diff --git a/ansible/deploy-fastpath.yml b/ansible/deploy-fastpath.yml
new file mode 100644
index 00000000..74179cfd
--- /dev/null
+++ b/ansible/deploy-fastpath.yml
@@ -0,0 +1,25 @@
+---
+- name: Deploy fastpath
+  hosts:
+    - fastpath.dev.ooni.io
+  become: true
+  roles:
+    - role: bootstrap
+    - role: dehydrated
+      vars: 
+        ssl_domains: 
+          - "{{ inventory_hostname }}"
+        tls_cert_dir: /var/lib/dehydrated/certs
+    - role: prometheus_node_exporter
+      vars:
+        node_exporter_port: 9100
+        node_exporter_host: "0.0.0.0"
+        prometheus_nginx_proxy_config: 
+          - location: /metrics/node_exporter
+            proxy_pass: http://127.0.0.1:9100/metrics
+    - role: geerlingguy.docker
+      docker_users:
+        - fastpath
+        - ubuntu
+      docker_package_state: latest
+    - role: fastpath
diff --git a/ansible/host_vars/fastpath.dev.ooni.io/vars.yml b/ansible/host_vars/fastpath.dev.ooni.io/vars.yml
new file mode 100644
index 00000000..6171aaf4
--- /dev/null
+++ b/ansible/host_vars/fastpath.dev.ooni.io/vars.yml
@@ -0,0 +1,4 @@
+s3_ooni_open_data_access_key: "{{ vault_s3_ooni_open_data_access_key }}"
+clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest"
+bucket_name: "ooni-data-eu-fra-test"
+collector_id: "3"
\ No newline at end of file
diff --git a/ansible/host_vars/fastpath.dev.ooni.io/vault b/ansible/host_vars/fastpath.dev.ooni.io/vault
new file mode 100644
index 00000000..6605b2cf
--- /dev/null
+++ b/ansible/host_vars/fastpath.dev.ooni.io/vault
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30333638353938613934613439396236613334333437623332653266353065616332323461343537
+6363393434393664626432373738393239346366336236630a653764373339663739393434666162
+37666566306164643738356138363232623461316233396233653030633031303634356233666631
+3863336634343932330a356232343735313033396365383161666666646335333033656639623135
+64366564306163343738316538663539326631653435343232383464666330333765643132363264
+61386432316330383366363665323237663634656630393933303430633034313634633937633337
+36373164353238326265643232626536303165613135396137656566653131393033643062656435
+38303563333835313965
diff --git a/ansible/inventory b/ansible/inventory
index 9009752d..3a23e524 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -42,3 +42,7 @@ monitoringproxy.prod.ooni.io
 [openvpn]
 openvpn1.htz-fsn.prod.ooni.nu
 openvpn2.htz-fsn.prod.ooni.nu
+
+[aws-backend]
+fastpath.dev.ooni.io
+# fastpath.prod.ooni.io
\ No newline at end of file
diff --git a/ansible/requirements/ansible-galaxy.yml b/ansible/requirements/ansible-galaxy.yml
index 3b29d9ba..997d7a83 100644
--- a/ansible/requirements/ansible-galaxy.yml
+++ b/ansible/requirements/ansible-galaxy.yml
@@ -1,15 +1,21 @@
-- src: willshersystems.sshd
-  version: v0.25.0
-- src: nginxinc.nginx
-  version: 0.24.3
-- src: geerlingguy.certbot
-  version: 5.2.0
-- src: artis3n.tailscale
-  version: v4.5.0
-- src: https://github.com/idealista/clickhouse_role
-  scm: git
-  version: 3.5.1
-  name: idealista.clickhouse_role
-- src: https://github.com/ooni/airflow-role.git
-  scm: git
-  name: ooni.airflow_role
\ No newline at end of file
+roles: 
+  - src: willshersystems.sshd
+    version: v0.25.0
+  - src: nginxinc.nginx
+    version: 0.24.3
+  - src: geerlingguy.certbot
+    version: 5.2.0
+  - src: artis3n.tailscale
+    version: v4.5.0
+  - src: https://github.com/idealista/clickhouse_role
+    scm: git
+    version: 3.5.1
+    name: idealista.clickhouse_role
+  - src: https://github.com/ooni/airflow-role.git
+    scm: git
+    name: ooni.airflow_role
+  - src: geerlingguy.docker # installs docker
+    version: 7.4.7
+collections: 
+  - name: community.docker # manages containers
+    version: 4.6.1
\ No newline at end of file
diff --git a/ansible/roles/fastpath/defaults/main.yml b/ansible/roles/fastpath/defaults/main.yml
new file mode 100644
index 00000000..af88ea5d
--- /dev/null
+++ b/ansible/roles/fastpath/defaults/main.yml
@@ -0,0 +1,9 @@
+tls_cert_dir: /var/lib/dehydrated/certs
+
+# Fastpath user
+fastpath_user: fastpath
+fastpath_home: "/opt/{{ fastpath_user }}"
+
+# Fastpath settings
+# TODO Update this to the actual clickhouse host when we have migrated it 
+clickhouse_url: "clickhouse://default:default@clickhouse-server:9000"
\ No newline at end of file
