The verified answer is A. AWS PrivateLink. The requirement is that API calls between generative AI applications and foundation models must not travel across the public internet. AWS documentation states that AWS PrivateLink can create a private connection between a VPC and Amazon Bedrock. With this configuration, applications can access Amazon Bedrock as if it were inside the VPC, without requiring an internet gateway, NAT device, VPN connection, or Direct Connect connection. AWS also states that instances in the VPC do not need public IP addresses to access Amazon Bedrock. This exactly satisfies the requirement for private API communication to foundation models.
Amazon Q is incorrect because Amazon Q is a generative AI assistant service for business, developer, and data use cases. It is not the network service used to privately route API calls between applications and FMs.
Amazon CloudFront is incorrect because CloudFront is a content delivery network. It caches and delivers content through edge locations, but it is not the correct service for private VPC-to-AWS-service connectivity that avoids the public internet.
AWS CloudTrail is incorrect because CloudTrail records account activity and API events for governance, audit, and security analysis. It helps track what happened, but it does not provide private network connectivity.
The key phrase is “must not travel across the public internet.” In AWS architecture, that requirement points to private connectivity using VPC endpoints powered by AWS PrivateLink. Therefore, the correct service is AWS PrivateLink.
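As an added illustration of the configuration the explanation describes (this is example code, not from the original explanation or from AWS documentation), the Terraform below creates an interface VPC endpoint for the Bedrock runtime API. The region, VPC ID, subnet IDs and VPC CIDR are assumed inputs; the service name pattern `com.amazonaws.<region>.bedrock-runtime` and the `bedrock:InvokeModel` actions are real AWS identifiers, while the resource names and the choice of endpoint policy are the author's assumptions:

```hcl
# Added example (not the page's own code): keep Bedrock runtime API calls
# on the AWS network via an interface endpoint powered by AWS PrivateLink.
# Region, VPC, subnets and CIDR are assumed inputs supplied by the operator.
variable "region"     { default = "us-east-1" }
variable "vpc_id"     {}
variable "vpc_cidr"   {}
variable "subnet_ids" { type = list(string) }

data "aws_caller_identity" "current" {}

# Only HTTPS from inside the VPC may reach the endpoint's network interfaces.
resource "aws_security_group" "bedrock_endpoint" {
  name   = "bedrock-endpoint-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "bedrock_runtime" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${var.region}.bedrock-runtime"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.subnet_ids
  security_group_ids = [aws_security_group.bedrock_endpoint.id]

  # With private DNS enabled, the SDK's default regional hostname resolves to
  # the endpoint's private IPs, so application code needs no change and the
  # subnets need no internet gateway or NAT route for Bedrock traffic.
  private_dns_enabled = true

  # Endpoint policy (defence in depth on top of IAM): only principals from this
  # account may invoke models through this endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
      Resource  = "*"
      Condition = {
        StringEquals = {
          "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id
        }
      }
    }]
  })
}

output "bedrock_endpoint_dns" {
  value = aws_vpc_endpoint.bedrock_runtime.dns_entry
}
```

A practical check after applying this: from an instance in one of the listed subnets, resolving the regional `bedrock-runtime` hostname should return addresses inside the VPC CIDR, and the subnet's route table needs no `0.0.0.0/0` route for Bedrock calls to succeed. If resolution still returns public addresses, private DNS is not enabled on the endpoint or the VPC lacks DNS hostname/resolution support.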