SageMaker Studio Notebook private access via vpc endpoint

0

Hi all,

We are building a Data Lake architecture. We are planning to use SageMaker Studio Notebook and access it via a private endpoint instead of giving it public network access. How can I do it?

Asked 1 month ago · Viewed 310 times
2 Answers
0

SageMaker PrivateLink endpoints are available, see this link:

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

AWS
Expert
Answered 1 month ago
0

Follow these steps and links:

https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html

https://aws.amazon.com/blogs/machine-learning/securing-amazon-sagemaker-studio-connectivity-using-a-private-vpc/

  1. To switch to a VPC-only mode, where internet access is disabled, specify the VPC only network access type when you onboard to Studio or through the CreateDomain API.
  2. Only private subnets can be used in VPC only mode.
  3. Configure security groups with specific inbound and outbound rules that allow NFS traffic over TCP.
  4. If internet access is required, use a NAT gateway.
  5. For corporate network integration, you can set up a CloudFormation stack for accessing Studio over a corporate network, configure a Route 53 inbound resolver, and establish a private hosted zone for the Studio domain.
  6. Utilize an AWS CloudFormation template to deploy resources such as a new VPC with a private subnet and security group, an encrypted S3 bucket, and VPC endpoints with access control policies.
  7. After setting up your environment, create a SageMaker Studio domain and assign it to a VPC.
Expert
Answered 1 month ago
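
One way to check steps 1 to 3 of the answer above once a domain exists, as an added example that is not part of either answer or of AWS's own code. It audits dictionaries shaped like the output of SageMaker `describe_domain` and EC2 `describe_route_tables` / `describe_security_groups`; the function names, finding strings and sample IDs are assumptions, and 2049 is the standard NFS port used by the Studio EFS volume.

```python
# Added example: offline audit of a Studio domain against steps 1-3 above.
# Limitation: subnets that rely on the VPC main route table are not resolved.
NFS_PORT = 2049  # NFS over TCP

def allows_tcp(perms, port):
    """True if any rule in an IpPermissions list covers TCP `port`."""
    for p in perms:
        if p.get("IpProtocol") == "-1":  # all protocols, all ports
            return True
        if p.get("IpProtocol") == "tcp" and p.get("FromPort", 0) <= port <= p.get("ToPort", 65535):
            return True
    return False

def audit_domain(domain, route_tables, security_groups):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if domain.get("AppNetworkAccessType") != "VpcOnly":
        findings.append("domain is not in VpcOnly mode")
    # A subnet whose route table points at an internet gateway is public.
    for rt in route_tables:
        has_igw = any(r.get("GatewayId", "").startswith("igw-") for r in rt.get("Routes", []))
        subnets = {a.get("SubnetId") for a in rt.get("Associations", [])}
        for s in sorted(subnets & set(domain.get("SubnetIds", []))):
            if has_igw:
                findings.append(f"{s} routes to an internet gateway")
    wanted = set(domain.get("DefaultUserSettings", {}).get("SecurityGroups", []))
    for sg in security_groups:
        if sg["GroupId"] not in wanted:
            continue
        if not allows_tcp(sg.get("IpPermissions", []), NFS_PORT):
            findings.append(f"{sg['GroupId']} has no inbound TCP {NFS_PORT} rule")
        if not allows_tcp(sg.get("IpPermissionsEgress", []), NFS_PORT):
            findings.append(f"{sg['GroupId']} has no outbound TCP {NFS_PORT} rule")
    return findings

# Constructed sample data (all IDs are placeholders).
DOMAIN = {"AppNetworkAccessType": "PublicInternetOnly", "SubnetIds": ["subnet-aaa", "subnet-bbb"],
          "DefaultUserSettings": {"SecurityGroups": ["sg-111"]}}
ROUTES = [{"Associations": [{"SubnetId": "subnet-aaa"}], "Routes": [{"GatewayId": "local"}, {"GatewayId": "igw-123"}]},
          {"Associations": [{"SubnetId": "subnet-bbb"}], "Routes": [{"GatewayId": "local"}, {"NatGatewayId": "nat-456"}]}]
GROUPS = [{"GroupId": "sg-111",
           "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}],
           "IpPermissionsEgress": [{"IpProtocol": "-1"}]}]

if __name__ == "__main__":
    for f in audit_domain(DOMAIN, ROUTES, GROUPS):
        print("FINDING:", f)
```

For a live account, the three inputs can be taken from the corresponding describe calls and passed in unchanged.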
