Install from AWS Marketplace

A Shortcut to GRAX Success

The article documents the fastest, easiest methodology for installing your own GRAX environment in an AWS account. The are several points of divergence in the steps; each is defined in the options before you. If you have any questions, please reach out to a GRAX representative or Support.

AWS Account Identification / Creation

GRAX runs inside an account controlled and owned by your business. As such, identifying/creating the account is the first step. You'll need high-level or administrator access to the chosen account throughout the process of installing GRAX. We recommend that this account be separated from the rest of your AWS network simply to provide your team with a clear demarcation between GRAX resources and other parts of your infrastructure. It can also simplify access and auditing conversations.

DNS and Domain Registration

NOTE: if you are meeting with a GRAX Engineering or Sales representative to perform a POC, Trial, Sandbox, or Production installation, you must complete this step first.

Your GRAX app runs at a publicly available domain/endpoint by default; this requires that the Load Balancer be associated with a registered domain and given a matching certificate. Please review our URL documentation for more information.


Prior to installing the GRAX AWS template, please ensure that you have communicated with the GRAX Sales Team. If you have not, please contact them at [email protected]; They can assist you through the AWS Marketplace experience to ensure that you have been provided a GRAX License for your installation. This is necessary to ensure that there is no disruption with your GRAX app once installed.


Now that you've secured a license and been sent into the Cloudformation interface, it's time to actually provision some infrastructure. We'll go one parameter at a time down the list and provide examples for when each parameter is needed.

The single most important step here is ensuring you're logged into the correct AWS account. Clicking the install/deploy links assumes the account that you were last using. This may not be correct for your use-case. Double check your account before proceeding.


The parameters below are in order as they appear on the template, but parameters that should not be changed aren't included. As such, if a parameter appears on the template but not here, leave it as the default.

VPC CIDRs and Subnet CIDRs (7 Parameters)

Specify a "/16" CIDR for the VPC and unique "/24" CIDRs for the subnets in the CIDR parameter fields.

Ensure that the VPC CIDR is unique from any VPC you may be interested in peering with the GRAX VPC.

Hosted Zone ID

If you chose option 1 or 2 in the "DNS and Domain Registration" section above, enter the ID of the created hosted zone in this field. Hosted zone IDs take a form like Z090403712WK0R7BCGET5. Else, keep empty.

Domain Name

If you chose option 1 or 2 in the "DNS and Domain Registration" section above, this value must be a subdomain of the hosted zone's domain. This means that if your subdomain is, valid values here would be of the form:


If you did not choose option 1 or 2 in the "DNS and Domain Registration" section above, your value here must be a subdomain of whatever domain you registered elsewhere.

Load Balancer Access Scheme

Set this value to "internet-facing" unless you have discussed an internal-only ALB access scheme with a GRAX engineer.

Load Balancer Ingress CIDR

This value controls what IP ranges can talk to the load balancer.

Set this value to unless you have strict requirements against it. This is usually only used with an "internal" access scheme. For general traffic filtering, see the WAF configuration options below.

Client-Side IPs

Several features of the GRAX app/service rely on user-client traffic directly talking to app endpoints. This means that the IPs of your end users must be able to reach the Load Balancer. If you have a limited network segment (VPN) which all of your users use for network access, you can add CIDR ranges here to allow them while removing "public" access. If blank, allows public access on several endpoints which are otherwise secured (token-based auth, etc).

This affects WAF regular expression patterns, not the ALB Security Group.

Configuration Encryption Base

Enter a new, secure, randomly generated string to serve as the base of an internal encryption key.

Database Password

Enter a new, secure, randomly generated user password for the GRAX DB.

Database KMS Key

If using BYOK KMS for RDS/DB, enter the ARN of your KMS key here.

S3 Bucket Name

If set, bucket takes the given name. If blank, name is based on the stack name and concatenated with a random string. Must be globally unique.

S3 KMS Key

If using BYOK KMS for S3, enter the ARN of your KMS key here.


Check the box at the bottom of the page to approve creation of custom-named IAM resources and click Create Stack. Within 25 minutes your GRAX stack should be ready for connection.


The information necessary for connecting your GRAX app to storage is provided in the stack output. This consists of the URL of the GRAX web server, the bucket name, and the bucket region. Follow the standard GRAX connection documentation with these values to prepare your GRAX app.