VPC Endpoints for Bedrock
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Securing Generative AI with VPC Endpoints for Amazon Bedrock
Introduction: The Imperative of Private Connectivity
In the modern enterprise, the adoption of generative AI is no longer a question of "if," but "how." As organizations integrate Large Language Models (LLMs) into their internal workflows, the primary concern shifts from innovation to security. When you use a managed service like Amazon Bedrock, your data is processed by high-performance models. However, by default, traffic between your private applications and the Bedrock API often traverses the public internet. While this traffic is encrypted in transit, many highly regulated industries—such as healthcare, finance, and government—require that data never leaves their private network boundary.
This is where Virtual Private Cloud (VPC) Endpoints come into play. A VPC Endpoint allows you to connect your VPC to supported AWS services, including Amazon Bedrock, privately. By using an interface endpoint powered by AWS PrivateLink, you can keep your data within the AWS network, effectively bypassing the public internet entirely. This lesson explores the technical architecture, implementation steps, and security governance required to deploy VPC endpoints for Bedrock, ensuring your AI initiatives meet the highest standards of data privacy.
Understanding the Architecture of PrivateLink
To understand why VPC endpoints are critical, we must first look at the traditional networking path. Without an endpoint, your application running on an Amazon EC2 instance or an Amazon ECS container must reach out to the Bedrock public API endpoint. Even though the request is encrypted via TLS, it must be routed through an Internet Gateway and across the public web. This creates a potential surface area for interception and introduces dependency on public routing tables.
AWS PrivateLink changes this paradigm by creating a direct, private connection. When you provision an Interface VPC Endpoint, AWS places an Elastic Network Interface (ENI) directly into your VPC subnets. This ENI is assigned a private IP address from your subnet's CIDR range. When your application makes a request to the Bedrock service, it addresses the request to this private IP address. The traffic then flows across the AWS backbone network, never touching the public internet.
Callout: The Difference Between Interface and Gateway Endpoints It is important to distinguish between the two types of VPC endpoints. Gateway Endpoints are used for Amazon S3 and DynamoDB, and they operate at the routing table level. Interface Endpoints, which are required for Amazon Bedrock, use PrivateLink technology to provide a private IP address within your VPC. This allows for more granular control, including the ability to access the service from on-premises networks connected via VPN or Direct Connect.
Prerequisites for Implementation
Before configuring VPC Endpoints for Bedrock, you must ensure your environment is prepared. If you attempt to configure connectivity without these prerequisites, your applications will likely face connectivity timeouts or DNS resolution errors.
- VPC and Subnet Configuration: You need a VPC with at least one subnet. For production environments, it is highly recommended to deploy the endpoint across multiple Availability Zones (AZs) to ensure high availability.
- Security Groups: You must define a security group that allows inbound traffic on port 443 (HTTPS) from your application resources. The endpoint itself acts as a destination, so your application's security group must have an outbound rule allowing traffic to the endpoint's security group.
- IAM Permissions: While the network path is secured via the endpoint, the service request itself must still be authorized via IAM. Ensure your application has the necessary
bedrock:*permissions assigned to its execution role. - DNS Settings: Your VPC must have
enableDnsSupportandenableDnsHostnamesset to true. This allows the AWS-provided DNS server to resolve the Bedrock service names to the private IP addresses of your endpoints.
Step-by-Step Implementation Guide
Implementing a VPC endpoint involves a few distinct phases: network configuration, endpoint creation, and verification. Follow these steps to secure your Bedrock traffic.
Step 1: Create the Security Group
First, create a security group for the VPC endpoint. This group will act as a firewall for the entry point of the Bedrock service.
- Inbound Rules: Allow HTTPS (Port 443) from the security group associated with your application servers (e.g., EC2, Lambda, or ECS).
- Outbound Rules: Usually, you can leave the default outbound rule (allow all), or restrict it to only the necessary traffic if your organization follows strict egress filtering.
Step 2: Provision the Interface Endpoint
Navigate to the VPC console in your AWS account and follow these steps:
- Select "Endpoints" from the sidebar and click "Create endpoint."
- Search for "bedrock" in the service category list. You will see several options (e.g.,
com.amazonaws.[region].bedrock-runtimeandcom.amazonaws.[region].bedrock). - Select the
bedrock-runtimeendpoint if you are primarily performing inference (callingInvokeModel). Select the basebedrockendpoint if you need to manage model provisioning or fine-tuning. - Select your VPC and the subnets where you want the endpoint ENIs to reside.
- Attach the security group you created in Step 1.
