How to Intermediate · 3 min read

AWS Bedrock VPC configuration

Quick answer
To configure AWS Bedrock with a VPC, create VPC endpoints for Bedrock service in your private subnet and update your Bedrock client to use the VPC endpoint URL. This setup ensures secure, private network access to Bedrock models without traversing the public internet.

PREREQUISITES

  • AWS CLI installed and configured
  • AWS account with Bedrock access
  • Python 3.8+
  • boto3 installed (pip install boto3)
  • IAM permissions to create VPC endpoints and Bedrock access

Setup VPC endpoints for Bedrock

Create interface VPC endpoints for the Bedrock service in your AWS VPC to enable private connectivity. This involves specifying the Bedrock service name and associating security groups and subnets.

bash
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-0123456789abcdef0 \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.bedrock \
  --subnet-ids subnet-0abc1234def567890 \
  --security-group-ids sg-0123456789abcdef0 \
  --private-dns-enabled
output 
{
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-0abcd1234ef567890",
        "VpcId": "vpc-0123456789abcdef0",
        "ServiceName": "com.amazonaws.us-east-1.bedrock",
        "VpcEndpointType": "Interface",
        "State": "available"
    }
}

Step by step: Python Bedrock client with VPC endpoint

Use boto3 to create a Bedrock client specifying the endpoint_url as your VPC endpoint DNS. This routes requests through your VPC endpoint securely.

python
import boto3
import os

# Replace with your VPC endpoint DNS
vpc_endpoint_url = "https://vpce-0abcd1234ef567890-bedrock.us-east-1.vpce.amazonaws.com"

client = boto3.client(
    'bedrock-runtime',
    region_name='us-east-1',
    endpoint_url=vpc_endpoint_url,
    aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],
    aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY']
)

response = client.invoke_model(
    modelId='anthropic.claude-3-5-sonnet-20241022-v2:0',
    body=b'{"inputText": "Hello from VPC!"}'
)

print(response['body'].read().decode('utf-8'))
output 
{"completion": "Hello from VPC! How can I assist you today?"}

Common variations

  • Use AWS SDKs other than boto3 with the endpoint_url parameter set to your VPC endpoint.
  • Configure multiple subnets and security groups for high availability.
  • Use IAM roles attached to EC2 or Lambda instead of explicit credentials.

Troubleshooting

  • If you get EndpointConnectionError, verify your VPC endpoint is in the correct subnet and security groups allow traffic.
  • Ensure your Bedrock service name matches your AWS region.
  • Check IAM permissions for Bedrock and VPC endpoint usage.

Key Takeaways

  • Create interface VPC endpoints for Bedrock service in your AWS VPC to enable private access.
  • Configure your Bedrock client with the VPC endpoint URL to route requests securely inside your network.
  • Use IAM roles and security groups to control access and traffic to the Bedrock VPC endpoint.
  • Verify subnet and security group settings if connection errors occur.
  • AWS Bedrock VPC configuration enhances security by avoiding public internet exposure.
Verified 2026-04 · anthropic.claude-3-5-sonnet-20241022-v2:0
Verify ↗

People also ask

🛠 AWS Bedrock audit logging aws-bedrock-enterprise 🛠 AWS Bedrock CloudTrail integration aws-bedrock-enterprise 🛠 AWS Bedrock compliance certifications aws-bedrock-enterprise 🛠 AWS Bedrock cost monitoring with CloudWatch aws-bedrock-enterprise 🛠 AWS Bedrock cost optimization strategies aws-bedrock-enterprise

Up next

⚖️ AWS Bedrock vs OpenAI Enterprise comparison 🛠 AWS Bedrock with AWS IAM Identity Center 🛠 AWS Bedrock with AWS Lake Formation 🛠 How to evaluate AWS Bedrock for enterprise

More in Guides

🛠 AWS Bedrock audit logging 🛠 AWS Bedrock CloudTrail integration 🛠 AWS Bedrock compliance certifications 🛠 AWS Bedrock cost monitoring with CloudWatch