
/AWS1/CL_BDOVPCCONFIG

VpcConfig for the Agent.

CONSTRUCTOR

IMPORTING

Required arguments:

it_securitygroups TYPE /AWS1/CL_BDOSECURITYGROUPS_W=>TT_SECURITYGROUPS

The security groups associated with the VPC configuration.

it_subnets TYPE /AWS1/CL_BDOSUBNETS_W=>TT_SUBNETS

The subnets associated with the VPC configuration.

Optional arguments:

iv_requireservices3endpoint TYPE /AWS1/BDOBOOLEAN

This field applies only to Agent Runtimes. It is not applicable to Browsers or Code Interpreters.

Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.


Queryable Attributes

securityGroups

The security groups associated with the VPC configuration.

Accessible with the following methods

| Method | Description |
| --- | --- |
| GET_SECURITYGROUPS() | Getter for SECURITYGROUPS, with configurable default |
| ASK_SECURITYGROUPS() | Getter for SECURITYGROUPS w/ exceptions if field has no value |
| HAS_SECURITYGROUPS() | Determine if SECURITYGROUPS has a value |

subnets

The subnets associated with the VPC configuration.

Accessible with the following methods

| Method | Description |
| --- | --- |
| GET_SUBNETS() | Getter for SUBNETS, with configurable default |
| ASK_SUBNETS() | Getter for SUBNETS w/ exceptions if field has no value |
| HAS_SUBNETS() | Determine if SUBNETS has a value |

requireServiceS3Endpoint

This field applies only to Agent Runtimes. It is not applicable to Browsers or Code Interpreters.

Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

Accessible with the following methods

| Method | Description |
| --- | --- |
| GET_REQUIRESERVICES3ENDPOINT() | Getter for REQUIRESERVICES3ENDPOINT, with configurable default |
| ASK_REQUIRESERVICES3ENDPOINT() | Getter for REQUIRESERVICES3ENDPOINT w/ exceptions if field has no value |
| HAS_REQUIRESERVICES3ENDPOINT() | Determine if REQUIRESERVICES3ENDPOINT has a value |
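
The description above says to ensure the VPC provides Amazon S3 access before setting requireServiceS3Endpoint to false. The following Python pre-flight check is an added example, not part of the SDK or its documentation, and it goes beyond the page by testing one specific way to meet that precondition: every subnet in the VPC configuration routes to an available S3 gateway endpoint. It assumes S3 is reached through a gateway endpoint (not a NAT path or an interface endpoint) and takes input shaped like EC2 DescribeVpcEndpoints and DescribeRouteTables output; all IDs are constructed.

```python
# Added example. Inputs are shaped like EC2 DescribeVpcEndpoints and
# DescribeRouteTables responses; every ID below is constructed sample data.

def subnets_without_s3_gateway(subnet_ids, vpc_id, region, endpoints, route_tables):
    """Return the subnets whose effective route table has no active route to an
    available S3 gateway endpoint in the same VPC."""
    s3_gateways = {
        ep["VpcEndpointId"] for ep in endpoints
        if ep["VpcId"] == vpc_id
        and ep["VpcEndpointType"] == "Gateway"
        and ep["ServiceName"] == f"com.amazonaws.{region}.s3"
        and ep["State"].lower() == "available"
    }
    explicit, main = {}, None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = rt
            elif assoc.get("Main"):
                main = rt
    missing = []
    for subnet in subnet_ids:
        # A subnet with no explicit association falls back to the main route table.
        rt = explicit.get(subnet, main)
        routes = rt.get("Routes", []) if rt else []
        if not any(r.get("GatewayId") in s3_gateways and r.get("State") == "active"
                   for r in routes):
            missing.append(subnet)
    return missing

ENDPOINTS = [{"VpcEndpointId": "vpce-0s3example", "VpcId": "vpc-0example",
              "VpcEndpointType": "Gateway", "State": "available",
              "ServiceName": "com.amazonaws.us-east-1.s3"}]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main", "VpcId": "vpc-0example",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"}]},
    {"RouteTableId": "rtb-0agents", "VpcId": "vpc-0example",
     "Associations": [{"Main": False, "SubnetId": "subnet-0a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"},
                {"DestinationPrefixListId": "pl-0s3example",
                 "GatewayId": "vpce-0s3example", "State": "active"}]},
]

if __name__ == "__main__":
    # subnet-0b has no explicit association, so it uses rtb-0main (no S3 route).
    print(subnets_without_s3_gateway(["subnet-0a", "subnet-0b"], "vpc-0example",
                                     "us-east-1", ENDPOINTS, ROUTE_TABLES))
```

An empty result means each listed subnet has a gateway route to S3; any subnet returned would lose its S3 path once the service-managed gateway is removed.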