tanveerg
commented
4 months ago Hi @aiasmartakis ,
Thanks for playing around with the solution!
I am actually glad to hear that you were able to switch this over to AWS Titan embeddings. I was having a bit of trouble with Titan embeddings myself - because it required chunking the documents (as it properly wouldn't take the entire document for embedding) . Would you be able to do a Pull Request for Titan if you have time? It would be great to know how you got those bits to work.
I'd like to understand what is your target architecture - and why do you think putting the ALB in a private subnet would be useful.
If it is a matter of bringing in your own custom domain into the mix, then I would suggest using Route53 to register that, create certificates et al and proceed that way.
In its current implementation, the rag-app is secured via Cognito. On top of this, you can add WAF for firewall needs (so you don't have to worry about that stuff)
WAF will ensure your public domain / app has rules in place so you can choose what traffic to let in and what traffic to explicitly deny.
The other thing I notice is that the link you pasted recommends using the HTTP flavor of API gateway, I would recommend using the REST as it natively integrates with WAF. And you can do custom Lambda authorizer for making sure your app is secured. I have another sample that you could use to have that set up done - https://github.com/aws-samples/rest-api-gateway-jwt-cognito/tree/main ^ in that sample - you set up a simple Lambda function which is triggered when a request comes into the API gateway. It also features a custom lambda authorizer. All of this is hooked up to Cognito, which is used to generate JWT bearer tokens. In your case, you could replace that Lambda function with an ECS service , or a Lambda of your own that talks to Bedrock to get the response. The challenge here is that depending on Bedrock's response time, your API request could get timed out because API Gateway has a 30 second timeout limit for AWS integrations (which includes Lambda)
Streamlit does run on websockets unfortunately. If you were to completely decouple the frontend from the backend, I would try to create a separate frontend app, and a separate backend app (that interfaces with the LLM). Since I am not confident in frontend, I chose to go with Streamlit here.
Ideally, I would use API Gateway (REST) + Lambda or ECS for backend (with custom Lambda authorizers) ; and a separate frontend app (maybe checkout Amplify). It also depends if your use case warrants tracking history of the conversation, user management etc. That means you will need to introduce a database layer as well.
Happy to learn more about the use case I suppose, and maybe I could suggest better.
Apologies if my thoughts weren't best organized but I hope I answered some of what you were looking for.
aiasmartakis
Hello,
Thank you for the extensive example. I was easily able to switch it from openai to AWS Titan and the latest Claude LLM and get it up and running (and integrated using CI/CD pipelines!). To have it fit better in our architecture I want to put the ELB in a private subnet and use API Gateway with VPCLinks, but am facing 2 issues.
Regards, Aias