aws-samples · tbrand · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 15, 2025
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -36,6 +36,7 @@ To send us a pull request, please:
 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
 
 For detailed development guidelines including linting and code style requirements, please refer to:
+
 - [DEVELOPMENT.md (English)](docs/en/DEVELOPMENT.md)
 - [DEVELOPMENT.md (日本語)](docs/ja/DEVELOPMENT.md)
 

diff --git a/docs/en/CLOSED_NETWORK.md b/docs/en/CLOSED_NETWORK.md
@@ -32,7 +32,6 @@ Options related to closed network mode have the `closedNetwork` prefix. The foll
 - Since various resources are created, when importing an existing VPC, it's recommended to use as clean an environment as possible.
 - SAML integration is not available.
 - Voice Chat use case is currently not available.
-- AgentCore Chat use case is currently not available.
 
 ## Example of Valid Configuration File
 

diff --git a/docs/ja/CLOSED_NETWORK.md b/docs/ja/CLOSED_NETWORK.md
@@ -32,7 +32,6 @@
 - 様々なリソースを作成するため、既存の VPC をインポートする場合は可能な限り clean な環境を利用することを推奨します。
 - SAML 連携は利用できません。
 - Voice Chat のユースケースは現状利用できません。
-- AgentCore Chat のユースケースは現状利用できません。
 
 ## 有効な設定ファイルの例
 
@@ -153,6 +152,7 @@ Certificate body には ssl.crt の中身、Certificate private key には ssl.k
 | Amazon Transcribe           | 文字起こし                     | transcribe.\<region>.amazonaws.com                          | エンドポイントは固定                                                                     |
 | Amazon Transcribe Streaming | リアルタイム文字起こし         | transcribestreaming.\<region>.amazonaws.com                 | エンドポイントは固定                                                                     |
 | Amazon Polly                | 文字の読み上げ                 | polly.\<region>.amazonaws.com                               | エンドポイントは固定                                                                     |
+| Bedrock AgentCore Runtime   | AgentCore Runtime の実行       | bedrock-agentcore.\<region>.amazonaws.com                   | エンドポイントは固定                                                                     |
 
 上の表のすべてのエンドポイントのリゾルバー (フォワーダー) として Resolver Endpoint の IP アドレスを指定するように DNS サーバーの設定を変更してください。
 Resolver Endpoint の IP アドレスは、[Route53](https://console.aws.amazon.com/route53resolver) を開き、Inbound endpoints を選択して、作成したエンドポイントをクリックすることで確認できます。
@@ -176,6 +176,7 @@ Resolver Endpoint の IP アドレスは、[Route53](https://console.aws.amazon.
 | Amazon Transcribe           | 文字起こし                     | transcribe.\<region>.amazonaws.com                          | 方法2                 |
 | Amazon Transcribe Streaming | リアルタイム文字起こし         | transcribestreaming.\<region>.amazonaws.com                 | 方法2                 |
 | Amazon Polly                | 文字の読み上げ                 | polly.\<region>.amazonaws.com                               | 方法2                 |
+| Bedrock AgentCore Runtime   | AgentCore Runtime の実行       | bedrock-agentcore.\<region>.amazonaws.com                   | 方法2                 |
 
