{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Customer Hosted VPC (AWS)","description":"Control the power of AI Agents in runtime.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"customer-hosted-vpc-aws","__idx":0},"children":["Customer Hosted VPC (AWS)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The Customer Hosted VPC deployment model provides maximum data isolation by keeping your data plane within your own AWS environment while Capsule Security manages the control plane."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"architecture-overview","__idx":1},"children":["Architecture Overview"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/deployment-customer-vpc.cb64e87e3cb82d87dbe9983be8f815e94da1ce616bca69f94fd301cce1356572.9c1bb791.png","alt":"Customer Hosted VPC Architecture"},"children":[]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"data-plane-customer-vpc","__idx":2},"children":["Data Plane (Customer VPC)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Your data remains in your AWS account with full control over:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Amazon RDS"]}," - All application data stored in your managed PostgreSQL database"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Amazon Bedrock"]}," - AI/ML inference runs within 
your AWS environment"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Network Controls"]}," - Your VPC, your security groups, your rules"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"control-plane-capsule-vpc","__idx":3},"children":["Control Plane (Capsule VPC)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule Security operates a dedicated, isolated control plane environment:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Stateless Architecture"]}," - No customer data stored in the control plane"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Dedicated Environment"]}," - Isolated infrastructure per customer"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Managed by Capsule"]}," - Full operational responsibility by Capsule's SRE team"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"deployment","__idx":4},"children":["Deployment"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"cloudformation-deployment","__idx":5},"children":["CloudFormation Deployment"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule provides a CloudFormation template that provisions all required resources in your AWS account:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"┌─────────────────────────────────────────────────────────────┐\n│                     Customer AWS Account                    │\n│  ┌───────────────────────────────────────────────────────┐  │\n│  │                    Customer VPC                       │  │\n│  │                                                       │  │\n│  
│   ┌─────────────┐          ┌─────────────────────┐    │  │\n│  │   │   Amazon    │          │    Amazon Bedrock   │    │  │\n│  │   │    RDS      │          │    (AI Inference)   │    │  │\n│  │   │ PostgreSQL  │          │                     │    │  │\n│  │   └─────────────┘          └─────────────────────┘    │  │\n│  │                                                       │  │\n│  │   ┌────────────────────────────────────────────────┐  │  │\n│  │   │              VPC Endpoint / PrivateLink        │  │  │\n│  │   └────────────────────────────────────────────────┘  │  │\n│  └───────────────────────────────────────────────────────┘  │\n└─────────────────────────────────────────────────────────────┘\n                              │\n                    Secure Connection\n                              │\n┌─────────────────────────────────────────────────────────────┐\n│                     Capsule AWS Account                     │\n│  ┌───────────────────────────────────────────────────────┐  │\n│  │           Dedicated Control Plane (Stateless)         │  │\n│  │                                                       │  │\n│  │   ┌─────────────┐    ┌─────────────┐    ┌──────────┐  │  │\n│  │   │   API       │    │   Policy    │    │Monitoring│  │  │\n│  │   │   Gateway   │    │   Engine    │    │ & Alerts │  │  │\n│  │   └─────────────┘    └─────────────┘    └──────────┘  │  │\n│  └───────────────────────────────────────────────────────┘  │\n└─────────────────────────────────────────────────────────────┘\n"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"resources-provisioned","__idx":6},"children":["Resources Provisioned"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The CloudFormation template 
creates:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Resource"},"children":["Resource"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Purpose"},"children":["Purpose"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["VPC Subnets"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Private subnets for data plane components"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Security Groups"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Network access controls"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Amazon RDS (PostgreSQL)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Application database"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["IAM Roles"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Service permissions"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["VPC Endpoints"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Secure connectivity to Capsule control plane"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["CloudWatch Log Groups"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Local 
logging"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"deployment-steps","__idx":7},"children":["Deployment Steps"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Receive CloudFormation Template"]}," - Capsule provides a customized template for your deployment"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Review Parameters"]}," - Configure VPC CIDR, instance sizes, and backup settings"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Deploy Stack"]}," - Launch the CloudFormation stack in your AWS account"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Establish Connectivity"]}," - VPC peering or PrivateLink connection is configured"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Validation"]}," - Capsule SRE team verifies connectivity and performs health checks"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"data-residency","__idx":8},"children":["Data Residency"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["With Customer Hosted VPC, your data never leaves your AWS account:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Database"]}," - All persistent data stored in your RDS instance"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["AI Processing"]}," - Bedrock inference runs in your 
account"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Logs"]}," - Application logs remain in your CloudWatch"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Backups"]}," - RDS snapshots stored in your account"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The Capsule control plane only processes metadata and orchestration commands—no customer data is transmitted or stored outside your environment."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"support--operations","__idx":9},"children":["Support & Operations"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"managed-by-capsule","__idx":10},"children":["Managed by Capsule"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Even with data in your VPC, Capsule provides full operational support:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Service"},"children":["Service"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["24/7 Monitoring"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Continuous health monitoring of all 
components"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Incident Response"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Rapid response to alerts and issues"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Upgrades"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Zero downtime upgrades with coordinated upgrade windows"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Maintenance"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Regular security patches and optimizations"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Support"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Direct access to Capsule support and SRE teams"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"customer-responsibilities","__idx":11},"children":["Customer 
Responsibilities"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Area"},"children":["Area"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Responsibility"},"children":["Responsibility"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["AWS Account"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Maintain AWS account and billing"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Network"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Manage VPC networking and firewall rules"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Access"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Control IAM access to your AWS resources"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Compliance"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Ensure AWS account meets your compliance requirements"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"security","__idx":12},"children":["Security"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"network-security","__idx":13},"children":["Network Security"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Private Subnets"]}," - All data plane components in private 
subnets"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["No Public Access"]}," - No direct internet access to data plane"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PrivateLink"]}," - Secure AWS backbone connectivity to control plane"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Encryption in Transit"]}," - TLS 1.3 for all communications"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"data-security","__idx":14},"children":["Data Security"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Encryption at Rest"]}," - RDS encryption with AWS KMS"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Customer-Managed Keys"]}," - Option to use your own KMS keys"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Network Isolation"]}," - Data never traverses public internet"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"access-control--audit","__idx":15},"children":["Access Control & Audit"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Role-Based Access Control (RBAC)"]}," - Granular permissions for users and teams"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Single Sign-On (SSO)"]}," - Enterprise SSO integration 
support"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Full Audit Logging"]}," - Comprehensive audit trail of all user actions and system events"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"compliance","__idx":16},"children":["Compliance"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SOC 2 Type 2"]}," - Certified across all deployment models"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["ISO 27001"]}," - Information security management compliance"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GDPR"]}," - General Data Protection Regulation compliance"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Data Residency"]}," - Data remains in your chosen AWS region"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":17},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before deployment, ensure you have:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," AWS account with appropriate permissions"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," VPC with available CIDR 
ranges"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," AWS Service Quotas for RDS and Bedrock"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," Network connectivity options (VPC peering or PrivateLink)"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"getting-started","__idx":18},"children":["Getting Started"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Contact the Capsule team to begin your Customer Hosted VPC deployment:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Architecture Review"]}," - Discuss your requirements and AWS environment"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Template Customization"]}," - Receive a CloudFormation template tailored to your needs"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Deployment Planning"]}," - Schedule deployment with our SRE team"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Go Live"]}," - Deploy and validate your environment"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Contact us at ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"mailto:support@capsule.security"},"children":["support@capsule.security"]}," to get started."]}]},"headings":[{"value":"Customer Hosted VPC (AWS)","id":"customer-hosted-vpc-aws","depth":1},{"value":"Architecture Overview","id":"architecture-overview","depth":2},{"value":"Data Plane (Customer 
VPC)","id":"data-plane-customer-vpc","depth":3},{"value":"Control Plane (Capsule VPC)","id":"control-plane-capsule-vpc","depth":3},{"value":"Deployment","id":"deployment","depth":2},{"value":"CloudFormation Deployment","id":"cloudformation-deployment","depth":3},{"value":"Resources Provisioned","id":"resources-provisioned","depth":3},{"value":"Deployment Steps","id":"deployment-steps","depth":3},{"value":"Data Residency","id":"data-residency","depth":2},{"value":"Support & Operations","id":"support--operations","depth":2},{"value":"Managed by Capsule","id":"managed-by-capsule","depth":3},{"value":"Customer Responsibilities","id":"customer-responsibilities","depth":3},{"value":"Security","id":"security","depth":2},{"value":"Network Security","id":"network-security","depth":3},{"value":"Data Security","id":"data-security","depth":3},{"value":"Access Control & Audit","id":"access-control--audit","depth":3},{"value":"Compliance","id":"compliance","depth":3},{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"Getting Started","id":"getting-started","depth":2}],"frontmatter":{"sidebar":"../sidebars.yaml","seo":{"title":"Customer Hosted VPC (AWS)"}},"lastModified":"2026-02-10T10:33:48.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/deployment-customer-vpc","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}