Merge pull request #3902 from Blackmist/415877-fresh

prmerger-automator[bot] · web-flow · commit 636e05c2b358 · 2025-04-03T17:09:57.000Z
acrolinx/freshness
diff --git a/articles/machine-learning/how-to-access-azureml-behind-firewall.md b/articles/machine-learning/how-to-access-azureml-behind-firewall.md
@@ -9,7 +9,7 @@ ms.topic: how-to
 ms.author: larryfr
 author: Blackmist
 ms.reviewer: meerakurup
-ms.date: 04/08/2024
+ms.date: 04/03/2025
 ms.custom: devx-track-azurecli
 ms.devlang: azurecli
 monikerRange: 'azureml-api-2 || azureml-api-1'
@@ -31,13 +31,13 @@ The following terms and information are used throughout this article:
     > [!IMPORTANT]
     > Azure service tags are only supported by some Azure services. For a list of service tags supported with network security groups and Azure Firewall, see the [Virtual network service tags](/azure/virtual-network/service-tags-overview) article.
     > 
-    > If you are using a non-Azure solution such as a 3rd party firewall, download a list of [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519). Extract the file and search for the service tag within the file. The IP addresses may change periodically.
+    > If you're using a non-Azure solution such as a 3rd party firewall, download a list of [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519). Extract the file and search for the service tag within the file. The IP addresses might change periodically.
 
 * __Region__: Some service tags allow you to specify an Azure region. This limits access to the service IP addresses in a specific region, usually the one that your service is in. In this article, when you see `<region>`, substitute your Azure region instead. For example, `BatchNodeManagement.<region>` would be `BatchNodeManagement.uswest` if your Azure Machine Learning workspace is in the US West region.
 
 * __Azure Batch__: Azure Machine Learning compute clusters and compute instances rely on a back-end Azure Batch instance. This back-end service is hosted in a Microsoft subscription.
 
-* __Ports__: The following ports are used in this article. If a port range isn't listed in this table, it's specific to the service and may not have any published information on what it's used for:
+* __Ports__: The following ports are used in this article. If a port range isn't listed in this table, it's specific to the service and might not have any published information on what it's used for:
 
     | Port | Description |
     | ----- | ----- | 
@@ -53,8 +53,8 @@ The following terms and information are used throughout this article:
 
 This configuration makes the following assumptions:
 
-* You're using docker images provided by a container registry that you provide, and won't be using images provided by Microsoft.
-* You're using a private Python package repository, and won't be accessing public package repositories such as `pypi.org`, `*.anaconda.com`, or `*.anaconda.org`.
+* You're using docker images provided by a container registry that you provide, and don't use images provided by Microsoft.
+* You're using a private Python package repository, and don't access public package repositories such as `pypi.org`, `*.anaconda.com`, or `*.anaconda.org`.
 * The private endpoints can communicate directly with each other within the VNet. For example, all services have a private endpoint in the same VNet:
     * Azure Machine Learning workspace
     * Azure Storage Account (blob, file, table, queue)
@@ -70,7 +70,7 @@ __Inbound traffic__
 
 __Outbound traffic__
 
-| Service tag(s) | Ports | Purpose |
+| Service tags | Ports | Purpose |
 | ----- |:-----:| ----- |
 | `AzureActiveDirectory` | 80, 443 | Authentication using Microsoft Entra ID. |
 | `AzureMachineLearning` | 443, 8787, 18881<br>UDP: 5831 | Using Azure Machine Learning services. |
@@ -80,7 +80,7 @@ __Outbound traffic__
 | `AzureFrontDoor.FrontEnd`</br>* Not needed in Microsoft Azure operated by 21Vianet. | 443 | Global entry point for [Azure Machine Learning studio](https://ml.azure.com). Store images and environments for AutoML. |
 | `MicrosoftContainerRegistry` | 443 | Access docker images provided by Microsoft. |
 | `Frontdoor.FirstParty` | 443 | Access docker images provided by Microsoft. |
-| `AzureMonitor` | 443 | Used to log monitoring and metrics to Azure Monitor. Only needed if you haven't [secured Azure Monitor](how-to-secure-workspace-vnet.md#secure-azure-monitor-and-application-insights) for the workspace. </br>* This outbound is also used to log information for support incidents. |
+| `AzureMonitor` | 443 | Used to log monitoring and metrics to Azure Monitor. Only needed if you aren't using a [secured Azure Monitor](how-to-secure-workspace-vnet.md#secure-azure-monitor-and-application-insights) for the workspace. </br>* This outbound is also used to log information for support incidents. |
 | `VirtualNetwork` | 443 | Required when private endpoints are present in the virtual network or peered virtual networks. |
 
 > [!IMPORTANT]
@@ -109,7 +109,7 @@ To allow installation of RStudio on a compute instance, the firewall needs to al
 
 * __Name__: AllowRStudioInstall 
 * __Source Type__: IP Address 
-* __Source IP Addresses__: The IP address range of the subnet where you will create the compute instance. For example, `172.16.0.0/24`. 
+* __Source IP Addresses__: The IP address range of the subnet where you create the compute instance. For example, `172.16.0.0/24`. 
 * __Destination Type__: FQDN 
 * __Target FQDN__: `ghcr.io`, `pkg-containers.githubusercontent.com` 
 * __Protocol__: `Https:443`
@@ -122,9 +122,9 @@ To allow the installation of R packages, allow __outbound__ traffic to `cloud.r-
 ## Scenario: Using compute cluster or compute instance with a public IP
 
 > [!IMPORTANT]
-> A compute instance or compute cluster without a public IP does not need inbound traffic from Azure Batch management and Azure Machine Learning services. However, if you have multiple computes and some of them use a public IP address, you will need to allow this traffic.
+> A compute instance or compute cluster without a public IP doesn't need inbound traffic from Azure Batch management and Azure Machine Learning services. However, if you have multiple computes and some of them use a public IP address, you need to allow this traffic.
 
-When using Azure Machine Learning __compute instance__ or __compute cluster__ (_with a public IP address_), allow inbound traffic from the Azure Machine Learning service. A compute instance or compute cluster _with no public IP_ (preview) __doesn't__ require this inbound communication. A Network Security Group allowing this traffic is dynamically created for you, however you might need to also create user-defined routes (UDR) if you have a firewall. When creating a UDR for this traffic, you can use either **IP Addresses** or **service tags** to route the traffic.
+When using Azure Machine Learning __compute instance__ or __compute cluster__ (_with a public IP address_), allow inbound traffic from the Azure Machine Learning service. A compute instance or compute cluster _with no public IP_ __doesn't__ require this inbound communication. A Network Security Group allowing this traffic is dynamically created for you, however you might need to also create user-defined routes (UDR) if you have a firewall. When creating a UDR for this traffic, you can use either **IP Addresses** or **service tags** to route the traffic.
 
 # [IP Address routes](#tab/ipaddress)
 
