Skip to main content

Post-Deployment Configuration

After successfully deploying AxonFlow via CloudFormation, complete these configuration steps to get your system production-ready.

1. Verify Health Status

Run through this verification checklist to confirm all components are operational before proceeding.

Verification Checklist

CheckCommandExpected Result
Agent healthcurl -sf http://YOUR_AGENT_HOST:8080/health{"status":"healthy"}
Orchestrator healthcurl -sf http://YOUR_ORCHESTRATOR_HOST:8081/health{"status":"healthy"}
Database connectivityAgent health includes "database":"connected"connected
Agent-to-OrchestratorAgent health includes "orchestrator":"reachable"reachable
License validcurl -sf http://YOUR_AGENT_HOST:8080/health | jq .license.validtrue

Agent Health Check (port 8080)

AGENT_ENDPOINT="https://YOUR_AGENT_ENDPOINT"
curl -k ${AGENT_ENDPOINT}/health

Expected Response:

{
  "status": "healthy",
  "version": "4.2.0",
  "components": {
    "database": "connected",
    "orchestrator": "reachable"
  },
  "license": {
    "tier": "enterprise",
    "valid": true
  },
  "timestamp": "2026-02-06T10:30:45Z"
}

Orchestrator Health Check (port 8081)

ORCHESTRATOR_ENDPOINT="https://YOUR_ORCHESTRATOR_ENDPOINT"
curl -k ${ORCHESTRATOR_ENDPOINT}:8081/health

Expected Response:

{
  "status": "healthy",
  "version": "4.2.0",
  "components": {
    "database": "connected",
    "llm_provider": "configured"
  }
}

Troubleshooting Health Check

If "database": "disconnected":

  • Verify RDS security group allows inbound 5432 from Agent security group
  • Check database endpoint in environment variables
  • Test database connectivity: psql -h DB_ENDPOINT -U axonflow -d axonflow

If "orchestrator": "unreachable":

  • Verify Orchestrator service is running: aws ecs describe-services ...
  • Check security group allows Agent to reach Orchestrator (port 8081)
  • Review Orchestrator logs in CloudWatch

2. Configure MCP Connectors

AxonFlow uses Model Context Protocol (MCP) v0.2 for permission-aware data access.

Available Connectors

  • Amadeus GDS: Travel booking integration
  • Redis: Cache and session management
  • PostgreSQL: Database access
  • HTTP REST: Generic API integration

Creating a Connector

Example: Configure Redis Connector

curl -X POST ${AGENT_ENDPOINT}/api/v1/connectors \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "name": "production-redis",
    "type": "redis",
    "config": {
      "host": "redis.internal.company.com",
      "port": 6379,
      "db": 0,
      "password": "stored-in-secrets-manager",
      "tls": true
    },
    "permissions": {
      "read": ["cache:*", "session:*"],
      "write": ["cache:*"]
    }
  }'

Response:

{
  "id": "conn_abc123",
  "name": "production-redis",
  "type": "redis",
  "status": "active",
  "created_at": "2025-10-23T10:35:12Z"
}

Test Connector

curl -X GET ${AGENT_ENDPOINT}/api/v1/connectors/conn_abc123/test \
  -H "Authorization: Bearer YOUR_API_KEY"

For detailed connector configuration, see MCP Connectors.

3. Set Up Policy-as-Code

AxonFlow uses declarative policies for governance.

Create Policy Repository

mkdir axonflow-policies
cd axonflow-policies
git init

# Create directory structure
mkdir -p policies/{access-control,rate-limiting,data-permissions}

Example: Rate Limiting Policy

File: policies/rate-limiting/per-user.yaml

apiVersion: axonflow.io/v1
kind: Policy
metadata:
  name: rate-limit-per-user
  description: Limit each user to 100 requests per minute
spec:
  type: rate-limit
  priority: 100
  rules:
    - limit: 100
      window: 60s
      scope: user
      action: block
      message: "Rate limit exceeded. Please try again later."

Deploy Policy

curl -X POST ${AGENT_ENDPOINT}/api/v1/policies \
  -H "Content-Type: application/yaml" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-binary @policies/rate-limiting/per-user.yaml

Commit Policies to Git

git add .
git commit -m "Initial policy configuration"
git push origin main

For detailed policy syntax, see Policy-as-Code.

4. Integrate with LLM Provider

AxonFlow is LLM-provider agnostic. Configure your preferred provider:

Option A: AWS Bedrock

Step 1: Create IAM Role

# Create trust policy
cat > bedrock-trust-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "ecs-tasks.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }]
}
EOF

# Create role
aws iam create-role \
  --role-name AxonFlowBedrockRole \
  --assume-role-policy-document file://bedrock-trust-policy.json

# Attach Bedrock permissions
aws iam attach-role-policy \
  --role-name AxonFlowBedrockRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonBedrockFullAccess

Step 2: Update ECS Task Definition

Add IAM role to Agent task definition (via CloudFormation update or AWS console).

