Overview
Safium is a production-ready LLM Gateway that provides a unified OpenAI-compatible API to 100+ AI providers including OpenAI, Anthropic, Google Gemini, AWS Bedrock, and Azure OpenAI. Deploy it in your VPC to centralize AI access, control costs, and ensure security compliance. The gateway automatically translates requests and responses across providers, enabling you to switch models without code changes and avoid vendor lock-in. Built for enterprise requirements, Safium includes SSO integration (Google, Microsoft, OIDC), role-based access control, team and user-level budgets, rate limiting, and comprehensive audit trails. The modern admin dashboard provides real-time usage analytics, spend tracking, and API key management. Intelligent load balancing and automatic fallbacks ensure high availability, while Redis caching and request retry logic optimize performance. This AWS Marketplace offering deploys Safium on ECS Fargate with Application Load Balancer, Multi-AZ RDS PostgreSQL, ElastiCache Redis, and CloudWatch monitoring. The containerized architecture ensures scalability and reliability while keeping your data and API keys under your control. Prometheus metrics export enables integration with existing observability stacks. Perfect for organizations implementing multi-provider AI strategies, requiring cost optimization through intelligent routing, or needing governance and compliance controls for LLM usage. Get started in minutes by deploying from AWS Marketplace, configuring your provider API keys, setting up SSO, creating teams with budgets, and making requests through the unified API. MIT licensed with comprehensive documentation and enterprise support available.
Highlights
- Unified OpenAI-compatible API for 100+ LLM providers - avoid vendor lock-in and switch models without code changes
- security with SSO, RBAC, team budgets, rate limiting, and comprehensive audit trails for compliance
- Production-ready deployment on ECS Fargate with intelligent load balancing, automatic fallbacks, and CloudWatch monitoring
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
- Monthly subscription
- $0.001/month
Vendor refund policy
This product is provided under MIT License as a self-hosted container. AWS infrastructure costs are billed separately by AWS. If you experience technical issues within 30 days of purchase, contact our support team. If we cannot resolve deployment or functionality issues, you may request a refund through AWS Marketplace support. Third-party LLM provider costs (OpenAI, Anthropic, etc.) are not covered by this policy.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Safium LLM Gateway - Production Container Image
- Amazon ECS
Container image
Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.
Version release notes
SAFIUM v2.1.1 - RELEASE NOTES Release date: July 12, 2026 Type: Minor release - CloudFormation/deployment update plus an application-image fix (Admin UI startup).
v2.1.1 hardens the AWS Marketplace CloudFormation template's security posture, adds new deployment options (right-sized compute, optional Redis, in-transit encryption toggles), brings the usage instructions into full alignment with what the template provisions, and ships a new application image (cambium/safium:v2.1.1) that fixes an Admin UI startup issue. It is the first published build of the 2.1 line (it supersedes an internal v2.1.0 pre-release).
SECURITY HARDENING
- Auto-generated credentials (no static passwords): the database and admin-UI passwords are no longer deploy-time parameters. The stack generates a random password per deployment via AWS Secrets Manager, so no password is entered, defaulted, or stored in the template. Retrieve the admin password from the --ui-credentials secret and change it on first login.
- RDS SSL/TLS enforced (rds.force_ssl=1; sslmode=require) - non-TLS connections are rejected.
- Redis in-transit encryption (TLS) on by default (new RedisInTransitEncryption parameter; the app connects over rediss://).
- ALB drops invalid HTTP headers.
- Least-privilege / correctness fixes: corrected the ECR image-pull IAM permission; removed unused resources and a dead condition; added deploy-time validation rules (SSL certificate and custom domain must be supplied together; Redis auto-failover requires 2+ nodes).
- Private AWS-service access: added VPC endpoints for Secrets Manager (interface) and S3 (gateway).
APPLICATION FIX (new image v2.1.1)
- Admin UI (/ui) is reliably available immediately after deploy. The dashboard's static files are now mounted once in the Gunicorn master before workers fork (--preload), eliminating a startup race that could intermittently return 404 for /ui until workers recycled.
- UI-mount failures now log a full traceback instead of failing silently.
NEW DEPLOYMENT OPTIONS
- TaskSize: small (default, 1 vCPU / 2 GB) / medium (2 / 4) / large (4 / 8), supplied as a matched CPU+memory pair so an invalid Fargate combination cannot be selected.
- EnableRedis (default true): the Redis cache is now optional; disabling it saves cost for small single-instance deployments (rate limits and budgets then become per-instance rather than global).
- RedisInTransitEncryption (default true).
- CloudFrontPrefixListId (default pl-3b927c52 for us-east-1): replaces a hardcoded region map.
- Explicit required inputs: EnvironmentName, TagClient, and DBInstanceClass no longer carry defaults.
- Constrained/validated values: engine locked to postgres; PostgreSQL 17; Redis port fixed at 6379; LogRetentionDays default 14; container image locked to the published version.
