VPC
The solution provides two options for Amazon VPC configuration:
- Let the solution build an Amazon VPC for you.
- Manage and bring your own Amazon VPC for use within the solution.
Let the solution build an Amazon VPC for you
If you select the option to let the solution build an Amazon VPC, it deploys a 2-AZ architecture by default with the CIDR range 10.10.0.0/20; you also have the option to use Amazon VPC IP Address Manager (IPAM). Each AZ contains one public subnet and one private subnet. The solution creates a NAT Gateway in each public subnet and configures the Lambda functions to create their ENIs in the private subnets. This configuration also creates route tables and their entries, security groups and their rules, network ACLs, and VPC endpoints (gateway and interface endpoints).
Managing your own Amazon VPC
When deploying the solution with an Amazon VPC, you have the option to use an existing Amazon VPC in your AWS account and Region. We recommend that you make your VPC available in at least two Availability Zones to ensure high availability. Your VPC must also have the following VPC endpoints, along with their associated IAM policies and the matching VPC and route table configuration.
For a Deployment dashboard Amazon VPC
For a use case Amazon VPC
- Interface endpoint for Systems Manager Parameter Store.
  Note: The solution only requires com.amazonaws.region.ssm.
- Interface endpoint for Amazon Bedrock (bedrock-runtime, agent-runtime, bedrock-agent-runtime).
- Optional: If the deployment will use Amazon Kendra as a knowledge base, an interface endpoint for Amazon Kendra is needed.
- Optional: If the deployment will use any LLM under Amazon Bedrock, an interface endpoint for Amazon Bedrock is needed.
  Note: The solution only requires com.amazonaws.region.bedrock-runtime.
- Optional: If the deployment will use Amazon SageMaker AI for the LLM, an interface endpoint for Amazon SageMaker AI is needed.
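Before choosing the Bring your own VPC option, it is worth verifying that the existing VPC actually carries the endpoints listed above and spans at least two Availability Zones. The following pre-flight check is an added example, not part of the solution; it works on the data shapes returned by boto3's ec2.describe_vpc_endpoints() and ec2.describe_subnets(), using constructed sample records so it runs offline. The Kendra and SageMaker endpoint service names are assumptions; the SSM and Bedrock names come from the page.

```python
"""Pre-flight check for a Bring-your-own-VPC deployment (added example)."""

REGION = "us-east-1"   # assumed region for the sample data
VPC_ID = "vpc-0example"  # constructed placeholder VPC id


def required_services(region, use_bedrock=False, use_kendra=False, use_sagemaker=False):
    """Build the set of interface endpoint service names the deployment needs."""
    needed = {f"com.amazonaws.{region}.ssm"}  # always required (Parameter Store)
    if use_bedrock:
        needed.add(f"com.amazonaws.{region}.bedrock-runtime")
    if use_kendra:
        needed.add(f"com.amazonaws.{region}.kendra")  # assumed service name
    if use_sagemaker:
        needed.add(f"com.amazonaws.{region}.sagemaker.runtime")  # assumed service name
    return needed


def check_vpc(vpc_id, endpoints, subnets, needed, min_azs=2):
    """Compare available interface endpoints and subnet AZ spread against the requirements."""
    present = {
        e["ServiceName"] for e in endpoints
        if e["VpcId"] == vpc_id
        and e["VpcEndpointType"] == "Interface"
        and e["State"] == "available"   # pending/failed endpoints do not count
    }
    missing = sorted(needed - present)
    azs = {s["AvailabilityZone"] for s in subnets if s["VpcId"] == vpc_id}
    return {
        "missing_endpoints": missing,
        "az_count": len(azs),
        "ok": not missing and len(azs) >= min_azs,
    }


# Constructed samples shaped like describe_vpc_endpoints()["VpcEndpoints"]
# and describe_subnets()["Subnets"]; only the keys the check uses are included.
SAMPLE_ENDPOINTS = [
    {"VpcId": VPC_ID, "ServiceName": f"com.amazonaws.{REGION}.ssm",
     "VpcEndpointType": "Interface", "State": "available"},
    {"VpcId": VPC_ID, "ServiceName": f"com.amazonaws.{REGION}.s3",
     "VpcEndpointType": "Gateway", "State": "available"},  # gateway type is ignored
]
SAMPLE_SUBNETS = [
    {"VpcId": VPC_ID, "SubnetId": "subnet-0a", "AvailabilityZone": f"{REGION}a"},
    {"VpcId": VPC_ID, "SubnetId": "subnet-0b", "AvailabilityZone": f"{REGION}b"},
]

if __name__ == "__main__":
    # A Bedrock-backed use case: the sample VPC has ssm but lacks bedrock-runtime.
    print(check_vpc(VPC_ID, SAMPLE_ENDPOINTS, SAMPLE_SUBNETS,
                    required_services(REGION, use_bedrock=True)))
```

In a live account, feed the function the unmodified `VpcEndpoints` and `Subnets` lists from boto3 in place of the samples.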
Note
The solution does not delete or modify the VPC configuration when you use the Bring your own VPC deployment option. However, it does delete any VPC that it created under the Create a VPC for me option. For this reason, be careful when sharing a solution-managed VPC across stacks or deployments.
For example, deployment A uses the Create a VPC for me option, and deployment B uses Bring my own VPC with the VPC created by deployment A. If deployment A is deleted before deployment B, deployment B no longer works because its VPC has been deleted. Also, because deployment B is using ENIs that the Lambda functions created in that VPC, deleting deployment A might fail with errors or leave residual resources behind.