Azure Machine Learning - Access to Storage accounts in a different Vnet

[JunchiLiu94]

Hi AML Team,

A partner that I work with raised this issue with me as he was trying to access a storage account in a different VNet from his compute instance. He got confused with the following dot point under the Azure Storage Account Limitations header:

• "If the storage account uses a private endpoint, the workspace private endpoint and storage private endpoint must be in the same VNet. In this case, they can be in different subnets."

Though this section specifically pertains to Azure ML Studio, he interpreted that this limitation was for the service as a whole and raised this as a hard blocker for adoption of the service as the Enterprise Data Lake was in a different VNet. This was remediated through support from FastTrack, and we were able to access the data later. However, this isn't clear in the documentation and other features don't seem to be supported with this. I believe data profiling also had issues, I may be wrong here.

When searching for access to data in a separate VNet for AML. This dot point shows up, and it isn't explicit that this feature is actually supported (with limitations).

Cheers, Junchi

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 81c80f3d-0b15-6bd8-775c-15abff5d7a1a
• Version Independent ID: aaada5e3-7ce2-0eba-4cfb-ad5cec8365a7
• Content: Enable Azure Machine Learning studio in a virtual network - Azure Machine Learning
• Content Source: articles/machine-learning/how-to-enable-studio-virtual-network.md
• Service: machine-learning
• Sub-service: enterprise-readiness
• GitHub Login: @jhirono
• Microsoft Alias: jhirono

[YashikaTyagii]

@JunchiLiu94 Thanks for your feedback! We will investigate and update as appropriate.

[RamanathanChinnappan-MSFT]

@JunchiLiu94

Thanks for your feedback! We have assigned the issue to author and will provide further updates.

[RamanathanChinnappan-MSFT]

@jhirono

could you please review this and update as appropriate.

[jhirono]

@JunchiLiu94 sorry for my delay.

would you explain why your data lake cannot have a PE in the Vnet for AzureML? data profiling has a hard limitation. https://learn.microsoft.com/en-us/azure/machine-learning/how-to-enable-studio-virtual-network, but we are working to streamline its experience with WebAssembly, it wll be the next semester. Other than data profiling on Azureml studio UI, our compute resources are the same as normal azure VM from network isolation perspective, so no real limitation related to data access.

[JunchiLiu94]

@jhirono - The customer has their data platform deployed in AU Southeast. I believe the data lake has a PE to a separate VNet in AU Southeast. As AML wasn't available in AU Southeast at the time of deployment, everything including VNets were deployed to AU East. The partner mentioned that the documentation indicated that peered VNet's couldn't be accessed when they can, but with limitations.

[jhirono]

@JunchiLiu94 for the studio UI with private link workspace, PE should be in the same VNet. For the other data access e.g., no limitation to access data in the storage in peered vnet from compute instance.

@YashikaTyagii I think we can close this issue