Teradata MCP Server on AWS EC2

October 15, 2025 · View on GitHub

Goal: spin up the Teradata MCP Server on a small EC2 instance so you can connect it using Claude Desktop or your prefered desktop application over HTTP.
DO NOT USE AS IS FOR PRODUCTION DEPLOYMENT

1) EC2 sizing & OS

You can run the Teradata MCP server on a relatively small instance using a Linux OS.

SizevCPURAMWhy
t3a.medium (recommended)24 GiBGreat cost/perf for small teams (≈5–15 users).
t3a.large28 GiBIf you want to co-locate heavier front-end applications (eg. Flowwise, n8n, your chat bots...).
t4g.medium (ARM)24 GiBCheaper/faster if all deps are arm64; otherwise stick to x86 if unsure / planning to experiment.
  • AMI: Amazon Linux 2023 (or Ubuntu 22.04).
  • Storage: 30 GiB gp3 EBS. (default)
  • Network: (default)

2) Open the port & bind correctly

You will need to allow inbound traffic using ssh to configure your system and TCP for the end-users

  • In the AWS Console, select your instance > Security > Security Group > Edit inbound rules:
    • Inbound: TCP, type SSH, port 22 (default),
    • Inbound: TCP, type Custom TCP, port 8001 (source = your end user IP list/range).

3) Software Install

Install uv to install the MCP server

# On Amazon Linux
sudo dnf update -y
curl -LsSf https://astral.sh/uv/install.sh | sh

Install the MCP server

uv tool install teradata-mcp-server

4) Configure the server

You can create a configuration file to store your server settings:

cat > .env <<'EOF'
# --- Required: DB connection ---
DATABASE_URI=teradata://<USER>:<PASS>@<HOST>:1025/<DB_OR_USER>

# --- Server (Streamable HTTP) ---
MCP_TRANSPORT=streamable-http
MCP_HOST=0.0.0.0
MCP_PORT=8001

EOF

Edit the database connection string as with the Teradata system and user credentials for the MCP server.

5) Run the server

You may now run the server as a background process:

nohup teradata-mcp-server > mcp.log &

After a few seconds, validate that the server is started: tail -50 mcp.log

6) Test the server connectivity

You can test the connectivity to the server from your clients servers/workstations with curl: curl -I http://<EC2_PUBLIC_IP>:8001/mcp.

If your MCP service is reachable, you should see this type of output:

HTTP/1.1 307 Temporary Redirect
date: Tue, 14 Oct 2025 15:39:58 GMT
server: uvicorn
...

If this returns a Failed to connect to ...: Connection refused, it is likely an issue in your network configuration.

7) Configure the clients

For Visual Studio Code, follow the usual http setup instructions.

For Claude desktop, you can use mcp-remote connect to your server.

{
  "mcpServers": {
    "teradata_mcp_remote_aws": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "http://<EC2_PUBLIC_IP>:8001/mcp/",
        "--allow-http"
      ]
    }
  }
}

8) Configure HTTPS with Caddy

If you are planning to expose the service over the public internet, you need to secure your MCP server communication with HTTPS.

In this example, we will use Caddy as a reverse proxy, alternatively, you may use ngix.

like and a free domain from DuckDNS. This guide reflects a working setup.

Prerequisites: Domain ownership and DNS

When you enable HTTPS using Let’s Encrypt (which Caddy does automatically), the certificate authority needs to verify that you control the domain name in the URL.

You also need to setup your DNS to resolve to the IP of the instance deployed above.

If you just want to want to quickly test the process, you may use a free dns service such as https://www.duckDNS.org/. So you can create a new subdomain (e.g., my-mcp-server.duckdns.org) and point to your cloud instance's public IP address.

1. Allow HTTPS inbound traffic

Add a security rule to your EC2 security group to allow inbound traffic on port 443 (HTTPS).

In the AWS Console, select your instance > Security>Security Group > Edit inbound rules > Add rule:

Type=HTTPS; port 443 (default); source = Anywhere-IPv4 (0.0.0.0/0).

2. Install Caddy

The process below downloads and installs the static Caddy binary. You can also check on the instal page if Caddy is distributed with your distribution's package manager.

curl -fsSL "https://github.com/caddyserver/caddy/releases/download/v2.6.4/caddy_2.6.4_linux_amd64_static" -o caddy
sudo mv caddy /usr/local/bin/caddy
sudo chmod +x /usr/local/bin/caddy

3. Setup Caddy user, directories, and configuration

Create a dedicated user and directories for Caddy:

sudo useradd --system --home /var/lib/caddy --shell /usr/sbin/nologin caddy
sudo mkdir -p /etc/caddy /var/lib/caddy /var/log/caddy
sudo chown -R caddy:caddy /etc/caddy /var/lib/caddy /var/log/caddy

Create the Caddyfile configuration file at /etc/caddy/Caddyfile with the following content:

mcp.your-domain.org {
    encode gzip
    reverse_proxy 127.0.0.1:8001
}

Replace mcp.your-domain.org with your actual DNS domain (eg. my-mcp-server.duckdns.org).

4. Create and enable the Caddy systemd service

Create /etc/systemd/system/caddy.service with the following content:

[Unit]
Description=Caddy web server
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
Restart=on-failure
LimitNOFILE=1048576

[Install]
WantedBy=multi-user.target

Reload systemd and start Caddy:

sudo systemctl daemon-reload
sudo systemctl enable --now caddy

5. Verify HTTPS and update your client configuration

Confirm that https://mcp.your-domain.org/mcp loads successfully with a valid TLS certificate:

just pasting the address in a browser should return a JSON RPC error.

Claude Desktop config:

You can simply create a new custom connector with the HTTPS URL: Settings>Connectors>Add Custom Connector, give it a name and your https URL, that's it! You may have to restart Claude Desktop for the change to take effect.

If you have enabled basic authentication and setup a database proxy user (eg. https://mcp.your-domain.org/mcp/), you may pass the database user credentials in the header.

For this head to the Settings>Developer section and update your claude_desktop_config.json configuration

{
  "mcpServers": {
    "teradata_mcp_remote_aws": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://your-domain.com/mcp/",
        "--header",
        "Authorization: Basic ${AUTH_TOKEN}",
        "--allow-http"
      ],
      "env": {
        "AUTH_TOKEN": "<YOUR_DB_USER:PASSWORD_u64>" 
      }
    }
  }
}

6. Close port 8001 publicly

Once HTTPS is working, update your AWS security group to close port 8001 from public access to improve security.

Troubleshooting tip

DNS changes can take some time to propagate. If HTTPS does not work immediately, wait a few minutes and retry. Also, Let's Encrypt (used by Caddy) may need a short time to issue certificates on first run. Check Caddy logs with:

sudo journalctl -u caddy -f