As organizations scale machine learning (ML) adoption, they are looking for efficient and reliable ways to deploy new infrastructure and onboard teams to ML environments. One of the challenges is setting up specific authentication and permissions for users based on their roles and activities. For example, MLOps engineers typically perform model deployment activities, while data scientists perform ML training and validation activities. Another challenge is the effort required to configure and manage network configurations. Typically, there is no easy mechanism for administrators to discover, implement, and manage the appropriate network and security configurations that their computers need.
That's why today we're excited to announce the new onboarding experience that makes it easier for you to set up Amazon SageMaker domains for your organization. As a platform administrator, you can use the updated user interface (UI) and APIs to onboard users faster, with the right infrastructure and security settings.
Let's see what's new and how to get started!
Introducing the SageMaker Domain Configuration UI for Organizations
The new UI for Organizations lets you set up a SageMaker domain through the AWS console and onboard users and organizations with just a few clicks. The redesigned user interface guides you through setup and provides step-by-step instructions so you can scale quickly. You can choose to use AWS Identity and Access Management (IAM) or AWS IAM Identity Center authentication and assign narrow-scope policies to your existing groups or users. You can assign existing roles or create new ones based on your typical ML activities. An ML activity represents a set of permissions for a specific task, such as running ML training jobs.
In addition to installing and configuring your SageMaker apps and runtime roles, the new experience offers an updated user interface for deploying complex network configurations, such as VPC endpoints, subnets and security groups, and encryption settings. You can also manage your subnets and connection modes later if changes need to be made.
Now let's review the new experience in more depth.
Prerequisites
Before using advanced settings for organizations, you must have the following:
- An AWS account
- An IAM role with permissions to create the resources required to configure a SageMaker domain
Set up a SageMaker domain for organizations
To experience the updated UI, the ML Administrator completes the following steps:
- In the SageMaker console, choose Configured for organizations.
This takes you to the SageMaker Configure Domain wizard, where the Configured for organizations option is already selected.
- Choose Set up.
- On the Domain details page, enter a domain name, then choose Next.
- On the ML users and activities page, select your preferred authentication method. For this post, we selected AWS Identity Center. Note that your AWS Identity Center configuration must be in the same Region where you are creating your SageMaker domain.
- In the Who will use Studio? section, you can optionally choose user groups to grant access to the SageMaker domain.
- Select Create a new role to create a new role to assign activities to, or use an existing role. For Machine learning activities, select from the list of predefined activities.
- In the S3 bucket access section, enter an Amazon Simple Storage Service (Amazon S3) bucket that all users in the domain will have access to, and then choose Next. You can specify more than one S3 bucket.
- On the Applications page, you can specify and configure the integrated development environments (IDEs) available in the SageMaker domain. For SageMaker Studio, select the updated or classic version. You can also configure Canvas, Code Editor and RStudio.
- Choose Next.
- On the Network page, select whether to use VPC only or public internet access. For this post, we selected Virtual private cloud (VPC) only. If you are using a VPC, specify your VPC, subnets, and security groups, then choose Next.
- On the Storage page, you can optionally configure an encryption key.
- Optionally, you can also configure the maximum and default space size for the Amazon Elastic Block Store (Amazon EBS) volume for the Amazon Elastic Compute Cloud (Amazon EC2) instance that hosts JupyterLab and Code Editor.
- Choose Next.
- On the Review and create page, review your settings, and then choose Deliver to create the domain.
- This starts the SageMaker domain setup process, which takes 2-4 minutes to complete.
- When the domain is ready, a success banner appears.
New: Update existing domains for organizations
Now that we've walked through the user journey of an administrator setting up a new SageMaker for Organizations domain, the domain is ready and ML users can join SageMaker. This process is not a one-time event; after domains are created, requirements may evolve and updates to the domain configuration are needed. Let's explore some newly released features as part of this setup that enable updates to existing domains.
Prerequisites for updating domains
To use these new features, ML administrators must have access to:
Update a subnet on an existing domain using the AWS CLI
As organizations scale ML adoption, their needs evolve, requiring changes to their infrastructure. As you add more users and resources to your projects and teams, you will need more resources (such as IP range and endpoints). You may also want to isolate some subnets and disassociate them from SageMaker Studio and therefore want to remove the subnets from their domains. One of the challenges administrators face when they want to add or remove subnets is that updating a domain's subnets requires experience and time. We are pleased to announce that we have simplified this process and that ML administrators can now update subnets for a domain through the AWS CLI.
Let's review this functionality.
In this example use case, you created a new SageMaker Studio domain with two subnets: subnet-1 and subnet-2. You have exhausted all subnet IPs for the domain and now want to add new subnets, subnet-3 and subnet-4, to the domain. See the following code:
If you realize that you don't actually need that many IPs, you can remove a subnet (for this example, subnet-4) from the existing list of subnets. See the following code:
Change your network connection mode on an existing domain via the AWS CLI
When you test or explore SageMaker to learn more about the service, you can create your domain with public Internet access. However, as you set up projects and scale your machine learning workloads, you may need to change your network connection mode to VPC only to meet your organization's existing network and security requirements. We are pleased to announce that ML administrators can now change their network connection mode from public Internet to VPC-only mode via the AWS CLI.
For example, in the following code, we update the domain AppNetworkAccessType to VpcOnly:
In the following code, we update the domain AppNetworkAccessType to PublicInternetOnly:
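The subnet and network-mode updates described in the two sections above, as an added example that is not code from the original post. It only prints the `aws sagemaker update-domain` commands so they can be reviewed before anyone runs them; the domain ID `d-EXAMPLE`, the `subnet-N` names and the helper function names are placeholders, and it assumes `--subnet-ids` takes the complete desired subnet list rather than a delta.

```bash
#!/usr/bin/env bash
# Added example: prints (never runs) aws sagemaker update-domain commands.
# DOMAIN_ID and the subnet-N names are placeholders, not real identifiers.
DOMAIN_ID="${DOMAIN_ID:-d-EXAMPLE}"

# merge_subnets "<current>" "<add>" "<remove>"
# Prints the full desired list: current plus additions, minus removals,
# de-duplicated, order preserved.
merge_subnets() {
  local out s r drop
  out=""
  for s in $1 $2; do
    drop=0
    for r in $3; do
      if [ "$s" = "$r" ]; then drop=1; fi
    done
    case " $out " in *" $s "*) drop=1 ;; esac
    if [ "$drop" -eq 0 ]; then out="${out:+$out }$s"; fi
  done
  printf '%s\n' "$out"
}

# subnet_update_cmd "<current>" "<add>" "<remove>"
# Refuses to emit a command that would leave the domain with no subnets.
subnet_update_cmd() {
  local ids
  ids=$(merge_subnets "$1" "$2" "$3")
  if [ -z "$ids" ]; then
    echo "refusing: resulting subnet list is empty" >&2
    return 1
  fi
  printf 'aws sagemaker update-domain --domain-id %s --subnet-ids %s\n' \
    "$DOMAIN_ID" "$ids"
}

# network_mode_cmd <VpcOnly|PublicInternetOnly>
# Accepts only the two AppNetworkAccessType values named in the post.
network_mode_cmd() {
  case "$1" in
    VpcOnly|PublicInternetOnly)
      printf 'aws sagemaker update-domain --domain-id %s --app-network-access-type %s\n' \
        "$DOMAIN_ID" "$1" ;;
    *) echo "unknown AppNetworkAccessType: $1" >&2; return 1 ;;
  esac
}

# The post's walk-through: add subnet-3/4, drop subnet-4, then switch modes.
subnet_update_cmd "subnet-1 subnet-2" "subnet-3 subnet-4" ""
subnet_update_cmd "subnet-1 subnet-2 subnet-3 subnet-4" "" "subnet-4"
network_mode_cmd VpcOnly
network_mode_cmd PublicInternetOnly
```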
Conclusion
The new user interface for organizations to configure domains and new features related to updating existing domains are available today at no additional cost in all AWS Regions where SageMaker is available, except the AWS GovCloud and AWS China Regions.
Try these new features and tell us what you think. We always look forward to your comments! You can submit them through your regular AWS Support contacts or post them to the AWS Forum for SageMaker.
For more information, visit New onboarding experience in SageMaker and see Onboarding to the Amazon SageMaker domain using IAM Identity Center.
About the authors
Ozan Eken is a senior product manager at Amazon Web Services. She is passionate about building onboarding products with the right infrastructure, guardrails, and governance for SageMaker. Outside of work, she enjoys exploring different outdoor activities and watching soccer.
Vikesh Pandey is a solutions architect specializing in machine learning at AWS, helping clients in financial industries design and build solutions in generative AI and machine learning. Outside of work, Vikesh enjoys trying different cuisines and playing outdoor sports.
Anastasia Tzeveleka is a solutions architect specializing in machine learning and artificial intelligence at AWS. He works with clients in EMEA and helps them build machine learning solutions at scale using AWS services. He has worked on projects in different domains including Natural Language Processing (NLP), MLOps, and Low Code No Code tools.