Everything you need to know before deploying Camphor AI Gateway. Can't find your answer? Email us.
It's a full EC2 appliance running in your VPC: no traffic is routed through infrastructure outside your account. Camphor sits in the data path as a transparent gateway -- your instances route through it exactly like a NAT gateway, but with firewall, load balancing, and AI proxy built in. No agents, no sidecars, no code changes to your applications.
Yes. Deploy into an existing VPC or let the CloudFormation stack create a new one. Both modes are supported. Point your private subnet route tables at the Camphor ENI and traffic flows through automatically -- no re-IP, no downtime.
Near-zero. NAT and firewall run in kernel space using nftables and IPVS -- no userspace packet copies. A c6in.xlarge handles 25+ Gbps sustained; note that AWS lists the smaller c6in sizes as "up to" a bandwidth figure with a lower baseline, so validate sustained throughput against your own traffic profile. Vertical scaling replaces the instance with a larger type as traffic grows, with the same sub-10-second replacement window as any other instance replacement.
Yes. A custom Terraform provider ships with every release. Deploy via CloudFormation, then configure every feature (NAT rules, firewall policies, AI proxy routes, peering groups, Kubernetes) entirely through Terraform or the same REST API the dashboard uses.
Each AZ runs its own Auto Scaling Group with a warm pool, so replacement completes in under 10 seconds. Elastic IPs automatically re-associate. In multi-instance mode, GWLB distributes traffic across gateways with continuous health checking, so a single instance failure causes zero visible downtime.
The master instance owns a pool of Elastic IPs and assigns them to secondary private IPs on each network interface. If an instance is replaced, the new instance inherits the same secondary IP and EIP within seconds. Per-AZ DNS records track each AZ's active egress IP, so DNS never needs to change during failover.
You change the instance type via the dashboard or Terraform and the ASG replaces the instance in-place. The new instance picks up the same EIP, secondary IPs, and configuration from SSM Parameter Store. NAT and firewall resume within 10 seconds. No route table changes needed.
When a single instance can't absorb your peak throughput, or when you want active-active redundancy instead of warm-pool failover. GWLB hashes flows across two or more gateways, each in a separate AZ, so all packets of a flow stay on one gateway. The hub-spoke agent is an alternative that achieves similar spreading with ECMP routes and no GWLB endpoint fees.
Identical requests (same model, messages, and sampling parameters) return cached responses with no provider round-trip and zero API cost. The cache is configurable per model and per route. Enterprise tier adds semantic caching, which matches similar-but-not-identical prompts by embedding similarity, typically achieving 50-70% cache hit rates across a team sharing the same gateway. A shared cache serves one caller's response to any other caller whose prompt matches, so scope the cache per route or team where prompts may carry data that should not cross those boundaries.
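The cache behaviour described above, as an added example that is not Camphor's own code: an exact-match cache keyed on a canonical hash of the request plus a cache scope, with a similarity fallback standing in for semantic caching. The similarity function here is token-overlap (Jaccard), chosen so the example runs offline; a real semantic cache would use embedding cosine similarity. The sample requests, the `scope` argument, the threshold of 0.8 and the cached answer are all constructed for illustration.

```python
"""LLM proxy response cache: exact-match on a canonical request hash, plus an
optional similarity fallback. Added example, not the gateway's real code."""
import hashlib
import json
import re
import time


def request_key(req: dict, scope: str) -> str:
    """Hash every field that changes the answer; `scope` (e.g. route or team)
    keeps responses cached for one scope from being served to another."""
    material = {
        "scope": scope,
        "model": req["model"],
        "messages": req["messages"],
        "temperature": req.get("temperature", 1.0),
        "top_p": req.get("top_p", 1.0),
    }
    canon = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def _tokens(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def similarity(a: str, b: str) -> float:
    """Jaccard overlap of word tokens: a stand-in for embedding similarity."""
    ta, tb = _tokens(a), _tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def user_prompt(req: dict) -> str:
    return "\n".join(m.get("content", "") for m in req["messages"] if m["role"] == "user")


class ResponseCache:
    def __init__(self, ttl_seconds: int = 3600, semantic_threshold=None):
        self.ttl = ttl_seconds
        self.threshold = semantic_threshold   # None disables the similarity fallback
        self._store = {}                      # key -> entry dict
        self.hits = 0
        self.misses = 0

    def get(self, req: dict, scope: str, now=None):
        now = time.time() if now is None else now
        entry = self._store.get(request_key(req, scope))
        if entry is not None:
            if entry["expires"] > now:
                self.hits += 1
                return entry["response"]
            del self._store[request_key(req, scope)]   # expired: evict
        if self.threshold is not None:
            text = user_prompt(req)
            best_score, best_resp = 0.0, None
            for e in self._store.values():
                # Never match across scopes or models, and ignore stale entries.
                if e["scope"] != scope or e["model"] != req["model"] or e["expires"] <= now:
                    continue
                score = similarity(text, e["prompt"])
                if score >= self.threshold and score > best_score:
                    best_score, best_resp = score, e["response"]
            if best_resp is not None:
                self.hits += 1
                return best_resp
        self.misses += 1
        return None

    def put(self, req: dict, scope: str, response: str, now=None):
        now = time.time() if now is None else now
        self._store[request_key(req, scope)] = {
            "expires": now + self.ttl, "prompt": user_prompt(req),
            "scope": scope, "model": req["model"], "response": response}


# Constructed sample requests (OpenAI chat-completions shape).
SYSTEM = {"role": "system", "content": "Answer tersely."}
REQ_A = {"model": "gpt-4o", "temperature": 0, "messages": [
    SYSTEM, {"role": "user", "content": "What is my current egress IP in us-east-1?"}]}
REQ_B = {"model": "gpt-4o", "temperature": 0, "messages": [
    SYSTEM, {"role": "user", "content": "what is my egress ip in us-east-1"}]}
REQ_C = {"model": "gpt-4o", "temperature": 0, "messages": [
    SYSTEM, {"role": "user", "content": "Which spoke VPCs have active GRE tunnels?"}]}


def run_demo():
    """Exercise exact hit, scope isolation, similarity hit, unrelated miss, TTL expiry."""
    cache = ResponseCache(ttl_seconds=60, semantic_threshold=0.8)
    t0 = 1_000_000.0
    cache.get(REQ_A, "team-a", now=t0)                   # cold miss
    cache.put(REQ_A, "team-a", "203.0.113.7", now=t0)
    results = {
        "exact": cache.get(REQ_A, "team-a", now=t0 + 1),
        "other_scope": cache.get(REQ_A, "team-b", now=t0 + 1),
        "paraphrase": cache.get(REQ_B, "team-a", now=t0 + 1),
        "unrelated": cache.get(REQ_C, "team-a", now=t0 + 1),
        "expired": cache.get(REQ_A, "team-a", now=t0 + 61),
    }
    return results, cache.hits, cache.misses


if __name__ == "__main__":
    print(run_demo())
```

The `now` parameter exists only to make TTL behaviour testable without sleeping; in production the default wall clock is used.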
OpenAI (GPT-4o, o3, etc.), Anthropic Claude (auto-translated from OpenAI format), and AWS Bedrock (SigV4 signing handled transparently). Use the standard OpenAI Python or Node SDK -- just set base_url to the gateway address and change the model name. Zero code changes beyond that.
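What "auto-translated from OpenAI format" involves, as an added example that is not Camphor's translator: the OpenAI chat-completions request is rewritten into the Anthropic Messages shape (system prompt hoisted out of the message list, `max_tokens` made mandatory, consecutive same-role turns merged because Anthropic requires alternation, `stop` renamed to `stop_sequences`), and the Anthropic response is rewritten back into the OpenAI choices/usage shape. The sample request and response below are constructed; the model name is a placeholder and `SAMPLE_RESPONSE`'s token counts are invented.

```python
"""OpenAI <-> Anthropic Messages format translation. Added example; the
gateway's real translator is not published on this page."""

STOP_REASON_MAP = {"end_turn": "stop", "stop_sequence": "stop", "max_tokens": "length"}


def _text(content) -> str:
    """OpenAI content may be a string or a list of parts; keep the text parts."""
    if isinstance(content, list):
        return "".join(p.get("text", "") for p in content if p.get("type") == "text")
    return content or ""


def openai_to_anthropic(req: dict) -> dict:
    system_parts, messages = [], []
    for m in req["messages"]:
        role, text = m["role"], _text(m.get("content"))
        if role == "system":
            system_parts.append(text)            # Anthropic takes system as a top-level field
        elif role in ("user", "assistant"):
            if messages and messages[-1]["role"] == role:
                messages[-1]["content"] += "\n\n" + text   # enforce user/assistant alternation
            else:
                messages.append({"role": role, "content": text})
        else:
            raise ValueError(f"cannot translate role {role!r}")
    if not messages or messages[0]["role"] != "user":
        raise ValueError("Anthropic conversations must begin with a user turn")
    out = {
        "model": req["model"],
        "max_tokens": req.get("max_tokens", 1024),   # optional in OpenAI, required by Anthropic
        "messages": messages,
    }
    if system_parts:
        out["system"] = "\n\n".join(system_parts)
    for key in ("temperature", "top_p"):
        if key in req:
            out[key] = req[key]
    if "stop" in req:
        stop = req["stop"]
        out["stop_sequences"] = [stop] if isinstance(stop, str) else list(stop)
    return out


def anthropic_to_openai(resp: dict, model: str) -> dict:
    text = "".join(b["text"] for b in resp["content"] if b.get("type") == "text")
    usage = resp.get("usage", {})
    prompt, completion = usage.get("input_tokens", 0), usage.get("output_tokens", 0)
    return {
        "id": resp.get("id", ""),
        "object": "chat.completion",
        "model": model,
        "choices": [{
            "index": 0,
            "message": {"role": "assistant", "content": text},
            "finish_reason": STOP_REASON_MAP.get(resp.get("stop_reason"), "stop"),
        }],
        "usage": {"prompt_tokens": prompt, "completion_tokens": completion,
                  "total_tokens": prompt + completion},
    }


# Constructed samples. The model name is a placeholder, not a specific release.
SAMPLE_REQUEST = {
    "model": "claude-placeholder", "max_tokens": 64, "temperature": 0, "stop": ["END"],
    "messages": [
        {"role": "system", "content": "Answer tersely."},
        {"role": "user", "content": "What is my current egress IP in us-east-1?"},
        {"role": "user", "content": [{"type": "text", "text": "Just the address."}]},
    ],
}
SAMPLE_RESPONSE = {
    "id": "msg_sample", "type": "message", "role": "assistant",
    "content": [{"type": "text", "text": "203.0.113.7"}],
    "stop_reason": "end_turn",
    "usage": {"input_tokens": 21, "output_tokens": 6},
}

if __name__ == "__main__":
    print(openai_to_anthropic(SAMPLE_REQUEST))
    print(anthropic_to_openai(SAMPLE_RESPONSE, SAMPLE_REQUEST["model"]))
```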
A conversational interface built into the dashboard that lets you query your gateway in natural language. Powered by Amazon Bedrock. Ask questions like "what's my current egress IP in us-east-1?" or "which spoke VPCs have active GRE tunnels?". Responses stream in real time via SSE. Requires Bedrock model access in your region.
No. The AI proxy runs entirely within your VPC. Prompts flow from your applications to the gateway and then to the LLM provider of your choice -- Camphor never sees the payload (the provider you route to receives it, exactly as it would without the gateway). Audit logs (model, tokens, source IP, latency) are written to CloudWatch in your account only.
Transit Gateway charges $0.02/GB for every byte that crosses it, plus $0.05/hour per attachment. At 100 TB/month that's over $2,000/month just in data fees. Camphor uses VPC peering, which has no hourly or per-GB processing charge, with auto-created routes, full-mesh topology, cross-account management, and route propagation -- all at $0/GB data-plane cost. Standard AWS inter-AZ and inter-region data transfer rates still apply to traffic that crosses those boundaries over a peering link.
A lightweight agent binary runs on instances in each spoke VPC. It registers with the hub gateway, establishes a GRE tunnel (or WireGuard for encrypted tunnels), and installs routes for the spoke's CIDR. The hub gateway NATs all spoke egress traffic through its EIP. ECMP across multiple hub gateways distributes load. Spoke instances need no VPC peering or route table changes -- only the agent is required.
The K8s control plane runs on the hub gateway EC2 instance in your hub VPC. Worker nodes in spoke VPCs and other accounts bootstrap using a CAMPHOR_ROLE=k8s-worker environment variable and join via the Calico IPIP overlay, which traverses VPC peering links. Camphor's custom Karpenter provider handles cross-account node provisioning. A single cluster can span 3 accounts, 3 regions, and 8 VPCs with 17 worker nodes today.
AWS is generally available today via AWS Marketplace. GCP and Azure ports are on the roadmap -- the core networking stack (nftables, IPVS, Suricata) is cloud-agnostic, so the main work is adapting the instance metadata and SDK calls. Contact us if you have a specific timeline requirement.
camphor_firewall_sync reads your AWS Network Firewall rule groups via API and translates them to native Suricata rules -- no Network Firewall endpoints required ($0/month vs. $700+/month). Rules update automatically when you change your AWS Firewall policy. ET Open threat intelligence (30,000+ rules) is pre-cached in the AMI for offline operation.
DNS-based allow/block lists enforced by Suricata at the packet level. Add a domain to the blocklist via the dashboard or Terraform and Suricata drops all matching DNS responses and subsequent TCP/UDP flows. Works for both plain DNS and SNI-based HTTPS filtering without SSL interception. Two caveats a practitioner should plan for: clients that resolve over DNS-over-HTTPS bypass the DNS check, and TLS Encrypted Client Hello hides the SNI, so pair the lists with egress rules that block unexpected resolvers.
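What the rule-group translation and domain filtering above amount to in Suricata terms, as an added example that is not the `camphor_firewall_sync` binary: the Network Firewall API's `RulesSource.StatefulRules` (5-tuple rules with `RuleOptions`) map almost one-to-one onto Suricata rule syntax, and `RulesSource.RulesSourceList` domain lists become sticky-buffer matches on `tls.sni`, `http.host` and `dns.query`, where a leading dot in the target means "the domain and its subdomains" (`dotprefix; endswith`) and no leading dot means an exact match (`startswith; endswith`). The sample rule groups are constructed, not fetched from an account, and the sid base, `$HOME_NET`/`$EXTERNAL_NET` variables and message text are assumptions.

```python
"""AWS Network Firewall stateful rule group -> Suricata rule text.
Added example, not the product's own sync tool. Input follows the shape
returned by DescribeRuleGroup; samples below are constructed."""

ACTION = {"PASS": "pass", "DROP": "drop", "ALERT": "alert", "REJECT": "reject"}
DIRECTION = {"FORWARD": "->", "ANY": "<>"}
HOST_BUFFERS = {"TLS_SNI": ("tls", "tls.sni"), "HTTP_HOST": ("http", "http.host")}


def _field(value: str) -> str:
    """Network Firewall writes the wildcard as 'ANY'; Suricata wants 'any'."""
    return "any" if value.upper() == "ANY" else value


def stateful_rule_to_suricata(rule: dict) -> str:
    h = rule["Header"]
    opts = []
    for opt in rule.get("RuleOptions", []):
        settings = opt.get("Settings") or []
        opts.append(f"{opt['Keyword']}:{','.join(settings)};" if settings else f"{opt['Keyword']};")
    if not any(o.startswith("sid:") for o in opts):
        raise ValueError("stateful rule has no sid; Suricata will not load it")
    return (f"{ACTION[rule['Action']]} {h['Protocol'].lower()} "
            f"{_field(h['Source'])} {_field(h['SourcePort'])} {DIRECTION[h['Direction']]} "
            f"{_field(h['Destination'])} {_field(h['DestinationPort'])} ({' '.join(opts)})")


def domain_list_to_suricata(src: dict, sid_base: int, include_dns: bool = True) -> list:
    """DENYLIST -> drop rules. For ALLOWLIST this emits the pass rules only; the
    trailing drop-everything-else rule must be added by the caller."""
    action = "drop" if src["GeneratedRulesType"] == "DENYLIST" else "pass"
    rules, sid = [], sid_base
    for target in src["Targets"]:
        if target.startswith("."):
            match = f'dotprefix; content:"{target}"; nocase; endswith;'
        else:
            match = f'content:"{target}"; nocase; startswith; endswith;'
        buffers = [HOST_BUFFERS[t] for t in src["TargetTypes"]]
        if include_dns:
            buffers.append(("dns", "dns.query"))   # also block resolution of the name
        for proto, buf in buffers:
            dst = "any" if proto == "dns" else "$EXTERNAL_NET"
            rules.append(f'{action} {proto} $HOME_NET any -> {dst} any '
                         f'({buf}; {match} msg:"{action} {target} ({buf})"; sid:{sid}; rev:1;)')
            sid += 1
    return rules


def convert_rule_group(rule_group: dict, sid_base: int = 2000000) -> list:
    src = rule_group["RulesSource"]
    rules = [stateful_rule_to_suricata(r) for r in src.get("StatefulRules", [])]
    if "RulesSourceList" in src:
        rules += domain_list_to_suricata(src["RulesSourceList"], sid_base)
    return rules


# Constructed sample rule groups in DescribeRuleGroup shape.
SAMPLE_5TUPLE = {"RulesSource": {"StatefulRules": [{
    "Action": "DROP",
    "Header": {"Protocol": "TCP", "Source": "$HOME_NET", "SourcePort": "ANY",
               "Direction": "FORWARD", "Destination": "198.51.100.0/24", "DestinationPort": "3389"},
    "RuleOptions": [{"Keyword": "msg", "Settings": ['"block RDP to partner range"']},
                    {"Keyword": "sid", "Settings": ["1000001"]},
                    {"Keyword": "rev", "Settings": ["1"]}],
}]}}
SAMPLE_DOMAINS = {"RulesSource": {"RulesSourceList": {
    "Targets": [".evil.example", "tracker.example"],
    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
    "GeneratedRulesType": "DENYLIST",
}}}

if __name__ == "__main__":
    for line in convert_rule_group(SAMPLE_5TUPLE) + convert_rule_group(SAMPLE_DOMAINS):
        print(line)
```

Write the output to a `.rules` file and validate it with `suricata -T -S <file>` before loading; an unloadable rule file is silently equivalent to no firewall policy.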
TLS termination uses ACM Private CA to export the certificate, which is stored on-disk on the gateway EC2 instance only. HAProxy terminates the connection and re-encrypts to backend instances if needed. The private key never leaves your VPC. TLS inspection (SSL bump) is optional and must be explicitly enabled.
Camphor uses a least-privilege instance profile scoped to your stack's resources by tag and ARN. Permissions cover EC2 describe/modify for NICs and EIPs, Route53 for DNS, SSM for config storage, CloudWatch for metrics, and optionally cross-account STS for transit and peering. The full policy ships in the CloudFormation template and is auditable before deployment.
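A check to run on that policy before deployment, as an added example that is not part of the Camphor template: flag statements that allow wildcard actions, `sts:AssumeRole` or `iam:PassRole` on any role, or mutating actions on `Resource: "*"` with no `ec2:ResourceTag/` / `aws:ResourceTag/` condition pinning them to the stack. The policy below is constructed for illustration and the tag key `camphor:stack` is an assumption; the list of read-only prefixes that legitimately need `"*"` is a starting point, not an exhaustive one.

```python
"""Instance-profile policy audit: find statements that are not scoped by
tag or ARN. Added example; the sample policy is constructed."""

# Actions that only work against Resource "*" (EC2 Describe*, metric puts, ...).
WILDCARD_OK_PREFIXES = ("ec2:Describe", "route53:List", "route53:Get",
                        "ssm:Describe", "cloudwatch:PutMetricData")
TAG_CONDITION_PREFIXES = ("aws:ResourceTag/", "ec2:ResourceTag/", "aws:RequestTag/")
ROLE_ACTIONS = ("sts:AssumeRole", "iam:PassRole")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _tag_scoped(stmt: dict) -> bool:
    """True if any condition key is a resource/request tag key."""
    for values in stmt.get("Condition", {}).values():
        if any(k.startswith(TAG_CONDITION_PREFIXES) for k in values):
            return True
    return False


def audit_policy(policy: dict) -> list:
    """Return (Sid, finding) pairs for Allow statements that need tightening."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        resources = _as_list(stmt.get("Resource", []))
        wildcard_resource = "*" in resources
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
            elif action in ROLE_ACTIONS and wildcard_resource:
                findings.append((sid, f"{action} on any role; name the target role ARNs"))
            elif (wildcard_resource and not action.startswith(WILDCARD_OK_PREFIXES)
                  and not _tag_scoped(stmt)):
                findings.append((sid, f"{action} on Resource '*' without a tag condition"))
    return findings


# Constructed sample: three well-scoped statements and two that should fail review.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["ec2:Describe*", "route53:ListHostedZones", "cloudwatch:PutMetricData"],
     "Resource": "*"},
    {"Sid": "ManageStackNics", "Effect": "Allow",
     "Action": ["ec2:AssociateAddress", "ec2:AssignPrivateIpAddresses",
                "ec2:ModifyNetworkInterfaceAttribute"],
     "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/camphor:stack": "camphor-prod"}}},
    {"Sid": "StackConfig", "Effect": "Allow",
     "Action": ["ssm:GetParameter", "ssm:PutParameter"],
     "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/camphor/prod/*"},
    {"Sid": "CrossAccountTooBroad", "Effect": "Allow",
     "Action": "sts:AssumeRole", "Resource": "*"},
    {"Sid": "UnscopedEniWrite", "Effect": "Allow",
     "Action": "ec2:ModifyNetworkInterfaceAttribute", "Resource": "*"},
]}

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Run it against the policy document extracted from the CloudFormation template (for example with `aws cloudformation get-template` and a JSON/YAML parser) and treat any finding as a question for the vendor rather than an automatic block; some actions genuinely cannot be resource-scoped.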
Email us directly or schedule a 30-minute call. We respond within one business day.