Safe ingress connectivity to Amazon Bedrock AgentCore Gateway utilizing interface VPC endpoints

Agentic AI functions signify a big improvement in enterprise automation, the place clever brokers autonomously execute advanced workflows, entry delicate datasets, and make real-time selections throughout your group’s infrastructure. Amazon Bedrock AgentCore accelerates enterprise AI transformation by offering totally managed companies that take away infrastructure complexity, keep session isolation, and allow seamless integration with enterprise instruments so organizations can deploy reliable AI brokers at scale. AgentCore Gateway, a modular service underneath AgentCore, simplifies integration by securely reworking APIs, AWS Lambda capabilities, and companies into Model Context Protocol (MCP)-compatible instruments and making them obtainable to brokers by way of a unified endpoint, with built-in authentication and serverless infrastructure that minimizes operational overhead.

In manufacturing environments, AI brokers are sometimes deployed inside digital non-public clouds (VPCs) to keep up safe, remoted community entry and to fulfill enterprise safety and compliance necessities. Amazon Web Services (AWS) interface VPC endpoints can improve agentic AI safety by creating non-public connections between VPC-hosted brokers and AgentCore Gateway, holding delicate communications inside the safe infrastructure of AWS. These endpoints use devoted community interfaces with non-public IP addresses to ship diminished latency and superior efficiency by way of direct connectivity. Moreover, VPC interface endpoints provide granular entry management by way of endpoint insurance policies, streamline operations by avoiding proxy server administration, cut back knowledge switch prices, and set up the safe basis that autonomous AI techniques require when processing confidential knowledge in regulated environments at enterprise scale.

On this submit, we show the right way to entry AgentCore Gateway by way of a VPC interface endpoint from an Amazon Elastic Compute Cloud (Amazon EC2) occasion in a VPC. We additionally present the right way to configure your VPC endpoint coverage to supply safe entry to the AgentCore Gateway whereas sustaining the precept of least privilege entry.

Structure overview

This structure diagram illustrates a consumer accessing an utility supported by backend brokers deployed throughout numerous AWS compute companies, together with EC2 cases, Lambda capabilities, Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Container Service (Amazon ECS), all working inside a VPC atmosphere. These brokers talk with AgentCore Gateway to find, entry, and invoke exterior instruments and companies which were reworked into agent-compatible assets, similar to enterprise APIs and Lambda capabilities. In the usual configuration, agent requests to AgentCore Gateway traverse the general public web. By implementing interface VPC endpoints, organizations can route these communications by way of the AWS safe inside community spine as an alternative, delivering important advantages that may embrace enhanced safety, diminished latency, and improved compliance alignment for regulated workloads that require strict community isolation and knowledge safety requirements. The answer follows this workflow:

• AI agent interplay – An agent operating inside the VPC obtains the required inbound authorization from id suppliers, authenticates with Gateway, and sends a tool-use request (invokes the MCP device) to the gateway by way of the interface VPC endpoint.
• Gateway processing: Gateway manages OAuth authorization to ensure solely legitimate customers and brokers can entry instruments and assets. The inbound request is permitted by Gateway. Converts agent requests utilizing protocols like Mannequin Context Protocol (MCP) into API requests and Lambda invocations
• Safe entry: The gateway handles credential injection for every device, enabling brokers to make use of instruments with completely different authentication necessities seamlessly. It makes use of AgentCore Identity to securely entry backend assets (the targets) on behalf of the agent.
• Goal execution: The gateway knowledge aircraft invokes the goal, which could be a Lambda operate, an OpenAPI specification, or a Smithy mannequin.
• Monitoring: AgentCore Gateway gives built-in observability and auditing. Moreover, AWS PrivateLink publishes metrics to Amazon CloudWatch for monitoring interface endpoints. You’ll be able to optionally allow VPC Flow Logs for logging IP site visitors to AgentCore Gateway.

