

# Use Amazon VPC Mode from a Private Worker Portal
<a name="samurai-vpc-worker-portal"></a>

To restrict worker portal access to labelers working inside your Amazon VPC, add a VPC configuration when you create a Ground Truth private workforce, or add one to an existing private workforce. Ground Truth automatically creates VPC interface endpoints in your VPC and sets up AWS PrivateLink between those endpoints and the Ground Truth services. The worker portal URL associated with the workforce can then be accessed from your VPC. The worker portal URL also remains reachable from the public internet until you restrict public access on the workforce (see the last section of this page). When you delete the workforce or remove the VPC configuration from it, Ground Truth automatically deletes the VPC endpoints associated with the workforce.

**Note**  
A workforce supports only one VPC.

[Point Cloud](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-point-cloud.html) and [video](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-video.html) tasks do not support loading through a VPC.

This guide shows how to satisfy the prerequisites and how to add and delete an Amazon VPC configuration on your workforce.

## Prerequisites
<a name="samurai-vpc-getting-started-prerequisites"></a>

To run a Ground Truth labeling job in Amazon VPC, review the following prerequisites.
+ You have an Amazon VPC configured that you can use. If you have not configured a VPC, follow these instructions for [creating a VPC](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#interface-endpoint-shared-subnets).
+ Depending on how a [Worker Task Template](https://docs.aws.amazon.com/sagemaker/latest/dg/a2i-instructions-overview.html) is written, labeling data stored in an Amazon S3 bucket may be accessed directly from Amazon S3 during labeling tasks. In these cases, the VPC network must be configured to allow traffic from the device used by the human labeler to the S3 bucket containing labeling data.
+ Follow [View and update DNS attributes for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating) to enable DNS hostnames and DNS resolution for your VPC.

**Note**  
There are two ways to configure your VPC for your workforce. You can do this through the [console](https://console.aws.amazon.com/sagemaker) or the AWS SageMaker AI [CLI](https://aws.amazon.com/cli/).

# Using the SageMaker AI console to manage a VPC config
<a name="samurai-vpc-workforce-console"></a>

You can use the [SageMaker AI console](https://console.aws.amazon.com/sagemaker) to add or remove a VPC configuration. You can also delete an existing workforce.

## Adding a VPC configuration to your workforce
<a name="samurai-add-vpc-workforce"></a>

### Create a private workforce
<a name="samurai-vpc-create-workforce"></a>
+ [Create a private workforce using Amazon Cognito](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-workforce-private-use-cognito.html)
+ [Create a private workforce using OpenID Connect (OIDC) Identity Provider (IdP)](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-workforce-private-use-oidc.html)

After you have created your private workforce, add a VPC configuration to it.

1. Navigate to [Amazon SageMaker Runtime](https://console.aws.amazon.com/sagemaker) in your console.

1. Select **Labeling workforces** in the left panel.

1. Select **Private** to access your private workforce. After your **Workforce status** is **Active**, select **Add** next to **VPC**.

1. When you are prompted to configure your VPC, provide the following:

   1. Your **VPC**

   1. **Subnets**. Ensure that your VPC has an existing subnet.

   1. **Security groups**

      **Note**  
      You cannot select more than 5 security groups.

   1. After filling in this information, choose **Confirm**.

1. After you choose **Confirm**, you are redirected back to the **Private** page under **Labeling workforces**. You should see a green banner at the top that reads **Your private workforce update with VPC configuration was successfully initialized.** The workforce status is **Updating**. Next to the **Delete workforce** button is the **Refresh** button, which can be used to retrieve the latest **Workforce status**. After the workforce status has changed to **Active**, the VPC endpoint ID is updated as well.

## Removing a VPC configuration from your workforce
<a name="samurai-remove-vpc-workforce"></a>

Use the following information to remove a VPC configuration from your workforce using the console.

1. Navigate to [Amazon SageMaker Runtime](https://console.aws.amazon.com/sagemaker) in your console.

1. Select **Labeling workforces** in the left panel.

1. Find and select your workforce.

1. Under **Private workforce summary**, find **VPC** and choose **Remove** next to it.

1. Select **Remove**.

## Deleting a workforce through the console
<a name="samurai-delete-vpc-workforce"></a>

Before you delete a workforce, make sure no work teams are associated with it. You can delete a workforce only if the workforce status is **Active** or **Failed**.

Use the following information to delete a workforce using the console.

1. Navigate to [Amazon SageMaker Runtime](https://console.aws.amazon.com/sagemaker) in your console.

1. Select **Labeling workforces** in the left panel.

1. Find and select your workforce.

1. Choose **Delete workforce**.

1. Choose **Delete**.

# Using the SageMaker AI AWS API to manage a VPC config
<a name="samurai-vpc-workforce-cli"></a>

Use the following sections to learn how to manage a VPC configuration while maintaining the right level of access for the work team.

## Create a workforce with a VPC configuration
<a name="samurai-create-vpc-cli"></a>

If the account already has a workforce, you must delete it before creating a new one with a VPC configuration. Alternatively, update the existing workforce with a VPC configuration (see the next section).

```
aws sagemaker create-workforce --cognito-config '{"ClientId": "app-client-id","UserPool": "Pool_ID"}' --workforce-vpc-config \
"{\"VpcId\": \"vpc-id\", \"SecurityGroupIds\": [\"sg-0123456789abcdef0\"], \"Subnets\": [\"subnet-0123456789abcdef0\"]}" --workforce-name workforce-name
{
    "WorkforceArn": "arn:aws:sagemaker:us-west-2:xxxxxxxxx:workforce/workforce-name"
}
```

Describe the workforce and make sure the status is `Initializing`.

```
aws sagemaker describe-workforce --workforce-name workforce-name
{
    "Workforce": {
        "WorkforceName": "workforce-name",
        "WorkforceArn": "arn:aws:sagemaker:us-west-2:xxxxxxxxx:workforce/workforce-name",
        "LastUpdatedDate": 1622151252.451,
        "SourceIpConfig": {
            "Cidrs": []
        },
        "SubDomain": "subdomain.us-west-2.sagemaker.aws.com",
        "CognitoConfig": {
            "UserPool": "Pool_ID",
            "ClientId": "app-client-id"
        },
        "CreateDate": 1622151252.451,
        "WorkforceVpcConfig": {
            "VpcId": "vpc-id",
            "SecurityGroupIds": [
                "sg-0123456789abcdef0"
            ],
            "Subnets": [
                "subnet-0123456789abcdef0"
            ]
        },
        "Status": "Initializing"
    }
}
```

Navigate to the Amazon VPC console. Select **Endpoints** from the left panel. There should be two VPC endpoints created in your account.

## Adding a VPC configuration to your workforce
<a name="samurai-add-vpc-cli"></a>

Update a non-VPC private workforce with a VPC configuration using the following command.

```
aws sagemaker update-workforce --workforce-name workforce-name \
--workforce-vpc-config "{\"VpcId\": \"vpc-id\", \"SecurityGroupIds\": [\"sg-0123456789abcdef0\"], \"Subnets\": [\"subnet-0123456789abcdef0\"]}"
```

Describe the workforce and make sure the status is `Updating`.

```
aws sagemaker describe-workforce --workforce-name workforce-name
{
    "Workforce": {
        "WorkforceName": "workforce-name",
        "WorkforceArn": "arn:aws:sagemaker:us-west-2:xxxxxxxxx:workforce/workforce-name",
        "LastUpdatedDate": 1622151252.451,
        "SourceIpConfig": {
            "Cidrs": []
        },
        "SubDomain": "subdomain.us-west-2.sagemaker.aws.com",
        "CognitoConfig": {
            "UserPool": "Pool_ID",
            "ClientId": "app-client-id"
        },
        "CreateDate": 1622151252.451,
        "WorkforceVpcConfig": {
            "VpcId": "vpc-id",
            "SecurityGroupIds": [
                "sg-0123456789abcdef0"
            ],
            "Subnets": [
                "subnet-0123456789abcdef0"
            ]
        },
        "Status": "Updating"
    }
}
```

Navigate to your Amazon VPC console. Select **Endpoints** from the left panel. There should be two VPC endpoints created in your account.

## Removing a VPC configuration from your workforce
<a name="samurai-remove-vpc-cli"></a>

Update a VPC private workforce with an empty VPC configuration to remove VPC resources.

```
aws sagemaker update-workforce --workforce-name workforce-name \
--workforce-vpc-config "{}"
```

Describe the workforce and make sure the status is `Updating`.

```
aws sagemaker describe-workforce --workforce-name workforce-name
{
    "Workforce": {
        "WorkforceName": "workforce-name",
        "WorkforceArn": "arn:aws:sagemaker:us-west-2:xxxxxxxxx:workforce/workforce-name",
        "LastUpdatedDate": 1622151252.451,
        "SourceIpConfig": {
            "Cidrs": []
        },
        "SubDomain": "subdomain.us-west-2.sagemaker.aws.com",
        "CognitoConfig": {
            "UserPool": "Pool_ID",
            "ClientId": "app-client-id"
        },
        "CreateDate": 1622151252.451,
        "Status": "Updating"
    }
}
```

Navigate to your Amazon VPC console. Select **Endpoints** from the left panel. The two VPC endpoints should be deleted.

## Restrict public access to the worker portal while maintaining access through a VPC
<a name="public-access-vpc"></a>

Workers using either a VPC or a non-VPC worker portal can see the labeling job tasks assigned to them. Tasks are assigned by placing workers in a work team through OIDC groups. It is the customer's responsibility to restrict access to their public worker portal by setting the `sourceIpConfig` on their workforce.

**Note**  
You can restrict access to the worker portal only through the SageMaker API. This cannot be done through the console.

Use the following command to restrict public access to the worker portal.

```
aws sagemaker update-workforce --region us-west-2 \
--workforce-name workforce-demo --source-ip-config '{"Cidrs":["10.0.0.0/16"]}'
```

After the `sourceIpConfig` is set on the workforce, the workers can access the worker portal in VPC but not through public internet.

**Note**  
You cannot apply a `sourceIpConfig` restriction to the worker portal when it is accessed through the VPC.
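As an added example (not AWS's code or output), the following Python builds the two JSON payloads this page passes on the CLI, checking the constraints stated above, and reads `describe-workforce` output to flag the gap the note above describes: a VPC workforce whose `SourceIpConfig` is still empty. The sample output is constructed from the shape shown on this page; the 1 to 5 security-group range and the non-empty subnet requirement are assumptions taken from the console note.

```python
import ipaddress
import json

# Constructed sample shaped like this page's describe-workforce output: VPC set, Cidrs empty.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"Workforce": {
    "WorkforceName": "workforce-name", "Status": "Active",
    "SourceIpConfig": {"Cidrs": []},
    "WorkforceVpcConfig": {"VpcId": "vpc-id", "SecurityGroupIds": ["sg-0123456789abcdef0"],
                           "Subnets": ["subnet-0123456789abcdef0"]}}})

def vpc_config_errors(vpc_id, security_group_ids, subnets):
    """Check a workforce VPC config against the constraints this page states."""
    errors = []
    if not vpc_id:
        errors.append("a VPC id is required; a workforce supports only one VPC")
    if not subnets:
        errors.append("the VPC must have at least one subnet")
    if not 1 <= len(security_group_ids) <= 5:  # page: at most 5 security groups (1 min assumed)
        errors.append("choose between 1 and 5 security groups")
    return errors

def build_vpc_config(vpc_id, security_group_ids, subnets):
    """JSON string for --workforce-vpc-config (no trailing commas or stray spaces)."""
    errors = vpc_config_errors(vpc_id, security_group_ids, subnets)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps({"VpcId": vpc_id, "SecurityGroupIds": list(security_group_ids),
                       "Subnets": list(subnets)})

def build_source_ip_config(cidrs):
    """JSON string for --source-ip-config; a malformed CIDR raises ValueError."""
    if not cidrs:
        raise ValueError("at least one CIDR is needed to restrict public access")
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=True)
    return json.dumps({"Cidrs": list(cidrs)})

def assess_workforce(describe_output_json):
    """From describe-workforce output, flag a VPC workforce whose portal is
    still reachable from the public internet (SourceIpConfig.Cidrs empty)."""
    wf = json.loads(describe_output_json)["Workforce"]
    vpc = wf.get("WorkforceVpcConfig")
    cidrs = wf.get("SourceIpConfig", {}).get("Cidrs", [])
    findings = []
    if wf.get("Status") != "Active":
        findings.append(f"status is {wf.get('Status')}: endpoints not ready yet")
    if vpc and not cidrs:
        findings.append("VPC configured but SourceIpConfig is empty: public access still open")
    return {"status": wf.get("Status"), "vpc_id": vpc["VpcId"] if vpc else None,
            "public_restricted": bool(cidrs), "findings": findings}
```

Run `assess_workforce` on the real `describe-workforce` output after each update; an empty `findings` list means the VPC endpoints are active and public access is restricted.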