writing

Larry Franks · Larry Franks · commit dccffa1dda60 · 2020-01-03T14:16:34.000-05:00
diff --git a/articles/machine-learning/how-to-enable-virtual-network.md b/articles/machine-learning/how-to-enable-virtual-network.md
@@ -10,7 +10,7 @@ ms.topic: conceptual
 ms.reviewer: larryfr
 ms.author: aashishb
 author: aashishb
-ms.date: 11/13/2019
+ms.date: 01/03/2020
 ---
 
 # Secure Azure ML experimentation and inference jobs within an Azure Virtual Network
@@ -40,9 +40,9 @@ This article also provides detailed information about *advanced security setting
 
 ## Use a storage account for your workspace
 
-To use an Azure storage account for the workspace in a virtual network, do the following:
+To use an Azure storage account for the workspace in a virtual network, use the following steps:
 
-1. Create a compute resource (for example, a Machine Learning compute instance or cluster) behind a virtual network, or attach a compute resource to the workspace (for example, an HDInsight cluster, virtual machine, or Azure Kubernetes Service cluster). The compute resource can be for experimentation or model deployment.
+1. Create a compute resource (for example, a Machine Learning cluster) behind a virtual network, or attach a compute resource to the workspace (for example, an HDInsight cluster, virtual machine, or Azure Kubernetes Service cluster). The compute resource can be for experimentation or model deployment.
 
    For more information, see the [Use a Machine Learning compute](#amlcompute), [Use a virtual machine or HDInsight cluster](#vmorhdi), and [Use Azure Kubernetes Service](#aksvnet) sections in this article.
 
@@ -54,12 +54,12 @@ To use an Azure storage account for the workspace in a virtual network, do the f
 
    ![The "Firewalls and virtual networks" area on the Azure Storage page in the Azure portal](./media/how-to-enable-virtual-network/storage-firewalls-and-virtual-networks.png)
 
-1. On the __Firewalls and virtual networks__ page, do the following:
+1. On the __Firewalls and virtual networks__ page, do the following actions:
     - Select __Selected networks__.
     - Under __Virtual networks__, select the __Add existing virtual network__ link. This action adds the virtual network where your compute  resides (see step 1).
 
         > [!IMPORTANT]
-        > The storage account must be in the same virtual network as the compute instances or clusters used for training or inference.
+        > The storage account must be in the same virtual network as the clusters used for training or inference.
 
     - Select the __Allow trusted Microsoft services to access this storage account__ check box.
 
@@ -85,7 +85,7 @@ The key vault instance that's associated with the workspace is used by Azure Mac
 * Passwords to Azure Container Repository instances
 * Connection strings to data stores
 
-To use Azure Machine Learning experimentation capabilities with Azure Key Vault behind a virtual network, do the following:
+To use Azure Machine Learning experimentation capabilities with Azure Key Vault behind a virtual network, use the following steps:
 1. Go to the key vault that's associated with the workspace.
 
    [![The key vault that's associated with the Azure Machine Learning workspace](./media/how-to-enable-virtual-network/workspace-key-vault.png)](./media/how-to-enable-virtual-network/workspace-key-vault.png#lightbox)
@@ -94,7 +94,7 @@ To use Azure Machine Learning experimentation capabilities with Azure Key Vault
 
    ![The "Firewalls and virtual networks" section in the Key Vault pane](./media/how-to-enable-virtual-network/key-vault-firewalls-and-virtual-networks.png)
 
-1. On the __Firewalls and virtual networks__ page, do the following:
+1. On the __Firewalls and virtual networks__ page, do the following actions:
     - Under __Allow access from__, select __Selected networks__.
     - Under __Virtual networks__, select __Add existing virtual networks__ to add the virtual network where your experimentation compute resides.
     - Under __Allow trusted Microsoft services to bypass this firewall__, select __Yes__.
@@ -103,22 +103,18 @@ To use Azure Machine Learning experimentation capabilities with Azure Key Vault
 
