Merge pull request #266080 from meerakurup/patch-1

Jill Grant · web-flow · commit f5d7784065a8 · 2024-02-29T10:43:50.000-07:00
Update concept-secure-online-endpoint.md
diff --git a/articles/machine-learning/concept-secure-online-endpoint.md b/articles/machine-learning/concept-secure-online-endpoint.md
@@ -11,7 +11,7 @@ ms.author: sehan
 ms.reviewer: mopeakande
 reviewer: msakande
 ms.custom: devplatv2, moe-wsvnet
-ms.date: 09/27/2023
+ms.date: 02/29/2024
 ---
 
 # Network isolation with managed online endpoints
@@ -108,6 +108,10 @@ To learn more about configurations for the workspace managed virtual network, se
 
 ## Scenarios for network isolation configuration
 
+Your Azure Machine Learning workspace and managed online endpoint each have a `public_network_access` flag that you can use to configure their inbound communication. On the other hand, outbound communication from a deployment depends on the workspace's managed virtual network.
+
+#### Communication with the managed online endpoint
+
 Suppose a managed online endpoint has a deployment that uses an AI model, and you want to use an app to send scoring requests to the endpoint. You can decide what network isolation configuration to use for the managed online endpoint as follows:
 
 **For inbound communication**:
@@ -124,6 +128,19 @@ However, if you want your deployment to access the internet, you can use the wor
 
 Finally, if your deployment doesn't need to access private Azure resources and you don't need to control access to the internet, then you don't need to use a workspace managed virtual network.
 
+#### Inbound communication to the Azure Machine Learning workspace
+
+You can use the `public_network_access` flag of your Azure Machine Learning workspace to enable or disable inbound workspace access. 
+Typically, if you secure inbound communication to your workspace (by disabling the workspace's `public_network_access` flag) you also want to secure inbound communication to your managed online endpoint.
+
+The following chart shows a typical workflow for securing inbound communication to your Azure Machine Learning workspace and your managed online endpoint. For best security, we recommend that you disable the `public_network_access` flags for the workspace and the managed online endpoint to ensure that both can't be accessed via the public internet. If the workspace doesn't have a private endpoint, you can create one, making sure to include proper DNS resolution. You can then access the managed online endpoint by using the workspace's private endpoint.
+
+:::image type="content" source="media/concept-secure-online-endpoint/network-isolation-flowchart.png" alt-text="A screenshot showing a typical workflow for securing inbound communication to your workspace and managed online endpoint." lightbox="media/concept-secure-online-endpoint/network-isolation-flowchart.png":::
+
+[!INCLUDE [machine-learning-add-dns-records](includes/machine-learning-add-dns-records.md)]
+
+For more information on DNS resolution for your workspace and private endpoint, see [How to use your workspace with a custom DNS server](how-to-custom-dns.md).
+
 ## Appendix
 
 ### Secure outbound access with legacy network isolation method
diff --git a/articles/machine-learning/how-to-custom-dns.md b/articles/machine-learning/how-to-custom-dns.md
@@ -111,9 +111,7 @@ The Fully Qualified Domains resolve to the following Canonical Names (CNAMEs) ca
 
 The FQDNs resolve to the IP addresses of the Azure Machine Learning workspace in that region. However, resolution of the workspace Private Link FQDNs can be overridden by using a custom DNS server hosted in the virtual network. For an example of this architecture, see the [custom DNS server hosted in a vnet](#example-custom-dns-server-hosted-in-vnet) example.
 
-> [!NOTE]
-> Managed online endpoints share the workspace private endpoint. If you are manually adding DNS records to the private DNS zone `privatelink.api.azureml.ms`, an A record with wildcard
-> `*.<per-workspace globally-unique identifier>.inference.<region>.privatelink.api.azureml.ms` should be added to route all endpoints under the workspace to the private endpoint.
+[!INCLUDE [machine-learning-add-dns-records](includes/machine-learning-add-dns-records.md)]
 
 ## Manual DNS server integration
 
diff --git a/articles/machine-learning/includes/machine-learning-add-dns-records.md b/articles/machine-learning/includes/machine-learning-add-dns-records.md
@@ -0,0 +1,11 @@
+---
+author: msakande
+ms.service: machine-learning
+ms.topic: include
+ms.date: 02/27/2024
+ms.author: mopeakande
+---
+
+> [!NOTE]
+> Managed online endpoints share the workspace's private endpoint. If you're manually adding DNS records to the private DNS zone `privatelink.api.azureml.ms`, an A record with wildcard
+> `*.<per-workspace globally-unique identifier>.inference.<region>.privatelink.api.azureml.ms` should be added to route all endpoints under the workspace to the private endpoint.
diff --git a/articles/machine-learning/media/concept-secure-online-endpoint/network-isolation-flowchart.png b/articles/machine-learning/media/concept-secure-online-endpoint/network-isolation-flowchart.png