diff --git a/ansible/roles/fastpath/handlers/main.yml b/ansible/roles/fastpath/handlers/main.yml
new file mode 100644
index 00000000..594ebfe9
--- /dev/null
+++ b/ansible/roles/fastpath/handlers/main.yml
@@ -0,0 +1,27 @@
+- name: test nginx config
+  command: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf
+  listen:
+    - restart nginx
+    - reload nginx
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
+
+- name: reload nftables
+  tags: nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: reloaded
+  
+- name: restart docker
+  tags: docker
+  ansible.builtin.systemd_service:
+    name: docker
+    state: restarted
\ No newline at end of file
diff --git a/ansible/roles/fastpath/tasks/main.yml b/ansible/roles/fastpath/tasks/main.yml
new file mode 100644
index 00000000..d4b62a56
--- /dev/null
+++ b/ansible/roles/fastpath/tasks/main.yml
@@ -0,0 +1,183 @@
+---
+# For prometheus scrape requests
+- name: Flush all handlers 
+  meta: flush_handlers
+
+- name: Allow traffic on port 9100
+  become: true
+  tags: prometheus-proxy
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/9100.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
+  notify:
+   - reload nftables  
+
+# For incoming fastpath traffic
+- name: Allow traffic on port 8472
+  become: true
+  tags: fastpath
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/8472.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 8472 counter accept comment "fastpath"
+  notify:
+   - reload nftables  
+
+# Docker seems to have problems with nftables, so this command will translate all iptables
+# commands to nftables commands
+- name: Update alternatives for iptables 
+  tags: docker
+  become: yes
+  ansible.builtin.command: "update-alternatives --set iptables /usr/sbin/iptables-nft"
+  notify: 
+   - restart docker
+
+- name: Update alternatives for iptables 
+  tags: docker
+  become: yes
+  ansible.builtin.command: "update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
+  notify: 
+   - restart docker
+
+- name: Flush all handlers # Required to apply iptables settings before docker runs
+  meta: flush_handlers
+
+### Create fastpath user 
+- name: Ensure the fastpath group exists
+  ansible.builtin.group:
+    name: "{{ fastpath_user }}"
+    state: present
+  become: yes
+- name: Create the fastpath user
+  ansible.builtin.user:
+    name: "{{ fastpath_user }}"
+    home: "{{ fastpath_home }}"
+    shell: "/bin/bash"
+    group: "{{ fastpath_user }}"
+    create_home: yes
+    system: yes
+  become: yes
+- name: Set ownership of the fastpath directory
+  ansible.builtin.file:
+    path: "{{ fastpath_home }}"
+    owner: "{{ fastpath_user }}"
+    group: "{{ fastpath_user }}"
+    state: directory
+    mode: '0755'
+  become: yes
+
+### Run fastpath
+- name: Make sure that the fastpath configuration directory exists
+  ansible.builtin.file:
+    path: /opt/{{fastpath_user}}/backend/fastpath/
+    state: directory
+    mode: '0700'
+    owner: "{{fastpath_user}}"
+    group: "{{fastpath_user}}"
+
+- name: Create configuration file
+  tags: fastpath
+  template:
+    src: templates/fastpath.conf
+    dest: "/opt/{{fastpath_user}}/backend/fastpath/fastpath.conf"
+    mode: 0444
+    owner: "{{fastpath_user}}"
+  become: yes
+
+- name: Ensure ooniapi directory existence 
+  ansible.builtin.file:
+    path: /var/lib/ooniapi
+    state: directory
+    mode: '0700'
+    owner: "{{fastpath_user}}"
+    group: "{{fastpath_user}}"
+
+- name: Ensure fastpath is running
+  community.docker.docker_container:
+    name: fastpath
+    image: ooni/fastpath:latest
+    state: started
+    published_ports: 
+      - "8472:8472"
+    volumes:
+      - /opt/{{fastpath_user}}/backend/fastpath/fastpath.conf:/etc/ooni/fastpath.conf
+      - /var/lib/ooniapi:/var/lib/ooniapi
+
+### API Uploader set up
+- name: configure api uploader using s3 bucket
+  tags: uploader
+  template:
+    src: templates/api-uploader.conf
+    dest: /etc/ooni/api-uploader.conf
+
+- name: Install measurement uploader script
+  tags: uploader
+  template:
+    src: templates/ooni_api_uploader.py
+    dest: /usr/bin/ooni_api_uploader.py
+    owner: "{{fastpath_user}}"
+    group: "{{fastpath_user}}"
+    mode: "0755"
+
+- name: Install clickhouse driver (uploader dep)
+  tags: uploader
+  become: true
+  apt: 
+    name: python3-clickhouse-driver
