AWS Public Sector Blog

Unlocking commercial AI models in AWS GovCloud (US): Secure cross-partition access with Amazon Bedrock

In this post, we walk through three solutions that allow AWS GovCloud (US) workloads to securely connect into the Amazon Web Services (AWS) commercial partition to perform inference with Amazon Bedrock. Each approach comes with different trade-offs, and by the end you’ll have a clear view of which path might be right for your organization.

Generative AI is moving fast, with new foundation models (FMs) and features being released at a rapid pace. These capabilities are introduced first in the AWS commercial partition. For organizations in sensitive and regulated environments, the challenge is keeping pace with this innovation while being able to experiment quickly, gather customer feedback, and mature new features into mission-ready functionality.

How cross-partition access works

AWS GovCloud (US) workloads call Amazon Bedrock by directing requests to the service API in the commercial partition. Instead of invoking an Amazon Bedrock endpoint in AWS GovCloud (US), the application sends the call across the chosen network connection into the commercial partition where Amazon Bedrock is hosted.

Because there is intentionally no native interconnectivity between AWS GovCloud (US) and commercial, the partitions are both logically and physically isolated. To communicate between them, organizations must use a connection path such as the public endpoint, AWS Site-to-Site VPN, or AWS Direct Connect. These connections carry requests between partitions.

When traffic flows between AWS GovCloud (US) and commercial, it generally traverses the AWS backbone. As the Amazon VPC FAQ explains, "Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions." For additional background on AWS backbone networking, see the blog post Introduction to Network Transformation on AWS.

Amazon Bedrock service API calls use HTTPS, which encrypts requests with TLS from AWS GovCloud (US) to the commercial partition. This provides encryption for cross-partition communication regardless of which connectivity option you choose. For workloads that require FIPS 140-validated cryptographic modules, Bedrock provides dedicated FIPS endpoints, as documented in the AWS General Reference for Amazon Bedrock.

The application logic remains entirely within AWS GovCloud (US). Amazon API Gateway exposes an endpoint to workloads. AWS Lambda handles the request, retrieves the Amazon Bedrock API key from AWS Secrets Manager, and sends the inference request to Bedrock in the commercial partition. Amazon Bedrock processes the request and returns the response to the Lambda function, which then passes the result back to the application. Amazon CloudWatch in AWS GovCloud (US) records application logs for performance monitoring and troubleshooting, while AWS CloudTrail in the commercial partition provides an audit trail of all API calls to Amazon Bedrock, including who made the request and when, allowing for tracking across both partitions.

When a Site-to-Site VPN or AWS Direct Connect is used, the Amazon Virtual Private Cloud (Amazon VPC) hosts in AWS GovCloud (US) and in commercial are linked through that connection. The only difference across the public endpoint, VPN, and Direct Connect options is the path the request takes between AWS GovCloud (US) and commercial.

Three connectivity options

There are three connectivity options for linking AWS GovCloud (US) to the commercial partition. Selecting the right option depends on your organization’s security requirements, performance expectations, and operational considerations.

Before selecting a connection option, set up authentication with an Amazon Bedrock API key in the commercial partition account. For details, refer to Accelerate AI development with Amazon Bedrock API keys. Organizations should also apply key rotation best practices to these API keys. Because AWS GovCloud (US) can initiate outbound connections to the commercial partition, key rotation can be handled programmatically from AWS GovCloud (US), reducing operational overhead and strengthening security posture.

The Lambda function in AWS GovCloud (US) retrieves this key from Secrets Manager and uses it to authenticate with Amazon Bedrock in the commercial partition. AWS GovCloud (US) workloads never hold the key directly, reducing risk. AWS Secrets Manager in AWS GovCloud (US) stores the key securely so it can be rotated automatically and is only accessible by the Lambda function. AWS Identity and Access Management (IAM) policies enforce least privilege so that only the components that need the key can access it.
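The flow described above (Lambda in AWS GovCloud (US) reads the Bedrock API key from Secrets Manager, then calls Bedrock in the commercial partition over HTTPS) as an added example; this is not code from the post or from AWS. The secret name, commercial Region, model id, and the FIPS hostname pattern are assumptions set through environment variables; the Bedrock API key is sent as a bearer token on the Converse API, and the key and prompt are kept out of CloudWatch logs.

```python
"""Added example: AWS GovCloud (US) Lambda handler for cross-partition Bedrock inference."""
import json
import logging
import os
import urllib.error
import urllib.parse
import urllib.request

log = logging.getLogger(__name__)
log.setLevel(logging.INFO)

# Assumed configuration; override with Lambda environment variables.
SECRET_ID = os.environ.get("BEDROCK_API_KEY_SECRET_ID", "bedrock/commercial-api-key")
COMMERCIAL_REGION = os.environ.get("BEDROCK_REGION", "us-east-1")
# Assumed inference-profile id for a model that requires one; replace with yours.
MODEL_ID = os.environ.get("BEDROCK_MODEL_ID", "us.anthropic.claude-sonnet-4-20250514-v1:0")
USE_FIPS = os.environ.get("BEDROCK_USE_FIPS", "true").lower() == "true"

_cached_key = None  # cached for the life of the Lambda execution environment


def bedrock_runtime_host(region, fips):
    """Commercial bedrock-runtime hostname; the '-fips' variant follows the
    pattern listed in the AWS General Reference (verify for your Region)."""
    return f"bedrock-runtime{'-fips' if fips else ''}.{region}.amazonaws.com"


def get_api_key():
    """Read the Bedrock API key from Secrets Manager in AWS GovCloud (US).
    boto3 is imported lazily so the pure functions below can be tested
    without the SDK; the value is cached to limit GetSecretValue calls."""
    global _cached_key
    if _cached_key is None:
        import boto3  # present in the Lambda runtime
        resp = boto3.client("secretsmanager").get_secret_value(SecretId=SECRET_ID)
        _cached_key = resp["SecretString"]
    return _cached_key


def build_converse_request(prompt, api_key, model_id=MODEL_ID,
                           region=COMMERCIAL_REGION, fips=USE_FIPS, max_tokens=512):
    """Build (url, headers, body) for a Converse call authenticated with the
    Bedrock API key as a bearer token. The model id is percent-encoded
    because inference-profile ids contain ':'."""
    path_id = urllib.parse.quote(model_id, safe="")
    url = f"https://{bedrock_runtime_host(region, fips)}/model/{path_id}/converse"
    headers = {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = {
        "messages": [{"role": "user", "content": [{"text": prompt}]}],
        "inferenceConfig": {"maxTokens": max_tokens},
    }
    return url, headers, json.dumps(body).encode()


def parse_converse_response(payload):
    """Extract assistant text, stop reason and token usage from a Converse response."""
    data = json.loads(payload)
    text = "".join(part.get("text", "") for part in data["output"]["message"]["content"])
    return {"text": text, "stop_reason": data.get("stopReason"), "usage": data.get("usage", {})}


def invoke_bedrock(prompt):
    """Send one inference request across the partition boundary."""
    url, headers, body = build_converse_request(prompt, get_api_key())
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return parse_converse_response(resp.read())
    except urllib.error.HTTPError as err:
        # Log the status only: never the key, and never the prompt content.
        log.error("Bedrock call failed: HTTP %s", err.code)
        raise


def lambda_handler(event, context):
    """API Gateway proxy integration entry point."""
    prompt = json.loads(event.get("body") or "{}").get("prompt", "")
    if not prompt:
        return {"statusCode": 400, "body": json.dumps({"error": "prompt required"})}
    result = invoke_bedrock(prompt)
    log.info("Bedrock usage: %s", json.dumps(result["usage"]))  # token counts only
    return {"statusCode": 200, "body": json.dumps(result)}
```

The Lambda execution role needs only `secretsmanager:GetSecretValue` on this one secret; authorization to Bedrock itself comes from the API key issued in the commercial account, so no commercial IAM credentials are stored in AWS GovCloud (US).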

In addition to the Bedrock API key, enable model access to Bedrock in the commercial account for each foundation model you intend to use, and configure inference profiles where required, such as for Anthropic’s Claude 4.

For VPN and Direct Connect scenarios, plan private VPC endpoints in the commercial VPC for Amazon Bedrock and any other services your solution will use, such as CloudWatch Logs and Secrets Manager. VPC endpoints keep traffic on the AWS network, prevent it from traversing the public internet, and allow you to enforce fine-grained IAM and resource policies. For more details, see the Amazon VPC endpoints documentation.
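The least-privilege controls from the two paragraphs above (a resource policy so only the Lambda role can read the API key secret, and a VPC endpoint policy that limits what the Bedrock endpoint in the commercial VPC will serve) as an added example, not policies from the post or from AWS. Account ids, ARNs and model identifiers are placeholders; the check at the end rejects the wildcard patterns that usually creep into such policies, and an over-broad endpoint policy is included to show what it flags.

```python
"""Added example: least-privilege policies for the cross-partition design, with a wildcard check."""
import json

# Placeholders to replace with your own values.
GOVCLOUD_LAMBDA_ROLE = "arn:aws-us-gov:iam::111111111111:role/bedrock-proxy-lambda-role"
SECRET_ARN = ("arn:aws-us-gov:secretsmanager:us-gov-west-1:111111111111:"
              "secret:bedrock/commercial-api-key-PLACEHOLDER")
COMMERCIAL_ACCOUNT = "222222222222"
MODEL_ARNS = [
    "arn:aws:bedrock:us-east-1::foundation-model/MODEL_ID_PLACEHOLDER",
    f"arn:aws:bedrock:us-east-1:{COMMERCIAL_ACCOUNT}:inference-profile/PROFILE_ID_PLACEHOLDER",
]

# Resource policy on the Secrets Manager secret in AWS GovCloud (US):
# only the Lambda execution role may read the Bedrock API key.
SECRET_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": GOVCLOUD_LAMBDA_ROLE},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": SECRET_ARN,
    }],
}

# Endpoint policy on the Bedrock VPC endpoint in the commercial VPC (VPN and
# Direct Connect options): invocation only, only for the approved models, and
# only by principals of the commercial account that issued the API key
# (assumption: the key resolves to an IAM principal in that account).
BEDROCK_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": MODEL_ARNS,
        "Condition": {"StringEquals": {"aws:PrincipalAccount": COMMERCIAL_ACCOUNT}},
    }],
}

# The default-style policy a quick pilot tends to leave behind: any principal,
# any Bedrock action, any model.
OVERLY_BROAD_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "bedrock:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return a list of least-privilege violations in Allow statements:
    wildcard actions, wildcard resources, and anonymous principals that
    are not narrowed by a Condition."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: wildcard action")
        if any(r == "*" for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"statement {i}: wildcard resource")
        if stmt.get("Principal") == "*" and "Condition" not in stmt:
            findings.append(f"statement {i}: anonymous principal without condition")
    return findings


if __name__ == "__main__":
    for name, policy in [("secret", SECRET_RESOURCE_POLICY),
                         ("endpoint", BEDROCK_ENDPOINT_POLICY),
                         ("broad-endpoint", OVERLY_BROAD_ENDPOINT_POLICY)]:
        print(name, policy_findings(policy) or "ok")
        print(json.dumps(policy, indent=2))
```

Run the check in the pipeline that deploys the policies so a wildcard cannot reach either partition unnoticed; the endpoint policy is a second gate behind the API key, so a leaked key still cannot be used through the endpoint to reach models the solution was never approved for.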

Option 1: Public endpoint option

The simplest option uses the AWS backbone to connect AWS GovCloud (US) to the commercial partition. AWS GovCloud (US) applications send HTTPS requests to an API Gateway endpoint. TLS encrypts data in transit, while IAM and Secrets Manager provide authentication and credential isolation.

The following are required for this option in the commercial partition:

  • An Amazon Bedrock API key for authentication
  • Model access enabled for each FM you intend to use
  • Inference profiles for models that require them, such as Anthropic’s Claude 4.

This option is well-suited for proofs of concept or pilot projects where the priority is speed of deployment. It can usually be deployed in a matter of weeks with minimal infrastructure. The trade-off is that traffic traverses the public internet, which might not meet the strictest security requirements. The following diagram shows the architecture for this option.

Figure 1: High-level architecture that shows the public endpoint option, where AWS GovCloud (US) applications call Amazon Bedrock directly in the commercial partition using HTTPS.

Option 2: AWS Site-to-Site VPN connectivity with private endpoints

For organizations that require stronger security and prefer to avoid the public internet, an AWS Site-to-Site VPN connection provides an encrypted tunnel between AWS GovCloud (US) and the commercial partition VPCs. All traffic flows through the Site-to-Site VPN connection, improving confidentiality and reducing exposure. VPC endpoints for Amazon Bedrock and supporting services are used to keep traffic on the AWS network, while not traversing the public internet.

The following are required for this option in the commercial partition:

  • Everything required in option 1
  • A VPN gateway configured to connect with AWS GovCloud (US)
  • VPC endpoints to access AWS services without traversing the internet

This option offers better compliance alignment and stronger security, making it more suitable for production workloads. The trade-off is added complexity, longer setup time, and operational overhead. For step-by-step setup instructions, refer to Get started with AWS Site-to-Site VPN in the AWS documentation. The following diagram shows the architecture for this option.

Figure 2: High-level architecture that shows the AWS Site-to-Site VPN connectivity with private endpoints option, where AWS GovCloud (US) and commercial VPCs are connected through an encrypted tunnel and AWS GovCloud (US) applications call, through the encrypted tunnel, Amazon Bedrock in commercial.

Option 3: AWS Direct Connect

The final option uses AWS Direct Connect to establish a dedicated private connection between AWS GovCloud (US) and the commercial partition. AWS Direct Connect provides the highest throughput and lowest latency, making it ideal for mission-critical or high-volume AI workloads. This option also uses VPC endpoints for Amazon Bedrock and supporting services, keeping traffic on the AWS network and off the public internet.

It is important to note that Direct Connect does not provide a native private path directly between AWS GovCloud (US) and commercial. To enable cross-partition traffic over Direct Connect, customers terminate separate connections from each partition into their own network (for example, in a colocation facility) and route between them there. This design gives customers control of the traffic path but adds latency and incurs data transfer costs in both accounts.

The following are required for this option in the commercial partition:

  • Everything required in option 1
  • A Direct Connect gateway, with connections from both partitions terminating in the customer’s network to enable routing
  • VPC endpoints to access AWS services without traversing the internet

This option provides the strongest security posture and consistent performance backed by service level agreements (SLAs). Because of the need to provision circuits and manage routing through a customer network, it requires significant investment in networking infrastructure and longer lead times. Agencies typically adopt AWS Direct Connect when workloads have matured and demand predictable performance at scale. For more on establishing Direct Connect between commercial and AWS GovCloud (US), read the blog post Hybrid connectivity to AWS GovCloud (US) and commercial Regions using AWS Direct Connect. The following diagram shows the architecture for this option.

Figure 3: High-level architecture that shows the AWS Direct Connect option for AWS GovCloud (US) to commercial. Separate Direct Connect links from each partition terminate in the customer’s network, where traffic is routed before reaching the Amazon Bedrock service in commercial.

Picking the right connectivity option

The right choice depends on your compliance requirements, data sensitivity, and existing network investments. Some organizations might be fine with encrypted internet traffic for pilots, whereas others will mandate VPN or AWS Direct Connect from the start.

When you use these options, the data you pass in the prompt is sent to the Amazon Bedrock service running in the commercial partition. It is important to understand that prompts and any associated context leave AWS GovCloud (US) and are processed in commercial. Organizations should review this flow carefully to verify it aligns with their compliance and data-handling requirements.

You should also account for transfer costs. Because traffic crosses partitions, egress charges are incurred in both the AWS GovCloud (US) account and the commercial account. For workloads that move large volumes of data, these charges can become a meaningful factor in the total cost of ownership.

Selecting the right connectivity path isn’t about starting small and then upgrading. Instead, it’s about matching your organization’s security posture and the type of data you are sending to Amazon Bedrock. Each option has different trade-offs.

AWS Direct Connect allows you to manage where the traffic goes. Data flows over a dedicated private link between your environment and the commercial partition. If you already have Direct Connect in place, adding another connection is straightforward. If not, provisioning a new Direct Connect typically takes several weeks to a few months, depending on circuit ordering, colocation facility setup, and provider timelines.

AWS Site-to-Site VPN with private endpoints provides a strong middle ground. When traffic flows between AWS GovCloud (US) and commercial, it generally traverses the AWS backbone. As the Amazon VPC FAQ explains, “Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.” The VPN tunnel provides encryption in transit, and with Infrastructure as Code, a VPN can often be configured in minutes. This makes it a practical option for production workloads without the heavy lift of Direct Connect.

The public endpoint option is the easiest and fastest to deploy. Traffic typically traverses the AWS backbone between AWS GovCloud (US) and commercial, but because it relies on the internet path, you should assume that data may leave the backbone. While TLS provides encryption in transit, some organizations may not be comfortable with data leaving their controlled network environment.

Conclusion

Cross-partition inference provides a secure and scalable way for AWS GovCloud (US) customers to unlock the latest AI models available in the AWS commercial partition. By combining network connectivity over the internet, through a VPN tunnel, or with AWS Direct Connect, organizations can use Amazon Bedrock in the AWS commercial partition from AWS GovCloud (US), provided the approach aligns with their compliance requirements and risk tolerance.

This architecture allows agencies operating in AWS GovCloud (US) with sensitive data and strict compliance requirements to test and innovate with cutting-edge generative AI capabilities as soon as they become available in the commercial partition. It provides a pathway to balance innovation with the controls needed for secure and compliant operations.

Tyler Replogle

Tyler is a principal solutions architect and technical databases leader at AWS for worldwide public sector. He enables AWS Partners and customers to run their end-mission solutions on AWS.

Doug Hairfield

Doug is a senior solutions architect who helps organizations harness the power of AI to solve real-world problems. He brings a depth of experience helping public sector customers design their workloads in high compliance environments. When he's not architecting cloud solutions, you'll find him being a girl dad and enjoying time with his family.

Michael Pitcher

Michael is a senior manager of solution architecture at AWS. In this role, he works closely with partners to enable end customer missions in the public sector. He brings extensive experience in security and compliance, having previously worked at a 3PAO, where he focused on highly regulated cloud authorizations and cloud security.

Vin Minichino

Vin is a senior solutions architect at AWS, where he supports federal healthcare partners. Outside of his professional life, he is a father of two, an RVer, and a builder of things.