Amazon Bedrock AgentCore Gateway Supports Private Connectivity Patterns

AWS has published technical guidance describing how to keep traffic to Amazon Bedrock AgentCore Gateway targets off the public internet for compliance and auditability. According to AWS machine learning and networking blog posts and the AgentCore documentation, the approaches include connecting resources through Amazon VPC Lattice in managed and self-managed modes, reaching REST API targets via private endpoints, using interface VPC endpoints (AWS PrivateLink), and attaching AWS targets through Elastic Network Interfaces. The AgentCore docs list three PrivateLink endpoints for the data plane, control plane, and gateway, and provide a compatibility matrix showing which AgentCore primitives are supported over each, noting some, such as Evaluations, are not yet supported on the data plane. AWS community guides add practitioner tradeoffs, such as choosing between NAT gateways and VPC endpoints for outbound access.
What happened
AWS has published technical guidance, across machine learning and networking blog posts and the Amazon Bedrock AgentCore documentation, on keeping traffic to AgentCore Gateway targets off the public internet for compliance and auditability. The guidance covers connecting resources via Amazon VPC Lattice, reaching REST API targets through private endpoints, using interface VPC endpoints (AWS PrivateLink), and attaching AWS targets through Elastic Network Interfaces.
Technical details
The AgentCore documentation describes using interface VPC endpoints to create private connections between a VPC and AgentCore "without the use of an internet gateway, NAT device, VPN connection, or Direct Connect connection." It lists three PrivateLink endpoints: data plane com.amazonaws.region.bedrock-agentcore, control plane com.amazonaws.region.bedrock-agentcore-control, and gateway com.amazonaws.region.bedrock-agentcore.gateway. A compatibility table shows which primitives are supported over each endpoint, including a note that Evaluations are not yet supported on the data plane.
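An added example (not from AWS or the AgentCore documentation): a Python check over the JSON returned by `aws ec2 describe-vpc-endpoints` that reports which of the three endpoints listed above a given VPC lacks or has misconfigured. The VPC IDs, region and sample records are constructed, and treating disabled private DNS as a finding is an assumption of this example.

```python
import json

# Service-name suffixes as listed in the AgentCore documentation quoted above.
AGENTCORE_SERVICES = {
    "data plane": "bedrock-agentcore",
    "control plane": "bedrock-agentcore-control",
    "gateway": "bedrock-agentcore.gateway",
}

def endpoint_problems(ep):
    """List the reasons one endpoint record cannot carry private traffic."""
    problems = []
    if ep.get("VpcEndpointType") != "Interface":
        problems.append("not an interface endpoint")
    if ep.get("State") != "available":
        problems.append(f"state is {ep.get('State')}")
    if not ep.get("PrivateDnsEnabled"):
        # Assumption of this example: callers use the default service hostname,
        # which only resolves to the endpoint when private DNS is enabled.
        problems.append("private DNS disabled")
    return problems

def audit_agentcore_endpoints(describe_output, vpc_id, region):
    """Map each plane to 'ok', 'missing', or the problems found in vpc_id."""
    findings = {}
    for plane, suffix in AGENTCORE_SERVICES.items():
        # Exact match: the data-plane name is a prefix of the other two.
        service = f"com.amazonaws.{region}.{suffix}"
        matches = [ep for ep in describe_output.get("VpcEndpoints", [])
                   if ep.get("VpcId") == vpc_id and ep.get("ServiceName") == service]
        if not matches:
            findings[plane] = "missing"
        elif any(not endpoint_problems(ep) for ep in matches):
            findings[plane] = "ok"
        else:
            findings[plane] = "; ".join(endpoint_problems(matches[0]))
    return findings

# Constructed sample in the shape of DescribeVpcEndpoints output (not real data).
SAMPLE = json.loads("""{"VpcEndpoints": [
 {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.bedrock-agentcore",
  "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": true},
 {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.bedrock-agentcore-control",
  "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": false},
 {"VpcId": "vpc-0other", "ServiceName": "com.amazonaws.us-east-1.bedrock-agentcore.gateway",
  "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": true}]}""")

if __name__ == "__main__":
    print(audit_agentcore_endpoints(SAMPLE, "vpc-0example", "us-east-1"))
```

The gateway endpoint in the sample belongs to a different VPC, so it is reported as missing for the audited one.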
Connectivity patterns
AWS describes two VPC Lattice modes for integrating MCP servers: a managed option where AgentCore provisions and manages Lattice resources, and a self-managed option that the customer controls for added governance and visibility. AWS deployment guides add companion design choices, such as whether to use a NAT gateway for outbound internet access or rely on VPC endpoints when only AWS service access is required.
Editorial analysis
Platform teams building agentic workloads commonly require private connectivity to reduce compliance scope and centralize auditing. The typical tradeoffs are ease of configuration (managed VPC Lattice), granular API-level control (PrivateLink), and full network-level attachment (ENIs) for low-latency or native VPC presence. Region availability of the PrivateLink endpoints and the evolving compatibility matrix are worth tracking before standardizing on a pattern.
Key Points
- AWS documents multiple private-connectivity options for Bedrock AgentCore Gateway, spanning VPC Lattice (managed and self-managed), private REST API endpoints, PrivateLink interface endpoints, and ENI attachment.
- The AgentCore docs define three PrivateLink endpoints (data plane, control plane, gateway) and a compatibility matrix, noting some primitives such as Evaluations are not yet supported on the data plane.
- Editorial analysis (generic industry): teams typically combine PrivateLink for secure API traffic with VPC Lattice for routing, and ENIs when agents must appear as native VPC workloads.
Scoring Rationale
This is a useful infrastructure reference for platform and cloud engineers building agentic workloads on AWS, documenting supported private-connectivity options, endpoint names, and a compatibility matrix. It is practical implementation guidance rather than a new product or research result, so it rates as notable but not industry-shaking.
