MLA-C01 Question #130: Real Exam Question with Answer & Explanation
Question
A company is exploring generative AI and wants to add a new product feature. An ML engineer is making API calls from existing Amazon EC2 instances to Amazon Bedrock. The EC2 instances are in a private subnet and must remain private during the implementation. The EC2 instances have an assigned security group that allows access to all IP addresses in the private subnet. What should the ML engineer do to establish a connection between the EC2 instances and Amazon Bedrock?
Options
- A. Modify the security group to allow inbound and outbound traffic to and from Amazon Bedrock.
- B. Use AWS PrivateLink to access Amazon Bedrock through an interface VPC endpoint.
- C. Configure Amazon Bedrock to use the private subnet where the EC2 instances are deployed.
- D. Link the existing VPC to Amazon Bedrock by using an AWS Direct Connect connection.
Explanation
Option B is correct because AWS PrivateLink with an interface VPC endpoint (service name com.amazonaws.<region>.bedrock-runtime for InvokeModel calls) places elastic network interfaces with private IP addresses in the private subnet, so the EC2 instances reach Amazon Bedrock over the AWS network with no internet gateway, NAT device, or public IP required. Two details make it work in practice: the endpoint's own security group must allow inbound TCP 443 from the instances' security group, and private DNS should be enabled so the standard bedrock-runtime.<region>.amazonaws.com hostname resolves to the endpoint's private addresses. The instance role still needs IAM permission for bedrock:InvokeModel, and an endpoint policy can further restrict which principals and models the endpoint carries.
Why the distractors fail:
- A is wrong because a security group rule does not create a network path. Bedrock's public endpoints are only reachable across the internet, and a private subnet has no route to an internet gateway or NAT device, so allowing the traffic changes nothing. Security group rules also reference CIDR blocks, prefix lists, or other security groups, not a managed service by name.
- C is wrong because Bedrock is a managed AWS service; you cannot configure it to join or use your VPC subnet - traffic flows the other way (your VPC reaches out to Bedrock).
- D is wrong because AWS Direct Connect is a dedicated physical link from an on-premises network into AWS; it does not create a path between a VPC and a regional AWS service, and the EC2 instances are already inside AWS.
Memory tip: When a private resource inside a VPC needs to reach an AWS-managed service (Bedrock, S3, DynamoDB, etc.) without going through the public internet, the answer is almost always a VPC endpoint - an interface endpoint (PrivateLink) for most services, or a gateway endpoint (route-table based, no hourly charge) for S3 and DynamoDB.
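The endpoint setup Option B describes, as an added Python example that is not from the original page or from AWS: it assumes boto3 for the deploy step, placeholder account, VPC, subnet and security-group IDs, an example foundation-model ARN, and a security group for the endpoint that has already been created. The pure functions build the endpoint policy and the create_vpc_endpoint arguments; the last function is the post-deploy check you would run from an instance to confirm that the Bedrock hostname now resolves inside the VPC.

```python
import ipaddress
import json
import socket

# Hypothetical placeholders; substitute your own account, VPC, subnet and security-group IDs.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
VPC_ID = "vpc-0123456789abcdef0"
VPC_CIDR = "10.0.0.0/16"
PRIVATE_SUBNET_IDS = ["subnet-0123456789abcdef0"]
INSTANCE_SG_ID = "sg-0123456789abcdef0"   # the SG already attached to the EC2 instances
ENDPOINT_SG_ID = "sg-0fedcba9876543210"   # a pre-created SG to attach to the endpoint ENIs
# Example model ARN (assumption); list every model the new feature is allowed to call.
ALLOWED_MODELS = [
    f"arn:aws:bedrock:{REGION}::foundation-model/anthropic.claude-3-haiku-20240307-v1:0"
]


def bedrock_service_name(region: str) -> str:
    """Data-plane (InvokeModel) service; the control plane is com.amazonaws.<region>.bedrock."""
    return f"com.amazonaws.{region}.bedrock-runtime"


def endpoint_policy(account_id: str, model_arns: list) -> dict:
    """Endpoint policy: only principals from our own account, only InvokeModel on the listed
    models. This narrows what the endpoint carries; IAM on the instance role still applies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
            "Resource": list(model_arns),
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def endpoint_request(region: str, vpc_id: str, subnet_ids: list,
                     endpoint_sg_id: str, policy: dict) -> dict:
    """Keyword arguments for ec2.create_vpc_endpoint(). PrivateDnsEnabled makes the normal
    regional hostname resolve to the endpoint ENIs, so the SDK needs no endpoint_url override
    (the VPC must have DNS hostnames and DNS support enabled for this to work)."""
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": bedrock_service_name(region),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [endpoint_sg_id],
        "PrivateDnsEnabled": True,
        "PolicyDocument": json.dumps(policy),
    }


def https_ingress_from_instances(instance_sg_id: str) -> list:
    """Ingress rule for the endpoint SG: TCP 443 from the instance SG only, not 0.0.0.0/0."""
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "UserIdGroupPairs": [{"GroupId": instance_sg_id}],
    }]


def resolves_inside_vpc(hostname: str, vpc_cidr: str, resolver=socket.gethostbyname) -> bool:
    """Post-deploy check from an instance: with private DNS on, the Bedrock hostname must
    resolve to an address inside the VPC. A public AWS address means traffic would still try
    to leave via the internet and fail, since the subnet has no NAT device or internet gateway."""
    try:
        addr = resolver(hostname)
    except OSError:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(vpc_cidr)


def deploy(ec2) -> str:
    """Add the SG rule and create the endpoint with a boto3 EC2 client; returns the endpoint ID."""
    ec2.authorize_security_group_ingress(
        GroupId=ENDPOINT_SG_ID,
        IpPermissions=https_ingress_from_instances(INSTANCE_SG_ID),
    )
    policy = endpoint_policy(ACCOUNT_ID, ALLOWED_MODELS)
    resp = ec2.create_vpc_endpoint(
        **endpoint_request(REGION, VPC_ID, PRIVATE_SUBNET_IDS, ENDPOINT_SG_ID, policy)
    )
    return resp["VpcEndpoint"]["VpcEndpointId"]


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS

    print("created", deploy(boto3.client("ec2", region_name=REGION)))
    # Run this part from one of the private instances once the endpoint is available.
    print("private DNS ok:", resolves_inside_vpc(f"bedrock-runtime.{REGION}.amazonaws.com", VPC_CIDR))
```

The instances' existing security group already permits egress to the private subnet, which is where the endpoint ENIs land, so only the endpoint side needs a new rule; this is the security-group change that Option A gets backwards. If the resolution check returns a public address, private DNS is off or the VPC's DNS attributes are disabled, and the SDK will still try to leave the VPC.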