• Contents:

💡 Questions at the exam that are VPC related are usually for deploying models privately and accessing AWS services without going through the internet

VPC & Subnets Primer

• 🔧 VPC = Virtual Private Cloud
  • Virtual Private Network (VPN) in AWS
  • Many AWS resources require to be deployed to a VPC
• VPCs can be partitioned into subnets (smaller NWs inside a VPC)
  • VPC → regional level
  • Subnet → Availability Zone (AZ) level
• Internet accessibility:
  • Public subnet → accessible from the public internet
  • Private subnet → NOT accessible from the public internet
• ‼️ VPCs are private by default!

• Example of a VPC with 4 subnets deployed in 2 AZs: 2 public and 2 private (1 per AZ)

Internet Gateway & NAT Gateway

• Internet Gateway (IGW)
  • Allows resources deployed in public subnets to access the internet
  • Public Subnets have a default route pointing to the IGW
• NAT Gateway (NATGW)
  • AWS-managed
  • Deployed inside a public subnet
  • Allows resources deployed in private subnets to access the internet (while remaining private)

VPC Endpoints and PrivateLink

• Many AWS services are by default accessed over the public internet (e.g. Bedrock, S3…)
  • …but applications deployed in private subnets in a VPC may not have internet access
• VPC endpoint (VPCE)
  • Allows private access to an AWS service without going over the public internet
  • Usually powered by AWS PrivateLink
  • NW traffic remains internal within AWS
  • Example: your application deployed in a VPC can access a Bedrock model privately

S3 Gateway Endpoint

• 💡 S3 = Simple Storage Service
  • Contains e.g. training datasets inside S3 buckets
• S3 GW Endpoint → Allows private access to an S3 bucket
• There’s also an S3 Interface Endpoint
• Example: SageMaker notebooks can access S3 data privately

Security example: Deploy SageMaker Model in a private VPC

• SageMaker Model hosted inside a private subnet in a VPC, training dataset in an S3 bucket