Secure Azure Machine Learning workspace resources and compute environments using Azure Virtual Networks (VNets). This article uses an example scenario to show you how to configure a complete virtual network.
30
-
31
-
This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
30
+
Learn how to secure Azure Machine Learning workspace resources and compute environments using Azure Virtual Networks (VNets). This article uses an example scenario to show you how to configure a complete virtual network.
32
31
33
32
This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
34
33
@@ -52,7 +51,7 @@ This article is part of a series on securing an Azure Machine Learning workflow.
52
51
*[Use a firewall](how-to-access-azureml-behind-firewall.md)
53
52
:::moniker-end
54
53
55
-
For a tutorial on creating a secure workspace, see [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md) or [Tutorial: Create a secure workspace using a template](tutorial-create-secure-workspace-template.md).
54
+
For a tutorial on creating a secure workspace, visit the [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md) or [Tutorial: Create a secure workspace using a template](tutorial-create-secure-workspace-template.md) articles.
56
55
57
56
## Prerequisites
58
57
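Review bot: "visit the ... articles" on the new line 54 reads oddly for an in-page link and breaks with the convention used elsewhere in this file, which is "see" (line 31: "See the other articles in this series"). Suggest keeping "see" and dropping the trailing "articles": "For a tutorial on creating a secure workspace, see [Tutorial: Create a secure workspace](...) or [Tutorial: Create a secure workspace using a template](...)."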
@@ -62,6 +61,7 @@ This article assumes that you have familiarity with the following articles:
62
61
+[Azure Machine Learning workspace with private endpoint](how-to-configure-private-link.md)
63
62
+[Network Security Groups (NSG)](/azure/virtual-network/network-security-groups-overview)
64
63
+[Network firewalls](/azure/firewall/overview)
64
+
65
65
## Example scenario
66
66
67
67
In this section, you learn how a common network scenario is set up to secure Azure Machine Learning communication with private IP addresses.
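Review bot: the three added prerequisite lines (new lines 61 to 63) appear without a list marker, whereas the existing item in the hunk above is written as `*[Use a firewall](how-to-access-azureml-behind-firewall.md)`. As shown they would render as a run-on paragraph of links under "This article assumes that you have familiarity with the following articles:"; each should start with `*` like the neighbouring items. The added blank line at new line 64 before "## Example scenario" is a good addition.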
@@ -70,27 +70,27 @@ The following table compares how services access different parts of an Azure Mac
|**No virtual network**| Public IP | Public IP | Public IP | Public IP |
74
-
|**Public workspace, all other resources in a virtual network**| Public IP | Public IP (service endpoint) <br> **- or -** <br> Private IP (private endpoint) | Public IP | Private IP |
75
-
|**Secure resources in a virtual network**| Private IP (private endpoint) | Public IP (service endpoint) <br> **- or -** <br> Private IP (private endpoint) | Private IP | Private IP |
73
+
|__No virtual network__| Public IP | Public IP | Public IP | Public IP |
74
+
|__Public workspace, all other resources in a virtual network__| Public IP | Public IP (service endpoint) <br> __- or -__ <br> Private IP (private endpoint) | Public IP | Private IP |
75
+
|__Secure resources in a virtual network__| Private IP (private endpoint) | Public IP (service endpoint) <br> __- or -__ <br> Private IP (private endpoint) | Private IP | Private IP |
76
76
77
-
***Workspace** - Create a private endpoint for your workspace. The private endpoint connects the workspace to the vnet through several private IP addresses.
78
-
***Public access** - You can optionally enable public access for a secured workspace.
79
-
***Associated resource** - Use service endpoints or private endpoints to connect to workspace resources like Azure storage, Azure Key Vault. For Azure Container Services, use a private endpoint.
80
-
***Service endpoints** provide the identity of your virtual network to the Azure service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. Service endpoints use public IP addresses.
81
-
***Private endpoints** are network interfaces that securely connect you to a service powered by Azure Private Link. Private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet.
82
-
***Training compute access** - Access training compute targets like Azure Machine Learning Compute Instance and Azure Machine Learning Compute Clusters with public or private IP addresses.
83
-
***Inference compute access** - Access Azure Kubernetes Services (AKS) compute clusters with private IP addresses.
77
+
*__Workspace__ - Create a private endpoint for your workspace. The private endpoint connects the workspace to the vnet through several private IP addresses.
78
+
*__Public access__ - You can optionally enable public access for a secured workspace.
79
+
*__Associated resource__ - Use service endpoints or private endpoints to connect to workspace resources like Azure storage, Azure Key Vault. For Azure Container Services, use a private endpoint.
80
+
*__Service endpoints__ provide the identity of your virtual network to the Azure service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. Service endpoints use public IP addresses.
81
+
*__Private endpoints__ are network interfaces that securely connect you to a service powered by Azure Private Link. Private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet.
82
+
*__Training compute access__ - Access training compute targets like Azure Machine Learning Compute Instance and Azure Machine Learning Compute Clusters with public or private IP addresses.
83
+
*__Inference compute access__ - Access Azure Kubernetes Services (AKS) compute clusters with private IP addresses.
84
84
85
85
86
86
The next sections show you how to secure the network scenario described previously. To secure your network, you must:
87
87
88
-
1. Secure the [**workspace and associated resources**](#secure-the-workspace-and-associated-resources).
89
-
1. Secure the [**training environment**](#secure-the-training-environment).
90
-
1. Secure the [**inferencing environment**](#secure-the-inferencing-environment).
91
-
1. Optionally: [**enable studio functionality**](#optional-enable-studio-functionality).
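Review bot: the `**` to `__` swap in the table and bullet list is purely cosmetic (both render as bold), so since these lines are being touched anyway it is worth fixing the inconsistent casing they carry: line 77 says "connects the workspace to the vnet" while line 81 says "from your VNet", and the intro defines the term as "Virtual Networks (VNets)". Normalize to "VNet". Also note that the numbered list that follows (lines 88 to 91) still uses `**` inside the link text (`[**workspace and associated resources**]`), so the section ends up with mixed bold syntax unless those lines are converted too.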
1. In properties for the Azure Storage Account(s) for your workspace, add your client IP address to the allowed list in firewall settings. For more information, see [Configure firewalls and virtual networks](/azure/storage/common/storage-network-security#configuring-access-from-on-premises-networks).
134
+
1. In properties for the Azure Storage Account for your workspace, add your client IP address to the allowed list in firewall settings. For more information, see [Configure firewalls and virtual networks](/azure/storage/common/storage-network-security#configuring-access-from-on-premises-networks).
135
135
136
136
## Secure the workspace and associated resources
137
137
@@ -144,7 +144,7 @@ Use the following steps to secure your workspace and associated resources. These
144
144
| Service | Endpoint information | Allow trusted information |
145
145
| ----- | ----- | ----- |
146
146
|__Azure Key Vault__|[Service endpoint](/azure/key-vault/general/overview-vnet-service-endpoints)</br>[Private endpoint](/azure/key-vault/general/private-link-service)|[Allow trusted Microsoft services to bypass this firewall](how-to-secure-workspace-vnet.md#secure-azure-key-vault)|
147
-
|__Azure Storage Account__|[Service and private endpoint](how-to-secure-workspace-vnet.md?tabs=se#secure-azure-storage-accounts)</br>[Private endpoint](how-to-secure-workspace-vnet.md?tabs=pe#secure-azure-storage-accounts)|[Grant access from Azure resource instances](/azure/storage/common/storage-network-security#grant-access-from-azure-resource-instances)</br>**or**</br>[Grant access to trusted Azure services](/azure/storage/common/storage-network-security#grant-access-to-trusted-azure-services)|
147
+
|__Azure Storage Account__|[Service and private endpoint](how-to-secure-workspace-vnet.md?tabs=se#secure-azure-storage-accounts)</br>[Private endpoint](how-to-secure-workspace-vnet.md?tabs=pe#secure-azure-storage-accounts)|[Grant access from Azure resource instances](/azure/storage/common/storage-network-security#grant-access-from-azure-resource-instances)</br>__or__</br>[Grant access to trusted Azure services](/azure/storage/common/storage-network-security#grant-access-to-trusted-azure-services)|
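Review bot: the Azure Storage Account row (old and new line 147) uses `</br>` as a line break, which is not a valid HTML tag (there is no closing form of `br`); the comparison table earlier in this file uses `<br>`. Since this row is being rewritten, replace `</br>` with `<br>` in both the endpoint and the "Allow trusted" cells, and apply the same to the Key Vault row on line 146 so the table is consistent.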
@@ -154,7 +154,7 @@ Use the following steps to secure your workspace and associated resources. These
154
154
| Service | Endpoint information | Allow trusted information |
155
155
| ----- | ----- | ----- |
156
156
|__Azure Key Vault__|[Service endpoint](/azure/key-vault/general/overview-vnet-service-endpoints)</br>[Private endpoint](/azure/key-vault/general/private-link-service)|[Allow trusted Microsoft services to bypass this firewall](./v1/how-to-secure-workspace-vnet.md#secure-azure-key-vault)|
157
-
|__Azure Storage Account__|[Service and private endpoint](./v1/how-to-secure-workspace-vnet.md?tabs=se#secure-azure-storage-accounts)</br>[Private endpoint](./v1/how-to-secure-workspace-vnet.md?tabs=pe#secure-azure-storage-accounts)|[Grant access from Azure resource instances](/azure/storage/common/storage-network-security#grant-access-from-azure-resource-instances)</br>**or**</br>[Grant access to trusted Azure services](/azure/storage/common/storage-network-security#grant-access-to-trusted-azure-services)|
157
+
|__Azure Storage Account__|[Service and private endpoint](./v1/how-to-secure-workspace-vnet.md?tabs=se#secure-azure-storage-accounts)</br>[Private endpoint](./v1/how-to-secure-workspace-vnet.md?tabs=pe#secure-azure-storage-accounts)|[Grant access from Azure resource instances](/azure/storage/common/storage-network-security#grant-access-from-azure-resource-instances)</br>__or__</br>[Grant access to trusted Azure services](/azure/storage/common/storage-network-security#grant-access-to-trusted-azure-services)|
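Review bot: this is the v1 (`./v1/` paths) copy of the table in the previous hunk and carries the same `</br>` markup on line 157. Whatever fix is applied to the v2 table (`<br>` instead of `</br>`) should be mirrored here so the two moniker variants stay in sync.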
@@ -182,14 +182,14 @@ In this section, you learn how to secure the training environment in Azure Machi
182
182
To secure the training environment, use the following steps:
183
183
184
184
:::moniker range="azureml-api-2"
185
-
1. Create an Azure Machine Learning [compute instance and computer cluster in the virtual network](how-to-secure-training-vnet.md) to run the training job.
185
+
1. Create an Azure Machine Learning [compute instance and computer cluster in the virtual network](how-to-secure-training-vnet.md). Training jobs run on these computes.
186
186
1. If your compute cluster or compute instance uses a public IP address, you must [Allow inbound communication](how-to-secure-training-vnet.md) so that management services can submit jobs to your compute resources.
187
187
188
188
> [!TIP]
189
189
> Compute cluster and compute instance can be created with or without a public IP address. If created with a public IP address, you get a load balancer with a public IP to accept the inbound access from Azure batch service and Azure Machine Learning service. You need to configure User Defined Routing (UDR) if you use a firewall. If created without a public IP, you get a private link service to accept the inbound access from Azure batch service and Azure Machine Learning service without a public IP.
190
190
:::moniker-end
191
191
:::moniker range="azureml-api-1"
192
-
1. Create an Azure Machine Learning [compute instance and computer cluster in the virtual network](./v1/how-to-secure-training-vnet.md) to run the training job.
192
+
1. Create an Azure Machine Learning [compute instance and computer cluster in the virtual network](./v1/how-to-secure-training-vnet.md). Train jobs run on these computes.
193
193
1. If your compute cluster or compute instance uses a public IP address, you must [Allow inbound communication](./v1/how-to-secure-training-vnet.md) so that management services can submit jobs to your compute resources.
194
194
195
195
> [!TIP]
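Review bot: the two moniker variants of step 1 now differ: new line 185 says "Training jobs run on these computes." while new line 192 says "Train jobs run on these computes." The second is a typo; both should read "Training jobs". While here, the untouched link text on both lines says "compute instance and computer cluster", which should be "compute cluster", and "computes" as a noun is jargon; "compute targets" matches the wording used in the "Training compute access" bullet earlier in the article.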
@@ -240,9 +240,9 @@ You have two options for AKS clusters in a virtual network:
240
240
- Deploy or attach a default AKS cluster to your VNet.
241
241
- Attach a private AKS cluster to your VNet.
242
242
243
-
**Default AKS clusters** have a control plane with public IP addresses. You can add a default AKS cluster to your VNet during the deployment or attach a cluster after it's created.
243
+
__Default AKS clusters__ have a control plane with public IP addresses. You can add a default AKS cluster to your VNet during the deployment or attach a cluster after creation.
244
244
245
-
**Private AKS clusters** have a control plane, which can only be accessed through private IPs. Private AKS clusters must be attached after the cluster is created.
245
+
__Private AKS clusters__ have a control plane, which can only be accessed through private IPs. Private AKS clusters must be attached after the cluster is created.
246
246
247
247
For detailed instructions on how to add default and private clusters, see [Secure an inferencing environment](./v1/how-to-secure-inferencing-vnet.md).
248
248
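Review bot: changing "after it's created" to "after creation" on new line 243 leaves the two paragraphs phrased differently, since line 245 still says "must be attached after the cluster is created". Either wording is fine, but use the same one in both. On line 245, "have a control plane, which can only be accessed through private IPs" reads as a non-restrictive aside; "a control plane that can only be accessed through private IPs" states the defining property of a private cluster more precisely.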
@@ -320,7 +320,7 @@ For more information on this configuration, see [Create an Azure Machine Learnin
320
320
321
321
:::image type="content" source="./media/how-to-network-security-overview/private-endpoint-deploy-bastion.svg" alt-text="Daigram showing Microsoft Sentinel connection through a VNet.":::
322
322
323
-
## Next steps
323
+
## Related content
324
324
325
325
This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:
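Review bot: the heading rename to "## Related content" matches the section body, which only lists the other articles in the series. The unchanged context line 321 just above it carries two problems worth fixing in the same commit: the alt text has a typo ("Daigram") and describes a "Microsoft Sentinel connection through a VNet" although the image file is `private-endpoint-deploy-bastion.svg`; the alt text should describe the Bastion/private endpoint deployment the image actually shows.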