Components for the NetApp GenAI engine

Contributors netapp-mwallis netapp-bcammett netapp-rlithman

When you deploy the GenAI infrastructure, workload factory creates an EC2 instance for the GenAI engine. It also creates an IAM role, security group, and private endpoints for this instance. You might want to understand more details about these components that workload factory creates in your AWS environment.

EC2 instance type

m5.large

IAM role

The GenAI engine instance needs permissions to send chunks of data to the embedding model on Amazon Bedrock and to communicate with the NetApp AI Service Backend. The IAM role includes the following permissions:

"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:SendCommand",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation",
"ssmmessages:*",
"ec2messages:GetMessages"

Security group

The outbound rules are open to all traffic, while the inbound rules are completely closed.

Private endpoints

If the target VPC doesn't already have them, workload factory creates private endpoints for the GenAI engine EC2 instance so that it can communicate with the following AWS services:

  • Amazon Bedrock

  • Amazon EC2

  • Amazon Elastic Container Registry (ECR)

  • Amazon S3

  • AWS Systems Manager (SSM)

  • Amazon FSx for NetApp ONTAP

  • Amazon CloudWatch
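The security group posture and the list of private endpoints above are both things that drift after deployment, so they are worth checking rather than assuming. The following is an added example, not workload factory code: it verifies that the security group still has no inbound rules and an open outbound rule, and that an available VPC endpoint exists for each service on the list. The input dicts follow the shape of boto3's describe_security_groups and describe_vpc_endpoints responses (an assumption), and are constructed inline here so the check runs offline. The endpoint service-name suffixes in REQUIRED_ENDPOINTS are the ones a reviewer would expect for these services and are assumptions of the example, not taken from the page.

```python
"""Post-deployment check of the GenAI engine security group and private
endpoints. Added example, not workload factory's own code.

Inputs mirror boto3 describe_security_groups / describe_vpc_endpoints output
(assumed shape); sample data below is constructed so the check runs offline.
"""

# Assumed mapping from each service on the page to the VPC endpoint
# service-name suffix(es) expected for it (ECR and SSM need several).
REQUIRED_ENDPOINTS = {
    "Amazon Bedrock": ["bedrock-runtime"],
    "Amazon EC2": ["ec2"],
    "Amazon ECR": ["ecr.api", "ecr.dkr"],
    "Amazon S3": ["s3"],
    "AWS Systems Manager": ["ssm", "ssmmessages", "ec2messages"],
    "Amazon FSx for NetApp ONTAP": ["fsx"],
    "Amazon CloudWatch": ["logs"],
}


def check_security_group(sg):
    """Return findings for one security group dict.

    Expected posture from the page: no inbound rules, outbound open to all.
    Any inbound rule, or the absence of an all-traffic outbound rule, is
    reported as a finding.
    """
    findings = []
    for rule in sg.get("IpPermissions", []):
        ranges = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        findings.append(
            f"inbound rule present: {rule.get('IpProtocol')} "
            f"{rule.get('FromPort')}-{rule.get('ToPort')} from {ranges}")
    open_egress = any(
        r.get("IpProtocol") == "-1"
        and any(ip.get("CidrIp") == "0.0.0.0/0" for ip in r.get("IpRanges", []))
        for r in sg.get("IpPermissionsEgress", []))
    if not open_egress:
        findings.append("outbound is not open to all traffic; service calls may fail")
    return findings


def check_endpoints(vpc_id, region, endpoints):
    """Return {service: [missing suffixes]} for services lacking an
    available endpoint in the given VPC. Endpoints not yet 'available'
    count as missing, since the instance cannot use them yet."""
    present = {e["ServiceName"] for e in endpoints
               if e.get("VpcId") == vpc_id and e.get("State") == "available"}
    missing = {}
    for service, suffixes in REQUIRED_ENDPOINTS.items():
        absent = [s for s in suffixes
                  if f"com.amazonaws.{region}.{s}" not in present]
        if absent:
            missing[service] = absent
    return missing


# Constructed sample data: a security group that has drifted to allow SSH from
# anywhere, an unchanged one, and a VPC with several endpoints absent or pending.
DRIFTED_SG = {
    "GroupId": "sg-0drifted",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1",
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
EXPECTED_SG = {
    "GroupId": "sg-0expected",
    "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1",
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0example", "State": "available",
     "ServiceName": f"com.amazonaws.us-east-1.{s}"}
    for s in ("ssm", "ssmmessages", "ec2messages", "bedrock-runtime",
              "s3", "ecr.api")
] + [{"VpcId": "vpc-0example", "State": "pending",
      "ServiceName": "com.amazonaws.us-east-1.fsx"}]

if __name__ == "__main__":
    for sg in (DRIFTED_SG, EXPECTED_SG):
        print(sg["GroupId"], check_security_group(sg) or "ok")
    print(check_endpoints("vpc-0example", "us-east-1", SAMPLE_ENDPOINTS))
```

Against a live account, feed the same functions with `ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0]` and `ec2.describe_vpc_endpoints()["VpcEndpoints"]` from boto3. Because the page says workload factory only creates endpoints the VPC does not already have, the endpoint check is especially useful in VPCs where some endpoints pre-existed and may carry a different endpoint policy or security group than the ones workload factory would have created.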