To centralize access control and secure connectivity across your agentic workflows, you can set up an Agent Gateway resource to manage ingress or egress traffic.
Before you set up a gateway, review the conceptual basics and core components in the Agent Gateway overview.
Required permissions
The following permissions are required to create and manage Agent Gateways. You can get these permissions either with custom roles or by using other predefined roles.
Required permissions
compute.networkAttachments.listcompute.regions.listmodelarmor.templates.listmodelarmor.templates.listnetworksecurity.authzPolicies.createnetworksecurity.authzPolicies.deletenetworksecurity.authzPolicies.getnetworksecurity.authzPolicies.listnetworksecurity.operations.getnetworkservices.agentGateways.createnetworkservices.agentGateways.deletenetworkservices.agentGateways.getnetworkservices.agentGateways.listnetworkservices.agentGateways.updatenetworkservices.agentGateways.usenetworkservices.authzExtensions.createnetworkservices.authzExtensions.deletenetworkservices.authzExtensions.getnetworkservices.authzExtensions.listnetworkservices.authzExtensions.updatenetworkservices.authzExtensions.usenetworkservices.operations.get
Required APIs
Enable the following APIs in the Google Cloud project that you are using for this guide. These APIs let you access the full suite of capabilities offered by Gemini Enterprise Agent Platform.
Required APIs
- Compute Engine API (
compute.googleapis.com) - Network Security API (
networksecurity.googleapis.com) - Network Services API (
networkservices.googleapis.com) - Cloud DNS API (
dns.googleapis.com) - Identity and Access Management API (
iam.googleapis.com) - Agent Registry API (
agentregistry.googleapis.com) - Vertex AI API (
aiplatform.googleapis.com) - Discovery Engine API (
discoveryengine.googleapis.com) - Cloud Storage API (
storage.googleapis.com) - Model Armor API (
modelarmor.googleapis.com) - Observability API (
observability.googleapis.com) - Telemetry API (
telemetry.googleapis.com) - Cloud Monitoring API (
monitoring.googleapis.com) - Cloud Trace API (
cloudtrace.googleapis.com) - Cloud Logging API (
logging.googleapis.com) - App Hub API (
apphub.googleapis.com) - App Topology API (
apptopology.googleapis.com) - Cloud API Registry (
cloudapiregistry.googleapis.com) - Notebooks API (
notebooks.googleapis.com) - Text-to-Speech API (
texttospeech.googleapis.com) - Dataform API (
dataform.googleapis.com)
Plan your Agent Gateway deployment
Use this section to plan your Agent Gateway deployment and understand the requirements for the setup to work. The following sections outline the essential components, but they don't represent a strict order of steps. You can register endpoints and MCP servers, and assign roles to the agent, either during initial setup or on an ongoing basis as more requirements arise.
Choose your deployment mode
Agent Gateway supports two deployment modes:
- Client-to-Agent (ingress): Secures communications from clients to your agents running on Google Cloud.
- Agent-to-Anywhere (egress): Secures communications from your agents to external targets, public APIs, and MCP servers.
Select your runtime and region of deployment
Agent Gateway governs traffic from agents running on Gemini Enterprise and Runtime. To centralize governance of agents across Gemini Enterprise and Runtime, you can use a single Agent Gateway. Alternatively, you can also deploy independent Agent Gateway instances for Gemini Enterprise and Runtime.
Note that the Gemini Enterprise app, Runtime agents, Agent Gateway, and its associated Agent Registry all need to be in the same Google Cloud project.
Here are some sample deployment patterns for your consideration:
- Pattern 1: Centralized governance for Gemini Enterprise and Runtime agents
Your Gemini Enterprise app is deployed as a multi-region deployment (in either
usoreu) while all the other resources (Runtime, Agent Gateway, and Agent Registry) are deployed within a single region corresponding to the Gemini Enterprise multi-region setup.In such a deployment, both the Gemini Enterprise app and Runtime route their traffic through a single, local Agent Gateway directly to the final destination.
Gemini Enterprise app location Runtime region Agent Gateway region Agent Registry instance1 globalorusus-central1us-central1The single Agent Gateway must be associated with the us-central1registry.eueurope-west1europe-west1The single Agent Gateway must be associated with the europe-west1registry.1 For the agent to communicate with endpoints and servers, including Google Cloud MCP servers, you must manually register them with the regional Agent Registry instance.- Pattern 2: Independent governance for Gemini Enterprise (using Google Cloud MCP servers) and Runtime agents
Your Gemini Enterprise app is deployed as a multi-region deployment (in either
global,us, oreu) while Runtime agents are deployed in separate regions as needed. Agent Gateway instances are deployed in each region where runtimes are located.This pattern ensures regional isolation, with each region having a dedicated Agent Gateway to monitor and govern agent traffic.
