From fc8d89ea733742542b3b40e38deea0a863dc6783 Mon Sep 17 00:00:00 2001
From: Jamil <jamilbk@users.noreply.github.com>
Date: Thu, 27 Jun 2024 21:05:38 -0700
Subject: [PATCH] docs: Add AWS NAT Gateway example (#5543)

- Adds the AWS equivalent of our GCP scalable NAT Gateway.
- Adds a new kb section `/kb/automate` that will contain various
automation / IaaC recipes going forward. It's better to have these
guides in the main docs with all the other info.

~~Will update the GCP example in another PR.~~

Portal helper docs in the gateway deploy page will come in another PR
after this is merged.
---
 docs/README.md                                |  14 +-
 terraform/examples/.gitignore                 |   1 +
 terraform/examples/README.md                  |   9 +-
 terraform/examples/aws/nat-gateway/README.md  |   4 +
 terraform/examples/aws/nat-gateway/main.tf    | 168 ++++++++++++++
 .../google-cloud/nat-gateway/README.md        |   4 +
 .../examples/google-cloud/nat-gateway/main.tf | 212 ++++++++++++++++++
 .../examples/google-cloud/nat_gateway/main.tf |  40 ----
 .../google-cloud/nat_gateway/network.tf       | 103 ---------
 .../google-cloud/nat_gateway/outputs.tf       |   3 -
 .../google-cloud/nat_gateway/variables.tf     |  55 -----
 .../google-cloud/nat_gateway/versions.tf      |   8 -
 .../modules/aws/firezone-gateway/main.tf      |  54 +++++
 .../modules/aws/firezone-gateway/variables.tf |  85 +++++++
 .../public/images/kb/automate/aws-logo.svg    |  38 ++++
 .../public/images/kb/automate/gcp-logo.svg    |   1 +
 .../images/kb/automate/terraform-logo.svg     |   7 +
 .../terraform/gcp}/online-gateways.png        | Bin
 website/src/app/kb/automate/_page.tsx         |   6 +
 website/src/app/kb/automate/page.tsx          |  17 ++
 website/src/app/kb/automate/readme.mdx        |  49 ++++
 .../app/kb/automate/terraform/aws/_page.tsx   |   6 +
 .../app/kb/automate/terraform/aws/page.tsx    |  17 ++
 .../app/kb/automate/terraform/aws/readme.mdx  |  87 +++++++
 .../app/kb/automate/terraform/gcp/_page.tsx   |   6 +
 .../app/kb/automate/terraform/gcp/page.tsx    |  18 ++
 .../app/kb/automate/terraform/gcp/readme.mdx  |  30 ++-
 website/src/app/kb/deploy/gateways/readme.mdx |   7 +-
 website/src/app/page.tsx                      | 144 ++++++------
 website/src/components/DocCards/index.tsx     |   0
 website/src/components/KbCards/index.tsx      |  35 +++
 website/src/components/KbSidebar/index.tsx    |  13 ++
 32 files changed, 943 insertions(+), 298 deletions(-)
 create mode 100644 terraform/examples/.gitignore
 create mode 100644 terraform/examples/aws/nat-gateway/README.md
 create mode 100644 terraform/examples/aws/nat-gateway/main.tf
 create mode 100644 terraform/examples/google-cloud/nat-gateway/README.md
 create mode 100644 terraform/examples/google-cloud/nat-gateway/main.tf
 delete mode 100644 terraform/examples/google-cloud/nat_gateway/main.tf
 delete mode 100644 terraform/examples/google-cloud/nat_gateway/network.tf
 delete mode 100644 terraform/examples/google-cloud/nat_gateway/outputs.tf
 delete mode 100644 terraform/examples/google-cloud/nat_gateway/variables.tf
 delete mode 100644 terraform/examples/google-cloud/nat_gateway/versions.tf
 create mode 100644 terraform/modules/aws/firezone-gateway/main.tf
 create mode 100644 terraform/modules/aws/firezone-gateway/variables.tf
 create mode 100644 website/public/images/kb/automate/aws-logo.svg
 create mode 100644 website/public/images/kb/automate/gcp-logo.svg
 create mode 100644 website/public/images/kb/automate/terraform-logo.svg
 rename {terraform/examples/google-cloud/nat_gateway => website/public/images/kb/automate/terraform/gcp}/online-gateways.png (100%)
 create mode 100644 website/src/app/kb/automate/_page.tsx
 create mode 100644 website/src/app/kb/automate/page.tsx
 create mode 100644 website/src/app/kb/automate/readme.mdx
 create mode 100644 website/src/app/kb/automate/terraform/aws/_page.tsx
 create mode 100644 website/src/app/kb/automate/terraform/aws/page.tsx
 create mode 100644 website/src/app/kb/automate/terraform/aws/readme.mdx
 create mode 100644 website/src/app/kb/automate/terraform/gcp/_page.tsx
 create mode 100644 website/src/app/kb/automate/terraform/gcp/page.tsx
 rename terraform/examples/google-cloud/nat_gateway/README.md => website/src/app/kb/automate/terraform/gcp/readme.mdx (80%)
 create mode 100644 website/src/components/DocCards/index.tsx
 create mode 100644 website/src/components/KbCards/index.tsx

diff --git a/docs/README.md b/docs/README.md
index db5be830c..87b6db57c 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -103,12 +103,18 @@ product documentation, organized as follows:
 - [kotlin/](../kotlin/android): Android / ChromeOS clients.
 - [website/](../website): Marketing website and product documentation.
 - [terraform/](../terraform): Terraform files for various example deployments.
-  - [terraform/examples/google-cloud/nat_gateway](../terraform/examples/google-cloud/nat_gateway):
-    Example Terraform configurations for deploying a cluster of Firezone
-    gateways behind a NAT gateway on GCP with single egress IP.
+  - [terraform/examples/google-cloud/nat-gateway](../terraform/examples/google-cloud/nat-gateway):
+    Example Terraform configuration for deploying a cluster of Firezone Gateways
+    behind a NAT gateway on GCP with single egress IP.
+  - [terraform/examples/aws/nat-gateway](../terraform/examples/aws/nat-gateway):
+    Example Terraform configuration for deploying a cluster of Firezone Gateways
+    behind a NAT gateway on AWS with single egress IP.
   - [terraform/modules/google-cloud/apps/gateway-region-instance-group](../terraform/modules/google-cloud/apps/gateway-region-instance-group):
-    Production-ready Terraform module for deploying regional Firezone gateways
+    Production-ready Terraform module for deploying regional Firezone Gateways
     to Google Cloud Compute using Regional Instance Groups.
+  - [terraform/modules/aws/firezone-gateway](../terraform/modules/aws/firezone-gateway):
+    Production-ready Terraform module for deploying Firezone Gateways to AWS
+    using Auto Scaling Groups.
 
 ## Quickstart
 
diff --git a/terraform/examples/.gitignore b/terraform/examples/.gitignore
new file mode 100644
index 000000000..809648bda
--- /dev/null
+++ b/terraform/examples/.gitignore
@@ -0,0 +1 @@
+**/.terraform.*
diff --git a/terraform/examples/README.md b/terraform/examples/README.md
index 8ca4e6b17..3e77a0bfd 100644
--- a/terraform/examples/README.md
+++ b/terraform/examples/README.md
@@ -8,9 +8,16 @@ Gateways to your infrastructure.
 Each example below is self-contained and includes a `README.md` with
 instructions on how to deploy the example.
 
+### AWS
+
+- [NAT Gateway](./aws/nat-gateway): This example shows how to deploy one or more
+  Firezone Gateways in a single AWS VPC that is configured with a NAT Gateway
+  for egress. Read this if you're looking to deploy Firezone Gateways behind a
+  single, shared static IP address on AWS.
+
 ### Google Cloud Platform (GCP)
 
