diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/README.md b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/README.md
index 92b81963..9ab6d5cd 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/README.md
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/README.md
@@ -1,205 +1,7 @@
-# Minimal WebRTC Voice Agent with KVS
+# ⚠️ This sample has moved
 
-Minimal example demonstrating WebRTC audio streaming with AWS Nova Sonic.
+The **Nova Sonic WebRTC Agent (KVS TURN)** sample has been consolidated into the bidirectional streaming tutorial folder:
 
-## Project Structure
+👉 [**06-bi-directional-streaming/05-bedrock-sonic-kvs-wr**](../06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/)
 
-```
-agent/
-  bot.py              - FastAPI server, WebRTC offer/answer, ICE handling
-  kvs.py              - KVS signaling channel and TURN server helpers
-  audio.py            - Audio resampling (av) and WebRTC output track (av.AudioFifo)
-  nova_sonic.py       - Nova Sonic bidirectional streaming session
-  requirements.txt
-  Dockerfile
-  .env.example
-server/
-  index.html          - Browser client (WebRTC + optional AgentCore Runtime)
-  server.py           - Static file server
-  requirements.txt
-kvs-iam-policy.json     - Minimal IAM policy for KVS
-bedrock-iam-policy.json - Minimal IAM policy for Nova Sonic
-```
-
-## Requirements
-
-- **Python 3.12+** (required for aws-sdk-bedrock-runtime)
-- AWS credentials configured
-- **VPC with internet egress** for AgentCore Runtime deployment (see setup below)
-
-## VPC Setup for AgentCore Runtime
-
-The agent needs internet egress to reach KVS TURN servers for WebRTC connectivity. If you already have a VPC with a private subnet that has NAT gateway access, skip to [Deploying to AgentCore Runtime](#deploying-to-agentcore-runtime).
-
-### 1. Create a VPC with public and private subnets
-
-1. Open the [VPC console](https://console.aws.amazon.com/vpc/)
-2. Click **Create VPC**
-3. Select **VPC and more**
-4. Set a name (e.g. `webrtc-bot-example`)
-5. Keep the default CIDR (`10.0.0.0/16`)
-6. Set **Number of Availability Zones** to **1**
-7. Set **Number of public subnets** to **1**
-8. Set **Number of private subnets** to **1**
-9. Set **NAT gateways** to **In 1 AZ**
-10. Click **Create VPC**
-
-### 2. Note the IDs
-
-From the VPC console, copy:
-- **Private subnet ID** (e.g. `subnet-0123456789abcdef0`) — this is where the agent runs
-- **Security group ID** — the default security group created with the VPC (e.g. `sg-0123456789abcdef0`)
-
-You'll use these in the `agentcore configure` step below.
-
-## Local Setup
-
-### 1. Agent
-
-```bash
-cd agent
-python3.12 -m venv venv
-source venv/bin/activate
-pip install -r requirements.txt
-cp .env.example .env  # Edit with your AWS credentials
-python bot.py          # http://localhost:8080
-```
-
-### 2. Server
-
-```bash
-cd server
-pip install -r requirements.txt
-python server.py       # http://localhost:7860
-```
-
-### 3. Test
-
-Open `http://localhost:7860` and click "Connect".
-
-## Deploying to AgentCore Runtime
-
-### 1. Install the starter toolkit
-
-```bash
-pip install bedrock-agentcore-starter-toolkit
-```
-
-### 2. Configure
-
-From the `agent/` directory:
-
-```bash
-cd agent
-
-export SUBNET_IDS=subnet-0123456789abcdef0  # private subnet (with NAT gateway for internet egress)
-export SECURITY_GROUP_ID=sg-0123456789abcdef0
-
-agentcore configure \
-  -e bot.py \
-  --deployment-type container \
-  --disable-memory \
-  --vpc \
-  --subnets $SUBNET_IDS \
-  --security-groups $SECURITY_GROUP_ID \
-  --non-interactive
-```
-
-VPC network mode is required because PUBLIC network mode does not support outbound UDP connectivity. 
-
-### 3. Deploy
-
-```bash
-agentcore deploy --env KVS_CHANNEL_NAME=voice-agent-minimal --env AWS_REGION=us-west-2
-```
-
-This builds an ARM64 container via CodeBuild (no Docker required locally) and deploys it to AgentCore Runtime. Note the ARN in the output.
-
-### 4. Attach IAM permissions
-
-The execution role created by the toolkit needs KVS and Bedrock permissions. First, update `ACCOUNT_ID` in `kvs-iam-policy.json` and `bedrock-iam-policy.json` with your AWS account ID. Then replace `ROLE_NAME` with the role name from the deploy output (e.g. `AmazonBedrockAgentCoreSDKRuntime-us-west-2-9d74932bdb`):
-
-```bash
-ROLE_NAME=ROLE_HERE
-
-aws iam put-role-policy \
-  --role-name $ROLE_NAME \
-  --policy-name kvs-access \
-  --policy-document file://kvs-iam-policy.json
-
-aws iam put-role-policy \
-  --role-name $ROLE_NAME \
-  --policy-name bedrock-nova-sonic \
-  --policy-document file://bedrock-iam-policy.json
-```
-
-### 5. Test
-
-Enter the agent ARN output from `agentcore deploy` in the browser client at `http://localhost:7860` along with AWS credentials, then click Connect. Once connected, speak into your microphone — the agent will respond with spoken audio in real time.
-
-### Cleanup
-
-```bash
-agentcore destroy
-```
-
-## How It Works
-
-### Audio Flow
-
-**Browser → Nova Sonic:**
-1. WebRTC captures microphone audio
-2. `aiortc` receives audio frames on the agent
-3. `av.AudioResampler` converts to 16kHz/16-bit/mono PCM
-4. Base64-encoded and streamed to Nova Sonic
-
-**Nova Sonic → Browser:**
-1. Agent receives audio chunks from Nova Sonic
-2. Raw PCM bytes buffered in `av.AudioFifo`
-3. `OutputTrack` serves fixed-size 20ms frames to WebRTC
-4. Browser plays audio via `<audio>` element
-
-### Audio Configuration
-
-| Parameter | Value |
-|-----------|-------|
-| Input Sample Rate | 16kHz |
-| Output Sample Rate | 24kHz |
-| Format | 16-bit PCM mono |
-| Model | amazon.nova-2-sonic-v1:0 |
-| Voice | matthew |
-
-## Key Dependencies
-
-| Package | Purpose |
-|---------|---------|
-| `aws-sdk-bedrock-runtime` | Nova Sonic streaming (requires Python 3.12+) |
-| `aiortc` | WebRTC peer connections |
-| `av` | Audio resampling and frame buffering (FFmpeg) |
-| `boto3` | KVS signaling channel and TURN servers |
-| `fastapi` / `uvicorn` | HTTP server |
-
-## IAM Permissions
-
-The agent needs KVS permissions for TURN server access. See `kvs-iam-policy.json` for the minimal policy — replace `ACCOUNT_ID` with your AWS account ID.