 <a id="amlcompute"></a>
 
-## <a name="compute-instance"></a>Use a Machine Learning Compute
+## Use a Machine Learning Compute
 
-> [!NOTE]
-> Compute instances (preview) are currently available only for workspaces with a region of **North Central US** or **UK South**, with support for other regions coming soon.
-> Use one of these regions to create a compute instance that can be added to virtual network.
-
-To use an Azure Machine Learning compute instance or compute cluster in a virtual network, the following network requirements must be met:
+To use an Azure Machine Learning compute cluster in a virtual network, the following network requirements must be met:
 
 > [!div class="checklist"]
 > * The virtual network must be in the same subscription and region as the Azure Machine Learning workspace.
-> * The subnet that's specified for the compute instance or cluster must have enough unassigned IP addresses to accommodate the number of VMs that are targeted. If the subnet doesn't have enough unassigned IP addresses, a compute cluster will be partially allocated.
+> * The subnet that's specified for the compute cluster must have enough unassigned IP addresses to accommodate the number of VMs that are targeted. If the subnet doesn't have enough unassigned IP addresses, a compute cluster will be partially allocated.
 > * Check to see whether your security policies or locks on the virtual network's subscription or resource group restrict permissions to manage the virtual network. If you plan to secure the virtual network by restricting traffic, leave some ports open for the compute service. For more information, see the [Required ports](#mlcports) section.
-> * If you're going to put multiple compute instances or clusters in one virtual network, you might need to request a quota increase for one or more of your resources.
-> * If the Azure Storage Account(s) for the workspace are also secured in a virtual network, they must be in the same virtual network as the Azure Machine Learning compute instance or cluster. If you are creating a compute instance in the same virtual network, you would need to detach the storage account(s) from the virtual network, create the compute instance in the virtual network, and then attach the storage account(s) back to the virtual network.
+> * If you're going to put multiple compute clusters in one virtual network, you might need to request a quota increase for one or more of your resources.
+> * If the Azure Storage Account(s) for the workspace are also secured in a virtual network, they must be in the same virtual network as the Azure Machine Learning compute cluster.
 
-The Machine Learning compute instance or cluster automatically allocates additional networking resources in the resource group that contains the virtual network. For each compute instance or cluster, the service allocates the following resources:
+The Machine Learning compute cluster automatically allocates additional networking resources in the resource group that contains the virtual network. For each compute cluster, the service allocates the following resources:
 
 * One network security group
 * One public IP address
@@ -141,8 +137,6 @@ Machine Learning Compute currently uses the Azure Batch service to provision VMs
 
 - Outbound traffic on any port to the internet.
 
-- For compute instance inbound TCP traffic on port 44224 from a __Service Tag__ of __AzureMachineLearning__.
-
 Exercise caution if you modify or add inbound or outbound rules in Batch-configured NSGs. If an NSG blocks communication to the compute nodes, the compute service sets the state of the compute nodes to unusable.
 
 You don't need to specify NSGs at the subnet level, because the Azure Batch service configures its own NSGs. However, if the specified subnet has associated NSGs or a firewall, configure the inbound and outbound security rules as mentioned earlier.
@@ -155,23 +149,22 @@ The NSG rule configuration in the Azure portal is shown in the following images:
 
 ### <a id="limiting-outbound-from-vnet"></a> Limit outbound connectivity from the virtual network
 
-If you don't want to use the default outbound rules and you do want to limit the outbound access of your virtual network, do the following:
+If you don't want to use the default outbound rules and you do want to limit the outbound access of your virtual network, do the following actions:
 
 - Deny outbound internet connection by using the NSG rules.
 
