Control AI Agents' Access to Internet Domains


AI agents capable of browsing the web open powerful possibilities—from research automation to real-time data gathering. However, giving an AI agent unrestricted internet access raises security and compliance concerns. What happens if the agent accesses unauthorized websites? How can sensitive data be protected from being exfiltrated to external domains?

Amazon Bedrock AgentCore provides managed tools that enable AI agents to interact with the web, execute code, and host agents. When deployed in an Amazon Virtual Private Cloud (Amazon VPC), you can control tool network access using AWS Network Firewall to implement domain-based filtering. AWS Network Firewall also offers managed rules to help reduce access to botnets, known-malware domains, and other high-risk resources.

This post shows how to configure AWS Network Firewall to restrict AgentCore resources to an allowlist of approved internet domains. You can use this architecture to permit access only to specified domains, such as wikipedia.org and stackoverflow.com, and to explicitly block certain categories, such as social media sites, using rule templates. Logging connection attempts supports audit and compliance alignment, and a default-deny policy can be applied to any domain that is not specified.

The focus of this post is on domain-level filtering using SNI inspection—the first layer of a defense-in-depth approach. For DNS-level filtering and content inspection techniques, see the section on 'Going further' at the end of this post. For inbound access control, you can also refer to Resource-based policies for Amazon Bedrock AgentCore.

Enterprise security requirements demand strict network ingress and egress control from customers deploying AI agents in regulated industries. Enterprise organizations with high security requirements, and teams conducting security reviews of AI agent deployments, consistently ask about network isolation and egress control, and they require detailed explanations of how agent traffic is managed and audited.

The solution deploys AgentCore Browser in a private subnet with no direct internet access. Outbound traffic routes through AWS Network Firewall, which inspects TLS SNI headers to determine the destination domain and apply filtering rules. Through its integration with Amazon CloudWatch, you can also monitor the actions Network Firewall takes to restrict traffic.