+    state: present
+    update_cache: true
+
+- name: Install ujson (uploader dep)
+  tags: uploader
+  become: true
+  apt: 
+    name: python3-ujson
+    state: present
+    update_cache: true
+  
+- name: Install Systemd 
+  tags: uploader
+  apt:
+    name: python3-systemd
+    state: present
+    update_cache: true
+
+- name: Install boto3
+  tags: uploader
+  apt:
+    name: python3-boto3
+    state: present
+    update_cache: true
+
+- name: Install Statsd
+  tags: uploader
+  apt:
+    name: python3-statsd
+    state: present
+    update_cache: true
+
+- name: Install uploder service
+  tags: uploader
+  template:
+    src: templates/ooni-api-uploader.service 
+    dest: /etc/systemd/system/ooni-api-uploader.service
+    mode: 0644
+    owner: root
+
+- name: Install uploader timer
+  tags: uploader
+  template:
+    src: templates/ooni-api-uploader.timer
+    dest: /etc/systemd/system/ooni-api-uploader.timer
+    mode: 0644
+    owner: root
+
+- name: Ensure uploader timer runs
+  tags: uploader
+  systemd:
+    name: ooni-api-uploader.timer
+    state: started
+    enabled: yes
\ No newline at end of file
diff --git a/ansible/roles/fastpath/templates/api-uploader.conf b/ansible/roles/fastpath/templates/api-uploader.conf
new file mode 100644
index 00000000..82b8c26e
--- /dev/null
+++ b/ansible/roles/fastpath/templates/api-uploader.conf
@@ -0,0 +1,10 @@
+# OONI API measurement uploader - Python ini format
+# Deployed by ansible, see roles/ooni-backend/templates/api-uploader.conf
+[DEFAULT]
+# arn:aws:iam::676739448697:user/ooni-pipeline, AWS: OONI Open Data
+aws_access_key_id = AKIAJURD7T4DTN5JMJ5Q
+aws_secret_access_key = {{ s3_ooni_open_data_access_key }}
+bucket_name = {{ bucket_name }}
+msmt_spool_dir = /var/lib/ooniapi/measurements
+collector_id = {{ collector_id }}
+db_uri = {{ clickhouse_url }}
\ No newline at end of file
diff --git a/ansible/roles/fastpath/templates/fastpath.conf b/ansible/roles/fastpath/templates/fastpath.conf
new file mode 100644
index 00000000..54ec9d7e
--- /dev/null
+++ b/ansible/roles/fastpath/templates/fastpath.conf
@@ -0,0 +1,19 @@
+[DEFAULT]
+# Collector hostnames, comma separated
+collectors = localhost
+
+
+{% if psql_uri is defined %}
+# The password is already made public
+db_uri = {{ psql_uri }}
+{% else %}
+db_uri =
+{% endif %}
+
+# S3 access credentials
+# Currently unused
+s3_access_key =
+s3_secret_key =
+
+
+clickhouse_url = {{clickhouse_url}}
diff --git a/ansible/roles/fastpath/templates/ooni-api-uploader.service b/ansible/roles/fastpath/templates/ooni-api-uploader.service
new file mode 100644
index 00000000..3aff1e53
--- /dev/null
+++ b/ansible/roles/fastpath/templates/ooni-api-uploader.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Upload raw OONI measurements to S3
+Wants=ooni-api-uploader.timer
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ooni_api_uploader.py
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/ansible/roles/fastpath/templates/ooni-api-uploader.timer b/ansible/roles/fastpath/templates/ooni-api-uploader.timer
new file mode 100644
index 00000000..b0946c58
--- /dev/null
+++ b/ansible/roles/fastpath/templates/ooni-api-uploader.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Upload raw OONI measurements to S3
+Requires=ooni-api-uploader.service
+
+[Timer]
+Unit=ooni-api-uploader.service
+# run every hour at 10 minutes past the hour
+OnCalendar=*-*-* *:10
+#OnCalendar=*-*-* *:00/5
+
+[Install]
+WantedBy=timers.target
diff --git a/ansible/roles/fastpath/templates/ooni_api_uploader.py b/ansible/roles/fastpath/templates/ooni_api_uploader.py
new file mode 100644
index 00000000..f1a7d8a6
--- /dev/null
+++ b/ansible/roles/fastpath/templates/ooni_api_uploader.py
@@ -0,0 +1,228 @@
+#!/usr/bin/env python3
+"""
+Uploads OONI API measurements to S3
+Reads /etc/ooni/api.conf
+"""
+
+from configparser import ConfigParser
+from pathlib import Path
+from pathlib import PosixPath as PP
+from datetime import datetime, timedelta
+from typing import List, Dict
+import gzip
+import logging
+import tarfile
+import yaml
+
+import ujson
+import boto3
+import statsd  # debdeps: python3-statsd
+
+# debdeps: python3-clickhouse-driver
+from clickhouse_driver import Client as Clickhouse
+
+
+metrics = statsd.StatsClient("127.0.0.1", 8125, prefix="ooni_api_uploader")
+log = logging.getLogger("ooni_api_uploader")
