For years, bioinformatics teams running workflows on AWS HealthOmics faced a structural constraint: their pipelines operated in an isolated compute environment, cut off from the public internet, private repositories, and external databases. That limitation is now lifted. AWS HealthOmics has introduced VPC connected workflows, a capability that routes workflow traffic through a customer-controlled Amazon Virtual Private Cloud, enabling direct connectivity to public data repositories, internal services, and licensed third-party tools during execution.
The change addresses one of the more persistent friction points in production genomics: the gap between where data lives and where computation happens.
Why Network Isolation Created Real Operational Costs
Genomics pipelines rarely operate on static data. Reference databases like ClinVar, dbSNP, and Ensembl are updated on rolling schedules. Variant annotation services pull from continuously revised clinical evidence. When workflows run in a network-isolated environment, every external dependency must be manually pre-staged into cloud storage before execution begins. That is not a one-time effort. It becomes a recurring operational task: transferring files, tracking versions, updating pipelines when a pre-staged database falls out of date, and investigating failures caused by stale inputs.
For clinical diagnostics teams where annotation accuracy carries direct downstream consequences, working against an outdated version of a reference database is not a minor inconvenience. It is a data quality risk. Drug discovery pipelines face comparable issues when integrating licensed annotation tools that require runtime authentication with external license servers - a step that was simply not possible in restricted network mode.
How the New Connectivity Model Works
VPC connected workflows attach an Elastic Network Interface to a private subnet inside the customer's VPC when a run begins. Outbound traffic from workflow tasks is routed through that interface, passing through a NAT gateway in a public subnet to reach external resources. For AWS services, traffic is directed to VPC endpoints, which provide private connectivity without traversing the public internet. Security groups and network access control lists govern which destinations are reachable, and DNS requests are resolved through the configured VPC DNS resolver.
The architecture gives operations teams fine-grained control over network behavior. VPC Flow Logs can capture traffic metadata for auditing and debugging. Customers who previously relied on a HealthOmics service-hosted proxy to validate Sentieon licenses can now connect directly to Sentieon's license servers and inspect those connections independently.
The setup requires a VPC with both public and private subnets, at least one NAT gateway in a public subnet, and a private subnet route table directing outbound traffic through that gateway. Configuration is handled through the AWS Management Console or API and, according to AWS, most teams complete the initial setup in under an hour. The change is a network configuration, not a code change - existing workflow definitions do not need to be rewritten.
What Becomes Possible That Was Not Before
The practical scope of what VPC connected workflows unlock is broad. Pipelines can now pull directly from NCBI and Ensembl at runtime, eliminating the need to mirror public datasets into private storage. They can authenticate against AWS Secrets Manager to retrieve credentials without embedding tokens in workflow code - a meaningful security improvement for teams handling protected health information or proprietary data. They can query internal resources such as Amazon RDS databases and DynamoDB tables, connecting genomic computation to operational data that previously had to be exported and staged separately.
Cross-region S3 access is also now possible without deploying HealthOmics infrastructure in additional regions. Workflows can transfer data from FTP and SFTP endpoints mid-run, which matters for teams that receive genomic data from sequencing centers or clinical partners through standard file transfer protocols. S3 Tables support opens a path for loading variant data directly into analytics-ready formats, removing an intermediate write step that added latency and complexity.
- Direct access to public repositories including NCBI, Ensembl, and licensed annotation services during workflow execution
- Runtime credential retrieval via AWS Secrets Manager, replacing hardcoded tokens in pipeline code
- Connectivity to private VPC resources such as internal databases and operational services
- Support for FTP and SFTP data transfers within workflow tasks
- Cross-region S3 access without additional regional deployments
- Independent license server connectivity with auditable VPC Flow Log records
The Broader Shift in Cloud-Native Bioinformatics
The introduction of VPC connected workflows reflects a broader maturation in how cloud platforms approach scientific computing. Early managed bioinformatics services prioritized security and simplicity by enforcing strict isolation. That was a reasonable starting point, but production genomics workflows have grown more complex. They integrate licensed software, real-time databases, institutional data systems, and regulated credential management. An architecture that treats the network boundary as fixed becomes a constraint as pipelines mature.
Giving teams control over network topology - rather than imposing a single model - aligns managed bioinformatics services more closely with how enterprise infrastructure teams already operate. The tradeoff is that customers now own more of the configuration surface: subnet design, NAT gateway availability, security group rules, and routing tables all become relevant to workflow reliability. For production environments, AWS recommends one NAT gateway per availability zone to avoid single points of failure. That guidance reflects the same operational discipline expected in any networked production system, applied now to genomics pipelines that may inform clinical decisions.
