Safe ingress connectivity to Amazon Bedrock AgentCore Gateway utilizing interface VPC endpoints

Agentic AI functions signify a big growth in enterprise automation, the place clever brokers autonomously execute advanced workflows, entry delicate datasets, and make real-time selections throughout your group’s infrastructure. Amazon Bedrock AgentCore accelerates enterprise AI transformation by offering totally managed companies that take away infrastructure complexity, preserve session isolation, and allow seamless integration with enterprise instruments so organizations can deploy reliable AI brokers at scale. AgentCore Gateway, a modular service underneath AgentCore, simplifies integration by securely remodeling APIs, AWS Lambda features, and companies into Mannequin Context Protocol (MCP)-compatible instruments and making them accessible to brokers by a unified endpoint, with built-in authentication and serverless infrastructure that minimizes operational overhead.

In manufacturing environments, AI brokers are sometimes deployed inside digital non-public clouds (VPCs) to keep up safe, remoted community entry and to satisfy enterprise safety and compliance necessities. Amazon Internet Providers (AWS) interface VPC endpoints can improve agentic AI safety by creating non-public connections between VPC-hosted brokers and AgentCore Gateway, conserving delicate communications throughout the safe infrastructure of AWS. These endpoints use devoted community interfaces with non-public IP addresses to ship lowered latency and superior efficiency by direct connectivity. Moreover, VPC interface endpoints supply granular entry management by endpoint insurance policies, streamline operations by avoiding proxy server administration, scale back knowledge switch prices, and set up the safe basis that autonomous AI techniques require when processing confidential knowledge in regulated environments at enterprise scale.

On this publish, we show learn how to entry AgentCore Gateway by a VPC interface endpoint from an Amazon Elastic Compute Cloud (Amazon EC2) occasion in a VPC. We additionally present learn how to configure your VPC endpoint coverage to supply safe entry to the AgentCore Gateway whereas sustaining the precept of least privilege entry.

Structure overview

This structure diagram illustrates a person accessing an utility supported by backend brokers deployed throughout varied AWS compute companies, together with EC2 cases, Lambda features, Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Container Service (Amazon ECS), all working inside a VPC surroundings. These brokers talk with AgentCore Gateway to find, entry, and invoke exterior instruments and companies which were reworked into agent-compatible assets, equivalent to enterprise APIs and Lambda features. In the usual configuration, agent requests to AgentCore Gateway traverse the general public web. By implementing interface VPC endpoints, organizations can route these communications by the AWS safe inner community spine as a substitute, delivering important advantages that may embrace enhanced safety, lowered latency, and improved compliance alignment for regulated workloads that require strict community isolation and knowledge safety requirements. The answer follows this workflow:

• AI agent interplay – An agent operating throughout the VPC obtains the required inbound authorization from id suppliers, authenticates with Gateway, and sends a tool-use request (invokes the MCP instrument) to the gateway by the interface VPC endpoint.
• Gateway processing: Gateway manages OAuth authorization to ensure solely legitimate customers and brokers can entry instruments and assets. The inbound request is permitted by Gateway. Converts agent requests utilizing protocols like Mannequin Context Protocol (MCP) into API requests and Lambda invocations
• Safe entry: The gateway handles credential injection for every instrument, enabling brokers to make use of instruments with totally different authentication necessities seamlessly. It makes use of AgentCore Id to securely entry backend assets (the targets) on behalf of the agent.
• Goal execution: The gateway knowledge airplane invokes the goal, which could be a Lambda perform, an OpenAPI specification, or a Smithy mannequin.
• Monitoring: AgentCore Gateway supplies built-in observability and auditing. Moreover, AWS PrivateLink publishes metrics to Amazon CloudWatch for monitoring interface endpoints. You’ll be able to optionally allow VPC Circulation Logs for logging IP visitors to AgentCore Gateway.

