# Amazon Bedrock AgentCore Gateway Supports Private Connectivity Patterns

> Source: <https://letsdatascience.com/news/amazon-bedrock-agentcore-gateway-supports-private-connectivi-ed262dd0>
> Published: 2026-06-03 19:55:46.237277+00:00

AWS published a technical blog post that describes four private connectivity patterns for **Amazon Bedrock AgentCore Gateway** targets, aimed at keeping traffic off the public internet for compliance and auditability, according to the post on the AWS Networking and Content Delivery blog. The patterns cover connecting **MCP servers** via Amazon VPC Lattice (managed and self-managed modes), exposing REST API targets through private endpoints, using interface VPC endpoints (AWS PrivateLink), and attaching AWS targets via Elastic Network Interfaces, per the blog. The AWS documentation for AgentCore notes three PrivateLink endpoints, `com.amazonaws.region.bedrock-agentcore`, `com.amazonaws.region.bedrock-agentcore-control`, and `com.amazonaws.region.bedrock-agentcore.gateway`, and lists which AgentCore primitives are supported over PrivateLink. AWS community posts and deployment guides illustrate common practitioner tradeoffs such as NAT Gateway versus VPC endpoints for outbound access.

### What happened

AWS published a technical blog post titled "Private connectivity patterns for Amazon Bedrock AgentCore Gateway Targets" that walks engineers through four approaches to keep AgentCore Gateway traffic off the public internet, with examples and architecture diagrams, according to the AWS Networking and Content Delivery blog. The post enumerates patterns for connecting **MCP servers**, REST API targets (via private endpoints), targets reachable through VPC Lattice, and AWS targets using **Elastic Network Interfaces (ENIs)**, per the blog.

### Technical details

The AWS documentation for AgentCore describes using interface VPC endpoints (AWS PrivateLink) to create private connections between a VPC and AgentCore, allowing access "without the use of an internet gateway, NAT device, VPN connection, or Direct Connect connection," according to the AgentCore VPC interface endpoints doc. The docs list three PrivateLink endpoints: **data plane** `com.amazonaws.region.bedrock-agentcore`, **control plane** `com.amazonaws.region.bedrock-agentcore-control`, and **gateway** `com.amazonaws.region.bedrock-agentcore.gateway`. The docs also include a compatibility table showing which AgentCore primitives are supported over the data and control plane endpoints, including a note that **Evaluations** are "Not yet supported" on the data plane, per the same documentation.

### Architecture notes from the AWS blog

The blog explains two Amazon VPC Lattice deployment modes for MCP server integration: a **managed** Lattice option where AgentCore Gateway provisions and manages Lattice resources on your behalf, and a **self-managed** option that the user controls, per the blog post. The AWS step-by-step guide on deploying AgentCore Runtime in a VPC provides a companion perspective on VPC design choices such as using a NAT Gateway for outbound internet access versus relying on VPC endpoints when only AWS service access is required, per the builder tutorial.

### Industry context

Editorial analysis: Companies building agentic workflows and platform teams commonly require private connectivity to reduce compliance scope and centralize auditing. Industry-pattern observations: Practitioners typically weigh three tradeoffs when choosing a pattern: ease of configuration (managed constructs like VPC Lattice), granular API-level control (PrivateLink interface endpoints), and full network-level attachment (ENIs) when low-latency or native VPC presence is needed.

### What to watch

Editorial analysis: Observers should monitor region availability of the AgentCore PrivateLink endpoints and the evolving compatibility matrix in AWS docs (for example, the current note that Evaluations are not supported on the data plane). Platform engineers will also watch for documentation or tooling that simplifies cross-account Lattice or PrivateLink policies, since the blog notes cross-account connectivity scenarios in the managed Lattice discussion. Community Q&A threads and deployment walkthroughs can reveal operational gotchas such as how to expose private OpenAPI schemas to Gateway targets; community posts referenced in AWS forums and third-party guides highlight differing approaches and tradeoffs.

### For practitioners

Editorial analysis: When designing private connectivity for agentic workloads, teams should treat the AWS blog and AgentCore docs as primary references for supported primitives and endpoint names, and validate support for specific AgentCore primitives in their target region. Industry-pattern observations: Common patterns include combining PrivateLink for secure API traffic with VPC Lattice for service routing and using ENIs when agents must appear as native VPC workloads. These patterns affect networking, IAM endpoint policies, and authentication flows (the docs note differences in how VPC endpoint policies interact with SigV4 versus OAuth-based requests).
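The endpoint names, the NAT-versus-endpoint tradeoff and the endpoint-policy point above can be checked together in one audit pass. The following is an added example, not code from AWS or from the original article: it assumes records shaped like the JSON returned by `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables`, and the function name, VPC and resource IDs, account number and role ARN are constructed for illustration.

```python
import json

# Service-name suffixes listed on this page, appended to "com.amazonaws.<region>.".
AGENTCORE = {"data plane": "bedrock-agentcore",
             "control plane": "bedrock-agentcore-control",
             "gateway": "bedrock-agentcore.gateway"}
FULL_ACCESS = {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}

def audit_vpc(region, vpc_id, endpoints, route_tables):
    """Return sorted findings for one VPC from describe-* style records."""
    findings = []
    by_service = {e["ServiceName"]: e for e in endpoints
                  if e.get("VpcId") == vpc_id and e.get("VpcEndpointType") == "Interface"}
    for role, suffix in AGENTCORE.items():
        ep = by_service.get(f"com.amazonaws.{region}.{suffix}")
        if ep is None:
            findings.append(f"{role}: no interface endpoint")
            continue
        if ep.get("State") != "available":
            findings.append(f"{role}: state is {ep.get('State')}")
        if not ep.get("PrivateDnsEnabled"):
            # Without private DNS the default service hostname keeps resolving publicly.
            findings.append(f"{role}: private DNS disabled")
        stmts = json.loads(ep.get("PolicyDocument") or "{}").get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        if any(all(s.get(k) == v for k, v in FULL_ACCESS.items()) for s in stmts):
            findings.append(f"{role}: full-access endpoint policy")
    for rt in route_tables:
        for r in rt.get("Routes", []) if rt.get("VpcId") == vpc_id else []:
            egress = r.get("NatGatewayId") or str(r.get("GatewayId", "")).startswith("igw-")
            if r.get("DestinationCidrBlock") == "0.0.0.0/0" and egress:
                findings.append(f"{rt['RouteTableId']}: default route to internet egress")
    return sorted(findings)

# Constructed sample records (not real resources): data plane endpoint with the
# full-access policy, gateway endpoint without private DNS, no control plane endpoint.
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0example", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.bedrock-agentcore",
     "PrivateDnsEnabled": True, "PolicyDocument": json.dumps({"Statement": [FULL_ACCESS]})},
    {"VpcId": "vpc-0example", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.bedrock-agentcore.gateway",
     "PrivateDnsEnabled": False, "PolicyDocument": json.dumps({"Statement": [
         {**FULL_ACCESS, "Principal": {"AWS": "arn:aws:iam::111122223333:role/example"}}]})},
]
SAMPLE_ROUTE_TABLES = [{"VpcId": "vpc-0example", "RouteTableId": "rtb-0example", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}]
if __name__ == "__main__":
    print("\n".join(audit_vpc("us-east-1", "vpc-0example", SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES)))
```

A default route to a NAT or internet gateway is reported for review rather than as a failure, since some workloads legitimately need outbound internet access alongside the private endpoints.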

## Scoring Rationale

This is a notable infrastructure update for platform and cloud engineers building agentic workloads because it documents supported private connectivity options and endpoint names. The story is practical rather than groundbreaking, so it rates as notable but not industry-shaking. Recent publication timing reduces the score slightly.
