Gregory

Reputation: 195

Build a secure LLM RAG system on AWS

I'm developing an AWS architecture for a Retrieval Augmented Generation (RAG) system:

[Diagram: AWS Architecture for RAG LLM]

  1. Data (pdf, docx, txt, png, etc.) ingested and pre-processed are stored in an Amazon S3 bucket.
  2. A Lambda function is triggered to orchestrate the embedding process.
  3. The Lambda function uses an embedding model from Amazon Bedrock to generate embeddings of the document.
  4. The embeddings are stored in a Mongo Database that acts as a vector database.
  5. The user asks a question through the UI/UX frontend hosted in an AWS Amplify instance, and the question is forwarded to the Amazon API Gateway.
  6. The API request is managed by the API Gateway Endpoint and triggers the Lambda function for the application orchestration.
  7. The Lambda function retrieves the correct embedding vector correlated to the user question.
  8. The Lambda function also retrieves the chat history from the DynamoDB database.
  9. The context retrieved from the MongoDB Database and the chat history are augmented in the prompt for the request to Amazon Bedrock LLM model, which gives back an answer.
  10. The answer from the LLM is verified by another Lambda function triggered from the Lambda Orchestrator Function.
  11. The answer is forwarded to the UI/UX frontend.

SECURITY

Now, in terms of security, I don't want the system to be exposed to the public Internet (except for the front-end web app, which of course has to be public); therefore I'm putting the RDS MongoDB database and all the Lambda functions inside the VPC (I know, technically the Lambda is always inside a VPC owned by the Lambda service, but in this case the Lambda functions are drawn inside my account VPC just to specify that they are configured to access resources in my account VPC). As you can see, the connection with the S3 bucket and DynamoDB database is through a VPC Gateway Endpoint, while the connection with the Amazon Bedrock service is through a VPC Interface Endpoint (AWS PrivateLink).

QUESTION

Now my question is related to the connection between the front-end app and the API Gateway and the Lambda Orchestrator function. In particular, can a public API Gateway endpoint interact with the in-VPC Lambda Orchestrator function? Or do I need to set up an API Gateway private endpoint in the same VPC as the in-VPC Lambda function to allow communication? If I change the API Gateway to be a private endpoint, how can I establish communication between the public front-end and the private API Gateway?

Upvotes: 1

Views: 631
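Added example, not part of the original post: API Gateway reaches a Lambda function by calling the Lambda Invoke API, which is authorized by the function's resource-based policy rather than by a network path into the VPC, so that policy is the control to review on the API Gateway to Lambda Orchestrator hop. The Python sketch below audits such a policy for unscoped invoke grants; the function name, API id, account id, region and helper names are constructed placeholders.

```python
# Constructed sample policy; account id, region, API id and function name are placeholders.
FN_ARN = "arn:aws:lambda:eu-west-1:111122223333:function:rag-orchestrator"
API_ARN = "arn:aws:execute-api:eu-west-1:111122223333:a1b2c3d4e5"
APIGW = {"Service": "apigateway.amazonaws.com"}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "apigw-scoped", "Effect": "Allow", "Principal": APIGW,
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"ArnLike": {"AWS:SourceArn": API_ARN + "/*/POST/chat"}}},
    {"Sid": "apigw-unscoped", "Effect": "Allow", "Principal": APIGW,
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    {"Sid": "anyone", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
]}

def source_arns(stmt):
    """Collect aws:SourceArn values from ArnLike/ArnEquals (names are case-insensitive)."""
    found = []
    for op, keys in stmt.get("Condition", {}).items():
        if op.lower() in ("arnlike", "arnequals"):
            for key, val in keys.items():
                if key.lower() == "aws:sourcearn":
                    found += val if isinstance(val, list) else [val]
    return found

def audit_invoke_policy(policy, api_arn_prefix):
    """Return {Sid: finding} for every Allow statement that grants function invocation."""
    findings = {}
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants = any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        sid, principal, arns = stmt.get("Sid", "?"), stmt.get("Principal"), source_arns(stmt)
        if principal in ("*", {"AWS": "*"}):
            findings[sid] = "any principal may invoke"
        elif principal != APIGW:
            findings[sid] = "unexpected principal"
        elif not arns:
            findings[sid] = "no aws:SourceArn condition"
        elif not all(a.startswith(api_arn_prefix) for a in arns):
            findings[sid] = "SourceArn outside expected API"
        else:
            findings[sid] = "ok"
    return findings

if __name__ == "__main__":
    for sid, finding in audit_invoke_policy(SAMPLE_POLICY, API_ARN + "/").items():
        print(f"{sid}: {finding}")
```

In a real account the policy document would come from `aws lambda get-policy`, whose `Policy` field is a JSON string that needs `json.loads` first.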

Answers (0)
