Amazon SageMaker
Developer Guide

Connect to Amazon SageMaker Through a VPC Interface Endpoint

You can connect directly to the Amazon SageMaker API or to the Amazon SageMaker Runtime through an interface endpoint in your Virtual Private Cloud (VPC) instead of connecting over the internet. When you use a VPC interface endpoint, communication between your VPC and the Amazon SageMaker API or Runtime is conducted entirely and securely within the AWS network.

The Amazon SageMaker API and Runtime support Amazon Virtual Private Cloud (Amazon VPC) interface endpoints that are powered by AWS PrivateLink. Each VPC endpoint is represented by one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC subnets.

The VPC interface endpoint connects your VPC directly to the Amazon SageMaker API or Runtime without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon SageMaker API or Runtime.

You can create an interface endpoint to connect to Amazon SageMaker or to Amazon SageMaker Runtime with either the AWS console or AWS Command Line Interface (AWS CLI) commands. For instructions, see Creating an Interface Endpoint.

After you have created a VPC endpoint, you can use the following example CLI commands that use the endpoint-url parameter to specify interface endpoints to the Amazon SageMaker API or Runtime:

aws sagemaker list-notebook-instances --endpoint-url https://VPC_Endpoint_ID.api.sagemaker.Region.vpce.amazonaws.com

aws sagemaker list-training-jobs --endpoint-url https://VPC_Endpoint_ID.api.sagemaker.Region.vpce.amazonaws.com

aws sagemaker-runtime invoke-endpoint --endpoint-url https://VPC_Endpoint_ID.runtime.sagemaker.Region.vpce.amazonaws.com \
    --endpoint-name Endpoint_Name \
    --body "Endpoint_Body" \
    --content-type "Content_Type" \
    Output_File

If you enable private DNS hostnames for your VPC endpoint, you don't need to specify the endpoint URL. The Amazon SageMaker API DNS hostname that the CLI and Amazon SageMaker SDK use by default (https://api.sagemaker.Region.amazonaws.com) resolves to your VPC endpoint. Similarly, the Amazon SageMaker Runtime DNS hostname that the CLI and Amazon SageMaker Runtime SDK use by default (https://runtime.sagemaker.Region.amazonaws.com) resolves to your VPC endpoint.
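A check for the private DNS behaviour described above, as an added example that is not part of the AWS guide: it resolves the two default hostnames and confirms that every returned address lies inside your VPC CIDR ranges, which is where the endpoint's ENIs get their private IP addresses. The function names, the sample CIDR and the stubbed addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Default hostname patterns quoted on this page; {region} is filled in by the caller.
DEFAULT_HOSTS = (
    "api.sagemaker.{region}.amazonaws.com",
    "runtime.sagemaker.{region}.amazonaws.com",
)


def resolve(host):
    """Return the set of IP addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_private_dns(region, vpc_cidrs, resolver=resolve):
    """Map each default SageMaker hostname to (ok, addresses).

    ok is True only when the name resolves and every address is inside one of
    vpc_cidrs, i.e. the name points at the endpoint ENIs rather than at the
    public service addresses. A resolution failure is reported as (False, []).
    """
    nets = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    report = {}
    for pattern in DEFAULT_HOSTS:
        host = pattern.format(region=region)
        try:
            addrs = sorted(resolver(host))
        except OSError:  # socket.gaierror is a subclass of OSError
            addrs = []
        inside = [any(ipaddress.ip_address(a) in net for net in nets) for a in addrs]
        report[host] = (bool(addrs) and all(inside), addrs)
    return report


if __name__ == "__main__":
    # Constructed resolver answers so the demo runs offline: the API name
    # resolves into the VPC, the Runtime name to a documentation-range address.
    sample = {
        "api.sagemaker.us-east-1.amazonaws.com": {"10.0.1.25", "10.0.2.31"},
        "runtime.sagemaker.us-east-1.amazonaws.com": {"203.0.113.10"},
    }
    result = check_private_dns("us-east-1", ["10.0.0.0/16"], resolver=sample.__getitem__)
    for host, (ok, addrs) in result.items():
        print("PRIVATE" if ok else "NOT PRIVATE", host, addrs)
```

Run it from an instance inside the VPC with the default resolver (omit the `resolver` argument) and pass the VPC's actual CIDR blocks.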

The Amazon SageMaker API and Runtime support VPC endpoints in all AWS Regions where both Amazon VPC and Amazon SageMaker are available. Amazon SageMaker supports making calls to all of its Actions inside your VPC. The AuthorizedUrl returned by CreatePresignedNotebookInstanceUrl is not supported by AWS PrivateLink.

To learn more about AWS PrivateLink, see the AWS PrivateLink documentation and visit the AWS Blog. Refer to VPC Pricing for the price of VPC Endpoints. To learn more about VPC and Endpoints, see Amazon VPC.