Enable a dual-stack workforce - Amazon SageMaker AI
Create a dual-stack workforceUpdate a dual-stack workforce
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable a dual-stack workforce

You can enable a dual-stack workforce by using the CreateWorkforce and UpdateWorkforce API operations. Creating a dual-stack workforce, updating an existing workforce to dual-stack, and changing a workforce from dual-stack back to IPv4 are not supported in Amazon Web Services Management Console.

Important

A workforce without a defined IpAddressType defaults to IPv4.

Create a dual-stack workforce

The process for creating a dual-stack workforce is similar to creating an IPv4-only workforce, with the exceptions noted below. For more information, see CreateWorkforce.

  • To attach a VPC to the private workforce, ensure the VPC is also dual-stack, with IPv6 CIDR blocks associated with the VPC's subnets.

  • To use the SourceIpConfig parameter to restrict traffic to a specific IP address range, ensure that IPv6 CIDR blocks are also included in the list.

  • To implement policies with SourceIp conditions on S3 buckets accessed by your tasks, ensure those policies are updated to be dual-stack compatible.

  • Your identity provider authentication endpoint supports dual-stack. For more information, see Authentication flow.

Example CreateWorkforce SDK call using boto3

For more information, see create_workforce.

import boto3

client = boto3.resource('sagemaker')

# IpAddressType = 'dualstack'|'ipv4'
client.create_workforce(
    WorkforceName='string',
    IpAddressType='dualstack',
    WorkforceConfig={
        'CognitoConfig': {
            'UserPool': 'string',
            'Client': 'string'
        }
    }
)

Update a dual-stack workforce

When updating an existing workforce to be dual-stack, note the following. For more information, see UpdateWorkforce and IPv6 support for your VPC.

  • If a VPC is attached to the workforce, you must update the VPC to be dual-stack. Also ensure that any security groups for the VPC allow IPv6 traffic.

  • If you're using the SourceIpConfig parameter, update it to include IPv6 CIDR blocks.

  • To implement policies with SourceIp conditions on S3 buckets accessed by your tasks, ensure those policies are updated to be dual-stack compatible.

  • Your identity provider authentication endpoint supports dual-stack. For more information, see Authentication flow.

Example UpdateWorkforce SDK call using boto3

For more information, see update_workforce.

import boto3

client = boto3.resource('sagemaker')

# IpAddressType = 'dualstack'|'ipv4'
client.update_workforce(
    WorkforceName='string',
    IpAddressType='dualstack'
)