Safe ingress connectivity to Amazon Bedrock AgentCore Gateway utilizing interface VPC endpoints

Agentic AI functions signify a big growth in enterprise automation, the place clever brokers autonomously execute complicated workflows, entry delicate datasets, and make real-time choices throughout your group’s infrastructure. Amazon Bedrock AgentCore accelerates enterprise AI transformation by offering absolutely managed providers that take away infrastructure complexity, preserve session isolation, and allow seamless integration with enterprise instruments so organizations can deploy reliable AI brokers at scale. AgentCore Gateway, a modular service below AgentCore, simplifies integration by securely reworking APIs, AWS Lambda features, and providers into Mannequin Context Protocol (MCP)-compatible instruments and making them obtainable to brokers by means of a unified endpoint, with built-in authentication and serverless infrastructure that minimizes operational overhead.

In manufacturing environments, AI brokers are sometimes deployed inside digital non-public clouds (VPCs) to keep up safe, remoted community entry and to satisfy enterprise safety and compliance necessities. Amazon Net Providers (AWS) interface VPC endpoints can improve agentic AI safety by creating non-public connections between VPC-hosted brokers and AgentCore Gateway, conserving delicate communications inside the safe infrastructure of AWS. These endpoints use devoted community interfaces with non-public IP addresses to ship lowered latency and superior efficiency by means of direct connectivity. Moreover, VPC interface endpoints provide granular entry management by means of endpoint insurance policies, streamline operations by avoiding proxy server administration, cut back knowledge switch prices, and set up the safe basis that autonomous AI programs require when processing confidential knowledge in regulated environments at enterprise scale.

On this submit, we exhibit the right way to entry AgentCore Gateway by means of a VPC interface endpoint from an Amazon Elastic Compute Cloud (Amazon EC2) occasion in a VPC. We additionally present the right way to configure your VPC endpoint coverage to offer safe entry to the AgentCore Gateway whereas sustaining the precept of least privilege entry.

Structure overview

This structure diagram illustrates a person accessing an utility supported by backend brokers deployed throughout varied AWS compute providers, together with EC2 cases, Lambda features, Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Container Service (Amazon ECS), all working inside a VPC setting. These brokers talk with AgentCore Gateway to find, entry, and invoke exterior instruments and providers which were remodeled into agent-compatible sources, reminiscent of enterprise APIs and Lambda features. In the usual configuration, agent requests to AgentCore Gateway traverse the general public web. By implementing interface VPC endpoints, organizations can route these communications by means of the AWS safe inner community spine as an alternative, delivering important advantages that may embody enhanced safety, lowered latency, and improved compliance alignment for regulated workloads that require strict community isolation and knowledge safety requirements. The answer follows this workflow:

• AI agent interplay – An agent operating inside the VPC obtains the required inbound authorization from id suppliers, authenticates with Gateway, and sends a tool-use request (invokes the MCP software) to the gateway by means of the interface VPC endpoint.
• Gateway processing: Gateway manages OAuth authorization to verify solely legitimate customers and brokers can entry instruments and sources. The inbound request is allowed by Gateway. Converts agent requests utilizing protocols like Mannequin Context Protocol (MCP) into API requests and Lambda invocations
• Safe entry: The gateway handles credential injection for every software, enabling brokers to make use of instruments with completely different authentication necessities seamlessly. It makes use of AgentCore Identification to securely entry backend sources (the targets) on behalf of the agent.
• Goal execution: The gateway knowledge airplane invokes the goal, which generally is a Lambda perform, an OpenAPI specification, or a Smithy mannequin.
• Monitoring: AgentCore Gateway supplies built-in observability and auditing. Moreover, AWS PrivateLink publishes metrics to Amazon CloudWatch for monitoring interface endpoints. You may optionally allow VPC Movement Logs for logging IP visitors to AgentCore Gateway.

