writing

Author: Blackmist

articles/ai-studio/concepts/vulnerability-management.md

@@ -48,43 +48,18 @@ Azure AI Studio releases updates for supported images every two weeks to address
 
 Patched images are released under a new immutable tag and an updated `:latest` tag. Using the `:latest` tag or pinning to a particular image version might be a tradeoff between security and environment reproducibility for your machine learning job.
 
-<!-- ## Managing environments and container images  
+## Managing environments and container images  
 
-Q: Do we still need this section?
+In Azure AI Studio, Docker images are used to provide a runtime environment for [prompt flow deployments](../how-to/flow-deploy.md). The images are built from a base image that Azure AI Studio provides.
 
-Reproducibility is a key aspect of software development and machine learning experimentation. The [Azure Machine Learning environment](concept-environments.md) component's primary focus is to guarantee reproducibility of the environment where the user's code is executed. To ensure reproducibility for any machine learning job, earlier built images are pulled to the compute nodes without the need for rematerialization.
+Although Azure AI Studio patches base images with each release, whether you use the latest image might be tradeoff between reproducibility and vulnerability management. It's your responsibility to choose the environment version that you use for your jobs or model deployments.  
 
-Although Azure Machine Learning patches base images with each release, whether you use the latest image might be tradeoff between reproducibility and vulnerability management. It's your responsibility to choose the environment version that you use for your jobs or model deployments.  
+By default, dependencies are layered on top of base images when you're building an image. After you install more dependencies on top of the Microsoft-provided images, vulnerability management becomes your responsibility.  
 
-By default, dependencies are layered on top of base images that Azure Machine Learning provides when you're building environments. You can also use your own base images when you're using environments in Azure Machine Learning. After you install more dependencies on top of the Microsoft-provided images, or bring your own base images, vulnerability management becomes your responsibility.  
+Associated with your AI hub resource is an Azure Container Registry instance that functions as a cache for container images. Any image that materializes is pushed to the container registry. The workspace uses it when deployment is triggered for the corresponding environment.
 
-Associated with your Azure Machine Learning workspace is an Azure Container Registry instance that functions as a cache for container images. Any image that materializes is pushed to the container registry. The workspace uses it if experimentation or deployment is triggered for the corresponding environment.
+The AI hub doesn't delete any image from your container registry. You're responsible for evaluating the need for an image over time. To monitor and maintain environment hygiene, you can use [Microsoft Defender for Container Registry](/azure/defender-for-cloud/defender-for-container-registries-usage) to help scan your images for vulnerabilities. To automate your processes based on triggers from Microsoft Defender, see [Automate remediation responses](/azure/defender-for-cloud/workflow-automation).
 
-Azure Machine Learning doesn't delete any image from your container registry. You're responsible for evaluating the need for an image over time. To monitor and maintain environment hygiene, you can use [Microsoft Defender for Container Registry](../defender-for-cloud/defender-for-container-registries-usage.md) to help scan your images for vulnerabilities. To automate your processes based on triggers from Microsoft Defender, see [Automate remediation responses](../defender-for-cloud/workflow-automation.md).
-
-## Using a private package repository
-
-Q: Do we need this section?
-
-Azure Machine Learning uses Conda and Pip to install Python packages. By default, Azure Machine Learning downloads packages from public repositories. If your organization requires you to source packages only from private repositories like Azure DevOps feeds, you can override the Conda and Pip configuration as part of your base images and your environment configurations for compute instances.
-
-The following example configuration shows how to remove the default channels and add your own private Conda and Pip feeds. Consider using [compute instance setup scripts](./how-to-customize-compute-instance.md) for automation.
-
-```dockerfile
-RUN conda config --set offline false \
-&& conda config --remove channels defaults || true \
-&& conda config --add channels https://my.private.conda.feed/conda/feed \
-&& conda config --add repodata_fns <repodata_file_on_your_server>.json
-
-# Configure Pip private indexes and ensure that the client trusts your host
-RUN pip config set global.index https://my.private.pypi.feed/repository/myfeed/pypi/ \
-&&  pip config set global.index-url https://my.private.pypi.feed/repository/myfeed/simple/
-
-# In case your feed host isn't secured through SSL
-RUN  pip config set global.trusted-host http://my.private.pypi.feed/
-```
-
-To learn how to specify your own base images in Azure Machine Learning, see [Create an environment from a Docker build context](how-to-use-environments.md#use-your-own-dockerfile). For more information on configuring Conda environments, see [Creating an environment file manually](https://docs.conda.io/projects/conda/en/4.6.1/user-guide/tasks/manage-environments.html#creating-an-environment-file-manually) on the Conda site. -->
 
 ## Vulnerability management on compute hosts
 
@@ -149,32 +124,12 @@ In the following conditions, cluster nodes don't scale down, so they can't get t
 
 You're responsible for scaling down non-idle cluster nodes to get the latest OS VM image updates. Azure Machine Learning doesn't stop any running workloads on compute nodes to issue VM updates. Temporarily change the minimum nodes to zero and allow the cluster to reduce to zero nodes. -->
 
-### Managed online endpoints
+### Endpoints
 
-Managed online endpoints automatically receive OS host image updates that include vulnerability fixes. The update frequency of images is at least once a month.
+Endpoints automatically receive OS host image updates that include vulnerability fixes. The update frequency of images is at least once a month.
 
 Compute nodes are automatically upgraded to the latest VM image version when that version is released. You don't need to take any action.  
 
-<!-- ### Customer-managed Kubernetes clusters
-
-[Kubernetes compute](how-to-attach-kubernetes-anywhere.md) lets you configure Kubernetes clusters to train, perform inference, and manage models in Azure Machine Learning.
-
-Because you manage the environment with Kubernetes, management of both OS VM vulnerabilities and container image vulnerabilities is your responsibility.  
-
-Azure Machine Learning frequently publishes new versions of Azure Machine Learning extension container images in Microsoft Artifact Registry. Microsoft is responsible for ensuring that new image versions are free from vulnerabilities. [Each release](https://github.com/Azure/AML-Kubernetes/blob/master/docs/release-notes.md) fixes vulnerabilities.
-
-When your clusters run jobs without interruption, running jobs might run outdated container image versions. After you upgrade the `amlarc` extension to a running cluster, newly submitted jobs start to use the latest image version. When you're upgrading the `amlarc` extension to its latest version, clean up the old container image versions from the clusters as required.
-
-To observe whether your Azure Arc cluster is running the latest version of `amlarc`, use the Azure portal. Under your Azure Arc resource of the type **Kubernetes - Azure Arc**, go to **Extensions** to find the version of the `amlarc` extension.
-
-## AutoML and Designer environments
-
-For code-based training experiences, you control which Azure Machine Learning environment to use. With AutoML and the designer, the environment is encapsulated as part of the service. These types of jobs can run on computes that you configure, to allow for extra controls such as network isolation.
-
-AutoML jobs run on environments that layer on top of Azure Machine Learning [base Docker images](https://github.com/Azure/AzureML-Containers).
-
-Designer jobs are compartmentalized into [components](concept-component.md). Each component has its own environment that layers on top of the Azure Machine Learning base Docker images. For more information on components, see the [component reference](./component-reference-v2/component-reference-v2.md).   -->
-
 ## Next steps
 
 <!-- * [Azure Machine Learning repository for base images](https://github.com/Azure/AzureML-Containers)