Integrate with Agent Gateway

Gemini Enterprise Agent Platform is a platform for building and managing enterprise-grade AI agents. Agent Gateway serves as a control plane that manages, secures, and governs how AI agents connect and interact within the Google Cloud environment and with external agents, AI applications, and LLMs. The integration of Model Armor and Agent Gateway embeds Model Armor's screening capabilities directly into the communication pathways Gemini Enterprise Agent Platform manages. When content passes through Agent Gateway, it invokes Model Armor to enforce your predefined security templates. You can configure your template to either block and redact content that violates policies, or to only inspect content and log any violations that are detected. This mitigates risks such as prompt injection, jailbreaks, exposure to harmful content, and sensitive data leakage.

When Model Armor detects policy violations in content passing through Agent Gateway, it can be configured to log these events. You can view these findings on the Model Armor page in the Google Cloud console (Go to Model Armor). These findings are also surfaced in Security Command Center. For more information, see View Model Armor findings.

Limitations

Consider the following limitations when integrating Model Armor with Agent Gateway:

Streaming support for Agent-to-Anywhere: Model Armor does not support streaming sanitization for Agent-to-Anywhere egress traffic.
Cross-project template usage: When using a Model Armor template in one project to sanitize requests for a service, like Agent Gateway, in a different project, the API quota for Model Armor needs to be sufficient in both the project hosting the template and the project hosting the calling service. For more information, see Manage quota.
Regional alignment: Model Armor and the services it integrates with must be deployed within the same Google Cloud region. Cross-region calls to Model Armor are not supported.
Egress integration compatibility: Model Armor's inline protection on egress traffic is limited to integrations with MCP servers, services following the OpenAI format, and A2A through Agent Gateway.
Ingress integration compatibility: Inline ingress protection with Model Armor is only supported for agents built using the Agent Development Kit (ADK).

Before you begin

Before you set up Model Armor and Agent Gateway, complete the following configuration and permission steps:

Enable the Model Armor API in the project where you want to create the Model Armor templates.
Create one or more Model Armor templates in the same region where you plan to add the gateway. You can use the same template for both ingress and egress traffic.

Take note of the template names. To copy the name of a template in the Google Cloud console, view the template's details and click Copy to clipboard next to the template name.
Set up Agent Gateway in the same region where the Model Armor templates are stored. For the Client-to-Agent (ingress) gateway, specify the Model Armor templates that you created for ingress traffic. For the Agent-to-Anywhere (egress) gateway, specify the Model Armor templates that you created for egress traffic. You can use the same template for both traffic flows.
If your Model Armor templates are in a project different from the gateway, you must grant the required IAM roles to the appropriate service accounts:
- Client-to-Agent (ingress): Grant the AI Platform Reasoning Engine Service Agent service account the following roles:
  - The Model Armor Callout User (roles/modelarmor.calloutUser) role in the project that contains the AI agent.
  - The Model Armor User (roles/modelarmor.user) role in the project that contains the Model Armor template.
- Agent-to-Anywhere (egress): Grant the Agent Gateway service account the following roles:
  - The Model Armor Callout User (roles/modelarmor.calloutUser) and Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) roles in the project that contains the gateway.
  - The Model Armor User (roles/modelarmor.user) role in the project that contains the Model Armor template.
For instructions, see Delegate authorization to Model Armor.

For general information about how to grant a role, see Grant a single IAM role.

Ingress and egress traffic

In the context of Agent Gateway and Model Armor integration, the terms ingress and egress are used from the perspective of the AI agent's interactions:

Ingress Traffic (Client-to-Agent): Refers to the communication flow between a client and the agent. Model Armor can protect both the incoming requests from the client to the agent and the outgoing responses from the agent back to the client.
Egress Traffic (Agent-to-Anywhere): Refers to the communication flow between the agent and an external system. Model Armor can protect both the outgoing requests from the agent to the external system and the incoming responses from the external system back to the agent.

Client-to-Agent (ingress) protection

You define templates that Model Armor uses to evaluate:

Incoming requests from the client (end users or calling applications) to your AI agent.
Outgoing responses from the AI agent back to the client.

You can apply a single template to both directions or configure different templates for each.

Traffic flow for Client-to-Agent

A client sends a prompt to the agent. Agent Gateway intercepts the request and sends the payload to Model Armor.
Model Armor screens the request. If blocked, the client receives an error.
If allowed, the request reaches the AI agent.
The AI agent generates a response. Agent Gateway intercepts this response before it reaches the client.
Model Armor screens the response, and Agent Gateway either allows or blocks it based on the verdict.

Agent-to-Anywhere (egress) protection