|
| 1 | +--- |
| 2 | +description: Create an Ockam Bedrock outlet node using Cloudformation template |
| 3 | +--- |
| 4 | + |
| 5 | +# Ockam Node for Amazon Bedrock |
| 6 | + |
| 7 | +[Amazon Bedrock ](https://aws.amazon.com/bedrock/)is a fully managed service that makes high-performing foundation models (FMs) from leading AI companies and Amazon available for your use through a unified API. Organizations building innovative generative AI applications with Amazon Bedrock often need to ensure their proprietary data remains secure and private while accessing these powerful models.  |
| 8 | + |
| 9 | +By default, You can access Amazon Bedrock over the public internet, which means: |
| 10 | + |
| 11 | +1. Your API calls to Bedrock travel across the public internet. |
| 12 | +2. Your client must have public internet connectivity |
| 13 | +3. You must implement additional security measures to protect your data in transit |
| 14 | + |
| 15 | +### The Security Challenge |
| 16 | + |
| 17 | +When you build AI applications with sensitive or proprietary data, exposing them to the public internet creates several risks: |
| 18 | + |
| 19 | +* Your data may travel through unknown network paths |
| 20 | +* Attackers gain more potential entry points |
| 21 | +* Your compliance requirements may prohibit public internet usage |
| 22 | +* You must maintain extra security controls and monitoring |
| 23 | + |
| 24 | +**Understanding VPC Endpoints for Amazon Bedrock** |
| 25 | + |
| 26 | +**How VPC Endpoints Work** |
| 27 | + |
| 28 | +AWS PrivateLink powers VPC endpoints, which let you access Amazon Bedrock privately without exposing data to the public internet. When you create a private connection between your VPC and Bedrock: |
| 29 | + |
| 30 | +1. Your traffic stays within AWS network infrastructure |
| 31 | +2. You eliminate the need for public endpoints |
| 32 | +3. Your data remains on private AWS networks |
| 33 | + |
| 34 | +However, organizations often need additional capabilities: |
| 35 | + |
| 36 | +* Access to Bedrock from outside AWS |
| 37 | +* Secure connections from other cloud providers |
| 38 | +* Private access from on-premises environments |
| 39 | + |
| 40 | +This is where Ockam comes helps. |
| 41 | + |
| 42 | +Read: “[How does Ockam work?](https://docs.ockam.io/how-does-ockam-work)” to learn about end-to-end trust establishment. |
| 43 | + |
| 44 | +<figure><img src="../../../../.gitbook/assets/aws marketplace (1).png" alt=""><figcaption></figcaption></figure> |
| 45 | + |
| 46 | +### PreRequisite |
| 47 | + |
| 48 | +* You have permission to subscribe and launch Cloudformation stack from AWS Marketplace on the AWS Account running Amazon Redshift. |
| 49 | +* Make sure AWS Bedrock is available in the region you are deploying the cloudformation template.  |
| 50 | + |
| 51 | +### Create an Orchestrator Project |
| 52 | + |
| 53 | +1. [Sign up for Ockam](https://www.ockam.io/download) and pick a subscription plan through the guided workflow on Ockam.io. |
| 54 | +2. Run the following commands to install Ockam Command and enroll with the Ockam Orchestrator. |
| 55 | + |
| 56 | +```bash |
| 57 | +curl --proto '=https' --tlsv1.2 -sSfL https://install.command.ockam.io | bash |
| 58 | +source "$HOME/.ockam/env" |
| 59 | + |
| 60 | +ockam enroll |
| 61 | +``` |
| 62 | + |
| 63 | +3. Control which identities are allowed to enroll themselves into your project by issuing unique one-time use enrollment tickets. Generate two enrollment tickets, one for the Outlet and one for the Inlet. |
| 64 | + |
| 65 | +```bash |
| 66 | +# Enrollment ticket for Ockam Outlet Node |
| 67 | +ockam project ticket --expires-in 10h --usage-count 1 \ |
| 68 | + --attribute amazon-bedrock-outlet \ |
| 69 | + --relay bedrock \ |
| 70 | + > "outlet.ticket" |
| 71 | + |
| 72 | +# Enrollment ticket for Ockam Inlet Node |
