Commit bf0db6a

Merge pull request #60 from Blackmist/286795-custom-policy
writing
2 parents cb1ebde + 0aa3edb commit bf0db6a

1 file changed

+104
-8
lines changed

articles/machine-learning/how-to-integrate-azure-policy.md

Lines changed: 104 additions & 8 deletions
@@ -1,15 +1,17 @@
11
---
22
title: Audit and manage Azure Machine Learning
33
titleSuffix: Azure Machine Learning
4-
description: Learn how to use Azure Policy to use built-in policies for Azure Machine Learning to make sure your workspaces are compliant with your requirements.
4+
description: Learn how to use Azure Policy with Azure Machine Learning to make sure your workspaces are compliant with your requirements.
55
author: Blackmist
66
ms.author: larryfr
7-
ms.date: 04/01/2024
7+
ms.date: 09/04/2024
88
services: machine-learning
99
ms.service: azure-machine-learning
1010
ms.subservice: enterprise-readiness
1111
ms.topic: how-to
1212
ms.reviewer: jhirono
13+
ms.custom: FY25Q1-Linter
14+
# Customer Intent: As an admin, I want to understand how I can use Azure Policy to audit and manage Azure Machine Learning resources so that I can ensure compliance with my organization's requirements.
1315
---
1416

1517
# Audit and manage Azure Machine Learning
@@ -22,7 +24,7 @@ As a platform administrator, you can use policies to lay out guardrails for team
2224

2325
[Azure Policy](/azure/governance/policy/) is a governance tool that allows you to ensure that Azure resources are compliant with your policies.
2426

25-
Azure Policy provides a set of policies that you can use for common scenarios with Azure Machine Learning. You can assign these policy definitions to your existing subscription or use them as the basis to create your own custom definitions.
27+
Azure Policy provides a set of policies that you can use for common scenarios with Azure Machine Learning. You can assign these policy definitions to your existing subscription or use them as the basis to create your own [custom definitions](#create-custom-definitions).
2628

2729
The following table lists the built-in policies you can assign with Azure Machine Learning. For a list of all Azure built-in policies, see [Built-in policies](/azure/governance/policy/samples/built-in-policies).
2830

@@ -52,7 +54,7 @@ Landing zones are an architectural pattern that accounts for scale, governance,
5254

5355
The purpose of the landing zone is to ensure that all infrastructure configuration work is done when a team starts in the Azure environment. For instance, security controls are set up in compliance with organizational standards and network connectivity is set up.
5456

55-
Using the landing zones pattern, machine learning teams can deploy and manage their own resources on a self-service basis. By using Azure policy as an administrator, you can audit and manage Azure resources for compliance.
57+
When you use the landing zones pattern, machine learning teams can deploy and manage their own resources on a self-service basis. By using Azure policy as an administrator, you can audit and manage Azure resources for compliance.
5658

5759
Azure Machine Learning integrates with [data landing zones](https://github.com/Azure/data-landing-zone) in the [Cloud Adoption Framework data management and analytics scenario](/azure/cloud-adoption-framework/scenarios/data-management/). This reference implementation provides an optimized environment to migrate machine learning workloads onto Azure Machine Learning and includes preconfigured policies.
5860

@@ -120,15 +122,15 @@ If the policy is set to __Deny__, then you can't create a workspace unless it us
120122

121123
Controls whether a workspace is created using a system-assigned managed identity (default) or a user-assigned managed identity. The managed identity for the workspace is used to access associated resources such as Azure Storage, Azure Container Registry, Azure Key Vault, and Azure Application Insights. For more information, see [Set up authentication between Azure Machine Learning and other services](how-to-identity-based-service-authentication.md).
122124

123-
To configure this policy, set the effect parameter to __Audit__, __Deny__, or __Disabled__. If set to __Audit__, you can create a workspace without specifying a user-assigned managed identity. A system-assigned identity is used and a warning event is created in the activity log.
125+
To configure this policy, set the effect parameter to __Audit__, __Deny__, or __Disabled__. If set to __Audit__, you can create a workspace without specifying a user-assigned managed identity. A system-assigned identity is used, and a warning event is created in the activity log.
124126

125127
If the policy is set to __Deny__, then you can't create a workspace unless you provide a user-assigned identity during the creation process. Attempting to create a workspace without providing a user-assigned identity results in an error. The error is also logged to the activity log. The policy identifier is returned as part of this error.
126128

127129
### Configure computes to modify/disable local authentication
128130

129131
This policy modifies any Azure Machine Learning compute cluster or instance creation request to disable local authentication (SSH).
130132

131-
To configure this policy, set the effect parameter to __Modify__ or __Disabled__. If set __Modify__, any creation of a compute cluster or instance within the scope where the policy applies will automatically have local authentication disabled.
133+
To configure this policy, set the effect parameter to __Modify__ or __Disabled__. If set __Modify__, any creation of a compute cluster or instance within the scope where the policy applies automatically has local authentication disabled.
132134

133135
### Configure workspace to use private DNS zones
134136

@@ -138,9 +140,9 @@ To configure this policy, set the effect parameter to __DeployIfNotExists__. Set
138140

139141
### Configure workspaces to disable public network access
140142

141-
Configures a workspace to disable network access from the public internet. This helps protect the workspaces against data leakage risks. You can instead access your workspace by creating private endpoints. For more information, see [Configure a private endpoint for an Azure Machine Learning workspace](how-to-configure-private-link.md).
143+
Configures a workspace to disable network access from the public internet. Disabling public network access helps protect the workspaces against data leakage risks. You can instead access your workspace by creating private endpoints. For more information, see [Configure a private endpoint for an Azure Machine Learning workspace](how-to-configure-private-link.md).
142144

143-
To configure this policy, set the effect parameter to __Modify__ or __Disabled__. If set to __Modify__, any creation of a workspace within the scope where the policy applies will automatically have public network access disabled.
145+
To configure this policy, set the effect parameter to __Modify__ or __Disabled__. If set to __Modify__, any creation of a workspace within the scope where the policy applies automatically has public network access disabled.
144146

145147
### Configure workspaces with private endpoints
146148

@@ -160,6 +162,100 @@ Audits whether resource logs are enabled for an Azure Machine Learning workspace
160162

161163
To configure this policy, set the effect parameter to __AuditIfNotExists__ or __Disabled__. If set to __AuditIfNotExists__, the policy audits if resource logs aren't enabled for the workspace.
162164

165+
## Create custom definitions
166+
167+
When you need to create custom policies for your organization, you can use the [Azure Policy definition structure](/azure/governance/policy/concepts/definition-structure-basics) to create your own definitions. You can use the [Azure Policy Visual Studio Code extension](https://marketplace.visualstudio.com/items?itemName=AzurePolicy.azurepolicyextension) to author and test your policies.
168+
169+
To discover the policy aliases you can use in your definition, use the following Azure CLI command to list the aliases for Azure Machine Learning:
170+
171+
```azurecli
172+
az provider show --namespace Microsoft.MachineLearningServices --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"
173+
```
174+
175+
To discover the allowed values for a specific alias, visit the [Azure Machine Learning REST API](/rest/api/azureml/) reference.
176+
177+
For a tutorial (not Azure Machine Learning specific) on how to create custom policies, visit [Create a custom policy definition](/azure/governance/policy/tutorials/create-custom-policy-definition).
178+
179+
### Example: Block serverless spark compute jobs
180+
181+
```json
182+
{
183+
"properties": {
184+
"displayName": "Deny serverless Spark compute jobs",
185+
"description": "Deny serverless Spark compute jobs",
186+
"mode": "All",
187+
"policyRule": {
188+
"if": {
189+
"allOf": [
190+
{
191+
"field": "Microsoft.MachineLearningServices/workspaces/jobs/jobType",
192+
"in": [
193+
"Spark"
194+
]
195+
}
196+
]
197+
},
198+
"then": {
199+
"effect": "Deny"
200+
}
201+
},
202+
"parameters": {}
203+
}
204+
}
205+
```
206+
207+
### Example: Configure no public IP for managed computes
208+
209+
```json
210+
{
211+
"properties": {
212+
"displayName": "Deny compute instance and compute cluster creation with public IP",
213+
"description": "Deny compute instance and compute cluster creation with public IP",
214+
"mode": "all",
215+
"parameters": {
216+
"effectType": {
217+
"type": "string",
218+
"defaultValue": "Deny",
219+
"allowedValues": [
220+
"Deny",
221+
"Disabled"
222+
],
223+
"metadata": {
224+
"displayName": "Effect",
225+
"description": "Enable or disable the execution of the policy"
226+
}
227+
}
228+
},
229+
"policyRule": {
230+
"if": {
231+
"allOf": [
232+
{
233+
"field": "type",
234+
"equals": "Microsoft.MachineLearningServices/workspaces/computes"
235+
},
236+
{
237+
"allOf": [
238+
{
239+
"field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
240+
"notEquals": "AKS"
241+
},
242+
{
243+
"field": "Microsoft.MachineLearningServices/workspaces/computes/enableNodePublicIP",
244+
"equals": true
245+
}
246+
]
247+
}
248+
]
249+
},
250+
"then": {
251+
"effect": "[parameters('effectType')]"
252+
}
253+
}
254+
}
255+
}
256+
```
257+
258+
163259
## Related content
164260

165261
* [Azure Policy documentation](/azure/governance/policy/overview)
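Review bot: the two custom-definition examples are inconsistent in ways a reader copying them will trip over. The first uses `"mode": "All"` and hardcodes `"effect": "Deny"`, while the second uses `"mode": "all"` and parameterizes the effect through `effectType` with `allowedValues` of `Deny` and `Disabled`; suggest using the same `mode` casing in both and giving the Spark example the same `effectType` parameter so an assignment can be switched to `Disabled` without editing the definition. In the second example the inner `"allOf"` is nested directly inside the outer `"allOf"`, which adds no logic; the `computeType` and `enableNodePublicIP` conditions can sit in the outer array alongside the `type` check. Finally, the heading "Configure no public IP for managed computes" suggests a `Modify` policy, but the rule's effect is `Deny` (and the `displayName` says so); consider retitling it "Deny public IP for managed computes", and capitalize "Spark" in the first heading to match the `displayName` and the `"in": ["Spark"]` value.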