Success Story: Streamlined Multi-Cloud Networking with Prosimo for Amazon Bedrock
Introduction

In an era where artificial intelligence (AI) and Generative AI are reshaping the technological landscape of the cloud, the demand for scalable, secure, and agile cloud networking has never been more critical. Generative AI workloads, with their dynamic connectivity, performance and security requirements and their constantly shifting resource needs, present both an opportunity and a challenge for cloud networking.

AI apps are different. Gen AI applications (e.g., Amazon Bedrock, Vertex AI, GitHub Copilot) need low-latency processing, rapid scaling and provisioning of app endpoints, heavy use of API gateways and serverless functions, and the ability to scale resources in response to fluctuating demand. Those characteristics call for a cloud networking platform that goes beyond conventional network architectures.

Prosimo is uniquely positioned for AI because the platform was built from the ground up on these principles: understanding the application/service layer and its dynamic scaling requirements, using machine learning for data-driven decisions, and deploying application endpoints quickly with cloud-native networking constructs. That lets cloud networking and CCoE teams build the technical foundation for developer self-service, and it makes Prosimo a platform of choice for Gen AI workloads. From virtualized resources and distributed computing to advanced networking features and AI firewalls with built-in Zero Trust profiles, Prosimo's AI Suite for Multi-Cloud Networking supports the unique demands of Gen AI.

Customers are serious about AI

Our customers frequently express interest in enabling their developers to explore the potential of Gen AI and machine learning.
Every organization is keen to stay ahead of the curve and is looking for ways to let its developers and application teams experiment with applications built on Gen AI. This urgency is echoed by Gartner, which predicts that over 80% of enterprises will have adopted Generative AI, through Generative AI APIs or deployed Generative AI-enabled applications, by 2026.

This technical brief looks at multi-cloud networking tailored to Gen AI workloads: the connectivity requirements, the security considerations (guardrails and compliance), developer self-service, and the approaches needed to support Gen AI workloads using Prosimo.

What are the customer requirements for Multi-Cloud Networking?

In our conversations with customers exploring Gen AI, the networking architecture and platform teams, developers, and technology partners raised several requirements as top priorities for a seamless, consistent connectivity framework across clouds, with a self-service experience and clearly implemented guardrails.

Operational Excellence and Rapid Deployment Framework

Scalability, a consistent architecture, and rapid provisioning of resources came across as fundamental requirements. Customers want to build a service connectivity mesh across clouds without having to worry about network connectivity dependencies, IP address management, route table propagation, or orchestration of cloud-native constructs (ALB, TGW, PrivateLink, etc.). The service connectivity layer should be detached from the underlying network, because AI workloads are dynamic and transient and rely heavily on APIs and serverless functions; provisioning network constructs for each new endpoint cannot keep pace with them.
Infrastructure as Code (IaC) compliance is a demand from organizations investing heavily in IaC. They want these environments to use established IaC tools such as Terraform.

Secure Framework, Guardrails, and Compliance

Security and privacy concerns came up because customers want to understand their cloud network and application communication patterns, so they can see where they are exposed to risk and whether they can implement guardrails that keep them compliant, prevent improper access to specific datasets, and establish an LLM access policy that restricts the use of public or open models lacking clear assurances about data privacy and non-public use of their data.

Self-Service

Developer self-service was highlighted as the top priority. The goal is for developers to have a seamless experience without hindrances to innovation. Platform and NetOps teams are acutely aware that their workload also covers other essential tasks.

Cost Compliance

Cost efficiency is critical, especially with hundreds or thousands of active developer environments for Generative AI. It is vital to show insights into cloud utilization, minimize the cost of each environment, and automatically decommission underused infrastructure to conserve resources.

Before we map the customer requirements to a deployment blueprint for Amazon Bedrock using Prosimo, let us orient you with Bedrock and its architecture. If you are familiar with how Bedrock works, please skip the next section.

What is Amazon Bedrock?

Amazon Bedrock is a managed AWS service that simplifies the consumption of Generative AI by making foundation models from Amazon and third-party providers available via API. Each provider's models run in a dedicated model deployment account that is owned and operated by AWS, not by the model provider.
Amazon Bedrock enables applications that generate text, images, audio, and synthetic data from prompts. What sets Bedrock apart is access to a range of foundation models from leading AI startups, including AI21, Anthropic, and Stability AI, as well as exclusive access to AWS's Titan family of foundation models. This variety lets AWS customers choose the most suitable model for their needs.

Key Advantages of Using Amazon Bedrock via AWS

Ease of Access: Amazon Bedrock provides a single API over a range of foundation models, making it simple to select and implement the model that best fits your project.
Speed and Efficiency: The service accelerates the development and deployment of generative AI applications, so you can bring ideas to fruition faster.
Scalability and Reliability: Built on AWS infrastructure, Bedrock lets your applications scale while maintaining high reliability.
Security: Bedrock inherits AWS's security controls (identity, network and data policies); configuring those controls for your generative AI applications remains your responsibility.
No Infrastructure Management: Bedrock's managed service model eliminates the complexities of managing the underlying infrastructure, enabling you to
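The LLM access policy requirement raised above (only vetted models, over a private path) can be expressed directly on the consuming VPC. The Terraform below is an added example, not code from this brief or from Prosimo's product: it places a VPC interface endpoint for the Bedrock runtime in private subnets and attaches an endpoint policy that allows invocation only of an allow-listed set of foundation models by principals from the customer's own account. The region, account id, VPC/subnet ids and the two model identifiers are placeholders I chose; the service name com.amazonaws.<region>.bedrock-runtime, the bedrock:InvokeModel actions and the foundation-model ARN format are the real AWS names.

```hcl
# Added example (not from the original post or Prosimo): a private Bedrock
# runtime endpoint whose endpoint policy acts as an LLM allow-list.
# Region, account id, VPC/subnet ids and model ids are placeholders.

variable "region"     { default = "us-east-1" }                 # placeholder
variable "account_id" { default = "111122223333" }              # placeholder
variable "vpc_id"     { default = "vpc-0123456789abcdef0" }     # placeholder
variable "vpc_cidr"   { default = "10.20.0.0/16" }              # placeholder
variable "private_subnet_ids" {
  default = ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"]
}

# Models developers may call. Anything not listed is denied at the endpoint,
# regardless of what the caller's own IAM identity policy allows.
locals {
  allowed_models = [
    "anthropic.claude-3-haiku-20240307-v1:0", # placeholder choice
    "amazon.titan-text-express-v1",           # placeholder choice
  ]
  allowed_model_arns = [
    for m in local.allowed_models :
    "arn:aws:bedrock:${var.region}::foundation-model/${m}"
  ]
}

# Only hosts inside the VPC may reach the endpoint, and only over TLS.
resource "aws_security_group" "bedrock_endpoint" {
  name        = "bedrock-runtime-endpoint"
  description = "HTTPS from the VPC to the Bedrock runtime endpoint"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "bedrock_runtime" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${var.region}.bedrock-runtime"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.private_subnet_ids
  security_group_ids = [aws_security_group.bedrock_endpoint.id]

  # Resolve bedrock-runtime.<region>.amazonaws.com to the endpoint ENIs so
  # unmodified SDK clients stay on the private path.
  private_dns_enabled = true

  # Endpoint policy: the guardrail. Deny by default; allow InvokeModel on the
  # allow-listed models, and only for principals belonging to this account.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowApprovedModelsFromThisAccount"
      Effect    = "Allow"
      Principal = "*"
      Action = [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream",
      ]
      Resource = local.allowed_model_arns
      Condition = {
        StringEquals = { "aws:PrincipalAccount" = var.account_id }
      }
    }]
  })

  tags = { Name = "bedrock-runtime-private" }
}
```

The endpoint policy is a second, independent gate in front of IAM: a developer whose role allows bedrock:InvokeModel on "*" still cannot reach an unlisted model through this endpoint. Two caveats: if developers use cross-region inference profiles, those ARNs (the inference-profile resource type) must be added to the list or the endpoint denies them, and the policy controls the private path only, so pair it with an identity-side policy or an SCP if you also need to stop calls that bypass the VPC.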
Adapting to Azure’s New VM Outbound Access Defaults: Get the right architecture in place
TL;DR: "On 30 September 2025, default outbound access connectivity for virtual machines in Azure will be retired." Read more about the Azure changes here.

Introduction

Azure is changing its VM outbound access defaults, a significant change that could affect many users. The retirement applies to VMs created after that date: new VMs that need Internet access must have an explicit outbound method (a NAT Gateway, a load balancer outbound rule, a directly attached public IP, or a firewall route), while existing VMs that rely on default outbound access are not cut off but should be migrated. This post looks at the challenges this transition poses and how Prosimo helps you prepare for them.

Windows Activation & Updates

VMs in Azure depend on public connectivity for essential functions such as activation and updates. Without an explicit outbound path, the new defaults break these processes, leaving systems unpatched and exposed.

Dependency Failures

Many systems talk to other systems, public APIs, and various endpoints. Losing outbound access causes those dependencies to fail, disrupting operations and data flow.

Increasing Complexity

Adding NAT Gateways, route tables, and routes to provide explicit outbound access complicates network setups, increasing administrative overhead and the chance of errors.

Review Imperative

With Azure's changes, it is crucial to review deployment pipelines and applications to confirm they keep uninterrupted Internet access where they need it, so nothing breaks unexpectedly.

Common Approaches and Challenges

A typical response is to direct traffic through regional firewalls. The dynamic nature of cloud environments makes this hard, especially for network and security teams that are already stretched.

How Prosimo helps you prepare for these changes

Prosimo offers solutions to address these challenges:

Default Internet Route via Prosimo: Eliminate the need for public IPs on your VMs.
Direct Internet access from your private subnets through Prosimo for egress, and manage remote user access via Prosimo Private Proxy for ingress when needed.
Spoke-less Architecture with Private Link: Simplify your network architecture while maintaining secure and private connectivity.
Per-flow Service Insertion: Gain granular control over your network flows, improving security and efficiency.
Route Orchestration and Management: Simplify the management of your network routes, reducing complexity and administrative burden.

Conclusion

The upcoming shift in Azure VM outbound access defaults is a significant change, but it doesn't have to disrupt your operations. Understanding the challenges and equipping yourself with the right tools and strategies, such as those offered by Prosimo, lets you navigate this transition smoothly. Reach out to see how Prosimo can help you adapt to these changes.
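For teams that handle the change natively rather than through a platform, the minimum fix is to give the VM subnet an explicit outbound method. The Terraform below is an added example, not part of this post or of Prosimo's product: it shows a subnet that would otherwise rely on default outbound access, opts it out of that implicit path, and attaches a NAT Gateway with a single static public IP so VMs keep private addresses only. Resource names, the location and the address ranges are placeholders I chose; the default_outbound_access_enabled subnet argument needs a recent azurerm 3.x provider (I assume >= 3.105).

```hcl
# Added example (not from the original post or Prosimo): replace Azure's
# implicit default outbound access with an explicit NAT Gateway on the VM
# subnet. Names, location and address ranges are placeholders.

terraform {
  required_providers {
    # Assumption: a provider version that knows default_outbound_access_enabled.
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.105" }
  }
}
provider "azurerm" { features {} }

resource "azurerm_resource_group" "rg" {
  name     = "rg-outbound-example"  # placeholder
  location = "westeurope"           # placeholder
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-app"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.50.0.0/16"]
}

# Before the change, a subnet with no public IP, NAT Gateway or load balancer
# outbound rule silently used default outbound access. After the retirement,
# new VMs placed in such a subnet have no Internet path for activation/updates.
resource "azurerm_subnet" "vms" {
  name                 = "snet-vms"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.50.1.0/24"]

  # Opt out of the implicit path now, so behaviour is identical before and
  # after the retirement date and nothing depends on it by accident.
  default_outbound_access_enabled = false
}

# Explicit egress: one static public IP fronting a NAT Gateway. VMs keep
# private IPs only; this path cannot be used for inbound connections.
resource "azurerm_public_ip" "nat" {
  name                = "pip-natgw"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_nat_gateway" "egress" {
  name                    = "natgw-app"
  location                = azurerm_resource_group.rg.location
  resource_group_name     = azurerm_resource_group.rg.name
  sku_name                = "Standard"
  idle_timeout_in_minutes = 4
}

resource "azurerm_nat_gateway_public_ip_association" "egress" {
  nat_gateway_id       = azurerm_nat_gateway.egress.id
  public_ip_address_id = azurerm_public_ip.nat.id
}

resource "azurerm_subnet_nat_gateway_association" "vms" {
  subnet_id      = azurerm_subnet.vms.id
  nat_gateway_id = azurerm_nat_gateway.egress.id
}

# The single source address your updates and API calls now come from; use it
# for partner allow-lists instead of per-VM public IPs.
output "egress_ip" { value = azurerm_public_ip.nat.ip_address }
```

A NAT Gateway restores connectivity but not destination control: every VM in the subnet can reach any Internet address. If the review described above finds that only Windows Update, a package mirror and a few APIs are needed, add NSG outbound rules or route the subnet through a firewall in addition to, not instead of, the explicit egress.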
Maximizing Collaboration with Business Partners: Extending Business Applications and PaaS through AWS PrivateLink
As organizations strive to make business-critical applications accessible to business partners, they grapple with secure connectivity and privacy issues. Network routing constructs such as AWS Transit Gateways, Layer 3 virtual routers, hub-and-spoke architectures, or VPC peering make it complex to extend enterprise applications (financial tools, database access, Platform as a Service) to business partners because of inherent gaps: IP address overlap, route table limits, throughput requirements, route propagation, day-2 operational challenges for TGW, and permission issues in partner cloud subscriptions. Furthermore, these resources are frequently exposed over VPN to maintain security, or over the Internet with IP/source allow-listing to avoid VPN connectivity issues; the latter creates security exposure and performance bottlenecks. The prevailing approach to connectivity therefore leaves 'security potholes' and disrupts the smooth operation of the business.

AWS PrivateLink offers private connectivity between Virtual Private Cloud (VPC) resources and AWS services. Commonly used services include S3, RDS, DynamoDB, EFS, and Fargate. Using AWS PrivateLink, enterprises can better meet regulatory requirements that call for private network connections for specific data types or workloads. Beyond its security advantages, AWS PrivateLink simplifies inter-business collaboration by providing private access to VPC resources such as financial assets, wealth management tools, and databases. Organizations can use AWS PrivateLink to establish a private link between their VPCs and their partners', enabling private sharing of resources and data.
Consequently, data security and confidentiality are strengthened, reducing the risk of data breaches. In this blog, I will take a closer look at how AWS PrivateLink helps solve connectivity challenges for business partners that need access to native AWS services and enterprise assets, the operational gaps enterprises typically run into, and how they are solved through Prosimo's Full Stack Cloud-native Transit platform.

AWS PrivateLink

AWS PrivateLink provides reliable, fast connectivity between resources in client-managed AWS VPCs without traversing the public Internet. Traffic stays on the AWS network, but PrivateLink is not itself an encryption layer: in-transit encryption comes from TLS on the service behind it, which RDS, S3 and your own HTTPS applications all support. Because the consumer side only sees an endpoint network interface in its own subnet, PrivateLink also eliminates the risk of IP address conflicts between the networks on either side of the connection. More technical details on AWS PrivateLink are found here.

Benefits of using AWS PrivateLink

Enhanced Security – With AWS PrivateLink, you access AWS services and third-party services privately without going over the Internet, reducing exposure to unauthorized access and other threats.
Reduced Latency – Since traffic stays within the AWS network and never crosses the public Internet, AWS PrivateLink reduces latency, giving faster access to AWS services with high bandwidth.
Cost-Effective – AWS PrivateLink can replace VPN connections or Network Address Translation (NAT) gateways for reaching AWS services, although interface endpoints carry their own hourly and data-processing charges.
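The cross-account partner case that the rest of this post describes maps onto two PrivateLink controls that are worth seeing concretely: the provider decides which principals may connect, and each connection still has to be accepted. The Terraform below is an added example, not code from this post or from Prosimo's platform. It publishes an enterprise application sitting behind an internal Network Load Balancer as an endpoint service restricted to one partner account, and then, under a second provider alias standing in for the partner's account, creates the consumer endpoint and accepts it. Account ids, the NLB ARN, VPC/subnet ids, CIDRs and the assume-role ARN are placeholders I chose.

```hcl
# Added example (not from the original post or Prosimo): sharing an enterprise
# application with one partner over AWS PrivateLink, with explicit control of
# who may connect. All ids, ARNs, CIDRs and names are placeholders.

provider "aws" { region = "us-east-1" } # enterprise (provider side)

provider "aws" {                          # partner (consumer side), assumed
  alias  = "partner"                      # role is a placeholder
  region = "us-east-1"
  assume_role { role_arn = "arn:aws:iam::444455556666:role/terraform" }
}

variable "partner_account_id" { default = "444455556666" } # placeholder

# The application already runs behind an internal NLB (TCP/443 listener so
# TLS terminates in the application; PrivateLink carries bytes, the app
# supplies the encryption). Placeholder ARN.
variable "app_nlb_arn" {
  default = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/wealth-portal/0123456789abcdef"
}

# ---- Enterprise account: publish the service -----------------------------
resource "aws_vpc_endpoint_service" "wealth_portal" {
  network_load_balancer_arns = [var.app_nlb_arn]

  # Two independent gates: only listed principals may create an endpoint at
  # all, and every connection request still needs explicit acceptance.
  acceptance_required = true
  allowed_principals  = ["arn:aws:iam::${var.partner_account_id}:root"]

  tags = { Name = "wealth-portal-endpoint-service" }
}

# ---- Partner account: consume it -----------------------------------------
# The partner never learns the enterprise VPC CIDR and may overlap it freely:
# PrivateLink does not route between the two VPCs, it only exposes an ENI.
variable "partner_vpc_id"     { default = "vpc-0f0f0f0f0f0f0f0f0" }
variable "partner_vpc_cidr"   { default = "10.0.0.0/16" } # may overlap ours
variable "partner_subnet_ids" { default = ["subnet-0a0a0a0a0a0a0a0a0"] }

resource "aws_security_group" "portal_endpoint" {
  provider = aws.partner
  name     = "wealth-portal-endpoint"
  vpc_id   = var.partner_vpc_id

  ingress {                        # only partner-VPC hosts, only HTTPS
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.partner_vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "wealth_portal" {
  provider           = aws.partner
  vpc_id             = var.partner_vpc_id
  service_name       = aws_vpc_endpoint_service.wealth_portal.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.partner_subnet_ids
  security_group_ids = [aws_security_group.portal_endpoint.id]
}

# ---- Enterprise account: accept this one connection ----------------------
resource "aws_vpc_endpoint_connection_accepter" "partner" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.wealth_portal.id
  vpc_endpoint_id         = aws_vpc_endpoint.wealth_portal.id
}

# Hand this to the partner's application team; it is the only address they
# need, and it lives in their own subnet.
output "partner_side_dns" {
  value = aws_vpc_endpoint.wealth_portal.dns_entry[0].dns_name
}
```

Compare this with the IP allow-listing approach the post goes on to describe: the trust decision moves from "which source addresses" (which the partner controls and can change) to "which AWS principal" (which the partner cannot spoof), and revoking a partner is removing one entry from allowed_principals or rejecting the connection rather than editing security group rules on every exposed application.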
Compliance – AWS PrivateLink can help you comply with regulatory requirements that mandate private network connections for certain types of data or workloads.

Enabling Seamless Access to Fortune 500 Enterprise Cloud Applications for Business Partners with Prosimo and AWS PrivateLink

I recently got an opportunity to work with an enterprise whose core use case was to allow trusted third-party partners access to sensitive data and critical business applications, including financial apps, wealth management portals, RDS, and S3 storage. In the first few architecture sessions, we discovered critical operational gaps with traditional IP-layer networking that customers were left to resolve themselves when making core services available to business partners:

Making target services (RDS, S3, EC2/Lambda) available to business partners across AWS accounts in different regions
Source apps and networks in partners' AWS accounts that need private connectivity to enterprise financial apps, for example wealth management portals and other banking systems
Conflicting or overlapping IP ranges. You control what you own, but not the IP scheme your partners use.
Non-AWS clouds (Azure, GCP, and others) that need connectivity to the same services and apps in AWS
Little to no visibility and security control over who has access to what

To shorten time to value, the enterprise had deployed an architecture using traditional IP-layer connectivity approaches in the cloud, including:

A VPN between the enterprise assets in AWS and the business partner cloud workloads, using IP-layer solutions from the marketplace built on virtual routers
Making the apps publicly available and allow-listing IP addresses, with all the heavy lifting of managing security group ACLs to allow or deny business partners

The initial implementation functioned satisfactorily as an MVP for a select group of partners.
However, as the range of their services expanded, operational management became increasingly challenging. This included basic tasks such as IP/source allow-listing for partners and adding them to security group ACLs, route table management, route propagation, and adding or deleting route entries. Other challenges involved throughput limits, the number of route entries, and keeping the VPN operational and compliant with regulations and encryption standards. Moreover, managing IP overlap with Network Address Translation (NAT) introduced further complexity. This approach hindered their ability to scale swiftly, launch modern applications for partners in the marketplace, and handle service tickets efficiently to maintain connectivity to existing applications and services.

How Prosimo orchestrates AWS PrivateLink to connect business partners

With Prosimo's Cloud-native Networking suite, they could use the cloud-native peering option appropriate to each endpoint to attach their workloads and AWS services: EC2 instances, networks, IP endpoints, and HTTP and TCP applications are connected using Transit Gateway attachments, while AWS services (S3, RDS, DynamoDB, Fargate, etc.) are attached using PrivateLink endpoints. The benefit of this approach is that every endpoint is treated according to its type. Prosimo provided them with an orchestration and abstraction suite using a SaaS control plane to provision TGW, VPC attachments to TGW, Route table