Merge pull request #180362 from Blackmist/1885500-vnet-subnet-requirements

PRMerger12 · web-flow · commit dec6b775997e · 2021-11-19T06:05:32.000-08:00
1885500 vnet subnet requirements
diff --git a/articles/machine-learning/concept-network-data-access.md b/articles/machine-learning/concept-network-data-access.md
@@ -9,7 +9,7 @@ ms.topic: conceptual
 ms.author: jhirono
 author: jhirono
 ms.reviewer: larryfr
-ms.date: 11/08/2021
+ms.date: 11/19/2021
 ---
 
 
@@ -49,8 +49,8 @@ In general, data access from studio involves the following checks:
     - Create, read, update, and delete (CRUD) operations on a data store/dataset are handled by Azure Machine Learning.
     - Data Access calls (such as preview or schema) go to the underlying storage and need extra permissions.
 5. Where is this operation being run; compute resources in your Azure subscription or resources hosted in a Microsoft subscription?
-    - All calls to dataset and datastore services (except the "Generate Profile" option,) use resources hosted in a __Microsoft subscription__ to run the operations.
-    - Jobs, including a the "Generate Profile" option for datasets, run on a compute resource in __your subscription__, and access the data from there. So the compute identity needs permission to the storage rather than the identity of the user submitting the job.
+    - All calls to dataset and datastore services (except the "Generate Profile" option) use resources hosted in a __Microsoft subscription__ to run the operations.
+    - Jobs, including the "Generate Profile" option for datasets, run on a compute resource in __your subscription__, and access the data from there. So the compute identity needs permission to the storage rather than the identity of the user submitting the job.
 
 The following diagram shows the general flow of a data access call. In this example, a user is trying to make a data access call through a machine learning workspace, without using any compute resource.
 
@@ -74,7 +74,14 @@ To avoid this issue, you can either allow Azure Machine Learning to create the d
 
 ### Azure Storage firewall
 
-When an Azure Storage account is behind a virtual network, the storage firewall can normally be used to allow your client to directly connect over the internet. However, when using studio it isn't  your client that connects to the storage account; it's the Azure Machine Learning service that makes the request. The IP address of the service isn't documented and changes frequently. __Enabling the storage firewall will not allow studio to access the storage account in a VNet configuration__.
+When an Azure Storage account is behind a virtual network, the storage firewall can normally be used to allow your client to directly connect over the internet. However, when using studio it isn't your client that connects to the storage account; it's the Azure Machine Learning service that makes the request. The IP address of the service isn't documented and changes frequently. __Enabling the storage firewall will not allow studio to access the storage account in a VNet configuration__.
+
+### Azure Storage endpoint type
+
+When the workspace uses a private endpoint and the storage account is also in the VNet, there are extra validation requirements when using studio:
+
+* If the storage account uses a __service endpoint__, the workspace private endpoint and storage service endpoint must be in the same subnet of the VNet.
+* If the storage account uses a __private endpoint__, the workspace private endpoint and storage service endpoint must be in the same VNet. In this case, they can be in different subnets.
 
 ## Azure Data Lake Storage Gen1
 
diff --git a/articles/machine-learning/how-to-enable-studio-virtual-network.md b/articles/machine-learning/how-to-enable-studio-virtual-network.md
@@ -9,7 +9,7 @@ ms.topic: how-to
 ms.reviewer: larryfr
 ms.author: jhirono
 author: jhirono
-ms.date: 11/10/2021
+ms.date: 11/19/2021
 ms.custom: contperf-fy20q4, tracking-python, security
 
 ---
@@ -67,11 +67,16 @@ In this article, you learn how to:
 
 ### Azure Storage Account
 
-There's a known issue where the default file store does not automatically create the `azureml-filestore` folder, which is required to submit AutoML experiments. This problem occurs when users bring an existing file store to set as the default file store during workspace creation.
+* There's a known issue where the default file store does not automatically create the `azureml-filestore` folder, which is required to submit AutoML experiments. This problem occurs when users bring an existing file store to set as the default file store during workspace creation.
 
-To avoid this issue, you have two options: 1) Use the default file store, which is automatically created for you doing workspace creation. 2) To bring your own file store, make sure the file store is outside of the VNet during workspace creation. After the workspace is created, add the storage account to the virtual network.
+    To avoid this issue, you have two options: 1) Use the default file store, which is automatically created for you doing workspace creation. 2) To bring your own file store, make sure the file store is outside of the VNet during workspace creation. After the workspace is created, add the storage account to the virtual network.
 
-To resolve this issue, remove the file store account from the virtual network then add it back to the virtual network.
+    To resolve this issue, remove the file store account from the virtual network then add it back to the virtual network.
+
+* When the storage account is in the VNet, there are extra validation requirements when using studio:
+
+    * If the storage account uses a __service endpoint__, the workspace private endpoint and storage service endpoint must be in the same subnet of the VNet.
+    * If the storage account uses a __private endpoint__, the workspace private endpoint and storage service endpoint must be in the same VNet. In this case, they can be in different subnets.
 
 ### Designer sample pipeline
 
diff --git a/articles/machine-learning/how-to-secure-workspace-vnet.md b/articles/machine-learning/how-to-secure-workspace-vnet.md
@@ -8,7 +8,7 @@ ms.subservice: enterprise-readiness
 ms.reviewer: larryfr
 ms.author: jhirono
 author: jhirono
-ms.date: 10/21/2021
+ms.date: 11/19/2021
 ms.topic: how-to
 ms.custom: contperf-fy20q4, tracking-python, contperf-fy21q1, security
 
@@ -68,7 +68,10 @@ In this article you learn how to enable the following workspaces resources in a
 
 ### Azure Storage Account
 
-If both the Azure Machine Learning workspace and the Azure Storage Account use a private endpoint to connect to the VNet, both must be within the same subnet.
+* If you plan to use Azure Machine Learning studio and the storage account is also in the VNet, there are extra validation requirements:
+
+    * If the storage account uses a __service endpoint__, the workspace private endpoint and storage service endpoint must be in the same subnet of the VNet.
+    * If the storage account uses a __private endpoint__, the workspace private endpoint and storage service endpoint must be in the same VNet. In this case, they can be in different subnets.
 
 ### Azure Container Registry
 
