Deployment Modes for Compute Nodes

The three compute node deployment modes explained.

The Pennsieve Compute Node Provisioner supports three deployment modes to meet different security, cost, and compliance requirements.

Mode Overview

| Mode | Idle Cost/Month | Internet Access | Encryption | Use Case |
|---|---|---|---|---|
| Basic | ~$2-4 | ECS: full; Lambda: none | AWS-managed | Development, testing |
| Secure | ~$49-53 | Full (NAT Gateway) | KMS CMK + VPC Flow Logs | Production |
| Compliant | ~$40-43 | None (VPC Endpoints) | KMS CMK + VPC Flow Logs | Regulated environments |

Security Features (All Modes)

The following security features apply to every deployment mode:

  • Credential isolation: Session and refresh tokens are stored in AWS Secrets Manager per execution. Tokens never appear in Step Functions state — only the secret name is passed through the workflow. Secrets are encrypted at rest and deleted when the workflow completes.
  • No PII in logs or tags: Orchestration Lambdas log only opaque user IDs. SFN resource tags use user IDs, not email addresses.
  • API key for orchestration: Orchestration Lambdas (init, status-updater, finalizer) authenticate to the Pennsieve API using an API key stored in Secrets Manager, not the user's session token.
  • S3 log encryption: The log archive bucket uses SSE-KMS encryption.
  • S3 log retention: Logs transition to Glacier after 90 days and are automatically deleted after 7 years (2555 days), aligning with HIPAA data retention requirements.
  • SFN execution data: Step Functions logging has include_execution_data disabled, preventing state payloads from being written to CloudWatch.

Mode Details

1. Basic Mode (deployment_mode = "basic")

Architecture:

  • Uses AWS Default VPC with public subnets
  • ECS tasks get public IP addresses with direct internet access
  • Lambda processors run in the VPC but have no internet access (no public IP, no NAT)
  • No custom networking infrastructure

Security:

  • Secrets Manager credentials with AWS-managed encryption (free)
  • CloudWatch log groups use default AWS-owned encryption
  • No VPC Flow Logs

Costs:

  • EFS mount targets: ~$0.30
  • Secrets Manager: ~$0.40
  • S3 bucket (empty): ~$0
  • Total idle: ~$2-4/month

Best for:

  • Development and testing
  • Cost-sensitive proof-of-concepts
  • Non-production workloads

Note: Lambda processors in basic mode can read and write files on EFS normally but cannot make outbound internet calls (e.g., calling external APIs). ECS processors have full internet access.

2. Secure Mode (deployment_mode = "secure")

Architecture:

  • Custom VPC with public and private subnets
  • ECS tasks and Lambda processors run in private subnets behind a NAT Gateway
  • All processors have full internet access via NAT
  • VPC Flow Logs capture all network traffic metadata

Security:

  • KMS customer-managed keys (CMKs) for Step Functions state encryption
  • KMS CMK encryption on all CloudWatch log groups (SFN, Lambda, ECS)
  • VPC Flow Logs provide a complete audit trail of network connections
  • Secrets Manager credentials with AWS-managed encryption

Costs:

  • NAT Gateway: ~$45.00 (can be shared across compute nodes)
  • KMS keys (SFN + ECS): ~$2.00
  • VPC Flow Logs: ~$1-3
  • EFS mount targets: ~$0.30
  • Secrets Manager: ~$0.40
  • Total idle: ~$49-53/month

Best for:

  • Production workloads
  • Multi-tenant environments requiring network isolation
  • Processors that need external API access or package downloads
  • Standard enterprise deployments

3. Compliant Mode (deployment_mode = "compliant")

Architecture:

  • Custom VPC with private subnets only
  • No NAT Gateway — no internet access at all
  • VPC endpoints for all AWS service communication (S3, ECR, CloudWatch, Secrets Manager, STS)
  • All AWS API traffic stays within the AWS backbone network
  • VPC Flow Logs capture all network traffic metadata

Security:

  • KMS customer-managed keys (CMKs) for Step Functions state encryption
  • KMS CMK encryption on all CloudWatch log groups (SFN, Lambda, ECS)
  • VPC Flow Logs provide a complete audit trail of network connections
  • Secrets Manager credentials with AWS-managed encryption
  • No internet egress — eliminates data exfiltration risk

Costs:

  • VPC Endpoints (5): ~$36.00
  • KMS keys (SFN + ECS): ~$2.00
  • VPC Flow Logs: ~$1-3
  • EFS mount targets: ~$0.30
  • Secrets Manager: ~$0.40
  • Total idle: ~$40-43/month

Best for:

  • Regulated industries (healthcare, finance, government)
  • HIPAA and NIST 800-171 environments
  • Workflows processing sensitive data
  • Self-contained processor workloads that don't require external API calls

Note: Processors that require internet access (external APIs, package downloads) will not work in this mode. All container images must be pre-built and stored in ECR.
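
The VPC Flow Logs enabled in secure and compliant modes can be used to confirm that a compliant-mode node really has no egress. The following is an added example, not part of the Pennsieve provisioner: it parses records in the default (version 2) flow log format and reports accepted flows that leave the VPC. The VPC CIDR `10.0.0.0/16`, the sample records, and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records; account, ENI ids and addresses are made up.
SAMPLE = """\
2 111122223333 eni-0aaa 10.0.1.25 10.0.2.40 49152 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0aaa 10.0.1.25 203.0.113.9 49153 443 6 20 8800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0bbb 10.0.1.31 198.51.100.7 49154 53 17 1 76 1700000000 1700000060 REJECT OK
2 111122223333 eni-0bbb - - - - - - - 1700000000 1700000060 - NODATA
2 111122223333 eni-0aaa 10.0.1.25 203.0.113.9 49155 443 6 5 1200 1700000060 1700000120 ACCEPT OK
""".splitlines()

def parse_record(line):
    """Return a field dict, or None for malformed and NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def unexpected_egress(lines, vpc_cidr, allowed_cidrs=()):
    """Sum bytes of ACCEPTed flows from inside the VPC to addresses outside it.

    allowed_cidrs lists outside destinations that are still expected, if any.
    Returns {(interface_id, dstaddr, dstport): bytes}; empty means no egress seen.
    """
    vpc = ipaddress.ip_network(vpc_cidr)  # assumption: the node's VPC CIDR
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # rejected flows never left the VPC
        try:
            src = ipaddress.ip_address(rec["srcaddr"])
            dst = ipaddress.ip_address(rec["dstaddr"])
        except ValueError:
            continue  # skip records with unparseable addresses
        if src in vpc and dst not in vpc and not any(dst in n for n in allowed):
            findings[(rec["interface_id"], str(dst), int(rec["dstport"]))] += int(rec["bytes"])
    return dict(findings)

if __name__ == "__main__":
    for key, nbytes in unexpected_egress(SAMPLE, "10.0.0.0/16").items():
        print("unexpected egress:", key, nbytes, "bytes")
```

In compliant mode the expected result is an empty dict; any entry identifies the network interface, destination and port to investigate.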