Deploying Java AI Microservices to AWS EKS
Deploying production-grade artificial intelligence (AI) microservices requires an infrastructure that is scalable, resilient, and highly performant. For Java developers leveraging frameworks like Spring AI or Deep Java Library (DJL), Amazon Elastic Kubernetes Service (AWS EKS) is the industry-standard platform. AWS EKS provides a managed Kubernetes environment that simplifies running containerized Java applications while offering seamless integration with AWS machine learning hardware, such as GPU-enabled EC2 instances.
In this guide, we will explore how to package, configure, and deploy a Spring Boot AI microservice to AWS EKS. We will cover the unique challenges of running Java AI workloads in Kubernetes, such as memory tuning, IAM roles for service accounts, and resource allocation.
If you have not yet declared your baseline cloud environment variables or established your core IAM infrastructure roles, refer to our automated topology guide: Provisioning AWS AI Infrastructure with Terraform.
Architecture Overview
Before diving into the deployment steps, it is essential to understand how a Java AI microservice interacts with AWS EKS and external AI services. The diagram below illustrates the flow of a user request through the EKS cluster to our Spring Boot AI application, which securely accesses AWS Bedrock using IAM Roles for Service Accounts (IRSA).
[User Request]
โ
โผ
[AWS ALB / Ingress Controller]
โ
โผ
[EKS Cluster Node]
โ
โผ
[Spring Boot AI Pod] โโ(OIDC / IAM Role)โโ> [AWS Bedrock / S3]
- Java 17+ JVM
- Spring AI / LangChain4j
- Container-aware RAM settings
To inspect alternative design options for mapping service bounds across distributed systems before setting up cluster nodes, visit Designing AI-Driven Microservices Architectures.
Step 1: Preparing the Container Image
Java 17 and later versions are fully container-aware. However, AI workloads often require significant memory to handle vector calculations, embeddings, and model weights. We must configure our Dockerfile to use an optimized JVM base image and set appropriate memory flags.
FROM eclipse-temurin:17-jdk-alpine
VOLUME /tmp
ARG JAR_FILE=target/*.jar
COPY ${JAR_FILE} app.jar
ENTRYPOINT ["java", "-XX:MaxRAMPercentage=75.0", "-XX:+UseG1GC", "-jar", "/app.jar"]Note: Using -XX:MaxRAMPercentage=75.0 ensures that the JVM dynamically adjusts its heap size based on the memory limits configured in our Kubernetes deployment manifest, leaving 25% of the memory for non-heap processes and OS overhead.
For a detailed breakdown of build tools and baseline multi-stage compilation patterns tailored for smaller container footprints, see our dedicated handbook: Containerizing AI-Enabled Java Applications with Docker.
Step 2: Pushing the Image to Amazon ECR
Amazon Elastic Container Registry (ECR) is a secure, managed container registry. To deploy to EKS, we must first authenticate our Docker client and push our image to ECR.
# Authenticate Docker to AWS ECR
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
# Tag the image
docker tag java-ai-service:latest 123456789012.dkr.ecr.us-east-1.amazonaws.com/java-ai-service:v1
# Push the image
docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/java-ai-service:v1Step 3: Creating the Kubernetes Manifests
To deploy our Java AI microservice to EKS, we need to define a Kubernetes Deployment and a Service. This manifest configures resource requests and limits, which are critical for preventing CPU throttling and OutOfMemory (OOM) kills during heavy AI inference tasks.
apiVersion: apps/v1
kind: Deployment
metadata:
name: java-ai-service
namespace: ai-apps
labels:
app: java-ai-service
spec:
replicas: 3
selector:
matchLabels:
app: java-ai-service
template:
metadata:
labels:
app: java-ai-service
spec:
serviceAccountName: java-ai-sa
containers:
- name: java-ai-container
image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/java-ai-service:v1
ports:
- containerPort: 8080
resources:
requests:
memory: "1024Mi"
cpu: "500m"
limits:
memory: "2048Mi"
cpu: "1500m"
env:
- name: SPRING_PROFILES_ACTIVE
value: "prod"
- name: AWS_REGION
value: "us-east-1"
---
apiVersion: v1
kind: Service
metadata:
name: java-ai-service
namespace: ai-apps
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 8080
selector:
app: java-ai-serviceIf your application logic targets local model endpoints running natively on Kubernetes rather than managed AWS endpoints, explore our scaling and provisioning manual: Deploying AI Java Microservices to Kubernetes.
AWS SDK Client Orchestration and Execution Patterns
Once your containers are scheduled across the EKS data plane, the inner application code must establish high-throughput connections with the cloud provider's API endpoints. Developers should implement clean client definitions that utilize non-blocking connection pools and leverage built-in retry mechanisms.
For a code-level deep dive into building these service layers and handling raw inference vectors, read Integrating AWS Bedrock and SageMaker with Spring Boot. If you want to replace manual JSON payload parsers with enterprise-grade framework wrappers, check out Introduction to the Spring AI Framework.