-
-Additionally, the agent needs `bedrock:InvokeModelWithBidirectionalStream` permission for the Nova Sonic model.
-
-## Troubleshooting
-
-**Python version error** (`Could not find aws-sdk-bedrock-runtime`):
-Use Python 3.12+.
-
-**Audio not working:**
-- Check microphone permissions in browser
-- Verify AWS credentials have Bedrock access
-- Run agent with `-v` for verbose logging
-
-**Connection fails:**
-- Ensure both agent and server are running
-- Check KVS IAM permissions
-- Verify TURN server connectivity
-
-## Reference
-
-Based on: https://github.com/aws-samples/sample-nova-sonic-speech2speech-webrtc
+Please follow the instructions in the new location to deploy and run the WebRTC voice agent.
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/.gitignore b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/.gitignore
similarity index 100%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/.gitignore
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/.gitignore
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/README.md b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/README.md
new file mode 100644
index 00000000..21ff1e8e
--- /dev/null
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/README.md
@@ -0,0 +1,273 @@
+# Nova Sonic WebRTC Agent (KVS TURN)
+
+A bidirectional voice agent using **Nova Sonic** with **WebRTC** audio transport via **Amazon Kinesis Video Streams (KVS)** TURN servers. Unlike the WebSocket-based samples (01–04), this agent uses WebRTC peer connections for lower-latency audio with built-in NAT traversal.
+
+## Architecture
+
+![Network Architecture](../assets/architecture-webrtc-kvs.svg)
+
+The browser captures microphone audio via WebRTC and relays it through KVS TURN servers to the agent running on AgentCore Runtime. The agent resamples the audio to 16kHz PCM, streams it to Nova Sonic, and plays back the 24kHz spoken response through the same WebRTC connection.
+
+## Prerequisites
+
+- **Python 3.12+** (required by `aws-sdk-bedrock-runtime`)
+- AWS credentials configured (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`)
+- A **VPC with a private subnet** that has NAT gateway internet egress (see [Step 1](#step-1-set-up-a-vpc))
+
+## Quick Start
+
+| Step | What | Time |
+|------|------|------|
+| 1 | [Set up a VPC](#step-1-set-up-a-vpc) (skip if you have one) | ~5 min |
+| 2 | [Deploy to AgentCore](#step-2-deploy-to-agentcore) | ~5 min |
+| 3 | [Attach IAM permissions](#step-3-attach-iam-permissions) | ~1 min |
+| 4 | [Connect from the browser](#step-4-connect-from-the-browser) | ~1 min |
+
+---
+
+## Step 1: Set Up a VPC
+
+> **Already have a VPC?** You need a private subnet with NAT gateway access in a supported AZ. Skip to [Find your VPC parameters](#find-your-vpc-parameters) to look up the IDs, then go to [Step 2](#step-2-deploy-to-agentcore).
+
+### Check supported availability zones
+
+AgentCore Runtime only works in specific AZs. The mapping from AZ name to AZ ID varies per account:
+
+```bash
+aws ec2 describe-availability-zones \
+  --query 'AvailabilityZones[*].{Name:ZoneName,ID:ZoneId}' \
+  --output table
+```
+
+For `us-east-1`, supported AZ IDs are: **use1-az1**, **use1-az2**, **use1-az4**. Deploying to an unsupported AZ will fail.
+
+### Create a VPC
+
+1. Open the [VPC console](https://console.aws.amazon.com/vpc/) → **Create VPC** → **VPC and more**
+2. Name it (e.g. `webrtc-bot-example`), keep default CIDR (`10.0.0.0/16`)
+3. **1 AZ** (pick one that maps to a supported AZ ID), **1 public subnet**, **1 private subnet**
+4. **NAT gateways: In 1 AZ**
+5. Click **Create VPC**
+
+### Find your VPC parameters
+
+You'll need a **private subnet ID** and a **security group ID** for deployment:
+
+```bash
+# 1. Find your VPC ID
+aws ec2 describe-vpcs --region us-east-1 \
+  --query 'Vpcs[*].{VpcId:VpcId,Name:Tags[?Key==`Name`].Value|[0]}' \
+  --output table
+
+# 2. List subnets — pick the private one (typically named "...-private-...")
+aws ec2 describe-subnets --region us-east-1 \
+  --filters "Name=vpc-id,Values=YOUR_VPC_ID" \
+  --query 'Subnets[*].{SubnetId:SubnetId,AZ:AvailabilityZone,Name:Tags[?Key==`Name`].Value|[0]}' \
+  --output table
+
+# 3. List security groups
+aws ec2 describe-security-groups --region us-east-1 \
+  --filters "Name=vpc-id,Values=YOUR_VPC_ID" \
+  --query 'SecurityGroups[*].{GroupId:GroupId,Name:GroupName}' \
+  --output table
+```
+
+### Verify the route table
+
+Make sure the private subnet routes `0.0.0.0/0` through a NAT gateway (`nat-xxx`). Without this, the agent can't reach the internet and will time out on startup.
+
+```bash
+aws ec2 describe-route-tables \
+  --filters "Name=association.subnet-id,Values=YOUR_PRIVATE_SUBNET_ID" \
+  --query 'RouteTables[0].Routes' --output table
+```
+
+---
+
+## Step 2: Deploy to AgentCore
+
+This agent requires **VPC network mode** — PUBLIC mode doesn't support the outbound UDP connectivity needed for WebRTC/TURN.
+
+```bash
+# Navigate to the tutorial root
+cd 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming
+
+# Set up environment
+python3 -m venv .venv && source .venv/bin/activate
+pip install -r utils/requirements.txt
+
+# Configure AWS
+export ACCOUNT_ID=123456789012
+export AWS_ACCESS_KEY_ID=your-access-key
+export AWS_SECRET_ACCESS_KEY=your-secret-key
+export AWS_REGION=us-east-1
+
+# Deploy (replace with your subnet and security group from Step 1)
+python utils/deploy.py 05-bedrock-sonic-kvs-wr \
+  --subnet-ids subnet-0123456789abcdef0 \
+  --security-group-id sg-0123456789abcdef0
+```
+
+> **Tip:** You can pass multiple subnets as a comma-separated list: `--subnet-ids subnet-aaa,subnet-bbb`
+
+<details>
+<summary>Alternative: manual deployment with AgentCore CLI</summary>
+
+```bash
+cd 05-bedrock-sonic-kvs-wr/websocket
+pip install bedrock-agentcore-starter-toolkit
+
+agentcore configure \
+  -e bot.py \
+  --deployment-type container \
+  --disable-memory \
+  --vpc \
+  --subnets subnet-0123456789abcdef0 \
+  --security-groups sg-0123456789abcdef0 \
+  --non-interactive
+
+agentcore deploy --env KVS_CHANNEL_NAME=voice-agent-minimal --env AWS_REGION=us-east-1
+```
+</details>
+
+---
+
+## Step 3: Attach IAM Permissions
