Securing SageMaker Environment in Compliance with SEC Regulations

Best Option to Enable SageMaker Service without Internet Access

Question

You work as a machine learning specialist for a company that is required to follow the Securities and Exchange Commission (SEC) regulations.

One of the ways your company adheres to some of the SEC regulations is to apply a data security policy that does not allow the sending of your machine learning data over the internet.

You are building a SageMaker environment to use for your team's machine learning models.

Which is the best option to make the SageMaker service available in your company's AWS account without enabling direct internet access to your machine learning specialists' SageMaker notebook instances?

Answers

A. Use Transit Gateway between your corporate VPC and the Amazon VPC hosting SageMaker.

B. Connect directly to the SageMaker runtime (the Amazon VPC hosting SageMaker) through an interface endpoint in your corporate VPC.

C. Route your SageMaker traffic through a network in your corporate data center.

D. Use a NAT gateway in your corporate VPC to connect to the Amazon VPC hosting SageMaker.

Explanations

Correct Answer: B.

Option A is incorrect.

A Transit Gateway is a network transit hub that connects your own VPCs to one another and to an on-premises network.

It is not used to communicate with AWS services like SageMaker.

VPC interface and gateway endpoints are used to accomplish private VPC connections to services like SageMaker.

Option B is correct.

Using an interface endpoint in your VPC, you can connect directly to the SageMaker API or the SageMaker runtime without ever connecting over the internet.

Using a VPC interface endpoint, communication between your VPC and the SageMaker runtime is conducted securely within the AWS network.

Option C is incorrect.

Routing your SageMaker machine learning data through your corporate data center network will not give you access to the Amazon VPC hosting SageMaker.

Option D is incorrect.

If you use a NAT Gateway, you will send your traffic over the internet.

The scenario explicitly states that you cannot send your machine learning data over the internet.

References:

Please see the Amazon Virtual Private Cloud AWS PrivateLink page titled VPC endpoints (https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html),

the Amazon SageMaker developer guide page titled Connect to SageMaker Through a VPC Interface Endpoint (https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html),

the Amazon Virtual Private Cloud transit gateways guide titled What is a Transit Gateway? (https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html), and

the Amazon Virtual Private Cloud VPC peering page titled Unsupported VPC peering configurations (https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html).

The correct answer is B. Connect directly to the SageMaker runtime (the Amazon VPC hosting SageMaker) through an interface endpoint in your corporate VPC.

Explanation:

SageMaker is a fully managed machine learning service provided by AWS, which enables developers and data scientists to build, train, and deploy machine learning models at scale. When building a SageMaker environment to use for machine learning models, it is essential to ensure that the data security policies are in compliance with the regulations set by the Securities and Exchange Commission (SEC).

One of the SEC regulations requires that the machine learning data not be sent over the internet. To comply with it, the SageMaker service must be made available in your company's AWS account without enabling direct internet access to your machine learning specialists' SageMaker notebook instances.

Option A: Use Transit Gateway between your corporate VPC and the Amazon VPC hosting SageMaker.

Transit Gateway is a service that enables customers to connect their VPCs and on-premises networks using a single gateway. While this option allows the connection between your corporate VPC and the Amazon VPC hosting SageMaker, it does not address the SEC regulation of not allowing the sending of machine learning data over the internet.

Option B: Connect directly to the SageMaker runtime (the Amazon VPC hosting SageMaker) through an interface endpoint in your corporate VPC.

This option provides a secure and private connection between your corporate VPC and the Amazon VPC hosting SageMaker without sending the machine learning data over the internet. An interface endpoint is a virtual device that enables private connectivity to a service. In this case, the interface endpoint is used to connect to the SageMaker runtime without using the internet. Therefore, this option is the best choice for complying with the SEC regulation.

Option C: Route your SageMaker traffic through a network in your corporate data center.

Routing your SageMaker traffic through a network in your corporate data center does not address the SEC regulation of not sending machine learning data over the internet. It may also introduce additional complexity and latency to your machine learning environment.

Option D: Use a NAT gateway in your corporate VPC to connect to the Amazon VPC hosting SageMaker.

A Network Address Translation (NAT) gateway enables instances in a private subnet to reach the internet or other AWS services, but it does not address the SEC regulation of not sending machine learning data over the internet. It also adds cost and complexity to your machine learning environment. Therefore, this option is not the best choice for complying with the SEC regulation.
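The controls discussed under options B and D can be verified from the account's own configuration. The following check is an added example, not part of the original question or AWS documentation: it confirms that a notebook instance has direct internet access disabled, that its subnet has no route to an internet or NAT gateway, and that its VPC has available interface endpoints with private DNS for both the SageMaker API and runtime. The input dicts are constructed in the shape of boto3's describe_notebook_instance, describe_vpc_endpoints and describe_route_tables responses, with placeholder ids and an assumed region of us-east-1.

```python
"""Check that a SageMaker notebook instance can only reach SageMaker through
VPC interface endpoints and has no path to the internet. Added example; the
sample dicts are constructed to mirror boto3 describe_* responses and use
placeholder ids, not values from any real account."""

REGION = "us-east-1"  # assumed region for the constructed sample
REQUIRED_SERVICES = {f"com.amazonaws.{REGION}.sagemaker.api",
                     f"com.amazonaws.{REGION}.sagemaker.runtime"}

def route_table_for(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    for t in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in t.get("Associations", [])):
            return t
    return next((t for t in route_tables
                 if any(a.get("Main") for a in t.get("Associations", []))), None)

def check_notebook(notebook, endpoints, route_tables):
    """Return a list of findings; an empty list means the control holds."""
    findings = []
    if notebook.get("DirectInternetAccess") != "Disabled":
        findings.append("DirectInternetAccess is not Disabled")
    table = route_table_for(route_tables, notebook.get("SubnetId"))
    if table is None:
        return findings + ["notebook is not in a VPC subnet with a route table"]
    # A route to either an internet gateway or a NAT gateway is an internet path.
    for r in table["Routes"]:
        via = r.get("NatGatewayId") or r.get("GatewayId", "")
        if via.startswith(("igw-", "nat-")):
            findings.append(f"route {r.get('DestinationCidrBlock', '?')} leaves via {via}")
    # Endpoints must be available with private DNS, so the public SageMaker
    # hostnames resolve to the endpoint instead of the internet.
    present = {e["ServiceName"] for e in endpoints
               if e["VpcId"] == table["VpcId"] and e["VpcEndpointType"] == "Interface"
               and e["State"] == "available" and e.get("PrivateDnsEnabled")}
    for svc in sorted(REQUIRED_SERVICES - present):
        findings.append(f"no available interface endpoint with private DNS for {svc}")
    return findings

# Constructed sample: a compliant notebook, plus a route table that sends
# 0.0.0.0/0 to a NAT gateway (the option D design the explanation rejects).
NOTEBOOK = {"DirectInternetAccess": "Disabled", "SubnetId": "subnet-aaaa1111"}
ENDPOINTS = [{"VpcId": "vpc-0123", "VpcEndpointType": "Interface", "State": "available",
              "PrivateDnsEnabled": True, "ServiceName": s} for s in REQUIRED_SERVICES]
PRIVATE_RT = [{"VpcId": "vpc-0123", "Associations": [{"SubnetId": "subnet-aaaa1111"}],
               "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}]
NAT_RT = [{"VpcId": "vpc-0123", "Associations": [{"SubnetId": "subnet-aaaa1111"}],
           "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                      {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]}]
```

In a real account the three dicts would come from `describe_notebook_instance`, `describe_vpc_endpoints` and `describe_route_tables`, and an empty findings list is the evidence to retain for the compliance record.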

In conclusion, Option B (connect directly to the SageMaker runtime, the Amazon VPC hosting SageMaker, through an interface endpoint in your corporate VPC) is the best option to make the SageMaker service available in your company's AWS account without enabling direct internet access to your machine learning specialists' SageMaker notebook instances, while complying with the SEC regulations.