+
+try:
+    from systemd.journal import JournalHandler  # debdeps: python3-systemd
+
+    log.addHandler(JournalHandler(SYSLOG_IDENTIFIER="ooni_api_uploader"))
+except ImportError:
+    pass
+
+log.setLevel(logging.DEBUG)
+
+
+def create_s3_client(conf):
+    session = boto3.Session(
+        aws_access_key_id=conf.get("aws_access_key_id"),
+        aws_secret_access_key=conf.get("aws_secret_access_key"),
+    )
+    return session.resource("s3")
+
+
+def read_conf():
+    cf = "/etc/ooni/api-uploader.conf"
+    log.info(f"Starting. Reading {cf}")
+    conf = ConfigParser()
+    conf.read(cf)
+    return conf["DEFAULT"]
+
+
+def connect_to_db(conf):
+    default = "clickhouse://api:api@localhost/default"
+    uri = conf.get("db_uri", default)
+    log.info(f"Connecting to database on {uri}")
+    conn = Clickhouse.from_url(uri)
+    return conn
+
+
+@metrics.timer("update_db_table")
+def update_db_table(conn, lookup_list, jsonl_s3path):
+    for d in lookup_list:
+        d["s3path"] = jsonl_s3path
+
+    q = "INSERT INTO jsonl (report_id, input, s3path, linenum, measurement_uid) VALUES"
+    log.info(f"Writing {len(lookup_list)} rows to DB")
+    conn.execute(q, lookup_list)
+
+
+@metrics.timer("upload_measurement")
+def upload_to_s3(s3, bucket_name: str, tarf: PP, s3path: str) -> None:
+    obj = s3.Object(bucket_name, s3path)
+    log.info(f"Uploading {s3path}")
+    obj.put(Body=tarf.read_bytes())
+
+
+@metrics.timer("fill_postcan")
+def fill_postcan(hourdir: PP, postcanf: PP) -> List[PP]:
+    msmt_files = sorted(f for f in hourdir.iterdir() if f.suffix == ".post")
+    if not msmt_files:
+        log.info(f"Nothing to fill {postcanf.name}")
+        return []
+    log.info(f"Filling {postcanf.name}")
+    measurements = []
+    postcan_byte_thresh = 20 * 1000 * 1000
+    # Open postcan
+    with tarfile.open(str(postcanf), "w:gz") as tar:
+        for msmt_f in msmt_files:
+            # Add a msmt and delete the msmt file
+            metrics.incr("msmt_count")
+            tar.add(str(msmt_f))
+            measurements.append(msmt_f)
+            tarsize = postcanf.stat().st_size
+            if tarsize > postcan_byte_thresh:
+                log.info(f"Reached {tarsize} bytes")
+                return measurements
+
+    return measurements
+
+
+@metrics.timer("fill_jsonl")
+def fill_jsonl(measurements: List[PP], jsonlf: PP) -> List[Dict]:
+    log.info(f"Filling {jsonlf.name}")
+    # report_id, input, 2020092119_IT_tor.n0.0.jsonl.gz
+    lookup_list = []
+    with gzip.open(jsonlf, "w") as jf:
+        for linenum, msmt_f in enumerate(measurements):
+            try:
+                post = ujson.load(msmt_f.open())
+            except Exception:
+                log.error("Unable to parse measurement")
+                jf.write(b"{}\n")
+                continue
+
+            fmt = post.get("format", "").lower()
+            msm = None
+            if fmt == "json":
+                msm = post.get("content", {})
+            elif fmt == "yaml":
+                try:
+                    msm = yaml.load(msm, Loader=yaml.CLoader)
+                except Exception:
+                    pass
+
+            if msm is None:
+                log.error("Unable to parse measurement")
+                jf.write(b"{}\n")
+                continue
+
+            jf.write(ujson.dumps(msm).encode())
+            jf.write(b"\n")
+
+            rid = msm.get("report_id") or ""
+            input = msm.get("input") or ""
+            msmt_uid = msmt_f.name[:-5]
+            d = dict(
+                report_id=rid, input=input, measurement_uid=msmt_uid, linenum=linenum
+            )
+            lookup_list.append(d)
+
+    return lookup_list
+
+
+def delete_msmt_posts(measurements: List[PP]) -> None:
+    log.info(f"Deleting {len(measurements)} measurements")
+    for msmt_f in measurements:
+        msmt_f.unlink()
+
+
+@metrics.timer("total_run_time")
+def main():
+    conf = read_conf()
+    bucket_name = conf.get("bucket_name")
+    spooldir = Path(conf.get("msmt_spool_dir"))
+    format_char = "n"
+    collector_id = conf.get("collector_id")
+    identity = f"{format_char}{collector_id}"
+    log.info(f"Uploader {collector_id} starting")
+    assert collector_id, "collector_id is not set"
+    log.info(f"Using bucket {bucket_name} and spool {spooldir}")
+