Pay attention to the next key concerns:

• Personal and public community communication – The interface VPC endpoint allows safe communication for inbound visitors from brokers to AgentCore Gateway by means of AWS PrivateLink, ensuring this visitors stays inside the non-public community. Nevertheless, authentication workflows—together with OAuth entry token retrieval and credential alternate processes between brokers and exterior Identification Supplier programs for each inbound and outbound flows—and outbound entry from the gateway to MCP instruments proceed to require web connectivity for establishing safe periods with id programs and exterior sources hosted outdoors the AWS setting.
• Knowledge airplane scope – It’s vital to know that, at the moment, the interface VPC endpoint assist is relevant solely to the knowledge airplane endpoints of your gateway—the runtime endpoints the place your functions work together with agent instruments. To make clear the excellence: though now you can entry your gateway’s runtime endpoint by means of the interface VPC endpoint, the management airplane operations, reminiscent of creating gateways, managing instruments, and configuring safety settings, should nonetheless be carried out by means of the usual public AgentCore management airplane endpoint (for instance, bedrock-agentcore-control..amazonaws.com)

Stipulations

To carry out the answer, you want the next stipulations:

• An AWS account with acceptable AWS Identification and Entry Administration (IAM) permissions for VPC and Amazon Elastic Compute Cloud (Amazon EC2) administration
• Current VPC setup with subnet configuration and route tables
• AgentCore Gateway already provisioned and configured in your AWS account
• Fundamental understanding of VPC networking ideas and safety group configurations

Answer walkthrough

Within the following sections, we exhibit the right way to configure the interface VPC endpoint utilizing the AWS Administration Console and set up safe connectivity from a take a look at EC2 occasion inside the VPC to AgentCore Gateway.

Create a safety group for the EC2 occasion

To create a safety group for the EC2 occasion, comply with these steps, as proven within the following screenshot:

1. Navigate to the Amazon EC2 console in your most well-liked AWS Area and select Safety Teams within the navigation pane below Community & Safety.
2. Select Create safety group.
3. For Safety group identify, enter a descriptive identify reminiscent of ec2-agent-sg.
4. For Description, enter a significant description reminiscent of Safety group for EC2 cases operating AI brokers.
5. For VPC, select your goal VPC.
6. Add related Inbound guidelines for the EC2 occasion administration reminiscent of SSH (port 22) out of your administration community or bastion host.
7. Go away Outbound guidelines as default (permits all outbound visitors) to verify brokers can talk with needed providers.
8. Select Create safety group.

Create a safety group for the interface VPC endpoint

To create a safety group for the interface VPC endpoint, comply with these steps:

Create a second safety group named vpce-agentcore-sg that shall be hooked up to the AgentCore Gateway interface VPC endpoint utilizing related steps to the previous directions and choosing the identical VPC. For this safety group, configure the next guidelines to allow safe and restricted entry:

• Inbound guidelines – Enable HTTPS (port 443) for safe communication to the AgentCore Gateway
• Supply – Choose the EC2 safety group (ec2-agent-sg) you created within the previous part to permit visitors solely from approved agent cases
• Outbound guidelines – Go away as default (all visitors allowed) to assist response visitors

This safety group configuration implements the precept of least privilege by ensuring solely EC2 cases with the agent safety group can entry the VPC endpoint whereas blocking unauthorized entry from different sources within the VPC. These steps are illustrated by the next screenshot.

Provision an EC2 occasion inside the VPC

Provision an EC2 occasion in the identical VPC and choose an acceptable Availability Zone to your workload necessities. Configure the occasion with the community settings proven within the following listing, ensuring you choose the identical VPC and word the chosen subnet for VPC endpoint configuration:

• VPC – Choose your goal VPC
• Subnet – Select a personal subnet for enhanced safety (word this subnet for VPC endpoint configuration)
• Safety group – Connect the EC2 safety group (ec2-agent-sg) you created within the earlier steps
• IAM function – Configure an IAM function with needed permissions for Amazon Bedrock and AgentCore Gateway entry
• Occasion kind – Select an acceptable occasion kind based mostly in your agent workload necessities

Keep in mind the chosen subnet since you’ll must configure the VPC endpoint in the identical subnet to facilitate optimum community routing and minimal latency. These configurations are proven within the following screenshot.

