Merge pull request #220836 from msakande/GA-updates-DLP-feature

initial updates for UDP doc changes

Author: denrea

articles/machine-learning/how-to-prevent-data-loss-exfiltration.md

@@ -12,7 +12,7 @@ ms.reviewer: larryfr
 ms.date: 08/26/2022
 ---
 
-# Azure Machine Learning data exfiltration prevention (Preview)
+# Azure Machine Learning data exfiltration prevention
 
 <!-- Learn how to use a [Service Endpoint policy](../virtual-network/virtual-network-service-endpoint-policies-overview.md) to prevent data exfiltration from storage accounts in your Azure Virtual Network that are used by Azure Machine Learning. -->
 
@@ -36,15 +36,32 @@ Azure Machine Learning has several inbound and outbound dependencies. Some of th
 * An Azure Machine Learning workspace with a private endpoint that connects to the VNet.
     * The storage account used by the workspace must also connect to the VNet using a private endpoint.
 
-## 1. Opt in to the preview
+## 1. Create the service endpoint policy
 
-> [!IMPORTANT]
-> Before opting in to this preview, you must have created a workspace and a compute instance on the subscription you plan to use. You can delete the compute instance and/or workspace after creating them.
+1. From the [Azure portal](https://portal.azure.com), add a new __Service Endpoint Policy__. On the __Basics__ tab, provide the required information and then select __Next__.
+1. On the __Policy definitions__ tab, perform the following actions:
+    1. Select __+ Add a resource__, and then provide the following information:
+    
+        <!-- > [!TIP]
+        > * At least one storage account resource must be listed in the policy.
+        > * If you are adding multiple storage accounts, and the _default storage account_ for your workspace is configured with a private endpoint, you do not need to include it in the policy. -->
 
-Use the form at [https://forms.office.com/r/1TraBek7LV](https://forms.office.com/r/1TraBek7LV) to opt in to this Azure Machine Learning preview. Microsoft will contact you once your subscription has been allowlisted to the preview.
+        * __Service__: Microsoft.Storage
+        * __Scope__: Select the scope as __Single account__ to limit the network traffic to one storage account.
+        * __Subscription__: The Azure subscription that contains the storage account.
+        * __Resource group__: The resource group that contains the storage account.
+        * __Resource__: The default storage account of your workspace.
+    
+        Select __Add__ to add the resource information.
 
-> [!TIP]
-> It may take one to two weeks to allowlist your subscription.
+        :::image type="content" source="media/how-to-data-exfiltration-prevention/create-service-endpoint-policy.png" alt-text="A screenshot showing how to create a service endpoint policy." lightbox="media/how-to-data-exfiltration-prevention/create-service-endpoint-policy.png":::
+
+    1. Select __+ Add an alias__, and then select `/services/Azure/MachineLearning` as the __Server Alias__ value. Select __Add__ to add the alias.
+    
+        > [!NOTE]
+        > The Azure CLI and Azure PowerShell do not provide support for adding an alias to the policy.
+
+1. Select __Review + Create__, and then select __Create__.
 
 ## 2. Allow inbound and outbound network traffic
 
@@ -91,42 +108,20 @@ For more information, see [How to secure training environments](how-to-secure-tr
 
