Sagemaker endpoint(with VPC) url accessible from internet

Question

I have created a model with VPC, Private subnet, and appropriate security group. The endpoint URL can, however, be reached through the internet though failing due to the lack of security token

Things I need clarification on now are

1. Is there a way to avoid the URL being accessible from the internet
2. Are we not charged for requests failed on AUTH(like for API Gateway)
3. Does that make our deployment vulnerable to any attacks

Answer 1

You are not hitting your endpoint, but the endpoint of AWS SageMaker runtime. This endpoint is checking all the permissions to access your hosted model, and only if the credentials and requirements are met, the request is forwarded to your instances and models.

Therefore, you can't prevent this URL from being accessible from the Internet, but at the same time, you don't need to protect it or pay for it. AWS has a high level of security on these endpoints, and I don't think that you have a more secure way to protect these endpoints.