{"id":444,"date":"2020-10-24T01:02:57","date_gmt":"2020-10-24T01:02:57","guid":{"rendered":"https:\/\/machine-learning.webcloning.com\/2020\/10\/24\/securing-amazon-sagemaker-studio-connectivity-using-a-private-vpc\/"},"modified":"2020-10-24T01:02:57","modified_gmt":"2020-10-24T01:02:57","slug":"securing-amazon-sagemaker-studio-connectivity-using-a-private-vpc","status":"publish","type":"post","link":"https:\/\/salarydistribution.com\/machine-learning\/2020\/10\/24\/securing-amazon-sagemaker-studio-connectivity-using-a-private-vpc\/","title":{"rendered":"Securing Amazon SageMaker Studio connectivity using a private VPC"},"content":{"rendered":"<div id=\"\">\n<p><a href=\"https:\/\/aws.amazon.com\/sagemaker\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon SageMaker Studio<\/a> is the first fully integrated development environment (IDE) for machine learning (ML). With a single click, data scientists and developers can quickly spin up <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/notebooks.html\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon SageMaker Studio Notebooks<\/a> for exploring datasets and building models. With the new ability to launch Amazon SageMaker Studio in your <a href=\"https:\/\/aws.amazon.com\/vpc\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Virtual Private Cloud<\/a> (Amazon VPC), you can control the data flow from your Amazon SageMaker Studio notebooks. 
This allows you to restrict internet access, monitor and inspect traffic using standard AWS networking and security capabilities, and connect to other AWS resources through <a href=\"https:\/\/aws.amazon.com\/privatelink\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS PrivateLink<\/a> or VPC endpoints.<\/p>\n<p>In this post, we explore how the Amazon SageMaker Studio VPC connectivity works, implement a sample architecture, and demonstrate some security controls in action.<\/p>\n<h2>Solution overview<\/h2>\n<p>When experimenting with and deploying ML workflows, you need access to multiple resources, such as libraries, packages, and datasets. If you\u2019re in a highly regulated industry, controlling access to these resources is a paramount requirement. Amazon SageMaker Studio allows you to implement security in depth, with features such as data encryption, <a href=\"https:\/\/aws.amazon.com\/iam\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Identity and Access Management<\/a> (IAM), and <a href=\"https:\/\/aws.amazon.com\/single-sign-on\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Single Sign-On<\/a> (AWS SSO) integration. The ability to launch Amazon SageMaker Studio in your own private VPC adds another layer of security.<\/p>\n<p>Amazon SageMaker Studio runs in an environment managed by AWS. When launching a new Studio domain, the parameter <code>AppNetworkAccessType<\/code> defines the external connectivity for that domain. 
Previously, the only option available for this parameter was <code>DirectInternetOnly<\/code>, meaning the traffic from the notebook flowed through an AWS managed internet gateway, as described in the following diagram.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17363 size-full\" title=\"DirectInternetOnly\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/1-studio-architecture.jpg\" alt=\"\" width=\"900\" height=\"467\"><\/p>\n<p>The <a href=\"http:\/\/aws.amazon.com\/efs\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Elastic File System<\/a> (Amazon EFS) volumes that store the <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/notebooks-comparison.html\" target=\"_blank\" rel=\"noopener noreferrer\">Studio users\u2019 home directories<\/a> reside in the customer VPC, even when <code>AppNetworkAccessType=DirectInternetOnly<\/code>. You can optionally specify which VPC and subnet to use.<\/p>\n<p>With the newly introduced feature to launch Studio in your VPC, you can set the <code>AppNetworkAccessType<\/code> parameter to <code>VpcOnly<\/code>. This launches Studio inside the specified VPC, communicating with the domain through an elastic network interface (ENI). You can apply security groups to that ENI to enforce a first layer of security control.<\/p>\n<p>You can also use VPC endpoints to establish a private connection between the Studio domain and other AWS services, such as <a href=\"https:\/\/aws.amazon.com\/s3\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon Simple Storage Service<\/a> (Amazon S3) for data storage and <a href=\"https:\/\/aws.amazon.com\/cloudwatch\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon CloudWatch<\/a> for logging and monitoring, without requiring internet connectivity. 
VPC endpoints can impose additional networking controls such as VPC endpoint IAM policies that may, for example, only allow traffic to certain S3 buckets. The following diagram illustrates this architecture.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17364 size-full\" title=\"VPC endpoints\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/2-studio-architecture-vpc.jpg\" alt=\"\" width=\"900\" height=\"467\"><\/p>\n<h2>Prerequisites<\/h2>\n<p>Before getting started, make sure you have the following prerequisites:<\/p>\n<ul>\n<li>An AWS account<\/li>\n<li>An IAM user or role with administrative access<\/li>\n<li>Curiosity<\/li>\n<\/ul>\n<h2>Setting up your environment<\/h2>\n<p>To better understand how the feature works, we provide an <a href=\"http:\/\/aws.amazon.com\/cloudformation\" target=\"_blank\" rel=\"noopener noreferrer\">AWS CloudFormation<\/a> template to set up a basic environment where you can experiment with Amazon SageMaker Studio running inside a VPC. After deployment, the environment looks like the following diagram.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17365 size-full\" title=\"Architecture deployed by CloudFormation template\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/3-studio-cloudformation-deployed.jpg\" alt=\"\" width=\"900\" height=\"467\"><\/p>\n<p>This template deploys the following resources in your account:<\/p>\n<ul>\n<li>A new VPC, with a private subnet and security group. 
Because communication occurs across multiple Studio resources, this security group applied to the Studio ENI should allow inbound traffic to itself.<\/li>\n<li>An encrypted S3 bucket, with bucket policies restricting access to our S3 endpoint.<\/li>\n<li>VPC endpoints with policies for access control:\n<ul>\n<li>We use an Amazon S3 endpoint to demonstrate the ability to limit traffic to specific S3 buckets.<\/li>\n<li>Because Studio has its traffic routed through the VPC, access to supporting services needs to be provisioned through VPC endpoints. <a href=\"http:\/\/aws.amazon.com\/cloudwatch\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon CloudWatch Logs<\/a> allows Studio to push logs generated by the service. We need an <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/APIReference\/API_Operations_Amazon_SageMaker_Service.html\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon SageMaker API<\/a> endpoint to launch Studio notebooks, training jobs, processing jobs, and deploy endpoints, and an <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/APIReference\/API_Operations_Amazon_SageMaker_Runtime.html\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon SageMaker RunTime<\/a> endpoint for services to call the Amazon SageMaker inference endpoint.<\/li>\n<\/ul>\n<\/li>\n<li>An IAM execution role. This role is assigned to Amazon SageMaker and defines which access permissions Studio has.<\/li>\n<\/ul>\n<p>To set up your environment, click on the link below. 
The template is also available at this <a href=\"https:\/\/github.com\/aws-samples\/amazon-sagemaker-studio-vpc-blog\" target=\"_blank\" rel=\"noopener noreferrer\">GitHub repo<\/a>.<\/p>\n<p><a href=\"https:\/\/console.aws.amazon.com\/cloudformation\/home?region=us-east-2#\/stacks\/create\/review?stackName=studio-vpc-infra&amp;templateURL=https:\/\/aws-ml-blog.s3.amazonaws.com\/artifacts\/Securing-Amazon-SageMaker-Studio-connectivity-using-private-vpc\/sm-studio-vpc-infra.template.yaml\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-15520\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/09\/01\/4-Launch-Stack.jpg\" alt=\"\" width=\"107\" height=\"20\"><\/a><\/p>\n<h2>Creating an Amazon SageMaker Studio domain inside a VPC<\/h2>\n<p>With the infrastructure in place, you\u2019re ready to create an Amazon SageMaker Studio domain and assign it to a VPC.<\/p>\n<p>For more information about the options available to set up Studio, see <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/gs-studio-onboard.html\" target=\"_blank\" rel=\"noopener noreferrer\">Onboard to Amazon SageMaker Studio.<\/a> If you have an existing domain, you might want to <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/gs-studio-delete-domain.html\" target=\"_blank\" rel=\"noopener noreferrer\">delete it<\/a> and recreate it, or create a separate one.<\/p>\n<p>To create the domain, you can use the following:<\/p>\n<p>To use the console to create a Studio domain and tie it to the VPC infrastructure deployed by the template, complete the following steps:<\/p>\n<ol>\n<li>On the Amazon SageMaker console, choose <strong>SageMaker Studio<\/strong>.<\/li>\n<\/ol>\n<p>If you don\u2019t have a domain created, a screen appears.<\/p>\n<ol start=\"2\">\n<li>For <strong>Get Started<\/strong>, select <strong>Standard setup<\/strong>.<\/li>\n<li>For 
<strong>Authentication method<\/strong>, select <strong>AWS Identity and Access Management (IAM)<\/strong>.<\/li>\n<li>For <strong>Execution role for all users<\/strong>, choose your notebook IAM role (the default is <code>studiovpc-notebook-role<\/code>).<\/li>\n<li>In the <strong>Network <\/strong>section, for <strong>VPC<\/strong>, choose your VPC (the default is <code>studiovpc-vpc<\/code>).<\/li>\n<li>For <strong>Subnet<\/strong>, choose your subnet (the default is <code>studiovpc-private-subnet<\/code>).<\/li>\n<\/ol>\n<p>Make sure to not choose studiovpc-endpoint-private-subnet.<\/p>\n<ol start=\"7\">\n<li>For <strong>Network Access for Studio<\/strong>, select <strong>VPC Only<\/strong>.<\/li>\n<\/ol>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17366 size-full\" title=\"For Network Access for Studio, select VPC Only\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/4-SageMakerStudio_Screenshot.jpg\" alt=\"\" width=\"900\" height=\"610\"><\/p>\n<ol start=\"8\">\n<li>Choose <strong>Submit<\/strong>.<\/li>\n<\/ol>\n<p>To create and link the domain with the AWS CLI, enter the following code. The option <code>--app-network-access-type VpcOnly<\/code> links the domain to our VPC. 
