articles/machine-learning/how-to-prevent-data-loss-exfiltration.md
15 additions & 1 deletion
@@ -35,6 +35,13 @@ Azure Machine Learning has several inbound and outbound dependencies. Some of th
35
35
* An Azure Virtual Network (VNet)
36
36
* An Azure Machine Learning workspace with a private endpoint that connects to the VNet.
37
37
* The storage account used by the workspace must also connect to the VNet using a private endpoint.
38
+
* You need to recreate compute instance or scale down compute cluster to zero node.
39
+
* Not required if you have joined preview.
40
+
* Not required if you have new compute instance and compute cluster created after December 2022.
41
+
42
+
## Why do I need to use the service endpoint policy
43
+
44
+
Service endpoint policies allow you to filter egress virtual network traffic to Azure Storage accounts over service endpoint and allow data exfiltration to only specific Azure Storage accounts. Azure Machine Learning compute instance and compute cluster requires access to Microsoft-managed storage accounts for its provisioning. The Azure Machine learning alias in service endpoint policies includes Microsoft-managed storage accounts. We use service endpoint policies with the Azure Machine Learning alias to prevent data exfiltration or control the destination storage accounts. You can learn more in [Service Endpoint policy documentation](../virtual-network/virtual-network-service-endpoint-policies-overview.md).
38
45
39
46
## 1. Create the service endpoint policy
40
47
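Review bot: the two "Not required if ..." bullets (new-file lines 39 and 40) sit at the same level as "You need to recreate compute instance or scale down compute cluster to zero node", so they read as three independent prerequisites instead of two exceptions to the recreate step, and "joined preview" is not explained until the Limitations section added further down in this same change. Nest them under the recreate bullet, fix the grammar, and say which preview is meant, for example: "* Recreate the compute instance, or scale the compute cluster down to zero nodes. This isn't required if your subscription is in the preview described under Limitations, or if the compute instance or cluster was created after December 2022." The bullet should also say why recreation is needed, which the hunk does not. In the new "Why do I need to use the service endpoint policy" paragraph, "allow data exfiltration to only specific Azure Storage accounts" states the opposite of the intent; write "restrict egress to only specific Azure Storage accounts". Same paragraph: "compute cluster requires" should be "compute cluster require", and "Azure Machine learning alias" should be "Azure Machine Learning alias" to match the product name used in the rest of the sentence.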
@@ -63,6 +70,9 @@ Azure Machine Learning has several inbound and outbound dependencies. Some of th
63
70
64
71
1. Select __Review + Create__, and then select __Create__.
65
72
73
+
> [!IMPORTANT]
74
+
> If your compute instance and compute cluster need access to additional storage accounts, your service endpoint policy should include the additional storage accounts in the resources section. Note that it is not required if you use Storage private endpoints. Service endpoint policy and private endpoint are independent.
75
+
66
76
## 2. Allow inbound and outbound network traffic
67
77
68
78
### Inbound
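Review bot: the new IMPORTANT note is placed after "Select __Review + Create__, and then select __Create__", so a reader following the steps in order only learns that additional storage accounts belong in the resources section after the policy has already been created; move the note ahead of the Review + Create step, or phrase it as an edit to an existing policy. The sentence "Note that it is not required if you use Storage private endpoints. Service endpoint policy and private endpoint are independent." should also say what that independence means in practice: a storage account reached through a private endpoint is not filtered by the service endpoint policy, so listing it in the policy changes nothing for that traffic, and the policy does not block it either. Finally, say how an additional account is identified in the resources section (the storage account's resource ID is the natural form) and link the private endpoint setup article, since the prerequisites above already require the workspace storage account to use one.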
@@ -141,9 +151,13 @@ When using Azure ML curated environments, make sure to use the latest environmen
141
151
142
152
---
143
153
154
+
## Limitations
155
+
156
+
If you want to have data exfiltration with **No Public IP option**, you need to opt in to this Azure Machine Learning preview. Microsoft will contact you once your subscription has been allowlisted to the preview. It may take one to two weeks to allowlist your subscription. Use the form at [https://forms.office.com/r/0Rw6mXTT07](https://forms.office.com/r/0Rw6mXTT07) to opt in to this Azure Machine Learning preview.
157
+
144
158
## Next steps
145
159
146
160
For more information, see the following articles:
147
161
148
162
*[How to configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md)
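Review bot: "If you want to have data exfiltration with **No Public IP option**" says the reader wants exfiltration, while the article is about preventing it; write "If you want to use this data exfiltration protection with the **No Public IP** option". This section should also state that it is the preview referred to by the "Not required if you have joined preview" prerequisite added in the first hunk, otherwise the two are not connected anywhere in the file. The opt-in form is an external, time-limited sign-up link and will need removing once the feature is generally available, so consider a TODO or a date in the source. Minor, on the unchanged context line: "*[How to configure inbound and outbound network traffic]" lacks a space after the asterisk, so it does not render as a list item; worth fixing while the file is open.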