ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Machine Learning - Specialty All Questions

View all questions & answers for the AWS Certified Machine Learning - Specialty exam
Go to Exam

Exam AWS Certified Machine Learning - Specialty topic 1 question 47 discussion

Exam question from Amazon's AWS Certified Machine Learning - Specialty
Question #: 47
Topic #: 1
[All AWS Certified Machine Learning - Specialty Questions]

A company is setting up an Amazon SageMaker environment. The corporate data security policy does not allow communication over the internet.
How can the company enable the Amazon SageMaker service without enabling direct internet access to Amazon SageMaker notebook instances?

  • A. Create a NAT gateway within the corporate VPC.
  • B. Route Amazon SageMaker traffic through an on-premises network.
  • C. Create Amazon SageMaker VPC interface endpoints within the corporate VPC.
  • D. Create VPC peering with Amazon VPC hosting Amazon SageMaker.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by DonaldCMLIN at Nov. 17, 2019, 12:59 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
DonaldCMLIN
Highly Voted 3 years, 3 months ago
NAT CLOUD GO OUT TO THE INTERNET, IT STILL CANNOT PREVENT DOWNLOAD MALICIOUS BY YOURSELF. THE RIGHT ANSWER IS C. C.INTERFACE VPC ENDPOINT https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-dg.pdf (516) https://docs.aws.amazon.com/zh_tw/vpc/latest/userguide/vpc-endpoints.html
upvoted 46 times
rsimham
3 years, 3 months ago
Not sure if C is correct in this particular scenario. From https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-dg.pdf Page 202 of the SageMaker Guide has: If you allowed access to resources from your VPC, enable direct internet access. For Direct internet access, choose Enable. Without internet access, you can't train or host models from notebooks on this notebook instance unless your VPC has a NAT gateway and your security group allows outbound connect
upvoted 2 times
Selectron
3 years, 3 months ago
There are two possible solutions, but the safer solution and easier is trough VPC endpoints. You can connect to your notebook instance from your VPC through an interface endpoint in your Virtual Private Cloud (VPC) instead of connecting over the internet. When you use a VPC interface endpoint, communication between your VPC and the notebook instance is conducted entirely and securely within the AWS network. And there is not problem that the notebooks does not have public internet. Because Amazon SageMaker notebook instances support Amazon Virtual Private Cloud (Amazon VPC) interface endpoints that are powered by AWS PrivateLink. Each VPC endpoint is represented by one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC subnets. Each VPC endpoint is represented by one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC subnets... so the Answer is C.
upvoted 5 times
...
rsimham
3 years, 3 months ago
A may the right answer
upvoted 1 times
...
...
...
tap123
Highly Voted 3 years, 3 months ago
C is correct. "The VPC interface endpoint connects your VPC directly to the Amazon SageMaker API or Runtime without an internet gateway, **NAT** device, VPN connection, or AWS Direct Connect connection." https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html
upvoted 16 times
...
JonSno
Most Recent 4 months, 3 weeks ago
Selected Answer: C
Explanation: The company's data security policy does not allow internet access, so the solution must allow Amazon SageMaker to function privately within the VPC without internet access. VPC Interface Endpoints (AWS PrivateLink) for SageMaker allow services to communicate privately over the AWS network, without requiring an Internet Gateway (IGW) or NAT Gateway. Explanation: The company's data security policy does not allow internet access, so the solution must allow Amazon SageMaker to function privately within the VPC without internet access. VPC Interface Endpoints (AWS PrivateLink) for SageMaker allow services to communicate privately over the AWS network, without requiring an Internet Gateway (IGW) or NAT Gateway.
upvoted 1 times
...
Denise123
11 months, 1 week ago
The answer is C. - If you want to allow internet access, you must use a NAT gateway with access to the internet, for example through an internet gateway. - If you don't want to allow internet access, create interface VPC endpoints (AWS PrivateLink) to allow Studio Classic to access the following services with the corresponding service names. You must also associate the security groups for your VPC with these endpoints. This is exactly what's written in the ref. doc given in the answer section of the question. (Check page Security and Permissions 1120- 1121) https://docs.aws.amazon.com/pdfs/sagemaker/latest/dg/sagemaker-dg.pdf
upvoted 1 times
...
phdykd
1 year ago