Pay attention to the next key issues:

• Personal and public community communication – The interface VPC endpoint permits safe communication for inbound site visitors from brokers to AgentCore Gateway by way of AWS PrivateLink, ensuring this site visitors stays inside the non-public community. Nonetheless, authentication workflows—together with OAuth entry token retrieval and credential trade processes between brokers and exterior Identification Supplier techniques for each inbound and outbound flows—and outbound entry from the gateway to MCP instruments proceed to require web connectivity for establishing safe periods with id techniques and exterior assets hosted exterior the AWS atmosphere.
• Knowledge aircraft scope – It’s vital to know that, at the moment, the interface VPC endpoint help is relevant solely to the data plane endpoints of your gateway—the runtime endpoints the place your functions work together with agent instruments. To make clear the excellence: though now you can entry your gateway’s runtime endpoint by way of the interface VPC endpoint, the management aircraft operations, similar to creating gateways, managing instruments, and configuring safety settings, should nonetheless be carried out by way of the usual public AgentCore management aircraft endpoint (for instance, bedrock-agentcore-control.<area>.amazonaws.com)

Conditions

To carry out the answer, you want the next stipulations:

• An AWS account with applicable AWS Identity and Access Management (IAM) permissions for VPC and Amazon Elastic Compute Cloud (Amazon EC2) administration
• Present VPC setup with subnet configuration and route tables
• AgentCore Gateway already provisioned and configured in your AWS account
• Primary understanding of VPC networking ideas and safety group configurations

Answer walkthrough

Within the following sections, we show the right way to configure the interface VPC endpoint utilizing the AWS Management Console and set up safe connectivity from a check EC2 occasion inside the VPC to AgentCore Gateway.

Create a safety group for the EC2 occasion

To create a safety group for the EC2 occasion, comply with these steps, as proven within the following screenshot:

1. Navigate to the Amazon EC2 console in your most popular AWS Region and select Safety Teams within the navigation pane underneath Community & Safety.
2. Select Create safety group.
3. For Safety group title, enter a descriptive title similar to ec2-agent-sg.
4. For Description, enter a significant description similar to Safety group for EC2 cases operating AI brokers.
5. For VPC, select your goal VPC.
6. Add related Inbound guidelines for the EC2 occasion administration similar to SSH (port 22) out of your administration community or bastion host.
7. Depart Outbound guidelines as default (permits all outbound site visitors) to ensure brokers can talk with vital companies.
8. Select Create safety group.

Create a safety group for the interface VPC endpoint

To create a safety group for the interface VPC endpoint, comply with these steps:

Create a second safety group named vpce-agentcore-sg that will likely be connected to the AgentCore Gateway interface VPC endpoint utilizing related steps to the previous directions and choosing the identical VPC. For this safety group, configure the next guidelines to allow safe and restricted entry:

• Inbound guidelines – Permit HTTPS (port 443) for safe communication to the AgentCore Gateway
• Supply – Choose the EC2 safety group (ec2-agent-sg) you created within the previous part to permit site visitors solely from approved agent cases
• Outbound guidelines – Depart as default (all site visitors allowed) to help response site visitors

This safety group configuration implements the precept of least privilege by ensuring solely EC2 cases with the agent safety group can entry the VPC endpoint whereas blocking unauthorized entry from different assets within the VPC. These steps are illustrated by the next screenshot.

Provision an EC2 occasion inside the VPC

Provision an EC2 occasion in the identical VPC and choose an applicable Availability Zone on your workload necessities. Configure the occasion with the community settings proven within the following listing, ensuring you choose the identical VPC and observe the chosen subnet for VPC endpoint configuration:

• VPC – Choose your goal VPC
• Subnet – Select a non-public subnet for enhanced safety (observe this subnet for VPC endpoint configuration)
• Safety group – Connect the EC2 safety group (ec2-agent-sg) you created within the earlier steps
• IAM position – Configure an IAM position with vital permissions for Amazon Bedrock and AgentCore Gateway entry
• Occasion kind – Select an applicable occasion kind based mostly in your agent workload necessities

Keep in mind the chosen subnet since you’ll have to configure the VPC endpoint in the identical subnet to facilitate optimum community routing and minimal latency. These configurations are proven within the following screenshot.

