{"id":750,"date":"2021-01-12T04:08:34","date_gmt":"2021-01-12T04:08:34","guid":{"rendered":"https:\/\/machine-learning.webcloning.com\/2021\/01\/12\/hosting-a-private-pypi-server-for-amazon-sagemaker-studio-notebooks-in-a-vpc\/"},"modified":"2021-01-12T04:08:34","modified_gmt":"2021-01-12T04:08:34","slug":"hosting-a-private-pypi-server-for-amazon-sagemaker-studio-notebooks-in-a-vpc","status":"publish","type":"post","link":"https:\/\/salarydistribution.com\/machine-learning\/2021\/01\/12\/hosting-a-private-pypi-server-for-amazon-sagemaker-studio-notebooks-in-a-vpc\/","title":{"rendered":"Hosting a private PyPI server for Amazon SageMaker Studio notebooks in a VPC"},"content":{"rendered":"
\n

Amazon SageMaker Studio notebooks provide a full-featured integrated development environment<\/a> (IDE) for flexible machine learning (ML) experimentation and development. Security measures secure and support a versatile and collaborative environment. In some cases, such as to protect sensitive data or meet regulatory requirements, security protocols require that public internet access be disabled in the development environment.<\/p>\n

Typically, developers have access to the public internet and can install any new libraries you want to import. You can install Python packages from the public Python Package Index (PyPI), a Python software repository, using standard tools such as pip. You can find hundreds of thousands of packages, including common packages such as NumPy, Pandas, Matplotlib, Pytest, Requests, Django, and BeautifulSoup.<\/p>\n

In a development environment with internet access disabled, you can instead mirror packages and host your own PyPI server hosted in your own Amazon Virtual Private Cloud (Amazon VPC)<\/a>. A VPC is a logically isolated virtual network into which you can launch resources, such as Amazon Elastic Compute Cloud (Amazon EC2)<\/a> instances and SageMaker Studio domains. You have fine-grained access control over its network connectivity. You can specify an IP address range for the VPC and associate security groups to control its inbound and outbound traffic. You can also add subnets that use a subset of IP addresses within the VPC, and choose whether each subnet is open to the public internet or is private.<\/p>\n

When you use a local PyPI server with this architecture and install Python libraries from your SageMaker Studio notebook, you connect to your private server instead of a public package index, and all traffic remains within a single secured VPC and private subnet.<\/p>\n

SageMaker Studio recently launched VPC integration<\/a> to meet these security needs. You can now launch Studio notebooks within a private VPC, disabling internet access. To install Python packages within this secure environment, you can configure an EC2 instance in your VPC that acts as a PyPI server for your notebooks. This enables you to maintain productivity and ease of package installation while working within a private environment that isn\u2019t accessible from the public internet.<\/p>\n

Solution overview<\/h2>\n

This solution creates a private PyPI server on an EC2 instance, and connects it to a SageMaker Studio notebook through network configuration including a VPC, private subnet, security group, and elastic network interface. The following diagram illustrates this architecture.<\/p>\n

\"The<\/h2>\n

You complete the following steps to implement this solution:<\/p>\n

    \n
  1. Launch an EC2 instance within a VPC, subnet, and security group.<\/li>\n
  2. Configure the instance to function as a private PyPI server.<\/li>\n
  3. Create a VPC endpoint and add security group rules.<\/li>\n
  4. Create a VPC-only SageMaker Studio domain, user, and notebook with the necessary permissions and networking.<\/li>\n
  5. Install a Python package from the PyPI server onto the SageMaker Studio notebook.<\/li>\n<\/ol>\n

    Prerequisites<\/h2>\n

    This is an intermediate-level solution with the following prerequisites:<\/p>\n

    Launching an EC2 instance<\/h2>\n

    For this post, we launch a new EC2 instance in the us-east-2<\/code> Region. For the full list of available Regions supporting SageMaker Studio, see Supported Regions and Quotas<\/a>.<\/p>\n

      \n
    1. On the Amazon EC2 console, launch a new instance in a Region supporting SageMaker Studio.<\/li>\n
    2. Choose an Amazon Linux 2 AMI.<\/li>\n
    3. Choose a t2.medium instance (or larger t2, if preferred).<\/li>\n
    4. On the Step 3: Configure Instance Details<\/strong> page, for Network, choose your VPC.<\/li>\n
    5. For Subnet, choose your subnet.<\/li>\n<\/ol>\n

      You can use the default VPC and subnet, use other existing resources, or create new ones. Make sure to note the VPC and subnet you select for later reference.<\/p>\n

        \n
      1. Leave all other settings as-is.\"\"\n<\/li>\n
      2. Use default storage and tag settings.<\/li>\n
      3. On the Step 6: Configure Security Group<\/strong> page, for Assign a security group<\/strong>, select Create a new security group.<\/strong>\n<\/li>\n
      4. For Security group name<\/strong>, enter studio-SG<\/code>.<\/li>\n
      5. For Type<\/strong>, choose SSH<\/strong> on port range 22.<\/li>\n
      6. For Source<\/strong>, choose My IP<\/strong>.<\/li>\n<\/ol>\n

        This allows you to SSH onto the instance from your current internet network.<\/p>\n

        \"\"<\/p>\n

          \n
        1. Create a new key pair, studio-host<\/code>.<\/li>\n
        2. Launch the instance.<\/li>\n<\/ol>\n

          For more information about launching an instance, see Tutorial: Getting started with Amazon EC2 Linux instances<\/a>.<\/p>\n

          Configuring the instance as a PyPI server<\/h2>\n

          To configure your instance, complete the following steps:<\/p>\n

            \n
          1. Open a terminal window and navigate to the directory containing your .pem file.<\/li>\n
          2. Change the key permissions and SSH onto your instance, substituting in the public IP address and Region:\n
            \n
            chmod 400 studio-host.pem\r\nssh -i \"studio-host.pem\" ec2-user@ec2-x-x-x-x.{region}.compute.amazonaws.com<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
            If needed, you can find the SSH command by selecting your instance on the console, choosing Connect<\/strong>, and navigating to the SSH Client<\/strong> tab.<\/p>\n
              \n
            1. Install pip<\/a>, which you use to install Python packages, and bandersnatch<\/a>, which you use to mirror packages from the public PyPI server onto your instance. For this post, we use the package AWS Data Wrangler<\/a>, an AWS Professional Services open-source library that integrates Pandas DataFrames with AWS services:\n
              \n
              sudo yum install python3-pip\r\nsudo pip3 install multidict==4.7.6\r\nsudo pip3 install yarl==1.6.0\r\nsudo pip3 install bandersnatch<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
              You now configure bandersnatch to specify packages and their versions to mirror.<\/p>\n
                \n
              1. Open a config file:\n
                \n
                sudo vim \/etc\/bandersnatch.conf<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
                  \n
                1. Enter the following file contents:\n
                  \n
                  [mirror]\r\ndirectory = \/pypi\r\nmaster = https:\/\/pypi.org\r\ntimeout = 10\r\nworkers = 3\r\nhash-index = false\r\nstop-on-error = false\r\njson = false\r\n\r\n[plugins]\r\nenabled =\r\n    whitelist_project\r\n    allowlist_release\r\n\r\n[whitelist]\r\npackages =\r\n    awswrangler==1.10.0\r\n    pyarrow==2.0.0\r\n    SQLAlchemy==1.3.10\r\n    s3fs==0.4.2\r\n    numpy==1.18.4\r\n    sqlalchemy-redshift==0.7.9\r\n    boto3==1.15.10\r\n    pandas==1.1.0\r\n    psycopg2-binary==2.8.0\r\n    pymysql==0.9.3\r\n    botocore==1.18.10\r\n    fsspec==0.7.4\r\n    s3transfer==0.3.2\r\n    jmespath==0.9.4\r\n    pytz==2019.3\r\n    python-dateutil==2.8.1\r\n    urllib3==1.25.8\r\n    six==1.14.0\r\n<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
                    \n
                  1. Mirror the libraries and list the directory contents to view that the libraries have been copied onto the instance:\n
                    \n
                    sudo \/usr\/local\/bin\/bandersnatch mirror\r\nls \/pypi\/web\/simple\/<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
                    You must configure pip so that when pip is run to install packages, they are searched for within your private PyPI server instead of on the public server. The file already exists, and you add two more lines to the existing file.<\/p>\n
                      \n
                    1. Open the file:\n          <\/li>\n<\/ol>\n
                        \n
                      1. Ensure your pip config file reads as follows, adding the last two lines:\n
                        \n
                        \n
                        [global] \r\ndisable_pip_version_check = 1 \r\nformat = columns \r\nindex-url = http:\/\/localhost\/simple \r\ntrusted-host = localhost<\/code><\/pre>\n<\/div>\n<\/div>\n<\/li>\n<\/ol>\n
                          \n
                        1. Install and configure nginx so that the instance can function as a private web server:\n
                          \n
                          sudo amazon-linux-extras install nginx1\r\nsudo vim \/etc\/nginx\/nginx.conf<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
                            \n
                          1. Update the server section of the nginx config file to change the server_name<\/code> to localhost<\/code>, listen on the private IP address, and add the root and index locations. The server section of the nginx config file should be as follows:\n
                            \n
                            server {\r\n        listen x.x.x.x:80;<\/strong>\r\n        listen       80;\r\n        listen       [::]:80;\r\n        server_name localhost;<\/strong>\r\n        root         \/usr\/share\/nginx\/html;\r\n\r\n        # Load configuration files for the default server block.\r\n        include \/etc\/nginx\/default.d\/*.conf;\r\n\r\n        location \/ { root \/pypi\/web\/; index index.html index.htm index.php; }<\/strong>\r\n\r\n        error_page 404 \/404.html;\r\n            location = \/40x.html {\r\n        }\r\n\r\n        error_page 500 502 503 504 \/50x.html;\r\n            location = \/50x.html {\r\n        }\r\n    }\r\n<\/code><\/pre>\n<\/div>\n<\/li>\n
                          2. Start the server and install the package locally to test it out:\n
                            \n
                            sudo service nginx start\r\npip3 install --user awswrangler<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n
                            Note that the packages are collected from the localhost, not the public package index.<\/p>\n
                            You now have a private PyPI server ready for use.<\/p>\n
                            Creating a VPC endpoint<\/h2>\n
                            VPC endpoints allow resources within a VPC to access AWS services. For this solution, you will create an endpoint for the SageMaker API. You can extend this solution by adding more endpoints for other services you need to access from your notebook.<\/p>\n
                            There are two types of VPC endpoints:<\/p>\n