C. To enable Amazon SageMaker service without enabling direct internet access to Amazon SageMaker notebook instances, while adhering to a corporate data security policy that restricts internet communication, the company can: C. Create Amazon SageMaker VPC interface endpoints within the corporate VPC. This option involves setting up VPC (Virtual Private Cloud) interface endpoints for Amazon SageMaker within the corporate VPC (Virtual Private Cloud). This is done using AWS PrivateLink, which allows private connectivity between AWS services using private IP addresses. By creating VPC interface endpoints, the traffic between the corporate VPC and Amazon SageMaker does not traverse the public internet, thereby meeting the corporate data security requirements.
upvoted 1 times
...
sonoluminescence
1 year, 2 months ago
Selected Answer: C
A would allow instances in a private subnet to initiate outbound internet traffic. This is against the requirement of no direct internet access.
upvoted 2 times
...
Sharath1783
1 year, 4 months ago
Selected Answer: C
NAT means data will go to internet. C is the right choice.
upvoted 2 times
...
Mickey321
1 year, 4 months ago
Selected Answer: C
Option c
upvoted 1 times
...
ADVIT
1 year, 6 months ago
Only C, endpoints.
upvoted 1 times
...
jackzhao
1 year, 10 months ago
C is correct, NAT allow outband traffic pass through internet.
upvoted 1 times
...
Nadia0012
1 year, 10 months ago
Selected Answer: C
To prevent SageMaker from providing internet access to your Studio notebooks, you can disable internet access by specifying the VPC only network access type when you the onboard to Studio or call CreateDomain API. As a result, you won't be able to run a Studio notebook unless your VPC has an interface endpoint to the SageMaker API and runtime, or a NAT gateway with internet access, and your security groups allow outbound connections.
upvoted 2 times
Nadia0012
1 year, 10 months ago
To disable direct internet access, under Direct Internet access, simply choose Disable – use VPC only , and select the Create notebook instance button at the bottom. You are ready to go. from: https://aws.amazon.com/blogs/machine-learning/customize-your-amazon-sagemaker-notebook-instances-with-lifecycle-configurations-and-the-option-to-disable-internet-access/#:~:text=To%20disable%20direct%20internet%20access%2C%20under%20Direct%20Internet%20access%2C%20simply,running%2C%20without%20direct%20internet%20access.
upvoted 1 times
...
Nadia0012
1 year, 10 months ago
If you want to allow internet access, you must use a example through an internet gateway. If you don't want to allow internet access, NAT gateway with access to the internet, for create interface VPC endpoints (AWS PrivateLink) to allow Studio to access the following services with the corresponding service names. You must also associate the security groups for your VPC with these endpoints.
upvoted 1 times
...
...
AjoseO
1 year, 11 months ago
Selected Answer: C
A VPC interface endpoint is a private connection between a VPC and Amazon SageMaker that is powered by AWS PrivateLink. With a VPC interface endpoint, traffic between the VPC and Amazon SageMaker never leaves the Amazon network.
upvoted 3 times
...
Ob1KN0B
2 years, 4 months ago
Selected Answer: C
Page 3438 of https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-dg.pdf
upvoted 2 times
...
ovokpus
2 years, 6 months ago
Selected Answer: C
VPC Interface endpoints
upvoted 3 times
...
gcpwhiz
3 years, 2 months ago
If the question just had the last sentence, the answer would be A or C, per this page:https://docs.aws.amazon.com/sagemaker/latest/dg/appendix-notebook-and-internet-access.html. "To disable direct internet access, you can specify a VPC for your notebook instance. By doing so, you prevent SageMaker from providing internet access to your notebook instance. As a result, the notebook instance won't be able to train or host models unless your VPC has an interface endpoint (PrivateLink) or a NAT gateway, and your security groups allow outbound connections." HOWEVER, the question has more context that internet access is not allowed by the corporate policy. ("When you use a VPC interface endpoint, communication between your VPC and the notebook instance is conducted entirely and securely within the AWS network.") Therefore, the answer must be ONLY C.
upvoted 5 times
...
scuzzy2010
3 years, 2 months ago
Answer is C. From https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html -> "The VPC interface endpoint connects your VPC directly to the SageMaker API or Runtime without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the SageMaker API or Runtime."
upvoted 3 times
...
cloud_trail
3 years, 2 months ago
I see a lot of people employing pretzel logic to try to explain why they should be using NAT. The question states no internet communication. Period. No internet means no NAT. Answer is C.
upvoted 5 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel