AWS DevOps Agent private connections let teams link the agent to internal systems without exposing those systems to the public internet. Built on Amazon VPC Lattice, a private connection gives the agent access to private package registries, self-hosted observability platforms, and internal documentation APIs running inside an Amazon Virtual Private Cloud (Amazon VPC). Telemetry, code, and deployment data stay on a private network path, and the agent gains the context it needs to reduce Mean Time To Repair (MTTR).
How Private Connections Secure Your Infrastructure
Under the hood, a private connection creates a network path between the agent and a target resource in your VPC. The service deploys a managed VPC Lattice resource gateway and provisions elastic network interfaces (ENIs) in the subnets you specify. These ENIs are the entry point for agent traffic into your VPC: connections toward your target originate from them, and they accept no inbound connections from the internet.
The architecture relies on multiple layers of security to protect your internal data and maintain compliance. You retain full control over the network flow through your own configurations.
- No public internet exposure: all traffic stays on the AWS network, so the target service needs neither a public IP address nor an internet gateway.
- Service-controlled resource gateway: the gateway appears in your account as a read-only, service-managed resource that only the agent can use; its activity is recorded in AWS CloudTrail, so you can verify that nothing else is using it.
- Strict security groups: the security groups you attach to the gateway ENIs govern what the gateway can reach, so restrict their outbound rules to the target's address and port. The target's own security group must in turn allow inbound traffic from those ENIs (reference the gateway security group rather than a broad CIDR) or the connection will not work.
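The least-privilege pairing described in the last bullet is easy to get wrong in both directions: a gateway security group that keeps the default allow-all egress, or a target security group that never admits the gateway. The following script is an added example (not code from the page or from AWS) that audits both sides from `aws ec2 describe-security-groups` output. The security group IDs, port, and the sample JSON are constructed for illustration; the field names are those of the real `describe-security-groups` response, and `gateway_egress_rule` produces the shape `aws ec2 authorize-security-group-egress --ip-permissions` accepts.

```python
"""Audit the security-group pair around a resource gateway: the gateway's SG
should reach only the target service port, and the target's SG should admit
the gateway. Input is `aws ec2 describe-security-groups` JSON."""
import json

GATEWAY_SG = "sg-0000000000000001"   # assumed ID: SG attached to the gateway ENIs
TARGET_SG = "sg-0000000000000002"    # assumed ID: SG on the target (e.g. Grafana)
TARGET_PORT = 443

# Constructed sample output of `aws ec2 describe-security-groups`: the gateway
# SG still carries the default allow-all egress rule; the target SG is correct.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0000000000000001",
  "IpPermissions": [],
  "IpPermissionsEgress": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0000000000000002",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
    "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0000000000000001"}]}],
  "IpPermissionsEgress": []}
]}""")


def rule_covers_port(rule, port):
    """True if a rule matches TCP `port` (protocol -1 matches everything)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def gateway_egress_rule(target_sg, port):
    """The single egress rule the gateway SG should carry, in the shape
    `aws ec2 authorize-security-group-egress --ip-permissions` accepts."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": target_sg}]}


def audit_gateway_pair(groups, gateway_sg, target_sg, port):
    """Return a list of findings; an empty list means the pair is least-privilege."""
    by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    gw, tgt = by_id[gateway_sg], by_id[target_sg]
    findings = []

    # Gateway side: every egress rule must point at the target SG on the port.
    reaches_target = False
    for rule in gw.get("IpPermissionsEgress", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            findings.append(f"{gateway_sg}: egress to CIDR {cidr}; scope egress to {target_sg} instead")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != target_sg:
                findings.append(f"{gateway_sg}: egress to unrelated group {pair.get('GroupId')}")
            elif rule.get("IpProtocol") == "-1":
                findings.append(f"{gateway_sg}: all protocols to {target_sg}; restrict to tcp/{port}")
            elif rule_covers_port(rule, port):
                reaches_target = True
    if not reaches_target:
        findings.append(f"{gateway_sg}: no egress rule to {target_sg} on tcp/{port}; the agent cannot reach the target")

    # Target side: the port must admit the gateway SG; CIDR sources are flagged for review.
    admits_gateway = False
    for rule in tgt.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp", r.get("CidrIpv6"))
            findings.append(f"{target_sg}: tcp/{port} open to CIDR {cidr}; confirm this is intended")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == gateway_sg:
                admits_gateway = True
    if not admits_gateway:
        findings.append(f"{target_sg}: no ingress from {gateway_sg} on tcp/{port}; gateway connections will be dropped")
    return findings


def hardened_copy(groups, gateway_sg, target_sg, port):
    """Copy of `groups` with the gateway SG egress replaced by the single scoped rule."""
    fixed = json.loads(json.dumps(groups))
    for g in fixed["SecurityGroups"]:
        if g["GroupId"] == gateway_sg:
            g["IpPermissionsEgress"] = [gateway_egress_rule(target_sg, port)]
    return fixed


if __name__ == "__main__":
    for f in audit_gateway_pair(SAMPLE, GATEWAY_SG, TARGET_SG, TARGET_PORT):
        print("FINDING:", f)
    fixed = hardened_copy(SAMPLE, GATEWAY_SG, TARGET_SG, TARGET_PORT)
    print("after hardening:", audit_gateway_pair(fixed, GATEWAY_SG, TARGET_SG, TARGET_PORT))
```

On the constructed sample the audit reports two findings (allow-all egress to 0.0.0.0/0, and no scoped rule to the target); after the gateway's egress is replaced by the single tcp/443 rule referencing the target group, it reports none. Run it against real output with `aws ec2 describe-security-groups --group-ids <gateway-sg> <target-sg>` once the resource gateway exists.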
Prerequisites for Your Agent Space
Before initiating the setup, you need an active Agent Space in your account. Your target service, such as a Model Context Protocol (MCP) server or observability platform, must be reachable from the VPC at a known private IP address or at a DNS name the VPC can resolve (the examples below use internal hostnames).
You also need to identify one subnet per Availability Zone to host the resource gateway ENIs. For high availability, choose subnets in at least two zones, and prepare up to five security group IDs to attach to these interfaces.
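The prerequisites above are mechanical enough to check before calling the CLI. The script below is an added example (not from the page or AWS) that validates the subnet and security group selection against `aws ec2 describe-subnets` output and then emits the `--mode` document in the same shape the CLI examples on this page use. The VPC, subnet and security group IDs and the sample describe-subnets JSON are constructed; the "one subnet per AZ" and "at most five security groups" rules are the ones stated in the prerequisites.

```python
"""Validate the resource-gateway placement the prerequisites call for (subnets
in the chosen VPC, one subnet per AZ, at most five security groups) and emit the
--mode JSON for `aws devops-agent create-private-connection`."""
import json

MAX_SECURITY_GROUPS = 5  # limit stated in the prerequisites, per gateway ENI

# Constructed `aws ec2 describe-subnets` output with assumed IDs: two usable
# subnets in different AZs, a third duplicating an AZ, and one in another VPC.
SUBNETS = json.loads("""
{"Subnets": [
 {"SubnetId": "subnet-0000000000000aaaa", "VpcId": "vpc-00000000000000001", "AvailabilityZone": "us-east-1a"},
 {"SubnetId": "subnet-0000000000000bbbb", "VpcId": "vpc-00000000000000001", "AvailabilityZone": "us-east-1b"},
 {"SubnetId": "subnet-0000000000000cccc", "VpcId": "vpc-00000000000000001", "AvailabilityZone": "us-east-1a"},
 {"SubnetId": "subnet-0000000000000dddd", "VpcId": "vpc-00000000000000002", "AvailabilityZone": "us-east-1a"}
]}""")


def build_mode(host_address, vpc_id, subnet_ids, security_group_ids, subnets, port_ranges=None):
    """Return (mode_dict, warnings). Raises ValueError on a hard prerequisite failure."""
    by_id = {s["SubnetId"]: s for s in subnets["Subnets"]}
    warnings = []
    az_for = {}  # AZ -> subnet already chosen for it
    for sid in subnet_ids:
        s = by_id.get(sid)
        if s is None:
            raise ValueError(f"{sid}: not returned by describe-subnets")
        if s["VpcId"] != vpc_id:
            raise ValueError(f"{sid}: belongs to {s['VpcId']}, not {vpc_id}")
        az = s["AvailabilityZone"]
        if az in az_for:
            raise ValueError(f"{sid}: {az} is already covered by {az_for[az]} (one subnet per AZ)")
        az_for[az] = sid
    if not az_for:
        raise ValueError("at least one subnet is required")
    if len(az_for) < 2:
        warnings.append("single AZ: the gateway has no failover; add a subnet in a second AZ")
    if not 1 <= len(security_group_ids) <= MAX_SECURITY_GROUPS:
        raise ValueError(f"{len(security_group_ids)} security groups given; 1..{MAX_SECURITY_GROUPS} allowed")
    create = {"vpcId": vpc_id, "subnetIds": list(subnet_ids),
              "securityGroupIds": list(security_group_ids)}
    if port_ranges:
        # Same shape as the Grafana example on this page: a list of strings.
        create["portRanges"] = [str(p) for p in port_ranges]
    mode = {"serviceManaged": {"hostAddress": host_address,
                               "resourceGatewayConfig": {"create": create}}}
    return mode, warnings


def create_command(name, mode):
    """argv for the CLI call shown on the page, with --mode passed as JSON."""
    return ["aws", "devops-agent", "create-private-connection",
            "--name", name, "--mode", json.dumps(mode)]


if __name__ == "__main__":
    mode, warnings = build_mode("grafana.internal.example.com", "vpc-00000000000000001",
                                ["subnet-0000000000000aaaa", "subnet-0000000000000bbbb"],
                                ["sg-00000000000000001"], SUBNETS, port_ranges=[443])
    for w in warnings:
        print("WARNING:", w)
    print(" ".join(create_command("grafana-connection", mode)))
```

A single-AZ selection is allowed but produces a warning, while a subnet from another VPC, two subnets in the same AZ, or more than five security groups stop the script before anything is provisioned.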
How to Create a Private Connection via AWS CLI
You can establish this secure link using the AWS Command Line Interface (AWS CLI). Run the following command to provision the connection, ensuring you replace the placeholder values with your specific VPC and subnet IDs.
aws devops-agent create-private-connection \
--name my-test-private-connection \
--mode '{
"serviceManaged": {
"hostAddress": "mymcpserver.test.skipv5.net",
"resourceGatewayConfig": {
"create": {
"vpcId": "vpc-00ef99bef2632b9ac",
"subnetIds": [
"subnet-034f636837473de13",
"subnet-00bdfb9edf7cc1ca7"
],
"securityGroupIds": [
"sg-082788aaec0517905"
]
}
}
}
}'

Once executed, the command returns a status indicating that creation is in progress. Monitor the deployment with the describe command to see when the network path is ready.
aws devops-agent describe-private-connection \
--name my-test-private-connection

When the status changes to Completed, the network path is operational. Verify it end to end by starting a new chat session in your Agent Space and invoking a command that relies on the private integration.
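Provisioning the gateway and its ENIs takes time, and a connection that never reaches Completed (typically because of a subnet or security group problem) should fail a deployment script rather than hang it. The following poll loop is an added example, not code from the page or from AWS. It assumes the describe command's JSON output carries a top-level "status" key whose ready value is the Completed the page shows; the failure state names in FAILED are assumptions to be adjusted to what your describe output actually reports.

```python
"""Poll `aws devops-agent describe-private-connection` until the connection is
usable, with a deadline so a stuck rollout fails loudly instead of hanging."""
import json
import subprocess
import time

READY = "Completed"              # status value the page shows for a usable connection
# Assumed terminal failure states: the page documents only "Completed"; extend
# this set with whatever your describe output actually reports.
FAILED = {"Failed", "Deleted"}


def cli_status(name, run=subprocess.run):
    """One describe call; assumes the JSON output has a top-level "status" key."""
    result = run(["aws", "devops-agent", "describe-private-connection",
                  "--name", name, "--output", "json"],
                 capture_output=True, text=True, check=True)
    return json.loads(result.stdout)["status"]


def wait_until_ready(name, status_of=cli_status, timeout_s=900, interval_s=15,
                     clock=time.monotonic, sleep=time.sleep):
    """Return the list of observed statuses, ending in READY; raise on failure or timeout."""
    deadline = clock() + timeout_s
    seen = []
    while True:
        status = status_of(name)
        seen.append(status)
        if status == READY:
            return seen
        if status in FAILED:
            raise RuntimeError(f"{name}: connection entered {status} after {seen}")
        if clock() >= deadline:
            raise TimeoutError(f"{name}: still {status} after {timeout_s}s; "
                               "check the subnet and security group configuration")
        sleep(interval_s)


if __name__ == "__main__":
    print(wait_until_ready("my-test-private-connection"))
```

The `status_of`, `clock` and `sleep` parameters exist so the loop can be exercised without the CLI; in production the defaults call the real command and wait between polls.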
Actionable Guide: Connecting to a Self-Hosted Grafana Instance
One of the most common use cases is linking the agent to a self-hosted Grafana instance (v9.1 or later) running inside a VPC. The service provides a dedicated integration that hosts the official open-source Grafana MCP server on your behalf, so you do not have to run MCP infrastructure yourself.
Follow these steps in order to configure the integration and grant the agent read-only access to your dashboards and alerts.
- Create a service account in your Grafana instance with the Viewer role and generate a token for it. The Viewer role is what keeps the agent read-only; treat the token as a credential and keep it out of shell history and version control.
- Create a private connection targeting your Grafana instance's internal address using the AWS CLI.
aws devops-agent create-private-connection \
--name grafana-connection \
--mode '{
"serviceManaged": {
"hostAddress": "grafana.internal.example.com",
"resourceGatewayConfig": {
"create": {
"vpcId": "vpc-0123456789abcdef0",
"subnetIds": [
"subnet-0123456789abcdef0",
"subnet-0123456789abcdef1"
],
"portRanges": ["443"]
}
}
}
}'

- Register the Grafana service with your instance URL and the service account token. In the example below tokenValue is left empty; supply the token you generated.
aws devops-agent register-service \
--service mcpservergrafana \
--private-connection-name grafana-connection \
--service-details '{
"mcpservergrafana": {
"name": "grafana",
"endpoint": "https://grafana.internal.example.com",
"authorizationConfig": {
"bearerToken": {
"tokenName": "grafana-sa-token",
"tokenValue": ""
}
}
}
}' \
--region us-east-1

- Associate the registered service with your Agent Space using the service ID the command returns.
- Optionally, configure a webhook contact point in Grafana so that alerts automatically trigger agent investigations.
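The register-service step above puts the Grafana token in the --service-details argument, which means it lands in shell history and is visible to anyone who can list processes. The script below is an added example (not from the page or AWS) of the same registration done without the token on the command line: it reads the token from an environment variable (assumed name GRAFANA_SA_TOKEN), writes the service-details document to a temp file that only the owner can read, passes it with the AWS CLI's file:// parameter syntax, and deletes the file afterwards. The JSON structure is the one shown on the page; that the CLI prints JSON containing the service ID is an assumption.

```python
"""Register the Grafana MCP service without putting the service-account token
on the command line: the token is read from the environment, written to a
0600 temp file, passed to the CLI via file://, and removed afterwards."""
import json
import os
import stat
import subprocess
import tempfile

TOKEN_ENV = "GRAFANA_SA_TOKEN"   # assumed variable name; populate it from your secrets store


def service_details(endpoint, token, token_name="grafana-sa-token"):
    """Same structure as the page's --service-details JSON, with the token filled in."""
    return {"mcpservergrafana": {
        "name": "grafana",
        "endpoint": endpoint,
        "authorizationConfig": {"bearerToken": {"tokenName": token_name,
                                                "tokenValue": token}}}}


def write_private_json(obj, directory=None):
    """Write obj as JSON to a temp file only the owner can read; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fh.fileno(), stat.S_IRUSR | stat.S_IWUSR)  # 0600 before any byte lands
            json.dump(obj, fh)
    except BaseException:
        os.unlink(path)
        raise
    return path


def is_owner_only(path):
    """True if the file exists and grants no permission bits to group or others."""
    try:
        return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0
    except FileNotFoundError:
        return False


def register_argv(connection, details_path, region):
    """argv for the page's register-service call; file:// keeps the token out of argv."""
    return ["aws", "devops-agent", "register-service",
            "--service", "mcpservergrafana",
            "--private-connection-name", connection,
            "--service-details", f"file://{details_path}",
            "--region", region]


def register(connection, endpoint, region, environ=os.environ, run=subprocess.run):
    """Run register-service; return the parsed CLI output (assumed to be JSON)."""
    token = environ.get(TOKEN_ENV)
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set; export the Grafana service-account token first")
    path = write_private_json(service_details(endpoint, token))
    try:
        if not is_owner_only(path):
            raise RuntimeError(f"{path} is readable by others; refusing to proceed")
        result = run(register_argv(connection, path, region),
                     capture_output=True, text=True, check=True)
    finally:
        os.unlink(path)          # never leave the token on disk
    return json.loads(result.stdout)


if __name__ == "__main__":
    out = register("grafana-connection", "https://grafana.internal.example.com", "us-east-1")
    print(json.dumps(out, indent=2))
```

The `environ` and `run` parameters are injection points for testing; the defaults use the real process environment and invoke the AWS CLI. The file is created with 0600 permissions and re-checked before the CLI is invoked, so a misconfigured umask or a shared temp directory cannot silently widen access to the token.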
Advanced Setup and Resource Cleanup
For organizations already using Amazon VPC Lattice, you can deploy a self-managed connection instead. In this mode you supply the Amazon Resource Name (ARN) of an existing VPC Lattice resource configuration rather than having the agent create a resource gateway for you.
This approach suits hub-and-spoke network architectures and environments that need finer-grained access control over the shared resource configuration. Resource gateways and their ENIs incur ongoing charges, so delete private connections you no longer need.
aws devops-agent delete-private-connection \
--name my-test-private-connection

The Strategic Edge of Secure AI Operations
Private connections for the AWS DevOps Agent mark a maturity milestone for cloud-native operations. By building on Amazon VPC Lattice, AWS has removed much of the friction between using AI-driven operations and maintaining a strict security posture: teams no longer have to choose between exposing internal tools to the public internet and missing out on automated incident investigation.
The seamless integration with the Model Context Protocol (MCP) is particularly noteworthy. By allowing the agent to securely query self-hosted platforms like Grafana or internal GitLab instances, the agent transforms from a generic assistant into a deeply contextualized operations teammate. This direct access to internal telemetry and documentation is what ultimately drives down the Mean Time To Repair (MTTR) during critical outages.
Looking ahead, this architecture sets a pattern for how AI agents interact with enterprise environments. Service-linked roles scoped to least privilege and read-only resource gateways give security teams something concrete to review and approve. As more organizations adopt custom MCP servers, this networking foundation will be the enabler for scaling AI-driven site reliability engineering (SRE) tasks across complex, multi-cloud infrastructures.