# Customer Intent: As an admin, I want to understand how to use private links to secure communications between my Azure Machine Learning workspace and my virtual network.
15
15
---
16
16
@@ -24,7 +24,7 @@ In this document, you learn how to configure a private endpoint for your Azure M
24
24
Azure Private Link enables you to restrict connections to your workspace to an Azure Virtual Network. You restrict a workspace to only accept connections from a virtual network by creating a private endpoint. The private endpoint is a set of private IP addresses within your virtual network. You can then limit access to your workspace to only occur over the private IP addresses. A private endpoint helps reduce the risk of data exfiltration. To learn more about private endpoints, see the [Azure Private Link](/azure/private-link/private-link-overview) article.
25
25
26
26
> [!WARNING]
27
-
> Securing a workspace with private endpoints does not ensure end-to-end security by itself. You must secure all of the individual components of your solution. For example, if you use a private endpoint for the workspace, but your Azure Storage Account is not behind the VNet, traffic between the workspace and storage does not use the VNet for security.
27
+
> Securing a workspace with private endpoints doesn't ensure end-to-end security by itself. You must secure all of the individual components of your solution. For example, if you use a private endpoint for the workspace, but your Azure Storage Account isn't behind the VNet, traffic between the workspace and storage doesn't use the VNet for security.
28
28
>
29
29
> For more information on securing resources used by Azure Machine Learning, see the following articles:
30
30
>
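Review bot: the storage example in the rewritten warning (the `+` line, "traffic between the workspace and storage doesn't use the VNet for security") leaves unsaid where that traffic actually goes; consider stating it, e.g. "traffic between the workspace and the storage account goes over the storage account's public endpoint instead of the virtual network", so the reader sees the exposure rather than only the absence of protection. The contraction edits themselves are fine.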
@@ -40,7 +40,7 @@ Azure Private Link enables you to restrict connections to your workspace to an A
40
40
* You must have an existing virtual network to create the private endpoint in.
41
41
42
42
> [!WARNING]
43
-
> Do not use the 172.17.0.0/16 IP address range for your VNet. This is the default subnet range used by the Docker bridge network, and will result in errors if used for your VNet. Other ranges may also conflict depending on what you want to connect to the virtual network. For example, if you plan to connect your on premises network to the VNet, and your on-premises network also uses the 172.16.0.0/16 range. Ultimately, it is up to __you__ to plan your network infrastructure.
43
+
> Don't use the 172.17.0.0/16 IP address range for your VNet. This is the default subnet range used by the Docker bridge network, and results in errors if used for your VNet. Other ranges might also conflict depending on what you want to connect to the virtual network. For example, if you plan to connect your on premises network to the VNet, and your on-premises network also uses the 172.16.0.0/16 range. Ultimately, it's up to __you__ to plan your network infrastructure.
44
44
45
45
*[Disable network policies for private endpoints](/azure/private-link/disable-private-endpoint-network-policy) before adding the private endpoint.
46
46
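Review bot: the on-premises example in the `+` line is still a sentence fragment with no consequence stated ("For example, if you plan to connect your on premises network to the VNet, and your on-premises network also uses the 172.16.0.0/16 range."); since this hunk already touches the line, finish it, e.g. "... also uses the 172.16.0.0/16 range, the two address spaces overlap and traffic can't be routed between them", and hyphenate "on-premises" consistently within the sentence.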
@@ -72,10 +72,10 @@ Use one of the following methods to create a workspace with a private endpoint.
72
72
When you use the Azure CLI [extension 2.0 CLI for machine learning](how-to-configure-cli.md), a YAML document is used to configure the workspace. The following example demonstrates creating a new workspace using a YAML configuration:
73
73
74
74
> [!TIP]
75
-
> When you use a private link, your workspace cannot use Azure Container Registry tasks compute for image building. Instead, the workspace defaults to using a [serverless compute cluster](how-to-use-serverless-compute.md) to build images. This works only when the workspace-deependent resources such as the storage account and container registry are not under any network restrictions (private endpoint). If your workspace dependencies are under network restrictions, use the `image_build_compute` property to specify a compute cluster to use for image building.
75
+
> When you use a private link, your workspace can't use Azure Container Registry tasks compute for image building. Instead, the workspace defaults to using a [serverless compute cluster](how-to-use-serverless-compute.md) to build images. This works only when the workspace-deependent resources such as the storage account and container registry aren't under any network restrictions (private endpoint). If your workspace dependencies are under network restrictions, use the `image_build_compute` property to specify a compute cluster to use for image building.
76
76
> The `image_build_compute` property in this configuration specifies a CPU compute cluster name to use for Docker image environment building. You can also specify whether the private link workspace should be accessible over the internet using the `public_network_access` property.
77
77
>
78
-
> In this example, the compute referenced by `image_build_compute`will need to be created before building images.
78
+
> In this example, the compute referenced by `image_build_compute`needs to be created before building images.
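Review bot: the typo "workspace-deependent" is carried over unchanged into the `+` line of the tip; fix it to "workspace-dependent" while the line is being edited. In the last `+` line, `image_build_compute` also runs straight into "needs" without a space, if that isn't an artifact of the diff view.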
@@ -151,7 +151,7 @@ Use one of the following methods to add a private endpoint to an existing worksp
151
151
152
152
> [!WARNING]
153
153
>
154
-
> If you have any existing compute targets associated with this workspace, and they are not behind the same virtual network that the private endpoint is created in, they will not work.
154
+
> If you have any existing compute targets associated with this workspace, and they aren't behind the same virtual network that the private endpoint is created in, they won't work.
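Review bot: "they won't work" in the `+` line is vague about what fails; given the statement earlier in this file that a workspace behind a private endpoint only accepts connections from the virtual network, say that directly, e.g. "they can no longer reach the workspace, because it only accepts connections from the virtual network that contains the private endpoint".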
@@ -271,7 +271,7 @@ To enable public access, use the following steps:
271
271
> There are two possible properties that you can configure:
272
272
> *`allow_public_access_when_behind_vnet` - used by the Python SDK v1
273
273
> *`public_network_access` - used by the CLI and Python SDK v2
274
-
> Each property overrides the other. For example, setting `public_network_access`will override any previous setting to `allow_public_access_when_behind_vnet`.
274
+
> Each property overrides the other. For example, setting `public_network_access`overrides any previous setting to `allow_public_access_when_behind_vnet`.
275
275
>
276
276
> Microsoft recommends using `public_network_access` to enable or disable public access to a workspace.
277
277
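Review bot: minor grammar in the `+` line: "any previous setting to `allow_public_access_when_behind_vnet`" should read "any previous setting of `allow_public_access_when_behind_vnet`". Since the tip states that each property overrides the other, it would also help to say explicitly that the reverse applies (setting the SDK v1 property overrides an earlier `public_network_access`), which makes the recommendation in the last line of the hunk to standardize on `public_network_access` easier to justify.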
@@ -380,7 +380,7 @@ Azure Machine Learning supports multiple private endpoints for a workspace. Mult
380
380
* [Azure Data Factory managed virtual network](/azure/data-factory/managed-virtual-network-private-endpoint).
381
381
382
382
> [!IMPORTANT]
383
-
> [Synapse's data exfiltration protection](/azure/synapse-analytics/security/workspace-data-exfiltration-protection) is not supported with Azure Machine Learning.
383
+
> [Synapse's data exfiltration protection](/azure/synapse-analytics/security/workspace-data-exfiltration-protection) isn't supported with Azure Machine Learning.
384
384
385
385
> [!IMPORTANT]
386
386
> Each VNet that contains a private endpoint for the workspace must also be able to access the Azure Storage Account, Azure Key Vault, and Azure Container Registry used by the workspace. For example, you might create a private endpoint for the services in each VNet.
@@ -421,9 +421,7 @@ If you want to create an isolated Azure Kubernetes Service used by the workspace
421
421
422
422
### Scenario: Managed online endpoints with access from selected IP addresses
423
423
424
-
Enabling inbound access from selected IP addresses is affected by the ingress setting on your managed online endpoints. If public ingress is enabled on your managed online endpoint, then you can't enable selected IP addresses on our workspace.
425
-
426
-
The following table shows the possible configurations for your workspace and managed online endpoint network configurations, and how it affects both. For more information, see [Network isolation with managed online endpoints](concept-secure-online-endpoint.md).
424
+
Enabling inbound access from selected IP addresses is affected by the ingress setting on your managed online endpoints. The following table shows the possible configurations for your workspace and managed online endpoint network configurations, and how it affects both. For more information, see [Network isolation with managed online endpoints](concept-secure-online-endpoint.md).
427
425
428
426
| Workspace</br>public network access | Managed online endpoint</br>public network access | Does the workspace</br>respect the selected IPs? | Does the online endpoint</br>respect the selected IPs? |
429
427
| --- | --- | --- | --- |
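Review bot: the `-` lines drop the one explicit rule in this section ("If public ingress is enabled on your managed online endpoint, then you can't enable selected IP addresses on our workspace") without replacing it; the merged `+` line defers entirely to the table, whose rows are not in this hunk. Confirm the table covers that case before removing the sentence, or keep it (with "our" corrected to "your") as a one-line summary ahead of the table. Also, "how it affects both" has no clear subject; "how each setting affects the other" is what the table shows.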
@@ -433,7 +431,7 @@ The following table shows the possible configurations for your workspace and man
> If the workspace public network access configuration is changed from selected IPs to disabled, the managed online enedpoints will continue to respect the selected IPs. If you do not want thee selected IPs applied to your online endpoints, remove the addresses before selecting __Disabled__ for the workspace in the Azure portal. The Python SDK and Azure CLI support this change after or before.
434
+
> If the workspace public network access configuration is changed from selected IPs to disabled, the managed online enedpoints continue to respect the selected IPs. If you don't want the selected IPs applied to your online endpoints, remove the addresses before selecting __Disabled__ for the workspace in the Azure portal. The Python SDK and Azure CLI support this change after or before.
437
435
438
436
### Scenario: Batch endpoints with access from selected IP addresses
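Review bot: "enedpoints" survives in the `+` line ("the managed online enedpoints continue to respect"); fix to "endpoints" while here. The closing sentence "The Python SDK and Azure CLI support this change after or before." is ambiguous about what "this change" refers to; suggest "With the Python SDK and Azure CLI, you can remove the addresses either before or after setting public network access to disabled."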