feat: add VPC network mode support#545
Merged
Merged
Conversation
Replace the PRIVATE network mode placeholder with VPC across the full CLI stack: schema validation, TUI wizards, CLI flags, template rendering, and CDK config persistence. Schema: - NetworkModeSchema enum: PUBLIC | PRIVATE → PUBLIC | VPC - Add NetworkConfigSchema with subnet/security group ID validation - Cross-field superRefine: VPC requires networkConfig, non-VPC forbids it CLI flags: - Add --network-mode, --subnets, --security-groups to create and add agent - Shared vpc-utils.ts with parseCommaSeparatedList, validateVpcOptions, validateSubnetIds, validateSecurityGroupIds, and VPC_ENDPOINT_WARNING TUI: - VPC prompts in both create (GenerateWizard) and BYO (AddAgentScreen) paths - Inline validation for subnet/SG ID format in TextInput fields - VPC endpoint warning on completion screens Template rendering: - Add isVpc flag to AgentRenderConfig - Skip Exa AI MCP example endpoint in VPC mode (unreachable without NAT) - VPC stubs return None/empty so main.py null-checks work unchanged Data persistence: - AgentPrimitive passes VPC config through both handleCreatePath and handleByoPath to agentcore.json - useAddAgent mappers (mapByoConfigToAgent, mapAddAgentConfigToGenerateConfig) thread VPC fields through TUI path Warnings: - dev command warns about VPC behavior differences in local mode - invoke command warns about VPC endpoint requirements
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
Contributor
Coverage Report
|
aidandaly24
reviewed
Mar 13, 2026
The original VPC commit accidentally replaced three test files instead of appending to them. This restores all existing tests from main and adds VPC-specific tests at the end of each file.
aidandaly24
reviewed
Mar 13, 2026
aidandaly24
previously approved these changes
Mar 13, 2026
aidandaly24
left a comment
aidandaly24
left a comment
Contributor
There was a problem hiding this comment.
Really clean PR, I have one small nit but it is not a necessary update for this PR. LGTM
…pcOptions type - validateVpcOptions now calls validateSubnetIds/validateSecurityGroupIds so the non-interactive CLI path gives friendly format errors instead of falling through to Zod regex failures - CreateOptions, AddAgentOptions, and AgentPrimitive.AddAgentOptions now extend VpcOptions instead of redeclaring networkMode/subnets/securityGroups
aidandaly24
previously approved these changes
Mar 13, 2026
The non-interactive CLI paths had VPC warnings but the TUI screens did not. - DevScreen: warn that local dev runs outside VPC - InvokeScreen: warn about VPC endpoint requirements - Thread networkMode through useInvokeFlow config
The GenerateWizard collected networkMode/subnets/securityGroups but useCreateFlow did not include them when building the GenerateConfig, so agents created via TUI always defaulted to PUBLIC.
aidandaly24
approved these changes
Mar 18, 2026
aidandaly24
left a comment
aidandaly24
left a comment
Contributor
There was a problem hiding this comment.
Thanks for making the update to add the warning. LGTM, approved.
tejaskash
added a commit
that referenced
this pull request
Mar 18, 2026
Resolve merge conflicts between protocol mode and VPC network mode features. Both feature sets are preserved: protocol (HTTP/MCP/A2A) and network mode (PUBLIC/VPC with subnets/securityGroups).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PRIVATEnetwork mode withVPCacross the full CLI stackNetworkConfigSchemawith Zod-validated subnet/security group IDs and cross-field.superRefine()enforcement--network-mode,--subnets,--security-groupsCLI flags tocreateandadd agentcommands with shared validation (vpc-utils.ts)AgentPrimitive.tsxto persist VPC config through bothhandleCreatePathandhandleByoPathtoagentcore.jsondev/invokecommandsVPC_ENDPOINT_WARNINGconstant andparseCommaSeparatedListutility to eliminate duplicationDepends on https://github.com/aws/agentcore-l3-cdk-constructs/pull/80 for CDK construct changes.
Test plan
npm run buildpassesnpm test— 489+ tests pass (schema, validation, mapper, vpc-utils, snapshots)agentcore add agent --name test --network-mode VPC --subnets subnet-12345678 --security-groups sg-12345678 --jsonworksagentcore add agent --name test --network-mode VPC --jsonfails with missing subnets errormcp_client/client.pycontains stub returning None, not Exa endpointmcp_client/client.pystill contains Exa exampleagentcore devwith VPC agent shows local dev warning