Merge pull request #251175 from Blackmist/fresh-09

JamesJBarnett · web-flow · commit 207e257be8dd · 2023-09-12T13:56:13.000-07:00
freshness/moniker work
diff --git a/articles/machine-learning/concept-customer-managed-keys.md b/articles/machine-learning/concept-customer-managed-keys.md
@@ -9,8 +9,9 @@ ms.topic: conceptual
 ms.author: jhirono
 author: jhirono
 ms.reviewer: larryfr
-ms.date: 01/19/2023
+ms.date: 09/12/2023
 ms.custom: engagement-fy23
+monikerRange: 'azureml-api-2 || azureml-api-1'
 ---
 # Customer-managed keys for Azure Machine Learning
 
@@ -20,7 +21,7 @@ Azure Machine Learning is built on top of multiple Azure services. While the dat
 
 In addition to customer-managed keys, Azure Machine Learning also provides a [hbi_workspace flag](/python/api/azure-ai-ml/azure.ai.ml.entities.workspace). Enabling this flag reduces the amount of data Microsoft collects for diagnostic purposes and enables [extra encryption in Microsoft-managed environments](../security/fundamentals/encryption-atrest.md). This flag also enables the following behaviors:
 
-* Starts encrypting the local scratch disk in your Azure Machine Learning compute cluster, provided you haven’t created any previous clusters in that subscription. Else, you need to raise a support ticket to enable encryption of the scratch disk of your compute clusters.
+* Starts encrypting the local scratch disk in your Azure Machine Learning compute cluster, provided you haven't created any previous clusters in that subscription. Else, you need to raise a support ticket to enable encryption of the scratch disk of your compute clusters.
 * Cleans up your local scratch disk between jobs.
 * Securely passes credentials for your storage account, container registry, and SSH account from the execution layer to your compute clusters using your key vault.
 
@@ -43,15 +44,15 @@ In addition to customer-managed keys, Azure Machine Learning also provides a [hb
 
 ## Limitations
 
-* The customer-managed key for resources the workspace depends on can’t be updated after workspace creation.
-* Resources managed by Microsoft in your subscription can’t transfer ownership to you.
+* The customer-managed key for resources the workspace depends on can't be updated after workspace creation.
+* Resources managed by Microsoft in your subscription can't transfer ownership to you.
 * You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your workspace.
 
 ## How workspace metadata is stored
 
 The following resources store metadata for your workspace:
 
-| Service | How it’s used |
+| Service | How it's used |
 | ----- | ----- |
 | Azure Cosmos DB | Stores job history data. |
 | Azure Cognitive Search | Stores indices that are used to help query your machine learning content. |
@@ -84,12 +85,21 @@ These Microsoft-managed resources are located in a new Azure resource group is c
 
 Azure Machine Learning uses compute resources to train and deploy machine learning models. The following table describes the compute options and how data is encrypted by each one:
 
+:::moniker range="azureml-api-1"
 | Compute | Encryption |
 | ----- | ----- |
 | Azure Container Instance | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Encrypt data with a customer-managed key](../container-instances/container-instances-encrypt-data.md). |
 | Azure Kubernetes Service | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Bring your own keys with Azure disks in Azure Kubernetes Services](../aks/azure-disk-customer-managed-keys.md). |
 | Azure Machine Learning compute instance | Local scratch disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |
 | Azure Machine Learning compute cluster | OS disk encrypted in Azure Storage with Microsoft-managed keys. Temporary disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |
+:::moniker-end
+:::moniker range="azureml-api-2"
+| Compute | Encryption |
+| ----- | ----- |
+| Azure Kubernetes Service | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Bring your own keys with Azure disks in Azure Kubernetes Services](../aks/azure-disk-customer-managed-keys.md). |
+| Azure Machine Learning compute instance | Local scratch disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |
+| Azure Machine Learning compute cluster | OS disk encrypted in Azure Storage with Microsoft-managed keys. Temporary disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |
+:::moniker-end
 
 **Compute cluster**
 The OS disk for each compute node stored in Azure Storage is encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts. This compute target is ephemeral, and clusters are typically scaled down when no jobs are queued. The underlying virtual machine is de-provisioned, and the OS disk is deleted. Azure Disk Encryption isn't supported for the OS disk. 
@@ -101,8 +111,8 @@ The OS disk for compute instance is encrypted with Microsoft-managed keys in Azu
 