 - 方法1: [EC2](https://console.aws.amazon.com/ec2/home) の Network Interfaces を開き、「elb」と検索してください。Security group names が ClosedNetworkStack... となっているものが対象の ENI です。Network interface ID をクリックすると Private IPv4 address が確認できます。複数あるため、そのうち 1 つを選択してください。
 - 方法2: [VPC](https://console.aws.amazon.com/vpcconsole/home) の Endpoints を開き、該当するサービス名を探してください。サービス名はエンドポイントを反転させたものです。(ただし API Gateway は ID を省略したものです。) VPC endpoint ID をクリックすると、ページ下部にデプロイされた Subnet と IP アドレスが表示されています。複数あるため、そのうち 1 つを選択してください。
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/cdk/lib/construct/closedNetwork/closed-vpc.ts b/packages/cdk/lib/construct/closedNetwork/closed-vpc.ts
@@ -9,6 +9,7 @@ const VPC_ENDPOINTS: Record<string, ec2.InterfaceVpcEndpointAwsService> = {
   Transcribe: ec2.InterfaceVpcEndpointAwsService.TRANSCRIBE,
   TranscribeStreaming: ec2.InterfaceVpcEndpointAwsService.TRANSCRIBE_STREAMING,
   Polly: ec2.InterfaceVpcEndpointAwsService.POLLY,
+  AgentCore: ec2.InterfaceVpcEndpointAwsService.BEDROCK_AGENTCORE,
   // VPC Endpoints required by app side
   Bedrock: ec2.InterfaceVpcEndpointAwsService.BEDROCK_RUNTIME,
   BedrockAgent: ec2.InterfaceVpcEndpointAwsService.BEDROCK_AGENT_RUNTIME,

diff --git a/packages/cdk/package.json b/packages/cdk/package.json
@@ -18,15 +18,15 @@
     "@types/sanitize-html": "^2.13.0",
     "@typescript-eslint/eslint-plugin": "^7.6.0",
     "@typescript-eslint/parser": "^7.6.0",
-    "aws-cdk": "^2.154.1",
+    "aws-cdk": "^2.220.0",
     "eslint": "^8.56.0",
     "jest": "^29.7.0",
     "ts-jest": "^29.2.5",
     "ts-node": "^10.9.2",
     "typescript": "~5.4.5"
   },
   "dependencies": {
-    "@aws-cdk/aws-lambda-python-alpha": "^2.154.1-alpha.0",
+    "@aws-cdk/aws-lambda-python-alpha": "^2.220.0-alpha.0",
     "@aws-sdk/client-bedrock-agent": "^3.755.0",
     "@aws-sdk/client-bedrock-agent-runtime": "^3.755.0",
     "@aws-sdk/client-bedrock-agentcore": "^3.755.0",
@@ -45,7 +45,7 @@
     "@aws-solutions-constructs/aws-cloudfront-s3": "^2.68.0",
     "@smithy/node-http-handler": "^4.0.4",
     "aws-amplify": "^6.14.2",
-    "aws-cdk-lib": "^2.154.1",
+    "aws-cdk-lib": "^2.220.0",
     "aws-jwt-verify": "^4.0.0",
     "constructs": "^10.3.0",
     "deploy-time-build": "^0.3.17",

