15.2 Cloud Provider Setup
Course: Claude Code - Enterprise Development
Section: 15 - Enterprise Deployment
Video Length: 3-4 minutes
Presenter: Daniel Treasure
Opening Hook
"Claude Code runs on cloud infrastructure. Today, we're connecting it to the big three—AWS Bedrock, Google Vertex AI, and Azure Foundry. We'll walk through why you pick each one, how to configure credentials, and how to lock down network access."
Key Talking Points
1. Three Cloud Providers: When to Pick Which
What to say:
- "Bedrock is AWS's managed Claude service. If you're all-in on AWS, if you need VPC isolation, or if you're running in AWS regions already—Bedrock is your path."
- "Vertex AI is Google's play. It integrates with BigQuery, Dataflow, your Google Cloud data lake. Pick Vertex if you're living in GCP."
- "Azure Foundry is Microsoft's gateway. Use it if you're a Microsoft shop—deep integration with Entra ID, Azure storage, Copilot enterprise."
- "The choice isn't about which is better; it's which fits your infrastructure."
What to show on screen:
- Comparison table: Bedrock (AWS), Vertex AI (GCP), Foundry (Azure)
- Columns: auth method, network isolation, regional availability, compliance certifications
- Visual: your company logo + cloud provider = happy path
2. Centralized Authentication & Credentials
What to say:
- "All three providers use service accounts or assumed roles. Claude Code doesn't store credentials—it uses temporary tokens generated on-demand."
- "With Bedrock, you assume an IAM role. With Vertex, a service account. With Foundry, Azure Managed Identity. Each org controls who can generate those tokens."
- "This means: an engineer leaves, their access revokes immediately. No rekeying across 1000 machines."
What to show on screen:
- Env var examples for each:
  - CLAUDE_CODE_USE_BEDROCK=1 + AWS credentials flow
  - CLAUDE_CODE_USE_VERTEX=1 + gcloud auth
  - CLAUDE_CODE_USE_FOUNDRY=1 + Azure CLI or Managed Identity
- Diagram: User → Cloud Auth → Temporary Token → Claude Code Agent
3. Network Isolation & Security
What to say:
- "One of the biggest wins of cloud providers is network isolation. Your Claude Code agents run in your VPC, on your network. No data leaving your perimeter."
- "Region selection matters for compliance. GDPR? Your data stays in EU-WEST. HIPAA? US regions with encryption."
- "You can put the agents behind a corporate proxy, route all traffic through your firewall, inspect and log every API call."
What to show on screen:
- VPC diagram: Claude Code Agent inside VPC → can reach internal databases, repos, services
- Arrows out to cloud provider API within same region/account boundary
- Security icon: checkmark for "no egress to internet" if configured correctly
4. Model Configuration per Provider
What to say:
- "Each cloud provider has available models. Bedrock has Sonnet, Opus, Haiku. Vertex has the same. Foundry mirrors the lineup."
- "But you can pin which version. You want Sonnet 4.1 on prod, Haiku on dev? Set environment variables and every agent respects that."
- "Upgrade paths are controlled. Your org decides when to roll new models, not the market."
What to show on screen:
- Env vars:
ANTHROPIC_DEFAULT_OPUS_MODEL=claude-opus-4-6
ANTHROPIC_DEFAULT_SONNET_MODEL=claude-sonnet-4-1
ANTHROPIC_DEFAULT_HAIKU_MODEL=claude-haiku-4-5
- Show how to override per-team or per-project in managed config
5. Compliance, Encryption & Audit Logs
What to say:
- "All three providers offer SOC 2, ISO 27001, HIPAA, PCI-DSS. But they're not automatic—you need to enable and configure."
- "Encryption: data in transit is TLS. Data at rest? Each provider handles it differently. Bedrock stores in AWS KMS, Vertex in GCP, Foundry in Azure Key Vault."
- "Audit logs—every model call, every auth attempt, every region failover—is logged to CloudTrail (AWS), Cloud Logging (GCP), or Monitor (Azure)."
What to show on screen:
- Screenshot or diagram of audit log entries in each provider
- One example entry per provider showing timestamp, user, action, model, region
- Security checklist: encryption enabled, audit logging enabled, VPC isolation enabled
Demo Plan
Setup (30 seconds)
- Open terminal
- Check current environment:
echo $AWS_ACCOUNT_ID
or
gcloud config get-value project
- Say: "We're in Account [ID] / Project [name]. This is where our agents will run."
Step 1: Bedrock Setup (60 seconds)
- Show AWS console → Bedrock service
- Navigate to Model Access tab
- Highlight: "These models are available in our account. Team leads submitted access requests, and they're all green."
- Go back to terminal, show:
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-west-2
export ANTHROPIC_DEFAULT_SONNET_MODEL=claude-sonnet-4-1
- Run, to confirm Bedrock is active:
claude --version
Step 2: Vertex AI Setup (60 seconds)
- Switch to GCP console → Vertex AI section
- Show: "Model Garden" with available models
- Show: "Credentials" tab with service account setup
- Terminal:
export CLAUDE_CODE_USE_VERTEX=1
export GOOGLE_CLOUD_PROJECT=my-org-project
gcloud auth application-default login
- Run:
claude --version
Step 3: VPC & Network Configuration (60 seconds)
- Show VPC diagram in console (AWS or GCP)
- Highlight: security groups / firewall rules limiting egress
- Show proxy configuration:
export HTTP_PROXY=http://corporate-proxy:3128
export HTTPS_PROXY=http://corporate-proxy:3128
export NO_PROXY=localhost,127.0.0.1,internal.company.com
- Explain: "All Claude Code traffic routes through corporate proxy. Compliance team sees everything."
Step 4: Region & Compliance (30 seconds)
- Show region selector in cloud console
- Point out: "EU_WEST for GDPR data, US_EAST for standard, AP_SOUTHEAST for APAC."
- Show env var:
export AWS_REGION=eu-west-1 # GDPR-compliant
Wrap-up (30 seconds)
- Recap: "Three paths to the cloud, same security controls, your infrastructure."
- Preview: "Next video—network and security hardening. How to make your Claude Code agents bulletproof."
Code Examples & Commands
AWS Bedrock activation
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-west-2
export AWS_PROFILE=my-org-profile
# Optional: pin model versions
export ANTHROPIC_DEFAULT_OPUS_MODEL=claude-opus-4-6
export ANTHROPIC_DEFAULT_SONNET_MODEL=claude-sonnet-4-1
claude --version
Google Vertex AI activation
export CLAUDE_CODE_USE_VERTEX=1
export GOOGLE_CLOUD_PROJECT=my-org-project
# Authenticate
gcloud auth application-default login
# Optional: set region
export GOOGLE_CLOUD_REGION=us-central1
claude --version
Azure Foundry activation
export CLAUDE_CODE_USE_FOUNDRY=1
export ANTHROPIC_FOUNDRY_BASE_URL=https://my-foundry-instance.azure.com
export ANTHROPIC_FOUNDRY_API_KEY="${AZURE_FOUNDRY_KEY}"
# Optional: use Managed Identity instead of API key
export AZURE_TENANT_ID=...
export AZURE_CLIENT_ID=...
claude --version
Corporate proxy + cloud provider
export HTTP_PROXY=http://proxy.internal:3128
export HTTPS_PROXY=http://proxy.internal:3128
export NO_PROXY=localhost,127.0.0.1,internal-vpc.company.com
# All Claude Code traffic routes through proxy
export CLAUDE_CODE_USE_BEDROCK=1
claude session start
Verify auth and model availability
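# Bedrock: confirm which identity the CLI resolves to (works for assumed roles as well as IAM users)
aws sts get-caller-identity
# Bedrock: list the foundation models offered in the region
aws bedrock list-foundation-models --region us-west-2
# Vertex AI: check which account is active
gcloud auth list
# Vertex AI: confirm the API is reachable in the region (lists models registered in the project)
gcloud ai models list --region=us-central1
# Foundry: check connection
curl -H "Authorization: Bearer ${ANTHROPIC_FOUNDRY_API_KEY}" \
  "${ANTHROPIC_FOUNDRY_BASE_URL}/models"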
Gotchas & Tips
Gotcha: "Credentials leak into logs"
- Never print AWS_PROFILE, API keys, or tokens in terminal output.
- Use set +x before credential-related commands, set -x after.
- Or: use cloud provider's credential chain (IAM roles, Managed Identity) instead of explicit keys.
Tip: "Test region and VPC before going to prod"
- Spin up a test agent, verify it can reach internal services.
- Some VPCs block certain model calls. Test early.
Gotcha: "Model availability varies by region"
- Bedrock's us-west-2 might have Opus, but not eu-west-1 yet.
- Check the provider's region-model matrix before setting up.
Tip: "Use service accounts, not personal credentials"
- Create org-wide service accounts for Claude Code, rotate them quarterly.
- Link them to your ITSM workflow for audit trail.
Gotcha: "Proxy inspection breaks TLS"
- If your proxy does SSL inspection, cloud provider certs might not validate.
- Solution: install internal CA cert on Claude Code machines (NODE_EXTRA_CA_CERTS).
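A preflight check covering the credential and proxy gotchas above, as an added example rather than part of the course material or Claude Code itself. The function names are hypothetical, and the long-lived-key check assumes the standard AWS SDK variables AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, which this page does not list.

```bash
#!/usr/bin/env bash
# Added example: preflight check for the env vars used on this page.
# Findings are printed without ever echoing a secret value.

redact() {  # report whether a value is set, never the value itself
  if [ -n "$1" ]; then printf '<set, %s chars>' "${#1}"; else printf '<unset>'; fi
}

preflight() {  # prints one FAIL line per finding; returns 1 if any
  local problems=0 n=0 v
  fail() { printf 'FAIL: %s\n' "$1"; problems=$((problems + 1)); }

  # Exactly one provider switch should be on.
  for v in "${CLAUDE_CODE_USE_BEDROCK:-}" "${CLAUDE_CODE_USE_VERTEX:-}" \
           "${CLAUDE_CODE_USE_FOUNDRY:-}"; do
    if [ "$v" = 1 ]; then n=$((n + 1)); fi
  done
  [ "$n" -eq 1 ] || fail "expected one CLAUDE_CODE_USE_* flag set to 1, found $n"

  if [ "${CLAUDE_CODE_USE_BEDROCK:-}" = 1 ]; then
    [ -n "${AWS_REGION:-}" ] || fail "AWS_REGION is not set"
    # A secret key without a session token is a long-lived key, not a
    # temporary credential from an assumed role (assumed AWS SDK vars).
    if [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] && [ -z "${AWS_SESSION_TOKEN:-}" ]; then
      fail "long-lived AWS key in env: $(redact "$AWS_SECRET_ACCESS_KEY")"
    fi
  fi
  if [ "${CLAUDE_CODE_USE_VERTEX:-}" = 1 ]; then
    [ -n "${GOOGLE_CLOUD_PROJECT:-}" ] || fail "GOOGLE_CLOUD_PROJECT is not set"
  fi
  if [ "${CLAUDE_CODE_USE_FOUNDRY:-}" = 1 ]; then
    case "${ANTHROPIC_FOUNDRY_BASE_URL:-}" in
      https://*) ;;
      *) fail "ANTHROPIC_FOUNDRY_BASE_URL must be an https:// URL" ;;
    esac
  fi

  # Proxy URLs with user:password@ end up in logs and process listings.
  case "${HTTPS_PROXY:-}${HTTP_PROXY:-}" in
    *://*:*@*) fail "proxy URL embeds credentials" ;;
  esac
  # With TLS inspection, the internal CA bundle must exist and be PEM.
  if [ -n "${NODE_EXTRA_CA_CERTS:-}" ] &&
     ! grep -q 'BEGIN CERTIFICATE' "$NODE_EXTRA_CA_CERTS" 2>/dev/null; then
    fail "NODE_EXTRA_CA_CERTS does not point to a PEM certificate file"
  fi
  [ "$problems" -eq 0 ]
}
```

Source the file and call preflight before starting an agent; a non-zero return means at least one FAIL line was printed.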
Lead-out
"You're now running Claude Code on enterprise cloud infrastructure. Next stop: locking down the network and hardening against threats. Network proxies, mTLS, certificate pinning—we're going full security mode."
Reference URLs
- AWS Bedrock Setup: https://docs.anthropic.com/claude-code/bedrock-setup
- Google Vertex AI Setup: https://docs.anthropic.com/claude-code/vertex-ai-setup
- Azure Foundry Setup: https://docs.anthropic.com/claude-code/foundry-setup
- Cloud Provider Auth Comparison: https://docs.anthropic.com/claude-code/cloud-auth
- Regional Compliance Guide: https://docs.anthropic.com/claude-code/regional-compliance
Prep Reading
- AWS: Bedrock model availability by region
- Google: Vertex AI service account best practices
- Microsoft: Azure Foundry networking & compliance
- Your org: approved cloud regions, compliance matrix, VPC topology
Notes for Daniel
- Keep the tone practical. Engineers have cloud fatigue. "Here's your one config file, go" beats a 30-minute deep dive.
- Use your actual org's cloud accounts if you can (sanitized). "We use AWS in us-west-2 for latency" is more believable than generic examples.
- Don't dwell on cloud provider differences—there aren't many for Claude Code's purposes. Focus on the setup steps.
- When you get to the proxy section, pause. Network proxies trip up a lot of teams. Make sure people understand: traffic goes proxy → cloud provider, not everywhere.
- The compliance checkbox section might seem dry. But it's what CFOs care about. Quick mention of SOC 2, HIPAA, PCI-DSS, then move on.
- Demo should be brisk—show the console, show the env vars, show claude --version works. Done.