diff --git a/.changelog/45530.txt b/.changelog/45530.txt
new file mode 100644
index 00000000000..4ce36693d81
--- /dev/null
+++ b/.changelog/45530.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_sagemaker_domain: Fix update failure when `app_network_access_type` is `VpcOnly`
+```
diff --git a/internal/service/sagemaker/domain.go b/internal/service/sagemaker/domain.go
index 98a14818780..a233d623bc3 100644
--- a/internal/service/sagemaker/domain.go
+++ b/internal/service/sagemaker/domain.go
@@ -1566,6 +1566,11 @@ func resourceDomainUpdate(ctx context.Context, d *schema.ResourceData, meta any)
 			input.AppNetworkAccessType = awstypes.AppNetworkAccessType(v.(string))
 		}
 
+		if input.AppNetworkAccessType == awstypes.AppNetworkAccessTypeVpcOnly {
+			input.VpcId = aws.String(d.Get(names.AttrVPCID).(string))
+			input.SubnetIds = flex.ExpandStringValueSet(d.Get(names.AttrSubnetIDs).(*schema.Set))
+		}
+
 		if v, ok := d.GetOk("app_security_group_management"); ok && rstudioDomainEnabled(d.Get("domain_settings").([]any)) {
 			input.AppSecurityGroupManagement = awstypes.AppSecurityGroupManagement(v.(string))
 		}
diff --git a/internal/service/sagemaker/domain_test.go b/internal/service/sagemaker/domain_test.go
index 8e720ecc1e1..d6f1c7fc21b 100644
--- a/internal/service/sagemaker/domain_test.go
+++ b/internal/service/sagemaker/domain_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/sagemaker"
 	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
 	"github.com/hashicorp/terraform-provider-aws/internal/conns"
@@ -271,14 +272,19 @@ func testAccDomain_sharingSettings(t *testing.T) {
 		CheckDestroy:             testAccCheckDomainDestroy(ctx),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDomainConfig_sharingSettings(rName),
+				Config: testAccDomainConfig_sharingSettings(rName, "sharing"),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionCreate),
+					},
+				},
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain),
 					resource.TestCheckResourceAttr(resourceName, "default_user_settings.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "default_user_settings.0.sharing_settings.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "default_user_settings.0.sharing_settings.0.notebook_output_option", "Allowed"),
 					resource.TestCheckResourceAttrPair(resourceName, "default_user_settings.0.sharing_settings.0.s3_kms_key_id", "aws_kms_key.test", names.AttrKeyID),
-					resource.TestCheckResourceAttrSet(resourceName, "default_user_settings.0.sharing_settings.0.s3_output_path"),
+					resource.TestMatchResourceAttr(resourceName, "default_user_settings.0.sharing_settings.0.s3_output_path", regexache.MustCompile(`^s3://tf-acc-.+/sharing$`)),
 				),
 			},
 			{
@@ -287,6 +293,23 @@ func testAccDomain_sharingSettings(t *testing.T) {
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"retention_policy"},
 			},
+			{
+				Config: testAccDomainConfig_sharingSettings(rName, "sharing-updated"),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+					},
+				},
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckDomainExists(ctx, resourceName, &domain),
+					resource.TestCheckResourceAttr(resourceName, "default_user_settings.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "default_user_settings.0.sharing_settings.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "default_user_settings.0.sharing_settings.0.notebook_output_option", "Allowed"),
+					resource.TestCheckResourceAttrPair(resourceName, "default_user_settings.0.sharing_settings.0.s3_kms_key_id", "aws_kms_key.test", names.AttrKeyID),
+					resource.TestCheckResourceAttrSet(resourceName, "default_user_settings.0.sharing_settings.0.s3_output_path"),
+					resource.TestMatchResourceAttr(resourceName, "default_user_settings.0.sharing_settings.0.s3_output_path", regexache.MustCompile(`^s3://tf-acc-.+/sharing-updated$`)),
+				),
+			},
 		},
 	})
 }
@@ -1285,7 +1308,7 @@ func testAccDomain_defaultUserSettingsUpdated(t *testing.T) {
 				ImportStateVerifyIgnore: []string{"retention_policy"},
 			},
 			{
-				Config: testAccDomainConfig_sharingSettings(rName),
+				Config: testAccDomainConfig_sharingSettings(rName, "sharing"),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDomainExists(ctx, resourceName, &domain),
 					resource.TestCheckResourceAttr(resourceName, "app_network_access_type", "VpcOnly"),
@@ -2074,7 +2097,7 @@ resource "aws_sagemaker_domain" "test" {
 `, rName, tagKey1, tagValue1, tagKey2, tagValue2))
 }
 
-func testAccDomainConfig_sharingSettings(rName string) string {
+func testAccDomainConfig_sharingSettings(rName, s3KeyPrefix string) string {
 	return acctest.ConfigCompose(testAccDomainConfig_base(rName), fmt.Sprintf(`
 resource "aws_kms_key" "test" {
   description             = %[1]q
@@ -2101,7 +2124,7 @@ resource "aws_sagemaker_domain" "test" {
     sharing_settings {
       notebook_output_option = "Allowed"
       s3_kms_key_id          = aws_kms_key.test.key_id
-      s3_output_path         = "s3://${aws_s3_bucket.test.bucket}/sharing"
+      s3_output_path         = "s3://${aws_s3_bucket.test.bucket}/%[2]s"
     }
   }
 
@@ -2109,7 +2132,7 @@ resource "aws_sagemaker_domain" "test" {
     home_efs_file_system = "Delete"
   }
 }
-`, rName))
+`, rName, s3KeyPrefix))
 }
 
 func testAccDomainConfig_canvasAppSettings(rName string) string {