Amazon SageMaker
Developer Guide

Connect to a Notebook Instance Through a VPC Interface Endpoint

You can connect to your notebook instance from your VPC through an interface endpoint in your Virtual Private Cloud (VPC) instead of connecting over the internet. When you use a VPC interface endpoint, communication between your VPC and the notebook instance is conducted entirely and securely within the AWS network.

Amazon SageMaker notebook instances support Amazon Virtual Private Cloud (Amazon VPC) interface endpoints that are powered by AWS PrivateLink. Each VPC endpoint is represented by one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC subnets.

Note

Before you create an interface VPC endpoint to connect to a notebook instance, create an interface VPC endpoint to connect to the Amazon SageMaker API. That way, when users call CreatePresignedNotebookInstanceUrl to get the URL to connect to the notebook instance, that call also goes through the interface VPC endpoint. For information, see Connect to Amazon SageMaker Through a VPC Interface Endpoint.

You can create an interface endpoint to connect to your notebook instance with either the AWS console or AWS Command Line Interface (AWS CLI) commands. For instructions, see Creating an Interface Endpoint.

When you create the interface endpoint, specify aws.sagemaker.region.notebook as the service name. We recommend that you enable private DNS hostnames for your VPC endpoint. If you don't enable private DNS hostnames, users who connect to the notebook instance through the console will not connect through the interface endpoint. In other words, the console will attempt to connect over the internet.

After you have created a VPC endpoint, users can use it to connect to your notebook instance from within your VPC. If you enable private DNS hostnames for your VPC endpoint, users do not need to specify the VPC endpoint when connecting to the notebook instance. Anyone using the Amazon SageMaker API, the AWS CLI, or the console to connect to the notebook instance from within the VPC will connect to the VPC endpoint.

If you do not enable private DNS hostnames for your VPC endpoint, users have to specify the VPC endpoint name when connecting to the notebook instance.

Amazon SageMaker notebook instances support VPC endpoints in all AWS Regions where both Amazon VPC and Amazon SageMaker are available.

To connect to your notebook instance through your VPC, you either have to connect from an instance that is inside the VPC, or connect your private network to your VPC by using an Amazon Virtual Private Network (VPN) or AWS Direct Connect. For information about Amazon VPN, see VPN Connections in the Amazon Virtual Private Cloud User Guide. For information about AWS Direct Connect, see Creating a Connection in the AWS Direct Connect User Guide.

Even if you set up an interface endpoint in your VPC, individuals outside the VPC can connect to the notebook instance over the internet.

Important

If you apply an IAM policy similar to one of the following, users can't access the specified Amazon SageMaker APIs or the notebook instance through the console.

To restrict access to only connections made from within your VPC, create an AWS Identity and Access Management policy that restricts access to only calls that come from within your VPC. Then add that policy to every AWS Identity and Access Management user, group, or role used to access the notebook instance.

{
  "Id": "notebook-example-1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable Notebook Access",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:DescribeNotebookInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-111bbaaa"
        }
      }
    }
  ]
}

If you want to restrict access to the notebook instance to only connections made using the interface endpoint, use the aws:SourceVpce condition key instead of aws:SourceVpc:

{
  "Id": "notebook-example-1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable Notebook Access",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:DescribeNotebookInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": [
            "vpce-111bbccc",
            "vpce-111bbddd"
          ]
        }
      }
    }
  ]
}

Both of these policy examples assume that you have also created an interface endpoint for the Amazon SageMaker API. For more information, see Connect to Amazon SageMaker Through a VPC Interface Endpoint. In the second example, one of the values for aws:SourceVpce is the ID of the interface endpoint for the notebook instance. The other is the ID of the interface endpoint for the Amazon SageMaker API.
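As an added example (not code from the SageMaker guide or from AWS), the following Python simulates the IAM condition operators these policies rely on and checks what each permits for a call arriving through the listed endpoint, through some other endpoint in the same VPC, and over the internet. It assumes the documented IAM semantics: aws:SourceVpc and aws:SourceVpce are present only for requests that arrive through a VPC endpoint, StringEquals on a single-valued key matches when the request value is in the policy list, and ForAllValues:StringEquals also matches when the key is absent from the request, which is why plain StringEquals is the right operator for the endpoint list; the endpoint and VPC IDs are the guide's placeholders and the request contexts are constructed.

```python
def _request_values(ctx, key):
    # Condition key names are case-insensitive; an absent key yields an empty set.
    for name, value in ctx.items():
        if name.lower() == key.lower():
            return value if isinstance(value, list) else [value]
    return []
def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, ctx):
    """Evaluate a Condition block: every operator/key pair must hold."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            allowed, have = _as_list(allowed), _request_values(ctx, key)
            if operator == "StringEquals":
                # Single-valued key: the one request value must be in the policy list.
                if len(have) != 1 or have[0] not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every request value must be listed; an absent key (empty set) passes.
                if any(v not in allowed for v in have):
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True

def allows(policy, action, ctx):
    """True if some Allow statement names the action and its condition holds."""
    return any(
        st["Effect"] == "Allow" and action in _as_list(st["Action"])
        and condition_matches(st.get("Condition", {}), ctx)
        for st in policy["Statement"]
    )

ACTIONS = ["sagemaker:CreatePresignedNotebookInstanceUrl",
           "sagemaker:DescribeNotebookInstance"]
ENDPOINTS = ["vpce-111bbccc", "vpce-111bbddd"]  # notebook and API endpoint IDs from the guide

def _policy(condition):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ACTIONS, "Resource": "*", "Condition": condition}]}

VPC_POLICY = _policy({"StringEquals": {"aws:SourceVpc": "vpc-111bbaaa"}})
VPCE_POLICY = _policy({"StringEquals": {"aws:SourceVpce": ENDPOINTS}})
FORALL_POLICY = _policy({"ForAllValues:StringEquals": {"aws:SourceVpce": ENDPOINTS}})
# Constructed request contexts. aws:SourceVpc/aws:SourceVpce exist only for requests
# that arrive through a VPC endpoint; a call over the internet carries neither.
CTX_VIA_ENDPOINT = {"aws:SourceVpc": "vpc-111bbaaa", "aws:SourceVpce": "vpce-111bbccc"}
CTX_OTHER_ENDPOINT = {"aws:SourceVpc": "vpc-111bbaaa", "aws:SourceVpce": "vpce-999zzz"}
CTX_INTERNET = {}
```

Evaluating the three contexts shows that the aws:SourceVpc policy admits any endpoint in the VPC, the aws:SourceVpce policy admits only the two listed endpoints, and the ForAllValues variant would also admit a call over the internet.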

The policy examples here include DescribeNotebookInstance because typically you would call DescribeNotebookInstance to make sure that the NotebookInstanceStatus is InService before you try to connect to it. For example:

aws sagemaker describe-notebook-instance \
    --notebook-instance-name myNotebookInstance

{
    "NotebookInstanceArn": "arn:aws:sagemaker:us-west-2:1234567890ab:notebook-instance/mynotebookinstance",
    "NotebookInstanceName": "myNotebookInstance",
    "NotebookInstanceStatus": "InService",
    "Url": "mynotebookinstance.notebook.us-west-2.sagemaker.aws",
    "InstanceType": "ml.m4.xlarge",
    "RoleArn": "arn:aws:iam::1234567890ab:role/service-role/AmazonSageMaker-ExecutionRole-12345678T123456",
    "LastModifiedTime": 1540334777.501,
    "CreationTime": 1523050674.078,
    "DirectInternetAccess": "Disabled"
}

aws sagemaker create-presigned-notebook-instance-url \
    --notebook-instance-name myNotebookInstance

{
    "AuthorizedUrl": "https://mynotebookinstance.notebook.us-west-2.sagemaker.aws?authToken=AuthToken"
}

For both of these calls, if you did not enable private DNS hostnames for your VPC endpoint, or if you are using a version of the AWS SDK that was released before August 13, 2018, you must specify the endpoint URL in the call. For example, the call to create-presigned-notebook-instance-url would be:

aws sagemaker create-presigned-notebook-instance-url \
    --notebook-instance-name myNotebookInstance \
    --endpoint-url https://VPC_Endpoint_ID.api.sagemaker.Region.vpce.amazonaws.com