diff --git a/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap b/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap
@@ -404,6 +404,33 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 1`] = `
       },
       "Type": "AWS::EC2::SecurityGroup",
     },
+    "ClosedVpcVpcEndpointAgentCoreD50ADE6F": {
+      "Properties": {
+        "PrivateDnsEnabled": true,
+        "SecurityGroupIds": [
+          {
+            "Fn::GetAtt": [
+              "ClosedVpcSecurityGroup985DC3EC",
+              "GroupId",
+            ],
+          },
+        ],
+        "ServiceName": "com.amazonaws.us-east-1.bedrock-agentcore",
+        "SubnetIds": [
+          {
+            "Ref": "ClosedVpcisolatedSubnet1Subnet2EF6D3F3",
+          },
+          {
+            "Ref": "ClosedVpcisolatedSubnet2SubnetB169C8D3",
+          },
+        ],
+        "VpcEndpointType": "Interface",
+        "VpcId": {
+          "Ref": "ClosedVpcC15583C9",
+        },
+      },
+      "Type": "AWS::EC2::VPCEndpoint",
+    },
     "ClosedVpcVpcEndpointApiGateway6200AA11": {
       "Properties": {
         "PrivateDnsEnabled": true,
@@ -2753,7 +2780,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 2`] = `
             "Arn",
           ],
         },
-        "Runtime": "python3.11",
+        "Runtime": "python3.13",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",
@@ -3286,6 +3313,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 2`] = `
         "SourceObjectKeys": [
           "HASH-REPLACED.zip",
         ],
+        "WaitForDistributionInvalidation": true,
       },
       "Type": "Custom::CDKBucketDeployment",
       "UpdateReplacePolicy": "Delete",
@@ -3649,6 +3677,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 3`] = `
         "SourceObjectKeys": [
           "HASH-REPLACED.zip",
         ],
+        "WaitForDistributionInvalidation": true,
       },
       "Type": "Custom::CDKBucketDeployment",
       "UpdateReplacePolicy": "Delete",
@@ -4160,7 +4189,7 @@ Automatically detect the language of the user's request and think and answer in
             "Arn",
           ],
         },
-        "Runtime": "python3.11",
+        "Runtime": "python3.13",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",
@@ -18538,6 +18567,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 6`] = `
             ],
           },
         ],
+        "WaitForDistributionInvalidation": true,
       },
       "Type": "Custom::CDKBucketDeployment",
       "UpdateReplacePolicy": "Delete",
@@ -18595,7 +18625,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 6`] = `
     "post_build": {
       "commands": [
         "echo Build completed on \`date\`",
-        "\\nSTATUS='SUCCESS'\\nif [ $CODEBUILD_BUILD_SUCCEEDING -ne 1 ] # Test if the build is failing\\nthen\\nSTATUS='FAILED'\\nREASON=\\"NodejsBuild failed. See CloudWatch Log stream for the detailed reason: \\nhttps://$AWS_REGION.console.aws.amazon.com/cloudwatch/home?region=$AWS_REGION#logsV2:log-groups/log-group/\\\\$252Faws\\\\$252Fcodebuild\\\\$252F$projectName/log-events/$CODEBUILD_LOG_PATH\\"\\nfi\\ncat <<EOF > payload.json\\n{\\n  \\"StackId\\": \\"$stackId\\",\\n  \\"RequestId\\": \\"$requestId\\",\\n  \\"LogicalResourceId\\":\\"$logicalResourceId\\",\\n  \\"PhysicalResourceId\\": \\"$logicalResourceId\\",\\n  \\"Status\\": \\"$STATUS\\",\\n  \\"Reason\\": \\"$REASON\\",\\n  \\"Data\\": {\\n    \\"destinationObjectKey\\": \\"$destinationObjectKey\\",\\n    \\"envFileKey\\": \\"$envFileKey\\"\\n  }\\n}\\nEOF\\ncurl -v -i -X PUT -H 'Content-Type:' -d \\"@payload.json\\" \\"$responseURL\\"\\n              "
+        "\\nSTATUS='SUCCESS'\\nif [ $CODEBUILD_BUILD_SUCCEEDING -ne 1 ] # Test if the build is failing\\nthen\\nSTATUS='FAILED'\\nREASON=\\"NodejsBuild failed. See CloudWatch Log stream for the detailed reason: \\nhttps://$AWS_REGION.console.aws.amazon.com/cloudwatch/home?region=$AWS_REGION#logsV2:log-groups/log-group/\\\\$252Faws\\\\$252Fcodebuild\\\\$252F$projectName/log-events/$CODEBUILD_LOG_PATH\\"\\nfi\\ncat <<EOF > payload.json\\n{\\n  \\"StackId\\": \\"$stackId\\",\\n  \\"RequestId\\": \\"$requestId\\",\\n  \\"LogicalResourceId\\":\\"$logicalResourceId\\",\\n  \\"PhysicalResourceId\\": \\"$logicalResourceId\\",\\n  \\"Status\\": \\"$STATUS\\",\\n  \\"Reason\\": \\"$REASON\\",\\n  \\"Data\\": {\\n    \\"destinationObjectKey\\": \\"$destinationObjectKey\\",\\n    \\"envFileKey\\": \\"$envFileKey\\"\\n  }\\n}\\nEOF\\ncurl -i -X PUT -H 'Content-Type:' -d \\"@payload.json\\" \\"$responseURL\\"\\n              "
       ]
     }
   }
@@ -19200,7 +19230,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 6`] = `
             "Arn",
           ],
         },
-        "Runtime": "python3.11",
+        "Runtime": "python3.13",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",
@@ -19357,7 +19387,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 6`] = `
             "Arn",
           ],
         },
-        "Runtime": "python3.11",
+        "Runtime": "python3.13",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",
