Description
Harness supports VPC mode by passing subnetIds and securityGroupIds on the network configuration. For users who already have a Harness-compatible VPC, this is straightforward. For users who don’t, or aren’t sure whether their existing VPC meets the requirements (NAT gateway for ECR Public egress, correct security group rules, multi-AZ subnets), there’s no one-command path today.
Integrations like the n8n community node surface subnet IDs and security group IDs as raw fields in their credential UI. A standalone command that provisions a minimal harness-compatible VPC and outputs the IDs would let these integrations offer a one-command setup step, parallel to the standalone IAM role command.
Suggested shape:
```
agentcore vpc create-harness-network \
  --name MyHarnessNetwork \
  [--region us-west-2] \
  [--cidr 10.0.0.0/16] \
  [--az-count 2] \
  [--output text|json]
```
Optional companion subcommand agentcore vpc validate --subnets ... --security-groups ... that checks whether a caller-supplied VPC/subnet/SG combination meets harness requirements and reports what’s missing. Useful for the “I already have a VPC” path.
Acceptance Criteria
• Command provisions a minimal Harness-compatible VPC: subnets across at least two AZs, security group with egress permitting public.ecr.aws, and a NAT gateway with route to an internet gateway
• Output includes VPC ID, subnet IDs, and security group ID (plain text by default, JSON with --output json)
• Idempotent on --name: re-running returns the existing resources rather than creating duplicates
• --region, --cidr, and --az-count flags honored with sensible defaults
• Optional agentcore vpc validate subcommand reports whether an existing VPC/subnet/SG combination meets Harness requirements, with clear messages on anything missing
• Help text describes the integration use case
• README updated alongside the IAM command section
Additional Context
• Reference for Harness network configuration requirements: https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-security.html (Network configuration section)
• Driving use case: the n8n community node — npm: [npm link](https://www.npmjs.com/package/@aws/n8n-nodes-agentcore), repo: [repo link](https://github.com/aws/n8n-nodes-agentcore)
• Same pattern as the standalone IAM role command (separate issue): the goal is a small set of one-command building blocks that integrations can compose into a “from zero to working Harness” path for their users
• A CloudFormation quick-create template wrapping the same underlying construct would be a useful companion for fully no-code audiences
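One way the checks behind the proposed `agentcore vpc validate` subcommand could be implemented, added here as an illustration and not taken from the issue or the AgentCore code base. It runs over constructed data in the shape of EC2 DescribeSubnets, DescribeRouteTables and DescribeSecurityGroups responses. The function names are hypothetical, and reading "egress permitting public.ecr.aws" as TCP 443 to 0.0.0.0/0 is an assumption.

```python
# Constructed sample data in the shape of EC2 Describe* responses (IDs are made up).
SUBNETS = [{"SubnetId": "subnet-aaa", "VpcId": "vpc-1", "AvailabilityZone": "us-west-2a"},
           {"SubnetId": "subnet-bbb", "VpcId": "vpc-1", "AvailabilityZone": "us-west-2b"}]
ROUTE_TABLES = [
    {"VpcId": "vpc-1", "Associations": [{"Main": True}],  # main table: public (IGW)
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]},
    {"VpcId": "vpc-1", "Associations": [{"Main": False, "SubnetId": "subnet-aaa"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1", "State": "active"}]},
]
SECURITY_GROUPS = [{"GroupId": "sg-1", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]

def _route_table_for(subnet, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in (r for r in route_tables if r["VpcId"] == subnet["VpcId"]):
        for a in rt.get("Associations", []):
            if a.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if a.get("Main"):
                main = rt
    return main

def _has_nat_default_route(rt):
    # A route left behind by a deleted NAT gateway has State "blackhole" and does not count.
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId")
               and r.get("State") == "active" for r in rt.get("Routes", []))

def _allows_https_egress(sg):
    # Assumption: only 0.0.0.0/0 rules are evaluated, not narrower CIDRs or prefix lists.
    for p in sg.get("IpPermissionsEgress", []):
        proto = p.get("IpProtocol")
        port_ok = proto == "-1" or (proto == "tcp" and p["FromPort"] <= 443 <= p["ToPort"])
        if port_ok and any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", [])):
            return True
    return False

def validate_harness_network(subnets, route_tables, security_groups):
    """Return a list of messages describing what is missing; empty means compliant."""
    problems = []
    azs = {s["AvailabilityZone"] for s in subnets}
    if len(azs) < 2:
        problems.append(f"subnets cover {len(azs)} AZ(s); need at least 2")
    for s in subnets:
        rt = _route_table_for(s, route_tables)
        if rt is None or not _has_nat_default_route(rt):
            problems.append(f"{s['SubnetId']}: no active 0.0.0.0/0 route via a NAT gateway")
    if not any(_allows_https_egress(sg) for sg in security_groups):
        problems.append("no security group allows TCP 443 egress to 0.0.0.0/0")
    return problems
```

On the sample data this reports `subnet-bbb`, which silently inherits the public main route table, and the security group that only opens port 80.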