Create an interface VPC endpoint

Create an interface VPC endpoint utilizing Amazon Virtual Private Cloud (Amazon VPC) that mechanically makes use of AWS PrivateLink expertise, enabling safe communication out of your EC2 occasion to AgentCore Gateway with out traversing the general public web. Comply with these steps:

1. Navigate to the Amazon VPC console and select Endpoints within the navigation pane underneath the PrivateLink and Lattice part.
2. Select Create endpoint.
3. For Title tag, enter a descriptive title (for instance, vpce-agentcore-gateway).
4. For Service class, select AWS companies.
5. For Providers, seek for and select com.amazonaws.<area>.bedrock-agentcore.gateway (substitute <area> together with your precise AWS Area).

These settings are proven within the following screenshot.

6. Set the VPC to the identical VPC you’ve been working with all through this setup.
7. Choose Allow DNS title to permit entry to the AgentCore Gateway utilizing its default area title, which simplifies utility configuration and maintains compatibility with current code.
8. Specify the subnet the place the EC2 occasion is operating to keep up optimum community routing and minimal latency, as proven within the following screenshot.

9. Set the safety group to the VPC endpoint safety group (vpce-agentcore-sg) you created earlier to manage entry to the endpoint.
10. For preliminary testing, go away the coverage set to Full entry to permit brokers inside your VPC to speak with AgentCore Gateway in your AWS account. In manufacturing environments, implement extra restrictive insurance policies based mostly on the precept of least privilege.

After you create the endpoint, it can take roughly 2–5 minutes to grow to be obtainable. You’ll be able to monitor the standing on the Amazon VPC console, and when it reveals as Obtainable, you’ll be able to proceed with testing the connection.

Check the connection

Log in to the EC2 occasion to carry out following the exams.

Examine site visitors movement over an interface VPC endpoint

To verify the site visitors movement by way of the Amazon Bedrock AgentCore Gateway endpoint, check the IP address of the source resource that connects to the AgentCore Gateway endpoint. If you arrange an interface VPC endpoint, AWS deploys an elastic community interface with a non-public IP deal with within the subnet. This deployment permits communication with AgentCore Gateway from assets inside the Amazon VPC and on-premises assets that hook up with the interface VPC endpoint by way of AWS Direct Connect or AWS Site-to-Site VPN. It additionally permits communication with assets in different Amazon VPC endpoints whenever you use centralized interface VPC endpoint architecture patterns.

Examine whether or not you turned on non-public DNS for the AgentCore Gateway endpoint. Should you activate non-public DNS, then AgentCore Gateway endpoints resolve to the non-public endpoint IP addresses. For AgentCore Gateway, enabling non-public DNS means your brokers can proceed utilizing the usual gateway endpoint URL whereas benefiting from non-public community routing by way of the VPC endpoint.

Earlier than VPC interface endpoint, as proven within the following instance, the DNS resolves to a public IP deal with for AgentCore Gateway endpoint:

nslookup gateway.bedrock-agentcoreamazonaws.com

Non-authoritative reply:
Title: gateway.bedrock-agentcore..amazonaws.com
Tackle: 52.86.152.150

After VPC interface endpoint creation with non-public DNS decision, as proven within the following instance, the DNS resolves to non-public IP deal with from the CIDR vary of the subnet of the VPC by which the VPC endpoint was created.

nslookup .gateway.bedrock-agentcore..amazonaws.com

Non-authoritative reply:
Title: .gateway.bedrock-agentcore..amazonaws.com
Tackle: 172.31.91.174

When you choose Allow DNS title for AgentCore Gateway VPC interface endpoints, by default AWS activates the Allow non-public DNS just for inbound endpoints choice.

Personal DNS enabled (cURL) (beneficial)

When non-public DNS is enabled, your functions can seamlessly use the usual gateway URL endpoint within the format https://{gateway-id}.gateway.bedrock-agentcore.{area}.amazonaws.com whereas site visitors mechanically routes by way of the VPC endpoint.