+
+The agent's execution role needs access to KVS (signaling/TURN) and Bedrock (Nova Sonic). Update `REGION` and `ACCOUNT_ID` in the policy files, then attach:
+
+```bash
+ROLE_NAME=WebSocket05-bedrock-sonic-kvs-wrAgentRole   # from deploy output
+
+# KVS access (signaling channels + TURN)
+aws iam put-role-policy \
+  --role-name $ROLE_NAME \
+  --policy-name kvs-access \
+  --policy-document file://05-bedrock-sonic-kvs-wr/kvs-iam-policy.json
+
+# Bedrock Nova Sonic access
+aws iam put-role-policy \
+  --role-name $ROLE_NAME \
+  --policy-name bedrock-nova-sonic \
+  --policy-document file://05-bedrock-sonic-kvs-wr/bedrock-iam-policy.json
+```
+
+> **Note:** The Bedrock policy uses an empty account ID in the ARN: `arn:aws:bedrock:REGION::foundation-model/amazon.nova-2-sonic-v1:0`
+
+---
+
+## Step 4: Connect from the Browser
+
+```bash
+./utils/start_client.sh 05-bedrock-sonic-kvs-wr
+```
+
+1. Enter the **Agent Runtime ARN** (from deploy output) and your AWS credentials
+2. "Force TURN only" is auto-checked when an ARN is provided (required for VPC)
+3. Click **Connect** and speak into your microphone
+
+---
+
+## Local Testing (No AWS Deployment)
+
+Run everything locally without deploying to AgentCore:
+
+```bash
+# Terminal 1 — agent server
+cd 05-bedrock-sonic-kvs-wr/websocket
+pip install -r requirements.txt
+cp .env.example .env   # add your AWS credentials
+python bot.py           # → http://localhost:8080
+
+# Terminal 2 — browser client
+cd 05-bedrock-sonic-kvs-wr/client
+pip install -r requirements.txt
+python client.py        # → http://localhost:7860
+```
+
+Open `http://localhost:7860`, click **Connect** (no ARN needed locally).
+
+---
+
+## Cleanup
+
+```bash
+python utils/cleanup.py 05-bedrock-sonic-kvs-wr
+```
+
+---
+
+## How It Works
+
+### Audio flow
+
+| Direction | Path |
+|-----------|------|
+| Browser → Nova Sonic | Mic (48kHz) → WebRTC → KVS TURN → Agent → `av.AudioResampler` (16kHz PCM) → Nova Sonic |
+| Nova Sonic → Browser | Nova Sonic (24kHz PCM) → `av.AudioFifo` → `OutputTrack` (20ms frames) → WebRTC → KVS TURN → `<audio>` |
+
+### Why TURN relay?
+
+The agent runs in a VPC private subnet behind NAT — direct peer-to-peer isn't possible. Both sides use KVS TURN:
+- Agent: fetches TURN credentials with `client_id="server"`, forces `turn_only=True`
+- Browser: fetches TURN credentials with `client_id="web-client"`, auto-enables relay when an ARN is provided
+
+### Audio configuration
+
+| Parameter | Value |
+|-----------|-------|
+| Input sample rate | 16 kHz |
+| Output sample rate | 24 kHz |
+| Format | 16-bit PCM mono |
+| Model | `amazon.nova-2-sonic-v1:0` |
+| Voice | `matthew` |
+
+---
+
+## Project Structure
+
+```
+websocket/                    # Agent (runs on AgentCore Runtime)
+  bot.py                      #   FastAPI server — WebRTC offer/answer, ICE handling
+  kvs.py                      #   KVS signaling channel + TURN credential helpers
+  audio.py                    #   Audio resampling and WebRTC output track
+  nova_sonic.py               #   Nova Sonic bidirectional streaming session
+  requirements.txt
+  Dockerfile
+  .env.example
+client/                       # Browser client
+  index.html                  #   WebRTC UI + optional AgentCore Runtime invocation
+  client.py                   #   Static file server
+  requirements.txt
+kvs-iam-policy.json           # IAM policy for KVS
+bedrock-iam-policy.json       # IAM policy for Nova Sonic
+```
+
+---
+
+## Troubleshooting
+
+| Problem | Cause | Fix |
+|---------|-------|-----|
+| Deployment fails with "unsupported availability zones" | Subnet is in an AZ AgentCore doesn't support | Use a subnet in `use1-az1`, `use1-az2`, or `use1-az4`. See [Step 1](#check-supported-availability-zones) |
+| Runtime initialization timeout (120s) | Agent can't reach the internet | Verify private subnet routes `0.0.0.0/0` to a NAT gateway |
+| STUN transaction failed (403) | Agent not using TURN relay | Ensure `turn_only=True` in `bot.py` and "Force TURN only" checked in browser |
+| No audio playback | Mic permissions or TURN not enabled | Check mic permissions; ensure "Force TURN only" is checked for AgentCore deployments |
+
+Check agent logs:
+```bash
+aws logs tail /aws/bedrock-agentcore/runtimes/YOUR_AGENT_ID-DEFAULT \
+  --log-stream-name-prefix "$(date -u +%Y/%m/%d)/[runtime-logs]" --since 10m
+```
+
+---
+
+## Key Dependencies
+
+| Package | Purpose |
+|---------|---------|
+| `aws-sdk-bedrock-runtime` | Nova Sonic streaming (Python 3.12+) |
+| `aiortc` | WebRTC peer connections |
+| `av` | Audio resampling and frame buffering (FFmpeg) |
+| `boto3` | KVS signaling channels and TURN servers |
+| `fastapi` / `uvicorn` | HTTP server |
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/bedrock-iam-policy.json b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/bedrock-iam-policy.json
similarity index 62%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/bedrock-iam-policy.json
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/bedrock-iam-policy.json
index 14bdbba3..b437ec4c 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/bedrock-iam-policy.json
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/bedrock-iam-policy.json
@@ -4,7 +4,7 @@
         {
             "Effect": "Allow",
             "Action": "bedrock:InvokeModelWithBidirectionalStream",
-            "Resource": "arn:aws:bedrock:us-west-2:ACCOUNT_ID:foundation-model/amazon.nova-2-sonic-v1:0"
+            "Resource": "arn:aws:bedrock:us-east-1::foundation-model/amazon.nova-2-sonic-v1:0"
         }
     ]
 }
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/server/server.py b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/client/client.py
similarity index 63%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/server/server.py
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/client/client.py
index 3f81bf07..0bcc43ea 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/server/server.py
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/client/client.py
@@ -1,13 +1,16 @@
+import os
 import uvicorn
 from fastapi import FastAPI
 from fastapi.responses import FileResponse
 
