecr.aws/aws-observability/aws-otel-collector:v0.44.0   "/awscollector --con…"   24 minutes ago   Up 24 minutes   2000/tcp, 4317/tcp, 55681/tcp, 0.0.0.0:4318->4318/tcp, :::4318->4318/tcp   otel-collector

View logs:
/opt/bluerock/bin/uc-docker.sh logs
docker logs otel-collector