NETWORKING & WAF
- CloudFront-scoped WAF remains the default (auto-created for us-east-1 deployments). The usage instructions include step-by-step guidance for bringing your own us-east-1 WAF when deploying in another region.
UPGRADING FROM v2.0.2 (existing stacks)
- Task size defaults to small; set TaskSize=large to keep the previous 4 vCPU / 8 GB compute.
- Enforcing SSL attaches a DB parameter group, which triggers a brief RDS reboot during the update.
- Redis moves to TLS (rediss://) unless you set RedisInTransitEncryption=false.
- The DBPassword / UIPassword parameters are removed; passwords rotate to auto-generated values in Secrets Manager. Retrieve the new admin password from the --ui-credentials secret after updating.
COMPATIBILITY
- Container image: cambium/safium:v2.1.1
- Region: us-east-1 recommended (required for the auto-created CloudFront WAF; other regions are supported with a customer-supplied us-east-1 WAF ARN).
- AWS services: ECS Fargate, RDS (PostgreSQL 17), ElastiCache Redis (optional), CloudFront, ALB, Secrets Manager, WAF, CloudWatch.
Additional details
Usage instructions
SAFIUM LLM GATEWAY - QUICK START
- DEPLOY
AWS Marketplace > "Safium AI" > Subscribe > Accept Terms > Continue to Configuration > pick region (us-east-1 recommended) > Continue to Launch > Download CloudFormation Template. CloudFormation console > Create stack > Upload template > set parameters > acknowledge IAM > Submit. Wait ~15-20 min for CREATE_COMPLETE.
Required parameters (no defaults):
- Stack name (e.g. safium-production)
- EnvironmentName: lowercase letters/numbers (e.g. prod)
- TagClient: your org name (cost tag)
- DBInstanceClass: RDS size (e.g. db.t4g.small)
Passwords are NOT entered - the stack auto-generates the DB and admin passwords (random per deployment). After deploy, get the admin password from Secrets Manager ([Identifier]-[EnvironmentName]-ui-credentials) and change it on first login.
Useful optional parameters:
- Identifier: name prefix (default safium; lowercase, 2-12 chars)
- UIUsername: admin dashboard username (default admin)
- TaskSize: small (default 1vCPU/2GB) | medium (2/4) | large (4/8)
- EnableRedis: true (default) | false to skip the cache
- CloudFrontPrefixListId: defaults to us-east-1 (pl-3b927c52); change only for other regions
- WAFWebACLArn, SSLCertificateArnCloudfront, CustomDomainName, AlarmEmail
WAF / REGION: In us-east-1, leave WAFWebACLArn empty and the stack auto-creates the CloudFront WAF. In any other region you MUST create a CloudFront-scoped WAF in us-east-1 first and paste its ARN into WAFWebACLArn (leaving it empty outside us-east-1 makes the stack roll back).
- ACCESS
URL: CloudFormation > Outputs > ApplicationURL (e.g. https://d1234abcd.cloudfront.net ). Log in with UIUsername (default admin) and the auto-generated password from Secrets Manager ([Identifier]-[EnvironmentName]-ui-credentials), then change it in Profile > Change Password. Add providers under Models; create API keys under Keys (shown once, start with sk-).
API call:
curl <ApplicationURL>/v1/chat/completions -H "Authorization: Bearer YOUR_API_KEY"
-H "Content-Type: application/json"
-d '{"model":"gpt-4","messages":[{"role":"user","content":"Hello"}]}'
Health: <ApplicationURL>/health/liveness and /health/readiness
- INFRASTRUCTURE
VPC across 2 AZs, internal ALB behind CloudFront, ECS Fargate, RDS PostgreSQL 17, optional Redis, Secrets Manager, CloudWatch. Traffic: Internet > CloudFront > ALB > ECS > RDS/Redis.
- SECURITY
Credentials in Secrets Manager; UI/API keys hashed or encrypted in PostgreSQL. RDS encrypted at rest and SSL enforced in transit; Redis encrypted at rest, TLS in transit by default. Internal ALB accepts traffic only from CloudFront (prefix list + secret header).
- COSTS (us-east-1, defaults)
~$145/mo: ECS ~$36, NAT ~$35, RDS ~$25, ALB ~$23, Redis ~$12, CloudFront ~$10, Logs ~$5. Plus LLM API usage. Larger TaskSize costs more; disabling Redis saves ~$12.
- OPERATIONS
Backups: RDS daily automated (7-day retention) + point-in-time recovery. Rotate: DB password via Secrets Manager (restart ECS after); API keys via dashboard. Upgrade: CloudFormation > Update > Replace template (data preserved; set TaskSize=large to keep 4vCPU/8GB). Delete: CloudFormation > Delete stack (database data is permanently deleted - export first).
- TROUBLESHOOTING
No access: wait ~5 min, confirm CREATE_COMPLETE, check Outputs. 401: check API key (sk-...). 403: check the key's model permission. Tasks failing: ECS > Tasks > Logs; verify DB/Secrets.
SUPPORT: support@cambium.co.il (24-48h). Full documentation is in the CloudFormation template metadata.
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.