Cloud Provider Deployment (AWS & GCP)
For enterprise architectures hosted on major cloud providers, Panovista acts as the critical Layer 7 security boundary between your internal Virtual Private Cloud (VPC) and external foundational models.
Because Panovista is a stateless Go binary packaged inside a scratch Docker image, it deploys natively to both AWS and Google Cloud Platform (GCP) serverless container runtimes with zero infrastructure refactoring.
Amazon Web Services (AWS)
To guarantee that sensitive internal MCP tool traffic never touches the public internet, deploy Panovista inside your private subnets using AWS Fargate or Elastic Kubernetes Service (EKS).
AWS ECS (Fargate) Deployment
Deploying Panovista as a sidecar container in an ECS Task Definition is the most secure way to isolate AWS-hosted AI agents from your internal databases.
- Task Definition: Add the Panovista container to the same Task Definition as your AI application or MCP tool server.
- Localhost Routing: Configure your AI agent to route its tool execution requests to the local Panovista sidecar (http://127.0.0.1:4321/mcp).
- Secrets Management: Bind your provider API keys and identity tokens directly from AWS Secrets Manager to the Panovista container. The primary agent container never sees the raw credentials.
// AWS ECS Task Definition Snippet (MCP Sidecar)
{
  "containerDefinitions": [
    {
      "name": "ai-agent-app",
      "image": "123456789.dkr.ecr.us-east-1.amazonaws.com/ai-agent:latest",
      "environment": [
        { "name": "MCP_SERVER_URL", "value": "http://127.0.0.1:4321/mcp" }
      ]
    },
    {
      "name": "panovista-proxy",
      "image": "panovista/proxy:latest",
      "portMappings": [{ "containerPort": 4321 }],
      "environment": [
        { "name": "PANOVISTA_MODE", "value": "sidecar" },
        { "name": "TARGET_MCP_URL", "value": "http://internal-db.local:8000/mcp" }
      ],
      "secrets": [
        { "name": "PROVIDER_API_KEY", "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789:secret:LLM_API_KEY" }
      ]
    }
  ]
}
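As an added example (not part of Panovista's own tooling), a small Python check that enforces the invariants the sidecar pattern above depends on: the agent's MCP_SERVER_URL points at the loopback port the proxy publishes, no container carries credentials as plaintext environment variables, and secrets are bound only to the proxy from Secrets Manager or SSM Parameter Store ARNs. The task definition embedded in the script is constructed to mirror the snippet above; the container and variable names it checks are the ones that snippet uses.

```python
import json
import re
from urllib.parse import urlparse

# Constructed task definition mirroring the ECS sidecar snippet above (not a real deployment).
TASK_DEF = json.loads("""
{"containerDefinitions": [
  {"name": "ai-agent-app", "image": "123456789.dkr.ecr.us-east-1.amazonaws.com/ai-agent:latest",
   "environment": [{"name": "MCP_SERVER_URL", "value": "http://127.0.0.1:4321/mcp"}]},
  {"name": "panovista-proxy", "image": "panovista/proxy:latest",
   "portMappings": [{"containerPort": 4321}],
   "environment": [{"name": "PANOVISTA_MODE", "value": "sidecar"},
                   {"name": "TARGET_MCP_URL", "value": "http://internal-db.local:8000/mcp"}],
   "secrets": [{"name": "PROVIDER_API_KEY",
                "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789:secret:LLM_API_KEY"}]}
]}
""")

# Accept only references into Secrets Manager or SSM Parameter Store (the two ECS "valueFrom" sources).
SECRET_ARN = re.compile(r"^arn:aws:(secretsmanager|ssm):[a-z0-9-]+:\d+:(secret|parameter)[:/]")
CREDENTIAL_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def env(container, name):
    """Value of a plaintext environment variable on the container, or None."""
    return next((e["value"] for e in container.get("environment", []) if e["name"] == name), None)

def check_sidecar_task(task_def, proxy_name="panovista-proxy", agent_var="MCP_SERVER_URL"):
    """Return findings; an empty list means the task keeps the sidecar invariants."""
    findings = []
    by_name = {c["name"]: c for c in task_def["containerDefinitions"]}
    if proxy_name not in by_name:
        return [f"no container named {proxy_name}"]
    proxy_ports = {p.get("containerPort") for p in by_name[proxy_name].get("portMappings", [])}
    for name, c in by_name.items():
        # A credential in "environment" is plaintext in the task definition and visible to the agent.
        for e in c.get("environment", []):
            if CREDENTIAL_NAME.search(e["name"]):
                findings.append(f"{name}: {e['name']} is a plaintext environment variable")
        for s in c.get("secrets", []):
            if not SECRET_ARN.match(s.get("valueFrom", "")):
                findings.append(f"{name}: secret {s['name']} is not a Secrets Manager/SSM ARN")
        if name == proxy_name:
            continue
        # Only the proxy may hold the upstream tool URL or bound secrets; agents talk to the sidecar.
        if env(c, "TARGET_MCP_URL") or c.get("secrets"):
            findings.append(f"{name}: upstream URL or secrets bound outside the proxy")
        url = env(c, agent_var)
        if url and (urlparse(url).hostname not in LOOPBACK or urlparse(url).port not in proxy_ports):
            findings.append(f"{name}: {agent_var}={url} does not point at the local sidecar")
    return findings
```

Run it against the task definition JSON you register with ECS; any non-empty result means the agent container can reach the tool server or the credentials without going through the proxy.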
Google Cloud Platform (GCP)
For teams utilizing Google Cloud, Panovista integrates perfectly with Google Cloud Run for serverless deployments or Google Kubernetes Engine (GKE) for managed cluster orchestration.
Google Cloud Run (Multi-Container)
Cloud Run supports multi-container deployments (the sidecar pattern). You can run your AI application and the Panovista proxy within the same Cloud Run instance, sharing the exact same localhost network boundary.
- VPC Egress: Route all egress traffic from the Cloud Run instance through a Serverless VPC Access Connector.
- Identity & Access Management (IAM): Assign a dedicated Google Service Account to the Cloud Run instance. Panovista uses this Service Account to seamlessly pull your DLP schemas from Google Cloud Storage (GCS) and your keys from GCP Secret Manager.
# GCP Cloud Run YAML Snippet
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: secure-ai-agent
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-connector: "projects/my-project/locations/us-central1/connectors/my-vpc-connector"
    spec:
      containers:
        - image: gcr.io/my-project/ai-agent:latest
          env:
            - name: MCP_ROUTER_URL
              value: "http://127.0.0.1:4321/mcp"
        - image: panovista/proxy:latest
          env:
            - name: PANOVISTA_PORT
              value: "4321"
            - name: TARGET_MCP_URL
              value: "http://internal-db.internal.gcp:8000/mcp"
VPC & Network Security Best Practices
Regardless of whether you choose AWS or GCP, adhering to the following network principles ensures maximum compliance:
- Private Subnets: Always deploy the Panovista proxy inside a private subnet. It should only be accessible internally via your VPC.
- Egress Control: Use a NAT Gateway (AWS) or Cloud NAT (GCP) to strictly control the outbound IP addresses communicating with the external LLM providers.
- SIEM Integration: Stream Panovista's stdout JSON logs directly to Amazon CloudWatch or Google Cloud Logging. Because every token-swapping event is cryptographically signed with HMAC-SHA256, your cloud-native logging platforms immediately become compliant, tamper-proof audit ledgers.