[ PERFORMANCE AT A GLANCE ]
[ ARCHITECTURE ]
Complete Bedrock Gateway Solution
Your existing Bedrock calls flow through Bifrost with zero code changes. Governance, guardrails, and failover across regions and providers built in.
Your Applications
- Existing boto3 Bedrock clients
- Converse API and Invoke API calls
- Streaming and batch workloads
- No SDK changes required
Bifrost Gateway
- Governance and budget enforcement
- Bedrock Guardrails integration
- Multi-region routing and failover
- Observability and audit logs
[ CORE CAPABILITIES ]
What Bifrost Adds to Bedrock
Every capability works with your existing Bedrock SDK. No migration, no SDK swap, no API format changes.
Native Bedrock SDK Drop-in
Point boto3 at Bifrost's /bedrock endpoint. Converse, Invoke, and streaming just work. IAM role auth supported.
Multi-Region Failover
Set up weighted routing across Bedrock regions. When us-east-1 throttles, Bifrost shifts traffic to us-west-2. Add Anthropic or OpenAI as a fallback tier.
Bedrock Guardrails Enforcement
Attach Bedrock Guardrail ARNs at the gateway level. Layer with Azure Content Safety or Patronus AI for defense-in-depth.
Per-Team Budget Controls
Virtual keys give every team, project, or environment its own spending cap, rate limit, and model allowlist, all enforced before requests reach Bedrock.
In-VPC Deployment
Bifrost runs entirely inside your AWS VPC. API keys stay in Secrets Manager with automatic sync and zero-downtime rotation.
Full Request Observability
Every request logged with prompt/response metadata, latency, tokens, cost, and guardrail actions. Built-in dashboard, OpenTelemetry, Datadog, or BigQuery.
[ HOW IT WORKS ]
Go Live in Three Steps
Route your existing Bedrock SDK traffic through Bifrost without changing application logic.
Deploy Bifrost
Run Bifrost inside your VPC with Docker or Kubernetes. Zero configuration needed to start.
Configure Bedrock Provider
Add your Bedrock regions and IAM credentials in the Bifrost config. Supports multiple regions with weighted routing.
Update endpoint_url
Point your existing boto3 client at Bifrost. One line change. Your Converse and Invoke API calls work as-is.
Same SDK. Same API. Now with governance, guardrails, fallbacks, and observability.
[ GUARDRAILS ]
Bedrock Guardrails, Enforced at the Gateway
Connect your existing Bedrock Guardrail ARNs and enforce them globally. No per-request application code needed.
PII Detection
Connect your existing Bedrock Guardrail ARN for automatic PII filtering across all requests.
Content Filtering
Block harmful outputs across all teams and models at the gateway level.
Prompt Injection Prevention
Real-time input validation before requests reach Bedrock.
Image Scanning
PNG and JPEG content scanning through Bedrock Guardrails.
Defense-in-Depth
Stack Bedrock + Azure Content Safety + Patronus AI for layered protection.
Usage Metrics
Detailed guardrail invocation metrics for cost tracking and monitoring.
curl -X POST http://localhost:8080/api/enterprise/guardrails/providers \
-H "Content-Type: application/json" \
-d '{
"provider_name": "bedrock",
"policy_name": "PII Detection",
"enabled": true,
"config": {
"guardrail_arn": "arn:aws:bedrock:us-east-1:...:guardrail/abc123",
"guardrail_version": "1",
"region": "us-east-1"
}
}'[ COMPARISON ]
Bedrock Native vs Bedrock + Bifrost
| Capability | Bedrock Native | Bedrock + Bifrost |
|---|---|---|
| Multi-region failover | CRI profiles | Automatic with health monitoring |
| Cross-provider fallback | Not available | 20+ providers as escape hatch |
| Per-team budget caps | IAM-based, no real-time limits | Virtual keys with real-time enforcement |
| Guardrails enforcement | Native | Gateway-level, global enforcement |
| Semantic caching | Not available | Built-in, configurable per key |
| Request observability | CloudWatch logs | Full tracing, OTEL, Datadog, BigQuery |
| MCP tool governance | Not available | Per-key filtering with audit trails |
| API key rotation | Manual | Auto via Secrets Manager sync |
| Added latency | - | 11µs |
[ SECURITY ]
Enterprise Security, Built In
VPC Isolation
Full In-VPC deployment with private networking and zero external data exposure.
AWS Secrets Manager
Native integration with automatic key sync and zero-downtime rotation.
