Reference Architecture

An opinionated, end-to-end tech stack built on top of the Infrastructure as Code Library that we deploy into your AWS accounts in about one day.

A new standard for architecture on AWS

The Reference Architecture is an opinionated, battle-tested, best-practices way to assemble the code from the Infrastructure as Code Library into an end-to-end tech stack that includes just about everything you need: server cluster, load balancer, database, cache, network topology, monitoring, alerting, CI/CD, secrets management, VPN, and more (check out the Production Readiness Checklist to see what it takes to go to prod on AWS).

We customize the Reference Architecture to your needs, deploy into into your AWS accounts, and give you 100% of the codeā€”all in about one day.

Gruntwork Reference Architecture
An example Reference Architecture. Yours may look different, depending on the options you pick.

How It Works

Choose your architecture options

You fill out an online web form to customize your Reference Architecture:

  • Single AWS Account or Multi-Account
  • AWS region
  • End-to-end encryption (as part of HIPAA, PCI, or other compliance programs)
  • Run services on Docker or directly on EC2 Instances
  • PostgreSQL, MySQL, SQL Server, Amazon Aurora, or any other RDS Database
  • Redis or Memcached
  • CircleCI, Travis CI, or Jenkins
  • Bastion Host or OpenVPN
  • S3 + CloudFront CDN for static content
  • Lambda functions
  • DNS, TLS
  • Monitoring, Alerting, Log Aggregation
  • Kakfa, ZooKeeper, ELK, MongoDB, and many other options

Are we missing something you want? Pay us a one-time fee to build it for you.

We build your architecture

We translate your preferences into infrastructure code written in Terraform, Bash, Python, and Go. We put the code into your git repos and deploy it into your AWS account(s), all in about one day.

Learn how to use it

Use our DevOps Training Library to learn how to use your new architecture with a series of micro-videos that do an in-depth walkthrough of all the most common uses cases. Need to learn Terraform, Docker, or Packer? We have courses on those, too!

Get support

If you run into a snag, ask a question on our community support channel via Slack. Or sign up for Dedicated Support to chat directly with Gruntwork engineers via a private shared Slack channel, email, or phone/video, and guarantee a timely response.

Reference Architecture Features

Infrastructure as Code
Infrastructure as Code

Written in Terraform, Go, Python, and Bash. You get 100% of the code.


The architecture has been proven with 70+ Gruntwork customers.


Get a fully-working, best-practices tech stack in AWS in about one day!


Designed for high availability, scalability, and durability


Network security, encryption, audit trail, server hardening, & more


Includes training videos and documentation

What's included

The Reference Architecture includes:

AWS Account(s) Choose from a single AWS account configuration, or a multi-account setup where each AWS account represents a distinct environment.
Network Topology For each environment, create a VPC with multiple subnet tiers, route tables, NAT Gateways, Network ACLs, etc.
Server cluster Choose from a Docker Cluster (backed by Amazon EC2 Container Service) or Auto Scaling Groups.
Load balancer Choose from the Application Load Balancer (HTTP/HTTPS) or the Load Balancer Classic (TCP).
Database Choose from MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, or Aurora.
Cache Choose from Redis or Memcached.
Other data stores We have support for Kafka, ZooKeeper, MongoDB, ELK (Elasticsearch, Logstash, Kibana), and more.
Static content Deploy your images, CSS, and JS into an S3 bucket and and CloudFront as a CDN in front of it.
Bastion host Choose from either a plain bastion host or an OpenVPN server as the sole entrypoint to your AWS network.
CI server Choose from Jenkins, CircleCI, or TravisCI.
Sample frontend app A sample frontend application that shows how to package the code using Docker or Packer, how to manage configuration across multiple environments, how to store application secrets, how to do service discovery to talk to a backend app, and how to run the entire stack in the dev environment.
Sample backend app A sample backend application that shows how to package the code using Docker or Packer, how to manage configuration across multiple environments, how to store application secrets, how to talk to the database and cache, and how to apply schema migrations.
SQS, Kinesis Optionally include queues in SQS and streams in Kinesis.
Lambda Optionally deploy Lambda functions using Terraform and run and test your Lambda functions locally using Docker.
Environments Choose the isolated environments you want to create: e.g., dev, qa, stage, prod.
Account setup Choose to deploy all environments into a single AWS account (more convenient) or to deploy each environment into a separate AWS account (more secure).
Encryption Choose if you want to enable end-to-end encryption for all data at rest and in transit. Mandatory for compliance use-cases (e.g., HIPAA, PCI, SOX, etc).
Automated build & deployment (CI / CD) Run a build after every commit to test your code, package it using Docker or Packer, and, for commits to certain branches or tags, automatically deploy that Docker or Packer image to specific environments.
Monitoring Configure CloudWatch with extra metrics not visible to the AWS hypervisor, including memory and disk space usage.
Alerting Configure alerts on key CloudWatch metrics: e.g., high CPU usage on EC2 instances, too many 4xx or 5xx errors on load balancers, low disk space on RDS instances. Configure Route 53 health checks on public endpoints.
Log aggregation Configure all servers to send logs to the CloudWatch Logs UI.
DNS Configure your domain name(s) using Route 53.
SSL/TLS Create SSL/TLS certificates for your domain names using AWS Certificate Manager.
Server hardening Configure every server to run fail2ban and to automatically install critical security patches on a nightly basis.
SSH management Install ssh-iam on every server, which allows admins to grant or revoke SSH access using IAM groups and for each developer to be able to use their own username and SSH key to connect to servers.
Secrets management Use KMS to securely encrypt and decrypt application secrets, such as database passwords.
Account security Enable CloudTrail to audit all API calls in your AWS account(s). Create best practices IAM groups and policies for user and permissions management.
High Availability All aspects of the architecture are designed for high availability: e.g., all servers are deployed across multiple Availability Zones; load balancers perform health checks and automatically replace failed servers; the load balancers themselves run multiple servers and do automatic failover; the database and cache can also do automatic failover to standby servers in another Availability Zone; data is automatically backed up on a nightly basis.
Scalability All aspects of the architecture support easy vertical and horizontal scalability: e.g., you can use auto scaling policies to resize the server cluster in response to load; the load balancers will automatically scale up and down in response to load; you can configure read replicas for your database and cache.
Infrastructure as code You get 100% of the source code for everything in the Reference Architecture. It is written using a variety of tools, including Terraform, Packer, Docker, Go, Python, and Bash.
Documentation Comprehensive written and video documentation of everything included in the Reference Architecture.


Check out the Pricing page for details. Please note that to use the Reference Architecture, you must be a Gruntwork Subscriber.