How do I isolate inference endpoints within Amazon SageMaker?
In this guide, we will demonstrate how to isolate inference endpoints within Amazon SageMaker using Pulumi. This involves creating a SageMaker endpoint within a VPC to ensure that the inference endpoint is securely isolated and not accessible over the public internet. We will create the necessary VPC, subnets, security groups, and SageMaker endpoint configurations.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a VPC
const vpc = new aws.ec2.Vpc("sagemakerVpc", {
    cidrBlock: "10.0.0.0/16",
    enableDnsSupport: true,
    enableDnsHostnames: true,
    tags: {
        Name: "sagemaker-vpc",
    },
});

// Create subnets in two availability zones
const subnet1 = new aws.ec2.Subnet("subnet1", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
    tags: {
        Name: "sagemaker-subnet-1",
    },
});

const subnet2 = new aws.ec2.Subnet("subnet2", {
    vpcId: vpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2b",
    tags: {
        Name: "sagemaker-subnet-2",
    },
});

// Create a security group
const securityGroup = new aws.ec2.SecurityGroup("sagemakerSecurityGroup", {
    vpcId: vpc.id,
    // The ingress rule admits TCP only from the VPC CIDR, so the description says so.
    description: "Allow inbound TCP traffic from within the VPC",
    ingress: [
        { protocol: "tcp", fromPort: 0, toPort: 65535, cidrBlocks: ["10.0.0.0/16"] },
    ],
    // Egress permits TCP to any IPv4 destination; narrow it to what the model container needs.
    egress: [
        { protocol: "tcp", fromPort: 0, toPort: 65535, cidrBlocks: ["0.0.0.0/0"] },
    ],
    tags: {
        Name: "sagemaker-security-group",
    },
});

// Create a SageMaker model whose containers attach to the VPC subnets
const model = new aws.sagemaker.Model("sagemakerModel", {
    executionRoleArn: "arn:aws:iam::123456789012:role/SageMakerExecutionRole",
    primaryContainer: {
        image: "174872318107.dkr.ecr.us-west-2.amazonaws.com/kmeans:latest",
        modelDataUrl: "s3://my-bucket/model.tar.gz",
    },
    vpcConfig: {
        subnets: [subnet1.id, subnet2.id],
        securityGroupIds: [securityGroup.id],
    },
    tags: {
        Name: "sagemaker-model",
    },
});

// Create an endpoint configuration
const endpointConfig = new aws.sagemaker.EndpointConfiguration("sagemakerEndpointConfig", {
    productionVariants: [{
        modelName: model.name,
        variantName: "AllTraffic",
        initialInstanceCount: 1,
        instanceType: "ml.m4.xlarge",
    }],
    tags: {
        Name: "sagemaker-endpoint-config",
    },
});

// Create an endpoint
const endpoint = new aws.sagemaker.Endpoint("sagemakerEndpoint", {
    endpointConfigName: endpointConfig.name,
    tags: {
        Name: "sagemaker-endpoint",
    },
});

// Export the endpoint name
export const endpointName = endpoint.name;
```
Key Points
- VPC Creation: A Virtual Private Cloud (VPC) is created to isolate the SageMaker endpoint.
- Subnets and Security Group: Subnets and a security group are created within the VPC to manage network traffic.
- SageMaker Model: A SageMaker model is configured to run within the VPC.
- Endpoint Configuration and Endpoint: An endpoint configuration and the actual endpoint are created to serve the model within the VPC.
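A pre-deployment check of the network settings listed above, as an added example that is not part of the original guide or of Pulumi's code. The `SgRule`, `ModelNet` and `Finding` shapes, the finding IDs and the `auditIsolation` function are hypothetical; `enableNetworkIsolation` is the `aws.sagemaker.Model` property of that name, and the sample inputs are constructed.

```typescript
// Added example: hypothetical plain-object shapes, not Pulumi or AWS SDK types.
interface SgRule { protocol: string; fromPort: number; toPort: number; cidrBlocks: string[] }
interface ModelNet {
  subnets: string[];               // vpcConfig.subnets (empty means no vpcConfig)
  securityGroupIds: string[];      // vpcConfig.securityGroupIds
  enableNetworkIsolation?: boolean;
}
interface Finding { id: string; detail: string }

const ANY_IPV4 = "0.0.0.0/0";
const hasCidr = (r: SgRule, cidr: string): boolean => r.cidrBlocks.indexOf(cidr) !== -1;
const allPorts = (r: SgRule): boolean => r.fromPort === 0 && r.toPort === 65535;

function auditIsolation(model: ModelNet, ingress: SgRule[], egress: SgRule[], vpcCidr: string): Finding[] {
  const out: Finding[] = [];
  if (model.subnets.length === 0 || model.securityGroupIds.length === 0) {
    out.push({ id: "NO_VPC_CONFIG", detail: "model has no vpcConfig subnets/security groups" });
  }
  if (!model.enableNetworkIsolation) {
    out.push({ id: "NETWORK_ISOLATION_OFF", detail: "container may open outbound connections" });
  }
  for (const r of egress) {
    if (hasCidr(r, ANY_IPV4)) {
      out.push({ id: "EGRESS_ANY", detail: `${r.protocol} ${r.fromPort}-${r.toPort} to ${ANY_IPV4}` });
    }
  }
  for (const r of ingress) {
    if (hasCidr(r, ANY_IPV4)) {
      out.push({ id: "INGRESS_ANY", detail: `${r.protocol} ${r.fromPort}-${r.toPort} from ${ANY_IPV4}` });
    } else if (allPorts(r) && hasCidr(r, vpcCidr)) {
      out.push({ id: "INGRESS_ALL_PORTS", detail: `every ${r.protocol} port open to ${vpcCidr}` });
    }
  }
  return out;
}

// Constructed inputs: the first set mirrors the values in the guide's program.
const guideModel: ModelNet = { subnets: ["subnet-1", "subnet-2"], securityGroupIds: ["sg-1"] };
const guideIngress: SgRule[] = [{ protocol: "tcp", fromPort: 0, toPort: 65535, cidrBlocks: ["10.0.0.0/16"] }];
const guideEgress: SgRule[] = [{ protocol: "tcp", fromPort: 0, toPort: 65535, cidrBlocks: [ANY_IPV4] }];
const guideFindings = auditIsolation(guideModel, guideIngress, guideEgress, "10.0.0.0/16");

// Constructed tightened variant: isolation on, no ingress, HTTPS egress inside the VPC only.
const tightModel: ModelNet = { ...guideModel, enableNetworkIsolation: true };
const tightEgress: SgRule[] = [{ protocol: "tcp", fromPort: 443, toPort: 443, cidrBlocks: ["10.0.0.0/16"] }];
const tightFindings = auditIsolation(tightModel, [], tightEgress, "10.0.0.0/16");
```

The audit covers only the network settings shown in the guide; who may invoke the endpoint through the SageMaker Runtime API is governed separately by IAM.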
Summary
In this guide, we created a VPC, subnets, and security groups to isolate an Amazon SageMaker inference endpoint. We then configured a SageMaker model to run within this VPC and created an endpoint to securely serve the model. This setup ensures that the inference endpoint is not accessible over the public internet, enhancing the security of your machine learning infrastructure.