Vault Support
Also works with HashiCorp Vault, Google Secret Manager, and Azure Key Vault.
Immutable Audit Trails
Every request logged for SOC 2 Type II, GDPR, HIPAA, and ISO 27001 compliance.
RBAC
OpenID Connect integration with user-level governance and team sync.
Log Exports
Automated export to S3, data lakes, or your SIEM.
[ USE CASES ]
How Teams Use Bifrost with Bedrock
Multi-team AI platform
Central platform team deploys Bifrost as the AI gateway. Each product team gets a virtual key with independent budgets, model allowlists, and guardrail policies.
Cross-region resilience
Production agents route through Bifrost with Bedrock us-east-1 as primary and us-west-2 as fallback. If the primary throttles, Bifrost switches automatically. Anthropic Direct serves as a third-tier escape hatch.
Regulated industry compliance
Healthcare or financial services teams needing HIPAA/SOC 2 Type II for all AI interactions. Bifrost deploys in-VPC, enforces Bedrock Guardrails for PII detection, logs immutable audit trails, and exports to SIEM.
Cost optimization at scale
Customer support agents on Bedrock with semantic caching for repetitive queries. Similar questions return cached responses instantly, cutting token spend. Per-team budgets prevent overspend.
MCP tool governance
Bifrost centralizes MCP tool access with per-key filtering and audit trails. Code Mode cuts token usage by 50% by orchestrating tools via Python.
Multi-provider flexibility
Start on Bedrock for compliance, but route specific workloads to OpenAI for cost or Groq for speed. Your application code never changes when you add providers.
[ WHY BIFROST ]
Why Teams Choose Bifrost for Bedrock
[ BIFROST FEATURES ]
Open Source & Enterprise
Everything you need to run AI in production, from free open source to enterprise-grade features.
01 Governance
SAML support for SSO and Role-based access control and policy enforcement for team collaboration.
02 Adaptive Load Balancing
Automatically optimizes traffic distribution across provider keys and models based on real-time performance metrics.
03 Cluster Mode
High availability deployment with automatic failover and load balancing. Peer-to-peer clustering where every instance is equal.
04 Alerts
Real-time notifications for budget limits, failures, and performance issues on Email, Slack, PagerDuty, Teams, Webhook and more.
05 Log Exports
Export and analyze request logs, traces, and telemetry data from Bifrost with enterprise-grade data export capabilities for compliance, monitoring, and analytics.
06 Audit Logs
Comprehensive logging and audit trails for compliance and debugging.
07 Vault Support
Secure API key management with HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault integration.
08 VPC Deployment
Deploy Bifrost within your private cloud infrastructure with VPC isolation, custom networking, and enhanced security controls.
09 Guardrails
Automatically detect and block unsafe model outputs with real-time policy enforcement and content moderation across all agents.
[ SHIP RELIABLE AI ]
Try Bifrost Enterprise with a 14-day Free Trial
Drop-in replacement for any AI SDK
Change just one line of code. Works with OpenAI, Anthropic, Vercel AI SDK, LangChain, and more.
[ FAQ ]
Frequently Asked Questions
No. Point your boto3 client's endpoint_url to Bifrost. Your existing Bedrock SDK code works as-is. No SDK swap, no API format changes.
Yes. When both access_key and secret_key are empty, Bifrost automatically uses the IAM role attached to the host. No credentials need to be exposed.
Yes. Bifrost integrates directly with your Bedrock Guardrail ARNs. Enforce them globally at the gateway without per-request application code.
11 microseconds per request at 5,000 req/s sustained throughput. [Read more about Bifrost becnhmarks](https://getmaxim.ai/bifrost/resources/benchmarks).
Inside your VPC, next to your Bedrock endpoints. Supports Kubernetes, Docker, and direct binary deployment. No data leaves your private network.
Yes. Configure fallback chains like Bedrock us-east-1 → Bedrock us-west-2 → Anthropic Direct → OpenAI. Your applications never go down even if an entire region is unavailable.
Native AWS Secrets Manager integration with periodic sync. Keys rotate with zero downtime. Also supports HashiCorp Vault, Google Secret Manager, and Azure Key Vault.
Yes. Apache 2.0 license. Enterprise features including guardrails, adaptive load balancing, clustering, in-VPC deployments, and audit logs are available with a 14-day free trial. [Get 14 days free enterprise trial](https://www.getmaxim.ai/bifrost/enterprise).