Step 3: Configure Endpoint Policies
By default, an endpoint allows full access to the service for any identity that has IAM permissions. However, you can attach an Endpoint Policy to restrict access further. This is a powerful governance tool. For example, you can create a policy that restricts access to specific Bedrock models.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "bedrock:InvokeModel",
"Resource": "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-v2"
}
]
}
Note: The endpoint policy does not replace IAM policies; it works in conjunction with them. Both the IAM identity policy and the VPC endpoint policy must allow the action for the request to succeed. If either denies the action, the request is blocked.
Troubleshooting Common Connectivity Issues
Even with careful configuration, you may encounter issues where your application cannot communicate with Bedrock. Below are the most common pitfalls and their solutions.
1. DNS Resolution Failures
If your application receives a "Connection Timed Out" or "Could not resolve host" error, the issue is often DNS-related. If you have "Private DNS" enabled on the endpoint, AWS automatically maps the public Bedrock API endpoint (e.g., bedrock-runtime.us-east-1.amazonaws.com) to the private IP of your endpoint. If you have disabled Private DNS, you must manually update your application code or local host files to point to the endpoint-specific DNS name provided by AWS.
2. Security Group Mismatches
A common mistake is forgetting that security groups are stateful. If your application server is in a different security group than the VPC endpoint, ensure that the endpoint's security group explicitly allows inbound traffic from the application's security group ID. Using security group IDs instead of IP ranges is a best practice, as it handles dynamic scaling of your application resources more effectively.
3. Missing IAM Permissions
Remember that networking is only half the battle. If your networking is perfectly configured, but the application execution role lacks the bedrock:InvokeModel permission, the request will be rejected with a 403 Forbidden error. Always check your CloudTrail logs to see if the request is being denied by the IAM policy or the VPC Endpoint policy.
Advanced Governance: Restricting Access with Endpoint Policies
In highly secure environments, simply having a private connection isn't enough. You may want to ensure that only specific users or applications can access Bedrock, or that they can only access specific models. Endpoint policies allow you to enforce these constraints at the network layer.
Consider a scenario where you want to prevent users from accessing unauthorized third-party models. You can define an endpoint policy that explicitly allows only the specific model ARNs you have approved for use. This adds a layer of defense-in-depth, protecting against accidental or malicious use of unauthorized models even if a user has broad IAM permissions.
Practical Example: Restricting by Model
The following JSON policy shows how to restrict access to only allow the use of Titan Text models, effectively blocking any attempts to invoke Claude or other models.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyTitanModels",
"Effect": "Allow",
"Principal": "*",
"Action": "bedrock:InvokeModel",
"Resource": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-*"
}
]
}
This policy is incredibly useful for compliance teams. By applying this at the VPC level, you ensure that no matter what code is deployed in the account, it cannot violate the model usage policy defined by the organization.
Integrating with On-Premises Networks
Many organizations operate in hybrid environments. If your application is running in an on-premises data center and needs to communicate with Amazon Bedrock, you can route that traffic through your AWS Direct Connect or Site-to-Site VPN.
Because the VPC endpoint provides a private IP address within your VPC, your on-premises DNS servers can resolve the Bedrock endpoint DNS name to that private IP. Once the traffic reaches your VPC via the VPN or Direct Connect, it is routed to the endpoint ENI. This ensures that sensitive data from your data center stays on private, dedicated connections all the way to the Bedrock service, satisfying strict data residency and security requirements.
Tip: When using on-premises connectivity, ensure your VPC route tables are correctly configured to propagate the routes for your on-premises network. Without proper routing, the return traffic from the VPC endpoint will not know how to find your on-premises gateway.
Best Practices for VPC Endpoints in Production
Maintaining a secure Bedrock environment requires consistent adherence to a set of best practices. Use this checklist to audit your current implementation:
- Multi-AZ Deployment: Always create endpoint network interfaces in at least two subnets across different Availability Zones. This prevents a single AZ outage from disabling your AI capabilities.
- Use Least Privilege Policies: Never use the default "Full Access" endpoint policy. Always define an explicit policy that limits access to the specific services and models your application requires.
- Enable VPC Flow Logs: VPC Flow Logs allow you to capture information about the IP traffic going to and from your endpoints. This is essential for auditing and identifying unauthorized access attempts.
- Monitor Endpoint Health: While AWS manages the endpoint, you should monitor your application logs for any connection failures. Integrate these logs with Amazon CloudWatch to trigger alerts when error rates spike.
- Centralized Governance: If you are using AWS Organizations, consider using Service Control Policies (SCPs) to mandate that all Bedrock traffic must pass through VPC endpoints, preventing developers from bypassing these controls.
