Overview on Claude Code Wikihttp://www.markalston.net/claude-code-wiki/enterprise-rollout/00-overview/Recent content in Overview on Claude Code WikiHugoen-usExecutive Summaryhttp://www.markalston.net/claude-code-wiki/enterprise-rollout/00-overview/executive-summary/Mon, 01 Jan 0001 00:00:00 +0000http://www.markalston.net/claude-code-wiki/enterprise-rollout/00-overview/executive-summary/<h1 id="executive-summary">Executive Summary<a class="anchor" href="#executive-summary">#</a></h1> <h2 id="the-engagement">The Engagement<a class="anchor" href="#the-engagement">#</a></h2> <p>A 500-developer engineering organization with strict security requirements needs to adopt Claude Code as an enterprise-wide AI-assisted development tool. Their core constraint: <strong>no code can leave their network.</strong></p> <p>This document describes a 12-week implementation across three workstreams:</p> <ol> <li><strong>Infrastructure (30% effort):</strong> Cloud LLM service (AWS Bedrock / GCP Vertex AI / Azure Foundry) + private networking + LLM Gateway</li> <li><strong>Platform Engineering (40% effort):</strong> Managed configurations, CLAUDE.md architecture, skills library, developer environments</li> <li><strong>Change Management (30% effort):</strong> Phased rollout, champion program, productivity measurement</li> </ol> <h2 id="the-architecture-in-one-paragraph">The Architecture in One Paragraph<a class="anchor" href="#the-architecture-in-one-paragraph">#</a></h2> <p>Developer workstations connect through the corporate network to an internal LLM gateway (LiteLLM or Kong AI Gateway), which routes requests through a VPC endpoint via AWS PrivateLink to Amazon Bedrock. Bedrock hosts the Claude models within AWS&rsquo;s data boundary. No traffic touches the public internet. No code is retained or used for training. The LLM gateway provides per-user token budgets, centralized authentication, and audit logging. Managed settings enforce organization-wide security policies that individual developers cannot override.</p>Architecture Overviewhttp://www.markalston.net/claude-code-wiki/enterprise-rollout/00-overview/architecture-overview/Mon, 01 Jan 0001 00:00:00 +0000http://www.markalston.net/claude-code-wiki/enterprise-rollout/00-overview/architecture-overview/<h1 id="architecture-overview">Architecture Overview<a class="anchor" href="#architecture-overview">#</a></h1> <h2 id="end-to-end-request-flow">End-to-End Request Flow<a class="anchor" href="#end-to-end-request-flow">#</a></h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">┌─────────────────────────────────────────────────────────────────────┐ </span></span><span class="line"><span class="cl">│ CORPORATE NETWORK │ </span></span><span class="line"><span class="cl">│ │ </span></span><span class="line"><span class="cl">│ ┌───────────────┐ ┌───────────────┐ ┌───────────────┐ │ </span></span><span class="line"><span class="cl">│ │ Developer <span class="m">1</span> │ │ Developer <span class="m">2</span> │ │ Developer N │ │ </span></span><span class="line"><span class="cl">│ │ claude CLI │ │ claude CLI │ │ claude CLI │ │ </span></span><span class="line"><span class="cl">│ │ │ │ │ │ │ │ </span></span><span class="line"><span class="cl">│ │ managed- │ │ managed- │ │ managed- │ │ </span></span><span class="line"><span class="cl">│ │ settings.json│ │ settings.json│ │ settings.json│ │ </span></span><span class="line"><span class="cl">│ └──────┬────────┘ └──────┬────────┘ └──────┬────────┘ │ </span></span><span class="line"><span class="cl">│ │ │ │ │ </span></span><span class="line"><span class="cl">│ └──────────────────┼──────────────────┘ │ </span></span><span class="line"><span class="cl">│ │ │ </span></span><span class="line"><span class="cl">│ ▼ │ </span></span><span class="line"><span class="cl">│ ┌──────────────────────────┐ │ </span></span><span class="line"><span class="cl">│ │ LLM GATEWAY │ │ </span></span><span class="line"><span class="cl">│ │ <span class="o">(</span>LiteLLM / Kong AI<span class="o">)</span> │ │ </span></span><span class="line"><span class="cl">│ │ │ │ </span></span><span class="line"><span class="cl">│ │ • SSO authentication │ │ </span></span><span class="line"><span class="cl">│ │ • Per-user/team budgets │ │ </span></span><span class="line"><span class="cl">│ │ • Rate limiting │ │ </span></span><span class="line"><span class="cl">│ │ • Request logging │ │ </span></span><span class="line"><span class="cl">│ │ • Model routing │ │ </span></span><span class="line"><span class="cl">│ │ • Holds AWS credentials │ │ </span></span><span class="line"><span class="cl">│ └───────────┬──────────────┘ │ </span></span><span class="line"><span class="cl">│ │ │ </span></span><span class="line"><span class="cl">└──────────────────────────┼──────────────────────────────────────────┘ </span></span><span class="line"><span class="cl"> │ <span class="o">(</span>Direct Connect / Site-to-Site VPN<span class="o">)</span> </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl">┌──────────────────────────┼──────────────────────────────────────────┐ </span></span><span class="line"><span class="cl">│ AWS ACCOUNT <span class="o">(</span>Dedicated<span class="o">)</span> │ </span></span><span class="line"><span class="cl">│ │ │ </span></span><span class="line"><span class="cl">│ ┌───────────┴─────────────┐ │ </span></span><span class="line"><span class="cl">│ │ VPC ENDPOINT │ │ </span></span><span class="line"><span class="cl">│ │ <span class="o">(</span>PrivateLink<span class="o">)</span> │ │ </span></span><span class="line"><span class="cl">│ │ │ │ </span></span><span class="line"><span class="cl">│ │ com.amazonaws.<span class="o">{</span>region<span class="o">}</span> │ │ </span></span><span class="line"><span class="cl">│ │ .bedrock-runtime │ │ </span></span><span class="line"><span class="cl">│ │ │ │ </span></span><span class="line"><span class="cl">│ │ Policy: InvokeModel, │ │ </span></span><span class="line"><span class="cl">│ │ InvokeModelWith │ │ </span></span><span class="line"><span class="cl">│ │ ResponseStream ONLY │ │ </span></span><span class="line"><span class="cl">│ └───────────┬─────────────┘ │ </span></span><span class="line"><span class="cl">│ │ │ </span></span><span class="line"><span class="cl">│ ┌───────────┴─────────────┐ │ </span></span><span class="line"><span class="cl">│ │ AMAZON BEDROCK │ │ </span></span><span class="line"><span class="cl">│ │ │ │ </span></span><span class="line"><span class="cl">│ │ Claude Sonnet/Opus │ │ </span></span><span class="line"><span class="cl">│ │ <span class="o">(</span>primary model<span class="o">)</span> │ │ </span></span><span class="line"><span class="cl">│ │ │ │ </span></span><span class="line"><span class="cl">│ │ Claude Haiku │ │ </span></span><span class="line"><span class="cl">│ │ <span class="o">(</span>fast model<span class="o">)</span> │ │ </span></span><span class="line"><span class="cl">│ │ │ │ </span></span><span class="line"><span class="cl">│ │ • No data retention │ │ </span></span><span class="line"><span class="cl">│ │ • No training use │ │ </span></span><span class="line"><span class="cl">│ │ • CloudTrail audit │ │ </span></span><span class="line"><span class="cl">│ └─────────────────────────┘ │ </span></span><span class="line"><span class="cl">│ │ </span></span><span class="line"><span class="cl">│ ┌─────────────────────────────────────────────────────────────┐ │ </span></span><span class="line"><span class="cl">│ │ OBSERVABILITY │ │ </span></span><span class="line"><span class="cl">│ │ • CloudTrail → every InvokeModel call with IAM principal │ │ </span></span><span class="line"><span class="cl">│ │ • CloudWatch → token usage, latency, error rates │ │ </span></span><span class="line"><span class="cl">│ │ • Cost Explorer → per-account Bedrock spending │ │ </span></span><span class="line"><span class="cl">│ └─────────────────────────────────────────────────────────────┘ │ </span></span><span class="line"><span class="cl">│ │ </span></span><span class="line"><span class="cl">└─────────────────────────────────────────────────────────────────────┘</span></span></code></pre></div><p><strong>Note:</strong> This diagram shows AWS Bedrock deployment. Equivalent architectures for GCP Vertex AI (VPC Service Controls, Private Service Connect, Cloud Logging) and Azure Foundry (Private Endpoints, VNet integration, Azure Monitor) are documented in the Phase 0 infrastructure guides.</p>