Real-World Use Case: Secure Spring AI Integration with Amazon Bedrock
In a production environment, you should never hardcode AWS credentials (like Access Keys and Secret Keys) inside your container or Kubernetes secrets. Instead, use IAM Roles for Service Accounts (IRSA). This allows your Spring Boot application running inside EKS to assume an IAM role dynamically using an OpenID Connect (OIDC) provider.
First, create an IAM role with permissions to access Amazon Bedrock or Amazon SageMaker. Then, create a Kubernetes Service Account that associates this role with your pods:
apiVersion: v1
kind: ServiceAccount
metadata:
name: java-ai-sa
namespace: ai-apps
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/JavaAIServiceBedrockRoleWhen the Spring Boot application starts, the AWS SDK automatically detects the OIDC token mounted by EKS and authenticates requests to Amazon Bedrock seamlessly, ensuring maximum security and compliance.
To inspect standard HTTP path definitions or to structure your endpoints before applying cluster security restrictions, visit Building AI-Powered Spring Boot REST APIs. If you need to manage conversational persistence for multi-turn prompts, read Managing Chat Memory and Conversational Context in Spring Boot.
Data Enrichment Pathways and Asynchronous Pipelines
Enterprise microservices rarely communicate with raw foundational models in isolation. Real-world architectures typically leverage Retrieval-Augmented Generation (RAG) to dynamically fetch contextual data from vector databases prior to running inference.
To learn how to process textual tokens and configure database drivers for semantic search, check out Understanding Vector Databases and Embeddings in Java. To implement the corresponding service loops within your Spring application layer, follow Implementing RAG with Spring AI.
Additionally, when processing bulky batch records or high-volume background tasks that exceed standard HTTP timeout thresholds, you should adopt a decoupled, event-driven pattern. Read our streaming integration guide: Asynchronous AI Processing with Kafka.
Hardware Optimization and Advanced Node Groups
While serverless integrations like AWS Bedrock scale automatically, hosting deep learning models directly on your EKS worker nodes requires specialized hardware management. Managing physical nodes requires setting up GPU scheduling, configuring appropriate taints, and tuning worker allocations to handle heavy model workloads.
To learn how to attach and share physical accelerators across your cluster pods, follow Kubernetes Scaling & GPU Resources for AI Workloads. For developers focused on minimizing cluster costs and eliminating JVM cold-start delays, look over our performance tuning manual: Optimizing Java AI Applications: GraalVM Native Images & Cost Management.
Common Mistakes to Avoid
- Underestimating JVM Overhead: Setting the Kubernetes memory limit exactly equal to the JVM heap size will result in the container being terminated by the Kubernetes OOM-killer. Always leave at least 25% of the container memory limit for off-heap memory, garbage collection overhead, and OS processes.
- Missing Readiness and Liveness Probes: AI models can take several seconds or even minutes to initialize or load embeddings into memory. Without proper readiness probes, Kubernetes might route traffic to the container before it is ready to process requests.
- Ignoring GPU Node Taints: If you are deploying deep learning models that require GPU nodes, ensure your pods have the appropriate tolerations. Otherwise, non-AI pods might get scheduled on expensive GPU instances, driving up cloud costs.
Interview Notes for Java AI Engineers
- Question: How does the JVM behave inside a Docker container when running on Kubernetes?
- Answer: Historically, the JVM did not recognize container resource limits and looked at the physical host's memory, leading to OOM kills. Since Java 10, the JVM is container-aware. By using flags like
-XX:MaxRAMPercentage, we can instruct the JVM to calculate its heap size based on the container's cgroup limits rather than the host's physical memory. - Question: How do you secure AWS API calls from a Spring Boot microservice running in EKS?
- Answer: We use IAM Roles for Service Accounts (IRSA). By associating an AWS IAM Role with a Kubernetes Service Account via OIDC, the AWS SDK inside the Spring Boot container can automatically retrieve temporary security credentials, avoiding the need for static access keys.
- Question: How do you handle long-running AI inference requests in a microservice architecture?
- Answer: For synchronous HTTP requests, configure appropriate read timeouts on the load balancer and ingress. For asynchronous processing, it is best to use a message-driven approach with Amazon SQS or Apache Kafka, where the EKS pods consume tasks and process them asynchronously.
Summary
Deploying Java AI microservices to AWS EKS combines the robust ecosystem of Kubernetes with the scalability of AWS cloud infrastructure. By configuring container-aware JVM memory settings, setting precise resource requests and limits, and securing service-to-service communication using IAM Roles for Service Accounts (IRSA), you can build highly secure, resilient, and performant AI platforms.
To safeguard your public-facing application paths from semantic vulnerabilities and injection risks, explore our comprehensive defensive security guide: Securing AI APIs, Prompts, and Data Pipelines in Spring Boot.
To configure end-to-end monitoring and alert dashboards for your cluster resources, check out our observability guide: Observability Strategies for AI Apps via Prometheus and Grafana.
