Merge pull request #196190 from Blackmist/dpv2-network-isolation

dpv2 network isolation

Author: v-regandowner

articles/machine-learning/how-to-configure-network-isolation-with-v2.md

@@ -0,0 +1,102 @@
+---
+title: Network isolation change with our new API platform on Azure Resource Manager
+titleSuffix: Azure Machine Learning
+description: 'Explain network isolation changes with our new API platform on Azure Resource Manager and how to maintain network isolation'
+services: machine-learning
+ms.service: machine-learning
+ms.subservice: enterprise-readiness
+ms.topic: how-to
+ms.author: jhirono
+author: jhirono
+ms.reviewer: larryfr
+ms.date: 05/13/2022
+---
+
+# Network Isolation Change with Our New API Platform on Azure Resource Manager
+
+In this article, you'll learn about network isolation changes with our new v2 API platform on Azure Resource Manager (ARM) and its effect on network isolation.
+
+## What is the new API platform on Azure Resource Manager (ARM)
+
+There are two types of operations used by the v1 and v2 APIs, __Azure Resource Manager (ARM)__ and __Azure Machine Learning workspace__.
+
+With the v1 API, most operations used the workspace. For v2, we've moved most operations to use public ARM.
+
+| API version | Public ARM | Workspace |
+| ----- | ----- | ----- |
+| v1 | Workspace and compute create, update, and delete (CRUD) operations. | Other operations such as experiments. |
+| v2 | Most operations such as workspace, compute, datastore, dataset, job, environment, code, component, endpoints. | Remaining operations. |
+
+
+The v2 API provides a consistent API in one place. You can more easily use Azure role-based access control and Azure Policy for resources with the v2 API because it's based on Azure Resource Manager.
+
+The Azure Machine Learning CLI v2 uses our new v2 API platform. New features such as [managed online endpoints](concept-endpoints.md) are only available using the v2 API platform.
+
+## What are the network isolation changes with V2
+
+As mentioned in the previous section, there are two types of operations; with ARM and with the workspace. With the __legacy v1 API__, most operations used the workspace. With the v1 API, adding a private endpoint to the workspace provided network isolation for everything except CRUD operations on the workspace or compute resources.
+
+With the __new v2 API__, most operations use ARM. So enabling a private endpoint on your workspace doesn't provide the same level of network isolation. Operations that use ARM communicate  over public networks, and include any metadata (such as your resource IDs) or parameters used by the operation. For example, the [create or update job](/rest/api/azureml/jobs/create-or-update) api sends metadata, and [parameters](/azure/machine-learning/reference-yaml-job-command).
+
+> [!TIP]
+> * Public ARM operations do not surface data in your storage account on public networks. 
+> * Your communication with public ARM is encrypted using TLS 1.2.
+
+If you need time to evaluate the new v2 API before adopting it in your enterprise solutions, or have a company policy that prohibits sending communication over public networks, we'll provide a *v1_legacy_mode* parameter. When enabled, this parameter disables the v2 API for your workspace.
+
+> [!IMPORTANT]
+> Enabling v1_legacy_mode may prevent you from using features provided by the v2 API. For example, some features of Azure Machine Learning studio may be unavailable.
+
+## Scenarios and Required Actions
+
+>[!WARNING]
+>The *v1_legacy_mode* parameter is not implemented yet. It will be implemented the week of May 15th, 2022.
+
+* If you don't plan on using a private endpoint with your workspace, you don't need to enable parameter.
+
+* If you're OK with operations communicating with public ARM, you don't need to enable the parameter.
+
+* You only need to enable the parameter if you're using a private endpoint with the workspace _and_ don't want to allow operations with ARM over public networks.
+
+Once we implement the parameter, it will be retroactively applied to existing workspaces using the following logic:
+
+* If you have __an existing workspace with a private endpoint__, the flag will be __true__.
+
+* If you have __an existing workspace without a private endpoint__ (public workspace), the flag will be __false__.
+
+After the parameter has been implemented, the default value of the flag depends on the underlying REST API version used when you create a workspace (with a private endpoint):
+
+* If the API version is __older__ than `2022-05-01`, then the flag is __true__ by default. 
+* If the API version is `2022-05-01` or __newer__, then the flag is __false__ by default.
+
+> [!IMPORTANT]
+> If you want to use the v2 API with your workspace, you must set the v1_legacy_mode parameter to false.
+
+## How to update v1_legacy_mode parameter
+
+>[!WARNING]
+>This parameter is not implemented yet. It will be implemented the week of May 15th, 2022.
+
+To update v1_legacy_mode, use the following steps:
+
+# [Python](#tab/python)
+
+To disable v1_legacy_mode, use [Workspace.update](/python/api/azureml-core/azureml.core.workspace(class)#update-friendly-name-none--description-none--tags-none--image-build-compute-none--service-managed-resources-settings-none--primary-user-assigned-identity-none--allow-public-access-when-behind-vnet-none-) and set `v1_legacy_mode=false`.
+
+```python
+from azureml.core import Workspace
+
+ws = Workspace.from_config()
+ws.update(v1_legacy_mode=false)
+```
+
+# [Azure CLI extension v1](#tab/azurecliextensionv1)
+
+The Azure CLI [extension v1 for machine learning](reference-azure-machine-learning-cli.md) provides the [az ml workspace update](/cli/azure/ml/workspace#az-ml-workspace-update) command. To enable the parameter for a workspace, add the parameter `--set v1-legacy-mode=true`.
+
+---
+
+## Next steps
+
+* [Use a private endpoint with Azure Machine Learning workspace](how-to-configure-private-link.md).
+* [Create private link for managing Azure resources](/azure/azure-resource-manager/management/create-private-link-access-portal).