-- [NAT Gateway](./google-cloud/nat_gateway): This example shows how to deploy
+- [NAT Gateway](./google-cloud/nat-gateway): This example shows how to deploy
   one or more Firezone Gateways in a single GCP VPC that is configured with a
   Cloud NAT for egress. Read this if you're looking to deploy Firezone Gateways
   behind a single, shared static IP address on GCP.
diff --git a/terraform/examples/aws/nat-gateway/README.md b/terraform/examples/aws/nat-gateway/README.md
new file mode 100644
index 000000000..3d99a80f0
--- /dev/null
+++ b/terraform/examples/aws/nat-gateway/README.md
@@ -0,0 +1,4 @@
+# Deploy Firezone on AWS with Terraform
+
+See [our docs for a detailed guide](/kb/automate/terraform/aws) on deploying
+Firezone on AWS with Terraform using this example.
diff --git a/terraform/examples/aws/nat-gateway/main.tf b/terraform/examples/aws/nat-gateway/main.tf
new file mode 100644
index 000000000..551da8a91
--- /dev/null
+++ b/terraform/examples/aws/nat-gateway/main.tf
@@ -0,0 +1,168 @@
+module "gateway_aws_example" {
+  source = "github.com/firezone/firezone/terraform/modules/aws/firezone-gateway"
+
+  ###################
+  # Required inputs #
+  ###################
+
+  # Generate a token from the admin portal in Sites -> <site> -> Deploy Gateway.
+  # Only one token is needed for the cluster.
+  firezone_token = "YOUR_FIREZONE_TOKEN"
+
+  # Pick an AMI to use. We recommend Ubuntu LTS or Amazon Linux 2.
+  base_ami = data.aws_ami_ids.ubuntu.ids[0]
+
+  # Attach the Gateways to your VPC and subnets.
+  vpc            = aws_vpc.main.id
+  public_subnet  = aws_subnet.public.id
+  private_subnet = aws_subnet.private.id
+  instance_security_groups = [
+    aws_security_group.instance.id
+  ]
+
+  ###################
+  # Optional inputs #
+  ###################
+
+  # Deploy a specific version of the Gateway. Generally, we recommend using the latest version.
+  # firezone_version    = "latest"
+
+  # Override the default API URL. This should almost never be needed.
+  # firezone_api_url    = "wss://api.firezone.dev"
+
+  # Gateways are very lightweight.
+  # See https://www.firezone.dev/kb/deploy/gateways#sizing-recommendations.
+  # instance_type       = "t3.nano"
+
+  # We recommend a minimum of 3 instances for high availability.
+  # min_size            = 3
+  # max_size            = 5
+  # desired_capacity    = 3
+}
+
+data "aws_ami_ids" "ubuntu" {
+  owners = ["099720109477"] # Canonical
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"]
+  }
+}
+
+provider "aws" {
+  # Change this to your desired region
+  region = "us-east-1"
+}
+
+resource "aws_vpc" "main" {
+  cidr_block           = "172.16.0.0/16"
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+}
+
+resource "aws_subnet" "public" {
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = "172.16.0.0/24"
+  map_public_ip_on_launch = true
+}
+
+resource "aws_subnet" "private" {
+  vpc_id     = aws_vpc.main.id
+  cidr_block = "172.16.1.0/24"
+}
+
+resource "aws_internet_gateway" "gw" {
+  vpc_id = aws_vpc.main.id
+}
+
+resource "aws_eip" "nat" {
+  domain = "vpc"
+}
+
+resource "aws_nat_gateway" "nat" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = aws_subnet.public.id
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.gw.id
+  }
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.nat.id
+  }
+}
+
+resource "aws_route_table_association" "public" {
+  subnet_id      = aws_subnet.public.id
+  route_table_id = aws_route_table.public.id
+}
+
+resource "aws_route_table_association" "private" {
+  subnet_id      = aws_subnet.private.id
+  route_table_id = aws_route_table.private.id
+}
+
+resource "aws_security_group" "instance" {
+  vpc_id = aws_vpc.main.id
+
+  // allow SSH from other machines on the subnet
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+    cidr_blocks = [
+      aws_subnet.private.cidr_block,
+      aws_subnet.public.cidr_block
+    ]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_security_group" "instance_connect" {
+  name        = "allow egress to all vpc subnets"
+  description = "Security group to allow SSH to vpc subnets. Created for use with EC2 Instance Connect Endpoint."
+  vpc_id      = aws_vpc.main.id
+
+  egress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+    cidr_blocks = [
+      aws_subnet.private.cidr_block,
+      aws_subnet.public.cidr_block
+    ]
+  }
+}
+
+resource "aws_ec2_instance_connect_endpoint" "instance_connect_endpoint" {
+  subnet_id          = aws_subnet.public.id
+  preserve_client_ip = false
+  security_group_ids = [
+    aws_security_group.instance_connect.id
+  ]
+
+  tags = {
+    Name = "firezone-gateway-instance-connect-endpoint"
+  }
+}
+
+output "nat_public_ip" {
+  description = "The public IP of the NAT gateway"
+  value       = aws_eip.nat.public_ip
+}
diff --git a/terraform/examples/google-cloud/nat-gateway/README.md b/terraform/examples/google-cloud/nat-gateway/README.md
new file mode 100644
index 000000000..82f9d5d0f
--- /dev/null
+++ b/terraform/examples/google-cloud/nat-gateway/README.md
@@ -0,0 +1,4 @@
+# Deploy Firezone on GCP with Terraform
+
+See [our docs for a detailed guide](/kb/automate/terraform/gcp) on deploying
+Firezone on GCP with Terraform using this example.
diff --git a/terraform/examples/google-cloud/nat-gateway/main.tf b/terraform/examples/google-cloud/nat-gateway/main.tf
new file mode 100644
index 000000000..b26ce6232
--- /dev/null
+++ b/terraform/examples/google-cloud/nat-gateway/main.tf
@@ -0,0 +1,212 @@
+module "gateway_gcp_example" {
+  source = "github.com/firezone/firezone/terraform/modules/google-cloud/apps/gateway-region-instance-group"
+  # If you are changing this example along with the module, you should use the local path:
+  # source = "../../../modules/google-cloud/apps/gateway-region-instance-group"
+
+  project_id = var.project_id
+
+  compute_network    = google_compute_network.firezone.id
+  compute_subnetwork = google_compute_subnetwork.firezone.id
+
+  compute_instance_replicas = var.replicas
+  compute_instance_type     = var.machine_type
+  compute_region            = var.region
+
+  # Since we are behind a NAT gateway, we don't need public IP addresses
+  # to be automatically provisioned for the instances
+  compute_provision_public_ipv6_address = false
+  compute_provision_public_ipv4_address = false
+
+  vsn = "latest"
+
+  observability_log_level = "info"
+
+  token = var.token
+}
+
+################################################################################
+## Google Cloud Project
+################################################################################
+
+variable "project_id" {
+  type        = string
+  description = "Google Cloud Project ID"
+}
+
+################################################################################
+## Compute
+################################################################################
+
+variable "region" {
+  type        = string
+  description = "Region to deploy the Gateway(s) in."
+}
+
+variable "replicas" {
+  type        = number
+  description = "Number of Gateway replicas to deploy in the availability zone."
+  default     = 3
+}
+
+variable "machine_type" {
+  type    = string
+  default = "n1-standard-1"
+}
+
+################################################################################
+## Observability
+################################################################################
+
+variable "log_level" {
+  type     = string
+  nullable = false
+  default  = "info"
+
+  description = "Sets RUST_LOG environment variable to configure the Gateway's log level. Default: 'info'."
+}
+
+################################################################################
+## Firezone
+################################################################################
+
+variable "token" {
+  type        = string
+  description = "Gateway token to use for authentication."
+}
+
+variable "subnet_cidr" {
+  type        = string
+  description = "CIDR Range to use for subnet where Gateway(s) are deployed"
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+resource "google_project_service" "compute-api" {
+  project = var.project_id
+  service = "compute.googleapis.com"
+}
+
+resource "google_service_account" "firezone" {
+  account_id   = "firezone-gateway"
+  display_name = "Firezone Gateway Service Account"
+}
+
+# We create a new network and subnetwork. In real-world scenarios,
+# you would likely use an existing ones where your application is deployed.
+resource "google_compute_network" "firezone" {
+  name                     = "firezone-gateway"
+  auto_create_subnetworks  = false
+  enable_ula_internal_ipv6 = true
+  depends_on               = [google_project_service.compute-api]
+}
+
+resource "google_compute_subnetwork" "firezone" {
+  project = var.project_id
+
+  name = "firezone-gateways"
+
