Deploying GoChain via AWS Marketplace
GoChain is available on the AWS Marketplace and can be deployed on your AWS account using a provided CloudFormation template that provisions the full platform infrastructure automatically.
Prerequisites:
- An AWS account with IAM permissions to create the following resource types: CloudFormation stacks, ECS clusters and services, RDS PostgreSQL instances, S3 buckets, Cognito user pools, Application Load Balancers, Secrets Manager secrets, and VPC resources (subnets, route tables, NAT Gateways, Internet Gateways)
- AWS Secrets Manager secrets created in advance for each service's database credentials — you will need the Secret ARN for each during stack creation, and all secrets must exist in the same AWS region as your stack
- The entitlement license ARN provided by AWS Marketplace after your subscription is accepted
1.1 Access the product listing
- Navigate to the GoChain listing on AWS Marketplace.
- Click Continue to Subscribe.
ℹ️ Note: The AWS Marketplace subscription must be completed before you attempt to launch the CloudFormation template. Launching the template directly without an active subscription will fail at stack creation time.
1.2 Accept terms and proceed to configuration
- Review the pricing and usage terms on the subscription page.
- Click Accept Terms.
- Wait for the subscription to be processed. This may take a few minutes. The page will update automatically when the subscription is active.
- Once the subscription is confirmed, click Continue to Configuration.
1.3 Confirm your linked AWS account
The configuration page shows which AWS account is linked for billing and resource creation. A confirmation banner reading "You successfully linked the account…" appears when the account is correctly connected.
If you need to use a different AWS account, click Link a different account before proceeding to the next step.
Step 2: Launch the CloudFormation Template
2.1 Select the CloudFormation deployment method
- On the configuration screen, confirm AWS CloudFormation is selected as the fulfillment option.
- Click Launch template next to
gochain-cloud-formation.
The AWS CloudFormation console opens with the GoChain template pre-loaded. The template is read-only and managed by GoLedger; you do not need to modify it.
2.2 Fill in required parameters
Provide the following values when the parameter form is displayed:
- Secret ARNs — one ARN per service (GoPaaS, GoFabric, GoBesu, GoInfra), each pointing to a secret in AWS Secrets Manager that holds the corresponding database credentials
- Entitlement license ARN — the ARN provided by AWS Marketplace after your subscription was accepted in Step 1
ℹ️ Note: All Secret ARNs must already exist in your AWS account in the same region as the stack you are about to create. Create them in AWS Secrets Manager before proceeding.
2.3 Complete the stack creation wizard
- Click Next through the stack configuration and options screens.
- On the final review screen, locate the Capabilities section and check the acknowledgement box to allow CloudFormation to create IAM roles on your behalf.
- Click Create stack.
2.4 Monitor deployment and confirm success
- Open the Events tab of the stack in the CloudFormation console to follow deployment progress in real time.
- Wait until the stack status changes to CREATE_COMPLETE. Depending on your region and account limits, this typically takes several minutes.
- Once the status is CREATE_COMPLETE, open the Outputs tab.
⚠️ Note: If the stack reaches
ROLLBACK_COMPLETEstatus, do not attempt to update or reuse it. Delete the failed stack, identify the root cause from the Events tab, resolve the underlying issue (for example, missing secrets or insufficient IAM permissions), then re-launch the template from Step 2.1.
Step 3: Access GoChain
In the Outputs tab of the completed stack, locate the output named GoChainALBDNSName
and copy its value. This is the DNS name of the Application Load Balancer and serves as the
public access point for the platform.
Use the following URLs to access GoChain:
| Interface | URL |
|---|---|
| Web UI | http://<GoChainALBDNSName> |
| API | http://<GoChainALBDNSName>:81 |
Open the web UI URL in a browser to confirm the GoChain interface loads correctly.
Architecture Overview
The CloudFormation template provisions a fully isolated, production-ready infrastructure on AWS. All platform services run inside a dedicated VPC with public and private subnets spread across two availability zones, following a standard three-tier architecture pattern with separation between public-facing load balancing, private compute, and private data layers.
| Component | AWS Resources Created | Purpose |
|---|---|---|
| Networking | VPC, 2 public subnets, 2 private subnets, NAT Gateways, Internet Gateway | Isolates platform services and routes external traffic securely |
| Compute | ECS Fargate cluster, 5 services (GoPaaS, GoFabric, GoBesu, GoInfra, Web) | Runs GoChain platform services without server management |
| Databases | 4 RDS PostgreSQL instances | Provides dedicated persistent storage for each platform service |
| Storage | S3 buckets (versioned) | Stores chaincode packages, Docker TLS certs, smart contracts, and keys |
| Authentication | Cognito User Pool with client | Manages user identities and authentication flows |
| Load Balancer & Observability | Application Load Balancer, CloudWatch Logs | Routes external traffic and centralises platform logs |
Networking
A dedicated VPC is created with DNS resolution enabled. Two public subnets and two private subnets are distributed across different availability zones for high availability. Services that require outbound internet access (for example, pulling container images) route traffic through NAT Gateways placed in the public subnets. The Application Load Balancer sits in the public subnets and forwards requests to ECS services running in the private subnets.
Compute
The platform runs as five ECS Fargate services within a shared cluster: GoPaaS (platform
gateway and UI backend), GoFabric (Hyperledger Fabric orchestrator), GoBesu
(Hyperledger Besu orchestrator), GoInfra (infrastructure provisioner), and Web
(frontend interface). Service-to-service communication is handled via AWS Cloud Map under the
namespace gochain.local, allowing services to reach each other by name without hardcoded
addresses.
Databases
Each of the four main platform services has a dedicated RDS PostgreSQL instance: one for GoPaaS, one for GoFabric, one for GoBesu, and one for GoInfra. All instances are placed in private subnets and access is restricted by dedicated security groups. Database passwords are managed through AWS Secrets Manager and injected into the ECS tasks at runtime.
Storage
Amazon S3 buckets with versioning enabled store binary artifacts used by the platform: chaincode packages (GoFabric), Docker TLS certificates (GoInfra), Hyperledger Besu smart contract binaries (GoBesu), and cryptographic keys. Versioning ensures that previous artifact versions can be recovered if needed.
Authentication
A Cognito User Pool handles user registration and authentication for the GoChain web interface. The pool is configured with standard authentication flows including username and password login and refresh token support.
Load Balancer and Observability
The Application Load Balancer exposes two listeners: port 80 routes requests to the GoChain web interface, and port 81 routes requests to the GoChain API. Each ECS service has a dedicated target group with health checks configured. All services write structured logs to Amazon CloudWatch Logs, providing a single location for monitoring and troubleshooting across the entire platform.
Next Steps
- GoFabric Introduction — Learn how to orchestrate Hyperledger Fabric networks using GoChain
- GoBesu Introduction — Learn how to orchestrate Hyperledger Besu networks using GoChain
- Infrastructure Guide — Set up infrastructure providers within the platform