💡 Exam questions that are VPC-related usually concern deploying models privately and accessing AWS services without going through the public internet
VPC & Subnets Primer
- 🔧 VPC = Virtual Private Cloud
- A private network inside AWS into which you deploy your resources
- Many AWS resources must be deployed into a VPC
- VPCs can be partitioned into subnets (smaller networks inside a VPC)
  - VPC → regional level
  - Subnet → Availability Zone (AZ) level
- Internet accessibility:
  - Public subnet → accessible from the public internet
  - Private subnet → NOT accessible from the public internet
- ‼️ VPCs are private by default!

- Example of a VPC with 4 subnets deployed in 2 AZs: 2 public and 2 private (1 per AZ)
Internet Gateway & NAT Gateway
- Internet Gateway (IGW)
  - Allows resources deployed in public subnets to access the internet
  - Public subnets have a default route pointing to the IGW
- NAT Gateway (NATGW)
  - AWS-managed
  - Deployed inside a public subnet
  - Allows resources deployed in private subnets to access the internet (while remaining private)

VPC Endpoints and PrivateLink
- Many AWS services are by default accessed over the public internet (e.g. Bedrock, S3…)
- …but applications deployed in private subnets in a VPC may not have internet access
- VPC endpoint (VPCE)
  - Allows private access to an AWS service without going over the public internet
  - Usually powered by AWS PrivateLink
  - Network traffic remains internal to AWS
  - Example: your application deployed in a VPC can access a Bedrock model privately
S3 Gateway Endpoint
- 🔧 Allows private access to an S3 bucket
- S3 Interface Endpoints also exist (an alternative to the gateway endpoint)
- Example: SageMaker notebooks can access S3 data privately
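The notes above describe public vs. private subnets (default route to an IGW), NAT gateways, and the S3 gateway endpoint as they appear in a VPC's routing. As an added example (not from these notes or from AWS), here is a small Python audit that takes route tables in the shape returned by `aws ec2 describe-route-tables` and reports, per subnet, whether it is public, how it reaches the internet, and whether S3 is reached through a gateway endpoint or only over a public path. All subnet, gateway and endpoint IDs in the sample data are constructed placeholders.

```python
"""Classify subnets by their route tables and flag subnets that host private
workloads but still reach S3 over a public path. Added example; sample data
below is constructed and every ID is a placeholder."""

# Constructed sample: a subset of the fields in `describe-route-tables` output.
SUBNET_IDS = ["subnet-pub-a", "subnet-pub-b", "subnet-priv-a", "subnet-priv-b"]

ROUTE_TABLES = [
    {  # public subnets: default route (0.0.0.0/0) points at the Internet Gateway
        "RouteTableId": "rtb-public-example",
        "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
    {  # private subnet A: internet via NAT, S3 via a gateway endpoint
        "RouteTableId": "rtb-private-a-example",
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
            # A gateway endpoint shows up as a route to the service's managed
            # prefix list whose target is the vpce-* id
            {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example"},
        ],
    },
    {  # main route table (no explicit association): private subnet B falls back to it
        "RouteTableId": "rtb-main-example",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
        ],
    },
]


def subnet_route_table(subnet_id, route_tables):
    """Return the route table explicitly associated with the subnet, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(routes):
    """'igw' or 'nat' depending on where 0.0.0.0/0 points, None if there is no default route."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if "NatGatewayId" in r:
                return "nat"
    return None


def has_gateway_endpoint(routes):
    """True if a prefix-list route targets a vpce-* gateway endpoint (S3 or DynamoDB)."""
    return any("DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-")
               for r in routes)


def classify(subnet_ids, route_tables):
    """Per subnet: public?, internet path ('igw'/'nat'/None) and S3 path."""
    result = {}
    for sid in subnet_ids:
        rt = subnet_route_table(sid, route_tables)
        routes = rt["Routes"] if rt else []
        default = default_route_target(routes)
        if has_gateway_endpoint(routes):
            s3_path = "gateway-endpoint"   # stays inside the AWS network
        else:
            s3_path = default or "none"    # 'igw' / 'nat' are public paths
        result[sid] = {"public": default == "igw", "internet_via": default, "s3_path": s3_path}
    return result


def audit(subnet_ids, route_tables):
    """Findings for subnets that are meant to host private workloads (e.g. model endpoints)."""
    issues = []
    for sid, info in classify(subnet_ids, route_tables).items():
        if info["public"]:
            issues.append(f"{sid}: public subnet (default route to IGW)")
        elif info["s3_path"] == "nat":
            issues.append(f"{sid}: S3 reachable only via NAT (public path); add a gateway endpoint")
        elif info["s3_path"] == "none":
            issues.append(f"{sid}: no route to S3 at all")
    return issues


if __name__ == "__main__":
    for line in audit(SUBNET_IDS, ROUTE_TABLES):
        print(line)
```

The check only sees gateway endpoints, because those are the ones that appear as routes; interface endpoints (PrivateLink ENIs, as used for Bedrock or the S3 interface endpoint) are resolved through DNS rather than routing and would have to be listed separately with `describe-vpc-endpoints`. A subnet that falls through to the main route table is classified by that table, which is why the sample keeps one subnet without an explicit association.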