Connect to RDS from basic SageMaker Studio domain?

0

If you have a default SageMaker Studio domain, which has public internet access, I'm guessing you can't connect to an RDS instance that's in a private subnet? You'd have to create a new domain with the "Standard setup" instead of the "Quick Setup", right?

Or can you actually connect from a SageMaker Studio notebook that doesn't have the "Standard Setup"? If so, how do you see its security group, so I can allowlist that security group in the RDS instance's inbound security group rules?


2 Answers
1
Accepted Answer

You are correct: as shown in the architecture diagrams in the blog post @jnavrro linked in his answer, the default (direct-to-Internet) Studio setup has notebooks accessing the Internet directly through SageMaker's own service accounts. This means your RDS instances would only be accessible from the notebook if they're accessible from the Internet.

(It's worth mentioning that even in this mode there is still some VPC involvement, because Studio uses Amazon EFS for user file storage and this must be provisioned inside a VPC in your account. However, this connection is used for the filesystem only: it doesn't give you a route for user code in the notebooks to access your VPC.)

So if you want to access private-subnet RDS databases (or EMR clusters, data warehouses, or other similar things!) from Studio, I'd suggest provisioning a VPC-based SageMaker Domain through the standard setup instead.

AWS
EXPERT
Alex_T
answered a year ago
0

Hi,

You can connect to an RDS instance in a private subnet from a SageMaker Studio Notebook, check this Document. There is also a blog. In both links, the SageMaker domain has an ENI inside the VPC, so it can communicate with other resources in the VPC. To configure the VPC and Networking settings, you have to follow the Standard Setup route.

Assuming your database is in a private subnet and your SageMaker Studio Domain is too, the things to check are the following:

  • Can your SageMaker Studio ENI reach your RDS Database endpoint? - If they are in the same VPC they will see each other; however, there is a possibility of them being in different VPCs. In this case, you will need to have both VPCs connected, via VPC Peering, AWS Transit Gateway or PrivateLink plus NLB as described in this blog. Another option worth looking at would be to use RDS Proxy for cross-account access as shown in this other blog.

  • Do your security groups allow the traffic? - The RDS instance must allow traffic from the Security Group of the SageMaker Studio ENI or its CIDR. In case you are peering VPCs, you can reference security groups of peered VPCs as explained in the AWS Documentation.

Hope this helps!

AWS
jnavrro
answered a year ago
  • It sounds like you're providing evidence to support the following answer to my question, "If you want to connect to an RDS instance located in a private subnet from a SageMaker Studio Notebook, the SageMaker Domain must be created with the Standard Setup. You cannot use the default domain, i.e., the Quick Setup." Is that correct?

  • That's correct. To have access to a private RDS instance, you need to have control over the VPC settings of the SageMaker Domain, and the only way is through the Standard Setup. Quick Setup does not allow you to control the VPC settings.
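The checklist in jnavrro's answer (domain is VpcOnly, same VPC or connected VPCs, RDS security group admits the Studio security group or its CIDR) as a script, added here as an example and not code from either answer. The dicts are constructed with placeholder ids in the shape boto3 returns for sagemaker.describe_domain, rds.describe_db_instances (one DBInstances entry) and ec2.describe_security_groups (keyed by GroupId), so the same function can be fed live responses.

```python
import ipaddress

# Constructed sample with placeholder ids (not a real account): a VpcOnly Studio
# domain and an RDS instance in the same VPC whose SG references the Studio SG.
STUDIO_DOMAIN = {"DomainId": "d-EXAMPLE", "AppNetworkAccessType": "VpcOnly", "VpcId": "vpc-0example",
                 "DefaultUserSettings": {"SecurityGroups": ["sg-studio"]}}
RDS_INSTANCE = {"DBInstanceIdentifier": "example-db", "Endpoint": {"Port": 5432},
                "DBSubnetGroup": {"VpcId": "vpc-0example"},
                "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-rds", "Status": "active"}]}
SECURITY_GROUPS = {"sg-rds": {"GroupId": "sg-rds", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-studio"}]},   # SG-to-SG reference, as the answer advises
]}}

def _rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    if rule["IpProtocol"] == "-1":            # "all traffic" rule has no port fields
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def check_reachability(domain, db, sgs, studio_subnet_cidrs=()):
    """Walk the checklist; return a list of findings (empty list = path looks open)."""
    findings = []
    if domain["AppNetworkAccessType"] != "VpcOnly":
        findings.append("domain is PublicInternetOnly: notebook traffic does not enter your VPC")
    if domain["VpcId"] != db["DBSubnetGroup"]["VpcId"]:
        findings.append("domain and RDS are in different VPCs: peering, TGW or PrivateLink needed")
    port = db["Endpoint"]["Port"]
    studio_sgs = set(domain["DefaultUserSettings"]["SecurityGroups"])
    admitted = False
    for ref in db["VpcSecurityGroups"]:
        for rule in sgs.get(ref["VpcSecurityGroupId"], {}).get("IpPermissions", []):
            if not _rule_covers_port(rule, port): continue
            if studio_sgs & {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}:
                admitted = True                # preferred: reference the Studio SG itself
            for r in rule.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"])
                if net.prefixlen == 0:         # 0.0.0.0/0 is far wider than the Studio ENI needs
                    findings.append(f"{ref['VpcSecurityGroupId']} admits {r['CidrIp']} on port {port}")
                if any(ipaddress.ip_network(c).subnet_of(net) for c in studio_subnet_cidrs):
                    admitted = True            # CIDR allow-list covers the Studio subnets
    if not admitted:
        findings.append(f"no inbound rule admits the Studio security group or subnet CIDR on port {port}")
    return findings
```

Pass the subnet CIDRs of the domain's SubnetIds (from ec2.describe_subnets) as studio_subnet_cidrs when the RDS group allow-lists by CIDR rather than by security-group reference.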