Gemini Enterprise app location Runtime region Agent Gateway region Agent Registry instance1 globalAny region One Agent Gateway in
us-central1for Gemini EnterpriseAn Agent Gateway in each region where you want to govern Runtime agents
The Agent Gateway for Gemini Enterprise must be associated with the
globalregistry.The Agent Gateway for Runtime must be associated with the corresponding regional registry.
usAny region One Agent Gateway in
us-central1for Gemini EnterpriseAn Agent Gateway in each region where you want to govern Runtime agents
The Agent Gateway for Gemini Enterprise must be associated with the
globalregistry.The Agent Gateway for Runtime must be associated with the corresponding regional registry.
euAny region One Agent Gateway in
europe-west1for Gemini EnterpriseAn Agent Gateway in each region where you want to govern Runtime agents
The Agent Gateway for Gemini Enterprise must be associated with the
globalregistry.The Agent Gateway for Runtime must be associated with the corresponding regional registry.
1 You must manually register your Runtime agents with the global Agent Registry instance to be able to govern connectivity between the Gemini Enterprise app and the Runtime agent.- Pattern 3: Independent governance for Gemini Enterprise, Google Workspace, and Runtime agents
Your Gemini Enterprise, Google Workspace and Runtime agents are deployed as multi-region or regional deployments as needed. The Agent Gateway instances are deployed in each region where runtimes are located.
If your Google Workspace agents are multi-region, you'll need to associate the multi-region registry with Agent Gateway as shown in the following table.
Gemini Enterprise app and Google Workspace location Runtime region Agent Gateway region Agent Registry instance usAny region One Agent Gateway in
us-central1for Gemini Enterprise and Google WorkspaceAn Agent Gateway in each region where you want to govern Runtime agents
The Agent Gateway for Gemini Enterprise and Google Workspace must be associated with the
usregistry.The Agent Gateway for Runtime must be associated with the corresponding regional registry.
euAny region One Agent Gateway in
europe-west1for Gemini Enterprise and Google WorkspaceAn Agent Gateway in each region where you want to govern Runtime agents
The Agent Gateway for Gemini Enterprise and Google Workspace must be associated with the
euregistry.The Agent Gateway for Runtime must be associated with the corresponding regional registry.
Register your agents, endpoints, servers, and tools
To enable secure communication, you must identify your Agent Registry instance and register the resources that your gateway will govern.
Identify the Agent Registry instance that you will be using.
- For Agent Runtime, you reference the regional registry
(
//agentregistry.googleapis.com/projects/PROJECT_ID/locations/REGION) in the same project and region where the Agent Runtime agents are deployed and where the gateway will be deployed. - For Gemini Enterprise, you reference either the global, multi-region, or regional registry in the same project where the Gemini Enterprise agents are deployed and where the gateway will be deployed. See the Plan your deployment section for guidance on which registry is suitable for your deployment.
- For Agent Runtime, you reference the regional registry
(
Register your agents with Agent Registry. If you haven't already created the agent, you must complete this step later. For instructions, see Register agents.
Identify and register all tools, MCP servers, and API endpoints your agents will call. Registering these resources is required because Agent Gateway blocks all outbound traffic to hosts not registered in Agent Registry.
For instructions, see the following guides:
Configure access control mechanisms
Every Agent Gateway requires an associated authorization policy.
- IAP
By default, Agent Gateway uses IAP to authenticate agents, endpoints, and servers by using the policies defined in Identity and Access Management (IAM).
To validate your configuration without blocking traffic, we recommend that you deploy IAP in dry-run mode initially.
- Model Armor
(Optional) If your deployment requires safeguarding against prompt injection attacks, jailbreaks, toxic content, or sensitive data leakage, you should plan your Model Armor guardrail integration and create templates with the safety filters you require.
For more information, see the following documents:
- Semantic Governance Policies
(Optional) You can opt to add natural language-based context-aware controls on your agents to enable protections against toxic combinations of tools.
We recommend that you start by deploying Semantic Governance Policies in dry-run mode so that you can validate your configuration without blocking traffic. For details, see Configure semantic governance policies.
