
# AWS

## Prerequisites

{% stepper %}
{% step %}
**Set up a Kubernetes cluster**

{% hint style="info" %}
**Supported Kubernetes version:** 1.17 and later.

You can use an existing cluster, create a new one using the managed service [EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html), or provision one manually with kops on EC2 machines.

* Make your default storage class's underlying provider resizable, so all PVCs for Hyperledger Fabric nodes can be resized when needed.
* Add zone labels to Kubernetes nodes when a cluster is stretched across multiple availability zones.
{% endhint %}
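
A preflight check for the two cluster requirements above, as an added example that is not part of the original guide. The function names and the sample rows are constructed for illustration; the `--live` branch assumes `kubectl` already points at the target cluster.

```bash
#!/usr/bin/env bash
# Added example, not vendor code; function names are hypothetical.

# stdin: "name<TAB>is-default<TAB>allowVolumeExpansion", one StorageClass per line.
# Exit 0: every default class is resizable; 1: one is not; 2: no default class.
check_default_storageclass() {
  awk -F'\t' '
    NF == 0 { next }
    $2 == "true" {
      defaults++
      if ($3 == "true") { print "ok: " $1 } else { print "NOT RESIZABLE: " $1; bad++ }
    }
    END {
      if (defaults == 0) { print "no default StorageClass"; exit 2 }
      exit (bad > 0 ? 1 : 0)
    }'
}

# stdin: "node<TAB>zone", one node per line (only relevant for multi-AZ clusters).
# Exit 1 if any node lacks the zone label.
check_zone_labels() {
  awk -F'\t' '
    NF == 0  { next }
    $2 == "" { print "missing zone label: " $1; bad++; next }
             { zones[$2] = 1 }
    END {
      n = 0; for (z in zones) n++
      print "zones seen: " n
      exit (bad > 0 ? 1 : 0)
    }'
}

if [ "${1:-}" = "--live" ]; then   # query the current kubectl context
  kubectl get storageclass -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.storageclass\.kubernetes\.io/is-default-class}{"\t"}{.allowVolumeExpansion}{"\n"}{end}' \
    | check_default_storageclass
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.topology\.kubernetes\.io/zone}{"\n"}{end}' \
    | check_zone_labels
else                               # constructed sample rows, not real cluster output
  printf 'gp2\ttrue\t\ngp3\t\ttrue\n' | check_default_storageclass || echo "storage check failed"
  printf 'node-a\teu-west-1a\nnode-b\t\n' | check_zone_labels || echo "zone check failed"
fi
```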

**Minimum cluster size:**

* Catalyst Blockchain Platform (1 instance): 2 core CPU, 4 GB RAM, 10 GB disk space
* Each additional node (CA, orderer, or peer):

| Node    | CPU | Memory (Mi) | Storage (Gi) |
| ------- | --- | ----------- | ------------ |
| CA      | 0.1 | 128         | 1            |
| Peer    | 0.1 | 128         | 1            |
| Orderer | 0.1 | 128         | 1            |

{% hint style="info" %}
Consider the expected load and increase these values accordingly. Each chaincode installed to a peer runs as a separate pod consuming additional resources.
{% endhint %}
{% endstep %}

{% step %}
**Install Helm to your workstation**

Installation guide: <https://helm.sh/docs/intro/install/>

{% hint style="info" %}
**Supported Helm version:** 3.\*
{% endhint %}
{% endstep %}

{% step %}
**Configure ingress and DNS**

**Ingress Controller**

{% hint style="info" %}
We recommend using the Traefik ingress controller (v2.3). Installation guide: <https://github.com/traefik/traefik-helm-chart>
{% endhint %}

The ingress controller exposes Hyperledger Fabric nodes (peer, orderer, CA) as well as API and UI through port `:443`.

* Ingress resources for Hyperledger Fabric nodes are provisioned automatically — these nodes require **TLS passthrough** because of mutual TLS.
* Ingress resources for API and UI require a **trusted TLS certificate**.

Two load balancer options:

{% tabs %}
{% tab title="Option 1 — Single NLB (recommended)" %}
A single network load balancer (NLB) with TLS passthrough. The TLS certificate is provisioned by [cert-manager](https://cert-manager.io/docs/installation/helm/), and Traefik handles TLS termination for API and UI.

No additional customization needed.

**DNS record:**

```
A *.example.com -> NLB address
```

{% endtab %}

{% tab title="Option 2 — Two NLBs + ACM" %}
Two load balancers: NLB1 with AWS Certificate Manager (ACM) for TLS termination, and NLB2 with TLS passthrough for Hyperledger Fabric nodes.

Create the ACM-enabled service:

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <arn:aws:acm:region:account:certificate/id>
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  name: traefik-with-acm
  namespace: <traefik-ingress namespace>
spec:
  ports:
    - name: web
      port: 80
      protocol: TCP
      targetPort: web
    - name: websecure
      port: 443
      protocol: TCP
      targetPort: websecure
  selector:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/name: traefik
  type: LoadBalancer
```

**DNS records:**

```
A example.com  -> NLB1 address   (API and UI — TLS termination via ACM)
A *.example.com -> NLB2 address  (Fabric nodes — TLS passthrough)
```

{% endtab %}
{% endtabs %}

**Component endpoints:**

* **UI:** `example.com:443`
* **API:** `example.com:443/api`
* **Any HL Fabric node:** `<nodeName>.example.com:443`
{% endstep %}

{% step %}
**Create a namespace**

```bash
kubectl create ns ${ns_name}
```

* Get credentials to the Helm repository in JFrog Artifactory from the IntellectEU admin team.
* Add the repo to Helm:

```bash
# Quote the variables so credentials with special characters are passed intact.
helm repo add catbp https://intellecteu.jfrog.io/artifactory/catbp-helm \
  --username "${ARTIFACTORY_USERNAME}" \
  --password "${ARTIFACTORY_PASSWORD}"
```

{% endstep %}

{% step %}
**Create an ImagePullSecret**

```bash
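# "docker-registry" is the secret type kubectl uses for image pull credentials.
# DOCKER_* are placeholder variable names for your JFrog registry credentials.
kubectl create secret docker-registry intellecteu-jfrog-access \
  --docker-server=intellecteu-catbp-docker.jfrog.io \
  --docker-username="${DOCKER_USERNAME}" \
  --docker-password="${DOCKER_PASSWORD}" \
  --docker-email="${DOCKER_EMAIL}" \
  -n "${ns_name}"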
```
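
An alternative way to create the same ImagePullSecret without placing the registry password on a command line, where it would land in shell history and the process list. This is an added example, not part of the original guide: `make_pull_secret` and `REGISTRY_PASSWORD` are hypothetical names, and the demo credentials are constructed.

```bash
#!/usr/bin/env bash
# Added example, not vendor code; make_pull_secret is a hypothetical helper.
# Usage against a cluster (REGISTRY_PASSWORD is an assumed variable name):
#   printf '%s' "$REGISTRY_PASSWORD" | make_pull_secret "$ns_name" "$user" | kubectl apply -f -
make_pull_secret() {
  ns=$1; user=$2
  server=intellecteu-catbp-docker.jfrog.io   # registry host used on this page
  pass=$(cat)                                # password arrives on stdin, not in argv
  [ -n "$pass" ] || { echo "empty password on stdin" >&2; return 1; }
  # The "auth" field alone is enough for the kubelet: base64("user:password").
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  cfg=$(printf '{"auths":{"%s":{"auth":"%s"}}}' "$server" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: intellecteu-jfrog-access
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | base64 | tr -d '\n')
EOF
  unset pass auth cfg
}

# Constructed demo credentials, for illustration only: prints the manifest.
printf '%s' 'constructed-demo-password' | make_pull_secret demo-namespace demo-user
```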

{% endstep %}

{% step %}

#### Deploy a message broker

A message broker is needed by the Catalyst Blockchain Platform Hyperledger Fabric service to schedule commands, emit events and control workflows.

The Catalyst Blockchain Platform Hyperledger Fabric service requires a vhost and a user with full access to the vhost. A single queue will be propagated upon the Catalyst Blockchain Platform Hyperledger Fabric service startup.

{% hint style="info" %}
Currently, only **RabbitMQ** is supported.

**Version**: 3.7 and later.

We recommend using **Amazon MQ** managed service.

* No specific configurations are needed.
* 1 GB RAM is recommended as a minimum setup.
* Usually, the load on the message broker is low, so it does not require many resources. t3.micro can be selected as a machine.
{% endhint %}

{% hint style="danger" %}
The default configuration comes with TLS enabled, even for a private VPC. Make sure you enable the `amqp.tls` option in the Helm values.
{% endhint %}
{% endstep %}

{% step %}

#### Deploy a database

We recommend using Amazon RDS managed service.

* 1 GB RAM is recommended as a minimum setup.
* No specific configurations are needed.
* db.t3.small can be selected as a machine.

A database is required by the Catalyst Blockchain Platform Hyperledger Fabric service to support the internal architecture for workflows and to store user action logs.

The Catalyst Blockchain Platform Hyperledger Fabric service requires a database and a user with full read/write access to the database. Database tables will be provisioned in the default schema on application startup.

In this example we will use PostgreSQL. The schema is `public` by default.

Run these commands to provision a database on the recently deployed server:

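```sql
-- Dedicated database and login for the Catalyst service.
CREATE DATABASE "catbp-org1";
-- Replace the placeholder with a generated secret; do not reuse the user name as the password.
CREATE USER "catbp" WITH ENCRYPTED PASSWORD '<strong-password>';
GRANT ALL PRIVILEGES ON DATABASE "catbp-org1" TO "catbp";
```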

{% hint style="danger" %}
Make sure to set up automatic backups so that all action logs of users won’t be lost in case of failure.
{% endhint %}
{% endstep %}

{% step %}

#### Setup

Configure Helm chart values
{% endstep %}
{% endstepper %}

## Install the Catalyst Blockchain Platform

Once prerequisites are complete, proceed with the Installation Instructions to configure Helm chart values and deploy the service.

