Add VPC deployment support with UDP TURN for AgentCore WebRTC #174
wirjo wants to merge 1 commit into pipecat-ai:main from
This update adds comprehensive VPC deployment support, making UDP TURN relay the recommended configuration for production deployments.

Key changes:

VPC Infrastructure:
- Add setup-vpc.sh script to create VPC with public/private subnets
- Add cleanup-vpc.sh script for VPC resource teardown
- Configure NAT Gateway to enable UDP TURN relay from private subnets
- Create security groups for appropriate network access

IAM Configuration:
- Add setup-iam-role.sh to automatically create execution role
- Update configure.sh to detect and create IAM role if needed
- Include full AgentCore runtime permissions (ECR, CloudWatch, Bedrock, X-Ray)

Documentation:
- Reposition VPC mode as recommended deployment method
- Update README with comprehensive VPC setup instructions
- Add WebRTC connectivity testing guide with browser DevTools
- Add intermediary server and CloudWatch logs monitoring
- Update env.example to use UDP TURN with multiple Cloudflare URLs
- Clarify pipeline architecture (Deepgram, Amazon Nova, Cartesia)

Deployment Scripts:
- Update launch.sh to detect VPC mode and prompt for setup
- Remove project-specific references for clean sample code
- Add VPC configuration validation

Repository Maintenance:
- Update .gitignore for generated files (vpc-config.env, .env, backups)
- Ensure env.example templates remain tracked in git

This enables production-grade deployments with better WebRTC reliability, lower latency, and enhanced security through private subnet isolation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
| ### IAM Configuration | ||
|
|
||
| Configure your IAM user with the necessary policies for AgentCore usage. Start with these: | ||
| Configure your IAM user with the necessary policies for AgentCore deployment: |
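Review bot: the reworded sentence narrows this README section to the IAM user's deployment permissions, but the setup-vpc.sh and cleanup-vpc.sh steps this PR adds need a set of ec2:Create*/Delete* permissions that a reader currently discovers only by failing; list them here, and say explicitly that this user/role is distinct from the AgentCore execution role that setup-iam-role.sh creates, so the two are not conflated.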
Ah I think I get it. So, for my understanding: because now you need new, more specific IAM role configuration for the AgentCore execution, it has become more relevant to distinguish between execution roles and deployment roles, whereas we were sort of being hand-wavy and conflating them before?
Nit: might be worth updating the "overview" comment at the top of the file to include the new work being done by this script.
|
|
||
| ############################################### | ||
| # STEP 1 — Configure agentcore | ||
| # STEP 1 — Check if IAM role needs to be created |
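Review bot: relabelling STEP 1 from "Configure agentcore" to the IAM role check shifts the step numbering, so the overview comment at the top of configure.sh and any later STEP headers need renumbering to match; the header should also name which role is being created (the AgentCore execution role, per the PR description) and whether the step applies in public mode as well as VPC mode, since as written it does not say.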
Just to confirm: if the user working through this demo simply wanted to go the "public mode" (TCP only) route, this new IAM role would still be suitable for that?
Actually, just for my understanding: does the work done by the new setup-iam-role.sh include anything specific to enabling VPC mode, or is it simply to make the execution role setup and assignment explicit rather than silently relying on a default execution role?
If it's the latter, would this script also be recommended for the aws-agentcore-websocket example?
|
|
||
| ```bash | ||
| # First time: Create VPC infrastructure (NAT Gateway costs ~$32/month) | ||
| ./scripts/setup-vpc.sh |
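Review bot: this README step calls ./scripts/setup-vpc.sh without mentioning the EC2 permissions the caller needs (ec2:CreateVpc, ec2:AllocateAddress, ec2:CreateNatGateway and the rest), and each run creates a fresh VPC and Elastic IP, so an iterate-until-permissions-work loop hits VpcLimitExceeded and the address limit; list the permissions in the IAM Configuration section, have the script look up an existing tagged VPC before creating one, and reference ./scripts/cleanup-vpc.sh next to this line, since the ~$32/month NAT Gateway keeps billing until it is torn down.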
At this step, I hit an error related to lacking permission to perform the ec2:CreateVpc action. Might be worth briefly describing how to add this permission in the "Set Up the Environment -> IAM Configuration" of this doc.
I've been trying to get my IAM role set up properly by iteratively running this script, seeing which IAM permissions I'm missing, adding those to the BedrockAgentCoreCLI role (described in the "IAM Configuration" section of this doc), and running the script again.
It appears to attempt to create a new VPC each time, so I hit VpcLimitExceeded pretty quickly.
Some questions:
- Would it be possible to make this script idempotent, so it wouldn't create a new VPC for this particular purpose each time?
- If not, could we add either a section to this doc describing how to tear down the VPC, or include it as part of the destroy.sh script?
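One way to make the setup-vpc.sh flow idempotent, covering both the VPC/NAT Gateway provisioning described in the PR description and the re-run problem raised above. This is an added example, not code from the PR or from Pipecat: every `ensure_*` function looks a resource up by its Name tag before creating it, so a second run after adding a missing IAM permission reuses the existing VPC, Elastic IP and NAT Gateway instead of tripping VpcLimitExceeded or the address limit. The call shapes and response fields match boto3's EC2 client (`describe_vpcs`, `create_vpc`, `allocate_address`, `create_nat_gateway`, and so on); `FakeEC2` is a constructed in-memory stand-in so the example runs offline, and the `agentcore-webrtc` tag prefix and `10.0.0.0/16` CIDR are assumptions, not values from the PR.

```python
"""Find-or-create for the resources setup-vpc.sh provisions.  Added example, not
code from the PR: each ensure_* looks the resource up by its Name tag before
creating it, so re-running after fixing a missing IAM permission reuses what
already exists instead of hitting VpcLimitExceeded or the Elastic IP limit.
Call shapes match boto3's EC2 client; FakeEC2 is a constructed stand-in so the
example runs offline (subnets, routes and security groups follow the same
pattern and are left out for length)."""
import itertools

PROJECT = "agentcore-webrtc"  # assumed tag prefix, not taken from the PR


def _by_name(name, extra=()):
    return [{"Name": "tag:Name", "Values": [name]}, *extra]


def _tags(resource_type, name):
    return [{"ResourceType": resource_type, "Tags": [{"Key": "Name", "Value": name}]}]


def ensure_vpc(ec2, name, cidr):
    """Return (vpc_id, created)."""
    found = ec2.describe_vpcs(Filters=_by_name(name))["Vpcs"]
    if found:
        return found[0]["VpcId"], False
    vpc = ec2.create_vpc(CidrBlock=cidr, TagSpecifications=_tags("vpc", name))["Vpc"]
    return vpc["VpcId"], True


def ensure_eip(ec2, name):
    """Return (allocation_id, created) for the NAT Gateway's Elastic IP."""
    found = ec2.describe_addresses(Filters=_by_name(name))["Addresses"]
    if found:
        return found[0]["AllocationId"], False
    alloc = ec2.allocate_address(Domain="vpc", TagSpecifications=_tags("elastic-ip", name))
    return alloc["AllocationId"], True


def ensure_nat_gateway(ec2, name, subnet_id, allocation_id):
    """Return (nat_gateway_id, created); deleted/deleting gateways do not count."""
    states = [{"Name": "state", "Values": ["pending", "available"]}]
    found = ec2.describe_nat_gateways(Filters=_by_name(name, states))["NatGateways"]
    if found:
        return found[0]["NatGatewayId"], False
    nat = ec2.create_nat_gateway(SubnetId=subnet_id, AllocationId=allocation_id,
                                 TagSpecifications=_tags("natgateway", name))["NatGateway"]
    return nat["NatGatewayId"], True


def provision(ec2, public_subnet_id, project=PROJECT):
    """Run the chain; returns {resource: (id, created)} and is safe to repeat."""
    vpc_id, vpc_new = ensure_vpc(ec2, f"{project}-vpc", "10.0.0.0/16")
    eip_id, eip_new = ensure_eip(ec2, f"{project}-nat-eip")
    nat_id, nat_new = ensure_nat_gateway(ec2, f"{project}-nat", public_subnet_id, eip_id)
    return {"vpc": (vpc_id, vpc_new), "eip": (eip_id, eip_new), "nat": (nat_id, nat_new)}


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"): models only the calls,
    fields and filters used above, plus the default quota of 5 VPCs per region
    so a non-idempotent loop fails the way it did for the reviewer."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.store = {"Vpcs": [], "Addresses": [], "NatGateways": []}

    def _add(self, coll, prefix, id_key, tag_specs, **fields):
        item = {id_key: f"{prefix}-{next(self._ids):017x}", "Tags": tag_specs[0]["Tags"], **fields}
        self.store[coll].append(item)
        return item

    def _select(self, coll, filters):
        def ok(item):
            for f in filters:
                if f["Name"].startswith("tag:"):  # tag:<Key> filter
                    tagged = {t["Value"] for t in item["Tags"] if t["Key"] == f["Name"][4:]}
                    if not tagged & set(f["Values"]):
                        return False
                elif f["Name"] == "state" and item.get("State") not in f["Values"]:
                    return False
            return True
        return [i for i in self.store[coll] if ok(i)]

    def describe_vpcs(self, Filters):
        return {"Vpcs": self._select("Vpcs", Filters)}

    def describe_addresses(self, Filters):
        return {"Addresses": self._select("Addresses", Filters)}

    def describe_nat_gateways(self, Filters):
        return {"NatGateways": self._select("NatGateways", Filters)}

    def create_vpc(self, CidrBlock, TagSpecifications):
        if len(self.store["Vpcs"]) >= 5:
            raise RuntimeError("VpcLimitExceeded")
        return {"Vpc": self._add("Vpcs", "vpc", "VpcId", TagSpecifications, State="available")}

    def allocate_address(self, Domain, TagSpecifications):
        return self._add("Addresses", "eipalloc", "AllocationId", TagSpecifications)

    def create_nat_gateway(self, SubnetId, AllocationId, TagSpecifications):
        return {"NatGateway": self._add("NatGateways", "nat", "NatGatewayId",
                                        TagSpecifications, State="pending", SubnetId=SubnetId)}
```

With a real client (`boto3.client("ec2")`) the `ensure_*` calls run unchanged; the NAT Gateway lookup filters on `state` so a gateway left in `deleted` by cleanup-vpc.sh is recreated rather than reused. cleanup-vpc.sh should use the same tag lookup so it only removes what this prefix created.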
I added this to the BedrockAgentCoreCLI role, and I believe that covers it...
```json
{
  "Sid": "EC2Access",
  "Effect": "Allow",
  "Action": [
    "ec2:CreateVpc",
    "ec2:CreateTags",
    "ec2:ModifyVpcAttribute",
    "ec2:CreateInternetGateway",
    "ec2:AttachInternetGateway",
    "ec2:DescribeAvailabilityZones",
    "ec2:CreateSubnet",
    "ec2:AllocateAddress",
    "ec2:CreateNatGateway",
    "ec2:DescribeNatGateways",
    "ec2:CreateRouteTable",
    "ec2:CreateRoute",
    "ec2:AssociateRouteTable",
    "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupEgress"
  ],
  "Resource": "*"
}
```
I also hit a "maximum number of addresses has been reached" error for elastic IP addresses. Switching to a region where we didn't already have a bunch of elastic IP addresses worked for me. Maybe worth a mention in this doc?
> could we add either a section to this doc describing how to tear down the VPC, or include it as part of the destroy.sh script?

Ah, just noticed cleanup-vpc.sh!
Ah, the cleanup step also requires a slew of permissions as well.
Add these to the above:
```json
"ec2:DeleteNatGateway",
"ec2:ReleaseAddress",
"ec2:DetachInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DeleteSubnet",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVpc"
```
|
|
||
| # Credentials for the TCP TURN servers | ||
| ICE_SERVER_URLS=turn:turn.cloudflare.com:3478?transport=tcp,turn:turn.cloudflare.com:80?transport=tcp,turns:turn.cloudflare.com:5349?transport=tcp,turns:turn.cloudflare.com:443?transport=tcp | ||
| # TURN server configuration (UDP recommended for VPC mode) |
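Review bot: the deleted ICE_SERVER_URLS line was the only record of the TCP/TLS TURN endpoints (turn.cloudflare.com on 3478 and 80 with transport=tcp, turns on 5349 and 443); since public mode is still supported and is TCP-only, keep that line as a commented-out alternative beside the new UDP default and point at the README's "Environment Variables Configuration" section so readers know which to enable for which mode.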
There was a problem hiding this comment.
Might be worth directing the reader here to the README's "Environment Variables Configuration" section, where you discuss how you'd modify this file for VPC v public mode.
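A small checker for the ICE_SERVER_URLS value that env.example carries, to go with the VPC-vs-public guidance requested above. This is an added example, not code from the PR or from Pipecat: it parses each comma-separated `turn:`/`turns:` URL into host, port and transport, applying the RFC 7065 defaults (udp for `turn:`, tcp for `turns:`, ports 3478/5349) when they are omitted, and flags a value that does not fit the chosen mode. The mode rule it encodes (VPC mode relies on a UDP relay through the NAT Gateway, public mode is TCP-only) is taken from this thread; the Cloudflare URLs used as sample input are the ones in the removed line of the diff. STUN-only URLs are out of scope and are rejected.

```python
"""Parse an ICE_SERVER_URLS value in the env.example format into per-server
dicts and check it against the deployment mode.  Added example, not code from
the PR or Pipecat: the mode rule (VPC mode wants a UDP relay, public mode is
TCP-only) is taken from the thread; defaults follow RFC 7065, which makes the
transport udp for turn: and tcp for turns: when ?transport= is absent."""
from urllib.parse import parse_qs

DEFAULT_PORT = {"turn": 3478, "turns": 5349}
DEFAULT_TRANSPORT = {"turn": "udp", "turns": "tcp"}


def parse_turn_url(url):
    """Return {"scheme", "host", "port", "transport"} for one turn:/turns: URL."""
    scheme, _, rest = url.partition(":")
    if scheme not in DEFAULT_PORT:
        raise ValueError(f"not a TURN URL: {url}")
    hostport, _, query = rest.partition("?")
    host, _, port = hostport.rpartition(":")
    if not host:  # no explicit port in the URL
        host, port = hostport, DEFAULT_PORT[scheme]
    transport = parse_qs(query).get("transport", [DEFAULT_TRANSPORT[scheme]])[0].lower()
    if transport not in ("udp", "tcp"):
        raise ValueError(f"unsupported transport in {url}")
    return {"scheme": scheme, "host": host, "port": int(port), "transport": transport}


def parse_ice_server_urls(value):
    """Split the comma-separated env value; blank entries are ignored."""
    return [parse_turn_url(u.strip()) for u in value.split(",") if u.strip()]


def check_mode(value, mode):
    """Return a list of problems for mode "vpc" or "public"; [] means it fits."""
    transports = {s["transport"] for s in parse_ice_server_urls(value)}
    problems = []
    if mode == "vpc" and "udp" not in transports:
        problems.append("VPC mode: no UDP TURN URL, so the NAT Gateway UDP path is never used")
    if mode == "public" and "tcp" not in transports:
        problems.append("public mode is TCP-only: add transport=tcp TURN URLs")
    if mode not in ("vpc", "public"):
        problems.append(f"unknown mode {mode!r}")
    return problems
```

Running `check_mode` against the TCP-only value from the old env.example returns no problems for public mode and one for VPC mode, which is the mismatch a reader switching modes without editing this file would hit.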
Hm, for some reason after following the "VPC mode" steps, I couldn't hear the bot at all (it gets stuck in "connecting")...does it still work for you? Going to try again with public mode, in case something changed out from under us with a recent Pipecat release. I was testing with Pipecat 0.0.103, which was just released.

Also doesn't work for me in public mode...

Downgrading to Pipecat 0.0.99, which the example was initially written with, seems to work. Going to re-test VPC mode with Pipecat 0.0.99.

Works!
Left a bit of minor feedback. Overall, looks great! And work great, too (at least w/Pipecat 0.0.99, which the example was developed with). Pre-emptively approving for when the feedback is addressed.
Our team will look into the not-working-with-Pipecat-0.0.103 issue separately.