Pay attention to the next key concerns:

• Non-public and public community communication – The interface VPC endpoint permits safe communication for inbound visitors from brokers to AgentCore Gateway by AWS PrivateLink, ensuring this visitors stays throughout the non-public community. Nonetheless, authentication workflows—together with OAuth entry token retrieval and credential alternate processes between brokers and exterior Id Supplier techniques for each inbound and outbound flows—and outbound entry from the gateway to MCP instruments proceed to require web connectivity for establishing safe classes with id techniques and exterior assets hosted exterior the AWS surroundings.
• Knowledge airplane scope – It’s necessary to grasp that, presently, the interface VPC endpoint help is relevant solely to the knowledge airplane endpoints of your gateway—the runtime endpoints the place your functions work together with agent instruments. To make clear the excellence: though now you can entry your gateway’s runtime endpoint by the interface VPC endpoint, the management airplane operations, equivalent to creating gateways, managing instruments, and configuring safety settings, should nonetheless be carried out by the usual public AgentCore management airplane endpoint (for instance, bedrock-agentcore-control..amazonaws.com)

Conditions

To carry out the answer, you want the next stipulations:

• An AWS account with acceptable AWS Id and Entry Administration (IAM) permissions for VPC and Amazon Elastic Compute Cloud (Amazon EC2) administration
• Present VPC setup with subnet configuration and route tables
• AgentCore Gateway already provisioned and configured in your AWS account
• Fundamental understanding of VPC networking ideas and safety group configurations

Answer walkthrough

Within the following sections, we show learn how to configure the interface VPC endpoint utilizing the AWS Administration Console and set up safe connectivity from a check EC2 occasion throughout the VPC to AgentCore Gateway.

Create a safety group for the EC2 occasion

To create a safety group for the EC2 occasion, observe these steps, as proven within the following screenshot:

1. Navigate to the Amazon EC2 console in your most popular AWS Area and select Safety Teams within the navigation pane underneath Community & Safety.
2. Select Create safety group.
3. For Safety group title, enter a descriptive title equivalent to ec2-agent-sg.
4. For Description, enter a significant description equivalent to Safety group for EC2 cases operating AI brokers.
5. For VPC, select your goal VPC.
6. Add related Inbound guidelines for the EC2 occasion administration equivalent to SSH (port 22) out of your administration community or bastion host.
7. Depart Outbound guidelines as default (permits all outbound visitors) to ensure brokers can talk with obligatory companies.
8. Select Create safety group.

Create a safety group for the interface VPC endpoint

To create a safety group for the interface VPC endpoint, observe these steps:

Create a second safety group named vpce-agentcore-sg that can be hooked up to the AgentCore Gateway interface VPC endpoint utilizing related steps to the previous directions and choosing the identical VPC. For this safety group, configure the next guidelines to allow safe and restricted entry:

• Inbound guidelines – Enable HTTPS (port 443) for safe communication to the AgentCore Gateway
• Supply – Choose the EC2 safety group (ec2-agent-sg) you created within the previous part to permit visitors solely from licensed agent cases
• Outbound guidelines – Depart as default (all visitors allowed) to help response visitors

This safety group configuration implements the precept of least privilege by ensuring solely EC2 cases with the agent safety group can entry the VPC endpoint whereas blocking unauthorized entry from different assets within the VPC. These steps are illustrated by the next screenshot.

Provision an EC2 occasion throughout the VPC

Provision an EC2 occasion in the identical VPC and choose an acceptable Availability Zone in your workload necessities. Configure the occasion with the community settings proven within the following record, ensuring you choose the identical VPC and be aware the chosen subnet for VPC endpoint configuration:

• VPC – Choose your goal VPC
• Subnet – Select a personal subnet for enhanced safety (be aware this subnet for VPC endpoint configuration)
• Safety group – Connect the EC2 safety group (ec2-agent-sg) you created within the earlier steps
• IAM position – Configure an IAM position with obligatory permissions for Amazon Bedrock and AgentCore Gateway entry
• Occasion kind – Select an acceptable occasion kind primarily based in your agent workload necessities

Bear in mind the chosen subnet since you’ll must configure the VPC endpoint in the identical subnet to facilitate optimum community routing and minimal latency. These configurations are proven within the following screenshot.

Create an interface VPC endpoint

Create an interface VPC endpoint utilizing Amazon Digital Non-public Cloud (Amazon VPC) that robotically makes use of AWS PrivateLink know-how, enabling safe communication out of your EC2 occasion to AgentCore Gateway with out traversing the general public web. Comply with these steps:

1. Navigate to the Amazon VPC console and select Endpoints within the navigation pane underneath the PrivateLink and Lattice part.
2. Select Create endpoint.
3. For Identify tag, enter a descriptive title (for instance, vpce-agentcore-gateway).
4. For Service class, select AWS companies.
5. For Providers, seek for and select com.amazonaws..bedrock-agentcore.gateway (change along with your precise AWS Area).

These settings are proven within the following screenshot.

6. Set the VPC to the identical VPC you’ve been working with all through this setup.
7. Choose Allow DNS title to permit entry to the AgentCore Gateway utilizing its default area title, which simplifies utility configuration and maintains compatibility with current code.
8. Specify the subnet the place the EC2 occasion is operating to keep up optimum community routing and minimal latency, as proven within the following screenshot.

9. Set the safety group to the VPC endpoint safety group (vpce-agentcore-sg) you created earlier to manage entry to the endpoint.
10. For preliminary testing, go away the coverage set to Full entry to permit brokers inside your VPC to speak with AgentCore Gateway in your AWS account. In manufacturing environments, implement extra restrictive insurance policies primarily based on the precept of least privilege.

After you create the endpoint, it’s going to take roughly 2–5 minutes to grow to be accessible. You’ll be able to monitor the standing on the Amazon VPC console, and when it exhibits as Accessible, you may proceed with testing the connection.

Take a look at the connection

Log in to the EC2 occasion to carry out following the checks.

Verify visitors movement over an interface VPC endpoint

To verify the visitors movement by the Amazon Bedrock AgentCore Gateway endpoint, test the IP deal with of the supply useful resource that connects to the AgentCore Gateway endpoint. Whenever you arrange an interface VPC endpoint, AWS deploys an elastic community interface with a personal IP deal with within the subnet. This deployment permits communication with AgentCore Gateway from assets throughout the Amazon VPC and on-premises assets that connect with the interface VPC endpoint by AWS Direct Join or AWS Web site-to-Web site VPN. It additionally permits communication with assets in different Amazon VPC endpoints if you use centralized interface VPC endpoint structure patterns.

Verify whether or not you turned on non-public DNS for the AgentCore Gateway endpoint. Should you activate non-public DNS, then AgentCore Gateway endpoints resolve to the non-public endpoint IP addresses. For AgentCore Gateway, enabling non-public DNS means your brokers can proceed utilizing the usual gateway endpoint URL whereas benefiting from non-public community routing by the VPC endpoint.

Earlier than VPC interface endpoint, as proven within the following instance, the DNS resolves to a public IP deal with for AgentCore Gateway endpoint:

nslookup gateway.bedrock-agentcoreamazonaws.com

Non-authoritative reply:
Identify: gateway.bedrock-agentcore..amazonaws.com
Handle: 52.86.152.150

After VPC interface endpoint creation with non-public DNS decision, as proven within the following instance, the DNS resolves to non-public IP deal with from the CIDR vary of the subnet of the VPC through which the VPC endpoint was created.

nslookup .gateway.bedrock-agentcore..amazonaws.com

Non-authoritative reply:
Identify: .gateway.bedrock-agentcore..amazonaws.com
Handle: 172.31.91.174

When you choose Allow DNS title for AgentCore Gateway VPC interface endpoints, by default AWS activates the Allow non-public DNS just for inbound endpoints choice.

Non-public DNS enabled (cURL) (advisable)

When non-public DNS is enabled, your functions can seamlessly use the usual gateway URL endpoint within the format https://{gateway-id}.gateway.bedrock-agentcore.{area}.amazonaws.com whereas visitors robotically routes by the VPC endpoint.

The next is a pattern cURL request to be executed from a useful resource throughout the VPC. The command sends a JSON-RPC POST request to retrieve accessible instruments from the AgentCore Gateway:

curl -sS -i -X POST https://.gateway.bedrock-agentcore..amazonaws.com/mcp 
--header 'Content material-Kind: utility/json'  
--header "Authorization: Bearer $TOKEN"  
--data '{
"jsonrpc": "2.0",
"id": "'"$UNIQUE_ID"'",
"technique": "instruments/record",
"params": {}
}' 

This cURL command sends a JSON-RPC 2.0 POST request to the AgentCore Gateway MCP endpoint to retrieve an inventory of obtainable instruments. It makes use of bearer token authentication and contains response headers within the output, calling the instruments/record technique to find what instruments are accessible by the gateway.

Non-public DNS disabled (Python)

When Non-public DNS is disabled, you may’t entry the gateway immediately by the usual AgentCore Gateway endpoint. As a substitute, you have to route visitors by the VPC DNS title proven within the following screenshot and embrace the unique gateway area title within the Host header.

curl -sS -i -X POST https:///mcp 
  --header 'Host: .gateway.bedrock-agentcore..amazonaws.com 
  --header 'Content material-Kind: utility/json' 
  --header "Authorization: Bearer $TOKEN" 
  --data '{
    "jsonrpc": "2.0",
    "id": "'$UNIQUE_ID'",
    "technique": "instruments/record",
    "params": {}
  }'

The next steps under stroll by executing a Python script that makes use of the Host header:

1. Entry your EC2 occasion. Log in to your EC2 occasion that has entry to the VPC endpoint.
2. Configure the required surroundings variables for the connection:
3. GATEWAY_URL – The VPC endpoint URL used to entry the AgentCore Gateway by your non-public community connection
4. TOKEN – Your authentication bearer token for accessing the gateway
5. GATEWAY_HOST – The unique AgentCore Gateway area title that should be included within the Host header when Non-public DNS is disabled

For instance:

export GATEWAY_URL=https://.gateway.bedrock-agentcore.ap-southeast-2.vpce.amazonaws.com/mcp
export TOKEN=
export GATEWAY_HOST=.gateway.bedrock-agentcore.ap-southeast-2.amazonaws.com

6. Create and execute the check script.
   1. Copy the next Python code right into a file named agent.py. This code checks the AgentCore Gateway workflow by discovering accessible instruments, making a Strands Agent with the instruments, after which testing each conversational interactions (instrument itemizing and climate queries) and direct MCP instrument calls. Copy the code:

from strands.fashions import BedrockModel
from mcp.consumer.streamable_http import streamablehttp_client
from strands.instruments.mcp.mcp_client import MCPClient
from strands import Agent
import logging
import os

# Learn authentication token and gateway URL from surroundings variables
token = os.getenv('TOKEN')
gatewayURL = os.getenv('GATEWAY_URL')  #vpc endpoint url
gatewayHost = os.getenv('GATEWAY_HOST') #area title of the agentcore gateway

def create_streamable_http_transport():
    """Create HTTP transport with correct authentication headers"""
    return streamablehttp_client(
        gatewayURL, 
        headers={
            "Authorization": f"Bearer {token}",
            "Host":gatewayHost
        }
    )
# Initialize MCP consumer with the transport
consumer = MCPClient(create_streamable_http_transport)

# Configure Bedrock mannequin - guarantee IAM credentials in ~/.aws/credentials have Bedrock entry
yourmodel = BedrockModel(
    model_id="amazon.nova-pro-v1:0",
    temperature=0.7,
)

# Configure logging for debugging and monitoring
logging.getLogger("strands").setLevel(logging.INFO)
logging.basicConfig(
    format="%(levelname)s | %(title)s | %(message)s",
    handlers=[logging.StreamHandler()]
)

# Take a look at the whole agent workflow
with consumer:
    targetname="TestGatewayTarget36cb2ebf"
    
    # Listing accessible instruments from the MCP server
    instruments = consumer.list_tools_sync()
    
    # Create an Agent with the mannequin and accessible instruments
    agent = Agent(mannequin=yourmodel, instruments=instruments)
    print(f"Instruments loaded within the agent: {agent.tool_names}")
    
    # Take a look at agent with a easy question to record accessible instruments
    response1 = agent("Hello, are you able to record all instruments accessible to you?")
    print(f"Agent response for instrument itemizing: {response1}")
    
    # Take a look at agent with a instrument invocation request
    response2 = agent("Get the present climate for Seattle and present me the precise response from the instrument")
    print(f"Agent response for climate question: {response2}")
    
    # Direct MCP instrument invocation for validation
    end result = consumer.call_tool_sync(
        tool_use_id="get-weather-seattle-call-1",  # Distinctive identifier for this name
        title=f"{targetname}___get_weather",  # Software title format for Lambda targets
        arguments={"location": "Seattle"}
    )
    print(f"Direct MCP instrument response: {end result}")

7. Invoke the script utilizing the next command:

python3 agent.py

Superior configuration: VPC endpoint entry insurance policies

A VPC endpoint coverage is a resource-based coverage that controls entry to AWS companies by the endpoint. In contrast to identity-based insurance policies, endpoint insurance policies present an extra layer of entry management on the community degree. You’ll be able to configure entry insurance policies for AgentCore Gateway VPC endpoints with particular concerns.When creating endpoint insurance policies for AgentCore Gateway, think about these key components:

• Principal configuration – The Principal discipline can’t be modified as a result of AgentCore Gateway doesn’t use IAM for authentication. Authentication is dealt with by bearer tokens slightly than IAM principals.
• Useful resource specification – Clearly outline the Useful resource discipline if you wish to limit entry to particular gateway endpoints. Use the total Amazon Useful resource Identify (ARN) format to focus on explicit gateways inside your account as proven within the following pattern coverage construction.
• Motion permissions – For the Motion discipline, keep away from specifying management airplane operations. Use a wildcard (*) to permit the mandatory knowledge airplane operations for gateway performance.

Here’s a pattern coverage construction:

{
"Model": "2012-10-17",
"Assertion": [
{
"Principal": "*",
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:bedrock-agentcore:::gateway/"
}
]
}

When the VPC endpoint coverage blocks a request, you will note error responses equivalent to:

{"jsonrpc":"2.0","id":2,"error":{"code":-32002,"message":"Authorization error - Inadequate permissions"}}

Coverage caching conduct

AgentCore Gateway implements a caching mechanism for entry insurance policies that introduces a delay of as much as quarter-hour earlier than coverage modifications take impact. Though this caching considerably improves gateway efficiency, it signifies that coverage modifications may not be instantly mirrored in entry controls. To work successfully with this conduct, it’s best to enable not less than quarter-hour for coverage modifications to totally propagate all through the system after making updates. When doable, schedule coverage modifications throughout deliberate upkeep home windows to attenuate operational impression. At all times check coverage modifications in nonproduction environments earlier than making use of them to manufacturing gateways and issue within the caching delay when diagnosing access-related points to keep away from untimely troubleshooting efforts.

Superior patterns

In a shared gateway, a number of brokers sample, a number of brokers from totally different companies entry a single centralized gateway by a shared VPC endpoint, simplifying community structure whereas sustaining safety by token-based authentication. This sample is illustrated within the following diagram.

In a multi-gateway, multi-agent sample, which is proven within the following diagram, a number of brokers throughout totally different functions entry a number of specialised gateways by devoted VPC endpoints, offering most safety isolation with entry management per gateway.

In a cross-VPC gateway entry sample, proven within the following diagram, brokers in a number of VPCs can entry AgentCore Gateway by VPC peering or AWS Transit Gateway connections, permitting centralized gateway entry throughout community boundaries whereas sustaining isolation.

In a hybrid cloud gateway sample, on-premises brokers can entry cloud-based gateways by VPC endpoints with non-public DNS disabled, enabling hybrid cloud deployments by Direct Join or VPN connections. The next diagram illustrates this sample.

Clear up

To keep away from ongoing prices and preserve good useful resource hygiene, clear up your assets by finishing the next steps so as:Delete the EC2 occasion:

1. Navigate to the Amazon EC2 console and choose your check occasion
2. Select Occasion state and Cease occasion, then anticipate it to cease
3. Select Occasion state and Terminate occasion to completely delete the occasion

Delete the VPC endpoint:

4. Navigate to the Amazon VPC console and select Endpoints
5. Choose the VPC endpoint (vpce-agentcore-gateway) you created
6. Select Actions and Delete VPC endpoints
7. Affirm the deletion

Delete the safety teams:

8. Navigate to the Amazon EC2 console and select Safety teams
9. Choose the EC2 safety group (ec2-agent-sg) you created
10. Select Actions and Delete safety teams
11. Repeat for the VPC endpoint safety group (vpce-agentcore-sg)

Conclusion

On this publish, we demonstrated learn how to set up safe, non-public connectivity between VPC-hosted assets and Amazon Bedrock AgentCore Gateway utilizing VPC interface endpoints and AWS PrivateLink. This structure delivers complete advantages for enterprise agentic AI deployments by implementing networks which might be remoted from the web, offering enhanced safety by devoted non-public community paths. The answer implements a sturdy knowledge perimeter by VPC endpoint insurance policies, which create granular entry controls that set up strict knowledge boundaries round your AI assets. Moreover, the structure permits non-public connectivity to Gateway endpoints for on-premises environments, supporting distributed AI architectures that span cloud and on-premises infrastructure. For organizations deploying autonomous AI techniques at scale, implementing VPC interface endpoints creates the safe networking basis obligatory for environment friendly agent operations whereas delivering lowered latency by optimized community paths. This enterprise-grade method helps allow your agentic AI functions to realize improved efficiency and lowered response instances whereas assembly safety and compliance necessities.

To be taught extra about implementing these patterns and finest practices, go to the Amazon Bedrock documentation and AWS PrivateLink documentation for complete steerage on AI deployments.

Concerning the authors

Dhawal Patel is a Principal Machine Studying Architect at Amazon Internet Providers (AWS). He has labored with organizations starting from massive enterprises to midsized startups on issues associated to distributed computing and AI. He focuses on deep studying, together with pure language processing (NLP) and laptop imaginative and prescient domains. He helps clients obtain high-performance mannequin inference on Amazon SageMaker.

Sindhura Palakodety is a Senior Options Architect at Amazon Internet Providers (AWS) and Single-Threaded Chief (STL) for ISV Generative AI, the place she is devoted to empowering clients in creating enterprise-scale, Properly-Architected options. She makes a speciality of generative AI and knowledge analytics domains, enabling organizations to leverage progressive applied sciences for transformative enterprise outcomes.

Thomas Mathew Veppumthara is a Sr. Software program Engineer at Amazon Internet Providers (AWS) with Amazon Bedrock AgentCore. He has earlier generative AI management expertise in Amazon Bedrock Brokers and almost a decade of distributed techniques experience throughout Amazon eCommerce Providers and Amazon Elastic Block Retailer (Amazon EBS). He holds a number of patents in distributed techniques, storage, and generative AI applied sciences.

June Gained is a Principal Product Supervisor with Amazon SageMaker JumpStart. He focuses on making basis fashions (FMs) simply discoverable and usable to assist clients construct generative AI functions. His expertise at Amazon additionally contains cell procuring functions and last-mile supply.