
AWS Bedrock private endpoints

Quick answer
Use AWS Bedrock private endpoints to access Bedrock models securely within your VPC by configuring AWS PrivateLink. This enables private network traffic between your VPC and Bedrock without traversing the public internet, enhancing security and compliance.

PREREQUISITES

  • AWS CLI installed and configured
  • AWS account with Bedrock access
  • VPC with private subnets
  • IAM permissions for Bedrock and VPC endpoint management

Setup AWS Bedrock private endpoint

To securely access AWS Bedrock models from inside your VPC, create an interface VPC endpoint (AWS PrivateLink) for the `bedrock-runtime` service, which carries the model-invocation APIs; the separate `bedrock` service endpoint covers only control-plane calls such as listing models. This gives private connectivity to the Bedrock APIs without using the public internet.

Ensure your VPC has private subnets and proper route tables configured.

```bash
aws ec2 create-vpc-endpoint \
    --vpc-id vpc-0123456789abcdef0 \
    --service-name com.amazonaws.us-east-1.bedrock-runtime \
    --vpc-endpoint-type Interface \
    --subnet-ids subnet-0abc1234def567890 subnet-0def1234abc567890 \
    --security-group-ids sg-0123456789abcdef0 \
    --private-dns-enabled
```

Output (the endpoint starts in `pending` and moves to `available` once its network interfaces are provisioned):

```json
{
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-0abcd1234ef567890",
        "VpcId": "vpc-0123456789abcdef0",
        "ServiceName": "com.amazonaws.us-east-1.bedrock-runtime",
        "VpcEndpointType": "Interface",
        "State": "pending"
    }
}
```

Step by step usage with AWS SDK

After creating the VPC endpoint, configure your AWS SDK or CLI to use the endpoint's DNS name (the `DnsEntries` values from `aws ec2 describe-vpc-endpoints`). This ensures all Bedrock API calls route through the private network. With private DNS enabled, the regional hostname `bedrock-runtime.us-east-1.amazonaws.com` already resolves to the endpoint from inside the VPC, so the explicit override below is mainly useful when private DNS is off or when you want the routing to be unambiguous.

```python
import json

import boto3

# Use a boto3 client with the region and an endpoint override pointing at the
# interface endpoint's DNS name (take the exact value from describe-vpc-endpoints;
# the random suffix after the endpoint ID is placeholder here).
client = boto3.client(
    'bedrock-runtime',
    region_name='us-east-1',
    endpoint_url='https://vpce-0abcd1234ef567890-abcd1234.bedrock-runtime.us-east-1.vpce.amazonaws.com'
)

# Anthropic models on Bedrock use the Messages API: anthropic_version and
# max_tokens are required fields, and the body is a JSON document.
request_body = {
    "anthropic_version": "bedrock-2023-05-31",
    "max_tokens": 256,
    "messages": [{"role": "user", "content": "Hello from private endpoint"}],
}

response = client.invoke_model(
    modelId='anthropic.claude-3-5-sonnet-20241022-v2:0',
    contentType='application/json',
    accept='application/json',
    body=json.dumps(request_body),
)

print(response['body'].read().decode('utf-8'))
```

Output (Messages API response; IDs and token counts are illustrative):

```json
{"id":"msg_01ABC123","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","content":[{"type":"text","text":"Hello from private endpoint!"}],"stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":12,"output_tokens":8}}
```

Common variations

  • Use the AWS CLI with --endpoint-url to test Bedrock calls via the private endpoint.
  • Configure SDKs in other languages the same way, by overriding the endpoint URL.
  • Use security groups to restrict which clients can reach the VPC endpoint.

```bash
# invoke-model writes the response body to the positional outfile argument;
# --cli-binary-format lets AWS CLI v2 accept the raw JSON string as the blob.
aws bedrock-runtime invoke-model \
    --model-id anthropic.claude-3-5-sonnet-20241022-v2:0 \
    --content-type application/json \
    --accept application/json \
    --cli-binary-format raw-in-base64-out \
    --body '{"anthropic_version": "bedrock-2023-05-31", "max_tokens": 256, "messages": [{"role": "user", "content": "Test private endpoint"}]}' \
    --endpoint-url https://vpce-0abcd1234ef567890-abcd1234.bedrock-runtime.us-east-1.vpce.amazonaws.com \
    response.json
cat response.json
```

Output (illustrative values):

```json
{"id":"msg_01DEF456","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","content":[{"type":"text","text":"Test successful via private endpoint."}],"stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":11,"output_tokens":9}}
```

Troubleshooting private endpoint issues

  • If Bedrock API calls time out, confirm the endpoint's State is `available`, that its DNS name resolves to private addresses inside your VPC, and that your subnet route tables allow traffic to it.
  • Check that the security group attached to the VPC endpoint allows inbound TCP 443 from your client's security group or subnet.
  • Ensure the caller's IAM permissions (for example `bedrock:InvokeModel`), the endpoint policy, and Bedrock service quotas all allow the call.
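The checks in the setup and troubleshooting sections above can be run as one audit. The following is an added example, not part of the original page or any AWS tooling; it takes a `describe-vpc-endpoints` entry (a constructed sample is embedded) and the addresses the endpoint hostname resolves to, and reports anything that would silently leave traffic public or over-permissive, including the default full-access endpoint policy.

```python
import ipaddress
import json

DEFAULT_POLICY_FINDING = "endpoint policy is the full-access default: scope Principal, Action and Resource"

# Constructed sample shaped like one entry of `aws ec2 describe-vpc-endpoints`
# (placeholder IDs, not a real account). For a live check, feed the function
# boto3.client("ec2").describe_vpc_endpoints(VpcEndpointIds=[...])["VpcEndpoints"][0]
# and the addresses returned by socket.getaddrinfo() for the endpoint hostname.
SAMPLE_ENDPOINT = {
    "VpcEndpointId": "vpce-0abcd1234ef567890",
    "VpcId": "vpc-0123456789abcdef0",
    "ServiceName": "com.amazonaws.us-east-1.bedrock-runtime",
    "VpcEndpointType": "Interface",
    "State": "available",
    "PrivateDnsEnabled": True,
    # Default policy AWS attaches when none is supplied: any principal, any action.
    "PolicyDocument": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}),
}
VPC_CIDR = "10.0.0.0/16"  # constructed; use your VPC's CIDR


def audit_endpoint(ep, region="us-east-1", vpc_cidr=VPC_CIDR, resolved_ips=()):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if ep.get("ServiceName") != f"com.amazonaws.{region}.bedrock-runtime":
        findings.append("service is not bedrock-runtime: InvokeModel will not use this endpoint")
    if ep.get("VpcEndpointType") != "Interface":
        findings.append("not an Interface endpoint; PrivateLink requires one")
    if ep.get("State") != "available":
        findings.append(f"state is {ep.get('State')!r}, not 'available'")
    if not ep.get("PrivateDnsEnabled"):
        findings.append("private DNS disabled: SDK calls without endpoint_url leave the VPC")
    policy = json.loads(ep.get("PolicyDocument") or "{}")
    for stmt in policy.get("Statement", []):
        wildcard = stmt.get("Principal") == "*" and stmt.get("Action") in ("*", ["*"])
        if stmt.get("Effect") == "Allow" and wildcard:
            findings.append(DEFAULT_POLICY_FINDING)
    # The endpoint's network interfaces live in your subnets; a public address
    # means traffic is not going through PrivateLink (wrong hostname or DNS).
    vpc = ipaddress.ip_network(vpc_cidr)
    for ip in resolved_ips:
        if ipaddress.ip_address(ip) not in vpc:
            findings.append(f"endpoint resolved to {ip}, outside {vpc_cidr}")
    return findings


if __name__ == "__main__":
    for finding in audit_endpoint(SAMPLE_ENDPOINT, resolved_ips=["10.0.1.25"]):
        print("FINDING:", finding)
```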

Key Takeaways

  • AWS Bedrock private endpoints use AWS PrivateLink to enable secure, private access within your VPC.
  • Create an interface VPC endpoint for Bedrock and configure your SDK or CLI to use its DNS endpoint.
  • Use security groups and subnet routing to control and secure access to the Bedrock endpoint.
  • Override the endpoint URL in SDKs to route Bedrock API calls through the private endpoint.
  • Troubleshoot connectivity by verifying VPC endpoint state, DNS resolution, and IAM permissions.

Verified 2026-04 · anthropic.claude-3-5-sonnet-20241022-v2:0