How to allowlist SageMaker IP?

0

I want to allowlist the SageMaker Studio IP so people can access certain allowlisted services from SageMaker. I created a SageMaker domain in my private subnet of my VPC, so theoretically it should use the IP of the associated NAT gateway, right? But I see a different IP 🤔

2 Answers
0
Accepted Answer

I should've read through my Terraform code that created SageMaker more carefully. I specified a VPC, so I thought it would be in the VPC, but it turns out I needed to specify the AppNetworkAccessType too.

bad:

resource "aws_sagemaker_domain" "my_domain" {
  domain_name = var.domain_name
  auth_mode   = "IAM"
  vpc_id      = var.vpc_id
  subnet_ids  = var.subnet_ids
  # app_network_access_type is not set, so it defaults to PublicInternetOnly:
  # Studio traffic leaves through the SageMaker-managed VPC, not this VPC's NAT gateway
}

good:

resource "aws_sagemaker_domain" "my_domain" {
  domain_name = var.domain_name
  auth_mode   = "IAM"
  vpc_id      = var.vpc_id
  subnet_ids  = var.subnet_ids
  # VpcOnly: Studio apps run in the listed subnets, so outbound traffic uses this VPC's NAT gateway
  app_network_access_type = "VpcOnly"
}
answered a year ago
0

When you create a SageMaker Studio in a private subnet, it is associated with a NAT gateway that allows the Studio to access the internet. However, the IP address of the NAT gateway is not typically used for inbound connections to the Studio. Instead, the IP address of the VPC endpoint for SageMaker Studio is used for inbound connections.

The VPC endpoint for SageMaker Studio is a highly available, scalable, and secure connection to the SageMaker Studio service without the need to traverse the internet or a NAT gateway.

Therefore, if you want to allowlist the IP of the SageMaker Studio, you would need to whitelist the IP address of the VPC endpoint for SageMaker Studio, rather than the IP address of the NAT gateway.

You can find the IP address of the VPC endpoint for SageMaker Studio in the VPC console under the "Endpoints" tab, or you can use the aws ec2 describe-vpc-endpoints command to retrieve information about your VPC endpoint.

It is also possible to use security groups or Network ACLs to specify allowlisted IPs that can access the VPC endpoint.

answered a year ago
  • Instead, the IP address of the VPC endpoint for SageMaker Studio is used for inbound connections.

    Is the IP address of the VPC endpoint also used for outbound connections to public websites?

    You can find the IP address of the VPC endpoint for SageMaker Studio in the VPC console under the "Endpoints" tab, or you can use the aws ec2 describe-vpc-endpoints command to retrieve information about your VPC endpoint.

    I never created a VPC endpoint for Sagemaker studio. I don't see any relevant endpoints in that tab.

    It might help if I rephrased my question - when I open a studio instance, and curl ifconfig.me to see my IP, where does that IP come from?

  • Run this command to check the AppNetworkAccessType of your domain. Please replace the "<DOMAIN_ID>" with your actual domain id, which starts with "d-". aws sagemaker describe-domain --domain-id <DOMAIN_ID> | jq -r ".AppNetworkAccessType"

    If PublicInternetOnly, SageMaker Studio provides a network interface that allows communication with the internet through a VPC managed by SageMaker. That IP is from the SageMaker Service AWS Account.

    If VpcOnly and you want to allow internet access, you must use a NAT gateway with access to the internet, for example through an internet gateway. That IP is the IP of the NAT gateway. I have confirmed that in my own account. You can check the IP of the NAT gateway with this command, and compare with the output from "curl ". aws ec2 describe-nat-gateways | jq -r ".NatGateways[0].NatGatewayAddresses[0].PublicIp"

    Please refer to this document [1] on how SageMaker communicates with the Internet in different modes.

    [1] https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html
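The check described in the comment above, as an added example that is not part of this thread: it reads the domain's AppNetworkAccessType and, for VpcOnly, compares the IP seen from inside Studio against every available NAT gateway in the domain's VPC (the comment's jq filter only looks at the first NAT gateway). The aws CLI calls, the script name check_egress.py and the sample JSON documents are assumptions; the samples are constructed, not real account data.

```python
import json
import subprocess
import sys

def aws_json(*args):
    """Run an AWS CLI command (assumed installed and authenticated) and parse its JSON."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))

def nat_public_ips(nat_doc, vpc_id):
    """Public IPs of every available NAT gateway in vpc_id (describe-nat-gateways shape)."""
    return {
        addr["PublicIp"]
        for ngw in nat_doc["NatGateways"]
        if ngw["VpcId"] == vpc_id and ngw["State"] == "available"
        for addr in ngw["NatGatewayAddresses"]
        if "PublicIp" in addr
    }

def classify_egress(domain_doc, nat_doc, observed_ip):
    """Explain where the public IP seen from inside Studio comes from.
    Returns a dict: mode, nat_ips (in the domain's VPC), matched, verdict."""
    mode = domain_doc["AppNetworkAccessType"]
    nat_ips = sorted(nat_public_ips(nat_doc, domain_doc["VpcId"]))
    if mode == "PublicInternetOnly":
        matched = False
        verdict = "egress via the SageMaker-managed VPC; the IP is not one of your NAT gateways"
    elif observed_ip in nat_ips:
        matched = True
        verdict = f"egress via your NAT gateway {observed_ip}; allowlist this address"
    else:
        matched = False
        verdict = f"{mode}, but no available NAT gateway in the domain VPC owns {observed_ip}"
    return {"mode": mode, "nat_ips": nat_ips, "matched": matched, "verdict": verdict}

# Constructed sample documents (not real account data) in the AWS CLI output shape.
SAMPLE_DOMAIN = {"DomainId": "d-example0000000", "AppNetworkAccessType": "VpcOnly",
                 "VpcId": "vpc-0example", "SubnetIds": ["subnet-0example"]}
SAMPLE_NAT = {"NatGateways": [
    {"NatGatewayId": "nat-0example1", "VpcId": "vpc-0example", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-0example2", "VpcId": "vpc-0other", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "198.51.100.7"}]},
]}

if __name__ == "__main__":
    # Usage: python check_egress.py <DOMAIN_ID> <IP seen by 'curl ifconfig.me' inside Studio>
    domain = aws_json("sagemaker", "describe-domain", "--domain-id", sys.argv[1])
    nats = aws_json("ec2", "describe-nat-gateways")
    print(json.dumps(classify_egress(domain, nats, sys.argv[2]), indent=2))
```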