Step 3: Configure AxonFlow

curl -X POST ${AGENT_ENDPOINT}/api/v1/config/llm \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "provider": "bedrock",
    "region": "us-east-1",
    "model": "anthropic.claude-v2",
    "max_tokens": 4096
  }'

Option B: OpenAI / Anthropic

Step 1: Store API Key in Secrets Manager

aws secretsmanager create-secret \
  --name axonflow-openai-key \
  --secret-string "sk-..." \
  --region us-east-1

Step 2: Grant ECS Task Access

Update task execution role to allow secretsmanager:GetSecretValue for the secret.

Step 3: Configure AxonFlow

curl -X POST ${AGENT_ENDPOINT}/api/v1/config/llm \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "provider": "openai",
    "api_key_secret": "axonflow-openai-key",
    "model": "gpt-4",
    "max_tokens": 4096
  }'

5. Set Up Monitoring

Create CloudWatch Dashboard

Dashboard JSON:

{
  "widgets": [
    {
      "type": "metric",
      "properties": {
        "metrics": [
          ["AxonFlow", "agent_policy_latency_p95"]
        ],
        "period": 60,
        "stat": "Average",
        "region": "us-east-1",
        "title": "Policy Evaluation Latency (P95)"
      }
    },
    {
      "type": "metric",
      "properties": {
        "metrics": [
          ["AxonFlow", "agent_requests_per_second"]
        ],
        "period": 60,
        "stat": "Sum",
        "region": "us-east-1",
        "title": "Request Throughput"
      }
    }
  ]
}

Create Dashboard:

aws cloudwatch put-dashboard \
  --dashboard-name AxonFlow-Production \
  --dashboard-body file://dashboard.json

Configure Alarms

P95 Latency Alarm (alert if >10ms):

aws cloudwatch put-metric-alarm \
  --alarm-name axonflow-agent-p95-latency \
  --alarm-description "Alert if P95 latency exceeds 10ms" \
  --metric-name agent_policy_latency_p95 \
  --namespace AxonFlow \
  --statistic Average \
  --period 60 \
  --evaluation-periods 2 \
  --threshold 10 \
  --comparison-operator GreaterThanThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:axonflow-alerts

High Error Rate Alarm:

aws cloudwatch put-metric-alarm \
  --alarm-name axonflow-high-error-rate \
  --alarm-description "Alert if error rate >1%" \
  --metric-name agent_error_rate \
  --namespace AxonFlow \
  --statistic Average \
  --period 300 \
  --evaluation-periods 2 \
  --threshold 1 \
  --comparison-operator GreaterThanThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:axonflow-alerts

For detailed monitoring setup, see CloudWatch Monitoring.

6. Configure Secrets Management

Best Practices

  1. Store all credentials in AWS Secrets Manager
  2. Rotate secrets regularly (monthly recommended)
  3. Use IAM roles instead of API keys where possible
  4. Enable secret versioning for rollback capability

Example: Store Database Credentials

aws secretsmanager create-secret \
  --name axonflow/production/database \
  --secret-string '{
    "username": "axonflow",
    "password": "YOUR_SECURE_PASSWORD",
    "engine": "postgres",
    "host": "axonflow-prod-db.abc123.us-east-1.rds.amazonaws.com",
    "port": 5432,
    "dbname": "axonflow"
  }' \
  --region us-east-1

Enable Automatic Rotation

aws secretsmanager rotate-secret \
  --secret-id axonflow/production/database \
  --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRotation \
  --rotation-rules AutomaticallyAfterDays=30

7. Network Configuration

Configure VPC Endpoints (Optional)

For enhanced security and performance, create VPC endpoints:

Secrets Manager Endpoint:

aws ec2 create-vpc-endpoint \
  --vpc-id vpc-abc123 \
  --service-name com.amazonaws.us-east-1.secretsmanager \
  --route-table-ids rtb-xyz789 \
  --subnet-ids subnet-private1 subnet-private2

CloudWatch Logs Endpoint:

aws ec2 create-vpc-endpoint \
  --vpc-id vpc-abc123 \
  --service-name com.amazonaws.us-east-1.logs \
  --route-table-ids rtb-xyz789 \
  --subnet-ids subnet-private1 subnet-private2

Benefits:

  • No data transfer to internet
  • Lower latency
  • Reduced NAT Gateway costs

8. Security Hardening

TLS Configuration

Ensure all external-facing endpoints use TLS:

# Verify TLS is active on the ALB
aws elbv2 describe-listeners \
  --load-balancer-arn YOUR_ALB_ARN \
  --query 'Listeners[].{Port:Port,Protocol:Protocol,Cert:Certificates[0].CertificateArn}'

# If using self-signed certs for internal traffic, set in Agent env:
# AXONFLOW_TLS_CERT_FILE=/etc/axonflow/tls.crt
# AXONFLOW_TLS_KEY_FILE=/etc/axonflow/tls.key

Recommendation: Use AWS Certificate Manager (ACM) for ALB certificates and rotate them automatically.

