Network Security
Isolated network architecture for your Data Plane.
VPC Layout
- Public subnets: ALB (HTTPS 443), NAT Gateway
- Private subnets: All compute and data (no internet gateway)
Security Groups
| Resource | Inbound | Outbound |
|---|---|---|
| ALB | 443 from internet | EKS nodes |
| EKS | From ALB, inter-node | All (via NAT) |
| RDS | 5432 from EKS | None |
| Valkey | 6379 from EKS | None |
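The Security Groups table above is a policy; drift in the console is easy to miss (a default egress rule, an extra CIDR). As an added example, not part of this page or the product, here is an offline Python audit that checks security-group entries in the shape returned by boto3's `ec2.describe_security_groups()` against the RDS and Valkey rows; the group IDs and the sample rules are constructed.

```python
"""Offline check that security-group rules match the documented Data Plane policy."""

# Expected rules taken from the Security Groups table. The sg-... ids are constructed placeholders.
EKS_SG = "sg-eks-nodes"
POLICY = {
    "rds":    {"port": 5432, "from": {EKS_SG}, "egress_allowed": False},
    "valkey": {"port": 6379, "from": {EKS_SG}, "egress_allowed": False},
}

def _sources(perm):
    """Collect every source of one IpPermissions entry: security-group ids and CIDR strings."""
    srcs = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    srcs |= {r["CidrIp"] for r in perm.get("IpRanges", [])}
    srcs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return srcs

def audit_security_group(role, group):
    """Return findings for one describe_security_groups() entry; an empty list means compliant.
    `role` picks the expected rule set from POLICY."""
    want = POLICY[role]
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        port_ok = proto == "tcp" and perm.get("FromPort") == want["port"] == perm.get("ToPort")
        if not port_ok:
            findings.append(f"{role}: unexpected inbound {proto} {perm.get('FromPort')}-{perm.get('ToPort')}")
            continue
        for src in _sources(perm) - want["from"]:
            findings.append(f"{role}: port {want['port']} open to {src}, expected only {sorted(want['from'])}")
    # AWS creates an allow-all egress rule on every new group; "Outbound: None" means it must be removed.
    if not want["egress_allowed"] and group.get("IpPermissionsEgress"):
        findings.append(f"{role}: egress rules present, documented outbound is None")
    return findings

# Constructed samples in the shape of ec2.describe_security_groups()["SecurityGroups"][i].
GOOD_RDS = {"GroupId": "sg-rds", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": EKS_SG}], "IpRanges": []}],
    "IpPermissionsEgress": []}
BAD_RDS = {"GroupId": "sg-rds-drift", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": EKS_SG}], "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for g in (GOOD_RDS, BAD_RDS):
        print(g["GroupId"], audit_security_group("rds", g) or "compliant")
```

To run it against a live account, replace the constructed dicts with the `SecurityGroups` list from boto3 and map each group to its role by tag or name.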
Outbound Connectivity
| Destination | Path | Purpose |
|---|---|---|
| *.corpai.io | NAT Gateway | Control Plane |
| S3, ECR, STS, Bedrock | VPC Endpoints | AWS services (private, no internet) |
| External APIs | NAT Gateway | MCP integrations (GitHub, Jira, etc.) |
VPC Endpoints
Deployed by default for private AWS service access:
- S3 (Gateway endpoint)
- ECR API, ECR DKR (Interface endpoints)
- STS (Interface endpoint)
- Bedrock Runtime, Bedrock Agent Runtime (Interface endpoints)