+  stack_type = "IPV4_IPV6"
+
+  ip_cidr_range = var.subnet_cidr
+  region        = var.region
+  network       = google_compute_network.firezone.id
+
+  ipv6_access_type = "INTERNAL"
+
+  private_ip_google_access = true
+}
+
+# Allocate IPv4 addresses for the NAT gateway
+resource "google_compute_address" "ipv4" {
+  project    = var.project_id
+  name       = "firezone-gateway-nat-ipv4"
+  ip_version = "IPV4"
+}
+
+# Create a router and NAT to allow outbound traffic
+resource "google_compute_router" "firezone" {
+  name    = "firezone-gateway-router"
+  network = google_compute_network.firezone.id
+}
+
+resource "google_compute_router_nat" "firezone" {
+  name   = "firezone-gateway-nat"
+  router = google_compute_router.firezone.name
+
+  nat_ip_allocate_option = "MANUAL_ONLY"
+  nat_ips = [
+    google_compute_address.ipv4.self_link,
+  ]
+
+  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
+  subnetwork {
+    name                    = google_compute_subnetwork.firezone.id
+    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
+  }
+}
+
+# Configure Firewall to allow outbound traffic
+resource "google_compute_firewall" "gateways-egress-ipv4" {
+  project = var.project_id
+
+  name      = "firezone-gateways-egress-ipv4"
+  network   = google_compute_network.firezone.id
+  direction = "EGRESS"
+
+  target_tags        = module.gateways.target_tags
+  destination_ranges = ["0.0.0.0/0"]
+
+  allow {
+    protocol = "all"
+  }
+}
+
+resource "google_compute_firewall" "gateways-egress-ipv6" {
+  project = var.project_id
+
+  name      = "firezone-gateways-egress-ipv6"
+  network   = google_compute_network.firezone.id
+  direction = "EGRESS"
+
+  target_tags        = module.gateways.target_tags
+  destination_ranges = ["::/0"]
+
+  allow {
+    protocol = "all"
+  }
+}
+
+# Allow SSH access to the gateways. This is optional but helpful for debugging
+# and administration of the gateways. Since they're not publicly accessible,
+# you need to tunnel through IAP:
+#
+#   gcloud compute instances list --project <PROJECT_ID>
+#   gcloud compute ssh --tunnel-through-iap --project <PROJECT_ID> gateway-XXXX
+resource "google_compute_firewall" "ssh-rule" {
+  name    = "allow-gateways-ssh"
+  network = google_compute_network.firezone.id
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  target_tags   = module.gateways.target_tags
+  source_ranges = ["35.235.240.0/20"] // IAP CIDR
+}
+
+output "static_ip_addresses" {
+  value = [google_compute_address.ipv4.address]
+}
+
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "5.20"
+    }
+  }
+}
diff --git a/terraform/examples/google-cloud/nat_gateway/main.tf b/terraform/examples/google-cloud/nat_gateway/main.tf
deleted file mode 100644
index 8ee406c0e..000000000
--- a/terraform/examples/google-cloud/nat_gateway/main.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-provider "google" {
-  project = var.project_id
-  region  = var.region
-}
-
-resource "google_project_service" "compute-api" {
-  project = var.project_id
-  service = "compute.googleapis.com"
-}
-
-resource "google_service_account" "firezone" {
-  account_id   = "firezone-gateway"
-  display_name = "Firezone Gateway Service Account"
-}
-
-module "gateways" {
-  source = "github.com/firezone/firezone/terraform/modules/google-cloud/apps/gateway-region-instance-group"
-  # If you are changing this example along with the module, you should use the local path:
-  # source = "../../../modules/google-cloud/apps/gateway-region-instance-group"
-
-  project_id = var.project_id
-
-  compute_network    = google_compute_network.firezone.id
-  compute_subnetwork = google_compute_subnetwork.firezone.id
-
-  compute_instance_replicas = var.replicas
-  compute_instance_type     = var.machine_type
-  compute_region            = var.region
-
-  # Since we are behind a NAT gateway, we don't need public IP addresses
-  # to be automatically provisioned for the instances
-  compute_provision_public_ipv6_address = false
-  compute_provision_public_ipv4_address = false
-
-  vsn = "latest"
-
-  observability_log_level = "info"
-
-  token = var.token
-}
diff --git a/terraform/examples/google-cloud/nat_gateway/network.tf b/terraform/examples/google-cloud/nat_gateway/network.tf
deleted file mode 100644
index 98a1de083..000000000
--- a/terraform/examples/google-cloud/nat_gateway/network.tf
+++ /dev/null
@@ -1,103 +0,0 @@
-# We create a new network and subnetwork. In real-world scenarios,
-# you would likely use an existing ones where your application is deployed.
-resource "google_compute_network" "firezone" {
-  name                     = "firezone-gateway"
-  auto_create_subnetworks  = false
-  enable_ula_internal_ipv6 = true
-  depends_on               = [google_project_service.compute-api]
-}
-
-resource "google_compute_subnetwork" "firezone" {
-  project = var.project_id
-
-  name = "firezone-gateways"
-
-  stack_type = "IPV4_IPV6"
-
-  ip_cidr_range = var.subnet_cidr
-  region        = var.region
-  network       = google_compute_network.firezone.id
-
-  ipv6_access_type = "INTERNAL"
-
-  private_ip_google_access = true
-}
-
-# Allocate IPv4 addresses for the NAT gateway
-resource "google_compute_address" "ipv4" {
-  project    = var.project_id
-  name       = "firezone-gateway-nat-ipv4"
-  ip_version = "IPV4"
-}
-
-# Create a router and NAT to allow outbound traffic
-resource "google_compute_router" "firezone" {
-  name    = "firezone-gateway-router"
-  network = google_compute_network.firezone.id
-}
-
-resource "google_compute_router_nat" "firezone" {
-  name   = "firezone-gateway-nat"
-  router = google_compute_router.firezone.name
-
-  nat_ip_allocate_option = "MANUAL_ONLY"
-  nat_ips = [
-    google_compute_address.ipv4.self_link,
-  ]
-
-  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
-  subnetwork {
-    name                    = google_compute_subnetwork.firezone.id
-    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
-  }
-}
-
-# Configure Firewall to allow outbound traffic
-resource "google_compute_firewall" "gateways-egress-ipv4" {
-  project = var.project_id
-
-  name      = "firezone-gateways-egress-ipv4"
-  network   = google_compute_network.firezone.id
-  direction = "EGRESS"
-
-  target_tags        = module.gateways.target_tags
-  destination_ranges = ["0.0.0.0/0"]
-
-  allow {
-    protocol = "all"
-  }
-}
-
-resource "google_compute_firewall" "gateways-egress-ipv6" {
-  project = var.project_id
-
-  name      = "firezone-gateways-egress-ipv6"
-  network   = google_compute_network.firezone.id
-  direction = "EGRESS"
-
-  target_tags        = module.gateways.target_tags
-  destination_ranges = ["::/0"]
-
-  allow {
-    protocol = "all"
-  }
-}
-
-# Allow SSH access to the gateways. This is optional but helpful for debugging
-# and administration of the gateways. Since they're not publicly accessible,
-# you need to tunnel through IAP:
-#
-#   gcloud compute instances list --project <PROJECT_ID>
-#   gcloud compute ssh --tunnel-through-iap --project <PROJECT_ID> gateway-XXXX
-resource "google_compute_firewall" "ssh-rule" {
-  name    = "allow-gateways-ssh"
-  network = google_compute_network.firezone.id
-
-  allow {
-    protocol = "tcp"
-    ports    = ["22"]
-  }
-
-  target_tags   = module.gateways.target_tags
-  source_ranges = ["35.235.240.0/20"] // IAP CIDR
-}
diff --git a/terraform/examples/google-cloud/nat_gateway/outputs.tf b/terraform/examples/google-cloud/nat_gateway/outputs.tf
deleted file mode 100644
index a57040bed..000000000
--- a/terraform/examples/google-cloud/nat_gateway/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "static_ip_addresses" {
-  value = [google_compute_address.ipv4.address]
-}
diff --git a/terraform/examples/google-cloud/nat_gateway/variables.tf b/terraform/examples/google-cloud/nat_gateway/variables.tf
deleted file mode 100644
index 74232a2f9..000000000
--- a/terraform/examples/google-cloud/nat_gateway/variables.tf
+++ /dev/null
@@ -1,55 +0,0 @@
-################################################################################
-## Google Cloud Project
-################################################################################
-
-variable "project_id" {
-  type        = string
-  description = "Google Cloud Project ID"
-}
-
-################################################################################
-## Compute
-################################################################################
-
-variable "region" {
-  type        = string
-  description = "Region to deploy the Gateway(s) in."
-}
-
-variable "replicas" {
-  type        = number
-  description = "Number of Gateway replicas to deploy in the availability zone."
-  default     = 3
-}
-
-variable "machine_type" {
-  type    = string
-  default = "n1-standard-1"
-}
-
-################################################################################
