When deploying AI agents to the Amazon Bedrock AgentCore Runtime (currently in preview), customers want to use custom domains to create a professional, seamless experience.
By default, AgentCore Runtime agents use an endpoint such as https://bedrock-agentcore.{region}.amazonaws.com/runtimes/{EncodedAgentARN}/invocations.
In this post, we show you how to transform these endpoints into a user-friendly custom domain (such as https://agent.yourcompany.com) using Amazon CloudFront as the reverse proxy. This solution combines CloudFront, Amazon Route 53, and AWS Certificate Manager (ACM) to create a secure, scalable custom domain setup that works seamlessly with your existing agents.
Benefits of the Amazon Bedrock AgentCore Runtime
If you're building AI agents, you have probably dealt with hosting challenges such as managing infrastructure, handling authentication, scaling, and maintaining security. The Amazon Bedrock AgentCore Runtime can help you address these problems.
The Amazon Bedrock AgentCore Runtime is framework agnostic. You can use it with LangGraph, CrewAI, Strands Agents, or a custom agent you built from scratch. It supports extended execution times of up to 8 hours, making it ideal for complex reasoning tasks that traditional serverless functions cannot handle. Each user session runs in its own isolated microVM, providing security that is crucial for enterprise applications.
The consumption-based pricing model means you only pay for what you use. Also, unlike other hosting solutions, the Amazon Bedrock AgentCore Runtime includes built-in authentication and specialized observability for AI agents.
Benefits of custom domains
If you use the Amazon Bedrock AgentCore Runtime with Open Authorization (OAuth) authentication, your application makes HTTPS requests directly to the service endpoint. This works, but custom domains offer several benefits:
- Custom branding – Client-side applications (web browsers, mobile apps) show your branded domain instead of AWS infrastructure details in their network requests
- Better developer experience – Development teams can use memorable, branded endpoints instead of copying and pasting long AWS endpoints across their code bases and configurations
- Simplified maintenance – Custom domains make it easier to manage endpoints when deploying multiple agents or updating configurations across environments
Solution overview
This solution uses CloudFront as a reverse proxy to transform requests to your custom domain into Amazon Bedrock AgentCore Runtime API calls. Instead of using the default endpoint, your application can make requests to a user-friendly URL such as https://agent.yourcompany.com/.
The following diagram illustrates the solution architecture.
The workflow consists of the following steps:
- The client application authenticates with Amazon Cognito and receives a bearer token.
- The client makes HTTPS requests to the custom domain.
- Route 53 resolves DNS requests to CloudFront.
- CloudFront forwards authenticated requests to the Amazon Bedrock AgentCore Runtime agent.
- The agent processes the request and returns a response through the same path.
You can use the same CloudFront distribution to serve both your front-end application and your back-end agent endpoints. This avoids cross-origin resource sharing (CORS) issues because everything originates from the same domain.
Prerequisites
To follow this walkthrough, you must have the following:
The Amazon Bedrock AgentCore Runtime can be in other supported AWS Regions, but CloudFront requires the SSL certificate to be in the us-east-1 Region.
You can choose from the following domain options:
- Use an existing domain – Add a subdomain such as agent.yourcompany.com
- Register a new domain – Use Route 53 to register a domain if you don't have one
- Use the default URL from CloudFront – No domain registration or configuration required
If you want to quickly test the solution before configuring a custom domain, choose the third option.
Create an agent with inbound authentication
If you already have an agent deployed with OAuth authentication, you can skip to the next section to set up your custom domain. Otherwise, follow these steps to create a new agent using Amazon Cognito as your OAuth provider:
- Create a new directory for the agent with the following structure:
- Create the main agent code in agent_example.py:
- Add the dependencies to requirements.txt:
- Run the following command to create an Amazon Cognito user pool and a test user:
- Deploy the agent using the Amazon Bedrock AgentCore command line interface (CLI) provided by the starter toolkit:
After deployment, note the agent runtime Amazon Resource Name (ARN). You need it for the custom domain configuration.
For more examples and information, see Authentication and Authorization with Inbound and Outbound Auth.
Set up a custom domain solution
Next, let's implement the custom domain solution using the AWS CDK. This section shows you how to create a CloudFront distribution that proxies requests for your custom domain to the Amazon Bedrock AgentCore Runtime endpoint.
- Create a new directory and initialize the AWS CDK project:
- Encode the agent ARN and prepare the CloudFront origin configuration:
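The encoding step can be checked on its own before it goes into the stack. The following is an added example, not code from the original post: it validates the ARN, percent-encodes it, and derives the origin host and path from the default endpoint format shown at the top of this page. The function name `agent_origin`, the ARN pattern, and the sample ARN are assumptions.

```python
import re
from urllib.parse import quote

# Assumed shape of an AgentCore runtime ARN in the standard "aws" partition.
_RUNTIME_ARN = re.compile(
    r"arn:aws:bedrock-agentcore:"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}):runtime/(?P<runtime_id>[A-Za-z0-9_-]+)"
)


def agent_origin(agent_arn, expected_account=None):
    """Return the CloudFront origin host and path for one agent runtime ARN.

    Raises ValueError instead of building an origin from a malformed ARN,
    because the ARN ends up in both the origin hostname and the origin path.
    """
    match = _RUNTIME_ARN.fullmatch(agent_arn)
    if match is None:
        raise ValueError("not an AgentCore runtime ARN: %r" % agent_arn)
    if expected_account and match["account"] != expected_account:
        raise ValueError("ARN belongs to account %s" % match["account"])
    # safe="" also encodes "/", so the ARN stays a single path segment.
    encoded = quote(agent_arn, safe="")
    return {
        "domain_name": "bedrock-agentcore.%s.amazonaws.com" % match["region"],
        "origin_path": "/runtimes/%s/invocations" % encoded,
    }


if __name__ == "__main__":
    # Constructed sample ARN; the account ID and runtime ID are placeholders.
    sample = ("arn:aws:bedrock-agentcore:us-west-2:123456789012:"
              "runtime/agent_example-AbCdEf1234")
    print(agent_origin(sample, expected_account="123456789012"))
```
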
If your front-end application runs on a different domain than your agent endpoint, you must configure CORS headers. This is common when the front end is hosted on a different domain (for example, https://app.yourcompany.com calling https://agent.yourcompany.com) or when you are developing locally (for example, http://localhost:3000 calling the production agent endpoint).
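Before the allowed origins and headers go into a response headers policy, they can be linted. The following is an added example, not code from the original post: it checks a CORS allowlist for the two calling origins named above and for the bearer token header. The function names and the findings wording are assumptions.

```python
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def audit_cors(allow_origins, allow_headers):
    """Return a list of findings for a CORS policy in front of the agent."""
    findings = []
    for origin in allow_origins:
        if origin == "*":
            findings.append("wildcard origin: every website may read agent responses")
            continue
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append("%s: not a scheme://host[:port] origin" % origin)
        elif parts.path or parts.query or parts.fragment:
            # Browsers send Origin without a trailing slash, so this never matches.
            findings.append("%s: an origin has no path, query or fragment" % origin)
        elif parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
            findings.append("%s: plain http origin outside local development" % origin)
    listed = {h.strip().lower() for h in allow_headers}
    if "authorization" not in listed:
        # The "*" wildcard in Access-Control-Allow-Headers does not cover
        # Authorization, so the bearer token request fails its preflight.
        findings.append("Authorization is not listed explicitly; '*' does not cover it")
    return findings


def allow_origin_for(request_origin, allow_origins):
    """Value for Access-Control-Allow-Origin, or None when the origin is refused."""
    return request_origin if request_origin in allow_origins else None


if __name__ == "__main__":
    origins = ["https://app.yourcompany.com", "http://localhost:3000"]
    print(audit_cors(origins, ["Authorization", "Content-Type"]))  # no findings
    print(audit_cors(["*"], ["*"]))                                # two findings
```
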
- To handle the CORS requirements, create a CloudFront response headers policy:
- Create a CloudFront distribution that acts as a reverse proxy for the agent endpoint:
Set cache_policy=CachePolicy.CACHING_DISABLED so that the agent responses stay dynamic and are not cached by CloudFront.
- If you are using a custom domain, add the SSL certificate and DNS configuration to the stack:
The following code is the complete AWS CDK stack that combines all the components:
- Configure the AWS CDK app entry point:
Deploy a custom domain
Now you can deploy the solution and verify that it works with both the custom and default domains. Complete the following steps:
- Update the following values in agentcore_custom_domain_stack.py:
  - Amazon Bedrock AgentCore Runtime ARN
  - Domain name (if you are using a custom domain)
  - Hosted zone ID (if you are using a custom domain)
- Deploy using the AWS CDK:
Test the endpoint
After you deploy the custom domain, you can test the endpoint using either the custom domain or the CloudFront default domain.
Test with the custom domain using the following code:
Alternatively, use the following code to test with the CloudFront default domain:
Considerations
When implementing this solution in production, the following are some important considerations:
- Cost impact – CloudFront adds costs for data transfer and requests. Review Amazon CloudFront pricing to understand the impact on your usage patterns.
- Enhanced security – Consider implementing the following security measures:
  - AWS WAF rules to help protect against common web exploits.
  - Rate limiting to help prevent abuse.
  - Geo-restrictions if the agent should only be accessible from specific regions.
- Monitoring – Enable CloudFront access logging and set up Amazon CloudWatch alarms to monitor error rates, latency, and request volume.
Clean up
To avoid ongoing costs, delete the resources when you no longer need them.
You might need to manually delete the Route 53 hosted zone and ACM certificate from their respective service consoles.
Conclusion
In this post, we showed you how to use CloudFront as a reverse proxy to create a custom domain name for your Amazon Bedrock AgentCore Runtime agent endpoint. This solution offers several key benefits: simplified integration for your development teams, custom domains that match your organization, cleaner infrastructure abstraction, and straightforward maintenance when endpoints need to be updated. By using CloudFront as a reverse proxy, you can also serve both your front-end application and your back-end agent endpoints from the same domain, avoiding the common CORS challenges.
We encourage you to explore this solution further by adapting it to your specific needs. You might want to enhance it with additional security features, set up monitoring, and integrate it with your existing infrastructure.
For more information about building and deploying AI agents, see the Amazon Bedrock AgentCore Developer Guide. For advanced configurations and best practices with CloudFront, see the Amazon CloudFront documentation. You can find more information about SSL certificates in the AWS Certificate Manager documentation and about domain management in the Amazon Route 53 documentation.
Amazon Bedrock AgentCore is currently in preview and subject to change. Standard AWS pricing applies to additional services used, such as CloudFront, Route 53, and Certificate Manager.
About the authors
Rahmat Fedayizada is a Senior Solutions Architect with the AWS Energy and Utilities team. He works with energy companies to design and implement scalable, secure, and highly available architectures. Rahmat is passionate about translating complex technical requirements into actionable solutions that drive business value.
Parabuba is a Senior Manager of Solutions Architecture at AWS and leads a team of Solutions Architects who help energy customers innovate and accelerate their transformation. Having started as a Solutions Architect in 2012, Para is passionate about architecting scalable solutions and building organizations focused on application modernization and AI initiatives.

