AWS · MLS-C01

Network Connectivity Design — AWS Machine Learning (MLS-C01)

4%of exam questions (8 of 200)

Bandwidth SLAs and compliance requirements split Direct Connect from VPN.

The exam presents hybrid connectivity scenarios where both Site-to-Site VPN and Direct Connect appear viable. The deciding variables are latency consistency, throughput guarantees, and compliance posture — not connectivity itself. VPN traverses the public internet and is subject to jitter; Direct Connect provides dedicated throughput with predictable latency. Transit Gateway determines whether you're aggregating multiple VPCs or on-premises sites. Parse the scenario's bandwidth, compliance, and topology requirements before selecting.

What This Pattern Tests

The exam describes a multi-VPC or hybrid network and tests connectivity model selection. VPC Peering is free, point-to-point, non-transitive — good for 2-3 VPCs. Transit Gateway is a hub-and-spoke router supporting thousands of VPCs, VPN connections, and Direct Connect gateways — costs $0.05/hour plus $0.02/GB. Direct Connect provides dedicated 1Gbps or 10Gbps links to AWS with consistent latency — costs vary by port speed and partner. The trap is using Transit Gateway for 2 VPCs (peering is simpler and free) or VPC Peering for 15 VPCs (peering is non-transitive, requiring N*(N-1)/2 connections — 105 peering connections vs. 15 Transit Gateway attachments).

Decision Axis

Network topology scale (few VPCs = peering, many = Transit Gateway) and connectivity type (internet VPN vs. dedicated link) determine the approach.

Associated Traps

Compliance Misconception (4)S3 encryption + HTTPS does not make you HIPAA-compliant — you still need a BAA and eligible services only.Near-Right Architecture (4)CloudFront + ALB or Global Accelerator + NLB? Both cut latency — only one preserves client IPs over TCP.

More Top Traps on This Exam

Over-Engineering · 34%CloudFront + Lambda@Edge + API Gateway + DynamoDB + SES — for a static site with a contact form.

Decision Rules

Whether routing Glue-to-S3 data transfers through a VPC gateway endpoint (private AWS-backbone path, no internet egress) versus a NAT gateway (public S3 endpoint via internet path, even with encryption) satisfies a compliance mandate that explicitly prohibits internet egress from the transformation subnet.

Amazon VPCAWS GlueAmazon S3

Whether to route Glue-to-S3 data transfer through a VPC gateway endpoint—keeping traffic on the AWS private backbone at zero per-GB cost—versus routing through a NAT gateway, which is internet-routed and incurs per-GB NAT processing charges that compound at multi-terabyte scale.

AWS GlueAmazon S3Amazon VPC

Domain Coverage

Data Engineering

Difficulty Breakdown

Hard: 4Expert: 4

Build recognition speed →

See all MLS-C01 patterns →