AI agents in production environments often need to reach internal APIs, databases, and private resources that sit behind Amazon Virtual Private Cloud (Amazon VPC) boundaries. Managing private connectivity for each agent-to-tool path adds operational overhead and slows deployment. Amazon Bedrock AgentCore VPC connectivity is designed to deploy AI agents and Model Context Protocol (MCP) servers without requiring the network traffic to be exposed to the public internet. This capability extends to managed Amazon VPC egress for Amazon Bedrock AgentCore Gateway, so you can connect to endpoints inside private networks across your AWS environment.
In this post, you will configure Amazon Bedrock AgentCore Gateway to access private endpoints using Resource Gateway, a managed construct that provisions Elastic Network Interfaces (ENIs) directly inside your Amazon VPC, one per subnet. You will explore two implementation modes (managed and self-managed) and walk through three practical scenarios: connecting to a private Amazon API Gateway endpoint, integrating with an MCP server on Amazon Elastic Kubernetes Service (Amazon EKS), and accessing a private REST API.
The following terms are used throughout this post. Review them before proceeding to understand how each component fits into the AgentCore Gateway VPC egress architecture.
Resource VPC: The Amazon VPC where your private resource lives, for example the VPC containing your privately hosted MCP server or API endpoint. This is the Amazon VPC that AgentCore Gateway needs to reach. The Resource VPC can be in the same AWS account as the AgentCore Gateway or in a different account.
AgentCore Gateway account: The AWS account where you create and manage your AgentCore Gateway resources. This account may or may not be the same account as the Resource VPC.
Resource Gateway: The Resource Gateway acts as the private entry point into your Resource VPC. When created, it provisions one ENI in each subnet that you specify, each sitting inside your VPC. Traffic from AgentCore Gateway to your private resource arrives through these ENIs.