+    s3 = create_s3_client(conf)
+
+    db_conn = connect_to_db(conf)
+
+    # Scan spool directories, by age
+    idir = spooldir / "incoming"
+    threshold = datetime.utcnow() - timedelta(hours=1)
+    for hourdir in sorted(idir.iterdir()):
+        if not hourdir.is_dir() or hourdir.suffix == ".tmp":
+            continue
+        try:
+            tstamp, cc, testname = hourdir.name.split("_")
+        except Exception:
+            continue
+        if len(tstamp) != 10:
+            continue
+        hourdir_time = datetime.strptime(tstamp, "%Y%m%d%H")
+        if hourdir_time > threshold:
+            log.info(f"Stopping before {hourdir_time}")
+            break
+
+        log.info(f"Processing {hourdir}")
+        # Split msmts across multiple postcans and jsonl files
+        can_cnt = 0
+        while True:
+            # Compress raw POSTs into a tar.gz postcan
+            postcanf = hourdir.with_suffix(f".{identity}.{can_cnt}.tar.gz")
+            jsonlf = hourdir.with_suffix(f".{identity}.{can_cnt}.jsonl.gz")
+            msmfiles = fill_postcan(hourdir, postcanf)
+            if len(msmfiles) == 0:
+                break
+            # Also create jsonl file and delete msmt POSTs
+            lookup_list = fill_jsonl(msmfiles, jsonlf)
+            delete_msmt_posts(msmfiles)
+
+            # Upload current postcan to S3
+            postcan_s3path = (
+                f"raw/{tstamp[:8]}/{tstamp[8:10]}/{cc}/{testname}/{postcanf.name}"
+            )
+            jsonl_s3path = (
+                f"raw/{tstamp[:8]}/{tstamp[8:10]}/{cc}/{testname}/{jsonlf.name}"
+            )
+            if conf.get("run_mode", "") == "DESTROY_DATA":
+                log.info("Testbed mode: Destroying postcans!")
+            else:
+                upload_to_s3(s3, bucket_name, postcanf, postcan_s3path)
+                upload_to_s3(s3, bucket_name, jsonlf, jsonl_s3path)
+                update_db_table(db_conn, lookup_list, jsonl_s3path)
+
+            postcanf.unlink()
+            jsonlf.unlink()
+
+            can_cnt += 1
+            metrics.incr("postcan_count")
+
+        # Delete whole hourly directory
+        for f in sorted(hourdir.iterdir()):
+            f.unlink()
+        hourdir.rmdir()
+
+    log.info("Exiting")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 89d5d47a..33f2d0ca 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -448,7 +448,7 @@ module "ooni_clickhouse_proxy" {
     from_port   = 9000,
     to_port     = 9000,
     protocol    = "tcp",
-    cidr_blocks = module.network.vpc_subnet_private[*].cidr_block,
+    cidr_blocks = concat(module.network.vpc_subnet_private[*].cidr_block, [format("%s/32", module.ooni_fastpath.aws_instance_public_ip)]),
     }, {
     // For the prometheus proxy:
     from_port   = 9200,
@@ -559,6 +559,89 @@ resource "aws_route53_record" "monitoring_proxy_alias" {
   ]
 }
 
+
+### Fastpath 
+module "ooni_fastpath" {
+  source = "../../modules/ec2"
+
+  stage = local.environment
+
+  vpc_id              = module.network.vpc_id
+  subnet_id           = module.network.vpc_subnet_public[0].id
+  private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+  dns_zone_ooni_io    = local.dns_zone_ooni_io
+
+  key_name      = module.adm_iam_roles.oonidevops_key_name
+  instance_type = "t3a.small"
+
+  name = "oonifastpath"
+  ingress_rules = [{
+    from_port   = 22,
+    to_port     = 22,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 80,
+    to_port     = 80,
+    protocol    = "tcp",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port   = 9100,
+    to_port     = 9100,
+    protocol    = "tcp"
+    cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"]
+  }]
+
+  egress_rules = [{
+    from_port   = 0,
+    to_port     = 0,
+    protocol    = "-1",
+    cidr_blocks = ["0.0.0.0/0"],
+    }, {
+    from_port        = 0,
+    to_port          = 0,
+    protocol         = "-1",
+    ipv6_cidr_blocks = ["::/0"],
+  }]
+
+  sg_prefix = "oonifastpath"
+  tg_prefix = "fstp"
+
+  disk_size = 150
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier0-fastpath" }
+  )
+}
+
+resource "aws_route53_record" "fastpath_alias" {
+  zone_id = local.dns_zone_ooni_io
+  name    = "fastpath.${local.environment}.ooni.io"
+  type    = "CNAME"
+  ttl     = 300
+
+  records = [
+    module.ooni_fastpath.aws_instance_public_dns