 app = FastAPI()
 
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+
 
 @app.get("/")
 async def serve_index():
-    return FileResponse("index.html")
+    return FileResponse(os.path.join(BASE_DIR, "index.html"))
 
 
 if __name__ == "__main__":
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/server/index.html b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/client/index.html
similarity index 97%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/server/index.html
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/client/index.html
index 27637742..1cbd3db8 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/server/index.html
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/client/index.html
@@ -46,7 +46,10 @@ <h1>Minimal WebRTC Voice Agent (KVS)</h1>
     <script>
         // Toggle AWS credentials section (outside module so it works even if SDK import fails)
         document.getElementById("agent-arn").addEventListener('input', function() {
-            document.getElementById("aws-creds-section").style.display = this.value.trim() ? 'block' : 'none'
+            const hasArn = this.value.trim()
+            document.getElementById("aws-creds-section").style.display = hasArn ? 'block' : 'none'
+            // Auto-enable TURN only when using AgentCore Runtime (VPC requires relay mode)
+            if (hasArn) document.getElementById("turn-only").checked = true
         })
     </script>
 
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/server/requirements.txt b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/client/requirements.txt
similarity index 100%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/server/requirements.txt
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/client/requirements.txt
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/kvs-iam-policy.json b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/kvs-iam-policy.json
similarity index 79%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/kvs-iam-policy.json
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/kvs-iam-policy.json
index 50b21ed3..294a24a5 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/kvs-iam-policy.json
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/kvs-iam-policy.json
@@ -9,7 +9,7 @@
                 "kinesisvideo:GetSignalingChannelEndpoint",
                 "kinesisvideo:GetIceServerConfig"
             ],
-            "Resource": "arn:aws:kinesisvideo:us-west-2:ACCOUNT_ID:channel/voice-agent-minimal/*"
+            "Resource": "*"
         }
     ]
 }
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/.dockerignore b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/.dockerignore
similarity index 100%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/.dockerignore
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/.dockerignore
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/.env.example b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/.env.example
similarity index 100%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/.env.example
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/.env.example
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/Dockerfile b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/Dockerfile
similarity index 77%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/Dockerfile
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/Dockerfile
index bbb1e3bb..2b41530c 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/Dockerfile
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12-slim
+FROM public.ecr.aws/docker/library/python:3.12-slim
 
 WORKDIR /app
 
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/audio.py b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/audio.py
similarity index 100%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/audio.py
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/audio.py
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/bot.py b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/bot.py
similarity index 98%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/bot.py
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/bot.py
index 91ee71e1..66d88062 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/bot.py
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/bot.py
@@ -105,7 +105,7 @@ def _handle_ice_config():
 async def _handle_offer(data, background_tasks):
     """Accept a WebRTC offer, create a peer connection, return an answer."""
     ice_servers = kvs.get_rtc_ice_servers(
-        AWS_REGION, client_id="server", turn_only=data.get("turnOnly", False)
+        AWS_REGION, client_id="server", turn_only=True
     )
 