 1. From the [Azure portal](https://portal.azure.com), select the __Azure Virtual Network__ for your Azure ML workspace.
 1. From the left of the page, select __Subnets__ and then select the subnet that contains your compute cluster/instance resources.
-1. In the form that appears, expand the __Services__ dropdown and then __enable Microsoft.Storage__. Select __Save__ to save these changes.
-
-## 4. Create the service endpoint policy
-
-1. From the [Azure portal](https://portal.azure.com), add a new __Service Endpoint Policy__. On the __Basics__ tab, provide the required information and then select __Next__.
-1. On the __Policy definitions__ tab, perform the following actions:
-    1. Select __+ Add a resource__, and then provide the following information:
-    
-        > [!TIP]
-        > * At least one storage account resource must be listed in the policy.
-        > * If you are adding multiple storage accounts, and the _default storage account_ for your workspace is configured with a private endpoint, you do not need to include it in the policy.
-
-        * __Service__: Microsoft.Storage
-        * __Scope__: Select the scope. For example, select __Single account__ if you want to limit the network traffic to one storage account.
-        * __Subscription__: The Azure subscription that contains the storage account.
-        * __Resource group__: The resource group that contains the storage account.
-        * __Resource__: The storage account.
-    
-        Select __Add__ to add the resource information.
-    1. Select __+ Add an alias__, and then select `/services/Azure/MachineLearning` as the __Server Alias__ value. Select __Add__ to add the alias.
-    
-        > [!NOTE]
-        > The Azure CLI and Azure PowerShell do not provide support for adding an alias to the policy.
-
-1. Select __Review + Create__, and then select __Create__.
+1. In the form that appears, expand the __Services__ dropdown and then enable __Microsoft.Storage__. Select __Save__ to save these changes.
+1. Apply the service endpoint policy to your workspace subnet.
 
+:::image type="content" source="media/how-to-data-exfiltration-prevention/enable-storage-endpoint-for-subnet.png" alt-text="A screenshot of the Azure portal showing how to enable storage endpoint for the subnet." lightbox="media/how-to-data-exfiltration-prevention/enable-storage-endpoint-for-subnet.png":::
 
-## 5. Curated environments
+## 4. Curated environments
 
 When using Azure ML curated environments, make sure to use the latest environment version. The container registry for the environment must also be `mcr.microsoft.com`. To check the container registry, use the following steps:
 
 1. From [Azure ML studio](https://ml.azure.com), select your workspace and then select __Environments__.
 1. Verify that the __Azure container registry__ begins with a value of `mcr.microsoft.com`.
 
     > [!IMPORTANT]
-    > If the container registry is `viennaglobal.azurecr.io` you cannot use the curated environment with the data exfiltration preview. Try upgrading to the latest version of the curated environment.
+    > If the container registry is `viennaglobal.azurecr.io` you cannot use the curated environment with the data exfiltration. Try upgrading to the latest version of the curated environment.
 
 1. When using `mcr.microsoft.com`, you must also allow outbound configuration to the following resources. Select the configuration option that you're using:
 

articles/machine-learning/media/how-to-data-exfiltration-prevention/create-service-endpoint-policy.png

@@ -10,21 +10,22 @@ ms.author: larryfr
 ms.custom: include file
 ---
 
-Azure Machine Learning requires both inbound and outbound access to the public internet. The following tables provide an overview of what access is required and what it is for. The __protocol__ for all items is __TCP__. For service tags that end in `.region`, replace `region` with the Azure region that contains your workspace. For example, `Storage.westus`:
+Azure Machine Learning requires both inbound and outbound access to the public internet. The following tables provide an overview of what access is required and what purpose it serves. For service tags that end in `.region`, replace `region` with the Azure region that contains your workspace. For example, `Storage.westus`:
 