-- Limit outbound traffic to the following:
+- Limit outbound traffic to the following resources:
    - Azure Storage, by using __Service Tag__ of __Storage.Region_Name__ (for example, Storage.EastUS)
    - Azure Container Registry, by using __Service Tag__ of __AzureContainerRegistry.Region_Name__ (for example, AzureContainerRegistry.EastUS)
    - Azure Machine Learning, by using __Service Tag__ of __AzureMachineLearning__
-   - In case of compute instance, Azure Cloud, by using __Service Tag__ of __AzureCloud.Region_Name__ (for example, AzureCloud.NorthCentralUS)
 
 The NSG rule configuration in the Azure portal is shown in the following image:
 
 [![The outbound NSG rules for Machine Learning Compute](./media/how-to-enable-virtual-network/limited-outbound-nsg-exp.png)](./media/how-to-enable-virtual-network/limited-outbound-nsg-exp.png#lightbox)
 
 ### User-defined routes for forced tunneling
 
-If you're using forced tunneling with the Machine Learning Compute, add [user-defined routes (UDRs)](https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) to the subnet that contains the compute resource.
+If you're using forced tunneling with Machine Learning Compute, add [user-defined routes (UDRs)](https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) to the subnet that contains the compute resource.
 
 * Establish a UDR for each IP address that's used by the Azure Batch service in the region where your resources exist. These UDRs enable the Batch service to communicate with compute nodes for task scheduling. To get a list of IP addresses of the Batch service, use one of the following methods:
 
@@ -193,13 +186,13 @@ For more information, see [Create an Azure Batch pool in a virtual network](../b
 
 ### Create a compute cluster in a virtual network
 
-To create a Machine Learning Compute cluster, do the following:
+To create a Machine Learning Compute cluster, use the following steps:
 
 1. In the [Azure portal](https://portal.azure.com), select your Azure Machine Learning workspace.
 
 1. In the __Application__ section, select __Compute__, and then select __Add compute__.
 
-1. To configure this compute resource to use a virtual network, do the following:
+1. To configure this compute resource to use a virtual network, do the following actions:
 
     a. For __Network configuration__, select __Advanced__.
 
@@ -267,14 +260,14 @@ For specific information on using Azure Databricks with a virtual network, see [
 > [!IMPORTANT]
 > Azure Machine Learning supports only virtual machines that are running Ubuntu.
 
-To use a virtual machine or Azure HDInsight cluster in a virtual network with your workspace, do the following:
+To use a virtual machine or Azure HDInsight cluster in a virtual network with your workspace, use the following steps:
 
 1. Create a VM or HDInsight cluster by using the Azure portal or the Azure CLI, and put the cluster in an Azure virtual network. For more information, see the following articles:
     * [Create and manage Azure virtual networks for Linux VMs](https://docs.microsoft.com/azure/virtual-machines/linux/tutorial-virtual-network)
 
     * [Extend HDInsight using an Azure virtual network](https://docs.microsoft.com/azure/hdinsight/hdinsight-extend-hadoop-virtual-network)
 
-1. To allow Azure Machine Learning to communicate with the SSH port on the VM or cluster, configure a source entry for the network security group. The SSH port is usually port 22. To allow traffic from this source, do the following:
+1. To allow Azure Machine Learning to communicate with the SSH port on the VM or cluster, configure a source entry for the network security group. The SSH port is usually port 22. To allow traffic from this source, do the following actions:
 
     * In the __Source__ drop-down list, select __Service Tag__.
 
@@ -302,7 +295,7 @@ To use a virtual machine or Azure HDInsight cluster in a virtual network with yo
 
 ## Use Azure Kubernetes Service (AKS)
 
-To add AKS in a virtual network to your workspace, do the following:
+To add AKS in a virtual network to your workspace, use the following steps:
 
 > [!IMPORTANT]
 > Before you begin the following procedure, follow the prerequisites in the [Configure advanced networking in Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/configure-advanced-networking#prerequisites) how-to and plan the IP addressing for your cluster.
@@ -317,7 +310,7 @@ To add AKS in a virtual network to your workspace, do the following:
 
 1. In the __Application__ section, select __Compute__, and then select __Add compute__.
 
-1. To configure this compute resource to use a virtual network, do the following:
+1. To configure this compute resource to use a virtual network, do the following actions:
 
     - For __Network configuration__, select __Advanced__.
 
