How do I troubleshoot network connectivity from my Amazon SageMaker notebook instance that has direct internet access deactivated?

Resolution

SageMaker notebook instances can be configured to use the public internet, or an Amazon VPC. When using an Amazon VPC, the SageMaker notebook instance uses the VPC to train or deploy models instead of the public internet.

Note: After you create a SageMaker notebook instance, you can’t change the network configuration settings. This applies to both Public internet only and VPC SageMaker notebooks. If your SageMaker notebook requires changes to the network settings, you must Create a new notebook instance.

When a notebook instance with direct internet access deactivated is in VPC mode, you can’t train or deploy models from notebooks on this instance unless:

• Your VPC has a NAT Gateway.
• Your instance security group allows outbound connections.

If you don’t want traffic from the notebook to traverse the internet, use VPC endpoints to connect to services like SageMaker API and SageMaker Runtime. For more information, see Connect to SageMaker though a VPC interface endpoint.

Activate internet access from a notebook instance in an Amazon VPC with direct internet deactivated using a NAT Gateway

As a prerequisite, create a private and public subnet in the same Region as the VPC of the notebook instance:

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose NAT Gateways.

3.    Choose Create NAT Gateway and do the following:

• (Optional) Specify a name for the NAT gateway.
• Choose the public subnet.
• For Elastic IP allocation ID, associate an Elastic IP with the NAT gateway. You can allocate an Elastic IP address if you don’t have one.

4.    Choose Create a NAT Gateway.

5.    Add the NAT Gateway to the route table of the private subnet.

For more information about using SageMaker with your Amazon VPC, see Connect a notebook instance in a VPC to external resources.

Perform NAT gateway troubleshooting checks

• Verify whether your VPC has an existing NAT gateway associated with it.
• Verify whether your VPC and NAT gateway are in the same region.
• Verify that your NAT gateway is created within a public subnet.
• Verify whether the NAT gateway is associated as a target in the route table for a private subnet.
• Verify that your destination allows inbound and outbound traffic.
• Verify whether your Amazon VPC’s security group allows outbound connections.

For more information about NAT gateways, see NAT gateways.

Activate access to AWS services from a notebook instance with direct internet deactivated using a VPC endpoint

1. Open the Amazon VPC console.
2. In the navigation pane, choose Endpoints.
3. Choose Create endpoint.
4. For Service category, choose AWS services.
5. For Service name, select the service.
6. For VPC, select the VPC in the same region as your SageMaker notebook instance.
7. Select the route table associated with the private subnet.
8. Choose Create endpoint.

For more information about VPC endpoints, see Access an AWS service using an interface VPC endpoint.

Perform VPC endpoint troubleshooting checks

• Verify that your Amazon VPC has an existing VPC endpoint associated to the AWS service that you want to connect to.
• Verify that both your Amazon VPC and the AWS service you want to connect to are located in the same region.
• Verify that the VPC endpoint is associated with a private subnet route table.

---

Related information

Customize your SageMaker notebook instances with lifecycle configurations and the option to turn off internet access

How do I set up a NAT gateway for a private subnet in Amazon VPC?

Understanding SageMaker notebook instance networking configurations and advanced routing options