Amazon EC2
Let's connect a Node.js app in one virtual private network with an application serving a self-hosted model in another virtual private network. The example uses the AWS CLI to create these virtual networks.
Each company’s network is private, isolated, and doesn't expose ports. To learn how end-to-end trust is established, please read: “”
Then run the following commands:
If everything runs as expected, you'll see the answer to the question: "What is Ockham's Razor?".
In a typical production setup an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project.
First, the ai_corp/run.sh script creates a network to host the application exposing the LLaMA model API:
We are now ready to create an EC2 instance where the Ockam outlet node will run:
When the instance is started, the run_ockam.sh script is executed:
We then create an Ockam node:
First, the health_corp/run.sh script creates a network to host the client.js application which will connect to the LLaMA model:
We are now ready to create an EC2 instance where the Ockam inlet node will run:
The instance is started and the run_ockam.sh script is executed:
We then create an Ockam node:
We finally wait for the instance to be ready and install the client.js application:
Once the client.js application is started:
We connected a Node.js application in one virtual private network with an application serving a LLaMA model in another virtual private network over an end-to-end encrypted portal.
Health Corp. does not get unfettered access to AI Corp.’s network. It gets access only to run API queries. AI Corp. does not get unfettered access to Health Corp.’s network. It gets access only to respond to queries over a TCP connection. AI Corp. cannot initiate connections.
To delete all AWS resources:
This example requires Bash, Git, Curl, and the AWS CLI. Please set up these tools for your operating system. In particular you need to with aws sso login.
The script, that you ran above, and its are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore.
The calls the which invokes the to create a new identity, sign into Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership .
The run function then . The tickets are valid for 10 minutes. Each ticket can be redeemed only once and assigns to its redeemer. The is meant for the Ockam node that will run in AI Corp.’s network. The is meant for the Ockam node that will run in Health Corp.’s network.
The run function passes the enrollment tickets as variables of the run scripts provisioning and .
We and tag it.
We and attach it to the VPC.
We and to the Internet via the gateway.
We , with associate it to the route table.
We finally so that there is:
,
And to install the model and its application.
We .
We in order to access the EC2 instance via SSH.
Before creating the EC2 instance . Indeed, we need a properly sized instance in order to run a large language model, and those instances are not available in all regions. If the instance is not available in the current region, we return the list of all the regions where that instance type is available.
We . Starting the instance executes a start script based on ai_corp/run_ockam.sh where:
created by the administrator and given as a parameter to ai_corp/run.sh.
We and .
The .
The .
With .
A . The policy authorizes identities with a credential containing the attribute ai-inlet="true".
With capable of forwarding the TCP traffic to the TCP outlet.
We and tag it.
We and attach it to the VPC.
We and to the Internet via the gateway.
We , and associate it to the route table.
We finally so that there is:
,
And to download and install the Node.js client application.
We .
We above and a start script based on run_ockam.sh where:
created by the administrator and given as a parameter to run.sh.
The .
The .
With .
Connected to .
A . The policy authorizes identities with a credential containing the attribute ai-outlet="true".
The is (this uses the previously created key.pem file to identify).
We can then and:
.
.
It will .
It and waits for a response from the model.
The response is then .
Sensitive business data coming from the model is only accessible to AI Corp. and Health Corp. All data is with strong forward secrecy as it moves through the Internet. The communication channel is and . Keys and credentials are automatically rotated. Access to connect with the model API can be easily revoked.
All are secure-by-default. Only project members, with valid credentials, can connect with each other. NATs are traversed using a relay and outgoing TCP connections. AI Corp. or Health Corp. don’t expose any listening endpoints on the Internet. Their networks are completely closed and protected from any attacks from the Internet.
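The enrollment-ticket rules (valid for 10 minutes, redeemable once, attributes assigned to the redeemer) and the two attribute policies described above can be modelled in a few lines. This is an added example, not code from the Ockam project or its example scripts; the class and function names are hypothetical, and it assumes each ticket carries the attribute that the other side's policy checks.

```javascript
// Toy model of the rules on this page; added illustration, not Ockam's implementation.
// TicketAuthority, issue, redeem, allows and demo are hypothetical names.
const crypto = require("crypto");
const TICKET_TTL_MS = 10 * 60 * 1000; // page: tickets are valid for 10 minutes

class TicketAuthority {
  constructor() {
    this.tickets = new Map(); // ticket id -> { attributes, expiresAt, redeemed }
  }
  // The administrator issues a ticket carrying the attributes its redeemer will get.
  issue(attributes, now = Date.now()) {
    const id = crypto.randomBytes(16).toString("hex");
    this.tickets.set(id, { attributes, expiresAt: now + TICKET_TTL_MS, redeemed: false });
    return id;
  }
  // Redeeming binds the attributes to one identity; a second or late use fails.
  redeem(id, identity, now = Date.now()) {
    const t = this.tickets.get(id);
    if (!t) throw new Error("unknown ticket");
    if (t.redeemed) throw new Error("ticket already redeemed");
    if (now > t.expiresAt) throw new Error("ticket expired");
    t.redeemed = true;
    return { identity, attributes: { ...t.attributes } };
  }
}

// Policy check: the peer's credential must contain the required attribute set to "true".
function allows(requiredAttribute, credential) {
  return Boolean(credential) && credential.attributes[requiredAttribute] === "true";
}

function demo() {
  const t0 = 1_700_000_000_000; // constructed timestamp
  const authority = new TicketAuthority();
  // Assumption: which attribute each ticket assigns is inferred from the two policies.
  const outletTicket = authority.issue({ "ai-outlet": "true" }, t0);
  const inletTicket = authority.issue({ "ai-inlet": "true" }, t0);
  const lateTicket = authority.issue({ "ai-inlet": "true" }, t0);
  const aiCorp = authority.redeem(outletTicket, "ai-corp-node", t0 + 1000);
  const healthCorp = authority.redeem(inletTicket, "health-corp-node", t0 + 2000);
  const tryRedeem = (id, who, at) => {
    try { authority.redeem(id, who, at); return "ok"; } catch (e) { return e.message; }
  };
  return {
    outletAcceptsInlet: allows("ai-inlet", healthCorp), // AI Corp.'s outlet policy
    inletAcceptsOutlet: allows("ai-outlet", aiCorp),     // Health Corp.'s inlet policy
    outletAcceptsOutlet: allows("ai-inlet", aiCorp),     // wrong attribute is refused
    replay: tryRedeem(inletTicket, "intruder", t0 + 3000),
    late: tryRedeem(lateTicket, "slow-node", t0 + TICKET_TTL_MS + 1),
  };
}
console.log(demo());
```

A ticket copied out of a provisioning log is useless once the intended node has redeemed it or the 10-minute window has passed, and a node holding only its own attribute cannot satisfy its own side's policy.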