+  ]
+}
+
+module "fastpath_builder" {
+  source = "../../modules/ooni_docker_build"
+  trigger_tag = ""
+
+  service_name            = "fastpath"
+  repo                    = "ooni/backend"
+  branch_name             = "fastpath-dockerhub"
+  buildspec_path          = "fastpath/buildspec.yml"
+  trigger_path            = "fastpath/**"
+  codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn
+
+  codepipeline_bucket = aws_s3_bucket.ooniapi_codepipeline_bucket.bucket
+
+  ecs_cluster_name = module.ooniapi_cluster.cluster_name
+}
+
 #### OONI Run service
 
 module "ooniapi_oonirun_deployer" {
diff --git a/tf/modules/ec2/main.tf b/tf/modules/ec2/main.tf
index b3d7885f..b73bdec6 100644
--- a/tf/modules/ec2/main.tf
+++ b/tf/modules/ec2/main.tf
@@ -90,6 +90,11 @@ resource "aws_instance" "ooni_ec2" {
     ignore_changes = [ user_data, launch_template ]
   }
 
+  root_block_device {
+    volume_size = var.disk_size  # Size in GB
+    volume_type = "gp2"
+  }
+
   tags = merge(var.tags, {MonitoringActive = var.monitoring_active})
 }
 
diff --git a/tf/modules/ec2/outputs.tf b/tf/modules/ec2/outputs.tf
index 458bf405..3acd1293 100644
--- a/tf/modules/ec2/outputs.tf
+++ b/tf/modules/ec2/outputs.tf
@@ -12,4 +12,8 @@ output "ec2_sg_id" {
 
 output "aws_instance_private_ip" {
   value = aws_instance.ooni_ec2.private_ip
+}
+
+output "aws_instance_public_ip" {
+  value = aws_instance.ooni_ec2.public_ip
 }
\ No newline at end of file
diff --git a/tf/modules/ec2/variables.tf b/tf/modules/ec2/variables.tf
index a4db445f..f8b30d78 100644
--- a/tf/modules/ec2/variables.tf
+++ b/tf/modules/ec2/variables.tf
@@ -68,4 +68,10 @@ variable "monitoring_active" {
   description = "If the monitoring system should consider this machine. Set it to 'true' to activate it, anything else to deactivate it"
   default = "true"
   type = string
+}
+
+variable "disk_size" {
+  description = "Available disk space for this machine, in GB. Defaults to 8gb"
+  default = 8
+  type = number
 }
\ No newline at end of file
diff --git a/tf/modules/ooni_docker_build/main.tf b/tf/modules/ooni_docker_build/main.tf
new file mode 100644
index 00000000..8beb5ad7
--- /dev/null
+++ b/tf/modules/ooni_docker_build/main.tf
@@ -0,0 +1,268 @@
+## CodeBuild and CodePipeline for OONI API Services
+
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
+resource "aws_iam_policy" "codebuild" {
+  description = "Policy used in trust relationship with CodeBuild"
+  name        = "codebuild-${var.service_name}-${var.aws_region}"
+  path        = "/service-role/"
+
+  policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:logs:${var.aws_region}:${local.account_id}:log-group:/aws/codebuild/oonidkr-${var.service_name}",
+        "arn:aws:logs:${var.aws_region}:${local.account_id}:log-group:/aws/codebuild/oonidkr-${var.service_name}:*"
+      ]
+    },
+    {
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:GetObjectVersion",
+        "s3:GetBucketAcl",
+        "s3:GetBucketLocation"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::codepipeline-ooniapi-${var.aws_region}-*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "codebuild:CreateReportGroup",
+        "codebuild:CreateReport",
+        "codebuild:UpdateReport",
+        "codebuild:BatchPutTestCases",
+        "codebuild:BatchPutCodeCoverages"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:codebuild:${var.aws_region}:${local.account_id}:report-group/oonidkr-${var.service_name}-*"
+      ]
+    },
+    {
+        "Effect": "Allow",
+        "Action": "codestar-connections:UseConnection",
+        "Resource": "${var.codestar_connection_arn}"
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+}
+
+resource "aws_iam_role" "codebuild" {
+  assume_role_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codebuild.amazonaws.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+
+  managed_policy_arns = [
+    aws_iam_policy.codebuild.arn,
+    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess",
+    "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+  ]
+  max_session_duration = "3600"
+  name                 = "codebuild-oonidkr-${var.service_name}"
+  path                 = "/service-role/"
+}
+
+resource "aws_codebuild_project" "oonidkr" {
+  artifacts {
+    encryption_disabled    = "false"
+    override_artifact_name = "false"
