Configuring Amazon Bedrock AgentCore Gateway for secure access to private resources

Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cloud Computing & IT Infrastructure · Depth: Intermediate, long

Summary

Amazon Bedrock AgentCore Gateway now offers VPC connectivity, enabling AI agents to securely access private resources like internal APIs, databases, and Model Context Protocol (MCP) servers within Amazon Virtual Private Cloud (Amazon VPC) boundaries without public internet exposure. This feature uses Resource Gateway, a managed construct that provisions Elastic Network Interfaces (ENIs) directly inside your Amazon VPC. The system supports two implementation modes: "managed VPC resource", where AgentCore Gateway handles Resource Gateway creation and management, and "self-managed Lattice resource", which gives users full control over the Resource Gateway lifecycle and cross-account connectivity via AWS Resource Access Manager (AWS RAM). The post details configuration for connecting to private Amazon API Gateway endpoints, MCP servers on Amazon Elastic Kubernetes Service (Amazon EKS), and generic private REST APIs, primarily focusing on the managed mode.

Key takeaway

For AI Architects and MLOps Engineers deploying AI agents that require access to private AWS resources, Amazon Bedrock AgentCore Gateway's VPC egress capability simplifies secure connectivity. Evaluate whether the streamlined setup of "managed VPC resource" mode or the granular control and cross-account support of "self-managed Lattice resource" mode best fits your network architecture and governance needs. The capability eliminates the operational overhead of exposing internal APIs or configuring complex network paths for each agent-to-tool interaction.

Key insights

Amazon Bedrock AgentCore Gateway provides secure, private connectivity for AI agents to internal AWS resources.

Method

Configure AgentCore Gateway with a Resource Gateway (managed or self-managed) to provision ENIs in your VPC, routing agent traffic to private endpoints via defined security groups and resource configurations.

Best for: AI Engineer, MLOps Engineer, AI Architect

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.