Skip to main content

MTE Relay Server on AWS

Introduction

MTE Relay Server is an end-to-end encryption system that protects all network requests with next-generation application data security. It acts as a proxy server in front of your backend, communicating with an MTE Relay Client to encode and decode all network traffic. The server is highly customizable and supports integration with other services through custom adapters.

Below is a typical architecture where a client application communicates with an MTE Relay Server, which then proxies decoded traffic to backend services:

Typical Use Case


Prerequisites

Technical Requirements

  • A web or mobile application project that communicates with a backend API over HTTP.

Skills and Knowledge

  • Familiarity with ECS and/or EKS.
  • Experience with the AWS CLI.

Deployment Options

MTE Relay Server is provided as a Docker image and can be deployed on AWS ECS, AWS EKS, or manually using another container runtime.

1. Elastic Container Service (ECS)

Deployment Templates

Two CloudFormation templates are available:

  • Production template: Multiple instances, load balancing, and SSL configuration.
  • Demo template: Lightweight, development-oriented deployment.

Requirements

  • Git
  • AWS CLI
  • AWS permissions to launch resources

Deployment Steps

  1. Clone the GitHub repository:
    AWS CloudFormation Templates
  2. Choose between the demo or production template.
  3. Modify the parameters.json file with your configuration.
  4. Navigate to the respective template directory (demo or production).
  5. Run the deploy.sh create command to deploy, or the delete command to remove resources.

2. Elastic Kubernetes Service (EKS)

If kubectl is already configured for your EKS cluster:

Example Deployment File (deployment.yaml)

apiVersion: apps/v1
kind: Deployment
metadata:
name: aws-mte-relay-deployment
spec:
replicas: 1
selector:
matchLabels:
app: aws-mte-relay
template:
metadata:
labels:
app: aws-mte-relay
spec:
imagePullSecrets:
- name: awscrcreds
containers:
- name: aws-mte-relay
image: 709825985650.dkr.ecr.us-east-1.amazonaws.com/eclypses/mte-relay-server:4.4.8
ports:
- containerPort: 8080
env:
- name: CLIENT_ID_SECRET
value: <YOUR CLIENT ID SECRET HERE>
- name: CORS_ORIGINS
value: <YOUR CORS ORIGINS HERE>
- name: UPSTREAM
value: <UPSTREAM VALUE HERE>
- name: AWS_REGION
value: <AWS REGION HERE>
---
apiVersion: v1
kind: Service
metadata:
name: aws-mte-relay-service
spec:
type: LoadBalancer
selector:
app: aws-mte-relay
ports:
- protocol: TCP
port: 80
targetPort: 8080

Commands

kubectl apply -f deployment.yaml
kubectl get all
kubectl delete -f deployment.yaml

3. Docker Image

You can also run the image using Docker, Podman, K3s, or Docker Swarm.

Commands

aws ecr get-login-password --region us-east-1 \
| docker login --username AWS \
--password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com

docker pull 709825985650.dkr.ecr.us-east-1.amazonaws.com/eclypses/mte-relay-server:4.4.8

Refer to the Server Configuration section for required environment variables.


Server Configuration

MTE Relay Server is configured using environment variables.

Required Variables

  • UPSTREAM – Upstream API or service URL.
  • CORS_ORIGINS – Comma-separated list of allowed origins.
  • CLIENT_ID_SECRET – Secret for signing client IDs (minimum 32 characters).
  • AWS_REGION – AWS region where the server is deployed.
  • REDIS_URL (recommended for production) – Redis cluster for maintaining session pairs across load-balanced containers.

Optional Variables

  • PORT – Default: 8080.
  • LOG_LEVEL – One of trace, debug, info, warning, error, panic, off. Default: info.
  • PASS_THROUGH_ROUTES – Routes proxied without MTE encoding.
  • MTE_ROUTES – If set, only listed routes use encoding; others return 404.
  • CORS_METHODS – Default: GET, POST, PUT, DELETE.
  • HEADERS – Object of custom headers.

Minimal Example

UPSTREAM='https://api.my-company.com'
CLIENT_ID_SECRET='2DkV4DDabehO8cifDktdF9elKJL0CKrk'
CORS_ORIGINS='https://www.my-company.com,https://dashboard.my-company.com'

Full Example

UPSTREAM='https://api.my-company.com'
CLIENT_ID_SECRET='2DkV4DDabehO8cifDktdF9elKJL0CKrk'
CORS_ORIGINS='https://www.my-company.com,https://dashboard.my-company.com'
REDIS_URL='redis://10.0.1.230:6379'
PORT=3000
LOG_LEVEL=info
PASS_THROUGH_ROUTES='/health,/version'
MTE_ROUTES='/api/v1/*,/api/v2/*'
CORS_METHODS='GET,POST,DELETE'
HEADERS='{"x-service-name":"mte-relay"}'

Client-Side Setup

Eclypses provides client-side SDKs to integrate with MTE Relay Server:

Client-side integration typically requires less than one day of effort.


Testing & Health Checks

  • Monitor startup logs in CloudWatch. Successful logs include:

    • MTE instantiated successfully.
    • Server listening at http://[0.0.0.0]:8080
  • Test Echo route:

    curl 'https//<DOMAIN>/api/mte-echo?msg=test'
  • Expected response:

    {
    "echo": "test",
    "time": "<timestamp>"
    }

Monitoring

Amazon Managed Grafana

  1. Create a Grafana workspace in AWS.
  2. Add CloudWatch as a data source (IAM role auth recommended).
  3. Import the provided dashboard:

Dashboard Metrics

  • Requests Processed [req/sec]
  • Request Time [ms]
  • Upstream Proxy Time [ms]
  • Average Decode Time [ms]
  • Average Encode Time [ms]

Performance Metrics

Performance was measured with ~1 kb request/response payloads on a t2.micro (1 vCPU, 1 GB RAM):

ConcurrencyReq/Sec RelayReq/Sec APIRelay %Extra Latency (Median)
40092.69498.5%+10 ms
50017918397.8%+17 ms
55021522695.1%+45 ms
600225.7267.684.3%+202 ms

Note: At higher volumes (≥550 concurrent), scaling across multiple Relay instances is recommended.


Troubleshooting

  1. Invalid Configuration
    • Check logs for missing/invalid environment variables.
  2. Relay unreachable
    • Verify Security Groups and load balancer settings.
  3. Redis connection issues
    • Ensure Redis is in the same VPC and credentials are correct.

Enable debug logs with DEBUG=true.


Security

  • No sensitive data is stored in the container.
  • No root privileges required.

Costs

The service uses a usage-based cost per instance per hour.
Associated AWS services include:

AWS ServicePurpose
ECSContainer orchestration
ElastiCache (Redis)State/session management
CloudWatchLogging and monitoring
VPCNetworking isolation
Elastic Load BalancerScaling across Relay containers

Maintenance

Routine Updates

  • Updated container images are distributed through the AWS Marketplace.

Fault Recovery

  • Relaunch the Relay container task; clients will automatically re-pair.

Service Limits


Supported Regions

MTE Relay Server is supported in most AWS regions, except:

  • GovCloud
  • Middle East (Bahrain, UAE)
  • China

Support

For assistance, contact Eclypses Support:
📧 customer_support@eclypses.com
🕒 Monday–Friday, 8:00 AM–5:00 PM MST (excluding holidays)