+    type                   = "NO_ARTIFACTS"
+  }
+
+  badge_enabled = "false"
+  build_timeout = "60"
+
+  cache {
+    type = "NO_CACHE"
+  }
+
+  concurrent_build_limit = "1"
+  encryption_key         = "arn:aws:kms:${var.aws_region}:${local.account_id}:alias/aws/s3"
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "aws/codebuild/standard:7.0"
+    image_pull_credentials_type = "CODEBUILD"
+    privileged_mode             = "true"
+    type                        = "LINUX_CONTAINER"
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      status = "ENABLED"
+    }
+
+    s3_logs {
+      encryption_disabled = "false"
+      status              = "DISABLED"
+    }
+  }
+
+  name               = "oonidkr-${var.service_name}"
+  project_visibility = "PRIVATE"
+  queued_timeout     = "480"
+  service_role       = aws_iam_role.codebuild.arn
+
+  source {
+    buildspec       = var.buildspec_path
+    git_clone_depth = "1"
+
+    git_submodules_config {
+      fetch_submodules = "false"
+    }
+
+    insecure_ssl        = "false"
+    location            = "https://github.com/${var.repo}.git"
+    report_build_status = "false"
+    type                = "GITHUB"
+  }
+}
+
+resource "aws_iam_policy" "codepipeline" {
+  description = "Policy used in trust relationship with CodePipeline"
+  name        = "codepipeline-oonidkr-${var.service_name}"
+  path        = "/service-role/"
+
+  policy = templatefile("${path.module}/templates/codepipeline_policy.json", {})
+}
+
+resource "aws_iam_role" "codepipeline" {
+  assume_role_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codepipeline.amazonaws.com"
+      }
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+
+  managed_policy_arns = [
+    aws_iam_policy.codepipeline.arn,
+  ]
+  max_session_duration = "3600"
+  name                 = "codepipeline-oonidkr-${var.service_name}"
+  path                 = "/service-role/"
+}
+
+resource "aws_codepipeline" "oonidkr" {
+  name          = "oonidkr-${var.service_name}"
+  pipeline_type = "V2"
+  role_arn      = aws_iam_role.codepipeline.arn
+
+  artifact_store {
+    location = var.codepipeline_bucket
+    type     = "S3"
+  }
+
+  depends_on = [
+    aws_codebuild_project.oonidkr
+  ]
+
+  trigger {
+    provider_type = "CodeStarSourceConnection"
+
+    git_configuration {
+      source_action_name = "Source"
+      
+      push {
+        branches {
+          includes = [var.branch_name]
+        }
+        file_paths {
+          includes = [var.trigger_path]
+          excludes = ["**/README.md"]
+        }
+      }
+    }
+  }
+
+  stage {
+    action {
+
+      name             = "Source"
+      category         = "Source"
+      namespace        = "SourceVariables"
+      output_artifacts = ["SourceArtifact"]
+      owner            = "AWS"
+      provider         = "CodeStarSourceConnection"
+      region           = var.aws_region
+      run_order        = "1"
+      version          = "1"
+
+      configuration = {
+        ConnectionArn        = var.codestar_connection_arn
+        FullRepositoryId     = var.repo
+        BranchName           = var.branch_name
+        DetectChanges        = "true"
+        OutputArtifactFormat = "CODEBUILD_CLONE_REF"
+      }
+    }
+
+    name = "Source"
+  }
+
+  stage {
+    action {
+      category = "Build"
+
+      configuration = {
+        ProjectName = "oonidkr-${var.service_name}"
+      }
+
+      input_artifacts  = ["SourceArtifact"]
+      name             = "Build"
+      namespace        = "BuildVariables"
+      output_artifacts = ["BuildArtifact"]
+      owner            = "AWS"
+      provider         = "CodeBuild"
+      region           = var.aws_region
+      run_order        = "1"
+      version          = "1"
+    }
+
+    name = "Build"
+  }
+}
diff --git a/tf/modules/ooni_docker_build/outputs.tf b/tf/modules/ooni_docker_build/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/tf/modules/ooni_docker_build/templates/codepipeline_policy.json b/tf/modules/ooni_docker_build/templates/codepipeline_policy.json
new file mode 100644
index 00000000..6d465479
--- /dev/null
+++ b/tf/modules/ooni_docker_build/templates/codepipeline_policy.json
@@ -0,0 +1,162 @@
+{
+  "Statement": [
+    {
+      "Action": ["iam:PassRole"],
+      "Condition": {
+        "StringEqualsIfExists": {
+          "iam:PassedToService": [
