AWS Architecture Blog · November 19, 2025

Building an AI Gateway for Amazon Bedrock with AWS API Gateway

This article details a reference architecture for an AI gateway using Amazon API Gateway to control access to Amazon Bedrock. The design focuses on implementing critical enterprise governance features like authorization, quota management, tenant isolation, and cost control for generative AI applications. It leverages managed AWS services to provide a scalable and transparent solution for integrating foundation models.

Read original on AWS Architecture Blog

Enterprises building generative AI applications often face challenges in governing foundation model usage, requiring robust mechanisms for authorization, quota management, and cost control. This article presents a reusable reference architecture for an AI gateway that addresses these concerns by placing Amazon API Gateway in front of Amazon Bedrock.

Core Architecture Components

The proposed AI gateway architecture relies on several AWS services to provide granular control and a transparent experience for client applications. The key components include:

  1. Amazon API Gateway: Acts as the primary entry point, offering features like request authorization, throttling, lifecycle management, and canary releases.
  2. AWS Lambda Authorizer: Handles custom authorization logic, such as validating JWT tokens against existing identity systems.
  3. Lambda Integration: A dynamic request forwarder that signs incoming requests with AWS credentials and routes them to the appropriate Amazon Bedrock endpoints. This design ensures the gateway supports current and future Bedrock APIs without code changes.
  4. Amazon Bedrock: Provides access to various foundation models and AI capabilities.
  5. Amazon Route 53 (optional): Manages custom domain routing for client access.
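A sketch of the Lambda authorizer from item 2, added here as an example and not taken from the original article or the AWS reference code. It assumes a TOKEN-type authorizer event, HS256 tokens with a shared secret (to stay stdlib-only), and hypothetical `sub`/`tenant` claims; `mint` is a helper that builds constructed test tokens.

```python
import base64, hashlib, hmac, json, time

# Assumption: HS256 with a shared secret keeps this stdlib-only; a production
# authorizer would verify RS256/ES256 tokens against the identity provider's JWKS.
SECRET = b"constructed-demo-secret"  # constructed value, not a real key

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims, header=None):
    """Build a constructed test token (stands in for the identity provider)."""
    head = _b64e(json.dumps(header or {"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify(token, now=None):
    """Return the claims when the token is valid, otherwise None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin alg; rejects "none"
            return None
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):  # constant-time compare
            return None
        claims = json.loads(_b64d(body))
        if claims["exp"] <= (now or time.time()):  # expired tokens fail closed
            return None
        return claims if claims["sub"] and claims["tenant"] else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # any malformed input is treated as unauthenticated

def handler(event, context=None):
    """Authorizer entry point: Allow only the called method, pass the tenant on."""
    raw = event.get("authorizationToken", "")
    claims = verify(raw[7:] if raw.startswith("Bearer ") else raw)
    policy = {"Version": "2012-10-17", "Statement": [{
        "Action": "execute-api:Invoke",
        "Effect": "Allow" if claims else "Deny",
        "Resource": event["methodArn"]}]}
    out = {"principalId": str(claims["sub"]) if claims else "anonymous",
           "policyDocument": policy}
    if claims:  # authorizer context reaches the integration, e.g. for per-tenant quotas
        out["context"] = {"tenantId": str(claims["tenant"])}
    return out
```

Scoping the policy to `event["methodArn"]` instead of a wildcard keeps a cached authorizer result from granting access to other routes.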

Architectural Benefit: Transparency

The transparency to client applications is a significant benefit. Clients can use standard AWS SDKs to interact with Amazon Bedrock, while the AI gateway transparently handles governance aspects like authorization and quota management behind the scenes.

Request Flow and Future-Proofing

When a client makes an Amazon Bedrock API call to the AI gateway endpoint, the Lambda integration function captures the original request details, applies AWS Signature Version 4 authentication, and forwards it to the correct Amazon Bedrock service endpoint. This approach allows the gateway to adapt to new Bedrock features without requiring specific API knowledge or code updates, minimizing maintenance overhead as the platform evolves.

```yaml
Parameters:
  # PRIVATE endpoints are reachable only through VPC endpoints; REGIONAL endpoints are internet-facing.
  EndpointType:
    Type: String
    Default: PRIVATE
    AllowedValues: [PRIVATE, REGIONAL]
    Description: API Gateway endpoint accessibility (PRIVATE or REGIONAL)
  # The Lambda authorizer is off by default; set to 'true' to enable it.
  EnableAuthorizer:
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']
    Description: Enable Lambda Authorizer for API Gateway
  CustomDomain:
    Type: String
    Default: ''
    Description: Custom domain name for API Gateway (optional)
Outputs:
  GatewayUrl:
    Description: The URL of the API Gateway endpoint
    Value: !GetAtt ApiGateway.Outputs.ApiEndpoint
```