@@ -363,6 +356,82 @@ aks_target = ComputeTarget.create(workspace=ws,
 
 When the creation process is completed, you can run inference, or model scoring, on an AKS cluster behind a virtual network. For more information, see [How to deploy to AKS](how-to-deploy-and-where.md).
 
+### Use private IPs with Azure Kubernetes Service
+
+By default, a public IP address is assigned to AKS deployments. When using AKS inside a virtual network, you can use a private IP address instead. Private IP addresses are only accessible from inside the virtual network or joined networks.
+
+A private IP address is enabled by configuring AKS to use an _internal load balancer_. 
+
+> [!IMPORTANT]
+> You cannot enable private IP when creating the Azure Kubernetes Service cluster. It must be enabled as an update to an existing cluster.
+
+The following code snippet demonstrates how to **create a new AKS cluster**, and then update it to use a private IP/internal load balancer
+
+```python
+import azureml.core
+from azureml.core.compute import AksCompute, ComputeTarget
+
+# Verify that cluster does not exist already
+try:
+    aks_target = AksCompute(workspace=ws, name=aks_cluster_name)
+    print("Found existing aks cluster")
+
+except:
+    print("Creating new aks cluster")
+
+    # Create AKS configuration
+    prov_config = AksCompute.provisioning_configuration(location = "eastus2")
+    # Set info for existing virtual network to create the cluster in
+    prov_config.vnet_resourcegroup_name = "myvnetresourcegroup"
+    prov_config.vnet_name = "myvnetname"
+    prov_config.service_cidr = "10.0.0.0/16"
+    prov_config.dns_service_ip = "10.0.0.10"
+    prov_config.subnet_name = "default"
+    prov_config.docker_bridge_cidr = "172.17.0.1/16"
+
+    # Create compute target
+    aks_target = ComputeTarget.create(workspace = ws, name = “myaks”, provisioning_configuration = prov_config)
+    # Wait for the operation to complete
+    aks_target.wait_for_completion(show_output = True)
+    
+    # Update AKS configuration to use an internal load balancer
+    update_config = AksUpdateConfiguration(None, "InternalLoadBalancer")
+    aks_target.update(update_config)
+    # Wait for the operation to complete
+    aks_target.wait_for_completion(show_output = True)
+    
+```
+
+__Azure CLI__
+
+```azurecli-interactive
+az rest --method put --uri https://management.azure.com"/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.ContainerService/managedClusters/<aks-resource-id>?api-version=2018-11-19 --body @body.json
+```
+
+The contents of the `body.json` file referenced by the command are similar to the following JSON document:
+
+```json
+{ 
+    "location": “<region>”, 
+    "properties": { 
+    	"resourceId": "/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.ContainerService/managedClusters/<aks-resource-id>", 
+        "computeType": "AKS", 
+        "provisioningState": "Succeeded", 
+        "properties": { 
+            "loadBalancerType": "InternalLoadBalancer", 
+    	    "agentCount": <agent-count>, 
+    	    "agentVmSize": "vm-size", 
+    	    "clusterFqdn": "<cluster-fqdn>" 
+        } 
+    } 
+} 
+```
+
+> [!NOTE]
+> Currently, you cannot configure the load balancer when performing an __attach__ operation on an existing cluster. You must first attach the cluster, and then perform an update operation to change the load balancer.
+
+For more information on using the internal load balancer with AKS, see [Use internal load balancer with Azure Kubernetes Service](/azure/aks/internal-lb).
+
 ## Use Azure Firewall
 
 When using Azure Firewall, you must configure a network rule to allow traffic to and from the following addresses:
