Recommended managed services
| Component | AWS service | Notes |
|---|---|---|
| Kubernetes | EKS | 3–5 nodes, ≥ t3.xlarge (4 vCPU / 16 GB), Multi-AZ, cluster autoscaler enabled. |
| MongoDB | MongoDB Atlas (preferred) | Atlas runs in AWS too. See MongoDB. |
| Elasticsearch | OpenSearch Service | Multi-AZ, 3 data + 3 dedicated master nodes. See Elasticsearch. |
| Redis | ElastiCache for Redis | Cluster mode, Multi-AZ. Standard Redis is enough — no modules required. See Redis. |
| PostgreSQL (optional) | RDS for PostgreSQL | Multi-AZ. See PostgreSQL. |
| Object storage | S3 | Two buckets are enough: models and uploads (the latter serves both public and private files, proxied by the api-gateway). Add a third public bucket fronted by CloudFront only if you need public assets served directly from a CDN. |
| File storage (PVC RWX) | EFS (StorageClass efs-sc) or FSx for NetApp ONTAP | Multi-AZ. |
| Ingress | AWS Load Balancer Controller with ALB | |
| TLS / Certificates | ACM certificate | Covers api.<domain> and studio.<domain>. |
| Secrets | AWS Secrets Manager + External Secrets Operator | |
| Identity (S3 / SES) | IRSA (IAM Roles for Service Accounts) | Via the EKS OIDC provider. |
Persistent storage
The shared RWX PVC (used by prismeai-functions) must be backed by EFS or FSx for NetApp ONTAP in Multi-AZ mode. EBS volumes are AZ-scoped and not suitable for the shared volume.
Infrastructure as Code
A reference Terraform bundle is available on request from Prisme.ai support. It provisions:

| Module | What it provisions |
|---|---|
| prismeai | EKS cluster, IAM roles (IRSA), EFS file system, Secrets Manager wiring, Prometheus, Bedrock access. |
| elasticache | ElastiCache clusters for broker, runtime cache and crawler. |
| opensearch | OpenSearch domain for events and crawler indices. |
| s3 | Buckets for models and uploads, plus an optional public bucket fronted by CloudFront when direct CDN delivery is enabled. |
eksctl create cluster … aren’t reproduced here on purpose: most customers use Terraform or CloudFormation, and the AWS docs are the source of truth for the CLI.
DNS and CloudFront
Create two CNAME records pointing to the shared ALB hostname: api.<domain> and studio.<domain> (the hostnames covered by the ACM certificate above).

Files in the uploads bucket are proxied by the api-gateway and need no CDN. Wire a separate public bucket → CloudFront distribution → custom domain via ACM only if you want public assets served directly from the CDN (see UPLOADS_PUBLIC_STORAGE_*).
Ingress annotations
The full ALB ingress example, including the two distinct load balancer timeouts (client_keep_alive=60s, kept below the api-gateway server keep-alive of 70s for safe socket reuse; idle_timeout=300s for SSE / long LLM streams), lives in Helm install — Ingress and load balancer.
The non-negotiable annotations:
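For reference, here is an added example Ingress manifest (written for this page, not taken from the Prisme.ai Helm chart) that applies the two timeouts described above with the AWS Load Balancer Controller. The `core` namespace, the `prismeai` ALB group name, the `api-gateway` and `studio` service names and their port 80 are assumptions; the certificate ARN is a placeholder.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: prismeai-core              # assumed name
  namespace: core                  # assumed namespace
  annotations:
    # One shared internet-facing ALB for both hostnames; the two CNAMEs point at its hostname.
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/group.name: prismeai          # assumed group name
    alb.ingress.kubernetes.io/target-type: ip
    # ACM certificate covering api.<domain> and studio.<domain> (placeholder ARN).
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    # The two distinct timeouts:
    # - client_keep_alive (60s) stays below the api-gateway server keep-alive (70s), so the
    #   load balancer expires an idle connection before the backend does and sockets are reused safely.
    # - idle_timeout (300s) keeps SSE / long LLM streams open; the ALB default of 60s would cut them.
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=300,client_keep_alive.seconds=60
spec:
  ingressClassName: alb
  rules:
    - host: "api.<domain>"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-gateway  # service name assumed
                port:
                  number: 80       # port assumed
    - host: "studio.<domain>"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: studio       # service name assumed
                port:
                  number: 80       # port assumed
```

After applying, confirm the attributes took effect on the ALB (for example with `aws elbv2 describe-load-balancer-attributes`) rather than trusting the annotation alone.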
Next Steps
- Install with Helm: configure values and deploy the core + apps namespaces.
- Databases: MongoDB, Redis, OpenSearch and PostgreSQL.
- Install products: fresh-install walkthrough.
- Migration v27: migrate an existing instance to v27.