Secure Jupyter Notebooks for ML on EC2 Instances

Question

Pulumi · Accepted Answer

When setting up a secure Jupyter Notebook environment for Machine Learning on EC2 instances, you will need to consider several aspects such as the instance type, security, accessibility, and how to configure Jupyter Notebook. Below, I will outline a Pulumi program that lets you set up such an environment on AWS.

This program will create:
1. An EC2 instance with sufficient resources to run Machine Learning workloads.
2. A security group with rules to allow only secure access to the Jupyter Notebook.
3. A script to install Jupyter Notebook on the EC2 instance upon initialization.

Here is the step-by-step Pulumi Python program:

```python
import pulumi
import pulumi_aws as aws

# Choose the right AMI for the AWS region you're working in. This will be an Amazon Linux 2 AMI.
ami = "ami-0c55b159cbfafe1f0"  # example AMI for Amazon Linux 2, this may differ by region

# Create a security group to securely access the Jupyter Notebook.
security_group = aws.ec2.SecurityGroup('notebook-secgrp',
    description='Allow SSH and TCP/8888 only',
    ingress=[
        {
            'protocol': 'tcp',
            'from_port': 22,
            'to_port': 22,
            'cidr_blocks': ['0.0.0.0/0']  # Be more restrictive with your IP address range for added security
        },
        {
            'protocol': 'tcp',
            'from_port': 8888,
            'to_port': 8888,
            'cidr_blocks': ['0.0.0.0/0']
        },
    ],
    egress=[{'protocol': '-1', 'from_port': 0, 'to_port': 0, 'cidr_blocks': ['0.0.0.0/0']}]
)

# Bootstrap commands to install Jupyter Notebook
user_data = """#!/bin/bash
sudo yum update -y
sudo amazon-linux-extras install -y python3.8
sudo pip3 install jupyter
# Generate config and set password
jupyter notebook --generate-config
echo "c.NotebookApp.ip = '0.0.0.0'" >> ~/.jupyter/jupyter_notebook_config.py
echo "c.NotebookApp.open_browser = False" >> ~/.jupyter/jupyter_notebook_config.py
echo "c.NotebookApp.port = 8888" >> ~/.jupyter/jupyter_notebook_config.py

# Start up Jupyter Notebook on startup
echo "@reboot sudo jupyter-notebook --config=~/.jupyter/jupyter_notebook_config.py" | crontab -
"""

# Set up the EC2 instance
instance = aws.ec2.Instance('ml-notebook-instance',
    instance_type='t2.medium',  # Choose instance type according to ML workload
    vpc_security_group_ids=[security_group.id],
    ami=ami,
    key_name="your-key",  # Replace with your SSH key name
    user_data=user_data,  # User data script to install Jupyter
    tags={'Name': 'jupyter-ml-notebook'}
)

# Export the EC2 instance's public IP to access it via SSH or Jupyter
pulumi.export('publicIp', instance.public_ip)
pulumi.export('publicDns', instance.public_dns)
```

### Explanation

1. We're using the `aws.ec2.SecurityGroup` resource to create a security group that allows secure access over SSH and the Jupyter Notebook default port (8888).
2. We're creating an EC2 instance of type `t2.medium`. Depending on your ML workload, select an instance type that offers a balance of compute, memory, and network resources.
3. For the machine image (AMI), ensure that you're using one compatible with Jupyter Notebook, typically an Ubuntu or Amazon Linux 2 AMI.
4. We're using `user_data` to run a script on the instance's first boot. This script updates the system, installs Python, Jupyter Notebook, and configures it to start automatically.
5. Replace `"your-key"` with your actual SSH key to access the EC2 instance securely.
6. Finally, we export the instance's public IP and DNS name, which you can use to access your Jupyter Notebook.

After you run this Pulumi program, you will have an EC2 instance with Jupyter Notebook installed and configured to run on boot. You can connect to the Notebook using the public IP and DNS name outputs at port 8888. Make sure to set up a secure password for your Jupyter Notebook to keep your ML environment secure.