Comparison: Public Access vs. VPC Endpoints
To visualize the security benefits, consider the following comparison of access methods.
| Feature | Public API Access | VPC Endpoint (PrivateLink) |
|---|---|---|
| Network Path | Public Internet | AWS Private Network |
| Traffic Exposure | Encrypted via TLS | Encrypted via TLS + Private Routing |
| Security Controls | IAM Only | IAM + VPC Endpoint Policy |
| Compliance | Suitable for general use | Suitable for HIPAA/PCI/FedRAMP |
| Connectivity | Requires Internet Gateway | Requires Private Routing/VPN/DX |
As the table shows, while public access is sufficient for prototyping or non-sensitive data, VPC Endpoints are the gold standard for enterprise-grade generative AI deployments.
Common Questions (FAQ)
Do I need a NAT Gateway if I use a VPC Endpoint?
No. If your only reason for having a NAT Gateway was to provide internet access to your instances so they could call the Bedrock API, you can remove the NAT Gateway entirely once the VPC Endpoint is configured. This not only improves security but also reduces your monthly AWS costs.
Can I access Bedrock from multiple VPCs?
Yes. You can use VPC Peering or AWS Transit Gateway to allow resources in one VPC to communicate with the VPC endpoint located in another VPC. This is a common pattern in "Hub and Spoke" networking architectures.
Does using a VPC endpoint impact the latency of my Bedrock calls?
Generally, no. The latency difference is negligible. In some cases, because the traffic is routed over the high-speed AWS backbone, it might even be slightly more consistent than routing through the public internet.
What happens if I delete my VPC endpoint?
If you delete the endpoint, your application will immediately lose connectivity to Bedrock. Any calls currently in progress will fail, and your application will need to be redeployed or reconfigured to use the public internet if you intend to revert to that method.
Summary and Key Takeaways
Securing your generative AI infrastructure is a fundamental requirement for long-term success. By leveraging VPC Endpoints for Amazon Bedrock, you move beyond basic encryption to a robust, private network architecture that keeps your data within your control.
Key Takeaways:
- Privacy by Design: VPC Endpoints ensure that your AI traffic never traverses the public internet, fulfilling the primary requirement for most high-compliance industries.
- Defense-in-Depth: Combining IAM policies with VPC Endpoint policies provides multiple layers of security, ensuring that only authorized identities can access authorized models.
- Network Simplification: By replacing NAT Gateways with VPC Endpoints for service-specific traffic, you reduce your exposure to the public internet and simplify your VPC routing architecture.
- Operational Resilience: Deploying endpoints across multiple Availability Zones ensures that your AI-powered applications remain highly available even during regional infrastructure events.
- Hybrid Connectivity: PrivateLink seamlessly extends your private network to your on-premises data centers, allowing for secure, private communication between your legacy systems and modern AI models.
- Continuous Monitoring: Always use VPC Flow Logs to maintain visibility into your network traffic, allowing you to detect anomalies or unauthorized attempts to reach your AI endpoints.
By following these guidelines and implementing the architectural patterns discussed, you can confidently integrate generative AI into your organization, knowing that your data remains private, secure, and fully governed. The transition from public to private connectivity is a significant step in maturing your AI operations, and it serves as a foundation for all future AI-driven initiatives.
Appendix: Implementation Checklist for Systems Administrators
If you are tasked with deploying this in your environment, use this final checklist to ensure nothing is missed:
- Identify Requirements: Determine which Bedrock models are needed and which VPCs require access.
- Plan Network CIDRs: Ensure your private subnets have enough IP space to accommodate the endpoint ENIs.
- Draft Endpoint Policy: Create a JSON policy that follows the principle of least privilege.
- Create Security Groups: Define the ingress rules based on the specific CIDR of your application tier.
- Deploy via IaC: Use Terraform or AWS CloudFormation to define your VPC Endpoints. This ensures that your network configuration is repeatable and version-controlled.
- Validation Test: Use a test instance to perform a
curlor SDK call to the Bedrock API and verify that it returns a response while the instance has no route to the internet. - Audit Logs: Verify that the calls are appearing in your CloudTrail logs and that the
sourceIPAddressreflects the internal private IP of your VPC endpoint.
By treating network security as a first-class citizen in your AI development lifecycle, you protect your organization from the risks associated with public data exposure and create a scalable, compliant, and reliable environment for innovation. Remember that as Bedrock evolves and new features are added, you should periodically review your endpoint policies to ensure they remain aligned with your evolving security posture.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons