
Network Architecture

VAMS supports multiple network deployment configurations to accommodate commercial AWS, AWS GovCloud, and restricted (VPC-isolated) environments. This page describes the network topology for each deployment mode, the VPC configuration options, the VPC endpoints, and the subnet architecture.

Deployment Modes

Amazon CloudFront Deployment (Commercial AWS)

The default deployment mode uses Amazon CloudFront as the global content delivery network for both the web application and API requests.

CloudFront Network Architecture

In this mode:

  • Amazon CloudFront serves the React web application from an Amazon S3 origin bucket
  • API requests are proxied through Amazon CloudFront to Amazon API Gateway V2
  • An optional AWS WAF Web ACL (deployed in us-east-1) protects the distribution
  • Custom domain names are supported via useCloudFront.customDomain configuration with an AWS Certificate Manager certificate and optional Amazon Route 53 hosted zone

Application Load Balancer Deployment (GovCloud / ALB Mode)

For AWS GovCloud or environments requiring an Application Load Balancer, VAMS deploys an ALB as the entry point.

ALB Network Architecture

In this mode:

  • An Application Load Balancer serves the web application and proxies API requests
  • The ALB requires a domain host name and an AWS Certificate Manager certificate ARN
  • The ALB can be deployed in public or private subnets (useAlb.usePublicSubnet)
  • An optional AWS WAF Web ACL (regional) protects the ALB
  • VPC is required (useGlobalVpc.enabled = true)

VPC-Isolated Deployment (GovCloud)

For restricted environments, GovCloud deployments can use full VPC isolation with all AWS service access routed through VPC endpoints and no internet egress.

VPC Configuration Options

VAMS supports three VPC modes:

| Mode | Configuration | Description |
|---|---|---|
| No VPC | useGlobalVpc.enabled = false | Default for commercial. Lambda functions run outside the VPC. |
| VAMS-Managed VPC | useGlobalVpc.enabled = true, no optionalExternalVpcId | VAMS creates a new VPC with the configured CIDR range. |
| External VPC Import | useGlobalVpc.enabled = true + optionalExternalVpcId | VAMS imports an existing VPC and the specified subnets. |

VAMS-Managed VPC Configuration

When VAMS creates its own VPC, the following subnet types are provisioned:

| Subnet Type | CIDR Mask | Purpose | Always Created |
|---|---|---|---|
| Isolated (PRIVATE_ISOLATED) | /23 (510 usable IPs) | Lambda functions, VPC endpoints | Yes |
| Private (PRIVATE_WITH_EGRESS) | /26 (62 usable IPs) | Pipeline compute (AWS Batch with NAT Gateway) | Conditional |
| Public | /26 (62 usable IPs) | ALB, pipeline compute requiring internet | Conditional |

Private and public subnets are created when any of the following are enabled:

  • ALB with public subnet (useAlb.usePublicSubnet)
  • RapidPipeline ECS or EKS
  • ModelOps pipeline
  • Splat Toolbox pipeline
  • Isaac Lab Training pipeline
  • NVIDIA Cosmos pipeline (Predict, Reason, or Transfer)

Availability Zone Configuration

The number of availability zones is determined by the deployment configuration:

| Condition | AZ Count |
|---|---|
| Amazon OpenSearch Service (Provisioned) | 3 AZs |
| ALB enabled, or all Lambdas in VPC, or RapidPipeline EKS | 2 AZs |
| Pipeline-only (no ALB, no all-Lambda VPC) | 1 AZ |

External VPC Import

When importing an existing VPC, subnet IDs must be provided for each subnet type:

| Configuration | Description |
|---|---|
| optionalExternalVpcId | VPC ID to import |
| optionalExternalIsolatedSubnetIds | Comma-separated isolated subnet IDs |
| optionalExternalPrivateSubnetIds | Comma-separated private subnet IDs |
| optionalExternalPublicSubnetIds | Comma-separated public subnet IDs |

Context Loading

When importing a VPC, you may need to run an initial cdk synth with loadContextIgnoreVPCStacks = true to populate the CDK context with VPC metadata before the full deployment.

VPC Endpoints

When useGlobalVpc.addVpcEndpoints = true, VAMS creates VPC endpoints to enable AWS service access from isolated subnets without internet connectivity.

Gateway Endpoints (No Cost)

These gateway endpoints are always created when VPC endpoints are enabled:

| Endpoint | Service | Subnets |
|---|---|---|
| Amazon S3 | GatewayVpcEndpointAwsService.S3 | Isolated |
| Amazon DynamoDB | GatewayVpcEndpointAwsService.DYNAMODB | Isolated |

Common Interface Endpoints

These interface endpoints are always created when VPC endpoints are enabled:

| Endpoint | Service | Purpose |
|---|---|---|
| Amazon API Gateway | APIGATEWAY | API Gateway invocations |
| AWS Systems Manager (SSM) | SSM | Parameter Store access |
| AWS Lambda | LAMBDA | Lambda-to-Lambda invocations |
| AWS STS | STS | Credential federation |
| Amazon CloudWatch Logs | CLOUDWATCH_LOGS | Log delivery |
| AWS Step Functions | STEP_FUNCTIONS | Workflow execution |
| Amazon SNS | SNS | Event notifications |
| Amazon SQS | SQS | Queue operations |

Conditional Interface Endpoints

These endpoints are created based on the deployment configuration:

| Endpoint | Condition | Purpose |
|---|---|---|
| AWS KMS | useKmsCmkEncryption.enabled | KMS key operations |
| AWS KMS (FIPS) | useKmsCmkEncryption.enabled + useFips | FIPS-compliant KMS |
| AWS Batch | Any pipeline enabled | Pipeline job submission |
| Amazon ECR API | Any pipeline enabled | Container image registry |
| Amazon ECR Docker | Any pipeline enabled | Container image pulls |
| Amazon EFS | NVIDIA Cosmos enabled | Model cache file system |
| Amazon ECS | Pipeline with compute needs | Container orchestration |
| Amazon ECS Agent | Isaac Lab Training | ECS agent communication |
| Amazon ECS Telemetry | Isaac Lab Training | ECS telemetry |
| Amazon Bedrock Runtime | GenAI Metadata + all Lambdas in VPC | AI model invocation |
| Amazon Rekognition | GenAI Metadata + all Lambdas in VPC | Image analysis |

Pipeline-Required Endpoints

The following endpoints are created when any of these pipelines are enabled: Point Cloud Potree Viewer, 3D Preview Thumbnail, GenAI Metadata Labeling, RapidPipeline (ECS/EKS), ModelOps, Splat Toolbox, Isaac Lab Training, or NVIDIA Cosmos (Predict, Reason, Transfer).

  • AWS Batch
  • Amazon ECR API
  • Amazon ECR Docker

ECS Endpoint Consolidation

Only one Amazon ECS interface endpoint can exist per VPC when private DNS is enabled. VAMS consolidates ECS endpoint subnets across pipeline types, with private subnets taking priority over isolated subnets when both are needed.
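The following is an added example, not VAMS code: a small planner that applies the conditional-endpoint rules from the tables above and the ECS consolidation rule (one shared ECS endpoint, private subnets winning over isolated). The configuration field names, the pipeline names, and which pipeline requests which ECS subnet are assumptions.

```typescript
type SubnetKind = "isolated" | "private";

interface PipelineSpec {
  name: string;            // assumed names, e.g. "potreeViewer", "isaacLab", "cosmos"
  ecsSubnet?: SubnetKind;  // set when the pipeline needs the ECS endpoint
}

interface NetworkConfig {
  useKmsCmkEncryption: boolean;
  useFips: boolean;
  allLambdasInVpc: boolean;
  genAiMetadata: boolean;
  pipelines: PipelineSpec[];
}

// Interface endpoints that are always created when endpoints are enabled.
const COMMON_ENDPOINTS = ["APIGATEWAY", "SSM", "LAMBDA", "STS",
  "CLOUDWATCH_LOGS", "STEP_FUNCTIONS", "SNS", "SQS"];

// Returns endpoint name -> subnet type it is placed in.
export function planInterfaceEndpoints(c: NetworkConfig): Map<string, SubnetKind> {
  const plan = new Map<string, SubnetKind>();
  const add = (...names: string[]) => names.forEach(n => plan.set(n, "isolated"));
  const has = (name: string) => c.pipelines.some(p => p.name === name);

  add(...COMMON_ENDPOINTS);
  if (c.useKmsCmkEncryption) {
    add("KMS");
    if (c.useFips) add("KMS_FIPS");
  }
  if (c.pipelines.length > 0) add("BATCH", "ECR", "ECR_DOCKER");
  if (has("cosmos")) add("EFS");
  if (has("isaacLab")) add("ECS_AGENT", "ECS_TELEMETRY");
  if (c.genAiMetadata && c.allLambdasInVpc) add("BEDROCK_RUNTIME", "REKOGNITION");

  // Only one ECS interface endpoint can exist per VPC with private DNS on,
  // so every pipeline that needs one shares it; private beats isolated.
  const ecsNeeds = c.pipelines
    .map(p => p.ecsSubnet)
    .filter((s): s is SubnetKind => s !== undefined);
  if (ecsNeeds.length > 0) {
    plan.set("ECS", ecsNeeds.indexOf("private") >= 0 ? "private" : "isolated");
  }
  return plan;
}
```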

Security Groups

VPC Endpoint Security Group

A single security group is created for all VPC endpoints with the following rules:

| Direction | Protocol | Port | Source | Purpose |
|---|---|---|---|---|
| Ingress | TCP | 443 | VPC CIDR | HTTPS access to endpoints |
| Ingress | TCP | 53 | VPC CIDR | DNS resolution for ECR |
| Ingress | UDP | 53 | VPC CIDR | DNS resolution for ECR |
| Egress | All | All | 0.0.0.0/0 | Allow all outbound |

Pipeline Security Groups

Each pipeline construct creates its own security group with VPC CIDR-based ingress rules for communication between AWS Batch compute environments and VPC endpoints.

VPC Flow Logs

When VAMS creates a managed VPC, VPC flow logs are automatically enabled:

| Setting | Value |
|---|---|
| Destination | Amazon CloudWatch Logs |
| Traffic Type | ALL |
| Log Group | /aws/vendedlogs/VAMSCloudWatchVPCLogs-{hash} |
| Retention | 10 years |

DNS Configuration

All interface VPC endpoints are created with privateDnsEnabled: true. This allows Lambda functions and containers within the VPC to use standard AWS service hostnames (e.g., dynamodb.us-east-1.amazonaws.com) without custom DNS configuration. The VPC endpoint private DNS automatically resolves these hostnames to the endpoint's private IP addresses.

VAMS VPCs are created with:

  • enableDnsHostnames: true
  • enableDnsSupport: true

FIPS Endpoint Usage

When useFips = true, the partition-aware service helper (service-helper.ts) automatically resolves FIPS-compliant hostnames for all AWS service calls. This is achieved through the SERVICE_LOOKUP table in const.ts, which maps each service to its standard and FIPS hostname per partition.

For example:

| Service | Standard Hostname | FIPS Hostname |
|---|---|---|
| Amazon S3 | s3.{region}.amazonaws.com | s3-fips.{region}.amazonaws.com |
| Amazon DynamoDB | dynamodb.{region}.amazonaws.com | dynamodb-fips.{region}.amazonaws.com |
| AWS STS | sts.{region}.amazonaws.com | sts-fips.{region}.amazonaws.com |

GovCloud FIPS

In AWS GovCloud, all endpoints are inherently FIPS-compliant. The API Gateway endpoint URL always uses the non-FIPS variant regardless of the useFips setting, as documented by AWS.
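As an added example (not the project's service-helper.ts or const.ts), the following shows the lookup pattern described above: a per-partition table of standard and FIPS hostname templates, a resolver that substitutes the region and honours useFips, and the API Gateway rule that the non-FIPS hostname is always used. The three service rows come from the table above; the apigateway row, the region-to-partition rule, and the reuse of the same templates for aws-us-gov are assumptions.

```typescript
type Partition = "aws" | "aws-us-gov";

// A service without a fips template never gets a FIPS hostname.
interface HostnamePattern { standard: string; fips?: string }

// {region} is substituted at resolve time, as in the table above.
const PATTERNS: Record<string, HostnamePattern> = {
  s3:       { standard: "s3.{region}.amazonaws.com",       fips: "s3-fips.{region}.amazonaws.com" },
  dynamodb: { standard: "dynamodb.{region}.amazonaws.com", fips: "dynamodb-fips.{region}.amazonaws.com" },
  sts:      { standard: "sts.{region}.amazonaws.com",      fips: "sts-fips.{region}.amazonaws.com" },
  // Assumed hostname form. No fips template: the non-FIPS variant is always
  // used for API Gateway regardless of useFips, per the GovCloud FIPS note.
  apigateway: { standard: "apigateway.{region}.amazonaws.com" },
};

// Per-partition lookup. The page lists no GovCloud-specific hostnames, so
// the same templates are assumed for aws-us-gov here.
const SERVICE_LOOKUP: Record<Partition, Record<string, HostnamePattern>> = {
  "aws": PATTERNS,
  "aws-us-gov": PATTERNS,
};

// Assumption: GovCloud regions are the ones prefixed us-gov-.
export function partitionForRegion(region: string): Partition {
  return region.startsWith("us-gov-") ? "aws-us-gov" : "aws";
}

export function resolveHostname(service: string, region: string, useFips: boolean): string {
  const partition = partitionForRegion(region);
  const entry = SERVICE_LOOKUP[partition][service];
  if (!entry) {
    throw new Error(`no SERVICE_LOOKUP entry for ${service} in partition ${partition}`);
  }
  const template = useFips && entry.fips ? entry.fips : entry.standard;
  return template.replace("{region}", region);
}
```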
