SageMaker components access from corporate network over a private connectivity and with no direct internet access

I'm hoping I can get some guidance/confirmation on this design.

I would like to enable access for all SageMaker components (notebooks, training and hosting instances) over a private network from the corporate network, i.e. no direct access over Internet connectivity should be possible. I understand that I can bring the components inside the VPC by "VPC only" deployment and need to leverage VPC interface endpoints, and as long as I have the private connectivity established (e.g. DX) and have a DNS architecture to support the DNS resolution, it will work. What I'm not able to fully understand, and need help with, is how to enforce or disable the access over the internet. The reading I have done so far suggests that I can make use of a VPC endpoint policy to do this and use the condition aws:SourceVpce in the IAM policy. Here is what I am reading.

https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html

Did I get it right? If yes, then is there any dependency on what authentication mode the SageMaker domain is set to, i.e. IAM vs SSO? For example, if the SageMaker domain authentication mode is set to AWS IAM Identity Center (AWS SSO), where I'll bring users/groups from Azure AD via the SCIM connector and enable access for them to the access portal, does this change anything when it comes to providing access only over the private connection and not enabling/allowing access through the public internet?

Appreciate any help that can be provided here... thanks.

asked 5 months ago, 64 views
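The aws:SourceVpce pattern the question refers to, written out as an added illustration (this is not from the question or from the linked AWS page): an identity-based IAM policy that denies every SageMaker API action unless the request arrived through one of the listed interface endpoints. The endpoint IDs are placeholders to be replaced with the real vpce- IDs of the SageMaker API and runtime endpoints in the VPC.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySageMakerApiUnlessViaVpcEndpoint",
      "Effect": "Deny",
      "Action": "sagemaker:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": [
            "vpce-PLACEHOLDER-SAGEMAKER-API",
            "vpce-PLACEHOLDER-SAGEMAKER-RUNTIME"
          ]
        }
      }
    },
    {
      "Sid": "AllowSageMakerApi",
      "Effect": "Allow",
      "Action": "sagemaker:*",
      "Resource": "*"
    }
  ]
}
```

Because StringNotEquals is a negated operator, it also matches when aws:SourceVpce is absent, so a call made over the public SageMaker API endpoint (including from the AWS console) is denied, not only a call from a different endpoint. The policy governs the control plane only; traffic from notebook, training and hosting instances themselves is controlled by their VPC configuration, not by this condition.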
No Answers