@@ -19649,7 +19679,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 6`] = `
             "Arn",
           ],
         },
-        "Runtime": "nodejs20.x",
+        "Runtime": "nodejs22.x",
         "Timeout": 300,
       },
       "Type": "AWS::Lambda::Function",
@@ -20151,6 +20181,7 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 6`] = `
         "SourceObjectKeys": [
           "HASH-REPLACED.zip",
         ],
+        "WaitForDistributionInvalidation": true,
       },
       "Type": "Custom::CDKBucketDeployment",
       "UpdateReplacePolicy": "Delete",
@@ -24012,7 +24043,7 @@ exports[`GenerativeAiUseCases matches the snapshot 2`] = `
             "Arn",
           ],
         },
-        "Runtime": "python3.11",
+        "Runtime": "python3.13",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",
@@ -24545,6 +24576,7 @@ exports[`GenerativeAiUseCases matches the snapshot 2`] = `
         "SourceObjectKeys": [
           "HASH-REPLACED.zip",
         ],
+        "WaitForDistributionInvalidation": true,
       },
       "Type": "Custom::CDKBucketDeployment",
       "UpdateReplacePolicy": "Delete",
@@ -24908,6 +24940,7 @@ exports[`GenerativeAiUseCases matches the snapshot 3`] = `
         "SourceObjectKeys": [
           "HASH-REPLACED.zip",
         ],
+        "WaitForDistributionInvalidation": true,
       },
       "Type": "Custom::CDKBucketDeployment",
       "UpdateReplacePolicy": "Delete",
@@ -25373,7 +25406,7 @@ Automatically detect the language of the user's request and think and answer in
             "Arn",
           ],
         },
-        "Runtime": "python3.11",
+        "Runtime": "python3.13",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",
@@ -38750,6 +38783,7 @@ exports[`GenerativeAiUseCases matches the snapshot 6`] = `
             ],
           },
         ],
+        "WaitForDistributionInvalidation": true,
       },
       "Type": "Custom::CDKBucketDeployment",
       "UpdateReplacePolicy": "Delete",
@@ -38807,7 +38841,7 @@ exports[`GenerativeAiUseCases matches the snapshot 6`] = `
     "post_build": {
       "commands": [
         "echo Build completed on \`date\`",
-        "\\nSTATUS='SUCCESS'\\nif [ $CODEBUILD_BUILD_SUCCEEDING -ne 1 ] # Test if the build is failing\\nthen\\nSTATUS='FAILED'\\nREASON=\\"NodejsBuild failed. See CloudWatch Log stream for the detailed reason: \\nhttps://$AWS_REGION.console.aws.amazon.com/cloudwatch/home?region=$AWS_REGION#logsV2:log-groups/log-group/\\\\$252Faws\\\\$252Fcodebuild\\\\$252F$projectName/log-events/$CODEBUILD_LOG_PATH\\"\\nfi\\ncat <<EOF > payload.json\\n{\\n  \\"StackId\\": \\"$stackId\\",\\n  \\"RequestId\\": \\"$requestId\\",\\n  \\"LogicalResourceId\\":\\"$logicalResourceId\\",\\n  \\"PhysicalResourceId\\": \\"$logicalResourceId\\",\\n  \\"Status\\": \\"$STATUS\\",\\n  \\"Reason\\": \\"$REASON\\",\\n  \\"Data\\": {\\n    \\"destinationObjectKey\\": \\"$destinationObjectKey\\",\\n    \\"envFileKey\\": \\"$envFileKey\\"\\n  }\\n}\\nEOF\\ncurl -v -i -X PUT -H 'Content-Type:' -d \\"@payload.json\\" \\"$responseURL\\"\\n              "
+        "\\nSTATUS='SUCCESS'\\nif [ $CODEBUILD_BUILD_SUCCEEDING -ne 1 ] # Test if the build is failing\\nthen\\nSTATUS='FAILED'\\nREASON=\\"NodejsBuild failed. See CloudWatch Log stream for the detailed reason: \\nhttps://$AWS_REGION.console.aws.amazon.com/cloudwatch/home?region=$AWS_REGION#logsV2:log-groups/log-group/\\\\$252Faws\\\\$252Fcodebuild\\\\$252F$projectName/log-events/$CODEBUILD_LOG_PATH\\"\\nfi\\ncat <<EOF > payload.json\\n{\\n  \\"StackId\\": \\"$stackId\\",\\n  \\"RequestId\\": \\"$requestId\\",\\n  \\"LogicalResourceId\\":\\"$logicalResourceId\\",\\n  \\"PhysicalResourceId\\": \\"$logicalResourceId\\",\\n  \\"Status\\": \\"$STATUS\\",\\n  \\"Reason\\": \\"$REASON\\",\\n  \\"Data\\": {\\n    \\"destinationObjectKey\\": \\"$destinationObjectKey\\",\\n    \\"envFileKey\\": \\"$envFileKey\\"\\n  }\\n}\\nEOF\\ncurl -i -X PUT -H 'Content-Type:' -d \\"@payload.json\\" \\"$responseURL\\"\\n              "
       ]
     }
   }
@@ -40345,7 +40379,7 @@ exports[`GenerativeAiUseCases matches the snapshot 6`] = `
             "Arn",
           ],
         },
-        "Runtime": "python3.11",
+        "Runtime": "python3.13",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",
@@ -40502,7 +40536,7 @@ exports[`GenerativeAiUseCases matches the snapshot 6`] = `
             "Arn",
           ],
         },
-        "Runtime": "python3.11",
+        "Runtime": "python3.13",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",
@@ -40790,7 +40824,7 @@ exports[`GenerativeAiUseCases matches the snapshot 6`] = `
             "Arn",
           ],
         },
-        "Runtime": "nodejs20.x",
+        "Runtime": "nodejs22.x",
         "Timeout": 300,
       },
       "Type": "AWS::Lambda::Function",
@@ -41292,6 +41326,7 @@ exports[`GenerativeAiUseCases matches the snapshot 6`] = `
         "SourceObjectKeys": [
           "HASH-REPLACED.zip",
         ],
+        "WaitForDistributionInvalidation": true,
       },
       "Type": "Custom::CDKBucketDeployment",
       "UpdateReplacePolicy": "Delete",

