This page guides you through the process of creating an Agent Gateway resource. If you haven't already done so, review the conceptual basics and the core components of an Agent Gateway deployment in the Agent Gateway overview.
Required permissions
The following permissions are required to create and manage Agent Gateways. You can get these permissions either with custom roles or by using other predefined roles.
- compute.networkAttachments.list
- compute.regions.list
- modelarmor.templates.list
- networksecurity.authzPolicies.create
- networksecurity.authzPolicies.delete
- networksecurity.authzPolicies.get
- networksecurity.authzPolicies.list
- networksecurity.operations.get
- networkservices.agentGateways.create
- networkservices.agentGateways.delete
- networkservices.agentGateways.get
- networkservices.agentGateways.list
- networkservices.agentGateways.update
- networkservices.agentGateways.use
- networkservices.authzExtensions.create
- networkservices.authzExtensions.delete
- networkservices.authzExtensions.get
- networkservices.authzExtensions.list
- networkservices.authzExtensions.update
- networkservices.authzExtensions.use
- networkservices.operations.get
Required APIs
Enable the following APIs in the Google Cloud project that you are using for this guide:
- Compute Engine API
- Network Security API
- Network Services API
Optional APIs:
- Model Armor API
Configure Agent Gateway in Agent-to-Anywhere (Egress) mode
This section shows you how to set up an Agent Gateway for Agent-to-Anywhere communications.
Use the following steps to create an Agent Gateway resource.
Google Cloud console
- In the Google Cloud console, go to the Agent Gateway page.
- Click Add gateway.
- Enter a Name.
- From the Region list, select a region.
- For Deployment mode, verify that Google-managed is selected.
- For Agent Registry, select a registry from the list. For Agent Runtime agents, select a regional registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/REGION). For Gemini Enterprise, select the project's global registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/global).
- From the Governed Access Path list, select Agent-to-Anywhere (Agent Egress).
- In the Access Authorization section, choose how traffic is handled by IAP:
  - To deploy the gateway in a dry-run mode where the gateway permits all traffic through and only generates audit logs, select Audit-only. Your IAM policies are not enforced by IAP in dry-run mode. Once you gain confidence, you can disable dry-run mode to enforce IAM policies.
  - To block requests that don't have an explicit Allow IAM policy, select Enforce policies. This option is recommended for production environments.
- Optional: In the AI Security section, configure additional security:
  - To protect AI model interactions with Model Armor, turn on Enable Model Armor.
  - Select a template that applies to incoming requests to the gateway from the list.
  - To use a different template for responses, clear Use same template for requests and responses and select a template from the list.
- Click Add Gateway.
gcloud
You define Agent Gateways declaratively using YAML.
- Define the resource and save the configuration to a YAML file. For this example, we use my-agent-gateway.yaml.

  ```yaml
  name: AGENT_GATEWAY_NAME
  protocols:
  - MCP
  googleManaged:
    governedAccessPath: AGENT_TO_ANYWHERE
    registries:
    - AGENT_REGISTRY_PATH
  ```

  Replace the following:
  - AGENT_GATEWAY_NAME: The name of the Agent Gateway resource.
  - AGENT_REGISTRY_PATH: The path to the Agent Registry. For Agent Runtime agents, use a regional registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/REGION). For Gemini Enterprise, use the project's global registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/global).
- Run the following command to create an Agent Gateway resource based on the YAML specification:

  ```sh
  gcloud alpha network-services agent-gateways import AGENT_GATEWAY_NAME \
      --source="my-agent-gateway.yaml" \
      --location=LOCATION
  ```

  Replace LOCATION with the location where you want to create the Agent Gateway resource. For example, us-central1.
After an Agent Gateway has been created, it serves as the primary connection point for routing agent traffic within your project and chosen region. You can now use this endpoint to establish secure, encrypted, and authenticated communication channels between agents and their destinations (tools, other agents, or other endpoints).
Next, learn how to deploy agents and route traffic through Agent Gateway.
Configure VPC connectivity
To configure Agent Gateway for private outbound communication with a VPC network in your organization, you must perform the following additional steps:
- Create a Private Service Connect network attachment in the VPC network that you want to connect to. Note the following requirements:
  - Agent Gateway requires a minimum /28 subnetwork for the network attachment.
  - Agent Gateway can only send to the following subnet ranges. Therefore, the subnet of the network attachment must fall within these ranges:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
  - Agent Gateway can't send traffic to the following subnet ranges. Therefore, if you use the 10.0.0.0/8 range for the network attachment, you must ensure that it doesn't overlap with the following subnet ranges:
    - 10.0.0.0/24
    - 10.0.1.0/24
    - 10.0.2.0/24

  For instructions, see Create and manage Private Service Connect network attachments.

  If you have a Shared VPC setup, note the additional permissions required as documented in the Using Private Service Connect interface with Shared VPC section.

  Note the URI of the network attachment. You'll need it when you update the Agent Gateway resource.
- Configure DNS peering for the service that you are connecting to. With DNS peering, your agents can connect to services in the target VPC network using stable, human-readable DNS names instead of IP addresses. DNS peering lets Agent Gateway resolve DNS names using the records from a Cloud DNS private zone in your VPC.
  - Set up your private DNS zone for DNS resolution and traffic routing. To add DNS records to your private DNS zone, see Add a resource record set.
  - If you're using a Shared VPC setup and the target project and VPC network are in a different project than the gateway, assign the DNS Peer (roles/dns.peer) role to the Agent Gateway service account. Perform this step in the project where the Agent Gateway was created.

    ```sh
    gcloud alpha projects add-iam-policy-binding TARGET_PROJECT_ID \
        --member=serviceAccount:service-GATEWAY_PROJECT_NUMBER@gcp-sa-dep.iam.gserviceaccount.com \
        --role=roles/dns.peer
    ```

  - Gather the DNS information to enable peering. This includes the domain name, the target project ID, and the name of the VPC network you want to connect to. You'll need this information when you update the Agent Gateway resource.
- Update your Agent Gateway to include the network attachment and DNS peering information. Edit the my-agent-gateway.yaml YAML file as follows:

  ```yaml
  name: AGENT_GATEWAY_NAME
  protocols:
  - MCP
  googleManaged:
    governedAccessPath: AGENT_TO_ANYWHERE
    registries:
    - AGENT_REGISTRY_PATH
    networkConfig:
      egress:
        networkAttachment: PSC_NETWORK_ATTACHMENT_URI
        dnsPeeringConfig:
          domains:
          - DOMAIN_NAME
          targetProject: TARGET_PROJECT_ID
          targetNetwork: TARGET_NETWORK_URI
  ```

  Replace the following:
  - AGENT_GATEWAY_NAME: The name of the Agent Gateway resource.
  - AGENT_REGISTRY_PATH: The path to the Agent Registry. For Agent Runtime agents, use a regional registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/REGION). For Gemini Enterprise, use the project's global registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/global).
  - PSC_NETWORK_ATTACHMENT_URI: The PSC interface network attachment for connectivity to VPCs. If the network attachment is created in a project (such as the Shared VPC host project) different from where you deployed the agent, you must pass the full path of your network attachment.
  - DOMAIN_NAME: A domain name for DNS peering. This value is required and must end with a dot (.).
  - TARGET_PROJECT_ID: The target project for DNS peering.
  - TARGET_NETWORK_URI: The target network where you created the network attachment. This must be of the form projects/TARGET_PROJECT_ID/global/networks/NETWORK_NAME.
- Run the following command to update the resource based on the YAML specification:

  ```sh
  gcloud alpha network-services agent-gateways import AGENT_GATEWAY_NAME \
      --source="my-agent-gateway.yaml" \
      --location=LOCATION
  ```

  Replace LOCATION with the location of the Agent Gateway resource that you are updating. For example, us-central1.
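The subnet constraints for the network attachment and the placeholder formats in the YAML above are easy to get wrong, and gcloud only reports them after the import call. The following pre-flight checks are an added example, not part of this page or of the gcloud tooling: they encode the /28 minimum, the allowed and reserved ranges, the registry path format, the trailing dot on DNS peering domains and the targetNetwork form. SAMPLE_SPEC mirrors the second YAML with constructed placeholder values (and a deliberately missing trailing dot), and the spec is assumed to be parsed into a dict already.

```python
import ipaddress
import re

# Ranges the gateway can send to: the attachment subnet must lie inside one of them.
ALLOWED = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges the gateway can never send to: the attachment subnet must not overlap them.
BLOCKED = [ipaddress.ip_network(c) for c in ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24")]
REGISTRY_RE = re.compile(r"^//agentregistry\.googleapis\.com/projects/[^/]+/locations/[^/]+$")
NETWORK_RE = re.compile(r"^projects/[^/]+/global/networks/[^/]+$")

def check_attachment_subnet(cidr):
    """Return violations of the network-attachment subnet rules (empty list if compliant)."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if net.prefixlen > 28:  # "minimum /28" means a prefix length of 28 or shorter
        problems.append(f"{cidr}: smaller than /28")
    if not any(net.subnet_of(a) for a in ALLOWED):
        problems.append(f"{cidr}: outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16")
    problems += [f"{cidr}: overlaps reserved {b}" for b in BLOCKED if net.overlaps(b)]
    return problems

def check_gateway_spec(spec):
    """Return violations of the field formats the YAML placeholders on this page require."""
    problems = []
    gm = spec.get("googleManaged", {})
    path = gm.get("governedAccessPath")
    if path not in ("AGENT_TO_ANYWHERE", "CLIENT_TO_AGENT"):
        problems.append(f"unknown governedAccessPath: {path}")
    if path == "AGENT_TO_ANYWHERE":  # the registry is only used for egress
        problems += [f"bad registry path: {r}" for r in gm.get("registries") or ["<missing>"]
                     if not REGISTRY_RE.match(r)]
    egress = gm.get("networkConfig", {}).get("egress")
    if egress is not None:  # the VPC connectivity block is optional
        if not egress.get("networkAttachment"):
            problems.append("networkAttachment is required for VPC egress")
        dns = egress.get("dnsPeeringConfig", {})
        problems += [f"domain must end with a dot: {d}" for d in dns.get("domains", [])
                     if not d.endswith(".")]
        if not NETWORK_RE.match(dns.get("targetNetwork", "")):
            problems.append("targetNetwork must be projects/PROJECT_ID/global/networks/NAME")
    return problems

# Constructed sample mirroring the VPC-connectivity YAML above; every value is a placeholder.
SAMPLE_SPEC = {"name": "my-agent-gateway", "protocols": ["MCP"], "googleManaged": {
    "governedAccessPath": "AGENT_TO_ANYWHERE",
    "registries": ["//agentregistry.googleapis.com/projects/example-proj/locations/us-central1"],
    "networkConfig": {"egress": {
        "networkAttachment": "projects/example-host/regions/us-central1/networkAttachments/gw-na",
        "dnsPeeringConfig": {"domains": ["corp.example"], "targetProject": "example-host",
                             "targetNetwork": "projects/example-host/global/networks/shared"}}}}}
```

Running check_gateway_spec(SAMPLE_SPEC) flags only the domain without its trailing dot; fix the spec until both functions return empty lists before running the import command.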
Configure authorization policies
In Agent-to-Anywhere mode, you can use authorization policies to enforce centralized access control and governance policies on traffic passing through Agent Gateway.
You can either enable these policies while creating the gateway as shown in the previous section, or add them to a pre-deployed gateway as demonstrated in Delegate authorization with Service Extensions.
Configure Agent Gateway in Client-to-Agent (Ingress) mode
This section shows you how to set up an Agent Gateway for Client-to-Agent communications.
Use the following steps to create an Agent Gateway resource.
Google Cloud console
- In the Google Cloud console, go to the Agent Gateway page.
- Click Add gateway.
- Enter a Name.
- From the Region list, select a region.
- For Deployment mode, verify that Google-managed is selected.
- Leave the Agent registry setting as is. The registry isn't used for ingress.
- From the Governed Access Path list, select Client-to-Agent (ingress).
- Optional: In the AI Security section, configure additional security:
  - To protect AI model interactions with Model Armor, turn on Enable Model Armor.
  - Select a template that applies to incoming requests to the gateway from the list.
  - To use a different template for responses, clear Use same template for requests and responses and select a template from the list.
- Click Add Gateway.
gcloud
You define Agent Gateways declaratively using YAML.
- Define the resource and save the configuration to a YAML file. For this example, we use my-agent-gateway.yaml.

  ```yaml
  name: AGENT_GATEWAY_NAME
  protocols:
  - MCP
  googleManaged:
    governedAccessPath: CLIENT_TO_AGENT
  ```

  Replace AGENT_GATEWAY_NAME with a name for the Agent Gateway resource.
- Run the following command to create an Agent Gateway resource based on the YAML specification:

  ```sh
  gcloud alpha network-services agent-gateways import AGENT_GATEWAY_NAME \
      --source="my-agent-gateway.yaml" \
      --location=LOCATION
  ```

  Replace LOCATION with the location where you want to create the Agent Gateway resource. For example, us-central1.
After an Agent Gateway has been created, it serves as the primary connection point for routing traffic to agents in your project and chosen region.
Next, learn how to deploy agents and route traffic through Agent Gateway.
Deploy agents and route traffic through Agent Gateway
To deploy an Agent Runtime agent that routes traffic through Agent Gateway, see Route traffic through Agent Gateway.
To deploy a Gemini Enterprise agent that routes traffic through Agent Gateway, see Route Gemini Enterprise traffic through Agent Gateway.
What's next
Route agent traffic through Agent Gateway
Learn how to route Agent Platform Runtime traffic through Agent Gateway for secure and governed connectivity.
Delegate authorization for Agent Gateway
Learn how to delegate authorization for Agent Gateway to IAP, Model Armor, or your own custom authorization service.