- Custom authorization engines
(Optional) If you want to delegate authorization to custom authorization engines or third party systems by using Service Extensions, you should ensure that the custom authorization engines are available when deploying the gateway.
Model Armor, Semantic Governance Policies, and any other custom authorization engines can be enabled either during initial Agent Gateway setup or attached post-deployment as an incremental security policy update.
Set up agent identity and permissions
The following steps are required to enable communications between the agent and the registered endpoints and MCP servers:
Create an agent identity for your agent. You can do this during deployment or after the agent is deployed. For instructions, see Use Agent Identity with Runtime.
Grant the agent identity principal the
roles/iap.egressor(IAP-secured Egressor) role for each of the endpoints and servers you registered in Agent Registry.You can grant this role at either the registry level or the individual resource level. Because registries can be global or regional, ensure that any registry-wide binding matches the agent type:
- For Gemini Enterprise agents, use the global registry.
- For Agent Runtime agents, use a regional registry.
Agent Gateway checks specifically for the
iap.webServiceVersions.egressViaIAPpermission, which is only granted by theroles/iap.egressorrole. By default, all egress traffic is denied unless explicitly allowed by this IAM policy.For instructions, see Create IAM agent policies.
Configure Agent Gateway in Agent-to-Anywhere (egress) mode
This section shows you how to set up an Agent Gateway for Agent-to-Anywhere communications.
Use the following steps to create an Agent Gateway resource.
Google Cloud console
- In the Google Cloud console, go to the Agent Gateway page.
- Click Add gateway.
- Enter a Name.
- From the Region list, select a region.
- For Deployment mode, verify that Google-managed is selected.
- For Agent Registry, select a registry from the list. For guidance on which registry to choose for your deployment, see Plan your Agent Gateway deployment.
- From the Governed Access Path list, select Agent-to-Anywhere (Agent Egress).
In the Access Authorization section, choose how traffic is handled by IAP:
- To deploy the gateway in a dry-run mode where the gateway permits all traffic through and only generates audit logs, select Audit-only. Your IAM policies are not enforced by IAP in dry-run mode. Once you gain confidence, you can disable dry-run mode to enforce IAM policies.
- To block requests that don't have an explicit
AllowIAM policy, select Enforce policies. This option is recommended for production environments.
Optional: In the AI Security section, configure additional security:
- To protect AI model interactions with Model Armor, turn on Enable Model Armor.
- Select a template that applies to incoming requests to the gateway from the list.
To use a different template for responses, clear Use same template for requests and responses and select a template from the list.
Click Add Gateway.
gcloud
You define Agent Gateways declaratively using YAML.
Define the resource and save the configuration to a YAML file. For this example, we use
my-agent-gateway-egress.yaml.name: AGENT_GATEWAY_NAME protocols: - MCP googleManaged: governedAccessPath: AGENT_TO_ANYWHERE registries: - AGENT_REGISTRY_PATHReplace the following:
AGENT_GATEWAY_NAME: The name of the Agent Gateway resource.AGENT_REGISTRY_PATH: The path to the Agent Registry. For guidance on which registry to choose for your deployment, see Plan your Agent Gateway deployment.
Run the following command to create an Agent Gateway resource based on the YAML specification:
gcloud network-services agent-gateways import AGENT_GATEWAY_NAME \ --source="my-agent-gateway-egress.yaml" \ --location=LOCATION
Replace
LOCATIONwith the location where you want to create the Agent Gateway resource. For example,us-central1.Note that for Gemini Enterprise, you must deploy Agent Gateway in a region that corresponds to your multi-region setup. For the supported location mappings, see Route Gemini Enterprise traffic through Agent Gateway.
Create an authorization policy to enforce centralized access control and governance policies on traffic passing through the Agent Gateway. The following steps show you how to configure an authorization policy that uses IAP.
Configure an authorization extension that points to IAP. Define the extension in a YAML file, such as
iap-request-authz-extension.yaml.To validate the policy configuration and routing without disrupting traffic, we recommend that you first deploy the extension in dry-run (audit-only) mode. To do this, you specify
DRY_RUNin theiamEnforcementModefield as shown in the example.cat >iap-request-authz-extension.yaml <<EOF name: AUTHORIZATION_EXTENSION_NAME service: iap.googleapis.com failOpen: true timeout: 1s metadata: iamEnforcementMode: "DRY_RUN" iapPolicyVersion: "V1" EOFImport the YAML configuration file to an authorization extension.
