How to configure RS Security Group Ingress Rule to Accept SageMaker Studio Notebook Connection

0

Hello, I have the below resources in the same account and the same VPC:

  1. one Redshift cluster, publicly accessible, with internet access controlled by a security group using a TCP port range.
  2. one SageMaker domain, using the default communication with the internet, as in https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html.

My understanding is that a SageMaker Studio notebook (not the notebook instance) in the above SageMaker domain will have its boto3 connection to Redshift initiated via the Internet. Thus, the Redshift security group should have a proper inbound rule configured to allow the incoming traffic.

I am not able to find any information about the source (public IPs) of the SageMaker domain (Studio notebook) public traffic, the source of which should be owned by the SageMaker service. How should I configure the Redshift security group in this case?

Thanks

1 Answer
-1

As described here - https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html - your publicly-accessible Redshift cluster can also be accessible via a private IP in your VPC. SageMaker connects with your VPC, so it should use that private IP, so you can just open your inbound Security Group permissions to your VPC's IP range.

EXPERT
answered a year ago
  • Please see the doc link I mentioned in the original post, for Studio notebooks: https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html "To prevent SageMaker from providing internet access to your Studio notebooks, you can disable internet access by specifying the VPC only network access type when you onboard to Studio"

    This will further cause S3 and other connections to go through the VPC, which we do not want. Is there a way to identify the source of Studio notebook public traffic that connects to a RS cluster via the Internet?

  • Yes, I'm familiar with that doc link. Possibly I didn't explain clearly enough - I wasn't suggesting you disable internet access. Both your Redshift cluster and SageMaker are connected to your VPC even though both are also connected to the internet, so they should be able to communicate via the VPC if configured correctly. In that case your Security Group just needs to be inbound from the VPC.
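The inbound rule the answer describes, scoped to the VPC CIDR instead of a public source, as an added example that is not part of the original thread. It builds the `IpPermissions` entry that `ec2.authorize_security_group_ingress` accepts and audits an existing security group's rules for anything that reaches the Redshift port from outside the VPC; the port 5439 (Redshift's default), the CIDR `10.0.0.0/16` and the sample rules are constructed assumptions.

```python
# Added example, not from the original post. Assumes the Redshift default port
# 5439; substitute your cluster's port and your VPC's CIDR.
import ipaddress

REDSHIFT_PORT = 5439  # assumed: Redshift default, check your cluster's setting


def vpc_ingress_rule(vpc_cidr: str, port: int = REDSHIFT_PORT) -> dict:
    """IpPermissions entry restricting TCP `port` to sources inside the VPC.
    Pass as ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[rule])."""
    ipaddress.ip_network(vpc_cidr)  # raises ValueError on a malformed CIDR
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": vpc_cidr,
                      "Description": "Redshift from VPC (Studio via private IP)"}],
    }


def overly_open_rules(ip_permissions: list, vpc_cidr: str,
                      port: int = REDSHIFT_PORT) -> list:
    """Return (cidr, from_port, to_port) for every rule that lets the Redshift
    port be reached from a source not contained in the VPC CIDR (e.g. 0.0.0.0/0).
    `ip_permissions` is the IpPermissions list from describe_security_groups."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        if not lo <= port <= hi:
            continue  # rule does not cover the Redshift port at all
        for ip_range in perm.get("IpRanges", []):
            src = ipaddress.ip_network(ip_range["CidrIp"])
            if src.version != vpc.version or not src.subnet_of(vpc):
                findings.append((ip_range["CidrIp"], lo, hi))
    return findings


# Constructed sample of what describe_security_groups might return for the
# Redshift SG: one world-open rule on 5439 and one VPC-scoped port range.
SAMPLE_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]
```

Running `overly_open_rules(SAMPLE_SG_PERMISSIONS, "10.0.0.0/16")` flags only the `0.0.0.0/0` rule; the VPC-scoped range passes, which is the state the answer recommends.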