-## Observability
-################################################################################
-
-variable "log_level" {
-  type     = string
-  nullable = false
-  default  = "info"
-
-  description = "Sets RUST_LOG environment variable to configure the Gateway's log level. Default: 'info'."
-}
-
-################################################################################
-## Firezone
-################################################################################
-
-variable "token" {
-  type        = string
-  description = "Gateway token to use for authentication."
-  sensitive   = true
-}
-
-variable "subnet_cidr" {
-  type        = string
-  description = "CIDR Range to use for subnet where Gateway(s) are deployed"
-}
diff --git a/terraform/examples/google-cloud/nat_gateway/versions.tf b/terraform/examples/google-cloud/nat_gateway/versions.tf
deleted file mode 100644
index 11a0305bb..000000000
--- a/terraform/examples/google-cloud/nat_gateway/versions.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-terraform {
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = "5.20"
-    }
-  }
-}
diff --git a/terraform/modules/aws/firezone-gateway/main.tf b/terraform/modules/aws/firezone-gateway/main.tf
new file mode 100644
index 000000000..837c0cea0
--- /dev/null
+++ b/terraform/modules/aws/firezone-gateway/main.tf
@@ -0,0 +1,54 @@
+resource "aws_launch_configuration" "lc" {
+  name                        = "firezone-gateway-lc"
+  image_id                    = var.base_ami
+  instance_type               = var.instance_type
+  security_groups             = var.instance_security_groups
+  associate_public_ip_address = false
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  user_data = <<-EOF
+  #!/bin/bash
+  set -e
+
+  sudo apt-get update
+  sudo apt-get install -y curl uuid-runtime
+
+  FIREZONE_TOKEN="${var.firezone_token}" \
+  FIREZONE_VERSION="${var.firezone_version}" \
+  FIREZONE_NAME="${var.firezone_name}" \
+  FIREZONE_ID="$(uuidgen)" \
+  FIREZONE_API_URL="${var.firezone_api_url}" \
+  bash <(curl -fsSL https://raw.githubusercontent.com/firezone/firezone/main/scripts/gateway-systemd-install.sh)
+
+  EOF
+}
+
+resource "aws_autoscaling_group" "asg" {
+  desired_capacity     = var.desired_capacity
+  max_size             = var.max_size
+  min_size             = var.min_size
+  vpc_zone_identifier  = [var.private_subnet]
+  launch_configuration = aws_launch_configuration.lc.id
+
+  tag {
+    key                 = "Name"
+    value               = "firezone-gateway-instance"
+    propagate_at_launch = true
+  }
+
+  dynamic "tag" {
+    for_each = var.extra_tags
+    content {
+      key                 = tag.value.key
+      propagate_at_launch = tag.value.propagate_at_launch
+      value               = tag.value.value
+    }
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/terraform/modules/aws/firezone-gateway/variables.tf b/terraform/modules/aws/firezone-gateway/variables.tf
new file mode 100644
index 000000000..a0c5a7eea
--- /dev/null
+++ b/terraform/modules/aws/firezone-gateway/variables.tf
@@ -0,0 +1,85 @@
+variable "base_ami" {
+  description = "The base AMI for the instances"
+  type        = string
+}
+
+variable "instance_type" {
+  description = "The instance type"
+  type        = string
+  default     = "t3.nano"
+}
+
+variable "desired_capacity" {
+  description = "The desired number of instances"
+  type        = number
+  default     = 3
+}
+
+variable "min_size" {
+  description = "The minimum number of instances"
+  type        = number
+  default     = 3
+}
+
+variable "max_size" {
+  description = "The maximum number of instances"
+  type        = number
+  default     = 5
+}
+
+variable "firezone_token" {
+  description = "The Firezone token"
+  type        = string
+  nullable    = false
+  sensitive   = true
+}
+
+variable "firezone_version" {
+  description = "The Gateway version to deploy"
+  type        = string
+  default     = "latest"
+}
+
+variable "firezone_name" {
+  description = "Name for the Gateways used in the admin portal"
+  type        = string
+  default     = "$(hostname)"
+}
+
+variable "firezone_api_url" {
+  description = "The Firezone API URL"
+  type        = string
+  default     = "wss://api.firezone.dev"
+}
+
+variable "vpc" {
+  description = "The VPC id to use"
+  type        = string
+}
+
+variable "private_subnet" {
+  description = "The private subnet id"
+  type        = string
+}
+
+variable "public_subnet" {
+  description = "The public subnet id"
+  type        = string
+}
+
+variable "instance_security_groups" {
+  description = "The security group ids to attach to the instances"
+  type        = list(string)
+}
+
+variable "extra_tags" {
+  description = "Extra tags for the Auto Scaling group"
+
+  type = map(object({
+    key                 = string
+    value               = string
+    propagate_at_launch = bool
+  }))
+
+  default = {}
+}
diff --git a/website/public/images/kb/automate/aws-logo.svg b/website/public/images/kb/automate/aws-logo.svg
new file mode 100644
index 000000000..4715937ff
--- /dev/null
+++ b/website/public/images/kb/automate/aws-logo.svg
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 19.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 304 182" style="enable-background:new 0 0 304 182;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#252F3E;}
+	.st1{fill-rule:evenodd;clip-rule:evenodd;fill:#FF9900;}
+</style>
+<g>
+	<path class="st0" d="M86.4,66.4c0,3.7,0.4,6.7,1.1,8.9c0.8,2.2,1.8,4.6,3.2,7.2c0.5,0.8,0.7,1.6,0.7,2.3c0,1-0.6,2-1.9,3l-6.3,4.2
+		c-0.9,0.6-1.8,0.9-2.6,0.9c-1,0-2-0.5-3-1.4C76.2,90,75,88.4,74,86.8c-1-1.7-2-3.6-3.1-5.9c-7.8,9.2-17.6,13.8-29.4,13.8
+		c-8.4,0-15.1-2.4-20-7.2c-4.9-4.8-7.4-11.2-7.4-19.2c0-8.5,3-15.4,9.1-20.6c6.1-5.2,14.2-7.8,24.5-7.8c3.4,0,6.9,0.3,10.6,0.8
+		c3.7,0.5,7.5,1.3,11.5,2.2v-7.3c0-7.6-1.6-12.9-4.7-16c-3.2-3.1-8.6-4.6-16.3-4.6c-3.5,0-7.1,0.4-10.8,1.3c-3.7,0.9-7.3,2-10.8,3.4
+		c-1.6,0.7-2.8,1.1-3.5,1.3c-0.7,0.2-1.2,0.3-1.6,0.3c-1.4,0-2.1-1-2.1-3.1v-4.9c0-1.6,0.2-2.8,0.7-3.5c0.5-0.7,1.4-1.4,2.8-2.1
+		c3.5-1.8,7.7-3.3,12.6-4.5c4.9-1.3,10.1-1.9,15.6-1.9c11.9,0,20.6,2.7,26.2,8.1c5.5,5.4,8.3,13.6,8.3,24.6V66.4z M45.8,81.6
+		c3.3,0,6.7-0.6,10.3-1.8c3.6-1.2,6.8-3.4,9.5-6.4c1.6-1.9,2.8-4,3.4-6.4c0.6-2.4,1-5.3,1-8.7v-4.2c-2.9-0.7-6-1.3-9.2-1.7
+		c-3.2-0.4-6.3-0.6-9.4-0.6c-6.7,0-11.6,1.3-14.9,4c-3.3,2.7-4.9,6.5-4.9,11.5c0,4.7,1.2,8.2,3.7,10.6
+		C37.7,80.4,41.2,81.6,45.8,81.6z M126.1,92.4c-1.8,0-3-0.3-3.8-1c-0.8-0.6-1.5-2-2.1-3.9L96.7,10.2c-0.6-2-0.9-3.3-0.9-4
+		c0-1.6,0.8-2.5,2.4-2.5h9.8c1.9,0,3.2,0.3,3.9,1c0.8,0.6,1.4,2,2,3.9l16.8,66.2l15.6-66.2c0.5-2,1.1-3.3,1.9-3.9c0.8-0.6,2.2-1,4-1
+		h8c1.9,0,3.2,0.3,4,1c0.8,0.6,1.5,2,1.9,3.9l15.8,67l17.3-67c0.6-2,1.3-3.3,2-3.9c0.8-0.6,2.1-1,3.9-1h9.3c1.6,0,2.5,0.8,2.5,2.5
+		c0,0.5-0.1,1-0.2,1.6c-0.1,0.6-0.3,1.4-0.7,2.5l-24.1,77.3c-0.6,2-1.3,3.3-2.1,3.9c-0.8,0.6-2.1,1-3.8,1h-8.6c-1.9,0-3.2-0.3-4-1
+		c-0.8-0.7-1.5-2-1.9-4L156,23l-15.4,64.4c-0.5,2-1.1,3.3-1.9,4c-0.8,0.7-2.2,1-4,1H126.1z M254.6,95.1c-5.2,0-10.4-0.6-15.4-1.8
+		c-5-1.2-8.9-2.5-11.5-4c-1.6-0.9-2.7-1.9-3.1-2.8c-0.4-0.9-0.6-1.9-0.6-2.8v-5.1c0-2.1,0.8-3.1,2.3-3.1c0.6,0,1.2,0.1,1.8,0.3
+		c0.6,0.2,1.5,0.6,2.5,1c3.4,1.5,7.1,2.7,11,3.5c4,0.8,7.9,1.2,11.9,1.2c6.3,0,11.2-1.1,14.6-3.3c3.4-2.2,5.2-5.4,5.2-9.5
+		c0-2.8-0.9-5.1-2.7-7c-1.8-1.9-5.2-3.6-10.1-5.2L246,52c-7.3-2.3-12.7-5.7-16-10.2c-3.3-4.4-5-9.3-5-14.5c0-4.2,0.9-7.9,2.7-11.1
+		c1.8-3.2,4.2-6,7.2-8.2c3-2.3,6.4-4,10.4-5.2c4-1.2,8.2-1.7,12.6-1.7c2.2,0,4.5,0.1,6.7,0.4c2.3,0.3,4.4,0.7,6.5,1.1
+		c2,0.5,3.9,1,5.7,1.6c1.8,0.6,3.2,1.2,4.2,1.8c1.4,0.8,2.4,1.6,3,2.5c0.6,0.8,0.9,1.9,0.9,3.3v4.7c0,2.1-0.8,3.2-2.3,3.2
+		c-0.8,0-2.1-0.4-3.8-1.2c-5.7-2.6-12.1-3.9-19.2-3.9c-5.7,0-10.2,0.9-13.3,2.8c-3.1,1.9-4.7,4.8-4.7,8.9c0,2.8,1,5.2,3,7.1
+		c2,1.9,5.7,3.8,11,5.5l14.2,4.5c7.2,2.3,12.4,5.5,15.5,9.6c3.1,4.1,4.6,8.8,4.6,14c0,4.3-0.9,8.2-2.6,11.6
+		c-1.8,3.4-4.2,6.4-7.3,8.8c-3.1,2.5-6.8,4.3-11.1,5.6C264.4,94.4,259.7,95.1,254.6,95.1z"/>
+	<g>
+		<path class="st1" d="M273.5,143.7c-32.9,24.3-80.7,37.2-121.8,37.2c-57.6,0-109.5-21.3-148.7-56.7c-3.1-2.8-0.3-6.6,3.4-4.4
+			c42.4,24.6,94.7,39.5,148.8,39.5c36.5,0,76.6-7.6,113.5-23.2C274.2,133.6,278.9,139.7,273.5,143.7z"/>
+		<path class="st1" d="M287.2,128.1c-4.2-5.4-27.8-2.6-38.5-1.3c-3.2,0.4-3.7-2.4-0.8-4.5c18.8-13.2,49.7-9.4,53.3-5
+			c3.6,4.5-1,35.4-18.6,50.2c-2.7,2.3-5.3,1.1-4.1-1.9C282.5,155.7,291.4,133.4,287.2,128.1z"/>
+	</g>
+</g>
+</svg>
diff --git a/website/public/images/kb/automate/gcp-logo.svg b/website/public/images/kb/automate/gcp-logo.svg
new file mode 100644
index 000000000..ae6d94748
--- /dev/null
