AWS Certified Machine Learning Engineer – Associate (MLA-C01) — Question 116

A company is exploring generative AI and wants to add a new product feature. An ML engineer is making API calls from existing Amazon EC2 instances to Amazon Bedrock. The EC2 instances are in a private subnet and must remain private during the implementation. The EC2 instances have an assigned security group that allows access to all IP addresses in the private subnet.

What should the ML engineer do to establish a connection between the EC2 instances and Amazon Bedrock?

Answer options

• A. Modify the security group to allow inbound and outbound traffic to and from Amazon Bedrock.
• B. Use AWS PrivateLink to access Amazon Bedrock through an interface VPC endpoint.
• C. Configure Amazon Bedrock to use the private subnet where the EC2 instances are deployed.
• D. Link the existing VPC to Amazon Bedrock by using an AWS Direct Connect connection.

Correct answer: B

Explanation

The correct answer is B because AWS PrivateLink provides a secure and private connection to Amazon Bedrock without exposing the EC2 instances to the public internet. Option A is incorrect as modifying the security group does not ensure privacy; C is not valid since Amazon Bedrock cannot be configured to use a private subnet directly, and D is incorrect because AWS Direct Connect is not needed for this type of connection.