Secrets Rotation

Rotate all secrets on a regular schedule:

SecretRotation IntervalMethod
Database password30 daysSecrets Manager auto-rotation
LLM API keys90 daysManual update in Secrets Manager
License keyOn renewalCloudFormation parameter update
Client secrets90 daysSecrets Manager auto-rotation

Network Policies

Restrict traffic between services to the minimum required paths:

SourceDestinationPortProtocol
ALBAgent8080HTTPS
AgentOrchestrator8081HTTPS
AgentRDS5432TLS
OrchestratorRDS5432TLS
Agent/OrchestratorSecrets Manager443HTTPS (VPC endpoint)
Agent/OrchestratorCloudWatch443HTTPS (VPC endpoint)

Deny all other inbound traffic by default in your security groups.

Enable CloudTrail Logging

aws cloudtrail create-trail \
  --name axonflow-audit \
  --s3-bucket-name company-cloudtrail-logs \
  --is-multi-region-trail \
  --enable-log-file-validation

Enable VPC Flow Logs

aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-abc123 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/axonflow-production

Configure Security Hub

aws securityhub enable-security-hub
aws securityhub batch-enable-standards \
  --standards-subscription-requests StandardsArn=arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0

9. Backup Configuration

Automated RDS Backups

Backups are enabled by default:

  • Retention: 7 days
  • Backup Window: 03:00-04:00 UTC
  • Restore: Use AWS RDS console

Manual Snapshot

Create manual snapshot before major changes:

aws rds create-db-snapshot \
  --db-instance-identifier axonflow-prod-db \
  --db-snapshot-identifier axonflow-pre-upgrade-$(date +%Y%m%d)

Export Policies

Backup policies regularly:

curl ${AGENT_ENDPOINT}/api/v1/policies \
  -H "Authorization: Bearer YOUR_API_KEY" \
  > policies-backup-$(date +%Y%m%d).json

# Commit to git
git add policies-backup-$(date +%Y%m%d).json
git commit -m "Backup policies $(date +%Y-%m-%d)"
git push

10. Configuration Tuning

Fine-tune AxonFlow behavior using these key environment variables:

Agent Configuration (port 8080)

Environment VariableDefaultDescription
AXONFLOW_LICENSE_KEY(required)License key (V2 format recommended)
AXONFLOW_ENDPOINThttp://localhost:8080Agent listen address
AXONFLOW_ORCHESTRATOR_URLhttp://orchestrator:8081Orchestrator endpoint
AXONFLOW_DB_MAX_OPEN_CONNS25Max open database connections
AXONFLOW_DB_MAX_IDLE_CONNS10Max idle database connections
AXONFLOW_LOG_LEVELinfoLog level (debug, info, warn, error)
AXONFLOW_POLICY_CACHE_TTL60sPolicy evaluation cache TTL
AXONFLOW_REQUEST_TIMEOUT30sMaximum request processing time

Orchestrator Configuration (port 8081)

Environment VariableDefaultDescription
AXONFLOW_LLM_PROVIDER(required)LLM provider (openai, bedrock, ollama)
AXONFLOW_LLM_MODELProvider defaultDefault model ID
AXONFLOW_LLM_MAX_TOKENS4096Max tokens per LLM response
AXONFLOW_LLM_TIMEOUT60sLLM provider request timeout
AXONFLOW_WCP_ENABLEDfalseEnable Workflow Completion Protocol tracking
AXONFLOW_PII_DETECTIONtrueEnable PII detection in requests

Tuning Recommendations

  • High-throughput deployments: Increase AXONFLOW_DB_MAX_OPEN_CONNS to 50 and use a PgBouncer sidecar.
  • Debugging: Temporarily set AXONFLOW_LOG_LEVEL=debug -- revert to info for production.
  • Latency-sensitive workloads: Lower AXONFLOW_POLICY_CACHE_TTL only if policies change frequently; longer TTLs reduce database load.

11. Production Checklist

Before going to production, verify:

  • Health check returns "healthy"
  • At least one MCP connector configured and tested
  • Policy-as-code repository created and deployed
  • LLM provider configured
  • CloudWatch dashboard created
  • CloudWatch alarms configured
  • SNS topic for alerts configured
  • Secrets stored in Secrets Manager
  • VPC endpoints created (optional)
  • CloudTrail logging enabled
  • VPC Flow Logs enabled
  • Manual RDS snapshot created
  • Policy backup in git
  • Documentation updated with endpoints
  • Team trained on operations
  • Incident response plan documented

Next Steps

  1. Configure MCP Connectors
  2. Create Policies
  3. Set Up Monitoring
  4. Troubleshooting
Last updated on