AWS ECS Fargate
ECS Fargate runs your MCP as a long-running container behind an Application Load Balancer (ALB). Best for AWS-first stacks that want a standard always-on service rather than a managed agent runtime. This is the same shape Sema4.ai uses to host its own MCP Gallery.
Container
Build a standard Linux image (the same Dockerfile shape as the Cloud Run page) listening on port 8080, and push it to Amazon ECR:
aws ecr create-repository --repository-name mcp-my-service
docker build -t mcp-my-service .
docker tag mcp-my-service:latest <acct>.dkr.ecr.<region>.amazonaws.com/mcp-my-service:latest
docker push <acct>.dkr.ecr.<region>.amazonaws.com/mcp-my-service:latest
Deploy
The overall flow:
- Create a task definition referencing the ECR image, container port 8080, and a health check (for example curl -f http://localhost:8080/healthz).
- Create an ECS service on Fargate from that task definition (private subnets recommended).
- Front the service with an ALB whose target group forwards to port 8080, with the health check pointing at your MCP's health path.
For the end-to-end console walkthrough, follow AWS's tutorial: Creating an Amazon ECS Linux task for Fargate.
Enable session affinity on the ALB target group. MCP streamable-HTTP sessions are stateful, so every request in a session must reach the same task; without stickiness, a request routed to a different task will not find its session. Turn on stickiness at the target group level — see Sticky sessions for your Application Load Balancer.
Secrets
Store credentials in AWS Secrets Manager and reference them as secrets in the task definition. ECS injects them as environment variables, which your MCP reads as usual. (The task execution role needs permission to read those secrets.)
Register with an agent
Use the ALB's DNS name (or a custom domain in front of it) and register https://<alb-domain>/mcp on your agent. Make sure the Sema4.ai platform has network line of sight to that URL — with an internal ALB, the platform's network must be able to route to it (same VPC, peering, or PrivateLink).
Tips
- CloudWatch Logs — configure the awslogs log driver on the task definition to capture container stdout.
- VPC access — running in private subnets lets the MCP reach internal resources (databases, warehouses) directly; add a NAT gateway or VPC endpoints for any outbound calls.
- Pin the image tag rather than using :latest, so deployments are deliberate and reproducible.