Model Context Protocol (MCP) servers have become the hub between AI applications and external systems such as databases, knowledge bases and third-party websites. For developers in the generative AI era they make integrating AI assistants (ChatGPT, Claude Desktop, Qwen and others) with external services or a dedicated knowledge base considerably faster and more reliable than bespoke integrations.
This article walks through the hands-on steps for deploying MCP servers on AWS in line with the best practices of the AWS Well-Architected Framework. (The "WAF" in the stack names below is AWS WAF, the web application firewall, not the Well-Architected Framework.)
The architecture implements:
- CloudFront distribution for global content delivery, fronted by AWS WAF
- Application Load Balancer for traffic distribution and TLS termination
- ECS Fargate and Lambda for containerized and serverless MCP servers
- Amazon Cognito as the OAuth 2.0 authorization server
- OAuth 2.0 Protected Resource Metadata endpoints so clients can discover the authorization server in a standards-compliant way
- Streamable HTTP transport with stateless request handling
- Four-stack CDK deployment: VPC, Security, CloudFront WAF, and MCP Server stacks
 
The solution addresses several key challenges:
- Secure hosting of MCP servers on AWS infrastructure
- Standards-compliant authentication using OAuth 2.0 Protected Resource Metadata (RFC 9728)
- Remote access to MCP servers over TLS using the Streamable HTTP transport
- Stateless server architecture, so any task can serve any client request and concurrent clients need no session affinity
- Scalable and maintainable deployment using AWS CDK
 
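The discovery chain behind the RFC 9728 bullet above, as an added example that is not code from the guidance repository or its sample client: an unauthenticated request to the MCP endpoint is answered with a 401 whose WWW-Authenticate header names the protected resource metadata URL, the client fetches that document, checks it, and only then learns which authorization server (here, the Cognito user pool) to send the user to. The CloudFront domain, resource path and user pool ID are placeholders, and the HTTP responses are constructed in-line so the code runs offline; the host-match check on the metadata URL is an extra safeguard added here, not something the page describes.

```python
import json
import re
from urllib.parse import urlparse

# Placeholders for this example: the CloudFront domain, resource path and
# Cognito user pool ID are assumptions, not values from the guidance deployment.
MCP_SERVER_URL = "https://d111111abcdef8.cloudfront.net/weather-nodejs/mcp"
PRM_URL = ("https://d111111abcdef8.cloudfront.net"
           "/.well-known/oauth-protected-resource/weather-nodejs/mcp")
COGNITO_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"

# Constructed 401 challenge: what an unauthenticated POST to the MCP endpoint
# comes back with when the server implements RFC 9728.
UNAUTHORIZED_HEADERS = {
    "WWW-Authenticate": f'Bearer realm="mcp", resource_metadata="{PRM_URL}"',
}

# Constructed documents standing in for HTTP fetches, keyed by URL.
DOCUMENTS = {
    PRM_URL: json.dumps({
        "resource": MCP_SERVER_URL,
        "authorization_servers": [COGNITO_ISSUER],
        "bearer_methods_supported": ["header"],
        "scopes_supported": ["openid"],
    }),
}

# Constructed: metadata whose "resource" names a different server. A client
# must refuse it rather than be steered to someone else's authorization server.
TAMPERED_METADATA = json.dumps({
    "resource": "https://attacker.example/weather-nodejs/mcp",
    "authorization_servers": [COGNITO_ISSUER],
})

_RESOURCE_METADATA_RE = re.compile(r'resource_metadata="([^"]+)"')


def parse_resource_metadata_url(www_authenticate):
    """Extract the resource_metadata URL from a WWW-Authenticate: Bearer challenge."""
    if not www_authenticate.strip().lower().startswith("bearer"):
        return None
    match = _RESOURCE_METADATA_RE.search(www_authenticate)
    return match.group(1) if match else None


def validate_protected_resource_metadata(body, expected_resource, metadata_url):
    """Parse an RFC 9728 document and apply the checks a client must make
    before trusting the authorization servers it names."""
    meta = json.loads(body)
    # RFC 9728 requires the "resource" value to be identical to the resource
    # identifier the client is actually trying to access.
    if meta.get("resource") != expected_resource:
        raise ValueError(f"resource mismatch: {meta.get('resource')!r} != {expected_resource!r}")
    # Added check: the metadata must come from the resource's own host, so a
    # forged challenge header cannot redirect discovery to an arbitrary origin.
    if urlparse(metadata_url).netloc != urlparse(expected_resource).netloc:
        raise ValueError("resource_metadata URL is not on the resource's host")
    servers = meta.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization_servers listed")
    for issuer in servers:
        if urlparse(issuer).scheme != "https":
            raise ValueError(f"authorization server must use https: {issuer}")
    return meta


def authorization_server_discovery_urls(issuer):
    """Candidate metadata URLs for an issuer, in the order a client should try.
    Cognito answers the OpenID Connect form (issuer + /.well-known/openid-configuration)."""
    issuer = issuer.rstrip("/")
    parts = urlparse(issuer)
    return [
        # RFC 8414: well-known segment inserted between host and path
        f"{parts.scheme}://{parts.netloc}/.well-known/oauth-authorization-server{parts.path}",
        # OpenID Connect Discovery: well-known segment appended to the issuer
        f"{issuer}/.well-known/openid-configuration",
    ]


def discover(server_url, unauthorized_headers, fetch):
    """Run the chain: 401 challenge -> protected resource metadata -> issuer.
    `fetch` is any callable mapping a URL to a response body (here a dict lookup)."""
    prm_url = parse_resource_metadata_url(unauthorized_headers.get("WWW-Authenticate", ""))
    if prm_url is None:
        raise ValueError("401 did not advertise resource_metadata; cannot locate the authorization server")
    meta = validate_protected_resource_metadata(fetch(prm_url), server_url, prm_url)
    issuer = meta["authorization_servers"][0]
    return {
        "issuer": issuer,
        "discovery_urls": authorization_server_discovery_urls(issuer),
        "scopes": meta.get("scopes_supported", []),
    }


if __name__ == "__main__":
    print(json.dumps(discover(MCP_SERVER_URL, UNAUTHORIZED_HEADERS, DOCUMENTS.__getitem__), indent=2))
```

In a real client `fetch` is an HTTPS GET; keeping it injectable is what lets the validation logic be exercised against the tampered document without a network.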
Deployment Procedure
A. Install the AWS CDK CLI with npm (requires Node.js).
npm install -g aws-cdk
B. Configure the AWS CLI with credentials for the target account.
aws configure
C. Bootstrap the CDK in the target account and region (creates the staging bucket and roles CDK deploys through).
cdk bootstrap
D. Clone the repository and change into the CDK project directory.
git clone https://github.com/aws-solutions-library-samples/guidance-for-deploying-model-context-protocol-servers-on-aws.git
cd guidance-for-deploying-model-context-protocol-servers-on-aws
cd source/cdk/ecs-and-lambda
E. Install the dependencies.
npm install
F. Authenticate Docker to Amazon ECR Public so the container build can pull its base images. ECR Public authentication is always performed against us-east-1, whichever region you deploy to.
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
G. Deploy the entire stack via CDK.
cdk deploy --all
H. CDK prints the IAM statements and security-group rules the network stack (VPC) will create; review them and answer "y" to continue.
I. Review the changes for the security stack (CloudFront and AWS WAF) and answer "y".
J. Review the changes for the server stack (ECS Fargate and Lambda) and answer "y".
K. Update the MCP servers (redeploy only the MCP server stack).
cdk deploy MCP-Server
L. The entire MCP server stack is now deployed on AWS.
M. In the Amazon Cognito console, open the user pool and note its "User pool ID". Then create a test user; the --permanent flag sets a final password so the user is not forced through the temporary-password change on first sign-in.
# Create test user
aws cognito-idp admin-create-user --user-pool-id YOUR_USER_POOL_ID --username test
# Set permanent password (bypass temporary)
aws cognito-idp admin-set-user-password --user-pool-id YOUR_USER_POOL_ID --username test --password "TestPass123!" --permanent
Verification Procedure
a. On a different host from the one used to deploy the MCP server, clone the repository and change into the sample client directory.
git clone https://github.com/aws-solutions-library-samples/guidance-for-deploying-model-context-protocol-servers-on-aws.git
cd guidance-for-deploying-model-context-protocol-servers-on-aws
cd source/sample-clients/simple-auth-client-python
b. Install the dependencies with uv.
pip install uv
uv sync --reinstall
c. Export the environment variables in the shell. Look the values up first: the distribution domain name in the CloudFront console, and the app client ID and client secret of the user pool in the Cognito console.
export MCP_SERVER_URL="https://<your-cloudfront-endpoint>/weather-nodejs/mcp"
export OAUTH_CLIENT_ID="<your-cognito-client-id>"
export OAUTH_CLIENT_SECRET="<your-cognito-client-secret>"
d. Run the MCP client.
uv run python -m mcp_simple_auth_client.main
e. A browser opens on the Cognito hosted sign-in page; enter the username and password of the test user created above.
f. When prompted, complete MFA enrolment for the test user.
g. Once the page confirms successful authentication, close the browser.
h. Back in the terminal, the client now holds an access token and you can interact with the deployed MCP server.
i. Follow the client's prompts to list the server's tools and call them.
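What the client does on the wire once it has a token, as an added example that is not the sample client from the repository: each call is a self-contained JSON-RPC POST carrying the bearer token, and because the server is stateless there is no Mcp-Session-Id to obtain or echo back. The server may answer with a plain JSON body or an SSE stream, so the parser below handles both. The protocol version, header names, tool name and the two response bodies are assumptions constructed for this example.

```python
import json

# Assumptions for this example: the protocol version, header names and the
# "get_forecast" tool are illustrative, not taken from the guidance repository.
PROTOCOL_VERSION = "2025-06-18"


def request_headers(access_token):
    """Headers for every POST to the MCP endpoint. A stateless server never issues
    an Mcp-Session-Id, so there is no session header to carry between requests."""
    return {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
        # The client must be willing to receive either body format.
        "Accept": "application/json, text/event-stream",
        "MCP-Protocol-Version": PROTOCOL_VERSION,
    }


def initialize_request(req_id):
    return {"jsonrpc": "2.0", "id": req_id, "method": "initialize",
            "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                       "clientInfo": {"name": "example-client", "version": "0.1.0"}}}


def initialized_notification():
    # Notifications carry no id and get no JSON-RPC response.
    return {"jsonrpc": "2.0", "method": "notifications/initialized"}


def tools_list_request(req_id):
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/list"}


def tools_call_request(req_id, name, arguments):
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


def parse_response_body(content_type, body):
    """Return the JSON-RPC messages in a response body. The server chooses the
    format: one JSON object, or an SSE stream whose data: events each hold a message."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json":
        message = json.loads(body)
        return message if isinstance(message, list) else [message]
    if media_type == "text/event-stream":
        messages = []
        for event in body.split("\n\n"):
            data = [line[5:].strip() for line in event.splitlines() if line.startswith("data:")]
            if data:
                messages.append(json.loads("\n".join(data)))
        return messages
    raise ValueError(f"unexpected Content-Type {content_type!r}")


def find_result(messages, req_id):
    """Pick the response matching req_id out of a stream that may also carry
    server notifications; raise on a JSON-RPC error."""
    for message in messages:
        if message.get("id") != req_id:
            continue  # a notification, or a response to another request
        if "error" in message:
            err = message["error"]
            raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
        return message["result"]
    raise RuntimeError(f"no response with id {req_id}")


# Constructed bodies standing in for what the deployed weather server might return.
SAMPLE_JSON_BODY = json.dumps({
    "jsonrpc": "2.0", "id": 2,
    "result": {"tools": [{"name": "get_forecast",
                          "inputSchema": {"type": "object",
                                          "properties": {"city": {"type": "string"}}}}]},
})
SAMPLE_SSE_BODY = (
    'event: message\n'
    'data: {"jsonrpc":"2.0","method":"notifications/message",'
    '"params":{"level":"info","data":"looking up forecast"}}\n'
    '\n'
    'event: message\n'
    'data: {"jsonrpc":"2.0","id":3,"result":{"content":[{"type":"text","text":"Sunny, 22C"}],"isError":false}}\n'
    '\n'
)


def demo():
    """Walk the tools/list then tools/call sequence against the constructed bodies."""
    headers = request_headers("eyJ...access-token...")
    tools = find_result(parse_response_body("application/json", SAMPLE_JSON_BODY), 2)["tools"]
    call = tools_call_request(3, tools[0]["name"], {"city": "Seattle"})
    result = find_result(parse_response_body("text/event-stream; charset=utf-8", SAMPLE_SSE_BODY), call["id"])
    return headers["Accept"], [t["name"] for t in tools], result["content"][0]["text"]


if __name__ == "__main__":
    print(demo())
```

Matching responses by id rather than by position matters with the SSE form: a server is free to interleave logging notifications before the result, as the constructed stream does.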
Cleanup Procedure
1). On the host you deployed from, remove all deployed stacks with AWS CDK.
cdk destroy --all
2). Answer "y" to confirm the decommissioning.
3). Wait until CDK reports that every stack has been destroyed.