Amazon Bedrock AgentCore Secures Traffic with AWS WAF

For practitioners deploying generative-AI agents, an internet-facing HTTP path that preserves authentication and inspection is essential to apply WAF rules, rate limits, and audit controls without breaking runtime authentication. According to an AWS blog post, the company documents two architecture patterns that integrate AWS WAF with Amazon Bedrock AgentCore Runtime by using an internet-facing Application Load Balancer (ALB) that routes traffic through a VPC Interface Endpoint to AgentCore. The post explains that ALB health checks fail by default because AgentCore requires authentication (SigV4 or OAuth), and it presents Pattern 1, which inserts a proxy (for request transformation) between the ALB and the VPC Endpoint, and Pattern 2, which targets VPC Endpoint ENI IPs directly from the ALB and uses a resource policy to block direct-access bypasses. The patterns were tested end-to-end with SigV4 and OAuth (Amazon Cognito JWT), per the blog.
Editorial analysis
This guidance matters because production-grade agent deployments need both real-time authenticated traffic and perimeter controls. Engineers responsible for reliability, security, and observability will find the patterns directly applicable to managed Bedrock AgentCore deployments, and the post surfaces a practical tradeoff between request transformation control and infrastructure simplicity.
What happened, per the AWS blog
AWS outlines two architecture patterns to put AWS WAF in front of Amazon Bedrock AgentCore Runtime while preserving authentication. Both patterns use an internet-facing ALB that passes requests to AgentCore through a VPC Interface Endpoint. The post notes that ALBs require unauthenticated health checks, but AgentCore requires authenticated API calls, so default ALB health checks fail. To address this, Pattern 1 places a proxy (for request transformation) between the ALB and the VPC Endpoint to perform request transformation and return healthy responses to the ALB. Pattern 2 configures the ALB to target the VPC Endpoint ENI IP addresses directly, removing the proxy hop, and adds a resource policy on the AgentCore endpoint to prevent direct-access bypasses. The blog states both patterns were tested end-to-end with SigV4 and OAuth (Amazon Cognito JWT).
Technical details from the post
The blog emphasizes that Amazon CloudFront caching is not suitable because agent invocations are dynamic, and that Amazon API Gateway can cause double-authentication with AgentCore's built-in SigV4/OAuth flows. The ALB integration is recommended because it preserves headers and supports VPC-internal routing and attachment of an AWS WAF WebACL. The post gives concrete configuration guidance for health-check behavior, request rewriting in the proxy pattern, targeting ENI IPs from the ALB, and applying a restrictive resource policy to close the "backdoor".
Industry context
Companies operating managed agent runtimes commonly confront the same tension between upstream inspection (WAF) and downstream authentication. Patterns that centralize transformation in a dedicated proxy trade added operational complexity for finer-grained control, while direct-target approaches reduce hops but require careful network and resource-policy configuration to avoid bypasses.
What to watch
Observers deploying Bedrock AgentCore should validate ALB health-check tooling against their authentication scheme, decide whether the operational overhead of a proxy is acceptable, and verify resource-policy coverage to ensure WAF is the single inspection point.
Key Points
- 1Bedrock AgentCore requires authenticated API calls, so standard ALB health checks fail without adaptation, forcing architectural workarounds.
- 2A proxy between ALB and VPC endpoint gives full request-transformation control but adds operational complexity and latency.
- 3Targeting VPC Endpoint ENI IPs simplifies the path but needs restrictive resource policies to prevent direct-access bypasses.
Scoring Rationale
Practical, deployable guidance for securing managed AgentCore runtimes affects engineers running production generative-AI services on AWS, but the content is a vendor how-to rather than a broader platform or research break-through.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems


