This Guidance helps you to create an environment where AWS customers can consume an Independent Software Vendor (ISV) Partner’s application within their own Amazon VPC, protecting the customer’s data while also protecting the Partner application’s implementation assets through isolated network access controls and subscription authorization.
ISV Partner write and package their model code as a Docker image and push the image into Amazon Elastic Container Registry (Amazon ECR).
Partner packages/pushes the image as a machine learning (ML) model for listing on AWS Marketplace.
Customer subscribes to the listing on AWS Marketplace.
Upon subscription, an Amazon SageMaker instance is provisioned in the customer’s VPC in network isolation mode - along with the model container image and the invocation endpoint.
Customer application invokes an Lambda Init endpoint to validate the subscription from the seller.
Lambda Authorizer then invokes the Lambda function running in partner’s VPC to return an authorization token that is valid for certain duration.
Customer application invokes Lambda request endpoint along with authorization token and the data to be processed.
Lambda Authorizer validates the authorization token and forwards the call to the Lambda proxy.
The Lambda proxy calls the SageMaker endpoint running in network isolation mode, along with the data to be processed.
The SageMaker endpoint returns the response back to the Lambda function along with the processed data.
Lambda stores the response in the Amazon S3 bucket for the buyer application to use.
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
You can make frequent, small, reversible changes by using the version published in the AWS Marketplace listing along with running the AWS CloudFormation script. Billing and logging details are also captured, making it easier to do any ‘post-mortem’ exercises.
The seller’s code is running in network isolation mode, with proper separation of duties between buyer and seller applications. The seller data and the model are protected. The buyer does not have any permissions to access the Amazon SageMaker instance deployed using AWS Marketplace.
Amazon SageMaker instances can be scaled horizontally, depending on the transaction capacity required by the seller workload.
Resource provisioning and management is automated through serverless architecture (AWS Lambda) and provisioning the seller Docker image through AWS Marketplace.
Expenditure and usage awareness is monitored via AWS Marketplace. The size of the AWS SageMaker instance is based on the capacity needed by the buyer. On demand AWS Lambda cost is based on number of transactions completed by the buyer application, whose usage can be governed in the AWS Cost Explorer by the buyer.
Workload is right-sized and implemented with an efficient design to ensure high utilization and to maximize the energy efficiency of the underlying Amazon SageMaker instance and its hardware.
Deploy embedded services with privacy-safe controls on AWS
Amazon Web Services (AWS) customers across the advertising and marketing industry are seeking to further protect their customers’ information by limiting the movement and sharing of data outside of their control.
This post demonstrates how industry Partners are increasingly seeking to deploy embedded services within trusted compute environments to offer more capabilities for their customers’ AWS data.
Power Identity Translation with LiveRamp in Your VPC
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.