AWS customers in the advertising and marketing sectors are increasingly focused on safeguarding their customers’ data by minimizing the transfer and sharing of information beyond their control. For instance, businesses that handle first-party customer data typically prefer to keep this data within their own AWS accounts rather than sending copies to third parties.
This poses a significant challenge for clients who partner with Independent Software Vendors (ISVs) for services such as identity resolution, transcoding, data enrichment, contextual metadata extraction, fraud detection, and brand-safety analysis. Traditionally, these services required data to be transferred outside the client’s cloud infrastructure, accompanied by intricate contracts, security compliance reviews, and tailored integrations. Clients also face additional hurdles when moving large volumes of data while trying to control data transfer costs and keep latency low.
In response to these challenges, industry partners are increasingly deploying embedded services within trusted compute environments to enhance their offerings for AWS data. These compute environments utilize isolated containers to safeguard the ISV’s intellectual property, proprietary algorithms, and foundational data assets.
For example, in December 2021, a service was launched on AWS Marketplace that allows customers to run LiveRamp identity services directly inside their own Amazon Virtual Private Cloud (Amazon VPC), giving them full control over their virtual networking environment. Operating in network isolation mode, the service lets LiveRamp’s embedded transcoder translate customer identifiers inside the client’s Amazon VPC while neither party can view the other’s data. By building on Amazon SageMaker, the managed service for building, training, and deploying machine learning models, LiveRamp executes identity translation within the client’s Amazon VPC, enabling measurement use cases without additional data movement.
Likewise, there are numerous commercial applications for deploying such embedded services, including fraud detection and brand-safety analysis, where clients need to securely share information between themselves and their partners.
This post will guide you through the process of creating privacy-safe embedded services using Amazon SageMaker on AWS Marketplace. This architecture facilitates an environment where AWS customers can utilize an ISV partner’s application within their own Amazon VPC, protecting both customer data and the partner’s implementation assets through isolated network access controls and subscription authorization.
Amazon SageMaker on AWS Marketplace
Amazon SageMaker seamlessly integrates with AWS Marketplace, enabling ISV partners to easily market their applications and services using proprietary algorithms or models to Amazon SageMaker users. In AWS Marketplace terms, a “Partner” refers to a seller publishing their application, while a “customer” is a buyer purchasing or subscribing to the seller’s application. Through Amazon SageMaker’s curated digital catalog, AWS customers can swiftly locate, purchase, deploy, and integrate a partner’s application within their own Amazon VPC. The AWS Marketplace simplifies the licensing and procurement of a partner’s application, offering flexible pricing options and various deployment methods. To register as a seller, partners can follow the self-registration process as outlined in the Getting Started as a Seller documentation. Let’s explore the steps for packaging a partner’s application for use within customers’ Amazon VPCs.
Overview
As illustrated in the accompanying diagram, the registered AWS Marketplace partner packages its algorithm-based application into a Docker container image. The partner then uploads this container image to AWS Marketplace by pushing it into a repository in Amazon Elastic Container Registry (Amazon ECR), a fully managed container registry. The partner’s product container image and its artifacts are encrypted in transit and at rest, and the image is scanned for known vulnerabilities before it is published in the catalog; the scan reduces risk but does not guarantee the absence of security weaknesses, so partners should still patch base images and dependencies regularly. The partner selects a pricing model for its product, such as per-inference or per-batch-hour pricing, and can customize the number of inferences charged for a single invocation. For a comprehensive list of available options, refer to the Machine learning product pricing.
Once a partner’s product is deployed and listed on the AWS Marketplace, customers can view the product description, documentation, customer reviews, pricing, and support information through the Amazon SageMaker console or AWS Marketplace.
Upon subscribing to a partner’s product, it is added to the customer’s product list within the Amazon SageMaker console. Customers can access the partner’s product REST endpoint using AWS SDKs, the AWS Command Line Interface (AWS CLI), or the Amazon SageMaker console.
When the partner’s application is deployed to the customer’s Amazon SageMaker endpoint, the container runs in network isolation mode: it cannot make any outbound network calls at all, whether to the internet, to VPC endpoints, or to other AWS services. This safeguards customer data from leaving the customer’s Amazon VPC and, equally, prevents the partner’s container from exfiltrating the customer’s inputs. Customers can confirm the setting by inspecting the EnableNetworkIsolation field that DescribeModel returns for the deployed model.
Although the isolated container cannot reach the internet, the customer’s client application can call an external partner service before invoking the SageMaker endpoint. For instance, the partner might provide a custom activation service for use cases like subscription activation or fetching dynamic configuration. Anything the container needs at runtime (keys, configuration, reference data) must therefore be baked into the image, shipped as model artifacts, or passed in with each request.
In the subsequent Architecture section, we will demonstrate how the partner’s application is deployed within AWS customers’ Amazon VPC, and how a proxy based on AWS Lambda—a serverless, event-driven compute service—can authorize and validate a customer’s subscription before invoking the Amazon SageMaker endpoint.
Architecture
In the depicted architecture, the flow commences (Step 1) when an AWS customer (or buyer) subscribes to the listing on AWS Marketplace via the AWS Management Console. After subscribing, the customer creates an Amazon SageMaker model from the partner’s model package and deploys it to a SageMaker endpoint hosted in the customer’s own account and Amazon VPC, with the partner’s application image running on the endpoint instance. The customer’s client application then uses that endpoint to consume the service.
The partner can offer a stack in AWS CloudFormation, which allows customers to model, provision, and manage AWS and third-party resources, so they can deploy the authorizer AWS Lambda function and a proxy AWS Lambda function into their Amazon VPC with a single template. For any additional authentication needs, the authorizer Lambda function can call the partner’s authentication endpoint and validate the customer’s subscription before the service is used. Once authorized, the authorizer returns an AuthToken to the customer’s client application, which passes it along to Amazon SageMaker with each request. Because the container runs in network isolation and cannot call back to the partner, the AuthToken has to be verifiable offline, for example a signed token with an expiry that the container checks against key material shipped with the image.
Along with the AuthToken, the customer passes the data for processing to the Amazon SageMaker application running in network isolation mode. The container validates the token, processes the request, and the endpoint returns the response to the customer. The result is that sensitive data never leaves the customer’s VPC, while the partner’s implementation stays inside the container and its use remains tied to a valid subscription.