diff --git a/k8s/nginx-3scale/nginx-3scale-cm.yaml b/k8s/nginx-3scale/nginx-3scale-cm.yaml
new file mode 100644
index 00000000..6f87b494
--- /dev/null
+++ b/k8s/nginx-3scale/nginx-3scale-cm.yaml
@@ -0,0 +1,13 @@
+############################################################################
+# This YAML file desribes a ConfigMap with a valid list of ':' separated #
+# IP addresses (or 'all' for all IP addresses) that can connect to the #
+# MongoDB instance. We only support the value 'all' currently. #
+############################################################################
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mongodb-whitelist
+ namespace: default
+data:
+ allowed-hosts: "all"
diff --git a/k8s/nginx-3scale/nginx-3scale-dep.yaml b/k8s/nginx-3scale/nginx-3scale-dep.yaml
new file mode 100644
index 00000000..49695315
--- /dev/null
+++ b/k8s/nginx-3scale/nginx-3scale-dep.yaml
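Review bot: The `allowed-hosts: "all"` value means the ConfigMap named `mongodb-whitelist` filters nothing, and the header comment confirms that 'all' is the only supported value, so port 27017 published by the LoadBalancer Service in nginx-3scale-svc.yaml is open to any source address. Until real address lists are supported, restrict the source at the Service with `loadBalancerSourceRanges` (where the cloud provider honours it), and say in the header comment that this setting provides no access control and MongoDB must enforce its own authentication. The header also has a typo, `desribes` for `describes`.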
@@ -0,0 +1,96 @@
+###############################################################
+# This config file runs nginx as a k8s deployment and exposes #
+# it using an external load balancer. #
+# This deployment is used as a front end to both BigchainDB #
+# and MongoDB. #
+###############################################################
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: ngx-instance-0-dep
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: ngx-instance-0-dep
+ spec:
+ terminationGracePeriodSeconds: 10
+ containers:
+ - name: nginx-3scale
+ image: bigchaindb/nginx_3scale:0.1
+ # TODO(Krish): Change later to IfNotPresent
+ imagePullPolicy: Always
+ env:
+ - name: MONGODB_FRONTEND_PORT
+ value: $(NGX_INSTANCE_0_SERVICE_PORT_NGX_PUBLIC_MDB_PORT)
+ - name: MONGODB_BACKEND_HOST
+ value: mdb-instance-0.default.svc.cluster.local
+ - name: MONGODB_BACKEND_PORT
+ value: "27017"
+ - name: BIGCHAINDB_FRONTEND_PORT
+ value: $(NGX_INSTANCE_0_SERVICE_PORT_NGX_PUBLIC_BDB_PORT)
+ - name: BIGCHAINDB_BACKEND_HOST
+ value: bdb-instance-0.default.svc.cluster.local
+ - name: BIGCHAINDB_BACKEND_PORT
+ value: "9984"
+ - name: MONGODB_WHITELIST
+ valueFrom:
+ configMapKeyRef:
+ name: mongodb-whitelist
+ key: allowed-hosts
+ - name: DNS_SERVER
+ value: "10.0.0.10"
+ - name: NGINX_HEALTH_CHECK_PORT
+ value: "8888"
+ # TODO(Krish): use secrets for sensitive info
+ - name: THREESCALE_SECRET_TOKEN
+ value: ""
+ - name: THREESCALE_SERVICE_ID
+ value: ""
+ - name: THREESCALE_VERSION_HEADER
+ value: ""
+ - name: THREESCALE_PROVIDER_KEY
+ value: ""
+ - name: THREESCALE_FRONTEND_API_DNS_NAME
+ value: ""
+ - name: THREESCALE_UPSTREAM_API_PORT
+ value: ""
+ ports:
+ - containerPort: 27017
+ hostPort: 27017
+ name: public-mdb-port
+ protocol: TCP
+ - containerPort: 443
+ hostPort: 443
+ name: public-bdb-port
+ protocol: TCP
+ - containerPort: 8888
+ hostPort: 8888
+ name: health-check
+ protocol: TCP
+ - containerPort: 8080
+ hostPort: 8080
+ name:
public-api-port
+ protocol: TCP
+ volumeMounts:
+ - name: https
+ mountPath: /usr/local/openresty/nginx/conf/ssl/
+ readOnly: true
+ resources:
+ limits:
+ cpu: 200m
+ memory: 768Mi
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8888
+ initialDelaySeconds: 15
+ timeoutSeconds: 10
+ restartPolicy: Always
+ volumes:
+ - name: https
+ secret:
+ secretName: certs
+ defaultMode: 0400
diff --git a/k8s/nginx-3scale/nginx-3scale-secret.yaml b/k8s/nginx-3scale/nginx-3scale-secret.yaml
new file mode 100644
index 00000000..8f725313
--- /dev/null
+++ b/k8s/nginx-3scale/nginx-3scale-secret.yaml
@@ -0,0 +1,13 @@
+# Certificate data should be base64 encoded before embedding them here by using
+# `cat cert.pem | base64 -w 0 > cert.pem.b64` and then copy the resulting
+# value here. Same goes for cert.key.
+# Ref: https://kubernetes.io/docs/concepts/configuration/secret/
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: certs
+type: Opaque
+data:
+ cert.pem:
+ cert.key:
diff --git a/k8s/nginx-3scale/nginx-3scale-svc.yaml b/k8s/nginx-3scale/nginx-3scale-svc.yaml
new file mode 100644
index 00000000..db212222
--- /dev/null
+++ b/k8s/nginx-3scale/nginx-3scale-svc.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ngx-instance-0
+ namespace: default
+ labels:
+ name: ngx-instance-0
+ annotations:
+ # NOTE: the following annotation is a beta feature and
+ # only available in GCE/GKE and Azure as of now
+ # Ref: https://kubernetes.io/docs/tutorials/services/source-ip/
+ service.beta.kubernetes.io/external-traffic: OnlyLocal
+spec:
+ selector:
+ app: ngx-instance-0-dep
+ ports:
+ - port: 443
+ targetPort: 443
+ name: ngx-public-bdb-port
+ protocol: TCP
+ - port: 8080
+ targetPort: 8080
+ name: ngx-public-3scale-port
+ protocol: TCP
+ - port: 27017
+ targetPort: 27017
+ name: ngx-public-mdb-port
+ protocol: TCP
+ type: LoadBalancer
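Review bot: `THREESCALE_SECRET_TOKEN` and `THREESCALE_PROVIDER_KEY` are declared as literal `value: ""` entries, so once filled in they are stored in the Deployment manifest and readable by anyone who can view the Deployment object or the repository; the TODO above them acknowledges this but the commit leaves it open. Source them from a Secret with `valueFrom.secretKeyRef`, the same way this hunk already reads `MONGODB_WHITELIST` through `configMapKeyRef`; the Secret name and keys in the fence are placeholders. Separately, the `hostPort` entries for 27017, 443, 8888 and 8080 bind those ports on the node itself in addition to the Service, which makes the health-check port 8888 reachable wherever the node is; drop `hostPort` unless something depends on it.

```yaml
# ... unchanged: preceding env entries ...
- name: THREESCALE_SECRET_TOKEN
  valueFrom:
    secretKeyRef:
      name: threescale-credentials  # placeholder Secret name
      key: secret-token             # placeholder key
- name: THREESCALE_PROVIDER_KEY
  valueFrom:
    secretKeyRef:
      name: threescale-credentials  # placeholder Secret name
      key: provider-key             # placeholder key
# ... unchanged: remaining THREESCALE_* entries, ports, volumeMounts ...
```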
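Review bot: `cert.pem:` and `cert.key:` are bare keys, which YAML reads as null, and the header comment tells the operator to paste the base64-encoded private key into this tracked file. Write the placeholders explicitly as `cert.pem: ""` and `cert.key: ""`, and add a comment such as `# Do not commit this file once populated; base64 is an encoding, not encryption.` so the key does not end up in version control. The `base64 -w 0` form in the comment is the GNU coreutils syntax, which is worth stating for operators on other platforms.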
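Review bot: The annotation comment says where `service.beta.kubernetes.io/external-traffic: OnlyLocal` is available but not why the Service needs it. If the nginx container filters on client address through `MONGODB_WHITELIST` (the nginx configuration is not part of this diff), that filtering depends on this annotation preserving the source IP; on a provider that ignores it, nginx would presumably see a node or load-balancer address instead. Extend the comment with something like `# Required so nginx sees the real client IP for the MongoDB whitelist.`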