Menu
InfoQ Architecture·July 15, 2026

Self-Hosted Control Plane for AI Model Access and Governance: The Claude Apps Gateway

AWS has launched the Claude Apps Gateway, a self-hosted control plane designed to centralize access, cost, and policy management for Claude Code and Claude Desktop within enterprise environments. This gateway routes AI inference requests, replaces disparate credential management, and offers robust features for identity, policy enforcement, telemetry, routing, and spend caps. It represents a significant architectural shift towards vendor-provided, enterprise-grade control layers for AI tooling.

Read original on InfoQ Architecture

Architectural Shift in AI Tool Governance

The release of the Claude Apps Gateway by AWS, following Anthropic's own introduction, signals a notable shift in the architectural landscape for managing enterprise AI tools. Traditionally, control layers for AI access, policy, and cost attribution were handled by third-party gateways or in-house solutions. This move by major AI model providers like Anthropic (with AWS and Google Cloud offering deployment guidance) demonstrates a push towards first-party infrastructure for these critical governance functions, shipping as part of the client binary.

Key Responsibilities of the Claude Apps Gateway

The Claude Apps Gateway functions as a single, stateless container, typically deployed on platforms like Amazon ECS, EKS, or EC2 behind an internal Application Load Balancer. It utilizes Amazon RDS for PostgreSQL to manage short-lived sign-in state and rate-limit counters. Its core responsibilities are critical for enterprise adoption of AI tools:

  • Identity Management: Acts as an OpenID Connect relying party, facilitating single sign-on (SSO) and issuing short-lived tokens. Sessions automatically expire if a user is removed from the identity provider.
  • Policy Enforcement: Administrators define managed settings (allowed models, tool permissions, defaults) scoped by identity provider groups, preventing local overrides by developers.
  • Telemetry: Clients stamp usage metrics on every request, which the gateway relays via OpenTelemetry Protocol to a configurable collector (e.g., CloudWatch, Prometheus).
  • Routing & Failover: Holds upstream credentials and forwards requests to AI models (Amazon Bedrock, Claude Platform, Google Cloud's Agent Platform, Microsoft Foundry, Anthropic API) with optional failover across AWS Regions or accounts.
  • Spend Caps: Enforces daily, weekly, and monthly limits per organization, group, or user, blocking requests when limits are exceeded, addressing a significant barrier to enterprise AI adoption.
💡

Stateless vs. Stateful Components

The gateway itself is stateless, relying on Amazon RDS for PostgreSQL to manage its short-lived state (sign-in state, rate-limit counters). This separation of concerns allows for easier scaling and resilience of the gateway instances, while leveraging a managed database for persistent state management.

AWSAI GatewayControl PlaneAnthropic ClaudeIdentity ManagementPolicy EnforcementCost ManagementDistributed Systems

Comments

Loading comments...