Create an interface VPC endpoint

Create an interface VPC endpoint utilizing Amazon Digital Personal Cloud (Amazon VPC) that mechanically makes use of AWS PrivateLink expertise, enabling safe communication out of your EC2 occasion to AgentCore Gateway with out traversing the general public web. Observe these steps:

1. Navigate to the Amazon VPC console and select Endpoints within the navigation pane below the PrivateLink and Lattice part.
2. Select Create endpoint.
3. For Title tag, enter a descriptive identify (for instance, vpce-agentcore-gateway).
4. For Service class, select AWS providers.
5. For Providers, seek for and select com.amazonaws..bedrock-agentcore.gateway (change along with your precise AWS Area).

These settings are proven within the following screenshot.

6. Set the VPC to the identical VPC you’ve been working with all through this setup.
7. Choose Allow DNS identify to permit entry to the AgentCore Gateway utilizing its default area identify, which simplifies utility configuration and maintains compatibility with present code.
8. Specify the subnet the place the EC2 occasion is operating to keep up optimum community routing and minimal latency, as proven within the following screenshot.

9. Set the safety group to the VPC endpoint safety group (vpce-agentcore-sg) you created earlier to manage entry to the endpoint.
10. For preliminary testing, depart the coverage set to Full entry to permit brokers inside your VPC to speak with AgentCore Gateway in your AWS account. In manufacturing environments, implement extra restrictive insurance policies based mostly on the precept of least privilege.

After you create the endpoint, it should take roughly 2–5 minutes to change into obtainable. You may monitor the standing on the Amazon VPC console, and when it reveals as Accessible, you may proceed with testing the connection.

Take a look at the connection

Log in to the EC2 occasion to carry out following the checks.

Examine visitors move over an interface VPC endpoint

To verify the visitors move by means of the Amazon Bedrock AgentCore Gateway endpoint, examine the IP deal with of the supply useful resource that connects to the AgentCore Gateway endpoint. If you arrange an interface VPC endpoint, AWS deploys an elastic community interface with a personal IP deal with within the subnet. This deployment permits communication with AgentCore Gateway from sources inside the Amazon VPC and on-premises sources that hook up with the interface VPC endpoint by means of AWS Direct Join or AWS Web site-to-Web site VPN. It additionally permits communication with sources in different Amazon VPC endpoints whenever you use centralized interface VPC endpoint structure patterns.

Examine whether or not you turned on non-public DNS for the AgentCore Gateway endpoint. Should you activate non-public DNS, then AgentCore Gateway endpoints resolve to the non-public endpoint IP addresses. For AgentCore Gateway, enabling non-public DNS means your brokers can proceed utilizing the usual gateway endpoint URL whereas benefiting from non-public community routing by means of the VPC endpoint.

Earlier than VPC interface endpoint, as proven within the following instance, the DNS resolves to a public IP deal with for AgentCore Gateway endpoint:

nslookup gateway.bedrock-agentcoreamazonaws.com

Non-authoritative reply:
Title: gateway.bedrock-agentcore..amazonaws.com
Handle: 52.86.152.150

After VPC interface endpoint creation with non-public DNS decision, as proven within the following instance, the DNS resolves to non-public IP deal with from the CIDR vary of the subnet of the VPC by which the VPC endpoint was created.

nslookup .gateway.bedrock-agentcore..amazonaws.com

Non-authoritative reply:
Title: .gateway.bedrock-agentcore..amazonaws.com
Handle: 172.31.91.174

When you choose Allow DNS identify for AgentCore Gateway VPC interface endpoints, by default AWS activates the Allow non-public DNS just for inbound endpoints choice.

