Add VPC deployment support with UDP TURN for AgentCore WebRTC #174

Open

wirjo wants to merge 1 commit into pipecat-ai:main from wirjo:main

Conversation

@wirjo wirjo commented Jan 26, 2026

This update adds comprehensive VPC deployment support, making UDP TURN relay the recommended configuration for production deployments.

Key changes:

VPC Infrastructure:

  • Add setup-vpc.sh script to create VPC with public/private subnets
  • Add cleanup-vpc.sh script for VPC resource teardown
  • Configure NAT Gateway to enable UDP TURN relay from private subnets
  • Create security groups for appropriate network access

IAM Configuration:

  • Add setup-iam-role.sh to automatically create execution role
  • Update configure.sh to detect and create IAM role if needed
  • Include full AgentCore runtime permissions (ECR, CloudWatch, Bedrock, X-Ray)

Documentation:

  • Reposition VPC mode as recommended deployment method
  • Update README with comprehensive VPC setup instructions
  • Add WebRTC connectivity testing guide with browser DevTools
  • Add intermediary server and CloudWatch logs monitoring
  • Update env.example to use UDP TURN with multiple Cloudflare URLs
  • Clarify pipeline architecture (Deepgram, Amazon Nova, Cartesia)

Deployment Scripts:

  • Update launch.sh to detect VPC mode and prompt for setup
  • Remove project-specific references for clean sample code
  • Add VPC configuration validation

Repository Maintenance:

  • Update .gitignore for generated files (vpc-config.env, .env, backups)
  • Ensure env.example templates remain tracked in git

This enables production-grade deployments with better WebRTC reliability, lower latency, and enhanced security through private subnet isolation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

### IAM Configuration

Configure your IAM user with the necessary policies for AgentCore usage. Start with these:
Configure your IAM user with the necessary policies for AgentCore deployment:
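Review bot: this README sentence now covers only the IAM user's deployment policies, while the same PR introduces a separate execution role created by setup-iam-role.sh; add a line here that distinguishes the two identities (the user or role that runs the scripts versus the runtime execution role AgentCore assumes) and state that the VPC scripts additionally need ec2 permissions, such as ec2:CreateVpc, on the deployment identity, which the policy list in this section does not grant.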
@kompfner kompfner Feb 22, 2026

Ah I think I get it. So, for my understanding: because now you need new, more specific IAM role configuration for the AgentCore execution, it has become more relevant to distinguish between execution roles and deployment roles, whereas we were sort of being hand-wavy and conflating them before?

Contributor

Nit: might be worth updating the "overview" comment at the top of the file to include the new work being done by this script.


###############################################
# STEP 1 — Configure agentcore
# STEP 1 — Check if IAM role needs to be created
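Review bot: the new step comment only says the role is checked; state what the script does when the role already exists (reuse rather than recreate) and whether this check also runs in public mode, so a reader taking the TCP-only route knows the generated role covers them. If the "Configure agentcore" step this header replaces is retained, renumber it so the STEP headers stay sequential.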
Contributor

Just to confirm: if the user working through this demo simply wanted to go the "public mode" (TCP only) route, this new IAM role would still be suitable for that?

Contributor

Actually, just for my understanding: does the work done by the new setup-iam-role.sh include anything specific to enabling VPC mode, or is it simply to make the execution role setup and assignment explicit rather than silently relying on a default execution role?

If it's the latter, would this script also be recommended for the aws-agentcore-websocket example?


```bash
# First time: Create VPC infrastructure (NAT Gateway costs ~$32/month)
./scripts/setup-vpc.sh
```
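Review bot: the comment calls this a "first time" step, but nothing in the documented flow prevents a second run from creating another VPC (the thread reports VpcLimitExceeded after repeated runs). Have setup-vpc.sh look up an existing VPC by tag and reuse it before calling create-vpc, and next to this command mention the ec2 permissions the deployment identity needs, the regional Elastic IP quota that the NAT Gateway allocation can exhaust, and that cleanup-vpc.sh is the teardown path.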
Contributor

At this step, I hit an error related to lacking permission to perform the ec2:CreateVpc action. Might be worth briefly describing how to add this permission in the "Set Up the Environment -> IAM Configuration" of this doc.

Contributor

I've been trying to get my IAM role set up properly by iteratively running this script, seeing which IAM permissions I'm missing, adding those to the BedrockAgentCoreCLI role (described in the "IAM Configuration" section of this doc), and running the script again.

It appears to attempt to create a new VPC each time, so I hit VpcLimitExceeded pretty quickly.

Some questions:

  • Would it be possible to make this script idempotent, so it wouldn't create a new VPC for this particular purpose each time?
  • If not, could we add either a section to this doc describing how to tear down the VPC, or include it as part of the destroy.sh script?

Contributor

I added this to the BedrockAgentCoreCLI role, and I believe that covers it...

```json
{
  "Sid": "EC2Access",
  "Effect": "Allow",
  "Action": [
    "ec2:CreateVpc",
    "ec2:CreateTags",
    "ec2:ModifyVpcAttribute",
    "ec2:CreateInternetGateway",
    "ec2:AttachInternetGateway",
    "ec2:DescribeAvailabilityZones",
    "ec2:CreateSubnet",
    "ec2:AllocateAddress",
    "ec2:CreateNatGateway",
    "ec2:DescribeNatGateways",
    "ec2:CreateRouteTable",
    "ec2:CreateRoute",
    "ec2:AssociateRouteTable",
    "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupEgress"
  ],
  "Resource": "*"
}
```

Contributor

I also hit a "maximum number of addresses has been reached" error for elastic IP addresses. Switching to a region where we didn't already have a bunch of elastic IP addresses worked for me. Maybe worth a mention in this doc?
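Two of the comments above describe failure modes of setup-vpc.sh that can be checked before anything is created: a repeated run making a fresh VPC each time until VpcLimitExceeded, and the NAT Gateway's Elastic IP allocation failing once the regional address quota is reached. The following shell script is an added example written for this review; it is not the PR's setup-vpc.sh or any code from the pipecat-ai project. It assumes the VPC is identified by a Name tag whose default value pipecat-agentcore-vpc is hypothetical, that the AWS CLI is on PATH with the ec2 permissions listed in this thread, and that the Elastic IP quota is the AWS regional default of 5 unless EIP_QUOTA is set.

```shell
#!/bin/sh
# Added example (not the PR's setup-vpc.sh): look up a VPC by Name tag before
# creating one, and check Elastic IP headroom before allocating a NAT Gateway EIP.
# Assumptions: the tag value "pipecat-agentcore-vpc" is hypothetical, the AWS CLI
# is on PATH, and EIP_QUOTA defaults to the AWS per-region default of 5.

VPC_NAME="${VPC_NAME:-pipecat-agentcore-vpc}"   # hypothetical tag value
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"             # constructed sample CIDR

# Print the id of the VPC tagged Name=<arg>, or nothing when none exists.
# With --output text an empty JMESPath result prints the literal "None", so it is filtered out.
find_vpc_by_name() {
  aws ec2 describe-vpcs \
    --filters "Name=tag:Name,Values=$1" \
    --query 'Vpcs[0].VpcId' --output text | grep -v '^None$' || true
}

# Reuse the tagged VPC if present; otherwise create and tag one. Prints the VPC id.
# Running this twice therefore returns the same id instead of hitting VpcLimitExceeded.
find_or_create_vpc() {
  existing=$(find_vpc_by_name "$1")
  if [ -n "$existing" ]; then
    echo "reusing existing VPC $existing" >&2
    echo "$existing"
    return 0
  fi
  aws ec2 create-vpc --cidr-block "$2" \
    --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=$1}]" \
    --query 'Vpc.VpcId' --output text
}

# Succeed only if at least one Elastic IP can still be allocated in this region,
# so the NAT Gateway step fails early with a clear message instead of
# "maximum number of addresses has been reached" halfway through.
eip_headroom_ok() {
  used=$(aws ec2 describe-addresses --query 'length(Addresses)' --output text)
  if [ "$used" -ge "${EIP_QUOTA:-5}" ]; then
    echo "Elastic IP quota reached ($used/${EIP_QUOTA:-5}); release one or switch region" >&2
    return 1
  fi
  return 0
}

# Usage (run with RUN_VPC_SETUP=1): check headroom, obtain the VPC id and persist it
# for the later subnet/NAT steps. Guarded so the file can be sourced without side effects.
if [ "${RUN_VPC_SETUP:-0}" = "1" ]; then
  eip_headroom_ok || exit 1
  VPC_ID=$(find_or_create_vpc "$VPC_NAME" "$VPC_CIDR") || exit 1
  echo "VPC_ID=$VPC_ID" > vpc-config.env
fi
```

Running it with RUN_VPC_SETUP=1 performs the checks and writes the id to vpc-config.env; sourcing it only defines the functions. Because the lookup keys off a tag, the delete actions in the policy posted above do not have to stay on Resource "*": an ec2:ResourceTag condition on the same Name tag limits cleanup-vpc.sh to the VPC this demo created rather than any VPC in the account.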

Contributor

> could we add either a section to this doc describing how to tear down the VPC, or include it as part of the destroy.sh script?

Ah, just noticed cleanup-vpc.sh!

Contributor

@kompfner kompfner Feb 22, 2026

Ah, the cleanup step requires a slew of permissions as well.

Add these to the above:

```json
"ec2:DeleteNatGateway",
"ec2:ReleaseAddress",
"ec2:DetachInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DeleteSubnet",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVpc"
```


# Credentials for the TCP TURN servers
ICE_SERVER_URLS=turn:turn.cloudflare.com:3478?transport=tcp,turn:turn.cloudflare.com:80?transport=tcp,turns:turn.cloudflare.com:5349?transport=tcp,turns:turn.cloudflare.com:443?transport=tcp
# TURN server configuration (UDP recommended for VPC mode)
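Review bot: the new heading says UDP is recommended for VPC mode, but the ICE_SERVER_URLS value immediately above still lists only transport=tcp entries, and the "Credentials for" comment describes URLs rather than credentials. Make the default value match the recommendation (or show the UDP and TCP lists side by side with the unused one commented out) and point the reader to the README's "Environment Variables Configuration" section for when to switch between VPC and public mode.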
Contributor

Might be worth directing the reader here to the README's "Environment Variables Configuration" section, where you discuss how you'd modify this file for VPC v public mode.

Contributor

kompfner commented Feb 22, 2026

Hm, for some reason after following the "VPC mode" steps, I couldn't hear the bot at all (it gets stuck in "connecting")...does it still work for you?

Going to try again with public mode, in case something changed out from under us with a recent Pipecat release. I was testing with Pipecat 0.0.103, which was just released.

Contributor

kompfner commented Feb 22, 2026

> Going to try again with public mode

Also doesn't work for me in public mode...

> in case something changed out from under us with a recent Pipecat release. I was testing with Pipecat 0.0.103, which was just released.

Downgrading to Pipecat 0.0.99, which the example was initially written with, seems to work. Going to re-test VPC mode with Pipecat 0.0.99.

Contributor

> Going to re-test VPC mode with Pipecat 0.0.99.

Works!

Contributor

@kompfner kompfner left a comment


Left a bit of minor feedback. Overall, looks great! And works great, too (at least w/Pipecat 0.0.99, which the example was developed with). Pre-emptively approving for when the feedback is addressed.

Our team will look into the not-working-with-Pipecat-0.0.103 issue separately.