 ### HBI_workspace flag
 
-* The `hbi_workspace` flag can only be set when a workspace is created. It can’t be changed for an existing workspace.
-* When this flag is set to True, it may increase the difficulty of troubleshooting issues because less telemetry data is sent to Microsoft. There’s less visibility into success rates or problem types. Microsoft may not be able to react as proactively when this flag is True.
+* The `hbi_workspace` flag can only be set when a workspace is created. It can't be changed for an existing workspace.
+* When this flag is set to True, it may increase the difficulty of troubleshooting issues because less telemetry data is sent to Microsoft. There's less visibility into success rates or problem types. Microsoft may not be able to react as proactively when this flag is True.
 
 To enable the `hbi_workspace` flag when creating an Azure Machine Learning workspace, follow the steps in one of the following articles:
 
diff --git a/articles/machine-learning/how-to-setup-customer-managed-keys.md b/articles/machine-learning/how-to-setup-customer-managed-keys.md
@@ -10,7 +10,8 @@ ms.topic: conceptual
 ms.author: jhirono
 author: jhirono
 ms.reviewer: larryfr
-ms.date: 01/20/2023
+ms.date: 09/12/2023
+monikerRange: 'azureml-api-2 || azureml-api-1'
 ---
 # Use customer-managed keys with Azure Machine Learning
 
@@ -27,7 +28,7 @@ In the [customer-managed keys concepts article](concept-customer-managed-keys.md
     | Resource provider | Why it's needed |
     | ----- | ----- |
     | Microsoft.MachineLearningServices | Creating the Azure Machine Learning workspace.
-    | Microsoft.Storage	Azure | Storage Account is used as the default storage for the workspace.
+    | Microsoft.Storage    Azure | Storage Account is used as the default storage for the workspace.
     | Microsoft.KeyVault |Azure Key Vault is used by the workspace to store secrets.
     | Microsoft.DocumentDB/databaseAccounts | Azure Cosmos DB instance that logs metadata for the workspace.
     | Microsoft.Search/searchServices | Azure Search provides indexing capabilities for the workspace.
@@ -37,8 +38,8 @@ In the [customer-managed keys concepts article](concept-customer-managed-keys.md
 
 ## Limitations
 
-* The customer-managed key for resources the workspace depends on can’t be updated after workspace creation.
-* Resources managed by Microsoft in your subscription can’t transfer ownership to you.
+* The customer-managed key for resources the workspace depends on can't be updated after workspace creation.
+* Resources managed by Microsoft in your subscription can't transfer ownership to you.
 * You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your workspace.
 * The key vault that contains your customer-managed key must be in the same Azure subscription as the Azure Machine Learning workspace.
 * OS disk of machine learning compute can't be encrypted with customer-managed key, but can be encrypted with Microsoft-managed key if the workspace is created with `hbi_workspace` parameter set to `TRUE`. For more details, see [Data encryption](concept-data-encryption.md#machine-learning-compute).
@@ -131,6 +132,7 @@ Once the workspace has been created, you'll notice that Azure resource group is
 
 For more information on customer-managed keys with Azure Cosmos DB, see [Configure customer-managed keys for your Azure Cosmos DB account](../cosmos-db/how-to-setup-cmk.md).
 
+:::moniker range="azureml-api-1"
 ### Azure Container Instance
 
 > [!IMPORTANT]
@@ -146,12 +148,11 @@ To use the key when deploying a model to Azure Container Instance, create a new
 
 For more information on creating and using a deployment configuration, see the following articles:
 
