diff --git a/tools/terraform/percona/network.tf b/tools/terraform/percona/network.tf
new file mode 100644
index 0000000000..dbdce6985e
--- /dev/null
+++ b/tools/terraform/percona/network.tf
@@ -0,0 +1,30 @@
+resource "aws_acm_certificate" "certificate" {
+  domain_name       = var.domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "record" {
+  for_each = {
+    for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.zone_id
+}
+
+resource "aws_acm_certificate_validation" "percona" {
+  certificate_arn         = aws_acm_certificate.certificate.arn
+  validation_record_fqdns = [for record in aws_route53_record.record : record.fqdn]
+}
diff --git a/tools/terraform/percona/percona.tf b/tools/terraform/percona/percona.tf
new file mode 100644
index 0000000000..a65acd583d
--- /dev/null
+++ b/tools/terraform/percona/percona.tf
@@ -0,0 +1,131 @@
+data "aws_ami" "percona" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["PMM2 Server *"]
+  }
+
+  owners = ["679593333241"] # Percona
+}
+
+
+resource "aws_route53_record" "record" {
+  name    = "percona"
+  type    = "A"
+  zone_id = var.zone_id
+  alias {
+    evaluate_target_health = false
+    name                   = aws_lb.main.dns_name
+    zone_id                = aws_lb.main.zone_id
+  }
+}
+
+resource "aws_lb" "main" {
+  name            = "percona"
+  internal        = false
+  security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
+  subnets         = var.public_subnets
+  idle_timeout    = 120
+}
+
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
+  certificate_arn   = aws_acm_certificate_validation.percona.certificate_arn
+
+  default_action {
+    target_group_arn = aws_lb_target_group.percona.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_target_group" "percona" {
+  name        = "percona"
+  protocol    = "HTTP"
+  target_type = "instance"
+  port        = "80"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_lb_target_group_attachment" "percona" {
+  target_group_arn = aws_lb_target_group.percona.arn
+  target_id        = aws_instance.percona.id
+}
+
+resource "aws_instance" "percona" {
+  ami                    = data.aws_ami.percona.id
+  instance_type          = "m5.large"
+  subnet_id              = var.private_subnet
+  vpc_security_group_ids = [aws_security_group.backend.id]
+  iam_instance_profile   = aws_iam_instance_profile.profile.name
+}
+
+resource "aws_iam_instance_profile" "profile" {
+  name = "percona-profile"
+  role = aws_iam_role.role.name
+}
+
+resource "aws_iam_role" "role" {
+  name = "percona-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = "percona-policy"
+  description = "policy to discover rds instances"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Stmt1508404837000",
+            "Effect": "Allow",
+            "Action": [
+                "rds:DescribeDBInstances",
+                "cloudwatch:GetMetricStatistics",
+                "cloudwatch:ListMetrics"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "Stmt1508410723001",
+            "Effect": "Allow",
+            "Action": [
+                "logs:DescribeLogStreams",
+                "logs:GetLogEvents",
+                "logs:FilterLogEvents"
+            ],
+            "Resource": [
+                "arn:aws:logs:*:*:log-group:RDSOSMetrics:*"
+            ]
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "test-attach" {
+  role       = aws_iam_role.role.name
+  policy_arn = aws_iam_policy.policy.arn
+}
\ No newline at end of file
diff --git a/tools/terraform/percona/security_groups.tf b/tools/terraform/percona/security_groups.tf
new file mode 100644
index 0000000000..b0c3608d67
--- /dev/null
+++ b/tools/terraform/percona/security_groups.tf
@@ -0,0 +1,69 @@
+resource "aws_security_group" "lb" {
+  name        = "percona load balancer"
+  description = "percona Load balancer security group"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_security_group_rule" "lb-ingress" {
+  description = "percona: allow traffic from public internet"
+  type        = "ingress"
+
+  from_port   = "443"
+  to_port     = "443"
+  protocol    = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = aws_security_group.lb.id
+}
+
+resource "aws_security_group_rule" "lb-http-ingress" {
+  description = "percona: allow traffic from public internet"
+  type        = "ingress"
+
+  from_port   = "80"
+  to_port     = "80"
+  protocol    = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = aws_security_group.lb.id
+}
+resource "aws_security_group_rule" "backend-egress" {
+  description = "percona: allow all outbound traffic"
+  type        = "egress"
+
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = aws_security_group.backend.id
+}
+
+resource "aws_security_group" "backend" {
+  name        = "percona backend"
+  description = "percona Backend security group"
+  vpc_id      = var.vpc_id
+
+}
+
+resource "aws_security_group_rule" "lb-egress" {
+  description = "percona: allow all outbound traffic"
+  type        = "egress"
+
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = aws_security_group.lb.id
+}
+resource "aws_security_group_rule" "backend-ingress" {
+  description = "percona: allow traffic from load balancer"
+  type        = "ingress"
+
+  from_port                = "80"
+  to_port                  = "80"
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.lb.id
+  security_group_id        = aws_security_group.backend.id
+}
diff --git a/tools/terraform/percona/variables.tf b/tools/terraform/percona/variables.tf
new file mode 100644
index 0000000000..9c2ab4f548
--- /dev/null
+++ b/tools/terraform/percona/variables.tf
@@ -0,0 +1,24 @@
+variable "zone_id" {
+  description = "R53 Zone ID to host Percona in"
+  type = string
+}
+
+variable "domain_name" {
+  description = "Domain name for Percona DNS"
+  type = string
+}
+
+variable "public_subnets" {
+  description = "Public subnets for the Percona LB"
+  type = list(string)
+}
+
+variable "private_subnet" {
+  description = "Private subnets for the Percona App instance"
+  type = string
+}
+
+variable "vpc_id" {
+  description = "VPC ID"
+  type = string
+}
\ No newline at end of file
diff --git a/tools/terraform/readme.md b/tools/terraform/readme.md
index c82828a0b6..c3b69e722c 100644
--- a/tools/terraform/readme.md
+++ b/tools/terraform/readme.md
@@ -40,6 +40,14 @@ fleet_license = "<your license key here"
 
 Check out [AWS Chatbot](https://docs.aws.amazon.com/chatbot/latest/adminguide/setting-up.html) for a quick and easy way to hook up Cloudwatch Alarms into a Slack channel. 
 
+**To deploy Percona PMM advanced MySQL monitoring**
+1. See [Percona deployment](https://www.percona.com/doc/percona-monitoring-and-management/1.x/deploy/server/ami.html#running-pmm-server-using-aws-marketplace) scenario for details
+2. Deploy infrastructure using `percona` directory
+   1. Create tfvars file
+   2. Add the required variables (vpc_id, subnets, etc.)
+   3. run `terraform apply -var-file=default.tfvars`
+3. Add RDS Aurora MySQL by following this [guide](https://www.percona.com/doc/percona-monitoring-and-management/1.x/amazon-rds.html)
+
 ### Configuration
 
 Typical settings to override in an existing environment: