Configuring Amazon Bedrock AgentCore Gateway for secure access to private resources

This article explains how to configure Amazon Bedrock AgentCore Gateway for secure access to private resources using VPC connectivity without exposing traffic to the public internet.

• AgentCore Gateway supports two VPC egress modes: managed and self-managed Lattice resource
• Managed mode: AgentCore creates and manages Resource Gateway; simpler setup, less control
• Self-managed mode: You create Resource Gateway; more control, cross-account support via AWS RAM
• Resource Gateway provisions ENIs in your VPC subnets to route traffic securely
• Three practical scenarios: private API Gateway, MCP server on EKS, private REST API
• Managed mode requires VPC ID, subnet IDs, and security group IDs in CreateGatewayTarget call
• Traffic flows through Resource Gateway ENIs governed by security group rules
• Self-managed mode offers visibility, governance, and granular access revocation capabilities

AgentCore Gateway VPC egress enables AI agents to securely access internal APIs, databases, and MCP servers without internet exposure, with choice between simplified managed setup or controlled self-managed deployment.