Merge pull request #190774 from Blackmist/1925309-vnet-private-aks

PRMerger10 · web-flow · commit 6f1c88859b73 · 2022-03-15T06:28:28.000-07:00
adding info on creating/attaching aks w/internal load balancer
diff --git a/articles/machine-learning/how-to-create-attach-kubernetes.md b/articles/machine-learning/how-to-create-attach-kubernetes.md
@@ -7,8 +7,8 @@ ms.service: machine-learning
 ms.subservice: core
 ms.topic: how-to
 ms.custom: devx-track-azurecli
-ms.author: jordane
-author: jpe316
+ms.author: ssambare
+author:  shivanissambare
 ms.reviewer: larryfr
 ms.date: 11/05/2021
 ---
@@ -330,28 +330,59 @@ Following example shows how to enable TLS termination with custom certificate an
 > For more information about how to secure model deployment on AKS cluster, please see [use TLS to secure a web service through Azure Machine Learning](how-to-secure-web-service.md)
 
 ## Create or attach an AKS cluster to use Internal Load Balancer with private IP
+
 When you create or attach an AKS cluster, you can configure the cluster to use an Internal Load Balancer. With an Internal Load Balancer, scoring endpoints for your deployments to AKS will use a private IP within the virtual network. Following code snippets show how to configure an Internal Load Balancer for an AKS cluster.
+
+# [Create](#tab/akscreate)
+
+To create an AKS cluster that uses an Internal Load Balancer, use the the `load_balancer_type` and `load_balancer_subnet` parameters:
+
 ```python
-   
-   from azureml.core.compute.aks import AksUpdateConfiguration
-   from azureml.core.compute import AksCompute, ComputeTarget
-   
-   # When you create an AKS cluster, you can specify Internal Load Balancer to be created with provisioning_config object
-   provisioning_config = AksCompute.provisioning_configuration(load_balancer_type = 'InternalLoadBalancer')
-
-   # when you attach an AKS cluster, you can update the cluster to use internal load balancer after attach
-   aks_target = AksCompute(ws,"myaks")
-
-   # Change to the name of the subnet that contains AKS
-   subnet_name = "default"
-   # Update AKS configuration to use an internal load balancer
-   update_config = AksUpdateConfiguration(None, "InternalLoadBalancer", subnet_name)
-   aks_target.update(update_config)
-   # Wait for the operation to complete
-   aks_target.wait_for_completion(show_output = True)
-   
-   
+from azureml.core.compute.aks import AksUpdateConfiguration
+from azureml.core.compute import AksCompute, ComputeTarget
+
+# Change to the name of the subnet that contains AKS
+subnet_name = "default"
+# When you create an AKS cluster, you can specify Internal Load Balancer to be created with provisioning_config object
+provisioning_config = AksCompute.provisioning_configuration(load_balancer_type = 'InternalLoadBalancer', load_balancer_subnet = subnet_name)
+
+# Create the cluster
+aks_target = ComputeTarget.create(workspace = ws,
+                                name = aks_name,
+                                provisioning_configuration = provisioning_config)
+
+# Wait for the create process to complete
+aks_target.wait_for_completion(show_output = True)
+```
+
+# [Attach](#tab/aksattach)
+
+To attach an AKS cluster and use an internal load balancer (no public IP for the cluster), use the `load_balancer_type` and `load_balancer_subnet` parameters:
+
+```python
+from azureml.core.compute import AksCompute, ComputeTarget
+# Set the resource group that contains the AKS cluster and the cluster name
+resource_group = 'myresourcegroup'
+cluster_name = 'myexistingcluster'
+# Change to the name of the subnet that contains AKS
+subnet_name = "default"
+
+# Attach the cluster to your workgroup. If the cluster has less than 12 virtual CPUs, use the following instead:
+# attach_config = AksCompute.attach_configuration(resource_group = resource_group,
+#                                         cluster_name = cluster_name,
+#                                         cluster_purpose = AksCompute.ClusterPurpose.DEV_TEST)
+attach_config = AksCompute.attach_configuration(resource_group = resource_group,
+                                         cluster_name = cluster_name,
+                                         load_balancer_type = 'InternalLoadBalancer', 
+                                         load_balancer_subnet = subnet_name)
+aks_target = ComputeTarget.attach(ws, 'myaks', attach_config)
+
+# Wait for the attach process to complete
+aks_target.wait_for_completion(show_output = True)
 ```
+
+---
+
 >[!IMPORTANT]
 > If your AKS cluster is configured with an Internal Load Balancer, using a Microsoft provided certificate is not supported and you must use [custom certificate to enable TLS](how-to-secure-web-service.md#deploy-on-azure-kubernetes-service). 
 
@@ -464,6 +495,12 @@ kubectl delete secret azuremlfessl
 kubectl delete cm azuremlfeconfig
 ```
 
+### Load balancers should not have public IPs
+
+When trying to create or attach an AKS cluster, you may receive a message that the request has been denied because "Load Balancers should not have public IPs". This message is returned when an administrator has applied a policy that prevents using an AKS cluster with a public IP address.
+
+To resolve this problem, create/attach the cluster by using the `load_balancer_type` and `load_balancer_subnet` parameters. For more information, see  [Internal Load Balancer (private IP)](#create-or-attach-an-aks-cluster-to-use-internal-load-balancer-with-private-ip).
+
 ## Next steps
 
 * [Use Azure RBAC for Kubernetes authorization](../aks/manage-azure-rbac.md)
diff --git a/articles/machine-learning/how-to-secure-inferencing-vnet.md b/articles/machine-learning/how-to-secure-inferencing-vnet.md
@@ -9,7 +9,7 @@ ms.topic: how-to
 ms.reviewer: larryfr
 ms.author: jhirono
 author: jhirono
-ms.date: 03/02/2022
+ms.date: 03/07/2022
 ms.custom: contperf-fy20q4, tracking-python, contperf-fy21q1, devx-track-azurecli
 
 ---
@@ -245,26 +245,9 @@ For more information, see the [az ml computetarget create aks](/cli/azure/ml(v1)
 
 ---
 
-When __attaching an existing cluster__ to your workspace, you must wait until after the attach operation to configure the load balancer. For information on attaching a cluster, see [Attach an existing AKS cluster](how-to-create-attach-kubernetes.md).
+When __attaching an existing cluster__ to your workspace, use the `load_balancer_type` and `load_balancer_subnet` parameters of [AksCompute.attach_configuration()](/python/api/azureml-core/azureml.core.compute.aks.akscompute#azureml-core-compute-aks-akscompute-attach-configuration) to configure the load balancer.
 
-After attaching the existing cluster, you can then update the cluster to use an internal load balancer/private IP:
-
-```python
-import azureml.core
-from azureml.core.compute.aks import AksUpdateConfiguration
-from azureml.core.compute import AksCompute
-
-# ws = workspace object. Creation not shown in this snippet
-aks_target = AksCompute(ws,"myaks")
-
-# Change to the name of the subnet that contains AKS
-subnet_name = "default"
-# Update AKS configuration to use an internal load balancer
-update_config = AksUpdateConfiguration(None, "InternalLoadBalancer", subnet_name)
-aks_target.update(update_config)
-# Wait for the operation to complete
-aks_target.wait_for_completion(show_output = True)
-```
+For information on attaching a cluster, see [Attach an existing AKS cluster](how-to-create-attach-kubernetes.md).
 
 ## Enable Azure Container Instances (ACI)
 