The VPC and subnet parameters are set by the <code>--default-user-settings<\/code> option.<\/p>\n<div class=\"hide-language\">\n<pre class=\"unlimited-height-code\"><code class=\"lang-python\">#Please replace the variables below according to your environment\r\nREGION= #AWS Region where the Domain will be created\r\nAWS_ACCOUNT_ID= #AWS Account ID \r\nVPC_DOMAIN_NAME= #Select a name for your Domain\r\n\r\n#The values below can be obtained on the \"Output\" section of the CloudFormation used on the previous step\r\nVPC_ID=\r\nPRIVATE_SUBNET_IDS=\r\nSECURITY_GROUP=\r\nEXECUTION_ROLE_ARN=\r\n\r\n#Now let's create the domain\r\naws sagemaker create-domain \\\r\n    --region $REGION \\\r\n    --domain-name $VPC_DOMAIN_NAME \\\r\n    --vpc-id $VPC_ID \\\r\n    --subnet-ids $PRIVATE_SUBNET_IDS \\\r\n    --app-network-access-type VpcOnly \\\r\n    --auth-mode IAM \\\r\n    --default-user-settings \"ExecutionRole=${EXECUTION_ROLE_ARN},SecurityGroups=${SECURITY_GROUP}\"\r\n\r\n#Please note the DomainArn output - we will use it on the next step\r\n<\/code><\/pre>\n<\/div>\n<h2>Creating a user profile<\/h2>\n<p>Now that the domain is created, we need to create a user profile. 
You can create multiple user profiles associated with a single domain.<\/p>\n<p>To create your user profile on the console, complete the following steps:<\/p>\n<ol>\n<li>On the Amazon SageMaker Studio console, choose <strong>Control Panel<\/strong>.<\/li>\n<li>Choose <strong>Add user profile<\/strong>.<\/li>\n<li>For <strong>User name<\/strong>, enter a name (for example, <code>demo-user<\/code>).<\/li>\n<li>For <strong>Execution role<\/strong>, choose your IAM role (the default is <code>studiovpc-notebook-role<\/code>).<\/li>\n<\/ol>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17378 size-full\" title=\"Choose your IAM role\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/22\/5-SageMakerStudio_CP.jpg\" alt=\"\" width=\"451\" height=\"276\"><\/p>\n<p>To create your user profile with the AWS CLI, enter the following code:<\/p>\n<div class=\"hide-language\">\n<pre class=\"unlimited-height-code\"><code class=\"lang-python\">#Please replace the variables below according to your environment\r\nDOMAIN_ID= #From previous step\r\nUSER_PROFILE_NAME= #Select a name for your user profile\r\n\r\n#Now let's create the profile\r\naws sagemaker create-user-profile \\\r\n    --region $REGION \\\r\n    --domain-id $DOMAIN_ID \\\r\n    --user-profile-name $USER_PROFILE_NAME\r\n<\/code><\/pre>\n<\/div>\n<h2>Accessing Amazon SageMaker Studio<\/h2>\n<p>We now have a Studio domain associated with our VPC and a user profile in this domain. Now we need to give access to the user. 
To do so, we create a pre-signed URL.<\/p>\n<p>To use the console, on the Studio Control Panel, locate your user name and choose <strong>Open Studio<\/strong>.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17367 size-full\" title=\"Choose Open Studio\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/6-SageStudio_CP_Screenshot.jpg\" alt=\"\" width=\"900\" height=\"143\"><\/p>\n<p>To use the AWS CLI, enter the following code:<\/p>\n<div class=\"hide-language\">\n<pre class=\"unlimited-height-code\"><code class=\"lang-python\">#Now let's create the pre-signed URL\r\naws sagemaker create-presigned-domain-url \\\r\n    --region $REGION \\\r\n    --domain-id $DOMAIN_ID \\\r\n    --user-profile-name $USER_PROFILE_NAME\r\n\r\n#Please take note of the Domain URL, and paste it into a browser that has VPC connectivity\r\n<\/code><\/pre>\n<\/div>\n<p>At this point, our deployment looks like the following diagram.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17368 size-full\" title=\"Final deployment architecture\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/7-Final_Deployment.jpg\" alt=\"\" width=\"900\" height=\"467\"><\/p>\n<p>We made it! Now you can use your browser to connect to the Amazon SageMaker Studio domain. After a few minutes, Studio finishes creating your environment and you\u2019re greeted with the launcher screen (see the following screenshot).<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17369 size-full\" title=\"Launcher screen\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/8-Domain.jpg\" alt=\"\" width=\"900\" height=\"359\"><\/p>\n<h2>Security controls<\/h2>\n<p>Some examples of security best practices are Amazon S3 access control and limiting internet ingress and egress. 
In this section, we see how to implement them in combination with running Amazon SageMaker Studio in a private VPC.<\/p>\n<h3>Amazon S3 access control<\/h3>\n<p>Developing ML models requires access to sensitive data stored on specific S3 buckets. You might want to implement controls to guarantee that:<\/p>\n<ul>\n<li>Only specific Studio domains can access these buckets<\/li>\n<li>Each Studio domain only has access to the defined S3 buckets<\/li>\n<\/ul>\n<p>We can achieve this using the sample architecture provided in the CloudFormation template.<\/p>\n<p>Our CloudFormation template created an S3 bucket with the following S3 bucket policy attached to it. The condition <code>StringNotEquals<\/code> evaluates the VPC endpoint ID with the effect set to deny, meaning that access to the S3 bucket is denied if the access doesn\u2019t come from the designated VPC endpoint. You can find your specific bucket name on the AWS CloudFormation console, on the <strong>Outputs <\/strong>tab for the stack.<\/p>\n<div class=\"hide-language\">\n<pre class=\"unlimited-height-code\"><code class=\"lang-json\">{\r\n    \"Version\": \"2008-10-17\",\r\n    \"Statement\": [\r\n        {\r\n            \"Effect\": \"Deny\",\r\n            \"Principal\": \"*\",\r\n            \"Action\": [\r\n                \"s3:GetObject\",\r\n                \"s3:PutObject\",\r\n                \"s3:ListBucket\"\r\n            ],\r\n            \"Resource\": [\r\n                \"arn:aws:s3:::<em><span>&lt;s3-bucket-name&gt;<\/span><\/em>\/*\",\r\n                \"arn:aws:s3:::<em><span>&lt;s3-bucket-name&gt;<\/span><\/em>\"\r\n            ],\r\n            \"Condition\": {\r\n                \"StringNotEquals\": {\r\n                    \"aws:sourceVpce\": \"&lt;s3-vpc-endpoint-id&gt;\"\r\n                }\r\n            }\r\n        }\r\n    ]\r\n}\r\n<\/code><\/pre>\n<\/div>\n<p>The Amazon S3 VPC endpoint also has a policy attached to it. 
This policy only allows access to the S3 bucket created by AWS CloudFormation:<\/p>\n<div class=\"hide-language\">\n<pre class=\"unlimited-height-code\"><code class=\"lang-json\">{\r\n    \"Version\": \"2012-10-17\",\r\n    \"Statement\": [\r\n        {\r\n            \"Effect\": \"Allow\",\r\n            \"Principal\": \"*\",\r\n            \"Action\": [\r\n                \"s3:GetObject\",\r\n                \"s3:PutObject\",\r\n                \"s3:ListBucket\"\r\n            ],\r\n            \"Resource\": [\r\n                \"arn:aws:s3:::<em><span>&lt;s3-bucket-name&gt;<\/span><\/em>\",\r\n                \"arn:aws:s3:::<em><span>&lt;s3-bucket-name&gt;<\/span><\/em>\/*\"\r\n            ]\r\n        }\r\n    ]\r\n}\r\n<\/code><\/pre>\n<\/div>\n<p>This combination of S3 bucket policy and VPC endpoint policy, together with Studio VPC connectivity, establishes that Studio can only access the referenced S3 bucket, and this S3 bucket can only be accessed from the VPC endpoint.<\/p>\n<p>To test it, open a notebook in Studio and try to copy a file into your S3 bucket. 
The following screenshot shows that it works as expected.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17370 size-full\" title=\"Studio can only access the referenced S3 bucket\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/9-touch_dummy_file.jpg\" alt=\"\" width=\"900\" height=\"128\"><\/p>\n<p>If you try the same with a different S3 bucket, you should get a permission denied error.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17371 size-full\" title=\"Permission denied error\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/10-Redlines.jpg\" alt=\"\" width=\"900\" height=\"52\"><\/p>\n<p>If you try to access the bucket from outside Studio, you should also get a permission error.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17372 size-full\" title=\"Access the bucket from outside Studio permission error\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/11-Permission_error.jpg\" alt=\"\" width=\"900\" height=\"66\"><\/p>\n<h3>Limiting internet ingress and egress<\/h3>\n<p>To develop ML models, data scientists often need access to public code repos or Python packages (for example, from PyPI) to explore data and train models. If you need to restrict access to only approved datasets and libraries, you need to restrict internet access. In our sample architecture, we achieve this by using a private subnet on our VPC, without an internet gateway or NAT gateway deployed.<\/p>\n<p>We can test this by trying to clone a public repository containing Amazon SageMaker example notebooks.<\/p>\n<p>In your Studio environment, open a notebook and enter the following code:<\/p>\n<div class=\"hide-language\">\n<pre class=\"unlimited-height-code\"><code class=\"lang-python\">! 
git clone https:\/\/github.com\/awslabs\/amazon-sagemaker-examples.git<\/code><\/pre>\n<\/div>\n<p>You can also run it in your notebook directly.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-17373 size-full\" title=\"Running directly from the notebook\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/21\/12-GIT-clone.jpg\" alt=\"\" width=\"900\" height=\"98\"><\/p>\n<p>As expected, the connection times out.<\/p>\n<p>If you want to provide internet access through your VPC, just add an internet gateway and the proper routing entries. The internet traffic flows through your VPC, and you can implement other security controls such as inline inspections with a firewall or internet proxy. For more information, see <a href=\"https:\/\/aws.amazon.com\/blogs\/machine-learning\/understanding-amazon-sagemaker-notebook-instance-networking-configurations-and-advanced-routing-options\/\" target=\"_blank\" rel=\"noopener noreferrer\">Understanding Amazon SageMaker notebook instance networking configurations and advanced routing options<\/a>.<\/p>\n<h2>Cleaning up<\/h2>\n<p>To avoid incurring future charges, delete the resources you created:<\/p>\n<h2>Conclusion<\/h2>\n<p>You can use Amazon SageMaker Studio to streamline developing, experimenting with, training, and deploying ML models. With the new ability to launch Studio inside a VPC, regulated industries such as financial services, healthcare, and others with strict security requirements can use Studio while meeting their enterprise security needs.<\/p>\n<p>Go test this new feature and let us know what you think. 
For more information about Amazon SageMaker security, see the following:<\/p>\n<hr>\n<h3>About the Authors<\/h3>\n<p><strong><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-17377 alignleft\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/22\/Suguiura.jpg\" alt=\"\" width=\"98\" height=\"133\"><\/strong><\/p>\n<p><strong>Rafael Suguiura<\/strong> is a Principal Solutions Architect at Amazon Web Services. He guides some of the world\u2019s largest financial services companies in their cloud journey. When the weather is nice, he enjoys cycling and finding new hiking trails\u2014and when it\u2019s not, he catches up with sci-fi books, TV series, and video games.<\/p>\n<p><strong><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-15884 alignleft\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/09\/12\/stefan-natu.jpg\" alt=\"\" width=\"100\" height=\"113\">Stefan Natu<\/strong> is a Sr. Machine Learning Specialist at Amazon Web Services. He is focused on helping financial services customers build end-to-end machine learning solutions on AWS. In his spare time, he enjoys reading machine learning blogs, playing the guitar, and exploring the food scene in New York City.<\/p>\n<p><strong><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-17375 alignleft\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2020\/10\/22\/HanZhang.jpg\" alt=\"\" width=\"102\" height=\"115\">Han Zhang<\/strong> is a Software Development Engineer at Amazon Web Services. She is part of the launch team for Amazon SageMaker Notebooks and Amazon SageMaker Studio, and has been focusing on building secure machine learning environments for customers. 
In her spare time, she enjoys hiking and skiing in the Pacific Northwest.<\/p>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>https:\/\/aws.amazon.com\/blogs\/machine-learning\/securing-amazon-sagemaker-studio-connectivity-using-a-private-vpc\/<\/p>\n","protected":false},"author":0,"featured_media":445,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts\/444"}],"collection":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/comments?post=444"}],"version-history":[{"count":0,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts\/444\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/media\/445"}],"wp:attachment":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/media?parent=444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/categories?post=444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/tags?post=444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}