feat(gateway, gateway-target): VPC egress / NetworkConfiguration parity with Runtime

[aidandaly24]

Description

AWS::BedrockAgentCore::Runtime exposes NetworkConfiguration with NetworkMode (PUBLIC | VPC) and NetworkModeConfig of type VpcConfig (Subnets 1–16, SecurityGroups 1–16) — verified at the Runtime CFN docs. This is wired through the CLI today via networkMode + networkConfig on AgentEnvSpec (agent-env.ts:110–120) and the L3 AgentCoreRuntime construct.

The user ask is VPC Egress — Target, i.e. extending VPC network configuration to Gateway Target outbound traffic so a target's upstream call (e.g. a private API in a customer VPC, or a private Lambda endpoint) can be forced through a customer VPC.

Today AWS::BedrockAgentCore::Gateway and AWS::BedrockAgentCore::GatewayTarget expose no NetworkConfiguration, VpcConfig, PrivateEndpoint, or analog property at all. Verified across:

• Gateway properties: AuthorizerConfiguration, AuthorizerType, Description, ExceptionLevel, InterceptorConfigurations, KmsKeyArn, Name, PolicyEngineConfiguration, ProtocolConfiguration, ProtocolType, RoleArn, Tags — no network config.
• GatewayTarget properties: CredentialProviderConfigurations, Description, GatewayIdentifier, MetadataConfiguration, Name, TargetConfiguration — no network config.

Acceptance Criteria

• Confirm with the AgentCore service team whether VPC egress is supported on the data plane today for Gateway / GatewayTarget (control-plane API may have it before CFN).
• If the data plane supports it:
  • Extend AgentCoreGatewayTargetSchema (and possibly AgentCoreGatewaySchema) with a networkMode + networkConfig block, mirroring the existing Runtime shape (agent-env.ts:110–120).
  • Apply via post-deploy imperative call (same pattern as feat: support resource based policies. #542) until CFN catches up.
  • L3 construct passes through to whichever CFN/control-plane field the service uses.
• If the data plane does not support it: open a service-team request and link this issue.
• Add --network-mode, --vpc-subnets, --vpc-security-groups flags on agentcore add gateway-target (and optionally add gateway).
• Surface the configuration in the TUI advanced-options screen.
• When CFN ships network config on Gateway/Target, switch to the CDK path.

Additional Context

• CFN support on Runtime: YES — Runtime.NetworkConfiguration.{NetworkMode, NetworkModeConfig.{Subnets, SecurityGroups}}.
• CFN support on Gateway / GatewayTarget: NO — the only properties on either are listed above; no network config.
• Control-plane: needs internal confirmation; may be a service-team gap.
• Reuse the existing NetworkModeSchema / NetworkConfigSchema from agent-env.ts rather than redefining.