The next is a pattern cURL request to be executed from a useful resource inside the VPC. The command sends a JSON-RPC POST request to retrieve obtainable instruments from the AgentCore Gateway:

curl -sS -i -X POST https://<gatewayid>.gateway.bedrock-agentcore.<area>.amazonaws.com/mcp 
--header 'Content material-Kind: utility/json'  
--header "Authorization: Bearer $TOKEN"  
--data '{
"jsonrpc": "2.0",
"id": "'"$UNIQUE_ID"'",
"technique": "instruments/listing",
"params": {}
}' 

This cURL command sends a JSON-RPC 2.0 POST request to the AgentCore Gateway MCP endpoint to retrieve a listing of obtainable instruments. It makes use of bearer token authentication and consists of response headers within the output, calling the instruments/listing technique to find what instruments are accessible by way of the gateway.

Personal DNS disabled (Python)

When Personal DNS is disabled, you’ll be able to’t entry the gateway immediately by way of the usual AgentCore Gateway endpoint. As a substitute, you should route site visitors by way of the VPC DNS title proven within the following screenshot and embrace the unique gateway area title within the Host header.

curl -sS -i -X POST https://<vpce-dns-name>/mcp 
  --header 'Host: <gatewayid>.gateway.bedrock-agentcore.<area>.amazonaws.com 
  --header 'Content material-Kind: utility/json' 
  --header "Authorization: Bearer $TOKEN" 
  --data '{
    "jsonrpc": "2.0",
    "id": "'$UNIQUE_ID'",
    "technique": "instruments/listing",
    "params": {}
  }'

The next steps under stroll by way of executing a Python script that makes use of the Host header:

1. Entry your EC2 occasion. Log in to your EC2 occasion that has entry to the VPC endpoint.
2. Configure the required atmosphere variables for the connection:
3. GATEWAY_URL – The VPC endpoint URL used to entry the AgentCore Gateway by way of your non-public community connection
4. TOKEN – Your authentication bearer token for accessing the gateway
5. GATEWAY_HOST – The unique AgentCore Gateway area title that should be included within the Host header when Personal DNS is disabled

For instance:

export GATEWAY_URL=https://<vpce_id>.gateway.bedrock-agentcore.ap-southeast-2.vpce.amazonaws.com/mcp
export TOKEN=<your-token-here>
export GATEWAY_HOST=<gateway_id>.gateway.bedrock-agentcore.ap-southeast-2.amazonaws.com

6. Create and execute the check script.
   1. Copy the next Python code right into a file named agent.py. This code exams the AgentCore Gateway workflow by discovering obtainable instruments, making a Strands Agent with the instruments, after which testing each conversational interactions (device itemizing and climate queries) and direct MCP device calls. Copy the code:

from strands.fashions import BedrockModel
from mcp.consumer.streamable_http import streamablehttp_client
from strands.instruments.mcp.mcp_client import MCPClient
from strands import Agent
import logging
import os

# Learn authentication token and gateway URL from atmosphere variables
token = os.getenv('TOKEN')
gatewayURL = os.getenv('GATEWAY_URL')  #vpc endpoint url
gatewayHost = os.getenv('GATEWAY_HOST') #area title of the agentcore gateway

def create_streamable_http_transport():
    """Create HTTP transport with correct authentication headers"""
    return streamablehttp_client(
        gatewayURL, 
        headers={
            "Authorization": f"Bearer {token}",
            "Host":gatewayHost
        }
    )
# Initialize MCP consumer with the transport
consumer = MCPClient(create_streamable_http_transport)

# Configure Bedrock mannequin - guarantee IAM credentials in ~/.aws/credentials have Bedrock entry
yourmodel = BedrockModel(
    model_id="amazon.nova-pro-v1:0",
    temperature=0.7,
)