     # Create peer connection with output audio track
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/kvs.py b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/kvs.py
similarity index 100%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/kvs.py
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/kvs.py
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/nova_sonic.py b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/nova_sonic.py
similarity index 100%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/nova_sonic.py
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/nova_sonic.py
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/requirements.txt b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/requirements.txt
similarity index 93%
rename from 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/requirements.txt
rename to 01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/requirements.txt
index c7d63b65..bd0d3d00 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming-webrtc/agent/requirements.txt
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/05-bedrock-sonic-kvs-wr/websocket/requirements.txt
@@ -9,4 +9,4 @@ aws-sdk-bedrock-runtime
 smithy-aws-core
 smithy-core
 smithy-http
-aiohttp
\ No newline at end of file
+aiohttp
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/README.md b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/README.md
index a2dcd3d5..b789c4a2 100644
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/README.md
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/README.md
@@ -9,6 +9,7 @@ Build real-time voice agents using [Amazon Nova Sonic](https://docs.aws.amazon.c
 Voice agents need persistent, low-latency connections — a browser streams audio in, the agent processes it through a model, and streams spoken responses back. [AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/) provides the managed infrastructure to make this work in production:
 
 - **WebSocket proxy with SigV4 authentication** — clients connect through AgentCore's authenticated endpoint, so your agent doesn't need to handle auth
+- **WebRTC support via KVS TURN** — deploy WebRTC agents in VPC with NAT traversal through Amazon Kinesis Video Streams TURN servers, enabling low-latency peer-to-peer audio without exposing your agent to the public internet
 - **Container deployment via CodeBuild** — package your agent as a Docker container and deploy without managing infrastructure (no local Docker required)
 - **IAM role management** — AgentCore provisions execution roles with Bedrock model access
 - **MCP Gateway integration** — connect agents to external tools (databases, APIs, knowledge bases) through the [Model Context Protocol](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/mcp-gateway.html)
@@ -30,6 +31,7 @@ These samples demonstrate two architecture patterns for voice agents:
 | 02 | [Strands](02-strands-ws/) | Native S2S (multi-model) | Strands BidiAgent | MCP Gateways, multi-model (Nova Sonic / Gemini / OpenAI) |
 | 03 | [LangChain + Transcribe + Polly](03-langchain-transcribe-polly-ws/) | Sandwich (STT→LLM→TTS) | LangChain + Transcribe + Polly | Text LLM with voice I/O pipeline, custom VAD |
 | 04 | [Pipecat Sonic](04-pipecat-sonic-ws/) | Native S2S | Pipecat pipeline | Open-source framework, RTVI/Protobuf, Silero VAD |
+| 05 | [Bedrock Sonic KVS WebRTC](05-bedrock-sonic-kvs-wr/) | Native S2S | Raw Bedrock SDK + aiortc | WebRTC audio via KVS TURN, NAT traversal, VPC deployment |
 
 ### [01 — Bedrock Sonic](01-bedrock-sonic-ws/README.md)
 
@@ -47,6 +49,10 @@ Demonstrates the STT → Agent → TTS "sandwich" pattern using Amazon Transcrib
 
 Uses the [Pipecat](https://github.com/pipecat-ai/pipecat) open-source framework with `AWSNovaSonicLLMService` for native speech-to-speech. Includes Silero VAD, RTVI protocol with Protobuf serialization, and a Vite-based browser client.
 
+### [05 — Bedrock Sonic KVS WebRTC](05-bedrock-sonic-kvs-wr/README.md)
+
+WebRTC-based voice agent using Nova Sonic with KVS TURN servers for audio transport. Unlike the WebSocket samples (01–04), this uses `aiortc` peer connections for browser-to-agent audio streaming with built-in NAT traversal. Designed for VPC deployments where direct peer-to-peer connections aren't possible.
+
 ## Getting Started
 
 Each sample includes its own README with setup, deployment, and local testing instructions. Pick a sample and follow its guide:
@@ -55,6 +61,7 @@ Each sample includes its own README with setup, deployment, and local testing in
 - [02-strands-ws/README.md](02-strands-ws/README.md) — start here for the full-featured agent with tools
 - [03-langchain-transcribe-polly-ws/README.md](03-langchain-transcribe-polly-ws/README.md) — start here for the sandwich architecture
 - [04-pipecat-sonic-ws/README.md](04-pipecat-sonic-ws/README.md) — start here for the Pipecat framework
+- [05-bedrock-sonic-kvs-wr/README.md](05-bedrock-sonic-kvs-wr/README.md) — start here for WebRTC with KVS TURN
 
