NetBox Private Copilot
NetBox Private Copilot is an AI-powered assistant built into NetBox Enterprise. It can answer questions about your network, help build queries, and interact with your NetBox data using natural language — powered by Anthropic Claude, accessed either directly through the Anthropic API or via Amazon Bedrock.
Private Copilot is available to customers with an active Private Copilot license entitlement. Contact your NetBox Labs account representative to enable it.
Network Requirements
The Private Copilot backend service makes outbound HTTPS connections from your NBE cluster to external endpoints. Ensure your firewall or egress policy allows the following before enabling Private Copilot.
LLM Provider Endpoints
These endpoints are required for Private Copilot to process requests. Only the endpoint for your configured provider needs to be allowed.
| Provider | Hostname | Port | Protocol |
|---|---|---|---|
| Anthropic | api.anthropic.com | 443 | HTTPS |
| Amazon Bedrock | bedrock-runtime.<region>.amazonaws.com | 443 | HTTPS |
For Amazon Bedrock, replace <region> with your AWS region (default: us-east-2). For example: bedrock-runtime.us-east-2.amazonaws.com.
NetBox Enterprise includes a preflight check that tests connectivity to the configured LLM endpoint. A warning is shown if the endpoint is unreachable, but installation is not blocked. Resolve any firewall issues before enabling Private Copilot.
Documentation Search Endpoint
Private Copilot uses Algolia to search the NetBox Labs documentation when answering questions. This endpoint must be reachable for the documentation search tool to function.
| Hostname | Port | Protocol |
|---|---|---|
| xcf0tw7mcd-dsn.algolia.net | 443 | HTTPS |
If this endpoint is blocked, Private Copilot will continue to function but will not be able to search the NetBox documentation when answering questions.
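To confirm the egress policy before enabling Private Copilot, the following script (an added example, not NetBox Labs code) derives the host:port pairs from the tables above for a given provider and region and probes each one twice: from the node's shell and from a throwaway pod, because a Kubernetes NetworkPolicy or egress proxy can block pods while the node itself reaches the Internet. It assumes curl and kubectl are available and uses the namespace name netbox-enterprise as a placeholder for the namespace your NBE workloads run in.

```shell
#!/bin/sh
# Added example, not NetBox Labs code. Derives the egress hosts Private Copilot
# needs and probes them the way the pod sees them.
# Assumptions: curl on the node, kubectl pointed at the NBE cluster, and the
# namespace "netbox-enterprise" (placeholder: use the namespace NBE runs in).

# LLM endpoint for a provider ("anthropic" or "bedrock") and AWS region.
copilot_llm_host() {
  case "$1" in
    anthropic) echo "api.anthropic.com" ;;
    bedrock)   echo "bedrock-runtime.${2:-us-east-2}.amazonaws.com" ;;  # page default region
    *) echo "unknown provider: $1" >&2; return 1 ;;
  esac
}

# Documentation search endpoint; optional, Copilot keeps working without it.
copilot_docs_host() { echo "xcf0tw7mcd-dsn.algolia.net"; }

# host:port lines to allow for the given provider/region.
copilot_egress_list() {
  llm=$(copilot_llm_host "$1" "$2") || return 1
  printf '%s:443\n%s:443\n' "$llm" "$(copilot_docs_host)"
}

# TLS probe from this shell. Any HTTP status (401/404 included) proves the path
# is open; a connect or TLS failure means egress is blocked or intercepted.
copilot_probe_local() {
  if curl -sS --connect-timeout 5 -o /dev/null "https://$1/"; then
    echo "OK      $1"
  else
    echo "BLOCKED $1" >&2; return 1
  fi
}

# Same probe from a throwaway pod, so NetworkPolicy and egress proxies that
# apply to pods (but not to the node) are exercised too.
copilot_probe_from_pod() {
  kubectl -n "${2:-netbox-enterprise}" run copilot-egress-probe --rm -i --restart=Never \
    --image=curlimages/curl:latest -- \
    curl -sS --connect-timeout 5 -o /dev/null -w '%{http_code}\n' "https://$1/"
}

# Usage: PROBE=1 sh egress-check.sh bedrock us-east-2
if [ "${PROBE:-0}" = "1" ]; then
  copilot_egress_list "${1:-anthropic}" "$2" | while IFS=: read -r host port; do
    copilot_probe_local "$host" && copilot_probe_from_pod "$host"
  done
fi
```

Run it with PROBE=1 from a node that has the cluster kubeconfig. A BLOCKED line from the pod probe but OK from the node points at a pod-level policy or proxy rather than the perimeter firewall, which is where the preflight warning alone would not tell you to look.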
Enabling Private Copilot on Embedded Cluster
Private Copilot is disabled by default. To enable it:
- Open the KOTS Admin Console at https://<your-host>:30000
- Navigate to Config
- Under the Private Copilot section, check Enable Private Copilot
- Select your LLM Provider (Anthropic or Amazon Bedrock)
- Configure the provider-specific settings (see below)
- Click Save config and then Deploy
LLM Provider Configuration
Private Copilot supports Anthropic Claude models only. Choose your access method: directly via the Anthropic API, or through Amazon Bedrock. Other model providers (OpenAI, etc.) are not supported.
Anthropic
| Setting | Description |
|---|---|
| LLM Provider | Anthropic |
| LLM Model | Model identifier, e.g. anthropic/claude-sonnet-4-6 |
| LLM API Key | Your Anthropic API key from console.anthropic.com |
Amazon Bedrock
| Setting | Description |
|---|---|
| LLM Provider | Amazon Bedrock |
| LLM Model | Bedrock inference profile ID prefixed with bedrock/, e.g. bedrock/us.anthropic.claude-sonnet-4-6 |
| LLM API Key | Leave blank — Bedrock uses IAM credentials, not an API key |
| AWS Access Key ID | Optional. AWS access key for explicit credential configuration (see below) |
| AWS Secret Access Key | Optional. AWS secret key for explicit credential configuration (see below) |
Bedrock model ID format
The LLM Model field must use a Bedrock inference profile ID, not an on-demand model ID. Newer Claude models require inference profiles; using a bare on-demand model ID (e.g. anthropic.claude-sonnet-4-20250514-v1:0) returns:
```text
Invocation of model ID ... with on-demand throughput isn't supported.
```
Inference profile IDs use the format <scope>.<provider>.<model>, where scope is us (routes across the US regions) or global (routes across supported regions worldwide). Prefix with bedrock/ when entering it in the Admin Console:
```text
bedrock/us.anthropic.claude-sonnet-4-6
```
To list available inference profiles in your target region:
```shell
aws bedrock list-inference-profiles \
  --region us-east-2 \
  --query "inferenceProfileSummaries[?contains(inferenceProfileId, 'claude')].[inferenceProfileId,inferenceProfileName]" \
  --output table
```
Run this in the specific region you're deploying to — Bedrock model availability varies by region. Use the inferenceProfileId value from the output, prefixed with bedrock/.
Bedrock credentials and IAM
Private Copilot supports two methods for AWS credential resolution:
- Explicit credentials — enter your AWS Access Key ID and AWS Secret Access Key directly in the Admin Console. Use this for the Embedded Cluster appliance or any environment where IRSA and EC2 instance profiles are not available. Static credentials work on any cluster (DigitalOcean, bare metal, EKS, etc.). Both fields must be filled in; if either is blank, no credentials secret is created.
- Ambient credentials (IRSA / instance profile) — leave both fields blank. The Private Copilot pod resolves credentials from the environment automatically. Use this for EKS clusters with IRSA configured.
The IAM user or role needs permission to call bedrock:InvokeModel (or bedrock:InvokeModelWithResponseStream) on the inference profile ARN and on the foundation-model ARN the profile routes to. Because us.* and global.* profiles are cross-region, the foundation model must be allowed in every region the profile can use; a wildcard region, as below, is the simplest way. Example policy, with <account-id> replaced by your AWS account ID:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
      "Resource": [
        "arn:aws:bedrock:us-east-2:<account-id>:inference-profile/us.anthropic.claude-sonnet-4-6",
        "arn:aws:bedrock:*::foundation-model/anthropic.claude-sonnet-4-6*"
      ]
    }
  ]
}
```
AWS_DEFAULT_REGION defaults to us-east-2. If your Bedrock models are in a different region, set it via Advanced → Extra Environment Variables in the Admin Console.
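The following script is an added example (not NetBox Labs code) that ties the model ID and IAM points above together: it checks that the ID you are about to enter is an inference profile ID rather than an on-demand model ID and prints it with the bedrock/ prefix, generates a least-privilege IAM policy for that one profile, and makes a single Converse call through the profile with the same credentials you plan to put in the Admin Console, so a missing permission or wrong ID shows up here rather than as a failing pod after deploy. It assumes AWS CLI v2 (for aws bedrock-runtime converse) with credentials exported in the environment; the account ID and region in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not NetBox Labs code. Validates a Bedrock inference profile ID,
# emits the matching least-privilege IAM policy, and smoke-tests the profile.
# Assumptions: AWS CLI v2, credentials in the environment (AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY or an AWS profile). Account ID and region are placeholders.

# Print the Admin Console value "bedrock/<scope>.<provider>.<model>".
# Accepts the ID with or without a bedrock/ prefix; rejects on-demand model IDs
# (no scope prefix), which Bedrock refuses for newer Claude models.
copilot_bedrock_model_value() {
  id="${1#bedrock/}"
  case "$id" in
    us.anthropic.*|global.anthropic.*) echo "bedrock/${id}" ;;
    anthropic.*)
      echo "error: '$id' is an on-demand model ID; use an inference profile ID (us.* or global.*)" >&2
      return 1 ;;
    *)
      echo "error: '$id' is not an Anthropic inference profile ID" >&2
      return 1 ;;
  esac
}

# Policy for one profile: Bedrock authorizes the inference profile ARN and the
# underlying foundation-model ARN in each region the profile routes to, hence
# the wildcard region on the model ARN (us.* and global.* are cross-region).
copilot_bedrock_policy() {
  id="${1#bedrock/}"; region="$2"; account="$3"
  model="${id#*.}"   # strip the scope: us.anthropic.X -> anthropic.X
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
      "Resource": [
        "arn:aws:bedrock:${region}:${account}:inference-profile/${id}",
        "arn:aws:bedrock:*::foundation-model/${model}*"
      ]
    }
  ]
}
EOF
}

# One tiny Converse call through the profile. A permission or model-ID problem
# surfaces here as AccessDeniedException / ValidationException instead of in
# the Private Copilot pod after deploy.
copilot_bedrock_smoke_test() {
  id="${1#bedrock/}"; region="${2:-us-east-2}"
  aws bedrock-runtime converse \
    --region "$region" \
    --model-id "$id" \
    --messages '[{"role":"user","content":[{"text":"Reply with the single word OK."}]}]' \
    --inference-config '{"maxTokens":8}' \
    --query 'output.message.content[0].text' --output text
}

# Usage (123456789012 and us-east-2 are placeholders):
#   copilot_bedrock_model_value us.anthropic.claude-sonnet-4-6
#   copilot_bedrock_policy us.anthropic.claude-sonnet-4-6 us-east-2 123456789012 > copilot-bedrock-policy.json
#   copilot_bedrock_smoke_test us.anthropic.claude-sonnet-4-6 us-east-2
```

Attach the generated policy to the IAM user whose keys go into the Admin Console (or to the IRSA role), then run the smoke test with exactly those credentials exported; if it returns text, the pod will be able to invoke the same profile.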
Private Copilot Database
Private Copilot stores its session and configuration data in a PostgreSQL database. When the built-in PostgreSQL is enabled, Private Copilot uses it automatically. When you have configured an external PostgreSQL server, configure a database for Private Copilot under the Private Copilot Database Configuration section of the KOTS config.
| Setting | Description |
|---|---|
| Private Copilot Database Name | Name of the database to use (default: copilot) |
| Private Copilot Database Username | Database user (default: copilot) |
| Private Copilot Database Password | Password for the database user |
| Use Same PostgreSQL Server as NetBox | Reuse the host, port, and SSL settings already configured for NetBox. The Private Copilot database name and credentials are still separate. |
| Private Copilot Database Host | PostgreSQL hostname or IP (only when not reusing NetBox) |
| Private Copilot Database Port | PostgreSQL port (default: 5432) |
| Private Copilot Database SSL Mode | disable, allow, prefer, require (default), verify-ca, or verify-full |
| Private Copilot Database PostgreSQL CA Certificate File | Custom CA certificate. Required for verify-ca and verify-full when the server uses a self-signed or internal CA. |
The database user needs sufficient privileges to create and manage its own schema. Run the following in psql as a superuser (or as the owner of the target database); the first two statements create the role and database and can be skipped if they already exist:
```sql
CREATE ROLE copilot WITH LOGIN PASSWORD '<password>';
CREATE DATABASE copilot OWNER copilot;
\c copilot
ALTER DATABASE copilot OWNER TO copilot;
GRANT ALL PRIVILEGES ON DATABASE copilot TO copilot;
GRANT ALL ON SCHEMA public TO copilot;  -- PostgreSQL 15+ no longer grants CREATE on public to every role
```
Replace copilot and <password> with the database name, username and password you configured if they differ from the defaults.
The operator validates the Private Copilot database configuration at reconcile time. If the database host is unreachable or the credentials are rejected, the operator status reports an actionable error and retries on the next reconcile.
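Rather than waiting for the operator's reconcile to report a problem, you can check the external database yourself with the following script, an added example that is not NetBox Labs code. It builds the libpq connection string from the same values as the Admin Console settings (rejecting an SSL mode outside the six the console accepts, and insisting on a CA file for verify-ca and verify-full), then connects as the copilot role and reports whether it has CREATE on the database and on the public schema and whether the session is actually using TLS. It assumes psql is installed, the password is passed in PGPASSWORD, and the hostname and CA path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not NetBox Labs code. Reproduces the Admin Console database
# settings as a libpq conninfo string and verifies reachability, TLS and the
# privileges the Private Copilot migrations need.
# Assumptions: psql installed; password in PGPASSWORD; host and CA path are placeholders.

# Build a conninfo string. Only the six sslmode values the Admin Console accepts
# are allowed; verify-ca / verify-full require the CA file that the
# "PostgreSQL CA Certificate File" setting would carry.
copilot_db_conninfo() {
  host="$1"; port="${2:-5432}"; db="${3:-copilot}"; user="${4:-copilot}"
  sslmode="${5:-require}"; ca="${6:-}"
  case "$sslmode" in
    disable|allow|prefer|require) ;;
    verify-ca|verify-full)
      if [ -z "$ca" ]; then
        echo "error: sslmode=$sslmode needs a CA certificate file" >&2; return 1
      fi ;;
    *) echo "error: invalid sslmode '$sslmode'" >&2; return 1 ;;
  esac
  out="host=${host} port=${port} dbname=${db} user=${user} sslmode=${sslmode}"
  if [ -n "$ca" ]; then out="${out} sslrootcert=${ca}"; fi
  echo "$out"
}

# Connect as the copilot role and report, as one unaligned row:
#   database | user | CREATE on database | CREATE on public schema | TLS in use
# An "f" in either privilege column means the GRANTs on this page are missing.
copilot_db_check() {
  conninfo=$(copilot_db_conninfo "$@") || return 1
  psql "$conninfo" -X -v ON_ERROR_STOP=1 -At -c \
    "SELECT current_database(), current_user,
            has_database_privilege(current_user, current_database(), 'CREATE'),
            has_schema_privilege(current_user, 'public', 'CREATE'),
            (SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid());"
}

# Usage (placeholders): same arguments as the Admin Console fields, in order
# host, port, database, user, sslmode, CA file.
#   PGPASSWORD='...' copilot_db_check pg.example.internal 5432 copilot copilot verify-full /etc/ssl/certs/internal-ca.pem
```

With verify-full, a CA or hostname mismatch fails at connect time with a clear libpq error, which is the same failure the operator would later surface at reconcile; fixing it here keeps the reconcile loop clean.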
Disabling Private Copilot on Embedded Cluster
To disable Private Copilot in Embedded Cluster, uncheck Enable Private Copilot in the KOTS Admin Console and deploy. The Private Copilot backend pod and associated resources are removed on the next operator reconcile.
If your Private Copilot license entitlement is revoked, Private Copilot will be disabled automatically after the next license sync. Trigger an immediate sync via License → Sync license in the Admin Console followed by a redeploy.