AWS & GCP Cloud Deployment | Panovista

Cloud Provider Deployment (AWS & GCP)

For enterprise architectures hosted on the major cloud providers, Panovista acts as the Layer 7 (application-layer) security boundary between your internal Virtual Private Cloud (VPC) and external foundation models: the agent's MCP tool calls pass through the proxy instead of reaching internal tool servers or provider APIs directly.

Because Panovista is a stateless Go binary packaged in a scratch Docker image, the same image runs unchanged on the serverless container runtimes of both AWS and Google Cloud Platform (GCP). In production, pin the image by digest rather than the mutable latest tag, so that a rebuilt tag cannot silently change what sits on your security boundary.


Amazon Web Services (AWS)

To ensure that internal MCP tool traffic never traverses the public internet, deploy Panovista in private subnets using AWS Fargate or Elastic Kubernetes Service (EKS), with no public IP assigned to the task or node.

AWS ECS (Fargate) Deployment

Running Panovista as a sidecar container in the same ECS task as the agent keeps AWS-hosted AI agents behind the proxy: under awsvpc networking the two containers share one network namespace, so the agent reaches the proxy on 127.0.0.1 without any port being exposed outside the task. Note that the containers also share the task's ENI and security group, so the network alone cannot stop the agent from calling the internal MCP server directly; the isolation comes from configuring the agent with a loopback MCP_SERVER_URL, and from authenticating the proxy at the target MCP server if you need enforcement rather than configuration. The task execution role must be allowed secretsmanager:GetSecretValue on the referenced secret (and kms:Decrypt if it is encrypted with a customer-managed key), otherwise the task will not start.

// AWS ECS Task Definition Snippet (MCP Sidecar)
{
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [
    {
      "name": "ai-agent-app",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/ai-agent:latest",
      "essential": true,
      "dependsOn": [{ "containerName": "panovista-proxy", "condition": "START" }],
      "environment": [
        { "name": "MCP_SERVER_URL", "value": "http://127.0.0.1:4321/mcp" }
      ]
    },
    {
      "name": "panovista-proxy",
      "image": "panovista/proxy:latest",
      "essential": true,
      "portMappings": [{ "containerPort": 4321 }],
      "environment": [
        { "name": "PANOVISTA_MODE", "value": "sidecar" },
        { "name": "TARGET_MCP_URL", "value": "http://internal-db.local:8000/mcp" }
      ],
      "secrets": [
        { "name": "PROVIDER_API_KEY", "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:LLM_API_KEY" }
      ]
    }
  ]
}
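As an added example that is not part of the Panovista project or this page, the following Go program lints a task definition for the invariants the sidecar pattern depends on: awsvpc networking (otherwise the containers do not share 127.0.0.1), credentials supplied only through secrets with Secrets Manager or SSM Parameter Store ARNs, and the agent's MCP URL pointing at loopback on the port the proxy publishes. The container names, the MCP_SERVER_URL variable and the two embedded task definitions are constructed samples; the checks run offline on the embedded JSON and can be pointed at a real definition read from disk.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Minimal view of an ECS task definition: only the fields the checks read.
// encoding/json matches keys case-insensitively, so "valueFrom" fills ValueFrom.
type (
	taskDef struct {
		NetworkMode          string      `json:"networkMode"`
		ContainerDefinitions []container `json:"containerDefinitions"`
	}
	container struct {
		Name         string                             `json:"name"`
		Environment  []struct{ Name, Value string }     `json:"environment"`
		Secrets      []struct{ Name, ValueFrom string } `json:"secrets"`
		PortMappings []struct{ ContainerPort int }      `json:"portMappings"`
	}
)

// Container names and the agent's proxy-pointer variable (an assumption of this example, not a Panovista requirement).
const proxyContainer, agentContainer, agentURLVar = "panovista-proxy", "ai-agent-app", "MCP_SERVER_URL"

// secretLike flags variable names that look like credentials.
func secretLike(name string) bool {
	n := strings.ToUpper(name)
	return strings.Contains(n, "KEY") || strings.Contains(n, "SECRET") ||
		strings.Contains(n, "TOKEN") || strings.Contains(n, "PASSWORD")
}

// CheckTaskDef returns one finding per violated invariant; an empty result means secrets stay out of plain env and the agent can only reach MCP through the proxy.
func CheckTaskDef(raw []byte) ([]string, error) {
	var td taskDef
	if err := json.Unmarshal(raw, &td); err != nil {
		return nil, fmt.Errorf("parse task definition: %w", err)
	}
	var findings []string
	// 1. Containers share a loopback interface only under awsvpc networking.
	if td.NetworkMode != "awsvpc" {
		findings = append(findings, "networkMode must be awsvpc so the agent can reach the proxy on 127.0.0.1")
	}
	proxyPort, agentURL := 0, ""
	for _, c := range td.ContainerDefinitions {
		// 2. Credentials belong in "secrets" (resolved at launch), never in plain "environment".
		for _, kv := range c.Environment {
			if secretLike(kv.Name) {
				findings = append(findings, c.Name+": "+kv.Name+" is set in plain environment; move it to secrets")
			}
			if c.Name == agentContainer && kv.Name == agentURLVar {
				agentURL = kv.Value
			}
		}
		// 3. Secret references must resolve through Secrets Manager or SSM Parameter Store.
		for _, s := range c.Secrets {
			if !strings.HasPrefix(s.ValueFrom, "arn:aws:secretsmanager:") && !strings.HasPrefix(s.ValueFrom, "arn:aws:ssm:") {
				findings = append(findings, c.Name+": secret "+s.Name+" does not reference a Secrets Manager or SSM ARN")
			}
		}
		if c.Name == proxyContainer && len(c.PortMappings) == 1 {
			proxyPort = c.PortMappings[0].ContainerPort
		}
	}
	// 4. The agent must talk to the proxy on loopback, on the port the proxy listens on.
	u, err := url.Parse(agentURL)
	if agentURL == "" || err != nil {
		return append(findings, "agent has no parseable "+agentURLVar), nil
	}
	if h := u.Hostname(); h != "127.0.0.1" && h != "localhost" {
		findings = append(findings, agentURLVar+" must point at loopback, got host "+h)
	}
	if p, _ := strconv.Atoi(u.Port()); p != proxyPort {
		findings = append(findings, fmt.Sprintf("%s port %q does not match proxy containerPort %d", agentURLVar, u.Port(), proxyPort))
	}
	return findings, nil
}

// GoodTaskDef is the sidecar definition from this page with networkMode added (constructed sample).
const GoodTaskDef = `{"networkMode": "awsvpc", "containerDefinitions": [
  {"name": "ai-agent-app", "environment": [{"name": "MCP_SERVER_URL", "value": "http://127.0.0.1:4321/mcp"}]},
  {"name": "panovista-proxy", "portMappings": [{"containerPort": 4321}],
   "environment": [{"name": "PANOVISTA_MODE", "value": "sidecar"}, {"name": "TARGET_MCP_URL", "value": "http://internal-db.local:8000/mcp"}],
   "secrets": [{"name": "PROVIDER_API_KEY", "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:LLM_API_KEY"}]}]}`

// BadTaskDef leaks the API key into plain environment and lets the agent bypass the proxy (constructed sample).
const BadTaskDef = `{"networkMode": "bridge", "containerDefinitions": [
  {"name": "ai-agent-app", "environment": [{"name": "MCP_SERVER_URL", "value": "http://internal-db.local:8000/mcp"}]},
  {"name": "panovista-proxy", "portMappings": [{"containerPort": 4321}],
   "environment": [{"name": "PROVIDER_API_KEY", "value": "sk-live-example"}]}]}`

func main() {
	findings, err := CheckTaskDef([]byte(BadTaskDef))
	fmt.Printf("err=%v findings=%q\n", err, findings)
}
```

Run it in CI against the rendered task definition and fail the pipeline on any finding; the good sample returns none, the bad sample returns four (wrong network mode, key in plain environment, non-loopback host, port mismatch).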

Google Cloud Platform (GCP)

Teams on Google Cloud can run Panovista on Google Cloud Run for serverless deployments or on Google Kubernetes Engine (GKE) for managed cluster orchestration.

Google Cloud Run (Multi-Container)

Cloud Run supports multi-container services (the sidecar pattern): the AI application and the Panovista proxy run in the same Cloud Run instance and share its loopback interface. Only one container, the ingress container, declares a port and receives requests; the proxy is a sidecar with no port of its own and is reachable from the application on 127.0.0.1. Declare the container dependency so the proxy starts before the application, and route egress through the VPC connector so the proxy reaches the internal MCP server over private addresses. As on ECS, both containers share the instance's network, so the application is kept behind the proxy by configuration, not by a firewall.

# GCP Cloud Run YAML Snippet
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: secure-ai-agent
  annotations:
    run.googleapis.com/ingress: internal   # no public endpoint for the agent
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/vpc-access-connector: "projects/my-project/locations/us-central1/connectors/my-vpc-connector"
        run.googleapis.com/vpc-access-egress: all-traffic   # send all egress, including LLM provider calls, through the VPC and Cloud NAT
        run.googleapis.com/container-dependencies: '{"ai-agent": ["panovista-proxy"]}'   # start the proxy before the agent
    spec:
      containers:
      - name: ai-agent
        image: gcr.io/my-project/ai-agent:latest
        ports:
        - containerPort: 8080   # only the ingress container declares a port
        env:
        - name: MCP_ROUTER_URL
          value: "http://127.0.0.1:4321/mcp"
      - name: panovista-proxy
        image: panovista/proxy:latest
        env:
        - name: PANOVISTA_PORT
          value: "4321"
        - name: TARGET_MCP_URL
          value: "http://internal-db.internal.gcp:8000/mcp"

VPC & Network Security Best Practices

Regardless of whether you choose AWS or GCP, the following network principles limit the proxy's exposure:

  1. Private Subnets: Deploy the Panovista proxy in a private subnet with no public IP. It should be reachable only from inside your VPC, or, in the sidecar pattern, only on the task's loopback interface.
  2. Egress Control: Route outbound traffic through a NAT Gateway (AWS) or Cloud NAT (GCP) so the external LLM providers see a small, stable set of source IPs that you can allow-list on the provider side. NAT alone does not filter destinations, so also restrict egress with security group rules (AWS) or VPC firewall egress rules (GCP) to the provider endpoints the proxy actually needs.
  3. SIEM Integration: Stream Panovista's stdout JSON logs to Amazon CloudWatch Logs (awslogs log driver) or Google Cloud Logging (captured automatically on Cloud Run). Every token-swapping event carries an HMAC-SHA256 tag, so a verifier that holds the key can detect entries that were altered or fabricated after they were written. HMAC is symmetric: the tag only proves that a holder of the key produced the entry, so keep the key out of the logging pipeline and limit it to the proxy and the verifier. For an audit ledger, pair the tags with retention controls on the log store (CloudWatch retention settings, S3 Object Lock for exports, Cloud Storage retention policies) rather than relying on the signature alone.
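To show what verifying the HMAC-SHA256 tags involves, here is an added example in Go that is not Panovista's code and does not use its real log schema. It assumes each stdout line is a JSON object carrying a hex-encoded sig field computed over the key-sorted JSON of the remaining fields; the event names, field names and key are constructed. SignLine stands in for the proxy's writer so the example runs offline; VerifyStream is the piece a log-ingestion job or SIEM rule would run to flag altered, forged or unparseable entries.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// canonical returns the bytes the tag covers: every field except "sig",
// serialised as JSON with sorted keys (encoding/json sorts map keys, so the
// producer and the verifier derive the same byte string). This canonical form
// is an assumption of the example; use the producer's documented form in practice.
func canonical(entry map[string]any) ([]byte, error) {
	unsigned := make(map[string]any, len(entry))
	for k, v := range entry {
		if k != "sig" {
			unsigned[k] = v
		}
	}
	return json.Marshal(unsigned)
}

// tag computes HMAC-SHA256 over body with the shared key.
func tag(key, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(nil)
}

// SignLine produces one signed log line. It stands in for the proxy's writer so
// the example runs offline; it is not Panovista's own code.
func SignLine(key []byte, entry map[string]any) (string, error) {
	body, err := canonical(entry)
	if err != nil {
		return "", err
	}
	entry["sig"] = hex.EncodeToString(tag(key, body))
	out, err := json.Marshal(entry)
	return string(out), err
}

// VerifyLine checks one JSON log line against the shared key using a
// constant-time comparison; false means the line was altered or forged.
func VerifyLine(key []byte, line string) (bool, error) {
	var entry map[string]any
	if err := json.Unmarshal([]byte(line), &entry); err != nil {
		return false, err
	}
	sigHex, ok := entry["sig"].(string)
	if !ok {
		return false, errors.New("log line has no sig field")
	}
	want, err := hex.DecodeString(sigHex)
	if err != nil {
		return false, err
	}
	body, err := canonical(entry)
	if err != nil {
		return false, err
	}
	return hmac.Equal(tag(key, body), want), nil
}

// VerifyStream returns the zero-based indices of lines that fail verification
// (bad tag, missing tag, or unparseable), which is what a SIEM rule would alert on.
func VerifyStream(key []byte, lines []string) []int {
	var bad []int
	for i, line := range lines {
		if ok, err := VerifyLine(key, line); err != nil || !ok {
			bad = append(bad, i)
		}
	}
	return bad
}

func main() {
	key := []byte("constructed-demo-key-keep-out-of-the-log-pipeline")
	// Constructed sample events mimicking a token-swap record; the field names are assumed.
	genuine, _ := SignLine(key, map[string]any{"ts": "2024-05-01T12:00:00Z", "event": "token_swap", "field": "ssn", "token": "tok_7f3a"})
	tampered := strings.Replace(genuine, "tok_7f3a", "tok_0000", 1) // edited after the fact
	forged, _ := SignLine([]byte("attacker-key"), map[string]any{"ts": "2024-05-01T12:00:01Z", "event": "token_swap", "field": "ssn", "token": "tok_evil"})
	fmt.Println("failing line indices:", VerifyStream(key, []string{genuine, tampered, forged, "not json"}))
}
```

Because the key must be present wherever verification happens, store it in Secrets Manager or Secret Manager with read access limited to the proxy and the verifier and never hand it to the log pipeline itself; anyone who holds it can produce tags that pass this check.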