Personal DNS enabled (cURL) (advisable)

When non-public DNS is enabled, your functions can seamlessly use the usual gateway URL endpoint within the format https://{gateway-id}.gateway.bedrock-agentcore.{area}.amazonaws.com whereas visitors mechanically routes by means of the VPC endpoint.

The next is a pattern cURL request to be executed from a useful resource inside the VPC. The command sends a JSON-RPC POST request to retrieve obtainable instruments from the AgentCore Gateway:

curl -sS -i -X POST https://.gateway.bedrock-agentcore..amazonaws.com/mcp 
--header 'Content material-Sort: utility/json'  
--header "Authorization: Bearer $TOKEN"  
--data '{
"jsonrpc": "2.0",
"id": "'"$UNIQUE_ID"'",
"methodology": "instruments/listing",
"params": {}
}' 

This cURL command sends a JSON-RPC 2.0 POST request to the AgentCore Gateway MCP endpoint to retrieve a listing of obtainable instruments. It makes use of bearer token authentication and consists of response headers within the output, calling the instruments/listing methodology to find what instruments are accessible by means of the gateway.

Personal DNS disabled (Python)

When Personal DNS is disabled, you may’t entry the gateway immediately by means of the usual AgentCore Gateway endpoint. As an alternative, you could route visitors by means of the VPC DNS identify proven within the following screenshot and embody the unique gateway area identify within the Host header.

curl -sS -i -X POST https:///mcp 
  --header 'Host: .gateway.bedrock-agentcore..amazonaws.com 
  --header 'Content material-Sort: utility/json' 
  --header "Authorization: Bearer $TOKEN" 
  --data '{
    "jsonrpc": "2.0",
    "id": "'$UNIQUE_ID'",
    "methodology": "instruments/listing",
    "params": {}
  }'

The next steps beneath stroll by means of executing a Python script that makes use of the Host header:

1. Entry your EC2 occasion. Log in to your EC2 occasion that has entry to the VPC endpoint.
2. Configure the required setting variables for the connection:
3. GATEWAY_URL – The VPC endpoint URL used to entry the AgentCore Gateway by means of your non-public community connection
4. TOKEN – Your authentication bearer token for accessing the gateway
5. GATEWAY_HOST – The unique AgentCore Gateway area identify that should be included within the Host header when Personal DNS is disabled

For instance:

export GATEWAY_URL=https://.gateway.bedrock-agentcore.ap-southeast-2.vpce.amazonaws.com/mcp
export TOKEN=
export GATEWAY_HOST=.gateway.bedrock-agentcore.ap-southeast-2.amazonaws.com

6. Create and execute the take a look at script.
   1. Copy the next Python code right into a file named agent.py. This code checks the AgentCore Gateway workflow by discovering obtainable instruments, making a Strands Agent with the instruments, after which testing each conversational interactions (software itemizing and climate queries) and direct MCP software calls. Copy the code:

from strands.fashions import BedrockModel
from mcp.shopper.streamable_http import streamablehttp_client
from strands.instruments.mcp.mcp_client import MCPClient
from strands import Agent
import logging
import os

# Learn authentication token and gateway URL from setting variables
token = os.getenv('TOKEN')
gatewayURL = os.getenv('GATEWAY_URL')  #vpc endpoint url
gatewayHost = os.getenv('GATEWAY_HOST') #area identify of the agentcore gateway

def create_streamable_http_transport():
    """Create HTTP transport with correct authentication headers"""
    return streamablehttp_client(
        gatewayURL, 
        headers={
            "Authorization": f"Bearer {token}",
            "Host":gatewayHost
        }
    )
# Initialize MCP shopper with the transport
shopper = MCPClient(create_streamable_http_transport)

# Configure Bedrock mannequin - guarantee IAM credentials in ~/.aws/credentials have Bedrock entry
yourmodel = BedrockModel(
    model_id="amazon.nova-pro-v1:0",
    temperature=0.7,
)