+++ b/website/public/images/kb/automate/gcp-logo.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 181 28"><defs><style>.cls-1{fill:#ea4335;}.cls-2{fill:#4285f4;}.cls-3{fill:#34a853;}.cls-4{fill:#fbbc05;}.cls-5{fill:#5f6368;}</style></defs><path class="cls-1" d="M21.85,7.41l1,0,2.85-2.85.14-1.21A12.81,12.81,0,0,0,5,9.6a1.55,1.55,0,0,1,1-.06l5.7-.94s.29-.48.44-.45a7.11,7.11,0,0,1,9.73-.74Z"/><path class="cls-2" d="M29.76,9.6a12.84,12.84,0,0,0-3.87-6.24l-4,4A7.11,7.11,0,0,1,24.5,13v.71a3.56,3.56,0,1,1,0,7.12H17.38l-.71.72v4.27l.71.71H24.5A9.26,9.26,0,0,0,29.76,9.6Z"/><path class="cls-3" d="M10.25,26.49h7.12v-5.7H10.25a3.54,3.54,0,0,1-1.47-.32l-1,.31L4.91,23.63l-.25,1A9.21,9.21,0,0,0,10.25,26.49Z"/><path class="cls-4" d="M10.25,8A9.26,9.26,0,0,0,4.66,24.6l4.13-4.13a3.56,3.56,0,1,1,4.71-4.71l4.13-4.13A9.25,9.25,0,0,0,10.25,8Z"/><path class="cls-5" d="M52.79,22.51a9.11,9.11,0,0,1-6.6-2.71,8.8,8.8,0,0,1-2.77-6.52,8.81,8.81,0,0,1,2.77-6.52A9.11,9.11,0,0,1,52.79,4a8.84,8.84,0,0,1,6.33,2.55L57.34,8.36a6.41,6.41,0,0,0-4.55-1.8,6.34,6.34,0,0,0-4.7,2,6.53,6.53,0,0,0-1.93,4.75A6.53,6.53,0,0,0,48.09,18a6.71,6.71,0,0,0,9.36.11A5.32,5.32,0,0,0,58.82,15h-6V12.44h8.49A8.12,8.12,0,0,1,61.41,14a8,8,0,0,1-2.19,5.9A8.51,8.51,0,0,1,52.79,22.51Zm19.74-1.7a6.12,6.12,0,0,1-8.47,0,5.7,5.7,0,0,1-1.73-4.25,5.71,5.71,0,0,1,1.73-4.25,6.13,6.13,0,0,1,8.47,0,5.71,5.71,0,0,1,1.73,4.25A5.7,5.7,0,0,1,72.52,20.81Zm-6.6-1.67a3.24,3.24,0,0,0,4.73,0,3.56,3.56,0,0,0,1-2.58,3.57,3.57,0,0,0-1-2.59,3.29,3.29,0,0,0-4.75,0,3.57,3.57,0,0,0-1,2.59A3.56,3.56,0,0,0,65.92,19.14Zm19.62,1.67a6.12,6.12,0,0,1-8.47,0,5.7,5.7,0,0,1-1.73-4.25,5.71,5.71,0,0,1,1.73-4.25,6.12,6.12,0,0,1,8.47,0,5.71,5.71,0,0,1,1.73,4.25A5.7,5.7,0,0,1,85.55,20.81Zm-6.6-1.67a3.24,3.24,0,0,0,4.73,0,3.56,3.56,0,0,0,1-2.58,3.57,3.57,0,0,0-1-2.59,3.29,3.29,0,0,0-4.75,0,3.57,3.57,0,0,0-1,2.59A3.56,3.56,0,0,0,78.94,19.14Zm15.16,8.71a5.24,5.24,0,0,1-3.33-1.06,6.13,6.13,0,0,1-1.94-2.46l2.28-.95a3.84,3.84,0,0,0,1.13,1.49,2.85,2.85,0,0,0,1.87.63,3,3,0,0,0,2.33-.9A3.65,3.65,0,0,0,97.28,22v-.86h-.09a3.81,3.81,0,0,1-3.13,1.35,5.43,5.43,0,0,1-4-1.74,5.75,5.75,0,0,1-1.71-4.19,5.81,5.81,0,0,1,1.71-4.22,5.42,5.42,0,0,1,4-1.75A4.3,4.3,0,0,1,95.9,11a3.7,3.7,0,0,1,1.3.95h.09V11h2.48V21.65a6.21,6.21,0,0,1-1.59,4.65A5.6,5.6,0,0,1,94.11,27.85Zm.18-7.68a2.91,2.91,0,0,0,2.26-1,3.7,3.7,0,0,0,.91-2.56A3.78,3.78,0,0,0,96.55,14a2.9,2.9,0,0,0-2.26-1,3.09,3.09,0,0,0-2.34,1,3.65,3.65,0,0,0-1,2.59,3.58,3.58,0,0,0,1,2.56A3.1,3.1,0,0,0,94.29,20.17Zm9.89-15.5V22.15h-2.61V4.67Zm7.16,17.84a5.68,5.68,0,0,1-4.21-1.71,5.79,5.79,0,0,1-1.69-4.24,5.86,5.86,0,0,1,1.63-4.28,5.36,5.36,0,0,1,4-1.67,5.05,5.05,0,0,1,2,.39,4.71,4.71,0,0,1,1.53,1,7,7,0,0,1,1,1.21,7.15,7.15,0,0,1,.59,1.17l.27.68-8,3.29a3,3,0,0,0,2.88,1.8,3.41,3.41,0,0,0,2.93-1.65l2,1.35a6.59,6.59,0,0,1-1.92,1.82A5.44,5.44,0,0,1,111.34,22.51ZM108,16.38l5.32-2.21a1.84,1.84,0,0,0-.83-.91,2.71,2.71,0,0,0-1.37-.35,3.09,3.09,0,0,0-2.15.95A3.17,3.17,0,0,0,108,16.38Z"/><path class="cls-5" d="M130.13,22.51a8.24,8.24,0,0,1-8.38-8.43,8.24,8.24,0,0,1,8.38-8.43,7.46,7.46,0,0,1,5.93,2.64l-1.44,1.4a5.44,5.44,0,0,0-4.48-2.05,6.11,6.11,0,0,0-4.45,1.78,6.24,6.24,0,0,0-1.81,4.66,6.24,6.24,0,0,0,1.81,4.66,6.11,6.11,0,0,0,4.45,1.78,6.36,6.36,0,0,0,5-2.34l1.44,1.44a7.86,7.86,0,0,1-2.77,2.11A8.48,8.48,0,0,1,130.13,22.51Z"/><path class="cls-5" d="M140.45,22.15h-2.07V6h2.07Z"/><path class="cls-5" d="M143.83,12.43a5.79,5.79,0,0,1,8.16,0,5.85,5.85,0,0,1,1.6,4.2,5.85,5.85,0,0,1-1.6,4.2,5.79,5.79,0,0,1-8.16,0,5.85,5.85,0,0,1-1.6-4.2A5.85,5.85,0,0,1,143.83,12.43Zm1.54,7.1a3.49,3.49,0,0,0,5.07,0,4,4,0,0,0,1.07-2.9,4,4,0,0,0-1.07-2.9,3.49,3.49,0,0,0-5.07,0,4,4,0,0,0-1.07,2.9A4,4,0,0,0,145.38,19.52Z"/><path class="cls-5" d="M165.06,22.15h-2V20.62H163A3.85,3.85,0,0,1,161.54,22a4.08,4.08,0,0,1-2.05.55,3.89,3.89,0,0,1-3.14-1.26,5,5,0,0,1-1.07-3.38V11.11h2.07v6.42q0,3.09,2.73,3.09a2.54,2.54,0,0,0,2.1-1,3.77,3.77,0,0,0,.81-2.39V11.11h2.07Z"/><path class="cls-5" d="M172.09,22.51a4.86,4.86,0,0,1-3.7-1.69,6,6,0,0,1-1.55-4.19,6,6,0,0,1,1.55-4.19,4.86,4.86,0,0,1,3.7-1.69,4.69,4.69,0,0,1,2.26.54,3.83,3.83,0,0,1,1.5,1.35h.09l-.09-1.53V6h2.07V22.15h-2V20.62h-.09a3.83,3.83,0,0,1-1.5,1.35A4.69,4.69,0,0,1,172.09,22.51Zm.34-1.89a3.3,3.3,0,0,0,2.49-1.08,4.05,4.05,0,0,0,1-2.91,4.05,4.05,0,0,0-1-2.91,3.38,3.38,0,0,0-5,0,4,4,0,0,0-1,2.9,4,4,0,0,0,1,2.9A3.3,3.3,0,0,0,172.43,20.62Z"/></svg>
\ No newline at end of file
diff --git a/website/public/images/kb/automate/terraform-logo.svg b/website/public/images/kb/automate/terraform-logo.svg
new file mode 100644
index 000000000..e98f8b71f
--- /dev/null
+++ b/website/public/images/kb/automate/terraform-logo.svg
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 250 60.15">
+  <path class="text" fill="#000" d="M77.35 7.86V4.63h-3v3.23h-1.46V.11h1.51v3.25h3V.11h1.51v7.75zm7 0h-1.2l-.11-.38a3.28 3.28 0 0 1-1.7.52c-1.06 0-1.52-.7-1.52-1.66 0-1.14.51-1.57 1.7-1.57h1.4v-.62c0-.62-.18-.84-1.11-.84a8.46 8.46 0 0 0-1.61.17L80 2.42a7.89 7.89 0 0 1 2-.26c1.83 0 2.37.62 2.37 2zm-1.43-2.11h-1.08c-.48 0-.61.13-.61.55s.13.56.59.56a2.37 2.37 0 0 0 1.1-.29zM87.43 8a7.12 7.12 0 0 1-2-.32l.2-1.07a6.77 6.77 0 0 0 1.73.24c.65 0 .74-.14.74-.56s-.07-.52-1-.73c-1.42-.33-1.59-.68-1.59-1.76s.49-1.65 2.16-1.65a8 8 0 0 1 1.75.2l-.14 1.11a10.66 10.66 0 0 0-1.6-.16c-.63 0-.74.14-.74.48s0 .48.82.68c1.63.41 1.78.62 1.78 1.77S89.19 8 87.43 8zm6.68-.11V4c0-.3-.13-.45-.47-.45a4.14 4.14 0 0 0-1.52.45v3.86h-1.46V0l1.46.22v2.47a5.31 5.31 0 0 1 2.13-.54c1 0 1.32.65 1.32 1.65v4.06zm2.68-6.38V.11h1.46v1.37zm0 6.38V2.27h1.46v5.59zm2.62-5.54c0-1.4.85-2.22 2.83-2.22a9.37 9.37 0 0 1 2.16.25l-.17 1.25a12.21 12.21 0 0 0-1.95-.2c-1 0-1.37.34-1.37 1.16V5.5c0 .81.33 1.16 1.37 1.16a12.21 12.21 0 0 0 1.95-.2l.17 1.25a9.37 9.37 0 0 1-2.16.25c-2 0-2.83-.81-2.83-2.22zM107.63 8c-2 0-2.53-1.06-2.53-2.2V4.36c0-1.15.54-2.2 2.53-2.2s2.53 1.06 2.53 2.2v1.41c.01 1.15-.53 2.23-2.53 2.23zm0-4.63c-.78 0-1.08.33-1.08 1v1.5c0 .63.3 1 1.08 1s1.08-.33 1.08-1V4.31c0-.63-.3-.96-1.08-.96zm6.64.09a11.57 11.57 0 0 0-1.54.81v3.6h-1.46v-5.6h1.23l.1.62a6.63 6.63 0 0 1 1.53-.73zM120.1 6a1.73 1.73 0 0 1-1.92 2 8.36 8.36 0 0 1-1.55-.16v2.26l-1.46.22v-8h1.16l.14.47a3.15 3.15 0 0 1 1.84-.59c1.17 0 1.79.67 1.79 1.94zm-3.48.63a6.72 6.72 0 0 0 1.29.15c.53 0 .73-.24.73-.75v-2c0-.46-.18-.71-.72-.71a2.11 2.11 0 0 0-1.3.51zM81.78 19.54h-8.89v-5.31H96.7v5.31h-8.9v26.53h-6z"/>
+  <path class="text" fill="#000" d="M102.19 41.77a24.39 24.39 0 0 0 7.12-1.1l.91 4.4a25 25 0 0 1-8.56 1.48c-7.31 0-9.85-3.39-9.85-9V31.4c0-4.92 2.2-9.08 9.66-9.08s9.13 4.35 9.13 9.37v5h-13v1.2c.05 2.78 1.05 3.88 4.59 3.88zM97.65 32h7.41v-1.18c0-2.2-.67-3.73-3.54-3.73s-3.87 1.53-3.87 3.73zm28.54-4.33a45.65 45.65 0 0 0-6.19 3.39v15h-5.83V22.79h4.92l.38 2.58a26.09 26.09 0 0 1 6.12-3.06zm14.24 0a45.65 45.65 0 0 0-6.17 3.39v15h-5.83V22.79h4.92l.38 2.58a26.09 26.09 0 0 1 6.12-3.06zm19.51 18.4h-4.78l-.43-1.58a12.73 12.73 0 0 1-6.93 2.06c-4.25 0-6.07-2.92-6.07-6.93 0-4.73 2.06-6.55 6.79-6.55h5.59v-2.44c0-2.58-.72-3.49-4.45-3.49a32.53 32.53 0 0 0-6.45.72l-.72-4.45a30.38 30.38 0 0 1 8-1.1c7.31 0 9.47 2.58 9.47 8.41zm-5.83-8.8h-4.3c-1.91 0-2.44.53-2.44 2.29s.53 2.34 2.34 2.34a9.18 9.18 0 0 0 4.4-1.2zm23.75-19.79a17.11 17.11 0 0 0-3.35-.38c-2.29 0-2.63 1-2.63 2.77v2.92h5.93l-.33 4.64h-5.59v18.64h-5.83V27.43h-3.73v-4.64h3.73v-3.25c0-4.83 2.25-7.22 7.41-7.22a18.47 18.47 0 0 1 5 .67zm11.38 29.07c-8 0-10.13-4.4-10.13-9.18v-5.88c0-4.78 2.15-9.18 10.13-9.18s10.13 4.4 10.13 9.18v5.88c.01 4.78-2.15 9.18-10.13 9.18zm0-19.27c-3.11 0-4.3 1.39-4.3 4v6.26c0 2.63 1.2 4 4.3 4s4.3-1.39 4.3-4V31.3c0-2.63-1.19-4.02-4.3-4.02zm25.14.39a45.65 45.65 0 0 0-6.17 3.39v15h-5.83V22.79h4.92l.38 2.58a26.08 26.08 0 0 1 6.12-3.06zm16.02 18.4V29.82c0-1.24-.53-1.86-1.86-1.86a16.08 16.08 0 0 0-6.07 2v16.11h-5.83V22.79h4.45l.57 2a23.32 23.32 0 0 1 9.34-2.48 4.42 4.42 0 0 1 4.4 2.49 22.83 22.83 0 0 1 9.37-2.49c3.87 0 5.26 2.72 5.26 6.88v16.88h-5.83V29.82c0-1.24-.53-1.86-1.86-1.86a15.43 15.43 0 0 0-6.07 2v16.11z"/>
+  <path class="rect-dark" fill="#4040B2" d="M36.4 20.2v18.93l16.4-9.46V10.72L36.4 20.2z"/>
+  <path class="rect-light" fill="#5C4EE5" d="M18.2 10.72l16.4 9.48v18.93l-16.4-9.47V10.72z"/>
+  <path class="rect-light" fill="#5C4EE5" d="M0 .15v18.94l16.4 9.47V9.62L0 .15zm18.2 50.53l16.4 9.47V41.21l-16.4-9.47v18.94z"/>
+</svg>
diff --git a/terraform/examples/google-cloud/nat_gateway/online-gateways.png b/website/public/images/kb/automate/terraform/gcp/online-gateways.png
similarity index 100%
rename from terraform/examples/google-cloud/nat_gateway/online-gateways.png
rename to website/public/images/kb/automate/terraform/gcp/online-gateways.png
diff --git a/website/src/app/kb/automate/_page.tsx b/website/src/app/kb/automate/_page.tsx
new file mode 100644
index 000000000..8f8abd30f
--- /dev/null
+++ b/website/src/app/kb/automate/_page.tsx
@@ -0,0 +1,6 @@
+"use client";
+import Content from "./readme.mdx";
+
+export default function _Page() {
+  return <Content />;
+}
diff --git a/website/src/app/kb/automate/page.tsx b/website/src/app/kb/automate/page.tsx
new file mode 100644
index 000000000..a25acda88
--- /dev/null
