

# Connect your local Visual Studio Code to Amazon SageMaker Unified Studio spaces with remote access
<a name="local-ide-support"></a>

You can connect remotely from Visual Studio Code (VS Code) to Amazon SageMaker Unified Studio Spaces. You can use your customized local VS Code setup, including AI-assisted development tools and custom extensions, with the scalable compute resources in Amazon SageMaker Unified Studio.

## Key Concepts
<a name="local-ide-key-concepts"></a>

**VPC**  
Amazon Virtual Private Cloud (VPC) is a fundamental building block, allowing you to provision a logically isolated virtual network within the AWS Cloud.

**Amazon SageMaker Unified Studio Space**  
Amazon SageMaker Unified Studio provides compute Spaces for integrated development environments (IDEs) that you can use to author code. There are two IDE applications available in Amazon SageMaker Unified Studio: JupyterLab and Code Editor. A JupyterLab Space is created in your project by default, and you can create additional Spaces as desired.

**Remote Connection**  
A secure SSH-over-SSM tunnel between your local VS Code and a SageMaker Unified Studio Space. This connection enables interactive development and code execution in VS Code using Amazon SageMaker Unified Studio compute resources.

# Configuring Amazon SageMaker Unified Studio for Remote Access
<a name="configuring-sagemaker-unified-studio-remote-access"></a>

## Prerequisites
<a name="prerequisites"></a>

**Note**  
Certain features in Amazon SageMaker Unified Studio may maintain active sessions even after you log out of Amazon SageMaker Unified Studio or the associated IAM Identity Center/SSO session. Sometimes, these disconnected sessions can persist for up to 12 hours. Affected features include:
+ Spaces
+ Local IDE (Visual Studio Code) Support
+ Workflows
+ ML Experiments (MLFlow)
+ Connections
+ Hyperpod
+ Amazon SageMaker partner applications

To ensure the security of your environment, administrators must review and adjust session duration settings where possible and be cautious when using shared workstations or public networks.

To establish a remote connection from VS Code to an Amazon SageMaker Unified Studio Space, you must have the following prerequisites:
+ Access to an Amazon SageMaker Unified Studio Domain with proper network connectivity and AWS Identity Center setup. To create an Amazon SageMaker Unified Studio domain, see [Domains](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/working-with-domains.html).
  + By default, Amazon SageMaker Unified Studio Projects create Spaces in VpcOnly mode. To support remote connection, you have three network configuration options:
    + **Public Internet Access**: Configure your Amazon SageMaker Unified Studio Projects to allow public internet access by setting `sagemakerDomainNetworkType` to `PublicInternetOnly`. 
    + **VPC with NAT Gateway**: Keep Spaces in `VpcOnly` mode and attach a NAT gateway to your VPC to provide internet access. This is the default configuration with Unified Studio Quick Setup. For details on setting it up manually, see [Internet gateways](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html).
    + **Isolated VPC with VPC Endpoints**: Keep your domain completely isolated from the internet by configuring VPC endpoints. See [Configuring Isolated VPC for Remote Access](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/configuring-isolated-vpc-remote-access.html) for detailed setup instructions.
+ Project role permissions to call SageMaker `StartSession`. This is the API that enables remote connectivity to a Space. The Amazon SageMaker Unified Studio managed policy has already been updated to give users access to call this API for the Spaces they own. If you are managing your own roles, ensure the role has the following policy:

  ```
  {
      "Sid": "AllowStartSessionForSpaceRemoteConnection",
      "Effect": "Allow",
      "Action": [
          "sagemaker:StartSession"
      ],
      "Resource": "arn:aws:sagemaker:*:*:space/*",
      "Condition": {
          "StringEquals": {
              "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}",
              "aws:ResourceTag/AmazonDataZoneUser": "${aws:PrincipalTag/datazone:userId}"
          }
      }
  }
  ```
+ VS Code with the Microsoft Remote SSH (version 0.74.0 or higher) and AWS Toolkit (version 3.87.0 or higher) extensions installed on your local machine.
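
For self-managed roles, the following added example (not part of the AWS documentation or tooling) audits a policy document for `Allow` statements that grant `sagemaker:StartSession` without both tag conditions from the statement above. The function name, the sample policy and its `Sid` values are constructed for illustration, and statements that use `NotAction` are not evaluated.

```python
import fnmatch

# Tag conditions taken from the policy statement on this page.
REQUIRED_STRING_EQUALS = {
    "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}",
    "aws:ResourceTag/AmazonDataZoneUser": "${aws:PrincipalTag/datazone:userId}",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_start_session(action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return fnmatch.fnmatchcase("sagemaker:startsession", action.lower())

def audit_start_session(policy):
    """Return (statement id, missing condition keys) for every Allow statement
    that grants sagemaker:StartSession without both tag conditions."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: only "Action" is inspected; "NotAction" needs manual review.
        if not any(_grants_start_session(a) for a in _as_list(stmt.get("Action", []))):
            continue
        # Only a plain StringEquals counts; operators such as
        # StringEqualsIfExists also pass when the tag is absent.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        missing = [key for key, expected in REQUIRED_STRING_EQUALS.items()
                   if _as_list(equals.get(key)) != [expected]]
        if missing:
            findings.append((stmt.get("Sid", f"statement[{index}]"), missing))
    return findings

# Constructed sample policy: one scoped statement, two over-broad ones.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Scoped", "Effect": "Allow", "Action": ["sagemaker:StartSession"],
     "Resource": "arn:aws:sagemaker:*:*:space/*",
     "Condition": {"StringEquals": dict(REQUIRED_STRING_EQUALS)}},
    {"Sid": "ProjectOnly", "Effect": "Allow", "Action": "sagemaker:StartSession",
     "Resource": "arn:aws:sagemaker:*:*:space/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/AmazonDataZoneProject":
                                    "${aws:PrincipalTag/AmazonDataZoneProject}"}}},
    {"Sid": "Wildcard", "Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for sid, missing in audit_start_session(SAMPLE_POLICY):
        print(f"{sid}: StartSession allowed without {', '.join(missing)}")
```

A statement flagged here lets the role open sessions to Spaces outside the caller's own project or user scope, so it should be narrowed to the two conditions shown in the policy above.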

**Important**  
Remote Space connections are currently not supported for TIP (Trusted Identity Propagation) enabled project profiles. For instructions on how to set `enableTrustedIdentityPropagationPermissions` to `false` to use remote connection for Spaces, see [Trusted identity propagation](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/trusted-identity-propagation.html).

### VS Code specific network requirements
<a name="vs-code-network-requirements"></a>

Remote VS Code connection requires VS Code remote development, which needs specific network access to install the remote server and extensions. See the [remote development FAQ](https://code.visualstudio.com/docs/remote/faq) in the VS Code documentation for full network requirements. The following is a summary of the requirements:
+ Access to Microsoft's VS Code server endpoints is required to install and update the VS Code remote server.
+ Access to VS Marketplace and related CDN endpoints is required for installing VS Code extensions through the extension panel (alternatively, extensions can be installed manually using VSIX files without internet connection).
+ Some extensions may require access to additional endpoints for downloading their specific dependencies. See the extension's documentation for their specific connectivity requirements.

# Network Configuration for Remote Access
<a name="network-config-remote-access"></a>

## Configuring Amazon SageMaker Unified Studio Project Profiles to allow Internet Access
<a name="configuring-unified-studio-project-profiles-internet-access"></a>

To allow Spaces to be created with internet access, you can set the tooling blueprint parameter `sagemakerDomainNetworkType` to `PublicInternetOnly`. By default, it is set to `VpcOnly`. To create an Amazon SageMaker Unified Studio project profile, see [Project profiles](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/project-profiles.html). To update an existing project profile's `sagemakerDomainNetworkType`, you need to ensure there are no running Spaces in the project. For more details see [Update Project Profiles](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/update-project-profile.html).

**Note**  
This configuration is only applicable for enabling Local IDE support in Identity Center based domains, not in IAM-based domains. 

## Configuring Isolated VPC for Remote Access
<a name="configuring-isolated-vpc-remote-access"></a>

To configure a VPC isolated from the internet and also enable remote access from VS Code, you need to create VPC endpoints and attach them to the VPC along with security groups to allow traffic to flow through the SSH tunnel. The recommended network setup is:

### Use service created project security group
<a name="use-service-created-project-security-group"></a>
+ When you create a Project, the service always creates a security group on your behalf. You can identify the security group by:
  + Searching for the Unified Studio `projectId` in the AWS VPC console. The `projectId` can be found on the project overview page in the portal, in the URL, or by accessing the Project through the CLI/API.
  + Running the command `cat /opt/ml/metadata/resource-metadata.json | jq .` in the Space terminal to identify which service-created security group has been attached to the Space.
+ Attach the identified security group to the VPC endpoints. This setup is needed only once per project, not for every Space, because the security group is reused across the project.
+ Refer to the following table and create VPC endpoints that you require for your use cases and attach them to the Amazon SageMaker Unified Studio Domain VPC:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/network-config-remote-access.html)

To create your own security groups, ensure traffic is allowed to and from the service-created security group for the Project.