# Configure logging for debugging and monitoring
logging.getLogger("strands").setLevel(logging.INFO)
logging.basicConfig(
    format="%(levelname)s | %(identify)s | %(message)s",
    handlers=[logging.StreamHandler()]
)

# Take a look at the entire agent workflow
with shopper:
    targetname="TestGatewayTarget36cb2ebf"
    
    # Listing obtainable instruments from the MCP server
    instruments = shopper.list_tools_sync()
    
    # Create an Agent with the mannequin and obtainable instruments
    agent = Agent(mannequin=yourmodel, instruments=instruments)
    print(f"Instruments loaded within the agent: {agent.tool_names}")
    
    # Take a look at agent with a easy question to listing obtainable instruments
    response1 = agent("Hello, are you able to listing all instruments obtainable to you?")
    print(f"Agent response for software itemizing: {response1}")
    
    # Take a look at agent with a software invocation request
    response2 = agent("Get the present climate for Seattle and present me the precise response from the software")
    print(f"Agent response for climate question: {response2}")
    
    # Direct MCP software invocation for validation
    outcome = shopper.call_tool_sync(
        tool_use_id="get-weather-seattle-call-1",  # Distinctive identifier for this name
        identify=f"{targetname}___get_weather",  # Instrument identify format for Lambda targets
        arguments={"location": "Seattle"}
    )
    print(f"Direct MCP software response: {outcome}")

7. Invoke the script utilizing the next command:

python3 agent.py

Superior configuration: VPC endpoint entry insurance policies

A VPC endpoint coverage is a resource-based coverage that controls entry to AWS providers by means of the endpoint. Not like identity-based insurance policies, endpoint insurance policies present a further layer of entry management on the community degree. You may configure entry insurance policies for AgentCore Gateway VPC endpoints with particular concerns.When creating endpoint insurance policies for AgentCore Gateway, take into account these key parts:

• Principal configuration – The Principal discipline can’t be modified as a result of AgentCore Gateway doesn’t use IAM for authentication. Authentication is dealt with by means of bearer tokens moderately than IAM principals.
• Useful resource specification – Clearly outline the Useful resource discipline if you wish to limit entry to particular gateway endpoints. Use the total Amazon Useful resource Title (ARN) format to focus on specific gateways inside your account as proven within the following pattern coverage construction.
• Motion permissions – For the Motion discipline, keep away from specifying management airplane operations. Use a wildcard (*) to permit the mandatory knowledge airplane operations for gateway performance.

Here’s a pattern coverage construction:

{
"Model": "2012-10-17",
"Assertion": [
{
"Principal": "*",
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:bedrock-agentcore:::gateway/"
}
]
}

When the VPC endpoint coverage blocks a request, you will note error responses reminiscent of:

{"jsonrpc":"2.0","id":2,"error":{"code":-32002,"message":"Authorization error - Inadequate permissions"}}

Coverage caching habits

AgentCore Gateway implements a caching mechanism for entry insurance policies that introduces a delay of as much as quarter-hour earlier than coverage adjustments take impact. Though this caching considerably improves gateway efficiency, it signifies that coverage modifications won’t be instantly mirrored in entry controls. To work successfully with this habits, you must enable no less than quarter-hour for coverage adjustments to completely propagate all through the system after making updates. When doable, schedule coverage modifications throughout deliberate upkeep home windows to attenuate operational affect. At all times take a look at coverage adjustments in nonproduction environments earlier than making use of them to manufacturing gateways and issue within the caching delay when diagnosing access-related points to keep away from untimely troubleshooting efforts.

Superior patterns

In a shared gateway, a number of brokers sample, a number of brokers from completely different providers entry a single centralized gateway by means of a shared VPC endpoint, simplifying community structure whereas sustaining safety by means of token-based authentication. This sample is illustrated within the following diagram.

In a multi-gateway, multi-agent sample, which is proven within the following diagram, a number of brokers throughout completely different functions entry a number of specialised gateways by means of devoted VPC endpoints, offering most safety isolation with entry management per gateway.

In a cross-VPC gateway entry sample, proven within the following diagram, brokers in a number of VPCs can entry AgentCore Gateway by means of VPC peering or AWS Transit Gateway connections, permitting centralized gateway entry throughout community boundaries whereas sustaining isolation.

In a hybrid cloud gateway sample, on-premises brokers can entry cloud-based gateways by means of VPC endpoints with non-public DNS disabled, enabling hybrid cloud deployments by means of Direct Join or VPN connections. The next diagram illustrates this sample.

Clear up

To keep away from ongoing expenses and preserve good useful resource hygiene, clear up your sources by finishing the next steps so as:Delete the EC2 occasion:

1. Navigate to the Amazon EC2 console and choose your take a look at occasion
2. Select Occasion state and Cease occasion, then look forward to it to cease
3. Select Occasion state and Terminate occasion to completely delete the occasion

Delete the VPC endpoint:

4. Navigate to the Amazon VPC console and select Endpoints
5. Choose the VPC endpoint (vpce-agentcore-gateway) you created
6. Select Actions and Delete VPC endpoints
7. Affirm the deletion

Delete the safety teams:

8. Navigate to the Amazon EC2 console and select Safety teams
9. Choose the EC2 safety group (ec2-agent-sg) you created
10. Select Actions and Delete safety teams
11. Repeat for the VPC endpoint safety group (vpce-agentcore-sg)

Conclusion

On this submit, we demonstrated the right way to set up safe, non-public connectivity between VPC-hosted sources and Amazon Bedrock AgentCore Gateway utilizing VPC interface endpoints and AWS PrivateLink. This structure delivers complete advantages for enterprise agentic AI deployments by implementing networks which can be remoted from the web, offering enhanced safety by means of devoted non-public community paths. The answer implements a strong knowledge perimeter by means of VPC endpoint insurance policies, which create granular entry controls that set up strict knowledge boundaries round your AI sources. Moreover, the structure allows non-public connectivity to Gateway endpoints for on-premises environments, supporting distributed AI architectures that span cloud and on-premises infrastructure. For organizations deploying autonomous AI programs at scale, implementing VPC interface endpoints creates the safe networking basis needed for environment friendly agent operations whereas delivering lowered latency by means of optimized community paths. This enterprise-grade strategy helps allow your agentic AI functions to realize improved efficiency and lowered response occasions whereas assembly safety and compliance necessities.

To be taught extra about implementing these patterns and finest practices, go to the Amazon Bedrock documentation and AWS PrivateLink documentation for complete steering on AI deployments.

Concerning the authors

Dhawal Patel is a Principal Machine Studying Architect at Amazon Net Providers (AWS). He has labored with organizations starting from giant enterprises to midsized startups on issues associated to distributed computing and AI. He focuses on deep studying, together with pure language processing (NLP) and pc imaginative and prescient domains. He helps prospects obtain high-performance mannequin inference on Amazon SageMaker.

Sindhura Palakodety is a Senior Options Architect at Amazon Net Providers (AWS) and Single-Threaded Chief (STL) for ISV Generative AI, the place she is devoted to empowering prospects in growing enterprise-scale, Effectively-Architected options. She makes a speciality of generative AI and knowledge analytics domains, enabling organizations to leverage revolutionary applied sciences for transformative enterprise outcomes.

Thomas Mathew Veppumthara is a Sr. Software program Engineer at Amazon Net Providers (AWS) with Amazon Bedrock AgentCore. He has earlier generative AI management expertise in Amazon Bedrock Brokers and almost a decade of distributed programs experience throughout Amazon eCommerce Providers and Amazon Elastic Block Retailer (Amazon EBS). He holds a number of patents in distributed programs, storage, and generative AI applied sciences.

June Received is a Principal Product Supervisor with Amazon SageMaker JumpStart. He focuses on making basis fashions (FMs) simply discoverable and usable to assist prospects construct generative AI functions. His expertise at Amazon additionally consists of cellular buying functions and last-mile supply.