Merge pull request #108842 from Blackmist/azureml-firewall

azureml-firewall

Author: shawnmariejones

articles/machine-learning/concept-enterprise-security.md

@@ -380,10 +380,7 @@ Here are the details:
 
 * [Secure Azure Machine Learning web services with TLS](how-to-secure-web-service.md)
 * [Consume a Machine Learning model deployed as a web service](how-to-consume-web-service.md)
-* [How to run batch predictions](how-to-use-parallel-run-step.md)
-* [Monitor your Azure Machine Learning models with Application Insights](how-to-enable-app-insights.md)
-* [Collect data for models in production](how-to-enable-data-collection.md)
-* [Azure Machine Learning SDK](https://docs.microsoft.com/python/api/overview/azure/ml/intro?view=azure-ml-py)
+* [Use Azure Machine Learning with Azure Firewall](how-to-access-azureml-behind-firewall.md)
 * [Use Azure Machine Learning with Azure Virtual Network](how-to-enable-virtual-network.md)
 * [Best practices for building recommendation systems](https://github.com/Microsoft/Recommenders)
 * [Build a real-time recommendation API on Azure](https://docs.microsoft.com/azure/architecture/reference-architectures/ai/real-time-recommendation)

articles/machine-learning/how-to-access-azureml-behind-firewall.md

@@ -0,0 +1,72 @@
+---
+title: Use Azure Machine Learning behind a firewall
+titleSuffix: Azure Machine Learning
+description: 'Securely use Azure Machine Learning behind Azure Firewall. Learn about the hosts that you must allow through the firewall for Azure Machine Learning to function correctly.'
+services: machine-learning
+ms.service: machine-learning
+ms.subservice: core
+ms.topic: conceptual
+ms.author: aashishb
+author: aashishb
+ms.reviewer: larryfr
+ms.date: 04/27/2020
+---
+
+# Use Azure Machine Learning workspace behind Azure Firewall
+
+This article contains information on configuring Azure Firewall for use with Azure Machine Learning.
+
+Azure Firewall can be used to control access to your Azure Machine Learning workspace and the public internet. If not configured correctly, the firewall can cause problems using your workspace.
+
+## Network rules
+
+On your firewall, create a network rule allowing traffic to and from the addresses in this article.
+
+> [!TIP]
+> When adding the network rule, set the __Protocol__ to any, and the ports to `*`.
+>
+> For more information on configuring Azure Firewall, see [Deploy and configure Azure Firewall](../firewall/tutorial-firewall-deploy-portal.md#configure-a-network-rule).
+
+## Microsoft hosts
+
+The hosts in this section are owned by Microsoft, and provide services required for the proper functioning of your workspace.
+
+| **Host name** | **Purpose** |
+| ---- | ---- |
+| **\*.batchai.core.windows.net** | Training clusters |
+| **ml.azure.com** | Azure Machine Learning studio |
+| **\*.azureml.ms** | Used by Azure Machine Learning APIs |
+| **\*.experiments.azureml.net** | Used by experiments running in Azure Machine Learning|
+| **\*.modelmanagement.azureml.net** | Used to register and deploy models|
+| **mlworkspace.azure.ai** | Used by the Azure portal when viewing a workspace |
+| **\*.aether.ms** | Used when running Azure Machine Learning pipelines |
+| **\*.instances.azureml.net** | Azure Machine Learning compute instances |
+| **windows.net** | Azure Blob Storage |
+| **vault.azure.net** | Azure Key Vault |
+| **microsoft.com** | Base docker images |
+| **azurecr.io** | Azure Container Registry |
+
+## Python hosts
+
+The hosts in this section are used to install Python packages. They are required during development, training, and deployment. 
+
+| **Host name** | **Purpose** |
+| ---- | ---- |
+| **anaconda.com** | Used when installing conda packages |
+| **pypi.org** | Used when installing pip packages |
+
+## R hosts
+
+The hosts in this section are used to install R packages. They are required during development, training, and deployment.
+
+> [!IMPORTANT]
+> Internally, the R SDK for Azure Machine Learning uses Python packages. So you must also allow Python hosts through the firewall.
+
+| **Host name** | **Purpose** |
+| ---- | ---- |
+| **cloud.r-project.org** | Used when installing CRAN packages. |
+
+Next steps
+
+* [[Deploy and configure Azure Firewall](../firewall/tutorial-firewall-deploy-portal.md)]
+* [Secure Azure ML experimentation and inference jobs within an Azure Virtual Network](how-to-enable-virtual-network.md)

articles/machine-learning/how-to-enable-virtual-network.md

@@ -505,19 +505,7 @@ To use ACI in a virtual network to your workspace, use the following steps:
 
 ## Use Azure Firewall
 
-When using Azure Firewall, you must configure a network rule to allow traffic to and from the following addresses:
-
-- `*.batchai.core.windows.net`
-- `ml.azure.com`
-- `*.azureml.ms`
-- `*.experiments.azureml.net`
-- `*.modelmanagement.azureml.net`
-- `mlworkspace.azure.ai`
-- `*.aether.ms`
-
-When adding the rule, set the __Protocol__ to any, and the ports to `*`.
-
-For more information on configuring a network rule, see [Deploy and configure Azure Firewall](/azure/firewall/tutorial-firewall-deploy-portal#configure-a-network-rule).
+For information on using Azure Machine Learning with Azure Firewall, see [Use Azure Machine Learning workspace behind Azure Firewall](how-to-access-azureml-behind-firewall.md).
 
 ## Use Azure Container Registry
 

articles/machine-learning/toc.yml

@@ -158,6 +158,8 @@
               href: how-to-use-azure-ad-identity.md
             - name: Regenerate storage access keys
               href: how-to-change-storage-access-key.md
+            - name: Use Azure Firewall
+              href: how-to-access-azureml-behind-firewall.md
         - name: Set up authentication
           displayName: authentication, auth, oauth
           href: how-to-setup-authentication.md