diff --git a/packages/web/src/hooks/useAgentCoreApi.ts b/packages/web/src/hooks/useAgentCoreApi.ts
@@ -27,6 +27,8 @@ const region = import.meta.env.VITE_APP_REGION as string;
 const modelRegion = import.meta.env.VITE_APP_MODEL_REGION as string;
 const identityPoolId = import.meta.env.VITE_APP_IDENTITY_POOL_ID as string;
 const userPoolId = import.meta.env.VITE_APP_USER_POOL_ID as string;
+const cognitoIdentityPoolProxyEndpoint = import.meta.env
+  .VITE_APP_COGNITO_IDENTITY_POOL_PROXY_ENDPOINT;
 
 // Define simplified request interface for the hook
 export interface AgentCoreRuntimeRequest {
@@ -105,7 +107,12 @@ const useAgentCoreApi = (id: string) => {
         const clientRegion = getRegionFromArn(req.agentRuntimeArn) || region;
 
         // Create the Cognito Identity client
-        const cognito = new CognitoIdentityClient({ region });
+        const cognito = new CognitoIdentityClient({
+          region,
+          ...(cognitoIdentityPoolProxyEndpoint
+            ? { endpoint: cognitoIdentityPoolProxyEndpoint }
+            : {}),
+        });
         const providerName = `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
 
         // Create the BedrockAgentCore client with the determined region