Preview. This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms.

Set up Agent Gateway

This page guides you through the process of creating an Agent Gateway resource. If you haven't already done so, review the conceptual basics and the core components of an Agent Gateway deployment. See Agent Gateway overview.

Required permissions

The following permissions are required to create and manage Agent Gateways. You can get these permissions either with custom roles or by using other predefined roles.

  • compute.networkAttachments.list
  • compute.regions.list
  • modelarmor.templates.list
  • networksecurity.authzPolicies.create
  • networksecurity.authzPolicies.delete
  • networksecurity.authzPolicies.get
  • networksecurity.authzPolicies.list
  • networksecurity.operations.get
  • networkservices.agentGateways.create
  • networkservices.agentGateways.delete
  • networkservices.agentGateways.get
  • networkservices.agentGateways.list
  • networkservices.agentGateways.update
  • networkservices.agentGateways.use
  • networkservices.authzExtensions.create
  • networkservices.authzExtensions.delete
  • networkservices.authzExtensions.get
  • networkservices.authzExtensions.list
  • networkservices.authzExtensions.update
  • networkservices.authzExtensions.use
  • networkservices.operations.get

Required APIs

Enable the following APIs in the Google Cloud project that you are using for this guide. These APIs let you access the full suite of capabilities offered by Gemini Enterprise Agent Platform.

  • Compute Engine API (compute.googleapis.com)
  • Network Security API (networksecurity.googleapis.com)
  • Network Services API (networkservices.googleapis.com)
  • Cloud DNS API (dns.googleapis.com)
  • Identity and Access Management API (iam.googleapis.com)
  • Agent Registry API (agentregistry.googleapis.com)
  • Vertex AI API (aiplatform.googleapis.com)
  • Discovery Engine API (discoveryengine.googleapis.com)
  • Cloud Storage API (storage.googleapis.com)
  • Model Armor API (modelarmor.googleapis.com)
  • Observability API (observability.googleapis.com)
  • Telemetry API (telemetry.googleapis.com)
  • Cloud Monitoring API (monitoring.googleapis.com)
  • Cloud Trace API (cloudtrace.googleapis.com)
  • Cloud Logging API (logging.googleapis.com)
  • App Hub API (apphub.googleapis.com)
  • App Topology API (apptopology.googleapis.com)
  • Cloud API Registry (cloudapiregistry.googleapis.com)
  • Notebooks API (notebooks.googleapis.com)
  • Text-to-Speech API (texttospeech.googleapis.com)
  • Dataform API (dataform.googleapis.com)

Configure Agent Gateway in Agent-to-Anywhere (Egress) mode

This section shows you how to set up an Agent Gateway for Agent-to-Anywhere communications.

Note that a single Agent Gateway cannot simultaneously support both Gemini Enterprise and Agent Runtime integrations. Instead, you must deploy two mutually exclusive gateways: one configured with a global registry for Gemini Enterprise, and another with a regional registry for Agent Runtime.

Use the following steps to create an Agent Gateway resource.

Google Cloud console

  1. In the Google Cloud console, go to the Agent Gateway page.

    Go to Gateways

  2. Click Add gateway.
  3. Enter a Name.
  4. From the Region list, select a region.
  5. For Deployment mode, verify that Google-managed is selected.
  6. For Agent Registry, select a registry from the list. For Agent Runtime agents, select a regional registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/REGION). For Gemini Enterprise, select the project's global registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/global).
  7. From the Governed Access Path list, select Agent-to-Anywhere (Agent Egress).
  8. In the Access Authorization section, choose how traffic is handled by IAP:

    • To deploy the gateway in a dry-run mode where the gateway permits all traffic through and only generates audit logs, select Audit-only. Your IAM policies are not enforced by IAP in dry-run mode. Once you gain confidence, you can disable dry-run mode to enforce IAM policies.
    • To block requests that don't have an explicit Allow IAM policy, select Enforce policies. This option is recommended for production environments.
  9. Optional: In the AI Security section, configure additional security:

    1. To protect AI model interactions with Model Armor, turn on Enable Model Armor.
    2. Select a template that applies to incoming requests to the gateway from the list.
    3. To use a different template for responses, clear Use same template for requests and responses and select a template from the list.

  10. Click Add Gateway.

gcloud

You define Agent Gateways declaratively using YAML.

  1. Define the resource and save the configuration to a YAML file. For this example, we use my-agent-gateway-egress.yaml.

      name: AGENT_GATEWAY_NAME
      protocols:
      - MCP
      googleManaged:
        governedAccessPath: AGENT_TO_ANYWHERE
      registries:
      - AGENT_REGISTRY_PATH

    Replace the following:

    • AGENT_GATEWAY_NAME : The name of the Agent Gateway resource.
    • AGENT_REGISTRY_PATH : The path to the Agent Registry. For Agent Runtime agents, use a regional registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/REGION). For Gemini Enterprise, use the project's global registry (//agentregistry.googleapis.com/projects/PROJECT_ID/locations/global).
  2. Run the following command to create an Agent Gateway resource based on the YAML specification:

      gcloud alpha network-services agent-gateways import AGENT_GATEWAY_NAME \
          --source="my-agent-gateway-egress.yaml" \
          --location=LOCATION

    Replace LOCATION with the location where you want to create the Agent Gateway resource. For example, us-central1.

    Note that for Gemini Enterprise, you must deploy Agent Gateway in a region that corresponds to your multi-region setup. For the supported location mappings, see Route Gemini Enterprise traffic through Agent Gateway.

  3. To enforce centralized access control and governance policies on traffic passing through the Agent Gateway, configure an authorization policy.

    This step is required. Each Agent Gateway must have an associated authorization policy that targets the gateway. For details, see Delegate authorization with Service Extensions.

After an Agent Gateway has been created, it serves as the primary connection point for routing agent traffic within your project and chosen region. You can now use this endpoint to establish secure, encrypted, and authenticated communication channels between agents and their destinations (tools, other agents, or other endpoints).

Next, learn how to deploy agents and route traffic through Agent Gateway.

Optional: Configure VPC connectivity

To learn how to configure your Agent Gateway so that it can privately communicate with a VPC network in your organization, see Set up VPC connectivity for Agent Gateway.

Configure Agent Gateway in Client-to-Agent (Ingress) mode

This section shows you how to set up an Agent Gateway for Client-to-Agent communications.

Use the following steps to create an Agent Gateway resource.

Google Cloud console

  1. In the Google Cloud console, go to the Agent Gateway page.

    Go to Gateways

  2. Click Add gateway.
  3. Enter a Name.
  4. From the Region list, select a region.
  5. For Deployment mode, verify that Google-managed is selected.
  6. Leave the Agent registry setting as is. The registry isn't used for ingress.
  7. From the Governed Access Path list, select Client-to-Agent (ingress).
  8. Optional: In the AI Security section, configure additional security:

    1. To protect AI model interactions with Model Armor, turn on Enable Model Armor.

    2. Select a template that applies to incoming requests to the gateway from the list.

    3. To use a different template for responses, clear Use same template for requests and responses and select a template from the list.

  9. Click Add Gateway.

gcloud

You define Agent Gateways declaratively using YAML.

  1. Define the resource and save the configuration to a YAML file. For this example, we use my-agent-gateway-ingress.yaml.

      name: AGENT_GATEWAY_NAME
      protocols:
      - MCP
      googleManaged:
        governedAccessPath: CLIENT_TO_AGENT

    Replace AGENT_GATEWAY_NAME with a name for the Agent Gateway resource.

  2. Run the following command to create an Agent Gateway resource based on the YAML specification:

      gcloud alpha network-services agent-gateways import AGENT_GATEWAY_NAME \
          --source="my-agent-gateway-ingress.yaml" \
          --location=LOCATION

    Replace LOCATION with the location where you want to create the Agent Gateway resource. For example, us-central1.

After an Agent Gateway has been created, it serves as the primary connection point for routing traffic to agents in your project and chosen region.
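A local pre-import check for either YAML specification above, covering the registry rules this page states (global registry for Gemini Enterprise, regional for Agent Runtime, no registry for ingress). This is an added example, not Google's tooling: the function name `lint_gateway_spec`, the finding messages, and the sample project and region values are assumptions, and the spec is taken as an already-parsed dictionary.

```python
import re

# Registry path shape is taken from the page; the checks themselves are assumed local policy.
REGISTRY_RE = re.compile(
    r"^//agentregistry\.googleapis\.com/projects/([^/\s]+)/locations/([^/\s]+)$")
PLACEHOLDERS = ("AGENT_GATEWAY_NAME", "AGENT_REGISTRY_PATH", "PROJECT_ID", "REGION")
ACCESS_PATHS = ("AGENT_TO_ANYWHERE", "CLIENT_TO_AGENT")

def lint_gateway_spec(spec):
    """Return a list of findings for a parsed Agent Gateway spec (empty list = clean)."""
    findings = []
    name = str(spec.get("name", ""))
    if not name or name in PLACEHOLDERS:
        findings.append("name: missing or still a placeholder")
    path = (spec.get("googleManaged") or {}).get("governedAccessPath")
    if path not in ACCESS_PATHS:
        findings.append(f"governedAccessPath: unexpected value {path!r}")
    registries = spec.get("registries") or []
    kinds = set()
    for reg in registries:
        m = REGISTRY_RE.match(str(reg))
        if not m:
            findings.append(f"registries: malformed path {reg!r}")
        elif m.group(1) in PLACEHOLDERS or m.group(2) in PLACEHOLDERS:
            findings.append(f"registries: unreplaced placeholder in {reg!r}")
        else:
            # locations/global serves Gemini Enterprise; a region serves Agent Runtime.
            kinds.add("global" if m.group(2) == "global" else "regional")
    if path == "AGENT_TO_ANYWHERE" and not registries:
        findings.append("registries: egress spec lists no Agent Registry")
    if path == "CLIENT_TO_AGENT" and registries:
        findings.append("registries: not used for ingress")
    if len(kinds) > 1:
        findings.append("registries: global and regional mixed; use one gateway per integration")
    return findings

# Constructed sample specs (project and region values are made up).
EGRESS_OK = {"name": "gw-egress", "protocols": ["MCP"],
             "googleManaged": {"governedAccessPath": "AGENT_TO_ANYWHERE"},
             "registries": ["//agentregistry.googleapis.com/projects/example-proj/locations/us-central1"]}
EGRESS_MIXED = dict(EGRESS_OK, name="gw-mixed", registries=EGRESS_OK["registries"] + [
    "//agentregistry.googleapis.com/projects/example-proj/locations/global"])
INGRESS_WITH_REGISTRY = dict(EGRESS_OK, name="gw-ingress",
                             googleManaged={"governedAccessPath": "CLIENT_TO_AGENT"})

if __name__ == "__main__":
    for spec in (EGRESS_OK, EGRESS_MIXED, INGRESS_WITH_REGISTRY):
        print(spec["name"], lint_gateway_spec(spec))
```

Load the YAML file with the parser of your choice and pass the resulting dictionary to `lint_gateway_spec` before running the import command.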

Next, learn how to deploy agents and route traffic through Agent Gateway.

Deploy agents and route traffic through Agent Gateway

To deploy an Agent Runtime agent that routes traffic through Agent Gateway, see Route traffic through Agent Gateway.

To deploy a Gemini Enterprise agent that routes traffic through Agent Gateway, see Route Gemini Enterprise traffic through Agent Gateway.

What's next

Guide

Learn how to route Agent Platform Runtime traffic through Agent Gateway for secure and governed connectivity.

Codelab

Learn how to govern agentic workloads with Agent Gateway on Gemini Enterprise Agent Platform.

Guide

Learn how to delegate authorization for Agent Gateway to IAP, Model Armor, or your own custom authorization service.

Guide

Learn how to monitor Agent Gateway.

Guide

Learn how to route Gemini Enterprise traffic through Agent Gateway.