+++ b/website/src/app/kb/automate/page.tsx
@@ -0,0 +1,17 @@
+import { Metadata } from "next";
+import _Page from "./_page";
+import LastUpdated from "@/components/LastUpdated";
+
+export const metadata: Metadata = {
+  title: "Automate • Firezone Docs",
+  description: "Automation recipes for deploying and managing Firezone.",
+};
+
+export default function Page() {
+  return (
+    <>
+      <_Page />
+      <LastUpdated dirname={__dirname} />
+    </>
+  );
+}
diff --git a/website/src/app/kb/automate/readme.mdx b/website/src/app/kb/automate/readme.mdx
new file mode 100644
index 000000000..fc30f978f
--- /dev/null
+++ b/website/src/app/kb/automate/readme.mdx
@@ -0,0 +1,49 @@
+import SupportOptions from "@/components/SupportOptions";
+import Alert from "@/components/DocsAlert";
+import Image from "next/image";
+import Link from "next/link";
+import NextStep from "@/components/NextStep";
+import { KbCards, KbCard } from "@/components/KbCards";
+import { FaPlus } from "react-icons/fa";
+
+# Automate Firezone
+
+These guides contain automation recipes for deploying Firezone using various
+infrastructure as code (IaC) tools.
+
+## Get started
+
+Follow one of the guides below to setup a production-ready deployment of
+Firezone on your infrastructure.
+
+<KbCards>
+  <KbCard
+    title="Deploy Firezone on AWS"
+    href="/kb/automate/terraform/aws"
+    logo={
+    <div>
+      <Image width={200} height={200} alt="Terraform" src="/images/kb/automate/terraform-logo.svg" className="mx-auto mb-8" />
+      <FaPlus size={32} className="mx-auto mb-8" />
+      <Image width={100} height={100} alt="AWS" src="/images/kb/automate/aws-logo.svg" className="mx-auto mb-8" />
+    </div>
+  }>
+    Deploy a scalable cluster of Firezone Gateways behind a NAT gateway on AWS
+    with a single egress IP.
+  </KbCard>
+  <KbCard
+    title="Deploy Firezone on GCP"
+    href="/kb/automate/terraform/gcp"
+    logo={
+    <div>
+      <Image width={200} height={200} alt="Terraform" src="/images/kb/automate/terraform-logo.svg" className="mx-auto mb-8" />
+      <FaPlus size={32} className="mx-auto mb-8" />
+      <Image width={220} height={220} alt="GCP" src="/images/kb/automate/gcp-logo.svg" className="mx-auto mb-8" />
+    </div>
+    }>
+    Deploy a scalable cluster of Firezone Gateways behind a Cloud NAT on GCP
+    with a single egress IP.
+
+  </KbCard>
+</KbCards>
+
+<SupportOptions />
diff --git a/website/src/app/kb/automate/terraform/aws/_page.tsx b/website/src/app/kb/automate/terraform/aws/_page.tsx
new file mode 100644
index 000000000..8f8abd30f
--- /dev/null
+++ b/website/src/app/kb/automate/terraform/aws/_page.tsx
@@ -0,0 +1,6 @@
+"use client";
+import Content from "./readme.mdx";
+
+export default function _Page() {
+  return <Content />;
+}
diff --git a/website/src/app/kb/automate/terraform/aws/page.tsx b/website/src/app/kb/automate/terraform/aws/page.tsx
new file mode 100644
index 000000000..ef64ae004
--- /dev/null
+++ b/website/src/app/kb/automate/terraform/aws/page.tsx
@@ -0,0 +1,17 @@
+import { Metadata } from "next";
+import _Page from "./_page";
+import LastUpdated from "@/components/LastUpdated";
+
+export const metadata: Metadata = {
+  title: "Deploy Firezone on AWS • Firezone Docs",
+  description: "Example Terraform configuration to deploy Firezone on AWS.",
+};
+
+export default function Page() {
+  return (
+    <>
+      <_Page />
+      <LastUpdated dirname={__dirname} />
+    </>
+  );
+}
diff --git a/website/src/app/kb/automate/terraform/aws/readme.mdx b/website/src/app/kb/automate/terraform/aws/readme.mdx
new file mode 100644
index 000000000..044ad22ca
--- /dev/null
+++ b/website/src/app/kb/automate/terraform/aws/readme.mdx
@@ -0,0 +1,87 @@
+import SupportOptions from "@/components/SupportOptions";
+import Alert from "@/components/DocsAlert";
+
+# Deploy Firezone on AWS with Terraform
+
+In this guide, we'll deploy a cluster of Firezone Gateways in a private subnet
+on AWS that are configured to egress traffic to the internet through an AWS
+[NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).
+
+## Common use cases
+
+Use this guide to give your Firezone Clients a static, public IP address for
+egress traffic to particular Resource(s). Here are some common use cases for
+this example:
+
+- Use an IP allowlist to access a third-party or partner application such as a
+  client's DB or third-party API.
+- Use an IP allowlist with your identity provider to lock down access to a
+  public application.
+- Enabling a team of remote contractors access to a regionally-locked
+  application or service.
+
+## High availability
+
+All Firezone Gateways deployed in this example will automatically failover and
+load balance for each other.
+
+## Prerequisites
+
+1. [Terraform](https://www.terraform.io/downloads.html)
+1. [AWS account](https://aws.amazon.com/) with the necessary permissions to
+   create the resources.
+1. A [Firezone Site](https://www.firezone.dev/kb/deploy/sites) dedicated to use
+   for this example. This Site should contain **only** the Firezone Gateway(s)
+   deployed in this example and any associated Resources.
+1. A Firezone Gateway token. See
+   [Multiple Gateways](/kb/deploy/gateways#deploy-multiple-gateways) for
+   instructions on how to obtain a Firezone Gateway token that can be used
+   across multiple instances.
+
+## Sizing
+
+Simply update the number of `desired_capacity` to deploy more or fewer Firezone
+Gateways. There's no limit to the number of Firezone Gateways you can deploy in
+a single VPC. A basic AutoScaling Group is provisioned as part of the linked
+module.
+
+We've tested with `t3.nano` instances which still work quite well for most
+applications. However, you may want to consider a larger instance type if you
+have a high volume of traffic or lots of concurrent connections.
+
+## Deployment
+
+1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/aws/nat-gateway/main.tf)
+   the `main.tf` from the example module.
+1. Customize it as desired. At a minimum, you will need to set the
+   `firezone_token` and change `base_ami` and `region` to match your
+   environment.
+1. Run `terraform init` to initialize the working directory and download the
+   required providers.
+1. Run `terraform apply` to deploy the Firezone Gateway(s) into your AWS
+   project.
+
+You can see the IP addresses assigned to the NAT Gateway in the Terraform
+output. These are the IP addresses that your Firezone Gateway(s) will share to
+egress traffic.
+
+## Upgrading
+
+To upgrade the Firezone Gateway(s) to the latest version, simply update the
+`token` and issue a `terraform apply` which will trigger a redeployment of the
+Firezone Gateway(s).
+
+This will incur a few minutes of downtime as Terraform destroys the existing
+Firezone Gateway(s) and deploys new ones in their place.
+
+## Output
+
+`nat_public_ip` will contain the public IP address of the NAT Gateway you can
+use to whitelist your Firezone Gateway(s) in your third-party or partner
+application.
+
+# Cleanup
+
+To clean up the resources created by this example, run `terraform destroy`.
+
+<SupportOptions />
diff --git a/website/src/app/kb/automate/terraform/gcp/_page.tsx b/website/src/app/kb/automate/terraform/gcp/_page.tsx
new file mode 100644
index 000000000..8f8abd30f
--- /dev/null
+++ b/website/src/app/kb/automate/terraform/gcp/_page.tsx
@@ -0,0 +1,6 @@
+"use client";
+import Content from "./readme.mdx";
+
+export default function _Page() {
+  return <Content />;
+}
diff --git a/website/src/app/kb/automate/terraform/gcp/page.tsx b/website/src/app/kb/automate/terraform/gcp/page.tsx
new file mode 100644
index 000000000..6007bd70b
--- /dev/null
+++ b/website/src/app/kb/automate/terraform/gcp/page.tsx
@@ -0,0 +1,18 @@
+import { Metadata } from "next";
+import _Page from "./_page";
+import LastUpdated from "@/components/LastUpdated";
+
+export const metadata: Metadata = {
+  title: "Deploy Firezone on GCP • Firezone Docs",
+  description:
+    "Example Terraform configuration to deploy Firezone on Google Cloud Platform.",
+};
+
+export default function Page() {
+  return (
+    <>
+      <_Page />
+      <LastUpdated dirname={__dirname} />
+    </>
+  );
+}
diff --git a/terraform/examples/google-cloud/nat_gateway/README.md b/website/src/app/kb/automate/terraform/gcp/readme.mdx
similarity index 80%
rename from terraform/examples/google-cloud/nat_gateway/README.md
rename to website/src/app/kb/automate/terraform/gcp/readme.mdx
index 2d4808889..2307df127 100644
--- a/terraform/examples/google-cloud/nat_gateway/README.md
+++ b/website/src/app/kb/automate/terraform/gcp/readme.mdx
@@ -1,4 +1,8 @@
-# GCP NAT Gateway Example
+import SupportOptions from "@/components/SupportOptions";
+import Alert from "@/components/DocsAlert";
+import Image from "next/image";
+
+# Deploy Firezone on GCP with Terraform
 