gcloud beta service-extensions authz-extensions import AUTHORIZATION_EXTENSION_NAME \ --source=iap-request-authz-extension.yaml \ --location=LOCATION
Replace
AUTHORIZATION_EXTENSION_NAMEwith the name of the authorization extension—for example,my-iap-request-authz-ext.Define an authorization policy in a YAML file, such as
iap-request-authz-policy.yaml, to associate the extension with your gateway:cat >iap-request-authz-policy.yaml <<EOF name: AUTHORIZATION_POLICY_NAME target: resources: - "projects/PROJECT_ID/locations/LOCATION/agentGateways/AGENT_GATEWAY_NAME" policyProfile: REQUEST_AUTHZ action: CUSTOM customProvider: authzExtension: resources: - "projects/PROJECT_ID/locations/LOCATION/authzExtensions/AUTHORIZATION_EXTENSION_NAME" EOFReplace the following:
AUTHORIZATION_POLICY_NAME: the name of the authorization policy—for example,my-iap-request-authz-policyPROJECT_ID: the project ID
Import the YAML configuration file to an authorization policy.
gcloud beta network-security authz-policies import AUTHORIZATION_POLICY_NAME \ --source=iap-request-authz-policy.yaml \ --location=LOCATION
Optional: If you want to configure Model Armor guardrails to help protect your deployment against prompt injection attacks and sensitive data leaks, see Delegate authorization to Model Armor.
After an Agent Gateway has been created, it serves as the primary connection point for routing agent traffic within your project and chosen region. You can now use this endpoint to establish secure, encrypted, and authenticated communication channels between agents and their destinations (tools, other agents, or other endpoints).
Next, learn how to deploy agents and route traffic through Agent Gateway.
Optional: Configure VPC connectivity
To learn how to configure your Agent Gateway so that it can privately communicate with a VPC network in your organization, see Set up VPC connectivity for Agent Gateway.
Configure Agent Gateway in Client-to-Agent (ingress) mode
This section shows you how to set up an Agent Gateway for Client-to-Agent communications.
Use the following steps to create an Agent Gateway resource.
Google Cloud console
- In the Google Cloud console, go to the Agent Gateway page.
- Click Add gateway.
- Enter a Name.
- From the Region list, select a region.
- For Deployment mode, verify that Google-managed is selected.
- Leave the Agent registry setting as is. The registry isn't used for ingress.
- From the Governed Access Path list, select Client-to-Agent (ingress).
Optional: In the AI Security section, configure additional security:
To protect AI model interactions with Model Armor, turn on Enable Model Armor.
Select a template that applies to incoming requests to the gateway from the list.
To use a different template for responses, clear Use same template for requests and responses and select a template from the list.
Click Add Gateway.
gcloud
You define Agent Gateways declaratively using YAML.
Define the resource and save the configuration to a YAML file. For this example, we use
my-agent-gateway-ingress.yaml.name: AGENT_GATEWAY_NAME protocols: - MCP googleManaged: governedAccessPath: CLIENT_TO_AGENTReplace AGENT_GATEWAY_NAME with a name for the Agent Gateway resource.
Run the following command to create an Agent Gateway resource based on the YAML specification:
gcloud network-services agent-gateways import AGENT_GATEWAY_NAME \ --source="my-agent-gateway-ingress.yaml" \ --location=LOCATION
Replace
LOCATIONwith the location where you want to create the Agent Gateway resource. For example,us-central1.
After an Agent Gateway has been created, it serves as the primary connection point for routing traffic to agents in your project and chosen region.
Next, learn how to deploy agents and route traffic through Agent Gateway.
Deploy agents and route traffic through Agent Gateway
To deploy a Agent Runtime agent that routes traffic through Agent Gateway, see Route traffic through Agent Gateway.
To deploy a Gemini Enterprise agent that routes traffic through Agent Gateway, see Route Gemini Enterprise traffic through Agent Gateway.
What's next
Route Agent Runtime traffic through Agent Gateway
Learn how to route Agent Runtime traffic through Agent Gateway for secure and governed connectivity.
Codelab: Govern agentic workloads with Agent Platform
Learn how to govern agentic workloads with Agent Gateway on Gemini Enterprise Agent Platform.
Delegate authorization for Agent Gateway
Learn how to delegate authorization for Agent Gateway to IAP, Model Armor, or your own custom authorization service.
Route Gemini Enterprise traffic through Agent Gateway
Learn how to route Gemini Enterprise traffic through Agent Gateway.