Problem Statement
[FEATURE] Add VPC Endpoint Support to BedrockModel Class
Description
The Strands SDK currently doesn't support custom endpoint URLs for the BedrockModel class, which prevents usage in environments that require AWS VPC endpoints (PrivateLink) for Bedrock access. Many enterprise environments enforce endpoint policies that block direct internet access to Bedrock, requiring all traffic to flow through VPC endpoints for security and compliance.
Proposed Solution
Add an optional `endpoint_url` parameter to the `BedrockModel` class constructor:

```python
from strands.models import BedrockModel

# Using VPC endpoint
model = BedrockModel(
    model_id="us.anthropic.claude-sonnet-4-20250514-v1:0",
    endpoint_url="https://vpce-1234567-abcd.bedrock-runtime.us-west-2.vpce.amazonaws.com",
    region_name="us-west-2"
)
```
Implementation Details
The change would involve modifying the `BedrockModel` class to accept an optional `endpoint_url` parameter and updating the boto3 client initialization:

```python
# In BedrockModel.__init__(), add endpoint_url parameter
def __init__(self, ..., endpoint_url: Optional[str] = None, ...):
    self.endpoint_url = endpoint_url

    # Update client creation in the class
    self.client = session.client(
        service_name="bedrock-runtime",
        config=client_config,
        endpoint_url=self.endpoint_url,  # Add this line
        region_name=resolved_region,
    )
```
Use Case
- Enterprise Security: Organizations requiring all AWS API calls to traverse private networks only
- Compliance Requirements: Industries with strict data governance requiring private connectivity to AWS services
- Restricted Environments: Networks where internet access to AWS services is blocked without VPC endpoints
Alternative Solutions
Currently, users must modify network policies and IAM policies to allow access to Bedrock via the public endpoint in order to use Strands with Bedrock, which may not be feasible in enterprise environments.
Additional Context
AWS Bedrock supports VPC interface endpoints through PrivateLink ([documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/vpc-interface-endpoints.html)). This change would be backward compatible with existing code.
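
A caller-supplied `endpoint_url` decides which host receives the signed Bedrock requests and their prompt data, so a wrapper can check the value before passing it to `session.client(...)`. The following is an added example, not code from this issue or from the Strands SDK; `check_bedrock_endpoint` and `client_kwargs` are hypothetical names, and the accepted hostname shape is an assumption taken from the endpoint URL shown in the proposal.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed hostname shape, taken from the URL in the proposal above:
#   vpce-<id>[-<az>].bedrock-runtime.<region>.vpce.amazonaws.com
VPCE_HOST = re.compile(
    r"vpce-[0-9a-z]+(?:-[0-9a-z]+)*\.bedrock-runtime\."
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.vpce\.amazonaws\.com"
)


def check_bedrock_endpoint(endpoint_url: Optional[str], region: str) -> Optional[str]:
    """Return endpoint_url unchanged if acceptable; None passes through; else ValueError."""
    if endpoint_url is None:
        return None  # keep the SDK's default endpoint resolution
    parts = urlsplit(endpoint_url)
    if parts.scheme != "https":
        raise ValueError("endpoint_url must use https")
    if parts.username or parts.password:
        raise ValueError("endpoint_url must not contain userinfo")
    if parts.port not in (None, 443):
        raise ValueError("endpoint_url must use the default https port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("endpoint_url must be a bare origin")
    host = (parts.hostname or "").lower()
    match = VPCE_HOST.fullmatch(host)  # fullmatch rejects extra leading/trailing labels
    if match is None:
        raise ValueError(f"not a bedrock-runtime VPC endpoint host: {host!r}")
    if match.group("region") != region:
        raise ValueError("endpoint region does not match region_name")
    return endpoint_url


def client_kwargs(region: str, endpoint_url: Optional[str] = None) -> dict:
    """Build keyword arguments for session.client(); endpoint_url only when set."""
    kwargs = {"service_name": "bedrock-runtime", "region_name": region}
    url = check_bedrock_endpoint(endpoint_url, region)
    if url is not None:
        kwargs["endpoint_url"] = url
    return kwargs
```
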