| 73 | +ockam project ticket --expires-in 10h --usage-count 1 \ |
| 74 | + --attribute amazon-bedrock-inlet --tls \ |
| 75 | + > "inlet.ticket" |
| 76 | +``` |
| 77 | + |
| 78 | +### Setup Ockam Bedrock Outlet Node |
| 79 | + |
| 80 | +* Login to AWS Account you would like to use |
| 81 | +* Subscribe to "Ockam - Node for Amazon Bedrock" in AWS Marketplace  |
| 82 | +* Navigate to `AWS Marketplace -> Manage subscriptions`. Select `Ockam - Node for Amazon Bedrock` from the list of subscriptions. Select `Actions-> Launch Cloudformation stack`  |
| 83 | +* Select the Region you want to deploy and click `Continue to Launch`. Under Actions, select `Launch Cloudformation` |
| 84 | +* Create stack with the following details |
| 85 | + * **Stack name**: `bedrock-ockam-outlet` or any name you prefer |
| 86 | + * Network Configuration |
| 87 | + * **VPC ID:** Choose a VPC ID where the VPC Endpoint for Bedrock and EC2 instance will be deployed. |
| 88 | + * **Subnet ID:** Select a suitable Subnet ID within the chosen VPC. |
| 89 | + * **EC2 Instance Type**: Default instance type is `m6a.large`. please use different instance types based on your use case. |
| 90 | + * Ockam Node Configuration |
| 91 | + * **Enrollment ticket**: Copy and paste the content of the `outlet.ticket` generated above |
| 92 | + * **JSON Node Configuration**: Copy and paste the below configuration. Note that the configuration values (relay, allow attribute) match with the enrollment tickets created in the previous step. `$BEDROCK_RUNTIME_ENDPOINT` will be replaced during runtime. |
| 93 | + |
| 94 | +```json |
| 95 | +{ |
| 96 | + "http-server-port": 23345, |
| 97 | + "relay": "bedrock", |
| 98 | + "tcp-outlet": { |
| 99 | + "to": "$BEDROCK_RUNTIME_ENDPOINT:443", |
| 100 | + "allow": "amazon-bedrock-inlet", |
| 101 | + "tls": true |
| 102 | + } |
| 103 | +} |
| 104 | +``` |
| 105 | + |
| 106 | +* Click Next to launch the CloudFormation run. |
| 107 | +* A successful CloudFormation stack run  |
| 108 | + * Creates a VPC Endpoint for Bedrock Runetime API |
| 109 | + * Configures an Ockam Bedrock Outlet node on an EC2 machine. |
| 110 | + * EC2 machine mounts an EFS volume created in the same subnet. Ockam state is stored in the EFS volume. |
| 111 | + * A security group with ingress access within the security group and egress access to the internet will be attached to the EC2 machine and VPC Endpoint. |
| 112 | +* Connect to the EC2 machine via AWS Session Manager.  |
| 113 | + * To view the log file, run `sudo cat /var/log/cloud-init-output.log`. |
| 114 | + * _Note: DNS Resolution for the EFS drive may take up to 10 minutes. The script will retry_ |
| 115 | + * A Successful run will show `Ockam node setup completed successfully` in the above log. |
| 116 | + * To view the status of Ockam node run `curl http://localhost:23345/show | jq` |
| 117 | +* View the Ockam node status in CloudWatch. |
| 118 | + * Navigate to `Cloudwatch -> Log Group` and select `bedrock-ockam-outlet-status-logs`. Select the Logstream for the EC2 instance.  |
| 119 | + * The Cloudformation template creates a subscription filter which sends data to a Cloudwatch alarm `bedrock-ockam-outlet-OckamNodeDownAlarm.`Alarm will turn green upon ockam node successfully running.  |
| 120 | +* An Autoscaling group keeps atleast one EC2 instance is running. |
| 121 | + |
| 122 | +Ockam bedrock outlet node setup is complete. You can now create Ockam bedrock inlet nodes in any network to establish secure communication. |
| 123 | + |
| 124 | +### Setup Bedrock Ockam Inlet Node |
| 125 | + |
| 126 | +You can set up an Ockam Bedrock Inlet Node locally using Docker. You can then use any library (aws cli, python, javascript etc) to access AWS Bedrock via Ockam inlet |
| 127 | + |
| 128 | +* Create a file named `docker-compose.yml` with the following content: |
| 129 | + |
| 130 | +```yaml |
| 131 | +services: |
| 132 | + ockam: |
| 133 | + image: ghcr.io/build-trust/ockam |
| 134 | + container_name: bedrock-inlet |
| 135 | + environment: |
| 136 | + ENROLLMENT_TICKET: ${ENROLLMENT_TICKET:-} |
| 137 | + OCKAM_DEVELOPER: ${OCKAM_DEVELOPER:-false} |
| 138 | + OCKAM_LOGGING: true |
| 139 | + OCKAM_LOG_LEVEL: debug |
| 140 | + ports: |
| 141 | + - "443:443" # Explicitly expose port 443 |
| 142 | + command: |
| 143 | + - node |
| 144 | + - create |
| 145 | + - --enrollment-ticket |
| 146 | + - ${ENROLLMENT_TICKET} |
| 147 | + - --foreground |
| 148 | + - --configuration |
| 149 | + - | |
| 150 | + tcp-inlet: |
| 151 | + from: 0.0.0.0:443 |
| 152 | + via: bedrock |
| 153 | + allow: amazon-bedrock-outlet |
| 154 | + tls: true |
| 155 | + network_mode: bridge |
| 156 | +``` |
| 157 | +
|
| 158 | +Run the following command from the same location as the `docker-compose.yml` and the `inlet.ticket` to create an Ockam bedrock inlet that can connect to the outlet running in AWS , along with psql client container.  |
| 159 | + |
| 160 | +```bash |
| 161 | +ENROLLMENT_TICKET=$(cat inlet.ticket) docker-compose up -d |
| 162 | +``` |
| 163 | + |
| 164 | +* Check status of Ockam inlet node. You will see `The node is UP` when ockam is configured successfully and ready to accept connection |
| 165 | + |
| 166 | +```bash |
| 167 | +docker exec -it bedrock-inlet /ockam node show |
| 168 | +``` |
| 169 | + |
| 170 | +* Find your Ockam project id and use it to create to endpoint to bedrock |
| 171 | + |
| 172 | + ```bash |
| 173 | + # Below command will find your ockam project id |
| 174 | + ockam project show --jq .id |
| 175 | + ``` |
| 176 | +* Construct bedrock endpoint url |
| 177 | + |
| 178 | +```bash |
| 179 | +https://ANY_STRING_YOU_LIKE.YOUR_PROJECT_ID.ockam.network |
| 180 | +``` |
| 181 | + |
| 182 | +* An example bedrock endpoint url will look like below |
| 183 | + |
| 184 | +```bash |
| 185 | +BEDROCK_ENDPOINT=https://bedrock-runtime.d8eafd41-ff3e-40ab-8dbe-936edbe3ad3c.ockam.network |
| 186 | +``` |
| 187 | + |
| 188 | +* Run below AWS CLI Command. |
| 189 | + |
| 190 | +{% hint style="info" %} |
| 191 | +NOTE:  |
| 192 | + |
| 193 | +1\) You should have `amazon-titan-text-lite-v1` model enabled on the Account/Region  |
| 194 | + |
| 195 | +2\) You need AWS Credentials for the account with permission to run the below command. |
| 196 | +{% endhint %} |
| 197 | + |
| 198 | +```bash |
| 199 | +export AWS_REGION=<YOUR_REGION> |
| 200 | +aws bedrock-runtime invoke-model \ |
| 201 | +--endpoint-url $BEDROCK_ENDPOINT \ |
| 202 | +--model-id amazon.titan-text-lite-v1 \ |
| 203 | +--body '{"inputText": "Describe the purpose of a \"hello world\" program in one line.", "textGenerationConfig" : {"maxTokenCount": 512, "temperature": 0.5, "topP": 0.9}}' \ |
| 204 | +--cli-binary-format raw-in-base64-out \ |
| 205 | +invoke-model-output-text.txt |
| 206 | +``` |
| 207 | + |
| 208 | +The above command should produce similar result |
| 209 | + |
| 210 | +```bash |
| 211 | +> cat invoke-model-output-text.txt |
| 212 | +{"inputTextTokenCount":15,"results":[{"tokenCount":26,"outputText":"\nThe purpose of a \"hello world\" program is to print the text \"hello world\" to the console.","completionReason":"FINISH"}]} |
| 213 | +``` |
| 214 | + |
| 215 | +* Cleanup |
| 216 | + |
| 217 | +```bash |
| 218 | +docker compose down --volumes --remove-orphans |
| 219 | +``` |
| 220 | + |
| 221 | +### **Summary**  |
| 222 | + |
| 223 | +This guide walked you through: |
| 224 | + |
| 225 | +* Understanding the security challenges of accessing Amazon Bedrock over the public internet |
| 226 | +* How VPC endpoints secure your Bedrock communications within AWS |
| 227 | +* Setting up Ockam to extend this security beyond AWS boundaries |
| 228 | +* Deploying and configuring both Outlet and Inlet nodes |
| 229 | +* Testing your secure connection with a simple Bedrock API call |
0 commit comments