# Customer Hosted VPC (AWS)

The Customer Hosted VPC deployment model provides maximum data isolation by keeping your data plane within your own AWS environment while Capsule Security manages the control plane.

## Architecture Overview

![Customer Hosted VPC Architecture](/assets/deployment-customer-vpc.cb64e87e3cb82d87dbe9983be8f815e94da1ce616bca69f94fd301cce1356572.9c1bb791.png)

### Data Plane (Customer VPC)

Your data remains in your AWS account with full control over:

- **Amazon RDS** - All application data stored in your managed PostgreSQL database
- **Amazon Bedrock** - AI/ML inference runs within your AWS environment
- **Network Controls** - Your VPC, your security groups, your rules

### Control Plane (Capsule VPC)

Capsule Security operates a dedicated, isolated control plane environment:

- **Stateless Architecture** - No customer data stored in the control plane
- **Dedicated Environment** - Isolated infrastructure per customer
- **Managed by Capsule** - Full operational responsibility by Capsule's SRE team

## Deployment

### CloudFormation Deployment

Capsule provides a CloudFormation template that provisions all required resources in your AWS account:

```
┌─────────────────────────────────────────────────────────────┐
│                    Customer AWS Account                     │
│  ┌───────────────────────────────────────────────────────┐  │
│  │                     Customer VPC                      │  │
│  │                                                       │  │
│  │   ┌─────────────┐      ┌─────────────────────┐        │  │
│  │   │   Amazon    │      │   Amazon Bedrock    │        │  │
│  │   │    RDS      │      │   (AI Inference)    │        │  │
│  │   │ PostgreSQL  │      │                     │        │  │
│  │   └─────────────┘      └─────────────────────┘        │  │
│  │                                                       │  │
│  │   ┌────────────────────────────────────────────────┐  │  │
│  │   │          VPC Endpoint / PrivateLink            │  │  │
│  │   └────────────────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
                               │
                       Secure Connection
                               │
┌─────────────────────────────────────────────────────────────┐
│                     Capsule AWS Account                     │
│  ┌───────────────────────────────────────────────────────┐  │
│  │          Dedicated Control Plane (Stateless)          │  │
│  │                                                       │  │
│  │   ┌─────────────┐  ┌─────────────┐  ┌──────────┐      │  │
│  │   │     API     │  │   Policy    │  │Monitoring│      │  │
│  │   │   Gateway   │  │   Engine    │  │ & Alerts │      │  │
│  │   └─────────────┘  └─────────────┘  └──────────┘      │  │
│  └───────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
```

### Resources Provisioned

The CloudFormation template creates:

| Resource | Purpose |
| --- | --- |
| VPC Subnets | Private subnets for data plane components |
| Security Groups | Network access controls |
| Amazon RDS (PostgreSQL) | Application database |
| IAM Roles | Service permissions |
| VPC Endpoints | Secure connectivity to Capsule control plane |
| CloudWatch Log Groups | Local logging |

### Deployment Steps

1. **Receive CloudFormation Template** - Capsule provides a customized template for your deployment
2. **Review Parameters** - Configure VPC CIDR, instance sizes, and backup settings
3. **Deploy Stack** - Launch the CloudFormation stack in your AWS account
4. **Establish Connectivity** - VPC peering or PrivateLink connection is configured
5. **Validation** - Capsule SRE team verifies connectivity and performs health checks

## Data Residency

With Customer Hosted VPC, your data never leaves your AWS account:

- **Database** - All persistent data stored in your RDS instance
- **AI Processing** - Bedrock inference runs in your account
- **Logs** - Application logs remain in your CloudWatch
- **Backups** - RDS snapshots stored in your account

The Capsule control plane only processes metadata and orchestration commands; no customer data is transmitted or stored outside your environment.
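The validation step above is performed by Capsule's SRE team; the following is an added example (not Capsule's own tooling) of a check a customer can run on their side to confirm the data-plane properties this page promises for the RDS instance: storage encrypted at rest, encrypted with the customer-managed KMS key if one was chosen, not publicly accessible, and placed only in subnets with no default route to an internet gateway. It operates on the dict shapes returned by boto3's `rds.describe_db_instances()` and `ec2.describe_route_tables()`; the sample instances, key ARN and subnet ids below are constructed placeholders so the check runs offline.

```python
from typing import Any, Optional


def route_table_is_private(route_table: dict[str, Any]) -> bool:
    """A subnet is private when its route table has no 0.0.0.0/0 route via an internet gateway."""
    return not any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0" and str(r.get("GatewayId", "")).startswith("igw-")
        for r in route_table.get("Routes", [])
    )


def check_db_instance(db: dict[str, Any], route_tables: dict[str, dict[str, Any]],
                      expected_kms_key_arn: Optional[str] = None) -> list[str]:
    """Return the list of control violations for one DB instance (empty list = all checks pass).

    route_tables maps each subnet id to the route table that applies to it (explicit association
    or the VPC main table); resolving that mapping is left to the caller.
    """
    findings: list[str] = []
    if not db.get("StorageEncrypted"):
        findings.append("storage is not encrypted at rest")
    elif expected_kms_key_arn and db.get("KmsKeyId") != expected_kms_key_arn:
        findings.append("storage is encrypted with a key other than the expected customer-managed key")
    if db.get("PubliclyAccessible"):
        findings.append("instance is publicly accessible")
    for subnet in db.get("DBSubnetGroup", {}).get("Subnets", []):
        sid = subnet["SubnetIdentifier"]
        if not route_table_is_private(route_tables.get(sid, {})):
            findings.append(f"subnet {sid} has a default route to an internet gateway")
    return findings


# Constructed sample data: placeholder ARN and ids, not real resources.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUSTOMER-KEY"
ROUTE_TABLES = {
    "subnet-private-a": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    "subnet-public-b": {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
}
GOOD_DB = {"StorageEncrypted": True, "KmsKeyId": CMK_ARN, "PubliclyAccessible": False,
           "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-private-a"}]}}
BAD_DB = {"StorageEncrypted": False, "PubliclyAccessible": True,
          "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-public-b"}]}}

if __name__ == "__main__":
    for name, db in (("good", GOOD_DB), ("bad", BAD_DB)):
        print(name, check_db_instance(db, ROUTE_TABLES, CMK_ARN) or "all checks passed")
```

Against a live account, feed the function the `DBInstances` entries from `describe_db_instances()` and the route tables for every subnet in the instance's DB subnet group.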
## Support & Operations

### Managed by Capsule

Even with data in your VPC, Capsule provides full operational support:

| Service | Description |
| --- | --- |
| **24/7 Monitoring** | Continuous health monitoring of all components |
| **Incident Response** | Rapid response to alerts and issues |
| **Upgrades** | Zero-downtime upgrades with coordinated upgrade windows |
| **Maintenance** | Regular security patches and optimizations |
| **Support** | Direct access to Capsule support and SRE teams |

### Customer Responsibilities

| Area | Responsibility |
| --- | --- |
| AWS Account | Maintain AWS account and billing |
| Network | Manage VPC networking and firewall rules |
| Access | Control IAM access to your AWS resources |
| Compliance | Ensure AWS account meets your compliance requirements |

## Security

### Network Security

- **Private Subnets** - All data plane components in private subnets
- **No Public Access** - No direct internet access to data plane
- **PrivateLink** - Secure AWS backbone connectivity to control plane
- **Encryption in Transit** - TLS 1.3 for all communications

### Data Security

- **Encryption at Rest** - RDS encryption with AWS KMS
- **Customer-Managed Keys** - Option to use your own KMS keys
- **Network Isolation** - Data never traverses public internet

### Access Control & Audit

- **Role-Based Access Control (RBAC)** - Granular permissions for users and teams
- **Single Sign-On (SSO)** - Enterprise SSO integration support
- **Full Audit Logging** - Comprehensive audit trail of all user actions and system events

### Compliance

- **SOC 2 Type 2** - Certified across all deployment models
- **ISO 27001** - Information security management compliance
- **GDPR** - General Data Protection Regulation compliance
- **Data Residency** - Data remains in your chosen AWS region

## Prerequisites

Before deployment, ensure you have:

- [ ] AWS account with appropriate permissions
- [ ] VPC with available CIDR ranges
- [ ] AWS Service Quotas for RDS and Bedrock
- [ ] Network connectivity options (VPC peering or PrivateLink)

## Getting Started

Contact the Capsule team to begin your Customer Hosted VPC deployment:

1. **Architecture Review** - Discuss your requirements and AWS environment
2. **Template Customization** - Receive a CloudFormation template tailored to your needs
3. **Deployment Planning** - Schedule deployment with our SRE team
4. **Go Live** - Deploy and validate your environment

Contact us at [support@capsule.security](mailto:support@capsule.security) to get started.