# Configure logging for debugging and monitoring
logging.getLogger("strands").setLevel(logging.INFO)
logging.basicConfig(
    format="%(levelname)s | %(title)s | %(message)s",
    handlers=[logging.StreamHandler()]
)

# Check the entire agent workflow
with consumer:
    targetname="TestGatewayTarget36cb2ebf"
    
    # Record obtainable instruments from the MCP server
    instruments = consumer.list_tools_sync()
    
    # Create an Agent with the mannequin and obtainable instruments
    agent = Agent(mannequin=yourmodel, instruments=instruments)
    print(f"Instruments loaded within the agent: {agent.tool_names}")
    
    # Check agent with a easy question to listing obtainable instruments
    response1 = agent("Hello, are you able to listing all instruments obtainable to you?")
    print(f"Agent response for device itemizing: {response1}")
    
    # Check agent with a device invocation request
    response2 = agent("Get the present climate for Seattle and present me the precise response from the device")
    print(f"Agent response for climate question: {response2}")
    
    # Direct MCP device invocation for validation
    outcome = consumer.call_tool_sync(
        tool_use_id="get-weather-seattle-call-1",  # Distinctive identifier for this name
        title=f"{targetname}___get_weather",  # Device title format for Lambda targets
        arguments={"location": "Seattle"}
    )
    print(f"Direct MCP device response: {outcome}")

7. Invoke the script utilizing the next command:

python3 agent.py

Superior configuration: VPC endpoint entry insurance policies

A VPC endpoint coverage is a resource-based coverage that controls entry to AWS companies by way of the endpoint. Not like identity-based insurance policies, endpoint insurance policies present a further layer of entry management on the community degree. You’ll be able to configure entry insurance policies for AgentCore Gateway VPC endpoints with particular issues.When creating endpoint insurance policies for AgentCore Gateway, contemplate these key parts:

• Principal configuration – The Principal discipline can’t be modified as a result of AgentCore Gateway doesn’t use IAM for authentication. Authentication is dealt with by way of bearer tokens fairly than IAM principals.
• Useful resource specification – Clearly outline the Useful resource discipline if you wish to prohibit entry to particular gateway endpoints. Use the total Amazon Resource Name (ARN) format to focus on specific gateways inside your account as proven within the following pattern coverage construction.
• Motion permissions – For the Motion discipline, keep away from specifying management aircraft operations. Use a wildcard (*) to permit the mandatory knowledge aircraft operations for gateway performance.

Here’s a pattern coverage construction:

{
"Model": "2012-10-17",
"Assertion": [
{
"Principal": "*",
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:bedrock-agentcore:<region>:<AWS_Account_ID>:gateway/<gateway_id>"
}
]
}

When the VPC endpoint coverage blocks a request, you will note error responses similar to:

{"jsonrpc":"2.0","id":2,"error":{"code":-32002,"message":"Authorization error - Inadequate permissions"}}

Coverage caching conduct

AgentCore Gateway implements a caching mechanism for entry insurance policies that introduces a delay of as much as quarter-hour earlier than coverage modifications take impact. Though this caching considerably improves gateway efficiency, it implies that coverage modifications may not be instantly mirrored in entry controls. To work successfully with this conduct, it’s best to permit at the least quarter-hour for coverage modifications to totally propagate all through the system after making updates. When attainable, schedule coverage modifications throughout deliberate upkeep home windows to attenuate operational impression. At all times check coverage modifications in nonproduction environments earlier than making use of them to manufacturing gateways and issue within the caching delay when diagnosing access-related points to keep away from untimely troubleshooting efforts.

Superior patterns

In a shared gateway, a number of brokers sample, a number of brokers from completely different companies entry a single centralized gateway by way of a shared VPC endpoint, simplifying community structure whereas sustaining safety by way of token-based authentication. This sample is illustrated within the following diagram.

In a multi-gateway, multi-agent sample, which is proven within the following diagram, a number of brokers throughout completely different functions entry a number of specialised gateways by way of devoted VPC endpoints, offering most safety isolation with entry management per gateway.

