AWS

VPC and PrivateLink for PHI workloads — the network architecture auditors love

Public subnets, NAT gateways, and "we restrict by security group" don't survive a HIPAA review. Here's the pattern that does.