Using generative AI for building AWS networks

In today’s rapidly evolving cloud landscape, network architects, engineers, and cloud teams need to move faster to design, deploy, and manage complex Amazon Web Services (AWS) networking infrastructure at scale. The emergence of generative AI capabilities, particularly Amazon Bedrock and Amazon Q, offers unprecedented opportunities to transform how we approach these challenges and solve them in new ways. These technologies can also help reduce the time to deploy new AWS networks and modernize existing AWS networks.

In this post we cover real-world examples, mainly focusing on greenfield networks. While demonstrating these capabilities, we show that generative AI tools can help across the entire network lifecycle, from discovery and implementation to testing, rollback, and optimization. We focus on the following use cases in this post:

  • Build an AWS Cloud WAN global network using Amazon Q Developer CLI agentic AI
  • Update an AWS Cloud WAN global network using Amazon Bedrock
  • Modernize an AWS network using Amazon VPC Lattice and agentic AI
  • Build AWS networks with IaC using Amazon Q
  • Analyze AWS networks using Amazon Bedrock

Let’s start with the first use case, where we use agentic AI to build a net-new AWS Cloud WAN network.

Build AWS Cloud WAN global network using Amazon Q Developer CLI Agentic AI

An AI agentic workflow refers to a process where an AI agent works autonomously or semi-autonomously to complete tasks by making decisions, taking actions, and interacting with various systems to achieve specific goals.

In this section, we see how the Amazon Q command line interface (CLI) agent can create an AWS Cloud WAN global network within minutes. We focus on a greenfield AWS Cloud WAN setup in this use case, but you can also use the agent to update an existing AWS Cloud WAN network. The section assumes that you are familiar with these AWS Cloud WAN components: global network, core network, core network policy, and network segments.

The intent here is to build an AWS Cloud WAN global network across three AWS Regions, as shown in Figure 1:

Figure 1: AWS Cloud WAN intended architecture

Refer to the AWS documentation for installing Amazon Q for CLI and setting up the necessary authentication.

Here we already have the CLI installed, so we run q chat in the CLI terminal to begin a new conversation with the agent. Then, we ask Q Developer to create an AWS Cloud WAN global network as the first step, as shown in Figure 2.

Figure 2: Create AWS Cloud WAN global network

Within just a few seconds the agent was able to create the global network by running the necessary API calls in the background. Furthermore, not only did the agent create the global network, but it also listed the next steps needed to complete the setup.

As a next step, as shown in Figure 3, we ask the agent to create a core network in the newly created global network. The agent performed discovery and identified that there are two global networks configured in this account. Based on the prompt, it created the core network in the newly created global network.

Figure 3: Create AWS Cloud WAN core network

We can validate this in the AWS console. So far we have created the global network and the core network. When you create a new core network in the AWS console, it automatically creates the baseline policy. In this case, the Amazon Q CLI agent only created the core network using specific API calls and did not create the baseline policy. Figure 4 shows the newly created core network in the console.

Figure 4: Verify newly created core network in the AWS console

As a next step, we ask the CLI agent to create a new AWS Cloud WAN policy.

This is the prompt used:

Create a new Core Network Policy, use BGP ASN range 64512-64612, Deploy Cloud WAN in 3 Edge locations: us-east-1, ap-northeast-1, eu-central-1. Create default segment with segment name as Production.

Figure 5 shows a truncated output. The Amazon Q CLI Agent runs multiple API calls in the background to do the discovery and execute the changes:

list-core-networks 
put-core-network-policy 
get-core-network-change-set 
execute-core-network-change-set 
get-core-network-policy

Refer to the Network Manager API Reference guide for an explanation of these API calls.

Figure 5: Create AWS Cloud WAN core network policy

Verify that the policy has been successfully created in the console and that it aligns with the original intent, as shown in Figure 6.

Figure 6: Verify the policy creation in the AWS console

We can see how, with just three natural language prompts, the Amazon Q CLI agent was able to deploy the AWS Cloud WAN global network across three AWS Regions within minutes. It performs multi-step processing, can do discovery, and, more importantly, is context-aware. In Figure 7 we can see the AWS Cloud WAN global topology in the AWS console.

Figure 7: Verify the AWS Cloud WAN topology in the AWS console

As the AWS Cloud WAN network grows, the JSON policies can become lengthy and complex to manage. The Amazon Q CLI agent can speed up and greatly streamline deployment, and it can also be used to roll back changes.

Update AWS Cloud WAN global network using Amazon Bedrock

In this section we show how we can use Amazon Bedrock to make changes to an existing AWS Cloud WAN network. In this example we import the existing AWS Cloud WAN JSON policy as an attachment in the Amazon Bedrock LLM chat/playground section.

At the time of writing, you can choose Anthropic’s Claude Sonnet models in Amazon Q CLI. In Amazon Bedrock, you have the option to choose from various industry-leading foundation models (FMs). You can use Amazon Bedrock in cases where you want to use a specific specialty large language model (LLM) of your choice. In this example, we have used Anthropic’s Claude 3.7 Sonnet model.

Figure 8 shows the intended network state.

Figure 8: Intended network with other segment

Here is the prompt used to generate the new AWS Cloud WAN JSON policy:

Attached is an AWS Cloud WAN JSON policy, create a new policy which should add a new segment, name it SDWAN and implement it in all 3 edge locations us-east-1, eu-central-1 and ap-northeast-1

Figure 9 shows how to use the Amazon Bedrock chat/text playground in the AWS console to generate the policy.

Figure 9: Use Amazon Bedrock to generate the new AWS Cloud WAN policy

Amazon Bedrock was able to quickly generate the new AWS Cloud WAN JSON policy. We can now easily implement the newly created JSON policy in AWS Cloud WAN. In AWS Cloud WAN you can observe the configuration delta between the old and the new policy. You can also roll back to the previous policy if needed.

Figure 10 shows that Amazon Bedrock generated the correct policy according to the intent.

Figure 10: Old and new policy delta in the AWS console

This example shows how we can quickly generate new AWS Cloud WAN JSON policies within seconds using Amazon Bedrock. This is especially useful if you are dealing with lengthy AWS Cloud WAN JSON policies that have hundreds of lines of JSON code. You can use generative AI tools such as Amazon Bedrock to not only create but also verify the JSON policies. Furthermore, Amazon Bedrock can also suggest next logical steps in the build process such as attachment policies.
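As an added example (not code from the post), the following Python checks a generated core network policy against the stated intent before it is applied with execute-core-network-change-set, and summarises the delta between the current and new policy. It covers both the Q CLI build above (ASN range, three edge locations, Production segment) and the Bedrock update here (SDWAN segment in all three edge locations). The two policy documents are constructed inline to mirror the two prompts and use the Cloud WAN core network policy document keys.

```python
import copy

# Constructed baseline policy: what the Q CLI prompt on this page asked for
# (ASN range 64512-64612, three edge locations, one Production segment).
CURRENT_POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "vpn-ecmp-support": True,
        "asn-ranges": ["64512-64612"],
        "edge-locations": [{"location": r} for r in ("us-east-1", "ap-northeast-1", "eu-central-1")],
    },
    "segments": [{"name": "Production", "require-attachment-acceptance": False}],
}

# Constructed candidate mirroring the Bedrock prompt (add SDWAN in all 3 edge locations);
# treat it as untrusted model output until it has been checked.
NEW_POLICY = copy.deepcopy(CURRENT_POLICY)
NEW_POLICY["segments"].append(
    {"name": "SDWAN", "edge-locations": ["us-east-1", "eu-central-1", "ap-northeast-1"]})


def _segments(policy):
    return {s["name"] for s in policy.get("segments", [])}


def _locations(policy):
    cfg = policy.get("core-network-configuration", {})
    return {e["location"] for e in cfg.get("edge-locations", [])}


def validate_intent(policy, asn_range, edge_locations, segment_names):
    """Return findings where the policy deviates from the stated intent (empty list = OK)."""
    findings = []
    asn_ranges = policy.get("core-network-configuration", {}).get("asn-ranges", [])
    if asn_range not in asn_ranges:
        findings.append(f"ASN range {asn_range} missing from {asn_ranges}")
    found, want = _locations(policy), set(edge_locations)
    if found != want:
        findings.append(f"edge locations differ: missing {sorted(want - found)}, extra {sorted(found - want)}")
    for missing in sorted(set(segment_names) - _segments(policy)):
        findings.append(f"segment {missing} not defined")
    # A segment scoped to edge locations may only name locations the core network actually has.
    for seg in policy.get("segments", []):
        for loc in seg.get("edge-locations", []):
            if loc not in found:
                findings.append(f"segment {seg['name']} uses unknown edge location {loc}")
    return findings


def policy_delta(old, new):
    """Summarise segment and edge-location changes, like the console's policy delta view."""
    return {
        "segments_added": sorted(_segments(new) - _segments(old)),
        "segments_removed": sorted(_segments(old) - _segments(new)),
        "edge_locations_added": sorted(_locations(new) - _locations(old)),
        "edge_locations_removed": sorted(_locations(old) - _locations(new)),
    }
```

Run validate_intent on the model output and only proceed to the change set when it returns no findings; the delta is what a reviewer compares against the console's old/new policy view.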

Modernize AWS network using Amazon VPC Lattice and Agentic AI

In this section we discuss how Amazon Q Developer CLI agent can be used to accelerate network modernization.

We often hear from users that they want to modernize their networks but are blocked due to resource constraints, learning curve, and other priorities. The time it takes to evaluate their current network, understand the migration steps, and identify and mitigate risks becomes too much and the discussion ends there. Amazon Q Developer CLI agent provides you with on-demand access to an expert with the context of your AWS account. You can ask Amazon Q Developer CLI Agent to provide a migration plan, identify risks, and even recommend other considerations that you may not have thought about yet. In the rest of this section, we walk through an example.

Suppose we have a network of VPCs that are interconnected via a Transit Gateway. The network architect intends to modernize the network by migrating to Amazon VPC Lattice, as illustrated in the following figure.

Figure 11: Transit Gateway to Amazon VPC Lattice migration topology diagram

We can ask Amazon Q Developer CLI agent to discover the existing network, and it provides an overview, as shown in the following figure.

Figure 12: Network discovery across AWS Regions within an AWS account

As shown in the previous section, Amazon Q can perform network discovery to understand the existing configuration. Amazon Q Developer CLI agent maintains context, thus we can ask Amazon Q to provide a phased migration that minimizes downtime based on the existing network, as shown in the following figure.

Figure 13: Migration phases

When the migration plan has been reviewed and validated by a change control board, we can perform the steps in the production network during an approved maintenance window. By providing a detailed migration plan in minutes, the Amazon Q Developer CLI agent significantly reduces the time needed to plan migrations to a modern network. This leaves more time to perform testing, execute the migration phases, and validate that we have achieved the desired outcome.

Build AWS networks with IaC using Amazon Q

If you already have an IaC or DevOps practice in place, then you can quickly start using Amazon Q in an IDE such as Visual Studio Code to generate code for deploying AWS networks. Figure 14 shows how to use Amazon Q Developer with a prompt to generate an AWS CloudFormation template for a well-architected Amazon Virtual Private Cloud (Amazon VPC). Figure 15 shows the corresponding output. Amazon Q automatically determines all the relevant resources, such as an internet gateway (IGW) and NAT gateways, that are necessary for creating a well-architected VPC.

Figure 14: Prompt to Amazon Q Developer for generating a CloudFormation template for a well-architected Amazon VPC

Figure 15: Amazon Q Developer generating a CloudFormation template for a well-architected Amazon VPC

Amazon Q Developer creates an IaC template on your local machine. This allows you to modify or incrementally add more AWS resources to your template using Amazon Q Developer in an interactive manner and using natural language. It also provides a summary of the resources it creates, as shown in Figure 15, and the steps for deploying the template. Furthermore, this capability allows you to learn and ask questions about AWS networking services as you build your template. You can also take an existing template and ask Amazon Q to explain it, modify it, or add/remove resources from it. This reduces the time for creating and deploying IaC. Amazon Q Developer supports both CloudFormation and Terraform templates. You can read more about Terraform support in the post Accelerate your Terraform development with Amazon Q Developer.

Analyze AWS networks using Amazon Bedrock

Amazon Bedrock can significantly enhance network diagram analysis for AWS infrastructures. Amazon Bedrock provides models from leading AI companies and Amazon Nova models through a single API. This allows you to choose the best model to assist in automating the interpretation of complex network diagrams, identifying potential security vulnerabilities, and suggesting optimizations for network architectures. Engineers can input their AWS network diagrams into Amazon Bedrock-powered tools, which can analyze the topology, detect misconfigurations, and provide recommendations for improving performance and security. This AI-driven approach can save considerable time and reduce human error in analyzing large-scale network infrastructures.

Figure 16 shows a multi-VPC architecture with centralized inspection and hybrid connectivity from this AWS whitepaper. We analyze this architecture diagram with Claude 3.5 Sonnet model using Amazon Bedrock.

Figure 16: Multi-VPC centralized inspection architecture for Amazon Bedrock network analysis

We upload the preceding diagram to Amazon Bedrock and ask it to explain it with a direct prompt as shown in Figure 17.

Figure 17: Amazon Bedrock analyzing an AWS network architecture diagram

You can also ask Amazon Bedrock to provide recommendations to improve this architecture, as shown in the following figure, and ask follow-up questions about the AWS services.

Figure 18: Amazon Bedrock providing recommendations for improving AWS network architecture

You can use Amazon Bedrock to estimate the cost of this architecture, as shown in Figure 19, by making certain assumptions, as shown under Base Assumptions. In this instance, Amazon Bedrock is assuming 100 TB/month of data processing and 50 TB/month of data transfer. You can provide your own assumptions to the model to make the output more relevant to your use case. For more accurate results, consider providing more examples to the model and use the chat functionality to tweak the assumptions as necessary. It’s also a best practice to validate the estimates and recommendations.

Figure 19: Amazon Bedrock providing cost estimate for AWS network architecture

In this section, we explored how Amazon Bedrock can be used to improve networks. From diagram analysis, answering questions, and cost optimization suggestions to implementing best practices, Amazon Bedrock addresses a wide variety of use cases.

Considerations

  • Test the generative AI capabilities in development, test, or other lower (low-risk) environments first, before adapting or implementing them in production networks.
  • Follow the Generative AI Lens – AWS Well-Architected Framework guidance, which covers key areas aligned with the six well-architected pillars: Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, and Sustainability.
  • Security is a top priority: consider using Amazon Bedrock and Amazon Q security capabilities such as AWS Identity and Access Management (IAM) best practices.
  • Implement appropriate Amazon Bedrock Guardrails where applicable.
  • Incorporating human judgment is crucial, especially in complex and high-risk decision-making scenarios. This involves building a human-in-the-loop process where humans play an active role in decision making alongside the AI system.
  • The prompts used in this post are just examples. For use in your environment, tweak or create prompts as necessary. Refer to the documentation for more information and best practices on prompt engineering.

Conclusion

In this post we demonstrated how generative AI tools such as Amazon Bedrock and Amazon Q can significantly augment our capabilities across the entire network lifecycle—from discovery and implementation to testing, rollback, and optimization. Automating network discovery allows generative AI to provide real-time visibility into all configurations, enabling faster and more accurate mapping. When implementing new networks or fixing sub-optimal ones, generative AI can recommend optimal configurations and suggest targeted improvements, which streamlines network management. For testing and rollback, AI-driven automation enables rapid validation of changes and supports immediate rollback strategies, minimizing downtime and risk during deployments. These efficiencies not only reduce manual effort but also accelerate time-to-market.

Get started with Amazon Bedrock and install Amazon Q CLI for building AWS networks today!

About the authors

Tushar Jagdale

Tushar is a Specialist Solutions Architect focused on Networking at AWS, where he helps customers build and design scalable, highly available, secure, resilient, and cost effective networks. He has over 15 years of experience building and securing data center and cloud networks.

Sohaib Tahir

Sohaib is a principal solutions architect at AWS, where he partners with US state and local government agencies to modernize their critical financial and administrative systems. With over 15 years of technology and engineering expertise, he helps tax authorities, labor departments, retirement systems, and other government agencies transform their operations through cloud adoption. Sohaib also has expertise in networking and helps customers architect cloud networks to migrate and modernize their IT infrastructure in a secure, reliable, and performant way.

Brian Lauer

Brian is an Enterprise Account Engineer at AWS, where he works with customers to accelerate their cloud journey and build secure, resilient systems. With nearly three years at AWS and extensive industry experience, he helps organizations across sectors transform operations through effective cloud adoption and optimization, bringing valuable networking expertise from designing robust architectures that serve as the foundation for scalable environments. His enthusiasm for technology and commitment to continuous learning keeps him at the forefront of cloud innovation.