Install from AWS Marketplace

A Shortcut to GRAX Success

The article documents the fastest, easiest methodology for installing your own GRAX environment in an AWS account. The are several points of divergence in the steps; each will be clearly defined and present the options before you. If you have any questions, please reach out to a GRAX representative or [email protected].

AWS Account Identification / Creation

GRAX runs inside an account controlled and owned by your business. As such, identifying or creating the account is the first step. You'll need high-level or admin access to the chosen account throughout the process of installing GRAX. We recommend that this account be separated from the rest of your AWS network simply to provide your team with a clear demarcation between GRAX resources and other parts of your infrastructure. It can also simplify access and auditing conversations.

DNS and Domain Registration

NOTE: If you are meeting with a GRAX Engineering or Sales representative to perform a POC, Trial, Sandbox, or Production installation, you must complete this step first.

Your GRAX app will run at a publicly available domain/endpoint by default; this requires that the Load Balancer be associated with a registered domain and given a matching certificate. Please review our URL documentation for more information.


Prior to installing the GRAX AWS template, please ensure that you have communicated with the GRAX Sales Team. If you have not, please contact them at [email protected]; They can assist you through the AWS Marketplace experience to ensure that you have been provided a GRAX License for your installation. This is necessary to ensure that there is no disruption with your GRAX application once installed.


Now that you've secured a license and been sent into the Cloudformation interface, it's time to actually provision some infrastructure. We'll go one parameter at a time down the list and provide examples for when each parameter is needed.

The single most important step here is ensuring you're logged into the correct AWS account. Clicking the install/deploy links will assume the account that you were last using. This may not be correct for your use-case. Doublecheck your account before proceeding.


The parameters below are in order as they appear on the template, but parameters that should not be changed are not included. As such, if a parameter appears on the template but not here, leave it as the default.

VPC CIDRs and Subnet CIDRs (7 Parameters)

Specify a "/16" CIDR for the VPC and unique "/24" CIDRs for the subnets in the CIDR parameter fields.

Ensure that the VPC CIDR is unique from any VPC you may be interested in peering with the GRAX VPC.

Hosted Zone ID

If you chose option 1 or 2 in the "DNS and Domain Registration" section above, enter the ID of the created hosted zone in this field. It will take a form like Z090403712WK0R7BCGET5. Else, keep empty.

Domain Name

If you chose option 1 or 2 in the "DNS and Domain Registration" section above, this value must be a subdomain of the hosted zone's domain. This means that if your subdomain is "", valid values here would be of the form:


If you did not choose option 1 or 2 in the "DNS and Domain Registration" section above, your value here must be a subdomain of whatever domain you registered elsewhere.

Load Balancer Access Scheme

Set this value to "internet-facing" unless you have discussed an internal-only ALB access scheme with a GRAX engineer.

Load Balancer Ingress CIDR

This value controls what IP ranges can talk to the load balancer.

Set this value to unless you have strict requirements against it. This is usually only used with an "internal" access scheme. For general traffic filtering, see the WAF configuration options below.

Client-Side IPs

Several features of the GRAX application/service rely on user-client traffic directly talking to application endpoints. This means that the IPs of your end users must be able to reach the Load Balancer. If you have a limited network segment (VPN) which all of your users utilize for network access, you can add CIDR ranges here to allow them while removing "public" access. If blank, allows public access on several endpoints which are otherwise secured (token-based auth, etc).

This affects WAF regex patterns, not the ALB Security Group.

Configuration Encryption Base

Enter a new, secure, randomly generated string to serve as the base of an internal encryption key.

Database Password

Enter a new, secure, randomly generated user password for the GRAX DB.

Database KMS Key

If using BYOK KMS for RDS/DB, enter the ARN of your KMS key here.

S3 Bucket Name

If set, bucket will take the given name. If blank, name is based on the stack name and concatenated with a random string. Must be globally unique.

S3 KMS Key

If using BYOK KMS for S3, enter the ARN of your KMS key here.


Check the box at the bottom of the page to approve creation of custom-named IAM resources and click "Create Stack". Within 25 minutes your GRAX stack should be ready for connection.


The information necessary for connecting your GRAX app to storage is provided in the stack output. This consists of the URL of the GRAX web server, the bucket name, and the bucket region. Follow the standard GRAX connection documentation with these values to prepare your GRAX app.