Merge pull request #127703 from Blackmist/vnet-ui-update

updating for UI changes

Author: v-shils

articles/machine-learning/how-to-manage-workspace.md

@@ -47,7 +47,7 @@ To create a workspace, you need an Azure subscription. If you don't have an Azur
 
     ![Configure your workspace](./media/how-to-manage-workspace/select-edition.png)
 
-1. When you're finished configuring the workspace, select **Review + Create**.
+1. When you're finished configuring the workspace, select **Review + Create**. Optionally, use the [Networking](#networking) and [Advanced](#advanced) sections to configure more settings for the workspace.
 2. Review the settings and make any additional changes or corrections. When you're satisfied with the settings, select **Create**.
 
    > [!Warning] 
@@ -57,15 +57,66 @@ To create a workspace, you need an Azure subscription. If you don't have an Azur
 
  1. To view the new workspace, select **Go to resource**.
 
-### Download a configuration file
 
-1. If you will be creating a [compute instance](tutorial-1st-experiment-sdk-setup.md#azure), skip this step.
+### Networking
 
-1. If you plan to use code on your local environment that references this workspace, select  **Download config.json** from the **Overview** section of the workspace.  
+> [!IMPORTANT]
+> For more information on using a private endpoint and virtual network with your workspace, see [Network isolation and privacy](how-to-enable-virtual-network.md).
 
-   ![Download config.json](./media/how-to-manage-workspace/configure.png)
-   
-   Place the file into  the directory structure with your Python scripts or Jupyter Notebooks. It can be in the same directory, a subdirectory named *.azureml*, or in a parent directory. When you create a compute instance, this file is added to the correct directory on the VM for you.
+1. The default network configuration is to use a __Public endpoint__, which is accessible on the public internet. To limit access to your workspace to an Azure Virtual Network you have created, you can instead select __Private endpoint__ (preview) as the __Connectivity method__, and then use __+ Add__ to configure the endpoint.
+
+   > [!IMPORTANT]
+   > Using a private endpoint with Azure Machine Learning workspace is currently in public preview. This preview is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. 
+   > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+   :::image type="content" source="media/how-to-manage-workspace/select-private-endpoint.png" alt-text="Private endpoint selection":::
+
+1. On the __Create private endpoint__ form, set the location, name, and virtual network to use. If you'd like to use the endpoint with a Private DNS Zone, select __Integrate with private DNS zone__ and select the zone using the __Private DNS Zone__ field. Select __OK__ to create the endpoint. 
+
+   :::image type="content" source="media/how-to-manage-workspace/create-private-endpoint.png" alt-text="Private endpoint creation":::
+
+1. When you are finished configuring networking, you can select __Review + Create__, or advance to the optional __Advanced__ configuration.
+
+    > [!WARNING]
+    > When you create a private endpoint, a new Private DNS Zone named __privatelink.api.azureml.ms__ is created. This contains a link to the virtual network. If you create multiple workspaces with private endpoints in the same resource group, only the virtual network for the first private endpoint may be added to the DNS zone. To add entries for the virtual networks used by the additional workspaces/private endpoints, use the following steps:
+    > 
+    > 1. In the [Azure portal](https://portal.azure.com), select the resource group that contains the workspace. Then select the Private DNS Zone resource named __privatelink.api.azureml.ms__.
+    > 2. In the __Settings__, select __Virtual network links__.
+    > 3. Select __Add__. From the __Add virtual network link__ page, provide a unique __Link name__, and then select the __Virtual network__ to be added. Select __OK__ to add the network link.
+    >
+    > For more information, see [Azure Private Endpoint DNS configuration](/azure/private-link/private-endpoint-dns).
+
+### Advanced
+
+By default, metrics and metadata for the workspace is stored in an Azure Cosmos DB instance that Microsoft maintains. This data is encrypted using Microsoft-managed keys. 
+
+To limit the data that Microsoft collects on your workspace, select __High business impact workspace__.
+
+> [!IMPORTANT]
+> Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.
+
+If you are using the __Enterprise__ version of Azure Machine Learning, you can instead provide your own key. Doing so creates the Azure Cosmos DB instance that stores metrics and metadata in your Azure subscription. Use the following steps to use your own key:
+
+> [!IMPORTANT]
+> Before following these steps, you must first perform the following actions:
+>
+> 1. Authorize the __Machine Learning App__ (in Identity and Access Management) with contributor permissions on your subscription.
+> 1. Follow the steps in [Configure customer-managed keys](/azure/cosmos-db/how-to-setup-cmk) to:
+>     * Register the Azure Cosmos DB provider
+>     * Create and configure an Azure Key Vault
+>     * Generate a key
+>
+>     You do not need to manually create the Azure Cosmos DB instance, one will be created for you during workspace creation. This Azure Cosmos DB instance will be created in a separate resource group using a name based on this pattern: `<your-resource-group-name>_<GUID>`.
+>
+> You cannot change this setting after workspace creation. If you delete the Azure Cosmos DB used by your workspace, you must also delete the workspace that is using it.
+
+1. Select __Customer-managed keys__, and then select __Click to select key__.
+
+    :::image type="content" source="media/how-to-manage-workspace/advanced-workspace.png" alt-text="Customer-managed keys":::
+
+1. On the __Select key from Azure Key Vault__ form, select an existing Azure Key Vault, a key that it contains, and the version of the key. This key is used to encrypt the data stored in Azure Cosmos DB. Finally, use the __Select__ button to use this key.
+
+   :::image type="content" source="media/how-to-manage-workspace/select-key-vault.png" alt-text="Select the key":::
 
 ## <a name="upgrade"></a>Upgrade to Enterprise edition
 
@@ -83,7 +134,17 @@ You can upgrade your workspace from Basic edition to Enterprise edition to take
 
 
 > [!IMPORTANT]
-> You cannot downgrade an Enterprise edition workspace to a Basic edition workspace. 
+> You cannot downgrade an Enterprise edition workspace to a Basic edition workspace.
+
+### Download a configuration file
+
+1. If you will be creating a [compute instance](tutorial-1st-experiment-sdk-setup.md#azure), skip this step.
+
+1. If you plan to use code on your local environment that references this workspace, select  **Download config.json** from the **Overview** section of the workspace.  
+
+   ![Download config.json](./media/how-to-manage-workspace/configure.png)
+   
+   Place the file into  the directory structure with your Python scripts or Jupyter Notebooks. It can be in the same directory, a subdirectory named *.azureml*, or in a parent directory. When you create a compute instance, this file is added to the correct directory on the VM for you.
 
 ## <a name="view"></a>Find a workspace