This document walks you through deploying the Dynamiq GenAI Operating Platform into your own AWS VPC from an AWS Marketplace subscription.
It is aimed at DevOps engineers, SREs, software engineers, and data‑science practitioners who are comfortable with the AWS CLI and Kubernetes tooling.
Table of Contents
Prerequisites
AWS account with Administrator‑level access (or the specific permissions listed below).
Public or private domain name (e.g. example.com) that you control and are able to delegate to Route 53.
At least one VPC quota slot for a new EKS cluster (eksctl will create the VPC by default).
Service quotas for the EC2 instance families you plan to use (m5 for platform nodes, g5 for GPU nodes).
The acting IAM principal must be allowed to manage EKS, CloudFormation, IAM, RDS, Secrets Manager, S3, STS, and associated resources. For production we recommend deploying from a short‑lived CI user or assume‑role with the following AWS managed policies attached:
AmazonEKSClusterPolicy
AmazonEKSServicePolicy
AmazonEKSWorkerNodePolicy
AmazonEC2ContainerRegistryPowerUser
AmazonRDSFullAccess
AWSCloudFormationFullAccess
IAMFullAccess
SecretsManagerReadWrite
AmazonS3FullAccess
Subscribe on AWS Marketplace
Click Continue to Subscribe → Accept terms.
Wait until the subscription status shows Subscribed.
No additional Marketplace configuration is required; the Helm chart (deployed later) records usage automatically.
Set your environment variables
Edit only the three highlighted variables, then copy‑paste the whole block:
# ---------- BEGIN USER CONFIG -------------------
export AWS_DEFAULT_REGION="us-east-2" # <— Change to your preferred AWS region
export CLUSTER_NAME="dynamiq-demo" # <— Unique, lowercase, DNS‑compatible cluster name
export BASE_DOMAIN="example.com" # <— Root or sub‑domain you control
# ---------- END USER CONFIG ---------------------
export K8S_VERSION="1.31"
export AWS_PARTITION="aws"
export TEMPOUT="$(mktemp)"
export AWS_ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
export AMD_AMI_ID="$(aws ssm get-parameter --name /aws/service/eks/optimized-ami/${K8S_VERSION}/amazon-linux-2/recommended/image_id --query Parameter.Value --output text)"
export GPU_AMI_ID="$(aws ssm get-parameter --name /aws/service/eks/optimized-ami/${K8S_VERSION}/amazon-linux-2-gpu/recommended/image_id --query Parameter.Value --output text)"
**Tip **Add set -euo pipefail to abort on errors; all commands below are idempotent unless otherwise noted.
Create the prerequisite IAM roles
The CloudFormation template bundled with Dynamiq creates the minimal IAM roles and policies required by Karpenter and External Secrets.
Dynamiq stores structured metadata in PostgreSQL. A convenience CloudFormation stack provisions a single‐AZ db.t3.medium instance with encrypted storage.
Create A or CNAME records for the three hostnames (nexus, synapse, ui) in Route 53 pointing to the Load Balancer address shown in the ADDRESS column. Once DNS propagates you should be able to visit:
https://ui.${BASE_DOMAIN} — Dynamiq web console
https://nexus.${BASE_DOMAIN} — Dynamiq API gateway
https://synapse.${BASE_DOMAIN} — Vector store service
Login with the default admin / admin credentials and change the password immediately.
Cleanup (optional)
The following commands remove all resources created by this guide. Irreversible!
Enable HTTPS by attaching an AWS Certificate Manager (ACM) certificate to the ALB Ingress Controller or by terminating TLS at an external load balancer.
Adjust Karpenter NodePool limits to meet your workload demands.
Integrate with your observability stack (Dynatrace, Datadog, CloudWatch) using Helm --set overrides.