Reference Architecture

An opinionated, end-to-end tech stack built on top of the Infrastructure as Code Library that we deploy into your AWS or GCP accounts in about one day.

Get a Demo

A new standard for architecture

The Reference Architecture is an opinionated, battle-tested, best-practices way to assemble the code from the Infrastructure as Code Library into an end-to-end tech stack that includes just about everything you need: server cluster, load balancer, database, cache, network topology, monitoring, alerting, CI/CD, secrets management, VPN, and more (check out the Production Readiness Checklist to see what it takes to go to prod).

We customize the Reference Architecture to your needs, deploy into your AWS or GCP accounts, and give you 100% of the code. The whole process takes about one day for AWS! If you're interested in a Reference Architecture for GCP, Contact Us!

We also offer a CIS AWS Foundations Benchmark compliant version of the Reference Architecture. See our Compliance offering to learn more.

Get a Detailed Walkthrough of the Reference Architecture
See our blog post How to Build an End to End Production-Grade Architecture on AWS.

Gruntwork Reference Architecture
An example AWS Reference Architecture. GCP Reference Architecture also available.

How It Works

Choose your architecture options

You fill out an online web form to customize your Reference Architecture:

  • Single Account or Multi-Account
  • Region
  • End-to-end encryption (as part of HIPAA, PCI, or other compliance programs)
  • Run services on Docker using Kubernetes or ECS, or directly on EC2 Instances using ASGs
  • PostgreSQL, MySQL, SQL Server, or other relational database
  • Redis or Memcached
  • CircleCI, Travis CI, or Jenkins
  • Bastion Host or OpenVPN
  • Static content storage and serving
  • Serverless functions
  • DNS, TLS
  • Monitoring, Alerting, Log Aggregation
  • Kafka, ZooKeeper, ELK, MongoDB, and many other options

We build your architecture

We translate your preferences into infrastructure code written in Terraform, Bash, Python, and Go. We put the code into your git repos and deploy it into your AWS or GCP account(s). For AWS, this takes about one day. For GCP, Contact Us!.

Learn how to use it

Use our DevOps Training Library to learn how to use your new architecture with a series of micro-videos that do an in-depth walkthrough of all the most common uses cases. Need to learn Terraform, Docker, or Packer? We have courses on those, too!

Get support

If you run into a snag, ask a question on our community support channel via Slack. Or sign up for Professional Support to chat directly with Gruntwork engineers via a private shared Slack channel or email, and guarantee a timely response.

Reference Architecture Features

Infrastructure as Code

Infrastructure as Code

Written in Terraform, Go, Python, and Bash. You get 100% of the code.



The architecture has been proven with 70+ Gruntwork customers.



Get a fully-working, best-practices tech stack in AWS in about one day!



Designed for high availability, scalability, and durability



Network security, encryption, audit trail, server hardening, & more



Includes training videos and documentation

What's included

The Reference Architecture includes:

Account configuration Choose from a single or multi account/project setup where each account/project represents a distinct environment.
Network Topology For each environment, create a VPC with multiple subnet tiers, route tables, NAT Gateways, Network ACLs, etc.
Server cluster Choose from a Docker Cluster (backed by Amazon EC2 Container Service, Amazon EC2 Kubernetes Service, or Google Kubernetes Engine) or Auto Scaling Groups.
Load balancer Choose your load balancer for distributing traffic across your server cluster.
Database Choose a supported relational database, such as MySQL, PostgreSQL, MariaDB, Oracle, or SQL Server.
Cache Choose a supported distributed cache, such as Redis or Memcached.
Other data stores We have support for Kafka, ZooKeeper, MongoDB, ELK (Elasticsearch, Logstash, Kibana), SQS, Kinesis, and more.
Static content Deploy your images, CSS, and JS into an S3 or GCS bucket and configure a CDN in front of it.
Bastion host Choose from either a plain bastion host or an OpenVPN server as the sole entrypoint to your network.
CI server Choose from Jenkins, CircleCI, or TravisCI.
Sample frontend app A sample frontend application that shows how to package the code using Docker or Packer, how to manage configuration across multiple environments, how to store application secrets, how to do service discovery to talk to a backend app, and how to run the entire stack in the dev environment.
Sample backend app A sample backend application that shows how to package the code using Docker or Packer, how to manage configuration across multiple environments, how to store application secrets, how to talk to the database and cache, and how to apply schema migrations.
Serverless Optionally deploy serverless functions using Terraform.
Environments Choose the isolated environments you want to create: e.g., dev, qa, stage, prod.
Encryption Choose if you want to enable end-to-end encryption for all data at rest and in transit. Mandatory for compliance use-cases (e.g., HIPAA, PCI, SOX, etc).
Automated build & deployment (CI / CD) Run a build after every commit to test your code, package it using Docker or Packer, and, for commits to certain branches or tags, automatically deploy that Docker or Packer image to specific environments.
Monitoring Configure metrics in CloudWatch or StackDriver.
Alerting Configure alerts on key metrics: e.g., high CPU usage on EC2 instances, too many 4xx or 5xx errors on load balancers, low disk space on your database.
Log aggregation Configure all servers to send logs to a central location for easier searching and filtering.
DNS Configure your domain name(s).
SSL/TLS Create SSL/TLS certificates for your domain names.
Server hardening Configure every server to run fail2ban and to automatically install critical security patches on a nightly basis.
SSH management Install ssh-grunt on every server, which allows admins to grant or revoke SSH access using your identity provider (e.g., IAM, Google, Active Directory) and for each developer to be able to use their own username and SSH key to connect to servers.
Secrets management Use KMS to securely encrypt and decrypt application secrets, such as database passwords.
Account security Enable audit logging for all of your API calls. Create best practices IAM groups and policies for user and permissions management.
High Availability All aspects of the architecture are designed for high availability: e.g., all servers are deployed across multiple Availability Zones; load balancers perform health checks and automatically replace failed servers; the load balancers themselves run multiple servers and do automatic failover; the database and cache can also do automatic failover to standby servers in another Availability Zone; data is automatically backed up on a nightly basis.
Scalability All aspects of the architecture support easy vertical and horizontal scalability: e.g., you can use auto scaling policies to resize the server cluster in response to load; the load balancers will automatically scale up and down in response to load; you can configure read replicas for your database and cache.
Infrastructure as code You get 100% of the source code for everything in the Reference Architecture. It is written using a variety of tools, including Terraform, Packer, Docker, Go, Python, and Bash.
Documentation Comprehensive written and video documentation of everything included in the Reference Architecture.

Read our blog post How to Build an End to End Production-Grade Architecture on AWS for an overview of what is included.


Check out the Pricing page for details. Please note that to use the Reference Architecture, you must be a Gruntwork Subscriber.