← Back to Articles

The Technical Foundation: Building a Production-Ready Ollama Deployment on AWS

Tim Fraser, Cloud Operations Lead March 22, 2025

After my recent post exploring the challenges of data sovereignty in AI implementations, many of you expressed interest in the technical aspects of deploying private LLMs. Today, I'll outline the architectural considerations for a secure, production-grade Ollama deployment on AWS that's right-sized for SMEs and mid-sized organizations.

Why Ollama on AWS?

Ollama has emerged as a powerful tool for running open-source LLMs locally, but scaling it for mid-sized business use requires thoughtful architecture. AWS provides the ideal infrastructure foundation with:

  • Robust security controls aligned with compliance requirements
  • Flexible compute options for various model sizes and workloads
  • Auto-scaling capabilities for cost efficiency
  • Comprehensive monitoring and observability

The Reference Architecture

A production-ready Ollama deployment for SME requires several key components:

1. Compute Layer

Recommendation: EC2 with GPU Support
  • g4dn or g5 instances for optimal price/performance
  • Auto Scaling Groups for high availability
  • Spot Instances for non-critical workloads to reduce costs

For smaller models (7B parameters), you can run effectively on CPU instances, but larger models benefit significantly from GPU acceleration.

2. Network Security

Recommendation: Defense-in-Depth Approach
  • VPC with private subnets for model servers
  • Security groups limiting access to authorized services
  • Network ACLs for additional boundary protection
  • AWS PrivateLink for service connections without internet exposure

3. API Management

Recommendation: API Gateway + Lambda Authorizers
  • REST API with custom domain
  • Lambda authorizers for fine-grained access control
  • Request validation to prevent prompt injection
  • AWS WAF rules to protect against common attack patterns

4. Observability Stack

Recommendation: Right-Sized Monitoring
  • CloudWatch for basic metrics and logs
  • Amazon Managed Grafana for visualization
  • X-Ray for request tracing
  • Custom metrics for model performance tracking
  • Anomaly detection for security events

5. CI/CD Pipeline

Recommendation: Infrastructure as Code
  • AWS CDK or Terraform for infrastructure definition
  • CodePipeline for automated deployments
  • Automated security scanning with tools like cdk-nag
  • Blue/green deployments for zero-downtime updates

Security Considerations

When deploying LLMs in a production environment for mid-sized organizations, several security considerations require special attention:

Data Protection

  • Encrypt data at rest using KMS
  • Encrypt network traffic with TLS 1.3
  • Implement token-based authentication for API access
  • Configure proper IAM roles with least privilege

Prompt Injection Prevention

  • Implement input sanitization and validation
  • Create allowlists for acceptable prompt patterns
  • Monitor for anomalous requests
  • Maintain a blocklist of known malicious patterns

Model Supply Chain

  • Verify model checksums before deployment
  • Document model provenance and licensing
  • Implement immutable infrastructure for traceability
  • Use ECR with image scanning for container security

Cost Optimization Strategies

GPU resources can be expensive, so consider these optimization approaches particularly relevant for SMEs:

  • Right-size your instances - match model size to appropriate instance type
  • Implement auto-scaling - scale down during periods of low utilization
  • Use spot instances for development environments
  • Quantize models where appropriate to reduce resource requirements
  • Implement caching for common queries to reduce inference costs

Implementation Example: Infrastructure as Code

Here's a simplified example of how you might define this infrastructure using AWS CDK (TypeScript):

typescript
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import * as autoscaling from 'aws-cdk-lib/aws-autoscaling';


export class SecureOllamaStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);



// Create a VPC with private subnets
    const vpc = new ec2.Vpc(this, 'OllamaVPC', {
      maxAzs: 2,
      natGateways: 1,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'private',
          subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
        },
        {
          cidrMask: 24,
          name: 'public',
          subnetType: ec2.SubnetType.PUBLIC,
        }
      ]
    });



// Security group for Ollama instances
    const ollamaSG = new ec2.SecurityGroup(this, 'OllamaSG', {
      vpc,
      description: 'Security group for Ollama model servers',
      allowAllOutbound: true,
    });



// Only allow access from API Gateway
    ollamaSG.addIngressRule(
      ec2.Peer.ipv4('10.0.0.0/16'),
      ec2.Port.tcp(11434),
      'Allow access from within VPC only'
    );



// Auto Scaling Group for Ollama servers
    const ollamaASG = new autoscaling.AutoScalingGroup(this, 'OllamaASG', {
      vpc,
      instanceType: ec2.InstanceType.of(
        ec2.InstanceClass.G4DN,
        ec2.InstanceSize.XLARGE
      ),
      machineImage: ec2.MachineImage.latestAmazonLinux2(),
      minCapacity: 2,
      maxCapacity: 10,
      securityGroup: ollamaSG,
      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
    });



// Add user data script to set up Ollama
    ollamaASG.addUserData(
      'yum update -y',
      'yum install -y docker',
      'systemctl start docker',
      'systemctl enable docker',
      'docker pull ollama/ollama:latest',
      'docker run -d -p 11434:11434 --gpus all ollama/ollama:latest'
    );



// Rest of the infrastructure definition...
  }
}

This is just a starting point - a complete implementation would include the API Gateway, monitoring, and additional security controls.

Next Steps for Your Implementation

If you're a mid-sized organization considering implementing a secure Ollama deployment, I recommend:

  • Start with a proof-of-concept using the smallest viable model
  • Document your specific security and performance requirements
  • Create a reference architecture tailored to your organization's size and needs
  • Implement infrastructure as code from the beginning
  • Establish monitoring before deploying to production

What's Your Experience?

I'd love to hear from those of you who have worked with private LLM deployments in smaller organizations:

  • What models have you found most effective for your use cases?
  • What security controls have you implemented while working within SME resource constraints?
  • Have you encountered any surprising challenges in your implementations?

In the next post, I'll cover the DevSecOps pipeline for maintaining secure LLM infrastructure that's appropriately scaled for mid-sized businesses, including automated compliance checks and drift detection.

#AWSArchitecture #MachineLearning #AIInfrastructure #DataSecurity #DevOps #SME

Tags: AWSArchitectureMachineLearningAIInfrastructureDataSecurityDevOpsSME

← Back to Articles