-* [AciWebservice.deploy_configuration()](/python/api/azureml-core/azureml.core.webservice.aci.aciwebservice#deploy-configuration-cpu-cores-none--memory-gb-none--tags-none--properties-none--description-none--location-none--auth-enabled-none--ssl-enabled-none--enable-app-insights-none--ssl-cert-pem-file-none--ssl-key-pem-file-none--ssl-cname-none--dns-name-label-none--primary-key-none--secondary-key-none--collect-model-data-none--cmk-vault-base-url-none--cmk-key-name-none--cmk-key-version-none-) reference
-* [Where and how to deploy](how-to-deploy-online-endpoints.md)
+* [AciWebservice.deploy_configuration()](/python/api/azureml-core/azureml.core.webservice.aci.aciwebservice#deploy-configuration-cpu-cores-none--memory-gb-none--tags-none--properties-none--description-none--location-none--auth-enabled-none--ssl-enabled-none--enable-app-insights-none--ssl-cert-pem-file-none--ssl-key-pem-file-none--ssl-cname-none--dns-name-label-none--primary-key-none--secondary-key-none--collect-model-data-none--cmk-vault-base-url-none--cmk-key-name-none--cmk-key-version-none-)
 * [Deploy a model to Azure Container Instances (SDK/CLI v1)](v1/how-to-deploy-azure-container-instance.md)
 
     For more information on using a customer-managed key with ACI, see [Encrypt deployment data](../container-instances/container-instances-encrypt-data.md).
-
+:::moniker-end
 ### Azure Kubernetes Service
 
 You may encrypt a deployed Azure Kubernetes Service resource using customer-managed keys at any time. For more information, see [Bring your own keys with Azure Kubernetes Service](../aks/azure-disk-customer-managed-keys.md). 
diff --git a/articles/machine-learning/includes/machine-learning-customer-managed-keys.md b/articles/machine-learning/includes/machine-learning-customer-managed-keys.md
@@ -4,18 +4,33 @@ ms.service: machine-learning
 ms.topic: include
 ms.date: 03/08/2022
 ms.author: larryfr
+monikerRange: 'azureml-api-2 || azureml-api-1'
 ---
 
 Customer-managed keys are used with the following services that Azure Machine Learning relies on:
 
-| Service | What it’s used for |
+:::moniker range="azureml-api-2"
+| Service | What it's used for |
 | ----- | ----- |
 | Azure Cosmos DB | Stores metadata for Azure Machine Learning |
 | Azure Cognitive Search | Stores workspace metadata for Azure Machine Learning |
-| Azure Storage Account | Stores workspace metadata for Azure Machine Learning | 
-| Azure Container Instance | Hosting trained models as inference endpoints |
+| Azure Storage Account | Stores workspace metadata for Azure Machine Learning |
+| Azure Kubernetes Service | Hosting trained models as inference endpoints |
+
+> [!TIP]
+> * Azure Cosmos DB, Cognitive Search, and Storage Account are secured using the same key. You can use a different key for Azure Kubernetes Service.
+> * To use a customer-managed key with Azure Cosmos DB, Cognitive Search, and Storage Account, the key is provided when you create your workspace. The key used with Kubernetes Service is provided when configuring that resource.
+:::moniker-end
+:::moniker range="azureml-api-1"
+| Service | What it's used for |
+| ----- | ----- |
+| Azure Cosmos DB | Stores metadata for Azure Machine Learning |
+| Azure Cognitive Search | Stores workspace metadata for Azure Machine Learning |
+| Azure Storage Account | Stores workspace metadata for Azure Machine Learning |
 | Azure Kubernetes Service | Hosting trained models as inference endpoints |
+| Azure Container Instance | Hosting trained models as inference endpoints |
 
 > [!TIP]
 > * Azure Cosmos DB, Cognitive Search, and Storage Account are secured using the same key. You can use a different key for Azure Kubernetes Service and Container Instance.
-> * To use a customer-managed key with Azure Cosmos DB, Cognitive Search, and Storage Account, the key is provided when you create your workspace. The key(s) used with Azure Container Instance and Kubernetes Service are provided when configuring those resources.
+> * To use a customer-managed key with Azure Cosmos DB, Cognitive Search, and Storage Account, the key is provided when you create your workspace. The key(s) used with Azure Container Instance and Kubernetes Service are provided when configuring those resources.
+:::moniker-end
diff --git a/articles/machine-learning/monitor-resource-reference.md b/articles/machine-learning/monitor-resource-reference.md
@@ -9,7 +9,7 @@ ms.reviewer: larryfr
 ms.author: aashishb
 author: aashishb
 ms.custom: subject-monitoring engagement-fy23
-ms.date: 01/19/2023
+ms.date: 09/12/2023
 ---
 
 # Monitoring Azure Machine Learning data reference
