Prerequisites

Everything you need before deploying the AI Gateway.

Required Tools

Tool	Version	Purpose
mise	latest	Tool version manager — installs all other tools automatically
uv	latest	Python package manager
Terraform	>= 1.9	Infrastructure as code (installed via mise)
AWS CLI	v2	AWS operations and credential management
Docker	latest	Container builds and local testing

# mise
curl https://mise.run | sh
echo 'eval "$(mise activate zsh)"' >> ~/.zshrc

# uv
curl -LsSf https://astral.sh/uv/install.sh | sh

# mise
curl https://mise.run | sh
echo 'eval "$(mise activate bash)"' >> ~/.bashrc

# uv
curl -LsSf https://astral.sh/uv/install.sh | sh

The gateway deploys the following AWS resources. Your IAM identity needs permissions to create and manage them.

Service	Resources Created
VPC	VPC, subnets (2 public + 2 private), NAT Gateway, Internet Gateway, route tables
ECS	Fargate cluster, service, task definition
ECR	Container image repository
ALB	Application Load Balancer, listeners, target group
Cognito	User Pool, resource server, app client, domain
WAF v2	Web ACL with managed rules and IP rate limiting
CloudWatch	Log groups, Logs Insights queries, operational dashboard
Secrets Manager	Provider API keys (OpenAI, Anthropic, Google, Azure OpenAI)
IAM	Task execution role, task role
VPC Endpoints	ECR (API + DKR), CloudWatch Logs, Secrets Manager, S3

For HTTPS access with a custom domain:

Register or delegate a domain in Route 53 (or use an existing hosted zone)
Request an ACM certificate for your domain in the same region as the deployment
Set the domain variables in your Terraform tfvars file

Without a custom domain, the gateway is accessible via the ALB’s auto-generated DNS name over HTTP.

Outbound internet access — The ECS tasks need to reach external LLM provider APIs (api.openai.com, api.anthropic.com, etc.) via the NAT Gateway
VPN / network policy — If your organization restricts outbound traffic, ensure the NAT Gateway’s public IP is allowed to reach provider endpoints on port 443