In a cross-VPC gateway entry sample, proven within the following diagram, brokers in a number of VPCs can entry AgentCore Gateway by way of VPC peering or AWS Transit Gateway connections, permitting centralized gateway entry throughout community boundaries whereas sustaining isolation.

In a hybrid cloud gateway sample, on-premises brokers can entry cloud-based gateways by way of VPC endpoints with non-public DNS disabled, enabling hybrid cloud deployments by way of Direct Join or VPN connections. The next diagram illustrates this sample.

Clear up

To keep away from ongoing expenses and keep good useful resource hygiene, clear up your assets by finishing the next steps so as:Delete the EC2 occasion:

1. Navigate to the Amazon EC2 console and choose your check occasion
2. Select Occasion state and Cease occasion, then watch for it to cease
3. Select Occasion state and Terminate occasion to completely delete the occasion

Delete the VPC endpoint:

4. Navigate to the Amazon VPC console and select Endpoints
5. Choose the VPC endpoint (vpce-agentcore-gateway) you created
6. Select Actions and Delete VPC endpoints
7. Verify the deletion

Delete the safety teams:

8. Navigate to the Amazon EC2 console and select Safety teams
9. Choose the EC2 safety group (ec2-agent-sg) you created
10. Select Actions and Delete safety teams
11. Repeat for the VPC endpoint safety group (vpce-agentcore-sg)

Conclusion

On this submit, we demonstrated the right way to set up safe, non-public connectivity between VPC-hosted assets and Amazon Bedrock AgentCore Gateway utilizing VPC interface endpoints and AWS PrivateLink. This structure delivers complete advantages for enterprise agentic AI deployments by implementing networks which might be remoted from the web, offering enhanced safety by way of devoted non-public community paths. The answer implements a sturdy knowledge perimeter by way of VPC endpoint insurance policies, which create granular entry controls that set up strict knowledge boundaries round your AI assets. Moreover, the structure permits non-public connectivity to Gateway endpoints for on-premises environments, supporting distributed AI architectures that span cloud and on-premises infrastructure. For organizations deploying autonomous AI techniques at scale, implementing VPC interface endpoints creates the safe networking basis vital for environment friendly agent operations whereas delivering diminished latency by way of optimized community paths. This enterprise-grade method helps allow your agentic AI functions to attain improved efficiency and diminished response instances whereas assembly safety and compliance necessities.

To be taught extra about implementing these patterns and finest practices, go to the Amazon Bedrock documentation and AWS PrivateLink documentation for complete steerage on AI deployments.

In regards to the authors

Dhawal Patel is a Principal Machine Studying Architect at Amazon Net Providers (AWS). He has labored with organizations starting from giant enterprises to midsized startups on issues associated to distributed computing and AI. He focuses on deep studying, together with pure language processing (NLP) and pc imaginative and prescient domains. He helps prospects obtain high-performance mannequin inference on Amazon SageMaker.

Sindhura Palakodety is a Senior Options Architect at Amazon Net Providers (AWS) and Single-Threaded Chief (STL) for ISV Generative AI, the place she is devoted to empowering prospects in growing enterprise-scale, Nicely-Architected options. She makes a speciality of generative AI and knowledge analytics domains, enabling organizations to leverage revolutionary applied sciences for transformative enterprise outcomes.

Thomas Mathew Veppumthara is a Sr. Software program Engineer at Amazon Net Providers (AWS) with Amazon Bedrock AgentCore. He has earlier generative AI management expertise in Amazon Bedrock Brokers and almost a decade of distributed techniques experience throughout Amazon eCommerce Providers and Amazon Elastic Block Retailer (Amazon EBS). He holds a number of patents in distributed techniques, storage, and generative AI applied sciences.

June Won is a Principal Product Supervisor with Amazon SageMaker JumpStart. He focuses on making basis fashions (FMs) simply discoverable and usable to assist prospects construct generative AI functions. His expertise at Amazon additionally consists of cellular buying functions and last-mile supply.