 In this example, we will deploy one or more Firezone Gateways in a single VPC on
 Google Cloud Platform (GCP) that are configured to egress traffic through a
@@ -31,12 +35,12 @@ load balance for each other. No other configuration is necessary.
 1. [Google Cloud Platform (GCP) account](https://cloud.google.com/)
 1. [Google Cloud SDK](https://cloud.google.com/sdk/docs/install)
 1. [Enable the Compute Engine API](https://console.cloud.google.com/flows/enableapi?apiid=compute.googleapis.com)
-1. A [Firezone Site](https://www.firezone.dev/kb/deploy/sites) dedicated to use
-   for this example. This Site should contain **only** the Firezone Gateway(s)
-   deployed in this example and any associated Resources.
+1. A [Firezone Site](/kb/deploy/sites) dedicated to use for this example. This
+   Site should contain **only** the Firezone Gateway(s) deployed in this example
+   and any associated Resources.
 1. A Firezone Gateway token. See
-   [Multiple Gateways](https://www.firezone.dev/kb/deploy/gateways#deploy-multiple-gateways)
-   for instructions on how to obtain a Firezone Gateway token that can be used
+   [Multiple Gateways](/kb/deploy/gateways#deploy-multiple-gateways) for
+   instructions on how to obtain a Firezone Gateway token that can be used
    across multiple instances.
 