articles/machine-learning/how-to-configure-private-link.md

@@ -29,6 +29,7 @@ Azure Private Link enables you to connect to your workspace using a private endp
 > * [Secure training environments](how-to-secure-training-vnet.md).
 > * [Secure inference environments](how-to-secure-inferencing-vnet.md).
 > * [Use Azure Machine Learning studio in a VNet](how-to-enable-studio-virtual-network.md).
+> * [API platform network isolation](how-to-configure-network-isolation-with-v2.md)
 
 ## Prerequisites
 
@@ -77,7 +78,7 @@ ws = Workspace.create(name='myworkspace',
 
 # [Azure CLI extension 2.0 preview](#tab/azurecliextensionv2)
 
-When using the Azure CLI [extension 2.0 CLI preview for machine learning](how-to-configure-cli.md), a YAML document is used to configure the workspace. The following is an of creating a new workspace using a YAML configuration:
+When using the Azure CLI [extension 2.0 CLI preview for machine learning](how-to-configure-cli.md), a YAML document is used to configure the workspace. The following is an example of creating a new workspace using a YAML configuration:
 
 > [!TIP]
 > When using private link, your workspace cannot use Azure Container Registry tasks compute for image building. The `image_build_compute` property in this configuration specifies a CPU compute cluster name to use for Docker image environment building. You can also specify whether the private link workspace should be accessible over the internet using the `public_network_access` property.
@@ -322,7 +323,7 @@ The Azure CLI [extension 1.0 for machine learning](reference-azure-machine-learn
 In some situations, you may want to allow someone to connect to your secured workspace over a public endpoint, instead of through the VNet. Or you may want to remove the workspace from the VNet and re-enable public access.
 
 > [!IMPORTANT]
-> Enabling public access doesn't remove any private endpoints that exist. All communications between components behind the VNet that the private endpoint(s) connect to is still secured. It enables public access only to the workspace, in addition to the private access through any private endpoints.
+> Enabling public access doesn't remove any private endpoints that exist. All communications between components behind the VNet that the private endpoint(s) connect to are still secured. It enables public access only to the workspace, in addition to the private access through any private endpoints.
 
 > [!WARNING]
 > When connecting over the public endpoint while the workspace uses a private endpoint to communicate with other resources:
@@ -439,3 +440,5 @@ If you want to create an isolated Azure Kubernetes Service used by the workspace
 * For more information on securing your Azure Machine Learning workspace, see the [Virtual network isolation and privacy overview](how-to-network-security-overview.md) article.
 
 * If you plan on using a custom DNS solution in your virtual network, see [how to use a workspace with a custom DNS server](how-to-custom-dns.md).
+
+* [API platform network isolation](how-to-configure-network-isolation-with-v2.md)

articles/machine-learning/how-to-network-security-overview.md

@@ -27,6 +27,7 @@ Secure Azure Machine Learning workspace resources and compute environments using
 > * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
 > * [Use custom DNS](how-to-custom-dns.md)
 > * [Use a firewall](how-to-access-azureml-behind-firewall.md)
+> * [API platform network isolation](how-to-configure-network-isolation-with-v2.md)
 >
 > For a tutorial on creating a secure workspace, see [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md) or [Tutorial: Create a secure workspace using a template](tutorial-create-secure-workspace-template.md).
 
@@ -237,4 +238,5 @@ This article is part of a series on securing an Azure Machine Learning workflow.
 * [Secure the inference environment](how-to-secure-inferencing-vnet.md)
 * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
 * [Use custom DNS](how-to-custom-dns.md)
-* [Use a firewall](how-to-access-azureml-behind-firewall.md)
+* [Use a firewall](how-to-access-azureml-behind-firewall.md)
+* [API platform network isolation](how-to-configure-network-isolation-with-v2.md)

articles/machine-learning/how-to-secure-workspace-vnet.md

@@ -27,6 +27,7 @@ In this article, you learn how to secure an Azure Machine Learning workspace and
 > * [Enable studio functionality](how-to-enable-studio-virtual-network.md)
 > * [Use custom DNS](how-to-custom-dns.md)
 > * [Use a firewall](how-to-access-azureml-behind-firewall.md)
+> * [API platform network isolation](how-to-configure-network-isolation-with-v2.md)
 >
 > For a tutorial on creating a secure workspace, see [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md) or [Tutorial: Create a secure workspace using a template](tutorial-create-secure-workspace-template.md).
 
@@ -352,4 +353,5 @@ This article is part of a series on securing an Azure Machine Learning workflow.
 * [Use custom DNS](how-to-custom-dns.md)
 * [Use a firewall](how-to-access-azureml-behind-firewall.md)
 * [Tutorial: Create a secure workspace](tutorial-create-secure-workspace.md)
-* [Tutorial: Create a secure workspace using a template](tutorial-create-secure-workspace-template.md)
+* [Tutorial: Create a secure workspace using a template](tutorial-create-secure-workspace-template.md)
+* [API platform network isolation](how-to-configure-network-isolation-with-v2.md)

articles/machine-learning/toc.yml

@@ -269,6 +269,8 @@
             - name: Configure required network traffic
               href: how-to-access-azureml-behind-firewall.md
               displayName: firewall, user-defined route, udr
+            - name: Configure network isolation with v2
+              href: how-to-configure-network-isolation-with-v2.md
         - name: Data protection
           items:
             - name: Failover & disaster recovery