-| Direction | Ports | Service tag | Purpose |
+| Direction | Ports | Service tag | Protocol | Purpose |
 | ----- |:-----:| ----- | ----- |
-| Inbound | 29876-29877 | BatchNodeManagement | Create, update, and delete of Azure Machine Learning compute instance and compute cluster. It isn't required if you use No Public IP option.|
-| Inbound | 44224 | AzureMachineLearning | Create, update, and delete of Azure Machine Learning compute instance. It isn't required if you use No Public IP option.|
-| Outbound | 80, 443 | AzureActiveDirectory | Authentication using Azure AD. |
-| Outbound | 443, 8787, 18881 | AzureMachineLearning | Using Azure Machine Learning services. |
-| Outbound | 443 | BatchNodeManagement.region | Communication with Azure Batch back-end for computes. Replace `region` with the Azure region of your workspace. |
-| Outbound | 443 | AzureResourceManager | Creation of Azure resources with Azure Machine Learning. |
-| Outbound | 443, 445 (*)| Storage.region | Access data stored in the Azure Storage Account for compute cluster and compute instance. This outbound can be used to exfiltrate data. For more information, see [Data exfiltration protection](../articles/machine-learning/how-to-prevent-data-loss-exfiltration.md).<br>(*) 445 is only required if you have a firewall between your virtual network for Azure ML and a private endpoint for your storage accounts.|
-| Outbound | 443 | AzureFrontDoor.FrontEnd</br>* Not needed in Azure China. | Global entry point for [Azure Machine Learning studio](https://ml.azure.com). Store images and environments for AutoML. |
-| Outbound | 443 | MicrosoftContainerRegistry.region</br>**Note** that this  tag has a dependency on the **AzureFrontDoor.FirstParty** tag | Access docker images provided by Microsoft. Setup of the Azure Machine Learning router for Azure Kubernetes Service. |
-| Outbound | 443 | AzureMonitor | Used to log monitoring and metrics to App Insights and Azure Monitor. |
-| Outbound | 443 | Keyvault.region | Access the key vault for the Azure Batch service. Only needed if your workspace was created with the [hbi_workspace](/python/api/azureml-core/azureml.core.workspace%28class%29#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basic---friendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--exist-ok-false--show-output-true-) flag enabled. |
+| Inbound | 29876-29877 | BatchNodeManagement | TCP | Create, update, and delete of Azure Machine Learning compute instance and compute cluster. It isn't required if you use No Public IP option.|
+| Inbound | 44224 | AzureMachineLearning | TCP | Create, update, and delete of Azure Machine Learning compute instance. It isn't required if you use No Public IP option.|
+| Outbound | 80, 443 | AzureActiveDirectory | TCP | Authentication using Azure AD. |
+| Outbound | 443, 8787, 18881 | AzureMachineLearning | TCP | Using Azure Machine Learning services. |
+| Outbound | 443 | BatchNodeManagement.region | TCP | Communication with Azure Batch back-end for computes. Replace `region` with the Azure region of your workspace. |
+| Outbound | 443 | AzureResourceManager | TCP | Creation of Azure resources with Azure Machine Learning. |
+| Outbound | 443, 445 (*)| Storage.region | TCP | Access data stored in the Azure Storage Account for compute cluster and compute instance. This outbound can be used to exfiltrate data. For more information, see [Data exfiltration protection](../articles/machine-learning/how-to-prevent-data-loss-exfiltration.md).<br>(*) 445 is only required if you have a firewall between your virtual network for Azure ML and a private endpoint for your storage accounts.|
+| Outbound | 443 | AzureFrontDoor.FrontEnd</br>* Not needed in Azure China. | TCP | Global entry point for [Azure Machine Learning studio](https://ml.azure.com). Store images and environments for AutoML. |
+| Outbound | 443 | MicrosoftContainerRegistry.region</br>**Note** that this  tag has a dependency on the **AzureFrontDoor.FirstParty** tag | TCP | Access docker images provided by Microsoft. Setup of the Azure Machine Learning router for Azure Kubernetes Service. |
+| Outbound | 443 | AzureMonitor | TCP | Used to log monitoring and metrics to App Insights and Azure Monitor. |
+| Outbound | 443 | Keyvault.region | TCP | Access the key vault for the Azure Batch service. Only needed if your workspace was created with the [hbi_workspace](/python/api/azureml-core/azureml.core.workspace%28class%29#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basic---friendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--exist-ok-false--show-output-true-) flag enabled. |
+| Outbound | 5831 | AzureMachineLearning | UDP | Communication with Azure Machine Learning for compute instances. |
 
 > [!TIP]
 > If you need the IP addresses instead of service tags, use one of the following options: