Give SageMaker Access to Resources in your Amazon VPC - Amazon SageMaker
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Give SageMaker Access to Resources in your Amazon VPC

SageMaker runs the following job types in an Amazon Virtual Private Cloud by default.

  • Processing

  • Training

  • Model hosting

  • Batch transform

  • Amazon SageMaker Clarify

  • SageMaker Compilation

However, containers for these jobs access Amazon resources—such as the Amazon Simple Storage Service (Amazon S3) buckets where you store training data and model artifacts—over the internet.

To control access to your data and job containers, we recommend that you create a private VPC and configure it so that they aren't accessible over the internet. For information about creating and configuring a VPC, see Getting Started With Amazon VPC in the Amazon VPC User Guide. Using a VPC helps to protect your job containers and data because you can configure your VPC so that it is not connected to the internet. Using a VPC also allows you to monitor all network traffic in and out of your job containers by using VPC flow logs. For more information, see VPC Flow Logs in the Amazon VPC User Guide.

You specify your private VPC configuration when you create jobs by specifying subnets and security groups. When you specify the subnets and security groups, SageMaker creates elastic network interfaces that are associated with your security groups in one of the subnets. Network interfaces allow your job containers to connect to resources in your VPC. For information about network interfaces, see Elastic Network Interfaces in the Amazon VPC User Guide.

You specify a VPC configuration within the VpcConfig object of the CreateProcessingJob operation or CreateTrainingJob operation. Specifying a VPC configuration when you create a training job gives your model access to resources within your VPC.

Specifying a VPC configuration alone doesn't change the invocation path. To connect to Amazon SageMaker within a VPC, create a VPC endpoint and invoke it. For more information, see Connect to SageMaker Within your VPC.