What is Bedrock AgentCore Runtime?

It's AWS's managed service for deploying voice and text agents with low-latency responses. It maintains a warm pool of pre-provisioned VMs to ensure quick invocation times. The trade-off: those VMs refresh their container images regularly, which can generate surprising S3 and NAT Gateway costs if not properly isolated with VPC endpoints.

Do I need an S3 Gateway Endpoint in every VPC?

Yes, if your VPC has private subnets and a NAT Gateway. It's free and eliminates data transfer charges for any S3 traffic. If you're not using S3, it won't hurt anything. If you are using S3 (and you probably are), not having one is leaving money on the table every single day.

Will this happen with other AWS services running in VPCs?

Absolutely. Any service that pulls container images from ECR—Lambda with container images, ECS, AppRunner—will generate the same S3 traffic. Anything that downloads data from S3 within a private subnet will route through your NAT Gateway and cost money unless you have a Gateway Endpoint in place.

☁️ Cloud & Databases

AWS Bedrock AgentCore Ate My NAT Gateway Budget—Here's Why

A voice agent on AWS Bedrock AgentCore Runtime racked up $29 in NAT Gateway charges in six days—almost entirely from invisible S3 traffic. Here's what actually happened, and why your VPC setup is probably vulnerable to the same surprise.

Open Source Beat Apr 03, 2026 5 min read 17 views

AWS CloudWatch metrics showing inbound NAT Gateway traffic spike with S3 IP addresses identified in VPC Flow Logs

⚡ Key Takeaways

Bedrock AgentCore Runtime's warm pool continuously recycles container images from S3, generating massive hidden data transfer costs through NAT Gateways 𝕏
A free S3 Gateway VPC Endpoint completely eliminates this cost and should be standard infrastructure for any VPC with private subnets 𝕏
This pattern affects all containerized workloads on AWS—the problem isn't Bedrock-specific, it's systemic and largely undocumented 𝕏

Published by

Open Source Beat

Community-driven. Code-first.

#aws-vpc-costs #bedrock-agentcore #container-image-optimization #nat-gateway-billing #s3-gateway-endpoint

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Dev.to

⚡ Key Takeaways

The 60-Second TL;DR

Open Source Beat

Share this article

Worth sharing?

Related Stories

Claude Edges OpenAI in the 2026 Agent SDK Wars—Here's Why After Building Them All

MLOps to LLMOps: Why AWS Teams Are Still Fumbling Production AI

Stop Watching Tutorials: Your First Gemini API Project Takes 15 Minutes

Why Deterministic Workflows Beat LLM-Powered Routing: The Claude Sub-agents vs. duckflux Case

Stay in the loop