+            "cloudformation.amazonaws.com",
+            "elasticbeanstalk.amazonaws.com",
+            "ec2.amazonaws.com",
+            "ecs-tasks.amazonaws.com"
+          ]
+        }
+      },
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "codecommit:CancelUploadArchive",
+        "codecommit:GetBranch",
+        "codecommit:GetCommit",
+        "codecommit:GetRepository",
+        "codecommit:GetUploadArchiveStatus",
+        "codecommit:UploadArchive"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "codedeploy:CreateDeployment",
+        "codedeploy:GetApplication",
+        "codedeploy:GetApplicationRevision",
+        "codedeploy:GetDeployment",
+        "codedeploy:GetDeploymentConfig",
+        "codedeploy:RegisterApplicationRevision"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": ["codestar-connections:UseConnection"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "elasticbeanstalk:*",
+        "ec2:*",
+        "elasticloadbalancing:*",
+        "autoscaling:*",
+        "cloudwatch:*",
+        "s3:*",
+        "sns:*",
+        "cloudformation:*",
+        "rds:*",
+        "sqs:*",
+        "ecs:*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": ["lambda:InvokeFunction", "lambda:ListFunctions"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "opsworks:CreateDeployment",
+        "opsworks:DescribeApps",
+        "opsworks:DescribeCommands",
+        "opsworks:DescribeDeployments",
+        "opsworks:DescribeInstances",
+        "opsworks:DescribeStacks",
+        "opsworks:UpdateApp",
+        "opsworks:UpdateStack"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:UpdateStack",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:ExecuteChangeSet",
+        "cloudformation:SetStackPolicy",
+        "cloudformation:ValidateTemplate"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "codebuild:BatchGetBuilds",
+        "codebuild:StartBuild",
+        "codebuild:BatchGetBuildBatches",
+        "codebuild:StartBuildBatch"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "devicefarm:ListProjects",
+        "devicefarm:ListDevicePools",
+        "devicefarm:GetRun",
+        "devicefarm:GetUpload",
+        "devicefarm:CreateUpload",
+        "devicefarm:ScheduleRun"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "servicecatalog:ListProvisioningArtifacts",
+        "servicecatalog:CreateProvisioningArtifact",
+        "servicecatalog:DescribeProvisioningArtifact",
+        "servicecatalog:DeleteProvisioningArtifact",
+        "servicecatalog:UpdateProduct"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": ["cloudformation:ValidateTemplate"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": ["ecr:DescribeImages"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "states:DescribeExecution",
+        "states:DescribeStateMachine",
+        "states:StartExecution"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "appconfig:StartDeployment",
+        "appconfig:StopDeployment",
+        "appconfig:GetDeployment"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ],
+  "Version": "2012-10-17"
+}
diff --git a/tf/modules/ooni_docker_build/variables.tf b/tf/modules/ooni_docker_build/variables.tf
new file mode 100644
index 00000000..53edc7e2
--- /dev/null
+++ b/tf/modules/ooni_docker_build/variables.tf
@@ -0,0 +1,39 @@
+variable "aws_region" {
+  description = "The AWS region to create things in."
+  default     = "eu-central-1"
+}
+
+variable "service_name" {
+  description = "short service name. will become the first part of the fqdn eg. <service_name>.prod.ooni.io"
+}
+
+variable "buildspec_path" {
+  description = "relative path in the repo to the buildspec eg. api/fastapi/buildspec.yml"
+}
+
+variable "codepipeline_bucket" {
+  description = "specify a unique bucket to store build artifacts"
+}
+
+variable "codestar_connection_arn" {
+}
+
+variable "branch_name" {
+  default = "main"
+}
+
+variable "trigger_tag" {
+  description = "tag filters to use to trigger pipeline eg. release-1.0"
+}
+
+variable "repo" {
+  default = "ooni/backend"
+}
+
+variable "ecs_cluster_name" {
+  description = "id of the cluster to deploy into"
+}
+
+variable "trigger_path" {
+  description = "path filter for push changes which trigger the codepipeline eg. ooniapi/services/oonirun/**"
+}
\ No newline at end of file