articles/machine-learning/concept-secure-online-endpoint.md
Lines changed: 7 additions & 7 deletions
@@ -91,12 +91,12 @@ For outbound communication with a workspace managed virtual network, Azure Machi
91
91
92
92
- Creates private endpoints for the managed virtual network to use for communication with Azure resources that are used by the workspace, such as Azure Storage, Azure Key Vault, and Azure Container Registry.
93
93
- Allows deployments to access the Microsoft Container Registry (MCR), which can be useful when you want to use curated environments or MLflow no-code deployment.
94
-
- Allows users to configure private endpoint outbound rules to private resources and configure outbound rules for service tags and FQDNs for public resources. For more information on how to manage outbound rules, see [Manage outbound rules](how-to-managed-network.md#manage-outbound-rules).
94
+
- Allows users to configure private endpoint outbound rules to private resources and configure outbound rules (service tag or FQDN) for public resources. For more information on how to manage outbound rules, see [Manage outbound rules](how-to-managed-network.md#manage-outbound-rules).
95
95
96
-
Furthermore, you have two configuration modes for outbound traffic from the workspace managed virtual network, namely:
96
+
Furthermore, you can configure two isolation modes for outbound traffic from the workspace managed virtual network, namely:
97
97
98
98
-**Allow internet outbound**, to allow all internet outbound traffic from the managed virtual network
99
-
-**Allow only approved outbound**, to control outbound traffic using private endpoints, FQDNs, and service tags.
99
+
-**Allow only approved outbound**, to control outbound traffic using private endpoints, FQDN outbound rules, and service tag outbound rules.
100
100
101
101
For example, say your workspace's managed virtual network contains two deployments under a managed online endpoint, both deployments can use the workspace's private endpoints to communicate with:
102
102
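Review bot: the two bullets at lines 98 and 99 (`-**Allow internet outbound**` and `-**Allow only approved outbound**`) have no space between the hyphen and the bold text, so CommonMark renderers will not treat them as list items; since this hunk already rewrites line 99, change both to `- **Allow internet outbound**, ...` and `- **Allow only approved outbound**, ...`. The new wording at line 99 ("FQDN outbound rules, and service tag outbound rules") does line up with the "outbound rules (service tag or FQDN)" phrasing introduced at line 94, which is good. One minor point in the unchanged context at line 101: "...under a managed online endpoint, both deployments can use..." is a comma splice and reads better as two sentences or with "then".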
@@ -120,11 +120,11 @@ However, say the app is private, such as an internal app within your organizatio
120
120
121
121
**For outbound communication (deployment)**:
122
122
123
-
Suppose your deployment doesn't need to access private Azure resources (such as the Azure Storage blob, ACR, and Azure Key Vault), then you don't need to use a workspacemanaged virtual network.
123
+
Suppose your deployment needs to access private Azure resources (such as the Azure Storage blob, ACR, and Azure Key Vault), or it's unacceptable for the deployment to access the internet. In this case, you need to **enable** the _workspace's managed virtual network_ with the **allow only approved outbound** isolation mode. This isolation mode allows outbound communication from the deployment to approved destinations only, thereby protecting against data exfiltration. Furthermore, you can add outbound rules for the workspace, to allow access to more private or public resources. For more information, see [Configure a managed virtual network to allow only approved outbound](how-to-managed-network.md#configure-a-managed-virtual-network-to-allow-only-approved-outbound).
124
124
125
-
However, if the deployment needs to access private Azure resources, you need to **enable**the _workspace's managed virtual network_ so that its private endpoints can be used by the deployment to communicate with those Azure resources.
126
-
Furthermore, you can configure the managed virtual network to **allow internet outbound** so that your deployment can also access the public internet.
127
-
Alternatively, you can configure the virtual network to **allow only approved outbound**, so that outbound communication from the deployment is to approved destinations only, thereby protecting against data exfiltration.
125
+
However, if you want your deployment to access the internet, you can use the workspace's managed virtual network with the **allow internet outbound** isolation mode. Apart from being able to access the internet, you'll be able to use the private endpoints of the managed virtual network to access private Azure resources that you need.
126
+
127
+
Finally, if your deployment doesn't need to access private Azure resources and you don't need to control access to the internet, then you don't need to use a workspace managed virtual network.
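Review bot: the statement at the new line 123 that the **allow only approved outbound** mode is "thereby protecting against data exfiltration" should be qualified, because the same line goes on to say that outbound rules can be added for public resources (FQDN and service tag); traffic to every approved destination is still permitted, so the protection is only as strong as the outbound rule set. Suggest "thereby limiting the destinations available for data exfiltration" together with a sentence that outbound rules should be kept to the minimum the deployment needs. The restructuring correctly fixes the "workspacemanaged" typo in the removed line 123 and the missing space in "**enable**the" in the removed line 125, so nothing further is needed there.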