amazon-sagemaker-studio-vpc-blog's Introduction

SageMaker Studio VPC Mode

With VPC mode enabled on SageMaker Studio, all traffic from the SageMaker instances flows through the customer-selected VPC. This CloudFormation template deploys an infrastructure ready to test this functionality, containing:

  1. sm-studio-vpc-infra.template.yaml: Main template which launches a set of nested templates to provision the products in their entirety
  2. vpc_template.yaml: Creates a secure project VPC without internet connectivity and a private subnet. Also creates the VPC endpoints that allow Studio to securely connect to other AWS services such as S3
  3. iam_template.yaml: Provisions the IAM execution role to be used by SageMaker Studio
  4. s3_template.yaml: Creates a sample S3 bucket that will be used to demonstrate the secure connectivity

Once the environment is ready, you can create the SageMaker Studio domain with the following CLI command. The EXECUTION_ROLE_NAME and SECURITY_GROUP values can be found in the Outputs section of the CloudFormation stack deployed above.

#Fill out the parameters below first
REGION=
AWS_ACCOUNT_ID=
EXECUTION_ROLE_NAME=
VPC_ID=
#Provide the private subnet IDs here (space-separated if more than one)
SUBNET_IDS=
SECURITY_GROUP=

aws --region $REGION sagemaker create-domain --domain-name "vpc-domain" --vpc-id $VPC_ID --subnet-ids $SUBNET_IDS --app-network-access-type VpcOnly --auth-mode IAM --default-user-settings "ExecutionRole=arn:aws:iam::${AWS_ACCOUNT_ID}:role/${EXECUTION_ROLE_NAME},SecurityGroups=${SECURITY_GROUP}"

To create a Studio user profile:

#Fill out the domain ID returned by the last step
#You can change user-profile-name to create more users under the same domain
DOMAIN_ID=
aws --region $REGION sagemaker create-user-profile --domain-id $DOMAIN_ID --user-profile-name user1

To access Studio:

Create a pre-signed URL

#Fill out the domain ID and user profile name from the last steps
DOMAIN_ID=
USER_PROFILE_NAME="user1"
aws --region $REGION sagemaker create-presigned-domain-url --domain-id $DOMAIN_ID --user-profile-name $USER_PROFILE_NAME

Since Studio is now attached to the VPC, you need network access to that VPC in order to reach Studio.

In your web browser, open the presigned URL generated by create-presigned-domain-url above.
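The three CLI steps above (create the VpcOnly domain, create a user profile, generate a presigned URL) wrapped in shell functions that validate their inputs before anything is sent to AWS and that wait for the asynchronous domain creation to finish. This is an added example, not code from the aws-samples repository; it assumes AWS CLI v2 on PATH with credentials for the target account, and the function names, the regex checks and the "--run" guard are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the aws-samples repo): the README's three CLI steps
# as functions with input validation. Assumes AWS CLI v2 and valid credentials;
# the function names, regex checks and --run guard are this example's own.
set -eu

# Return 0 if $2 matches the extended regex $3; otherwise report the variable
# named by $1 and return 1, so malformed values never reach a command line.
require_id() {
  if printf '%s\n' "$2" | grep -Eq "$3"; then
    return 0
  fi
  echo "error: $1='$2' does not look like a valid value" >&2
  return 1
}

# Build the --default-user-settings shorthand used by the README's create-domain
# call. Returns 1 and prints nothing if any component is malformed. The role-name
# check deliberately excludes commas, which would break the shorthand syntax.
build_user_settings() {
  require_id AWS_ACCOUNT_ID "$1" '^[0-9]{12}$' || return 1
  require_id EXECUTION_ROLE_NAME "$2" '^[A-Za-z0-9+=.@_-]{1,64}$' || return 1
  require_id SECURITY_GROUP "$3" '^sg-[0-9a-f]{8,17}$' || return 1
  printf 'ExecutionRole=arn:aws:iam::%s:role/%s,SecurityGroups=%s' "$1" "$2" "$3"
}

# Extract the domain ID (d-...) from the DomainArn that create-domain returns.
domain_id_from_arn() {
  printf '%s' "${1##*/}"
}

# Step 1: create the Studio domain in VpcOnly mode and print its domain ID.
create_vpc_domain() {
  settings=$(build_user_settings "$AWS_ACCOUNT_ID" "$EXECUTION_ROLE_NAME" "$SECURITY_GROUP") || return 1
  require_id VPC_ID "$VPC_ID" '^vpc-[0-9a-f]{8,17}$' || return 1
  for s in $SUBNET_IDS; do
    require_id SUBNET_IDS "$s" '^subnet-[0-9a-f]{8,17}$' || return 1
  done
  # SUBNET_IDS is intentionally unquoted so several IDs word-split into a list.
  arn=$(aws --region "$REGION" sagemaker create-domain \
        --domain-name "vpc-domain" --vpc-id "$VPC_ID" --subnet-ids $SUBNET_IDS \
        --app-network-access-type VpcOnly --auth-mode IAM \
        --default-user-settings "$settings" \
        --query DomainArn --output text)
  domain_id_from_arn "$arn"
}

# Domain creation is asynchronous: poll describe-domain until Status is
# InService, giving up after $2 attempts (15 s apart), before adding users.
wait_for_domain() {
  attempts=0
  while [ "$attempts" -lt "$2" ]; do
    status=$(aws --region "$REGION" sagemaker describe-domain --domain-id "$1" \
               --query Status --output text)
    [ "$status" = "InService" ] && return 0
    echo "domain $1 status: $status, waiting" >&2
    attempts=$((attempts + 1))
    sleep 15
  done
  return 1
}

# Steps 2 and 3: create a user profile and print a presigned URL for it. The URL
# is a short-lived credential, so it is only printed, never written to a file.
create_user_and_url() {
  aws --region "$REGION" sagemaker create-user-profile --domain-id "$1" \
      --user-profile-name "$2" >/dev/null
  aws --region "$REGION" sagemaker create-presigned-domain-url --domain-id "$1" \
      --user-profile-name "$2" --query AuthorizedUrl --output text
}

# Only talk to AWS when run with --run; otherwise the file just defines the
# functions, so the validation logic can be exercised offline.
if [ "${1:-}" = "--run" ]; then
  : "${REGION:?}" "${AWS_ACCOUNT_ID:?}" "${EXECUTION_ROLE_NAME:?}" \
    "${VPC_ID:?}" "${SUBNET_IDS:?}" "${SECURITY_GROUP:?}"
  DOMAIN_ID=$(create_vpc_domain)
  wait_for_domain "$DOMAIN_ID" 40
  create_user_and_url "$DOMAIN_ID" "${USER_PROFILE_NAME:-user1}"
fi
```

Export the same variables the README asks for, then run the script with `--run`; the presigned URL it prints still has to be opened from a browser that can reach the VPC, exactly as the README notes.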

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.


amazon-sagemaker-studio-vpc-blog's Issues

Add new SageMaker VPC Endpoints to the template

The CloudFormation template does not include every SageMaker VPC Endpoint. While it is not explicitly stated in the blog post that all of them are provisioned, it is creating friction and confusion for customers that are exploring SageMaker. Ideally, all of the SageMaker Sample Notebooks can be executed successfully after this blog post is followed.

Services to be added:

  • com.amazonaws.us-west-2.sagemaker.featurestore-runtime
  • com.amazonaws.us-west-2.sagemaker.metrics

Recommend to add enough description on stack cleaning

This is not a problem, but it would be great to add some description advising on the situation below:

There are two ways to address the problem of cleaning up everything:

  1. log in to the account as root and empty the bucket
  2. update S3 VPC endpoint policy to allow proper access (such as including s3 delete permissions)
  3. update IAM role permissions on user profile to allow s3 delete permissions
  4. use Studio system terminal to empty the s3 bucket.

VPCOnly SG configuration?

Official AWS documentation refers to below configuration:

https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html

NFS traffic over TCP on port 2049 between the domain and the Amazon EFS volume.

TCP traffic within the security group. This is required for connectivity between the JupyterServer app and the KernelGateway apps.

and your repo seems to allow only 443 traffic:

https://github.com/aws-samples/amazon-sagemaker-studio-vpc-blog/blob/main/templates/vpc_template.yaml#L92

Does your narrower configuration still support a "full" setup?

https://aws.amazon.com/blogs/machine-learning/securing-amazon-sagemaker-studio-connectivity-using-a-private-vpc/

Unable to shutdown image sagemaker-....

Anyone else getting this error when trying to shut down a notebook instance? I'm using the role created from the stack.

An error occurred (AccessDeniedException) when calling the DeleteApp operation: User: arn:aws:sts::######:assumed-role/xxxx/SageMaker is not authorized to perform: sagemaker:DeleteApp on resource: arn:aws:sagemaker:us-east-1:####:app/d-dqyprgsponza/default-1624412688447/kernelgateway/sagemaker-jumpstart-t-ml-t3-medium-4f49623cd36e410a2e80bdc467dc
