OCI Data Science: Private Endpoint for Data Science Notebooks

Santhosh Kumar BVSRK
Oct 14, 2023

Problem Statement

Most customers do not want their Data Science Notebooks to be publicly accessible; they want them reachable only from a particular network, VPN, or CIDR range.

Architecture

Solution

OCI has recently announced Private Endpoints for OCI Data Science Notebook sessions.

A Private Endpoint lets you access the resource only via a specific network path.

From the above architecture:

  1. This is the earlier architecture, where OCI Data Science Notebooks are accessible over the public internet.
  2. This is the current architecture, which can be implemented to restrict access to an OCI Data Science Notebook to a specific network range.

Now, let us see how to achieve this.

Implementation

While creating an OCI Data Science Notebook, there are two network options, as shown below:

  1. Public endpoint: A notebook session created with the endpoint type Public can also be accessed from outside the VCN.
  2. Private endpoint: A notebook session created with the endpoint type Private can be accessed only via resources created in the VCN.

Before creating the notebook session, we first need to create a Private Endpoint, as shown below.

Creating Private Endpoint

Now, let us create an OCI Data Science Notebook using this Private Endpoint.

Creating OCI Data Science Notebook with Private Endpoint

Now, when you try to access the Notebook directly, it is not publicly accessible. This addresses the problem of the OCI Data Science Notebook being reachable publicly.

This notebook can only be accessed via the VCN. So we will create a Jump Server (VM) in the same VCN, restrict access to it to my local IP, and access the OCI Data Science Notebook through that Jump Server.

Jump Server created in the same VCN as Private Endpoint

Allowing ingress traffic to the Jump Server only from my local IP on port TCP/3389. Here you can give your own network/CIDR range.

Allowing ingress to the Private Endpoint subnet only from the public subnet.

Accessing the OCI Data Science Notebook from the Jump Server, which is in the same VCN as the Private Endpoint.
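To confirm that the two ingress rules described here stay as tight as intended, the check below flags any rule that opens TCP/3389 on the Jump Server beyond the approved CIDRs, or that lets anything other than the public subnet into the Private Endpoint subnet. It is an added example, not part of the original article; it assumes rules in the kebab-case JSON shape the OCI CLI prints for security lists, and all function names, addresses and sample rules are constructed for illustration.

```python
import ipaddress

def covers_tcp_port(rule, port):
    """True if an ingress rule admits TCP traffic to `port`."""
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != "6":  # "6" is the IANA protocol number for TCP
        return False
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    return rng is None or rng["min"] <= port <= rng["max"]  # no range = all ports

def outside(rule, allowed_cidrs):
    """True if the rule's source is not fully inside one of the allowed CIDRs."""
    if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return True  # a service-label source is not an address range we approved
    src = ipaddress.ip_network(rule["source"], strict=False)
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return not any(src.version == a.version and src.subnet_of(a) for a in allowed)

def audit(jump_rules, pe_rules, admin_cidrs, public_subnet_cidr, rdp_port=3389):
    """Return findings for rules wider than the setup described in the article."""
    findings = []
    for r in jump_rules:
        if covers_tcp_port(r, rdp_port) and outside(r, admin_cidrs):
            findings.append(f"jump server: TCP/{rdp_port} open to {r['source']}")
    for r in pe_rules:
        if outside(r, [public_subnet_cidr]):
            findings.append(f"private endpoint subnet: ingress from {r['source']}")
    return findings

def tcp(source, lo, hi):
    """Build a constructed TCP ingress rule in the assumed JSON shape."""
    return {"protocol": "6", "source": source, "source-type": "CIDR_BLOCK",
            "tcp-options": {"destination-port-range": {"min": lo, "max": hi}}}

# Constructed sample rules and addresses (not taken from the article).
ADMIN_CIDRS = ["203.0.113.10/32"]
PUBLIC_SUBNET = "10.0.0.0/24"
JUMP_RULES = [tcp("203.0.113.10/32", 3389, 3389),
              tcp("0.0.0.0/0", 3000, 4000)]  # port range silently includes 3389
PE_RULES = [tcp("10.0.0.0/24", 443, 443),
            {"protocol": "all", "source": "10.0.0.0/16", "source-type": "CIDR_BLOCK"}]

if __name__ == "__main__":
    for finding in audit(JUMP_RULES, PE_RULES, ADMIN_CIDRS, PUBLIC_SUBNET):
        print("FINDING:", finding)
```
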

!!!Happy Reading!!!
