REST-API Proxy for Secure Access to Amazon SageMaker MLflow

Bottom line: A Flask-based REST-API proxy solution enables enterprises to securely access Amazon SageMaker MLflow via HTTPS without direct SDK usage. The solution combines an Application Load Balancer, a Flask proxy service, and SageMaker MLflow to meet enterprise-wide security and infrastructure requirements.

Machine-learning teams use MLflow to effectively manage their ML lifecycle. Amazon SageMaker MLflow offers comprehensive features for experiment tracking and model management. However, many enterprises require HTTPS-based integrations instead of direct SDK usage to comply with their existing infrastructure and security policies.

Many organizations want to integrate Amazon SageMaker MLflow into their established system landscape while preserving their security and infrastructure requirements. This integration challenge affects teams that cannot use the SDK directly because of internal security policies, network restrictions, or legacy system requirements.

This solution demonstrates how to build a secure Flask-based MLflow proxy service that enables HTTPS access to Amazon SageMaker MLflow without SDK requirements. The concept is designed for organizations in cloud transformation processes that want to preserve their existing ML workflows while leveraging cloud-native services.

The implementation covers the following focal points: building the MLflow proxy service for HTTPS requests, configuring AWS Identity and Access Management authentication for secure access, and managing URL pre-signing and request transformation.

The architecture is based on three core components. An AWS Application Load Balancer serves as the upstream router for traffic distribution and SSL termination. A Python-based Flask application processes incoming HTTPS requests, manages AWS authentication, and transforms URLs for secure MLflow endpoint access. Amazon SageMaker MLflow provides backend metadata storage and file management, and supports two deployment modes: the managed MLflow Tracking Server and the serverless MLflow App.

This architecture enables secure communication while maintaining compatibility with established enterprise systems. The proxy service acts as an intermediary, converting standard HTTPS requests into authenticated AWS API calls.
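The request transformation described above, sketched as an added example that is not code from the original solution: a helper a proxy could call to turn an incoming MLflow REST call into a Signature Version 4 signed upstream request using only the Python standard library. The upstream host, the service name passed by the caller, the credentials and the function name are constructed placeholders, and the path allow-list is an assumption about which routes the proxy should expose.

```python
import hashlib, hmac, re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed placeholders: not a real endpoint. Only MLflow REST paths made of
# unreserved characters are accepted, so no path encoding or ".." can occur.
UPSTREAM_HOST = "mlflow-upstream.example.invalid"
ALLOWED_PATH = re.compile(r"/api/2\.0/mlflow/[A-Za-z0-9/_-]+")

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_upstream_request(method, path, query, body, creds, region, service, now=None):
    """Return (url, headers) for the upstream call, signed with SigV4.

    query is a dict of single-valued parameters; creds is (access_key, secret_key).
    Client headers are never copied, so a caller cannot supply its own
    Authorization or Host header. Temporary role credentials would also add
    x-amz-security-token to the signed headers (omitted here).
    """
    if not ALLOWED_PATH.fullmatch(path):
        raise ValueError("path outside the proxied MLflow REST API")
    now = now or datetime.now(timezone.utc)
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body).hexdigest()
    canonical_query = "&".join(
        f"{quote(str(k), safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(query.items()))
    headers = {"host": UPSTREAM_HOST, "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method.upper(), path, canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{day}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = ("AWS4" + creds[1]).encode()
    for part in (day, region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds[0]}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    url = f"https://{UPSTREAM_HOST}{path}" + (f"?{canonical_query}" if canonical_query else "")
    return url, headers
```

Because the body hash is part of the signed headers, a request altered between the proxy and the backend no longer matches its signature.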


Source: aws.amazon.com