 ## Project Structure
 
@@ -73,6 +80,9 @@ Each sample includes its own README with setup, deployment, and local testing in
 ├── 04-pipecat-sonic-ws/               # Pipecat framework (Nova Sonic)
 │   ├── websocket/                     #   Server + Dockerfile
 │   └── client/                        #   Vite app + signing server
+├── 05-bedrock-sonic-kvs-wr/           # WebRTC via KVS TURN (Nova Sonic)
+│   ├── websocket/                     #   Server + Dockerfile (aiortc)
+│   └── client/                        #   Browser WebRTC client
 └── assets/                            # Architecture diagrams
 ```
 
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/assets/architecture-webrtc-kvs.svg b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/assets/architecture-webrtc-kvs.svg
new file mode 100644
index 00000000..f7cc0253
--- /dev/null
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/assets/architecture-webrtc-kvs.svg
@@ -0,0 +1,158 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 960 620" font-family="Segoe UI, Arial, sans-serif">
+  <defs>
+    <marker id="arrow" markerWidth="10" markerHeight="7" refX="10" refY="3.5" orient="auto">
+      <polygon points="0 0, 10 3.5, 0 7" fill="#555"/>
+    </marker>
+    <marker id="arrow-dark" markerWidth="10" markerHeight="7" refX="10" refY="3.5" orient="auto">
+      <polygon points="0 0, 10 3.5, 0 7" fill="#374151"/>
+    </marker>
+    <marker id="arrow-mid" markerWidth="10" markerHeight="7" refX="10" refY="3.5" orient="auto">
+      <polygon points="0 0, 10 3.5, 0 7" fill="#6b7280"/>
+    </marker>
+    <marker id="arrow-light" markerWidth="10" markerHeight="7" refX="10" refY="3.5" orient="auto">
+      <polygon points="0 0, 10 3.5, 0 7" fill="#9ca3af"/>
+    </marker>
+  </defs>
+
+  <!-- Background -->
+  <rect width="960" height="620" rx="12" fill="none" stroke="#d1d5db" stroke-width="1"/>
+
+  <!-- Title -->
+  <text x="480" y="35" text-anchor="middle" font-size="18" font-weight="600" fill="#111827">Nova Sonic WebRTC Agent with AgentCore and KVS - Network Architecture</text>
+
+  <!-- ============================================================ -->
+  <!-- BROWSER (left side) -->
+  <!-- ============================================================ -->
+  <rect x="30" y="60" width="250" height="240" rx="10" fill="none" stroke="#6b7280" stroke-width="1.5"/>
+  <text x="155" y="85" text-anchor="middle" font-size="13" font-weight="600" fill="#111827">Browser Client</text>
+
+  <!-- Microphone -->
+  <rect x="55" y="100" width="200" height="36" rx="6" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="155" y="123" text-anchor="middle" font-size="11" fill="#374151">🎤 Microphone (getUserMedia)</text>
+
+  <!-- RTCPeerConnection -->
+  <rect x="55" y="148" width="200" height="36" rx="6" fill="none" stroke="#6b7280" stroke-width="1"/>
+  <text x="155" y="171" text-anchor="middle" font-size="11" font-weight="600" fill="#1f2937">RTCPeerConnection</text>
+
+  <!-- ICE transport policy -->
+  <rect x="55" y="196" width="200" height="30" rx="6" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="155" y="215" text-anchor="middle" font-size="10" fill="#4b5563">iceTransportPolicy: "relay"</text>
+
+  <!-- Audio element -->
+  <rect x="55" y="238" width="200" height="36" rx="6" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="155" y="261" text-anchor="middle" font-size="11" fill="#374151">🔊 &lt;audio&gt; Playback</text>
+
+  <!-- ============================================================ -->
+  <!-- KVS TURN SERVERS (center) -->
+  <!-- ============================================================ -->
+  <rect x="340" y="100" width="280" height="160" rx="10" fill="none" stroke="#6b7280" stroke-width="1.5"/>
+  <text x="480" y="125" text-anchor="middle" font-size="13" font-weight="600" fill="#111827">Amazon Kinesis Video Streams</text>
+  <text x="480" y="143" text-anchor="middle" font-size="11" fill="#4b5563">Signaling Channel (SINGLE_MASTER)</text>
+
+  <!-- TURN box -->
+  <rect x="370" y="158" width="220" height="44" rx="6" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="480" y="176" text-anchor="middle" font-size="11" font-weight="600" fill="#1f2937">TURN Relay Servers</text>
+  <text x="480" y="192" text-anchor="middle" font-size="10" fill="#6b7280">UDP/TCP relay for NAT traversal</text>
+
+  <!-- ICE credentials -->
+  <rect x="370" y="212" width="220" height="34" rx="6" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="480" y="234" text-anchor="middle" font-size="10" fill="#6b7280">ICE credentials (username + password)</text>
+
+  <!-- ============================================================ -->
+  <!-- VPC (large box) -->
+  <!-- ============================================================ -->
+  <rect x="30" y="340" width="900" height="260" rx="10" fill="none" stroke="#4b5563" stroke-width="1.5" stroke-dasharray="6 3"/>
+  <text x="480" y="365" text-anchor="middle" font-size="13" font-weight="600" fill="#111827">AWS VPC — Private Subnet (with NAT Gateway)</text>
+
+  <!-- AgentCore Runtime -->
+  <rect x="60" y="385" width="260" height="195" rx="8" fill="none" stroke="#6b7280" stroke-width="1.5"/>
+  <text x="190" y="410" text-anchor="middle" font-size="12" font-weight="600" fill="#111827">AgentCore Runtime</text>
+
+  <!-- bot.py -->
+  <rect x="80" y="422" width="220" height="34" rx="5" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="190" y="444" text-anchor="middle" font-size="10" font-weight="600" fill="#1f2937">bot.py — FastAPI /invocations</text>
+
+  <!-- aiortc -->
