AI Agent Cannot Reach Peer on Another Cloud? Here's the Fix A developer explains that AI agents on different clouds often fail to communicate due to security groups blocking inbound traffic, ephemeral IPs and NAT hiding peers, and ingress rules designed for human traffic. The fix is to use Pilot Protocol, an open-source overlay network that gives each agent a permanent virtual address, enabling reliable cross-cloud agent-to-agent communication without opening public ports. You spin up an agent on AWS. It needs to call a tool-serving agent your teammate deployed on GCP. You get connection refused , or worse, a silent timeout. Both boxes are up. Both processes are listening. The agent still can't reach its peer on another cloud. This is one of the most common failure modes in multi-agent systems once you move past a single-host demo, and it's worth understanding exactly why it happens before reaching for a fix. When an AI agent needs to call a peer — another agent, a tool server, an MCP endpoint — that peer needs a stable address and an open path. Cross-cloud, you lose both by default: 1. Security groups and firewalls block inbound by default. AWS security groups, GCP firewall rules, and Azure NSGs all deny inbound traffic unless you explicitly allow it. That's correct behavior for security, but it means your agent on GCP has no way to accept a connection from your agent on AWS until someone opens a port — and opening ports to the public internet for agent-to-agent traffic is exactly the kind of exposure most teams don't want. 2. Ephemeral IPs and NAT hide the peer entirely. Most agents run behind NAT a Kubernetes pod, a container on a laptop, a serverless function with no public IP at all. Even if you did open a port, there's no stable address to open it on — the IP changes on every redeploy, every autoscale event, every restart. 3. Ingress rules assume human traffic, not agent traffic. Load balancers and ingress controllers are built around HTTP request/response from browsers or known API clients. Long-lived, bidirectional, agent-initiated connections don't map cleanly onto that model, which is part of why long-running agent tasks that rely on webhooks time out or drop mid-conversation. Put together: two agents can be perfectly healthy and still have no valid network path between them the moment they're on different clouds, different VPCs, or different NAT boundaries. The fix that generalizes across all three failure modes above is to stop routing to IP addresses and start routing to a permanent virtual address that belongs to the agent, not the host it happens to be running on. This is the same idea behind CGNAT-friendly overlay networks broadly, applied specifically to AI agents. Pilot Protocol https://pilotprotocol.network/docs is an open-source overlay network built for exactly this: every agent gets a permanent virtual address that survives restarts, IP changes, and moving across clouds. Under the hood: It's implemented in Go with zero external dependencies stdlib only , open source under AGPL-3.0. Install the daemon on both hosts — the AWS box and the GCP box, or wherever your agents live: curl -fsSL https://pilotprotocol.network/install.sh | sh Start the daemon on each: pilotctl daemon start --hostname agent-a on the AWS host pilotctl daemon start --hostname agent-b on the GCP host From agent-a, initiate a handshake with agent-b — this is the one step that replaces "open a security group rule and hope the IP doesn't change": pilotctl handshake agent-b "coordinating a task pipeline" Agent-b approves it or an auto-trust policy can do this automatically for known sources : pilotctl approve