AWS Public Sector Blog

Unlocking AI models in Standard AWS Regions from AWS GovCloud (US): Cross-partition access with Amazon Bedrock


Please note that the following post is intended for informational purposes only. The approach detailed below may not be suitable for all organizations and/or compliance programs. It is important to evaluate this potential solution against the compliance requirements of your organization and any applicable regulatory obligations you may have.


In this post, we walk through three solutions that allow AWS GovCloud (US) workloads to securely connect into Standard Amazon Web Services (AWS) Regions, such as us-east-1, to perform inference with Amazon Bedrock. Each approach comes with different trade-offs, and by the end you'll have the information necessary to assess whether the solutions will work for your organization. We recommend checking our AWS Services in Scope by Compliance Program page to validate each service by Region against any target compliance frameworks and requirements. Customers will also need to consider the unique characteristics of AWS GovCloud (US), including that it is both logically and physically isolated from other Regions, and administered exclusively by US citizens.

Generative AI is moving fast, with new foundation models (FMs) and features being released at a rapid pace. As a result, not all FMs are available in all Regions at their launch. For organizations operating in AWS GovCloud (US), the options in this blog provide a way to keep pace with this innovation by being able to test, experiment quickly, gather customer feedback, and mature new features into mission-ready functionality ahead of model availability in the partition. It may also be used for production applications provided the above compliance considerations are deemed acceptable, allowing for access to the wider breadth of FMs available in the Standard AWS Regions.

How cross-partition access works

AWS GovCloud (US) workloads call Amazon Bedrock by directing requests to the service API in the desired Standard AWS Region, or destination region. Instead of invoking an Amazon Bedrock endpoint in AWS GovCloud (US), the application sends the call across the partition using a chosen network connection into the destination region where Amazon Bedrock is hosted. This invocation of the model would include the data of both the input (prompt/context) and output (response) tokens.

Standard AWS Regions, sometimes known as AWS commercial Regions, are in the AWS partition. There is no native interconnectivity between the AWS GovCloud (US) partition and the AWS partition; the two are both logically and physically isolated. To communicate between them, customers must use a connection path such as the public internet, AWS Site-to-Site VPN, or AWS Direct Connect. These connections carry requests between partitions.

Amazon Bedrock service API calls use HTTPS, which encrypts requests using TLS from AWS GovCloud (US) to the Standard AWS Region of choice, or the destination region. This provides encryption for cross-partition communication regardless of which connectivity option you choose.

The application logic remains entirely within AWS GovCloud (US). Amazon API Gateway exposes an endpoint to workloads. AWS Lambda handles the request, retrieves the Amazon Bedrock API key from AWS Secrets Manager, and sends the inference request to Bedrock in the destination region. Amazon Bedrock processes the request and returns the response to the Lambda function, which then passes the result back to the application. Amazon CloudWatch in AWS GovCloud (US) records application logs for performance monitoring and troubleshooting, while AWS CloudTrail in the destination AWS Region can provide an audit trail of all API calls to Amazon Bedrock, including who made the request and when, allowing for tracking across both partitions.

When a Site-to-Site VPN or AWS Direct Connect is used, the Amazon Virtual Private Clouds (VPCs) hosted in AWS GovCloud (US) and in the Standard AWS Region are linked through the connection. The only difference across the internet, VPN, or Direct Connect options is the path the request takes between AWS GovCloud (US) and the Standard AWS Region. For workloads that require FIPS 140-validated cryptographic modules, we offer FIPS endpoints. Please see the Amazon Bedrock Data Protection page for other Amazon Bedrock security considerations.

Three connectivity options

There are three connectivity options for linking AWS GovCloud (US) to the Standard AWS Regions. Selecting the right option depends on your organization’s security requirements, performance expectations, and operational considerations.

Before selecting a connection option, set up authentication with an Amazon Bedrock API key in the Standard AWS Region account. For details, refer to Accelerate AI development with Amazon Bedrock API keys. Customers should also apply key rotation best practices to these API keys. Because AWS GovCloud (US) can initiate outbound connections to the Standard AWS Region, key rotation can be handled programmatically from AWS GovCloud (US), reducing operational overhead and maintaining strong security posture.

The Lambda function in AWS GovCloud (US) retrieves this key from Secrets Manager and uses it to authenticate with Amazon Bedrock in the Standard AWS Region. AWS GovCloud (US) workloads never hold the key directly. AWS Secrets Manager in AWS GovCloud (US) stores the key securely so it can be rotated automatically and is only accessible by the Lambda function. AWS Identity and Access Management (IAM) policies enforce least privilege, so that only the components that need the key can access it.
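The request path described above (API Gateway to Lambda in AWS GovCloud (US), key from Secrets Manager, HTTPS call to Amazon Bedrock in the destination Region) as an added example, not code from the post. It assumes the Bedrock runtime REST API's `Authorization: Bearer` header for API keys, the `/model/{modelId}/converse` path, the `bedrock-runtime-fips.<region>.amazonaws.com` FIPS hostname pattern, and a secret stored as `{"api_key": "..."}`; the allowlist of destination Regions, environment variable names and the model ID are constructed for the example. It also adds a check the post implies but does not spell out: the function refuses any destination Region outside an explicit allowlist before the key is ever read, and its CloudWatch log line carries metadata only, never the key or the prompt.

```python
"""Added example (not from the post): Lambda handler in AWS GovCloud (US) that
reads a Bedrock API key from Secrets Manager and calls the Converse API in a
Standard AWS Region over HTTPS. Endpoint hostnames, the Bearer header and the
/model/{id}/converse path follow the Bedrock runtime REST API as this example's
author understands it; verify them against the current AWS documentation."""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed allowlist: destination Regions this workload may send prompts to.
# A request for any other Region is refused before the key is even fetched.
ALLOWED_DESTINATION_REGIONS = frozenset({"us-east-1", "us-west-2"})


def bedrock_runtime_host(region: str, fips: bool = True) -> str:
    """FIPS endpoint by default, per the post's FIPS 140 note (assumed hostname pattern)."""
    service = "bedrock-runtime-fips" if fips else "bedrock-runtime"
    return f"{service}.{region}.amazonaws.com"


def build_converse_request(region: str, model_id: str, prompt: str, api_key: str, fips: bool = True):
    """Return (url, headers, body) for a single-turn Converse call.
    The API key travels only in the Authorization header, never in the body."""
    url = f"https://{bedrock_runtime_host(region, fips)}/model/{quote(model_id, safe='')}/converse"
    headers = {"Authorization": f"Bearer {api_key}",
               "Content-Type": "application/json", "Accept": "application/json"}
    body = json.dumps({"messages": [{"role": "user", "content": [{"text": prompt}]}]}).encode()
    return url, headers, body


def get_api_key_from_secrets_manager(secret_id: str) -> str:
    """Fetch the key at invocation time from Secrets Manager in AWS GovCloud (US)."""
    import boto3  # present in the Lambda runtime; imported lazily so the module loads without it
    resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
    return json.loads(resp["SecretString"])["api_key"]  # assumed secret layout


def send_https(url: str, headers: dict, body: bytes, timeout: int = 30):
    """POST the request across partitions; returns (HTTP status, parsed JSON or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, {}


def extract_text(converse_response: dict) -> str:
    """Concatenate the text parts of a Converse response's assistant message."""
    parts = converse_response.get("output", {}).get("message", {}).get("content", [])
    return "".join(p.get("text", "") for p in parts)


def handler(event: dict, context=None, *, get_secret=get_api_key_from_secrets_manager, send=send_https) -> dict:
    """API Gateway-style entry point. get_secret/send are injectable for offline testing."""
    region = event.get("destination_region", os.environ.get("DESTINATION_REGION", "us-east-1"))
    if region not in ALLOWED_DESTINATION_REGIONS:
        return {"statusCode": 403, "body": json.dumps({"error": f"destination Region {region} not permitted"})}
    model_id = event["model_id"]
    api_key = get_secret(os.environ.get("BEDROCK_API_KEY_SECRET_ID", "bedrock/api-key"))
    url, headers, body = build_converse_request(region, model_id, event["prompt"], api_key)
    status, resp = send(url, headers, body)
    # Structured log for CloudWatch in AWS GovCloud (US): metadata only, never the key or the prompt.
    print(json.dumps({"destination_region": region, "model_id": model_id, "status": status}))
    if status != 200:
        return {"statusCode": 502, "body": json.dumps({"error": "inference request failed", "upstream_status": status})}
    return {"statusCode": 200, "body": json.dumps({"output": extract_text(resp)})}
```

Pairing this with a CloudTrail lookup in the destination Region on the same key's principal gives the two-sided audit trail the post describes: the GovCloud log shows which application sent a request and when, and CloudTrail in the Standard AWS Region shows the matching Bedrock API call.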

In addition to the Bedrock API key, enable model access to Bedrock in the destination AWS Region for each foundation model you intend to use, and configure inference profiles where required.

For VPN and Direct Connect scenarios, plan private VPC endpoints in the Standard AWS Region VPC for Amazon Bedrock and any other services your solution will use, such as CloudWatch Logs, and Secrets Manager. VPC endpoints keep traffic on the AWS network, prevent it from traversing the public internet, and allow you to enforce fine-grained IAM and resource policies. For more details, see the Amazon VPC endpoints documentation.

Option 1: Internet-based connectivity

With this option, AWS GovCloud (US) applications send HTTPS requests to an API Gateway endpoint. TLS encrypts data in transit, while IAM and Secrets Manager provide authentication and credential isolation.

The following are required for this option in the Standard AWS Region:

  • An Amazon Bedrock API key for authentication
  • Model access enabled for each FM you intend to use
  • Inference profiles for models that require them

This option is well-suited for proofs of concept or pilot projects where the priority is speed of deployment. It can be deployed with minimal infrastructure. The trade-off is that traffic traverses the public internet, which might not meet your organization’s security and compliance requirements. The following diagram shows the architecture for this option.

Figure 1: High-level architecture that shows the public endpoint option, where AWS GovCloud (US) applications call Amazon Bedrock directly in the AWS partition using HTTPS.

Option 2: AWS Site-to-Site VPN connectivity

In this option, an AWS Site-to-Site VPN provides an encrypted tunnel between the AWS GovCloud (US) and AWS partition VPCs. All traffic flows through the Site-to-Site VPN connection, improving confidentiality and reducing exposure. VPC endpoints for Amazon Bedrock and supporting services are used to keep traffic on the AWS network, so it does not traverse the public internet. As the Amazon VPC FAQ explains, "Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions." For additional background on AWS backbone networking, see the blog post Introduction to Network Transformation on AWS.

The following are required for this option in the Standard AWS Region:

  • Everything required in option 1
  • A VPN gateway configured to connect with AWS GovCloud (US)
  • VPC endpoints to access AWS services without traversing the internet

This option provides an additional layer of security with the trade-off of added complexity, longer setup time, and operational overhead. For step-by-step setup instructions, refer to Get started with AWS Site-to-Site VPN in the AWS documentation. The following diagram shows the architecture for this option.

Figure 2: High-level architecture that shows the AWS Site-to-Site VPN connectivity with private endpoints option, where AWS GovCloud (US) and Standard AWS Region VPCs are connected through an encrypted tunnel and AWS GovCloud (US) applications call, through the encrypted tunnel, Amazon Bedrock in the destination region.

Option 3: AWS Direct Connect

The final option uses AWS Direct Connect to establish a dedicated private connection between AWS GovCloud (US) and the AWS partition. AWS Direct Connect provides the highest throughput and best resiliency. This also uses VPC endpoints for Amazon Bedrock and supporting services keeping traffic on the AWS network.

It is important to note that Direct Connect does not provide a native private path directly between AWS GovCloud (US) and the AWS partition. To enable cross-partition traffic over Direct Connect, customers terminate separate connections from each partition into their own network (for example, in a colocation facility) and route between them there. This design gives customers control of the traffic path, but incurs data transfer costs in both accounts.

The following are required for this option in the Standard AWS Region:

  • Everything required in option 1
  • A Direct Connect gateway, with connections from both partitions terminating in the customer’s network to enable routing
  • VPC endpoints to access AWS services without traversing the internet

This option provides the strongest security posture and consistent performance backed by service level agreements (SLAs). It does, however, require investment in networking infrastructure and consideration of provisioning lead times. For more on establishing Direct Connect between Standard AWS Regions and AWS GovCloud (US), read the blog post Hybrid connectivity to AWS GovCloud (US) and commercial Regions using AWS Direct Connect. The following diagram shows the architecture for this option.

Figure 3: High-level architecture that shows the AWS Direct Connect option for AWS GovCloud (US) to Standard AWS Regions. Separate Direct Connect links from each partition terminate in the customer’s network, where traffic is routed before reaching the Amazon Bedrock service in the destination region.

Picking the right connectivity option

The right choice depends on your compliance requirements, data sensitivity, and existing network investments. AWS Direct Connect allows you to manage where the traffic goes. Data flows over a dedicated private link between your environment and the AWS partition. If you already have Direct Connect in place, adding another connection is straightforward. If not, provisioning a new Direct Connect typically takes several weeks to a few months, depending on circuit ordering, colocation facility setup, and provider timelines.

AWS Site-to-Site VPN with private endpoints provides a strong middle ground. The VPN tunnel provides encryption in transit, and with Infrastructure as Code, a VPN can often be configured in minutes. This makes it a practical option without the heavy lift of Direct Connect.

The public endpoint option requires the least amount of infrastructure and configuration. It relies on an internet path. While TLS provides encryption in transit, some organizations may not be comfortable with data leaving their controlled network environment.

When you use these options, the data you pass in the prompt is sent to the Amazon Bedrock service running in the AWS partition. It is important to understand that prompts and any associated context leave AWS GovCloud (US) and are processed in a separate partition. Organizations should review this flow carefully to verify it aligns with their compliance and data-handling requirements.

Because traffic crosses partitions, egress charges are incurred in both the AWS GovCloud (US) account and the Standard AWS Region. For workloads that move large volumes of data, these charges can become a meaningful factor in the total cost of ownership. In some cases, the different pricing for model usage in Standard AWS Regions may offset the data transfer costs.

Conclusion

Cross-partition inference provides a secure and scalable way for AWS GovCloud (US) customers to access AI models available in Standard AWS Regions. Using this solution requires assessing your organization's requirements and the type of data you are sending to Amazon Bedrock. Please contact your AWS representative for more information and support in evaluating outcomes that align with your specific compliance needs, mission impact, and business outcomes.

Tyler Replogle

Along with hosting and show running the Mission Innovation Powered by AWS video series, Tyler is a principal architect and technical databases leader at AWS for worldwide public sector. He enables AWS Partners and customers to run their end-mission solutions on AWS.

Doug Hairfield

Doug is a senior solutions architect who helps organizations harness the power of AI to solve real-world problems. He brings a depth of experience helping public sector customers design their workloads in high compliance environments. When he's not architecting cloud solutions, you'll find him being a girl dad and enjoying time with his family.

Michael Pitcher

Michael is a senior manager of solution architecture at AWS. In this role, he works closely with partners to enable end customer missions in the public sector. He brings extensive experience in security and compliance, having previously worked at a 3PAO, where he focused on highly regulated cloud authorizations and cloud security.

Vin Minichino

Vin is a senior solutions architect at AWS, where he supports federal healthcare partners. Outside of his professional life, he is a father of two, an RVer, and a builder of things.