+  <rect x="80" y="464" width="220" height="34" rx="5" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="190" y="486" text-anchor="middle" font-size="10" fill="#374151">aiortc — RTCPeerConnection (TURN only)</text>
+
+  <!-- audio.py -->
+  <rect x="80" y="506" width="105" height="34" rx="5" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="132" y="528" text-anchor="middle" font-size="10" fill="#374151">audio.py</text>
+
+  <!-- kvs.py -->
+  <rect x="195" y="506" width="105" height="34" rx="5" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="247" y="528" text-anchor="middle" font-size="10" fill="#374151">kvs.py</text>
+
+  <!-- Audio resampling note -->
+  <rect x="80" y="548" width="220" height="28" rx="5" fill="none" stroke="#d1d5db" stroke-width="1"/>
+  <text x="190" y="566" text-anchor="middle" font-size="9" fill="#6b7280">48kHz → 16kHz in | 24kHz out → WebRTC</text>
+
+  <!-- Nova Sonic / Bedrock -->
+  <rect x="640" y="385" width="260" height="195" rx="8" fill="none" stroke="#6b7280" stroke-width="1.5"/>
+  <text x="770" y="410" text-anchor="middle" font-size="12" font-weight="600" fill="#111827">Amazon Bedrock</text>
+
+  <!-- Nova Sonic model -->
+  <rect x="660" y="425" width="220" height="44" rx="5" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="770" y="445" text-anchor="middle" font-size="11" font-weight="600" fill="#1f2937">Nova Sonic</text>
+  <text x="770" y="461" text-anchor="middle" font-size="9" fill="#6b7280">amazon.nova-2-sonic-v1:0</text>
+
+  <!-- Bidirectional stream -->
+  <rect x="660" y="480" width="220" height="34" rx="5" fill="none" stroke="#9ca3af" stroke-width="1"/>
+  <text x="770" y="502" text-anchor="middle" font-size="10" fill="#374151">Bidirectional Streaming API</text>
+
+  <!-- Audio config -->
+  <rect x="660" y="524" width="105" height="44" rx="5" fill="none" stroke="#d1d5db" stroke-width="1"/>
+  <text x="712" y="542" text-anchor="middle" font-size="9" fill="#6b7280">Input: 16kHz</text>
+  <text x="712" y="556" text-anchor="middle" font-size="9" fill="#6b7280">PCM mono</text>
+
+  <rect x="775" y="524" width="105" height="44" rx="5" fill="none" stroke="#d1d5db" stroke-width="1"/>
+  <text x="827" y="542" text-anchor="middle" font-size="9" fill="#6b7280">Output: 24kHz</text>
+  <text x="827" y="556" text-anchor="middle" font-size="9" fill="#6b7280">PCM mono</text>
+
+  <!-- NAT Gateway -->
+  <rect x="380" y="430" width="180" height="50" rx="8" fill="none" stroke="#6b7280" stroke-width="1.5"/>
+  <text x="470" y="452" text-anchor="middle" font-size="11" font-weight="600" fill="#111827">NAT Gateway</text>
+  <text x="470" y="468" text-anchor="middle" font-size="9" fill="#6b7280">Internet egress for UDP/TCP</text>
+
+  <!-- ============================================================ -->
+  <!-- ARROWS / DATA FLOW -->
+  <!-- ============================================================ -->
+
+  <!-- Browser ↔ KVS TURN (WebRTC audio) — solid dark -->
+  <line x1="255" y1="166" x2="340" y2="166" stroke="#374151" stroke-width="2" marker-end="url(#arrow-dark)"/>
+  <line x1="340" y1="182" x2="255" y2="182" stroke="#374151" stroke-width="2" marker-end="url(#arrow-dark)"/>
+  <text x="298" y="158" text-anchor="middle" font-size="9" fill="#374151">Audio</text>
+  <text x="298" y="198" text-anchor="middle" font-size="9" fill="#374151">Audio</text>
+
+  <!-- KVS TURN ↔ Agent (via NAT) — solid dark -->
+  <line x1="440" y1="260" x2="440" y2="430" stroke="#374151" stroke-width="2" marker-end="url(#arrow-dark)"/>
+  <line x1="500" y1="430" x2="500" y2="260" stroke="#374151" stroke-width="2" marker-end="url(#arrow-dark)"/>
+  <text x="425" y="345" text-anchor="middle" font-size="9" fill="#374151" transform="rotate(-90,425,345)">WebRTC via TURN</text>
+  <text x="515" y="345" text-anchor="middle" font-size="9" fill="#374151" transform="rotate(-90,515,345)">WebRTC via TURN</text>
+
+  <!-- NAT ↔ Agent — medium gray -->
+  <line x1="380" y1="455" x2="320" y2="455" stroke="#9ca3af" stroke-width="1.5" marker-end="url(#arrow-light)"/>
+  <line x1="320" y1="465" x2="380" y2="465" stroke="#9ca3af" stroke-width="1.5" marker-end="url(#arrow-light)"/>
+
+  <!-- Agent → Bedrock (bidirectional stream) — dashed mid gray -->
+  <line x1="320" y1="497" x2="640" y2="497" stroke="#6b7280" stroke-width="2" marker-end="url(#arrow-mid)" stroke-dasharray="6 3"/>
+  <text x="480" y="510" text-anchor="middle" font-size="9" fill="#4b5563">Bidirectional Stream (HTTPS via NAT)</text>
+
+  <!-- Browser → Agent: SDP signaling — dashed light gray -->
+  <path d="M 155 300 L 155 320 Q 155 330 165 330 L 180 330 Q 190 330 190 340 L 190 385" fill="none" stroke="#9ca3af" stroke-width="1.5" stroke-dasharray="4 3" marker-end="url(#arrow-light)"/>
+  <text x="100" y="318" font-size="9" fill="#6b7280">SDP Offer/Answer</text>
+  <text x="100" y="330" font-size="9" fill="#6b7280">+ ICE Candidates</text>
+
+  <!-- Legend -->
+  <rect x="640" y="60" width="290" height="100" rx="8" fill="none" stroke="#d1d5db" stroke-width="1"/>
+  <text x="785" y="80" text-anchor="middle" font-size="11" font-weight="600" fill="#111827">Legend</text>
+  <line x1="660" y1="92" x2="700" y2="92" stroke="#374151" stroke-width="2"/>
+  <text x="710" y="96" font-size="10" fill="#374151">WebRTC Audio (via TURN relay)</text>
+  <line x1="660" y1="112" x2="700" y2="112" stroke="#9ca3af" stroke-width="1.5" stroke-dasharray="4 3"/>
+  <text x="710" y="116" font-size="10" fill="#374151">Signaling (SDP + ICE)</text>
+  <line x1="660" y1="132" x2="700" y2="132" stroke="#6b7280" stroke-width="2" stroke-dasharray="6 3"/>
+  <text x="710" y="136" font-size="10" fill="#374151">Nova Sonic Stream (HTTPS)</text>
+  <line x1="660" y1="148" x2="700" y2="148" stroke="#9ca3af" stroke-width="1.5"/>
+  <text x="710" y="152" font-size="10" fill="#374151">Internal VPC traffic</text>
+</svg>
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/cleanup.py b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/cleanup.py
index 56d063a9..b3a67e2a 100755
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/cleanup.py
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/cleanup.py
@@ -724,6 +724,7 @@ def main():
             "03-langchain-transcribe-polly-ws",
             "04-pipecat-sonic-ws",
             "echo",
+            "05-bedrock-sonic-kvs-wr",
         ],
         help="Websocket folder to clean up",
     )
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/deploy.py b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/deploy.py
index 653e42ba..cfd007ca 100755
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/deploy.py
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/deploy.py
@@ -374,6 +374,17 @@ def setup_agentcore_project(self):
             },
         }
 
+        # Use VPC mode when subnet and security group are provided
+        subnet_ids = getattr(self.args, "subnet_ids", None)
+        security_group_id = getattr(self.args, "security_group_id", None)
+        if subnet_ids and security_group_id:
+            config["bedrock_agentcore"]["network_mode"] = "VPC"
+            config["bedrock_agentcore"]["network_mode_config"] = {
+                "subnets": [s.strip() for s in subnet_ids.split(",")],
+                "security_groups": [security_group_id],
+            }
+            self._info(f"Using VPC network mode with subnets: {subnet_ids}")
+
         config_path = self.websocket_path / ".bedrock_agentcore.yaml"
 
         # Write configuration
@@ -522,6 +533,26 @@ def deploy_agent(
             # Prepare environment variables
             env_vars = {}
 
+            # Add VPC configuration if subnet and security group are provided
+            subnet_ids = getattr(self.args, "subnet_ids", None)
+            security_group_id = getattr(self.args, "security_group_id", None)
+            if subnet_ids and security_group_id:
+                subnets = [s.strip() for s in subnet_ids.split(",")]
+                agent_aws = config["agents"][self.agent_name]["aws"]
+                agent_aws["network_configuration"] = {
+                    "network_mode": "VPC",
+                    "network_mode_config": {
+                        "subnets": subnets,
+                        "security_groups": [security_group_id],
+                    },
+                }
+                self._info(f"Using VPC network mode with subnets: {subnet_ids}")
+
+            # Add KVS environment variables for webrtc folder
+            if self.websocket_folder == "05-bedrock-sonic-kvs-wr":
+                env_vars["KVS_CHANNEL_NAME"] = "voice-agent-minimal"
+                env_vars["AWS_REGION"] = self.aws_region
+
             # Add MCP Gateway environment variables if available (for strands and langchain)
             if (
                 self.websocket_folder
@@ -769,7 +800,7 @@ def main():
             "03-langchain-transcribe-polly-ws",
             "04-pipecat-sonic-ws",
             "echo",
-            "webrtc-kvs",
+            "05-bedrock-sonic-kvs-wr",
         ],
         help="Websocket folder to deploy",
     )
@@ -796,6 +827,16 @@ def main():
         help="Build locally, deploy to cloud (requires Docker)",
     )
 
+    parser.add_argument(
+        "--subnet-ids",
+        help="Comma-separated subnet IDs for VPC mode (required for 05-bedrock-sonic-kvs-wr)",
+    )
+
+    parser.add_argument(
+        "--security-group-id",
+        help="Security group ID for VPC mode (required for 05-bedrock-sonic-kvs-wr)",
+    )
+
     args = parser.parse_args()
 
     # Create deployer and run
diff --git a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/start_client.sh b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/start_client.sh
index 9409236f..01bfdd82 100755
--- a/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/start_client.sh
+++ b/01-tutorials/01-AgentCore-runtime/06-bi-directional-streaming/utils/start_client.sh
@@ -45,7 +45,7 @@ if [ ! -d "$BASE_DIR/$WEBSOCKET_FOLDER" ]; then
     echo -e "${RED}❌ Error: Folder not found: $BASE_DIR/$WEBSOCKET_FOLDER${NC}"
     echo ""
     echo "Available folders:"
-    for dir in 01-bedrock-sonic-ws 02-strands-ws 03-langchain-transcribe-polly-ws 04-pipecat-sonic-ws webrtc-kvs; do
+    for dir in 01-bedrock-sonic-ws 02-strands-ws 03-langchain-transcribe-polly-ws 04-pipecat-sonic-ws 05-bedrock-sonic-kvs-wr; do
         if [ -d "$BASE_DIR/$dir" ]; then
             echo "  - $dir"
         fi
@@ -109,11 +109,10 @@ if [ "$WEBSOCKET_FOLDER" != "04-pipecat-sonic-ws" ]; then
         echo "Creating virtual environment..."
         python3 -m venv "$BASE_DIR/venv"
         source "$BASE_DIR/venv/bin/activate"
-        pip install -q -r "$BASE_DIR/$WEBSOCKET_FOLDER/client/requirements.txt"
-        echo -e "${GREEN}✅ Virtual environment created${NC}"
     else
         source "$BASE_DIR/venv/bin/activate"
     fi
+    pip install -q -r "$BASE_DIR/$WEBSOCKET_FOLDER/client/requirements.txt"
 fi
 
 # Start the client
@@ -162,7 +161,7 @@ case "$WEBSOCKET_FOLDER" in
         echo ""
         python "$BASE_DIR/$WEBSOCKET_FOLDER/client/client.py" --runtime-arn "$AGENT_ARN"
         ;;
-    "webrtc-kvs")
+    "05-bedrock-sonic-kvs-wr")
         echo -e "${YELLOW}Starting WebRTC KVS client...${NC}"
         echo -e "${YELLOW}The browser will open automatically${NC}"
         echo ""