

# Connecting to an MLflow tracking server through an Interface VPC Endpoint
<a name="mlflow-interface-endpoint"></a>

The MLflow tracking server runs in an Amazon Virtual Private Cloud managed by Amazon SageMaker AI. You can connect to an MLflow tracking server from an endpoint in your own VPC. Your requests to the tracking server are not exposed to the public internet. For more information about connecting your VPC to SageMaker AI, see [Connect to SageMaker AI Within your VPC](interface-vpc-endpoint.md).

**Topics**
+ [Create a VPC Endpoint](mlflow-interface-endpoint-create.md)
+ [Create a VPC Endpoint Policy for SageMaker AI MLflow](mlflow-private-link-policy.md)
+ [Allow Access only from within your VPC](mlflow-private-link-restrict.md)

# Create a VPC Endpoint
<a name="mlflow-interface-endpoint-create"></a>

You can create an interface endpoint to connect to SageMaker AI MLflow. For instructions, see [Creating an interface endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint). Make sure that you create interface endpoints for all of the subnets in your VPC from which you want to connect to SageMaker AI MLflow. 

When you create an interface endpoint, ensure that the security groups on your endpoint allow inbound and outbound access for HTTPS traffic. For more information, see [Control access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html#vpc-endpoints-security-groups).

**Note**  
In addition to creating an interface endpoint to connect to SageMaker AI MLflow, create an interface endpoint to connect to the Amazon SageMaker API. When users call [https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreatePresignedMlflowTrackingServerUrl.html](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreatePresignedMlflowTrackingServerUrl.html) to get the URL to connect to SageMaker AI MLflow, that call goes through the interface endpoint used to connect to the SageMaker API.

When you create the interface endpoint, specify **aws.sagemaker.*AWS Region*.experiments** as the service name. After you create the interface endpoint, enable private DNS for your endpoint. When you connect to SageMaker AI MLflow from within the VPC using the SageMaker Python SDK, you connect through the interface endpoint instead of the public internet.

Within the AWS Management Console, you can use the following procedure to create an endpoint.

**To create an endpoint**

1. Navigate to the [Amazon Virtual Private Cloud console](https://console.aws.amazon.com/vpcconsole).

1. Navigate to **Endpoints**.

1. Choose **Create endpoint**.

1. (Optional) For **Name (tag)**, specify a name for the endpoint.

1. In the search bar under **Services**, specify **experiments**.

1. Select the **aws.sagemaker.*AWS Region*.experiments** service from the results.

1. For **VPC**, specify the name of the VPC.

1. Select the subnets and security groups described earlier in this section, and enable private DNS for the endpoint.

1. Choose **Create endpoint**.

# Create a VPC Endpoint Policy for SageMaker AI MLflow
<a name="mlflow-private-link-policy"></a>

You can attach an Amazon VPC endpoint policy to the interface VPC endpoints that you use to connect to SageMaker AI MLflow. The endpoint policy controls access to MLflow. You can specify the following:
+ The principal that can perform actions.
+ The actions that can be performed.
+ The resources on which actions can be performed. 

For more information, see [Controlling access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html).

The following example of a VPC endpoint policy allows every principal that uses the endpoint to call any `sagemaker-mlflow` action on the MLflow tracking servers in account 111122223333 in the specified Region. Requests through this endpoint to tracking servers in other accounts or Regions are denied. To limit the endpoint to a single tracking server, replace the trailing `*` in the `Resource` ARN with that server's name. An endpoint policy does not grant permissions by itself; the caller's IAM policy must still allow the action.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sagemaker-mlflow:*",
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "arn:aws:sagemaker:AWS Region:111122223333:mlflow-tracking-server/*"
        }
    ]
}
```
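The console procedure from the previous section and the endpoint policy above, carried through with boto3 as an added example (this is not code from the AWS page). It derives the `aws.sagemaker.<region>.experiments` service name, embeds the endpoint policy, and checks the endpoint's security groups for TCP/443 in both directions before anything is created. All Region, account, VPC, subnet and security group IDs are placeholders, the sample security group rules are constructed in the `describe_security_groups` shape, and nothing is sent to AWS unless the script is run with `--apply`.

```python
"""Pre-flight and create an interface endpoint for SageMaker AI MLflow with boto3.

Added example (not code from the AWS page). All IDs below are placeholders.
The security-group check uses the IpPermissions / IpPermissionsEgress shape
that ec2.describe_security_groups returns; the sample rules are constructed.
"""
import json
import sys


def mlflow_service_name(region: str) -> str:
    """Service name to pick when creating the endpoint (aws.sagemaker.<region>.experiments)."""
    return f"aws.sagemaker.{region}.experiments"


def endpoint_policy(region: str, account_id: str, tracking_server: str = "*") -> dict:
    """Endpoint policy from the page: every principal using this endpoint may call
    sagemaker-mlflow actions on tracking servers in this account and Region.
    Pass a tracking server name instead of "*" to restrict the endpoint to one server."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "sagemaker-mlflow:*",
                "Resource": f"arn:aws:sagemaker:{region}:{account_id}:mlflow-tracking-server/{tracking_server}",
            }
        ],
    }


def allows_https(permissions: list) -> bool:
    """True if any rule in an IpPermissions(-Egress) list covers TCP port 443."""
    for rule in permissions:
        proto = rule.get("IpProtocol")
        if proto == "-1":  # all traffic
            return True
        if proto == "tcp" and rule.get("FromPort", -1) <= 443 <= rule.get("ToPort", -1):
            return True
    return False


def build_create_endpoint_request(region, vpc_id, subnet_ids, security_group_ids, account_id, tracking_server="*"):
    """Keyword arguments for ec2.create_vpc_endpoint(**request)."""
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": mlflow_service_name(region),
        # one endpoint network interface in every subnet that needs to reach MLflow
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        # private DNS makes the tracking server hostname resolve to the endpoint
        "PrivateDnsEnabled": True,
        "PolicyDocument": json.dumps(endpoint_policy(region, account_id, tracking_server)),
    }


def preflight(request: dict, security_groups: dict) -> list:
    """Return the problems that would leave the endpoint unreachable over HTTPS.
    security_groups maps group id -> the group dict from describe_security_groups."""
    problems = []
    if not request["SubnetIds"]:
        problems.append("no subnets selected")
    for sg_id in request["SecurityGroupIds"]:
        sg = security_groups.get(sg_id)
        if sg is None:
            problems.append(f"{sg_id}: security group not found")
            continue
        if not allows_https(sg.get("IpPermissions", [])):
            problems.append(f"{sg_id}: no inbound TCP/443 rule")
        if not allows_https(sg.get("IpPermissionsEgress", [])):
            problems.append(f"{sg_id}: no outbound TCP/443 rule")
    return problems


if __name__ == "__main__":
    REGION, ACCOUNT = "us-east-1", "111122223333"  # placeholders
    # Constructed sample: inbound 443 from the VPC CIDR, all traffic outbound.
    SAMPLE_GROUPS = {
        "sg-111bbaaa": {
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                               "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
            "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        }
    }
    req = build_create_endpoint_request(REGION, "vpc-111bbaaa", ["subnet-111bbaaa", "subnet-111bbbbb"],
                                        ["sg-111bbaaa"], ACCOUNT)
    issues = preflight(req, SAMPLE_GROUPS)
    if issues:
        sys.exit("fix before creating the endpoint: " + "; ".join(issues))
    if "--apply" in sys.argv:  # only now talk to AWS
        import boto3
        ec2 = boto3.client("ec2", region_name=REGION)
        live = ec2.describe_security_groups(GroupIds=req["SecurityGroupIds"])["SecurityGroups"]
        if preflight(req, {g["GroupId"]: g for g in live}):
            sys.exit("live security groups do not allow HTTPS")
        print(ec2.create_vpc_endpoint(**req)["VpcEndpoint"]["VpcEndpointId"])
    else:
        print(json.dumps(req, indent=2))
```

Run without arguments to print the request that would be sent; with `--apply`, the same pre-flight is repeated against the live security groups before `create_vpc_endpoint` is called.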

# Allow Access only from within your VPC
<a name="mlflow-private-link-restrict"></a>

Users outside your VPC can still connect to SageMaker AI MLflow over the public internet even if you set up an interface endpoint in your VPC. The endpoint adds a private path; it does not remove the public one.

To allow access to only connections made from within your VPC, create an AWS Identity and Access Management (IAM) policy to that effect. Add that policy to every user, group, or role used to access SageMaker AI MLflow. This feature is only supported when using IAM mode for authentication, and is not supported in IAM Identity Center mode. The following examples demonstrate how to create such policies.

**Important**  
If you apply an IAM policy similar to one of the following examples, users cannot open SageMaker AI MLflow from the SageMaker AI console, because console requests do not arrive through your interface endpoint or from your allowed addresses. To access SageMaker AI MLflow, users must use a presigned URL or call the SageMaker APIs directly from a location the policy allows.

**Example 1: Allow connections only through a single interface endpoint**

The following policy allows `sagemaker-mlflow` actions only for requests that arrive through the interface endpoint whose ID matches the `aws:SourceVpce` condition key. Requests from the public internet carry no `aws:SourceVpce` value in their request context, so the condition does not match and they are denied.

------
#### [ JSON ]


```
{
    "Id": "mlflow-example-1",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MlflowAccess",
            "Effect": "Allow",
            "Action": [
                "sagemaker-mlflow:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-111bbaaa"
                }
            }
        }
    ]
}
```

------

**Example 2: Allow connections only through several interface endpoints using `aws:SourceVpce`**

The following policy allows connections only through the interface endpoints listed under the `aws:SourceVpce` condition key. Listing several values for one key ORs them, so a plain `StringEquals` is enough; `aws:SourceVpce` is a single-valued key, and set operators such as `ForAnyValue` are meant for multivalued keys. This is useful when you created one interface endpoint per subnet, as recommended earlier.

------
#### [ JSON ]


```
{
    "Id": "sagemaker-mlflow-example-2",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MlflowAccess",
            "Effect": "Allow",
            "Action": [
                "sagemaker-mlflow:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": [
                        "vpce-111bbccc",
                        "vpce-111bbddd"
                    ]
                }
            }
        }
    ]
}
```

------

**Example 3: Allow connections from IP addresses using `aws:SourceIp`**

The following policy allows connections only from the specified IP address ranges using the `aws:SourceIp` condition key. `aws:SourceIp` is the public source address of the request, so this example fits callers that reach SageMaker AI MLflow over the internet from a known egress range, such as a NAT gateway or corporate proxy. It is not populated for requests that come through a VPC endpoint; for those, use `aws:VpcSourceIp` as in Example 4.

------
#### [ JSON ]


```
{
    "Id": "sagemaker-mlflow-example-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MlflowAccess",
            "Effect": "Allow",
            "Action": [
                "sagemaker-mlflow:*"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "192.0.2.0/24",
                        "203.0.113.0/24"
                    ]
                }
            }
        }
    ]
}
```

------

**Example 4: Allow connections from IP addresses through an interface endpoint using `aws:VpcSourceIp`**

If you are accessing SageMaker AI MLflow through an interface endpoint, the `aws:VpcSourceIp` condition key carries the caller's private IP address inside your VPC and `aws:SourceVpc` carries the VPC ID. The following policy combines the two so that only callers in the specified private address ranges of the specified VPC are allowed. Both keys are present only for requests made through a VPC endpoint, so requests from the public internet are denied:

------
#### [ JSON ]


```
{
    "Id": "sagemaker-mlflow-example-4",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MlflowAccess",
            "Effect": "Allow",
            "Action": [
                "sagemaker-mlflow:*"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:VpcSourceIp": [
                        "192.0.2.0/24",
                        "203.0.113.0/24"
                    ]
                },
                "StringEquals": {
                    "aws:SourceVpc": "vpc-111bbaaa"
                }
            }
        }
    ]
}
```

------
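The four identity policies above, evaluated against sample request contexts as an added example (this is not AWS code and not an IAM simulator). It models only the condition semantics those policies rely on: `StringEquals` and `IpAddress`, keys in one `Condition` ANDed, several values for one key ORed, a set-operator prefix such as `ForAnyValue:` stripped, and a key that is absent from the request context never matching. The request contexts are constructed to mirror what IAM supplies: `aws:SourceVpce`, `aws:SourceVpc` and `aws:VpcSourceIp` only for requests through a VPC endpoint, `aws:SourceIp` only for requests that did not come through one. Endpoint, VPC and address values are placeholders, and the action name is just one `sagemaker-mlflow` action to match the wildcard.

```python
"""Evaluate the identity-policy examples against constructed request contexts.

Added example, not AWS code. Implements only the IAM condition semantics the
policies on this page use (StringEquals, IpAddress, missing key never matches).
"""
import ipaddress
from fnmatch import fnmatchcase


def _context_values(ctx: dict, key: str) -> list:
    """Condition key names are case-insensitive; return [] when the key is absent."""
    for k, v in ctx.items():
        if k.lower() == key.lower():
            return v if isinstance(v, list) else [v]
    return []


def _operator_matches(op: str, wanted: list, actual: str) -> bool:
    if op == "StringEquals":
        return actual in wanted
    if op == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in wanted)
    raise ValueError(f"operator not modelled: {op}")


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Every operator and key must match; any one of a key's listed values may."""
    for op, pairs in condition.items():
        base_op = op.split(":")[-1]  # "ForAnyValue:StringEquals" -> "StringEquals"
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = _context_values(ctx, key)
            if not actual:  # key absent: StringEquals/IpAddress are false (not ...IfExists)
                return False
            if not any(_operator_matches(base_op, wanted, a) for a in actual):
                return False
    return True


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Default deny; an explicit Deny whose condition matches wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def _policy(condition: dict) -> dict:
    """The shape shared by Examples 1-4: Allow sagemaker-mlflow:* on * under a condition."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "MlflowAccess", "Effect": "Allow", "Action": ["sagemaker-mlflow:*"],
         "Resource": "*", "Condition": condition}]}


POLICIES = {
    "example1_single_vpce": _policy({"StringEquals": {"aws:SourceVpce": "vpce-111bbaaa"}}),
    "example2_vpce_list": _policy({"StringEquals": {"aws:SourceVpce": ["vpce-111bbccc", "vpce-111bbddd"]}}),
    "example3_source_ip": _policy({"IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}),
    "example4_vpc_source_ip": _policy({
        "IpAddress": {"aws:VpcSourceIp": ["192.0.2.0/24", "203.0.113.0/24"]},
        "StringEquals": {"aws:SourceVpc": "vpc-111bbaaa"}}),
}

# Constructed request contexts (placeholder IDs and addresses).
CONTEXTS = {
    "via_vpce_111bbaaa": {"aws:SourceVpce": "vpce-111bbaaa", "aws:SourceVpc": "vpc-111bbaaa",
                          "aws:VpcSourceIp": "192.0.2.10"},
    "via_vpce_111bbccc": {"aws:SourceVpce": "vpce-111bbccc", "aws:SourceVpc": "vpc-111bbccc",
                          "aws:VpcSourceIp": "10.0.0.5"},
    "internet_203_0_113_7": {"aws:SourceIp": "203.0.113.7"},
    "internet_198_51_100_1": {"aws:SourceIp": "198.51.100.1"},
}


def evaluate_examples(action: str = "sagemaker-mlflow:SearchExperiments") -> dict:
    """policy name -> {context name -> allowed?}"""
    return {name: {cname: is_allowed(pol, action, ctx) for cname, ctx in CONTEXTS.items()}
            for name, pol in POLICIES.items()}


if __name__ == "__main__":
    for name, results in evaluate_examples().items():
        print(name, {c: "allow" if ok else "deny" for c, ok in results.items()})
```

Two results are worth noting: Example 3 denies both endpoint contexts even though their private addresses fall inside 192.0.2.0/24, because `aws:SourceIp` is simply absent for requests through an endpoint, and every example denies both internet contexts except Example 3, which is the only one that keeps the public path open.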