The Customer Hosted VPC deployment model provides maximum data isolation by keeping your data plane within your own AWS environment while Capsule Security manages the control plane.
Your data remains in your AWS account with full control over:
- Amazon RDS - All application data stored in your managed PostgreSQL database
- Amazon Bedrock - AI/ML inference runs within your AWS environment
- Network Controls - Your VPC, your security groups, your rules
Capsule Security operates a dedicated, isolated control plane environment:
- Stateless Architecture - No customer data stored in the control plane
- Dedicated Environment - Isolated infrastructure per customer
- Managed by Capsule - Full operational responsibility by Capsule's SRE team
Capsule provides a CloudFormation template that provisions all required resources in your AWS account:
┌─────────────────────────────────────────────────────────────┐
│ Customer AWS Account │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Customer VPC │ │
│ │ │ │
│ │ ┌─────────────┐ ┌─────────────────────┐ │ │
│ │ │ Amazon │ │ Amazon Bedrock │ │ │
│ │ │ RDS │ │ (AI Inference) │ │ │
│ │ │ PostgreSQL │ │ │ │ │
│ │ └─────────────┘ └─────────────────────┘ │ │
│ │ │ │
│ │ ┌────────────────────────────────────────────────┐ │ │
│ │ │ VPC Endpoint / PrivateLink │ │ │
│ │ └────────────────────────────────────────────────┘ │ │
│ └───────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
Secure Connection
│
┌─────────────────────────────────────────────────────────────┐
│ Capsule AWS Account │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ Dedicated Control Plane (Stateless) │ │
│ │ │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌──────────┐ │ │
│ │ │ API │ │ Policy │ │Monitoring│ │ │
│ │ │ Gateway │ │ Engine │ │ & Alerts │ │ │
│ │ └─────────────┘ └─────────────┘ └──────────┘ │ │
│ └───────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘The CloudFormation template creates:
| Resource | Purpose |
|---|---|
| VPC Subnets | Private subnets for data plane components |
| Security Groups | Network access controls |
| Amazon RDS (PostgreSQL) | Application database |
| IAM Roles | Service permissions |
| VPC Endpoints | Secure connectivity to Capsule control plane |
| CloudWatch Log Groups | Local logging |
- Receive CloudFormation Template - Capsule provides a customized template for your deployment
- Review Parameters - Configure VPC CIDR, instance sizes, and backup settings
- Deploy Stack - Launch the CloudFormation stack in your AWS account
- Establish Connectivity - VPC peering or PrivateLink connection is configured
- Validation - Capsule SRE team verifies connectivity and performs health checks
With Customer Hosted VPC, your data never leaves your AWS account:
- Database - All persistent data stored in your RDS instance
- AI Processing - Bedrock inference runs in your account
- Logs - Application logs remain in your CloudWatch
- Backups - RDS snapshots stored in your account
The Capsule control plane only processes metadata and orchestration commands—no customer data is transmitted or stored outside your environment.
Even with data in your VPC, Capsule provides full operational support:
| Service | Description |
|---|---|
| 24/7 Monitoring | Continuous health monitoring of all components |
| Incident Response | Rapid response to alerts and issues |
| Upgrades | Zero downtime upgrades with coordinated upgrade windows |
| Maintenance | Regular security patches and optimizations |
| Support | Direct access to Capsule support and SRE teams |
| Area | Responsibility |
|---|---|
| AWS Account | Maintain AWS account and billing |
| Network | Manage VPC networking and firewall rules |
| Access | Control IAM access to your AWS resources |
| Compliance | Ensure AWS account meets your compliance requirements |
- Private Subnets - All data plane components in private subnets
- No Public Access - No direct internet access to data plane
- PrivateLink - Secure AWS backbone connectivity to control plane
- Encryption in Transit - TLS 1.3 for all communications
- Encryption at Rest - RDS encryption with AWS KMS
- Customer-Managed Keys - Option to use your own KMS keys
- Network Isolation - Data never traverses public internet
- Role-Based Access Control (RBAC) - Granular permissions for users and teams
- Single Sign-On (SSO) - Enterprise SSO integration support
- Full Audit Logging - Comprehensive audit trail of all user actions and system events
- SOC 2 Type 2 - Certified across all deployment models
- ISO 27001 - Information security management compliance
- GDPR - General Data Protection Regulation compliance
- Data Residency - Data remains in your chosen AWS region
Before deployment, ensure you have:
- AWS account with appropriate permissions
- VPC with available CIDR ranges
- AWS Service Quotas for RDS and Bedrock
- Network connectivity options (VPC peering or PrivateLink)
Contact the Capsule team to begin your Customer Hosted VPC deployment:
- Architecture Review - Discuss your requirements and AWS environment
- Template Customization - Receive a CloudFormation template tailored to your needs
- Deployment Planning - Schedule deployment with our SRE team
- Go Live - Deploy and validate your environment
Contact us at support@capsule.security to get started.