Connect SageMaker Studio Notebooks to Resources in a VPC - Amazon SageMaker


The following topic gives information on how to connect Studio Notebooks to resources in a VPC.

Default communication with the internet

By default, SageMaker Studio provides a network interface that allows communication with the internet through a VPC managed by SageMaker. Traffic to AWS services like Amazon S3 and CloudWatch goes through an internet gateway, as does traffic that accesses the SageMaker API and SageMaker runtime. Traffic between the domain and your Amazon EFS volume goes through the VPC that you specified when you onboarded to Studio or called the CreateDomain API. The following diagram shows the default configuration.

[Diagram: SageMaker Studio VPC using direct internet access]

VPC only communication with the internet

To prevent SageMaker from providing internet access to your Studio notebooks, disable internet access by specifying the VpcOnly network access type when you onboard to Studio or call the CreateDomain API. As a result, you won't be able to run a Studio notebook unless your VPC has interface endpoints to the SageMaker API and runtime, or a NAT gateway with internet access, and your security groups allow outbound connections. The following diagram shows a configuration for using VPC-only mode.

[Diagram: SageMaker Studio VPC using VPC-only mode]

Requirements to use VPC only mode

When you choose VpcOnly, follow these steps:

  1. Ensure your subnets have one IP address for each instance. For more information, see VPC and subnet sizing for IPv4.

    Note

    You can configure only subnets with a default tenancy VPC in which your instance runs on shared hardware. For more information on the tenancy attribute for VPCs, see Dedicated Instances.

  2. Set up one or more security groups with inbound and outbound rules that together allow the following traffic:

  3. If you want to allow internet access, you must use a NAT gateway with access to the internet, for example through an internet gateway.

  4. If you don't want to allow internet access, create interface VPC endpoints (AWS PrivateLink) to allow Studio to access the following services with the corresponding service names. You must also associate the security groups for your VPC with these endpoints.

    • SageMaker API: com.amazonaws.us-east-1.sagemaker.api

    • SageMaker runtime: com.amazonaws.us-east-1.sagemaker.runtime (required to run Studio notebooks and to train and host models)

    • Amazon S3: com.amazonaws.us-east-1.s3

    • SageMaker Projects (if used): com.amazonaws.us-east-1.servicecatalog

    • Any other AWS services you require
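The steps above amount to a checklist that can be audited from the API responses: the domain must be VpcOnly with subnets and security groups configured, and each required service must be reachable through a VPC endpoint in the domain's VPC that is associated with the domain's security groups. The following is an added example, not code from the AWS documentation. It inspects records in the shape returned by `describe-domain` and `describe-vpc-endpoints` and reports what is missing; the domain, VPC, subnet, security group and endpoint records below are constructed for illustration, and the `require_projects` flag and all function names are this example's own. It accepts a gateway endpoint for Amazon S3 as well as the interface endpoint named on the page, because gateway endpoints attach to route tables rather than security groups.

```python
"""Audit a SageMaker Studio domain for the VPC-only prerequisites.

Added example (not AWS documentation code). Input shapes follow the
`describe-domain` and `describe-vpc-endpoints` responses; sample data is
constructed. Assumed names: audit_vpc_only, required_endpoints,
require_projects.
"""

# Service-name suffixes the page lists, keyed to a human-readable label.
REQUIRED_SUFFIXES = {
    "sagemaker.api": "SageMaker API",
    "sagemaker.runtime": "SageMaker runtime",
    "s3": "Amazon S3",
}
PROJECTS_SUFFIX = {"servicecatalog": "SageMaker Projects"}


def required_endpoints(region, require_projects=False):
    """Map full PrivateLink service names (e.g. com.amazonaws.us-east-1.s3) to labels."""
    suffixes = dict(REQUIRED_SUFFIXES)
    if require_projects:
        suffixes.update(PROJECTS_SUFFIX)
    return {f"com.amazonaws.{region}.{s}": label for s, label in suffixes.items()}


def audit_vpc_only(domain, endpoints, region, require_projects=False):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings = []
    access = domain.get("AppNetworkAccessType")
    if access != "VpcOnly":
        # Every other check only applies in VpcOnly mode; stop here.
        findings.append(
            f"domain AppNetworkAccessType is {access}, not VpcOnly: "
            "SageMaker provides internet access through its managed VPC"
        )
        return findings

    domain_sgs = set(domain.get("DefaultUserSettings", {}).get("SecurityGroups", []))
    if not domain.get("SubnetIds"):
        findings.append("domain has no subnets configured")
    if not domain_sgs:
        findings.append("domain has no security groups configured")

    # Index endpoints that live in the domain's VPC by service name.
    by_service = {
        ep["ServiceName"]: ep
        for ep in endpoints
        if ep.get("VpcId") == domain.get("VpcId")
    }

    for name, label in required_endpoints(region, require_projects).items():
        ep = by_service.get(name)
        if ep is None:
            findings.append(
                f"missing VPC endpoint for {label} ({name}); "
                "without it, Studio needs a NAT gateway with internet access"
            )
            continue
        if ep.get("VpcEndpointType") == "Gateway":
            # Gateway endpoints (valid for S3) use route tables, not security groups.
            continue
        ep_sgs = {g["GroupId"] for g in ep.get("Groups", [])}
        if not ep_sgs & domain_sgs:
            findings.append(
                f"endpoint for {label} ({name}) is not associated "
                "with any of the domain's security groups"
            )
    return findings


# Constructed sample records (identifiers are placeholders, not real resources).
GOOD_DOMAIN = {
    "DomainId": "d-example000000",
    "VpcId": "vpc-0example",
    "SubnetIds": ["subnet-0example1", "subnet-0example2"],
    "AppNetworkAccessType": "VpcOnly",
    "DefaultUserSettings": {"SecurityGroups": ["sg-0example"]},
}
GOOD_ENDPOINTS = [
    {"VpcEndpointType": "Interface", "VpcId": "vpc-0example",
     "ServiceName": "com.amazonaws.us-east-1.sagemaker.api",
     "Groups": [{"GroupId": "sg-0example"}]},
    {"VpcEndpointType": "Interface", "VpcId": "vpc-0example",
     "ServiceName": "com.amazonaws.us-east-1.sagemaker.runtime",
     "Groups": [{"GroupId": "sg-0example"}]},
    {"VpcEndpointType": "Gateway", "VpcId": "vpc-0example",
     "ServiceName": "com.amazonaws.us-east-1.s3", "Groups": []},
]

if __name__ == "__main__":
    for finding in audit_vpc_only(GOOD_DOMAIN, GOOD_ENDPOINTS, "us-east-1") or ["OK"]:
        print(finding)
```

To run it against a real account, feed it the `Domain`-level fields of `aws sagemaker describe-domain` and the `VpcEndpoints` array of `aws ec2 describe-vpc-endpoints`; the region string must match the one embedded in the service names, otherwise every endpoint is reported missing.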

Note

When you work in VPC-only mode, company firewalls can cause connection issues with SageMaker Studio or between the JupyterServer and the KernelGateway. Make the following checks if you encounter one of these issues when using SageMaker Studio from behind a firewall.

  • Check that the Studio URL is in your network's allowlist.

  • Check that websocket connections are not blocked. Jupyter uses websockets under the hood. Even if the KernelGateway application is in the InService state, the JupyterServer may not be able to connect to it when websockets are blocked. The same problem appears when opening the System Terminal.