Secure Hosting of LLMs with OCI Virtual Cloud Network

Question

Pulumi · Accepted Answer

To host Large Language Models (LLMs) securely, you would typically set up a Virtual Cloud Network (VCN) within Oracle Cloud Infrastructure (OCI). A VCN creates an isolated network space where you can create and manage your cloud resources, like compute instances to run your LLM, with secure access controls.

The key components usually involved would be:

1. **Virtual Cloud Network (VCN)**: This acts as the main network in OCI that provides a customizable private space in Oracle Cloud. It's similar to a traditional network that you'd operate in your own data center, but with the benefits of scalable infrastructure in the cloud.

2. **Subnets**: These are subdivisions of your VCN. You can launch resources like compute instances into a subnet.

3. **Security Lists**: These act as virtual firewalls to define ingress and egress rules for types of traffic that are allowed to and from resources within a subnet.

4. **Route Tables**: This will determine the path network traffic will take from your VCN.

5. **Internet Gateway (IG) or NAT Gateway**: If your LLM requires access to the internet, you need an Internet Gateway or a NAT Gateway to enable that access.

6. **Compute Instances**: This is where you would deploy your LLMs. You might also consider OCI Container Engine if you are deploying containerized applications.

7. **Load Balancer (optional)**: If you expect high traffic, you might want to use a load balancer to distribute traffic across multiple instances of your LLM for better performance and redundancy.

Let's start writing a Pulumi program in Python to create these resources in OCI. In this example, I'll show you how to set up a simple VCN along with a subnet and security list, a pre-requisite for hosting any application securely on OCI.

```python
import pulumi
import pulumi_oci as oci

# Replace the following with your own compartment ID
compartment_id = 'ocid1.compartment.oc1..exampleuniqueID'

# Create a new VCN
vcn = oci.core.VirtualNetwork("llmVcn",
    compartment_id=compartment_id,
    cidr_block="10.0.0.0/16",
    display_name="LLM VCN")

# Create a subnet in the VCN
subnet = oci.core.Subnet("llmSubnet",
    compartment_id=compartment_id,
    vcn_id=vcn.id,
    cidr_block="10.0.1.0/24",
    display_name="LLMLSUbnet")

# Create a security list for the VCN
security_list = oci.core.SecurityList("llmSecurityList",
    compartment_id=compartment_id,
    vcn_id=vcn.id,
    display_name="LLM SecurityList",
    egress_security_rules=[ # Allows all outbound traffic from resources in the subnet
        oci.core.SecurityListEgressSecurityRuleArgs(
            destination="0.0.0.0/0",
            protocol="all",
        ),
    ],
    ingress_security_rules=[ # You would specify your own rules here
        oci.core.SecurityListIngressSecurityRuleArgs(
            protocol="all",
            source="0.0.0.0/0",
            description="Allow HTTPS traffic", 
            tcp_options=oci.core.SecurityListIngressSecurityRuleTcpOptionsArgs(
                max=443,
                min=443,
            ),
        ),
    ])

# Create an Internet Gateway for external access, if needed
internet_gateway = oci.core.InternetGateway("llmInternetGateway",
    compartment_id=compartment_id,
    vcn_id=vcn.id,
    display_name="LLM Internet Gateway",
    is_enabled=True)

# Create a route table for the subnet
route_table = oci.core.RouteTable("llmRouteTable",
    compartment_id=compartment_id,
    vcn_id=vcn.id,
    display_name="LLM Route Table",
    route_rules=[
        oci.core.RouteTableRouteRuleArgs(
            destination="0.0.0.0/0",
            destination_type="CIDR_BLOCK",
            network_entity_id=internet_gateway.id,
        ),
    ])

# Attach the route table to the subnet
subnet.route_table_id = route_table.id

# Now you can create your compute instances in the subnet
# And possibly a Load Balancer if needed, based on your traffic requirements

# Output the VCN and Subnet OCIDs for reference
pulumi.export('vcn_id', vcn.id)
pulumi.export('subnet_id', subnet.id)
```

In this program, we've set up a foundational network with a virtual firewall and a routing table, preparing a secure environment to deploy LLM workloads.

- We start by creating a VCN with a defined CIDR range.
- A subnet is created within the VCN where our compute resources can be placed.
- We define security lists which are vital for maintaining fine-grained control over the traffic flowing in and out of our subnet.
- An Internet Gateway is added for the VCN to allow internet access. This is optional and depends on whether your LLM needs to access the internet.
- Lastly, we create a route table with a default route through our internet gateway (if external access is needed), and associate it with our subnet.

Please ensure that the compartment ID referenced in the code is replaced with the actual ID from your OCI compartment where you want these resources to be hosted. The program then exports the identifiers of the VCN and subnet, which you can use to configure further resources or outputs as needed.