Enterprise VPC deployment
Enterprise VPC lets you keep all AI content inside your own cloud account. You
host the DeepintShield data plane - the gateway, guardrails, and ML detectors,
with your own Postgres, Redis, and vector store - in your GKE / AKS / EKS
cluster. DeepintShield runs the control plane at app.deepintshield.com for
policy authoring, dashboards, and billing.
One data plane per organization serves every team and workspace under it.
Data-sovereignty guarantees
- Your content never leaves your VPC - prompts, completions, embeddings, retrieved chunks, provider keys, and audit records live only in your cloud.
- Outbound-only connection - the data plane dials out to the control plane over a single pinned mutual-TLS connection on port 443. There is no inbound path into your environment and no public ingress to the data plane.
- Only metadata crosses the boundary - signed configuration flows down; aggregate counts (for billing) flow up. No request or response content, ever.
- Zero added latency - all policy and configuration is cached locally and read in-process, so the control plane is never on the request hot path.
- Keeps running if disconnected - if the control plane is unreachable, the data plane keeps enforcing on the last-known-good configuration. An air-gapped variant needs no connectivity at all.
- Bring your own keys - provider keys are read from your own secret manager / KMS at runtime, decrypted only in memory, never logged or sent upstream.
```text
Your cloud (GKE / AKS / EKS)                              DeepintShield
┌───────────────────────────────┐   outbound mTLS    ┌──────────────────────┐
│ DATA PLANE                    │ ──── tunnel ───►   │ CONTROL PLANE        │
│ gateway + guardrails + models │   config down      │ app.deepintshield.com│
│ Postgres · Redis · vectors    │   counts up        │ policy · dashboards  │
│ ALL customer content stays    │                    │ NO customer payload  │
└───────────────────────────────┘                    └──────────────────────┘
```
Prerequisites
- A Kubernetes cluster in your VPC (GKE / EKS / AKS), 3+ nodes.
- Private PostgreSQL (Cloud SQL / RDS / Azure DB) and Redis (Memorystore / ElastiCache / Azure Cache), reachable privately from the cluster.
- Egress to `app.deepintshield.com:443` only.
- Pull access to the DeepintShield image registry.
- `kubectl` and `helm` 3.x.
Onboarding package
Your DeepintShield representative provisions your organization and hands you an onboarding package. Keep the private key secret.
```text
ORG_ID=<your organization id>
CP_ENDPOINT=app.deepintshield.com:443
tunnel-client-cert.pem / tunnel-client-key.pem     # your data plane's identity
ca.pem                                             # to verify the signed config bundle
CP_CERT_SHA256=<pinned control-plane cert sha256>
config-bundle.tgz                                  # your signed starting configuration
IMAGE_TAG=<release, e.g. 2.0.0>
```
Install (3 steps)
The data plane is one Helm chart pulled from the DeepintShield registry - no source code needed. The chart deploys the gateway, guardrails, and detectors together.

1. Configure your values. In `dp.values.yaml`, set your private Postgres and Redis hosts, the image tag, and the control-plane connection:

   ```yaml
   controlPlane:
     enabled: false   # start in seed-only mode; enable the tunnel in step 3
     endpoint: app.deepintshield.com:443
     pinnedCpCertSha256: "<CP_CERT_SHA256>"
     orgId: "<ORG_ID>"
   ```

   Then copy `.env.example` to `.env` and fill in your database password, the guard shared secret, and `IMAGE_TAG`.

2. Provide credentials and starting config. Create your namespace, load the tunnel client certificate, and seed the signed configuration bundle:

   ```sh
   kubectl create namespace deepintshield
   kubectl -n deepintshield create secret tls deepintshield-tunnel-client-cert \
     --cert=tunnel-client-cert.pem --key=tunnel-client-key.pem
   kubectl -n deepintshield create configmap deepintshield-seed-bundle \
     --from-file=config-bundle.tgz=./config-bundle.tgz
   ```

3. Install. One command deploys the gateway, guardrails, and detectors and applies the internal-only network policy:

   ```sh
   ./install.sh
   ```

   Wait for the rollout (the detectors pull model weights on first boot, ~5–10 min):

   ```sh
   kubectl -n deepintshield rollout status deploy/deepintshield-server
   ```
Enable the live sync (optional)
Once the data plane is healthy, turn on the connection to the control plane so it stays in sync with policy changes and reports aggregate usage:
```sh
helm upgrade --install deepintshield <chart> -n deepintshield \
  --reuse-values --set controlPlane.enabled=true
```
Until you enable it, the data plane runs fully standalone on the seeded configuration.
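The `pinnedCpCertSha256` value you set in step 1 is what stops the tunnel from being redirected to a look-alike endpoint, so it is worth confirming, before enabling the live sync, that the pin in your onboarding package matches the certificate `app.deepintshield.com` actually presents. The script below is an added example, not DeepintShield's own tooling; it assumes the pin is a SHA-256 over the DER-encoded leaf certificate (if the product pins the SPKI instead, swap in that digest), and the sample PEM it builds for offline runs is constructed, not a real certificate.

```python
import base64
import hashlib
import hmac
import ssl


def fetch_server_pem(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate the endpoint presents (needs network; not used offline)."""
    return ssl.get_server_certificate((host, port))


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..', 'abcd..' or 'sha256:abcd..' and return 64 lowercase hex chars."""
    pin = pin.strip().lower()
    if pin.startswith("sha256:"):
        pin = pin[len("sha256:"):]
    pin = pin.replace(":", "").replace(" ", "")
    if len(pin) != 64 or any(c not in "0123456789abcdef" for c in pin):
        raise ValueError("pin is not a 32-byte SHA-256 digest in hex")
    return pin


def cert_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding of the certificate, as lowercase hex (assumed pin format)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def pin_matches(pem: str, expected_pin: str) -> bool:
    """Constant-time comparison of the presented cert's digest with the pinned value."""
    return hmac.compare_digest(cert_sha256(pem), normalize_pin(expected_pin))


def make_sample_pem(body: bytes) -> str:
    """Wrap constructed bytes in PEM markers: an offline stand-in, not a real certificate."""
    b64 = base64.encodebytes(body).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys

    # usage: python pin_check.py app.deepintshield.com <CP_CERT_SHA256>
    host, expected = sys.argv[1], sys.argv[2]
    ok = pin_matches(fetch_server_pem(host), expected)
    print("pin OK" if ok else "PIN MISMATCH: keep controlPlane.enabled=false and contact your representative")
    sys.exit(0 if ok else 1)
```

Run it from a host inside the VPC so the certificate you check is the one the data plane's egress path sees.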
Verify
```sh
# Data plane is healthy - all pods Running and Ready
kubectl -n deepintshield get pods

# A request through one of your virtual keys is served and governed locally
curl -X POST https://<your-deepintshield-host>/openai/v1/chat/completions \
  -H "Authorization: Bearer sk-bf-your-virtual-key" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"ping"}],"max_tokens":4}'
```
Point your applications at your data plane’s internal hostname (https://<your-deepintshield-host>/v1) exactly as they would the hosted cloud - the API, SDK, virtual keys, and policies are identical.
Troubleshooting
| Symptom | Check |
|---|---|
| Client certificate rejected | Use the certificate from your onboarding package and confirm it hasn’t been revoked; request a re-issue if needed. |
| Empty configuration bundle | Your organization has no workspaces yet, or the ORG_ID is wrong - confirm with your representative. |
| Data plane serves nothing | Confirm the virtual key belongs to a workspace under this organization. |
| Detectors slow to start | First boot downloads model weights (5–10 min); subsequent restarts are fast (weights are cached on a volume). |
Next steps
- Deployment options - compare Cloud, Enterprise VPC, and Self-Hosted
- Virtual Keys - scope access, budgets, and policy per team
Your onboarding package includes the per-cloud install runbook (GKE, EKS, or AKS) tailored to your environment. Need it, or a different platform? Talk to sales.