 ## Sizing
@@ -51,6 +55,8 @@ have a high volume of traffic or lots of concurrent connections.
 
 ## Deployment
 
+1. [Download](https://raw.githubusercontent.com/firezone/firezone/main/terraform/examples/google-cloud/nat_gateway/main.tf)
+   the `main.tf` from the example module.
 1. Configure the necessary Terraform
    [variables](https://developer.hashicorp.com/terraform/language/values/variables).
    Here's an example `terraform.tfvars` you can use as a starting point:
@@ -78,11 +84,13 @@ You can verify all Firezone Gateways are using this IP by viewing the Site in
 the Firezone admin portal, where you should now see the Firezone Gateway(s)
 listed as `Online`.
 
-<center>
-
-![Online Gateways](./online-gateways.png)
-
-</center>
+<Image
+  src="/images/kb/automate/terraform/gcp/online-gateways.png"
+  alt="Online Gateways"
+  width={1200}
+  height={1200}
+  className="rounded shadow mx-auto"
+/>
 
 ## Upgrading
 
diff --git a/website/src/app/kb/deploy/gateways/readme.mdx b/website/src/app/kb/deploy/gateways/readme.mdx
index 5de802176..44831e124 100644
--- a/website/src/app/kb/deploy/gateways/readme.mdx
+++ b/website/src/app/kb/deploy/gateways/readme.mdx
@@ -125,11 +125,10 @@ Resources in a Site. This effectively shards Client connections across all
 Gateways in a Site, achieving higher overall throughput than otherwise possible
 with a single Gateway.
 
-#### Deploy using Terraform
+### Automated Gateway deployment
 
-See our
-[Terraform examples](https://github.com/firezone/firezone/tree/main/terraform/examples)
-for deploying and scaling Gateways using Terraform on various cloud providers.
+See [our automation recipes](/kb/automate) for deploying Gateways on various
+cloud providers using Terraform.
 
 ### Keeping Gateways up to date
 
diff --git a/website/src/app/page.tsx b/website/src/app/page.tsx
index 3feaacc97..3f82bcaf5 100644
--- a/website/src/app/page.tsx
+++ b/website/src/app/page.tsx
@@ -329,8 +329,8 @@ export default function Page() {
         </div>
 
         <div className="mx-auto px-4 mt-8 max-w-screen-lg grid sm:grid-cols-2 gap-8 lg:gap-16">
-          <div className="p-4">
-            <div className="grid grid-cols-2 gap-4">
+          <div className="flex flex-col p-4">
+            <div className="mb-12 grid grid-cols-2 gap-4">
               <div className="p-4 flex items-center justify-center bg-white rounded-lg border border-2 border-neutral-200">
                 <AppleIcon size={12} href="/kb/user-guides/macos-client">
                   <span className="inline-block pt-4 w-full text-center">
@@ -374,74 +374,80 @@ export default function Page() {
                 </AppleIcon>
               </div>
             </div>
-            <p className="mt-4 md:mt-8 text-md md:text-xl tracking-tight md:text-justify">
-              Clients are available for every major platform, require no
-              configuration, and stay connected even when switching WiFi
-              networks.
-            </p>
-            <p className="mt-4">
-              <ActionLink
-                className="underline hover:no-underline text-md md:text-xl tracking-tight font-medium text-accent-500"
-                href="/kb/user-guides"
-              >
-                Download Client apps
-              </ActionLink>
-            </p>
-          </div>
-          <div className="p-4">
-            <div className="py-0.5 flex flex-col justify-between space-y-8 md:space-y-12">
-              <div className="mx-8 md:mx-16 flex justify-start">
-                <Image
-                  width={200}
-                  height={200}
-                  alt="Gateway"
-                  src="/images/docker.svg"
-                />
-              </div>
-              <div className="mx-8 md:mx-16 flex justify-end">
-                <Image
-                  width={200}
-                  height={200}
-                  alt="Gateway"
-                  src="/images/terraform.svg"
-                />
-              </div>
-              <div className="mx-8 md:mx-16 flex justify-start">
-                <Image
-                  width={200}
-                  height={200}
-                  alt="Gateway"
-                  src="/images/kubernetes.svg"
-                />
-              </div>
-              <div className="mx-8 md:mx-16 flex justify-end">
-                <Image
-                  width={200}
-                  height={200}
-                  alt="Gateway"
-                  src="/images/pulumi.svg"
-                />
-              </div>
+            <div className="mt-auto">
+              <p className="text-md md:text-xl tracking-tight md:text-justify">
+                Clients are available for every major platform, require no
+                configuration, and stay connected even when switching WiFi
+                networks.
+              </p>
+              <p className="mt-4">
+                <ActionLink
+                  className="underline hover:no-underline text-md md:text-xl tracking-tight font-medium text-accent-500"
+                  href="/kb/user-guides"
+                >
+                  Download Client apps
+                </ActionLink>
+              </p>
+            </div>
+          </div>
+          <div className="flex flex-col p-4">
+            <div className="mb-12">
+              <div className="py-0.5 flex flex-col justify-between space-y-8 md:space-y-12">
+                <div className="mx-8 md:mx-16 flex justify-start">
+                  <Image
+                    width={200}
+                    height={200}
+                    alt="Gateway"
+                    src="/images/docker.svg"
+                  />
+                </div>
+                <div className="mx-8 md:mx-16 flex justify-end">
+                  <Image
+                    width={200}
+                    height={200}
+                    alt="Gateway"
+                    src="/images/terraform.svg"
+                  />
+                </div>
+                <div className="mx-8 md:mx-16 flex justify-start">
+                  <Image
+                    width={200}
+                    height={200}
+                    alt="Gateway"
+                    src="/images/kubernetes.svg"
+                  />
+                </div>
+                <div className="mx-8 md:mx-16 flex justify-end">
+                  <Image
+                    width={200}
+                    height={200}
+                    alt="Gateway"
+                    src="/images/pulumi.svg"
+                  />
+                </div>
+              </div>
+              <pre className="mt-4 md:mt-8 text-xs p-2 bg-neutral-900 rounded shadow text-neutral-50 text-wrap">
+                <code>
+                  <strong>FIREZONE_TOKEN</strong>=&lt;your-token&gt; \<br /> ./
+                  <strong>firezone-gateway</strong>
+                </code>
+              </pre>
+            </div>
+            <div className="mt-auto">
+              <p className="text-md md:text-xl tracking-tight md:text-justify">
+                Gateways are lightweight Linux binaries you deploy anywhere you
+                need access. Just configure a token with your preferred
+                orchestration tool and you're done.
+              </p>
+              <p className="mt-4">
+                <ActionLink
+                  className="underline hover:no-underline text-md md:text-xl tracking-tight font-medium text-accent-500"
+                  href="/kb/deploy/gateways"
+                >
+                  Deploy your first Gateway
+                </ActionLink>
+              </p>
             </div>
-            <pre className="mt-4 md:mt-8 text-xs p-2 bg-neutral-900 rounded shadow text-neutral-50 text-wrap">
-              <code>
-                <strong>FIREZONE_TOKEN</strong>=&lt;your-token&gt; \<br /> ./
-                <strong>firezone-gateway</strong>
-              </code>
-            </pre>
-            <p className="mt-4 md:mt-8 text-md md:text-xl tracking-tight md:text-justify">
-              Gateways are lightweight Linux binaries you deploy anywhere you
-              need access. Just configure a token with your preferred
-              orchestration tool and you're done.
-            </p>
-            <p className="mt-4">
-              <ActionLink
-                className="underline hover:no-underline text-md md:text-xl tracking-tight font-medium text-accent-500"
-                href="/kb/deploy/gateways"
-              >
-                Deploy your first Gateway
-              </ActionLink>
-            </p>
           </div>
         </div>
       </section>
diff --git a/website/src/components/DocCards/index.tsx b/website/src/components/DocCards/index.tsx
new file mode 100644
index 000000000..e69de29bb
diff --git a/website/src/components/KbCards/index.tsx b/website/src/components/KbCards/index.tsx
new file mode 100644
index 000000000..8cb4eccdf
--- /dev/null
+++ b/website/src/components/KbCards/index.tsx
@@ -0,0 +1,35 @@
+import { Route } from "next";
+import Link from "next/link";
+
+export function KbCard({
+  title,
+  href,
+  logo,
+  children,
+}: {
+  title: string;
+  href: Route<string>;
+  logo: React.ReactNode;
+  children: React.ReactNode;
+}) {
+  return (
+    <Link
+      href={href}
+      className="flex flex-col p-6 hover:shadow rounded border-2 hover:border-accent-200 hover:bg-accent-100 transition duration-100"
+    >
+      <h3 className="text-neutral-800 text-xl font-semibold tracking-tight mb-12">
+        {title}
+      </h3>
+      {logo}
+      <div className="mt-auto tracking-tight">{children}</div>
+    </Link>
+  );
+}
+
+export function KbCards({ children }: { children: React.ReactNode }) {
+  return (
+    <div className="not-format grid grid-cols-1 gap-8 sm:grid-cols-2 lg:grid-cols-3">
+      {children}
+    </div>
+  );
+}
diff --git a/website/src/components/KbSidebar/index.tsx b/website/src/components/KbSidebar/index.tsx
index f40893d85..6bbc62919 100644
--- a/website/src/components/KbSidebar/index.tsx
+++ b/website/src/components/KbSidebar/index.tsx
@@ -117,6 +117,19 @@ export default function KbSidebar() {
               </li>
             </Collapse>
           </li>
+          <li>
+            <Collapse expanded={p.startsWith("/kb/automate")} label="Automate">
+              <li>
+                <Item href="/kb/automate">Overview</Item>
+              </li>
+              <li>
+                <Item href="/kb/automate/terraform/aws">Terraform + AWS</Item>
+              </li>
+              <li>
+                <Item href="/kb/automate/terraform/gcp">Terraform + GCP</Item>
+              </li>
+            </Collapse>
+          </li>
           <li className="ml-3 pt-3 border-t border-neutral-200 uppercase font-bold text-neutral-800">
             Use Firezone
           </li>