MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International
10.29k stars 21.47k forks source link

Azure Machine Learning - Access to Storage accounts in a different Vnet #100018

Open JunchiLiu94 opened 2 years ago

JunchiLiu94 commented 2 years ago

Hi AML Team,

A partner that I work with raised this issue with me as he was trying to access a storage account in a different VNet from his compute instance. He got confused with the following dot point under the Azure Storage Account Limitations header:

Though this section specifically pertains to Azure ML Studio, he interpreted that this limitation was for the service as a whole and raised this as a hard blocker for adoption of the service as the Enterprise Data Lake was in a different VNet. This was remediated through support from FastTrack, and we were able to access the data later. However, this isn't clear in the documentation and other features don't seem to be supported with this. I believe data profiling also had issues, I may be wrong here.

When searching for access to data in a separate VNet for AML. This dot point shows up, and it isn't explicit that this feature is actually supported (with limitations).

Cheers, Junchi

Document Details

Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

YashikaTyagii commented 2 years ago

@JunchiLiu94 Thanks for your feedback! We will investigate and update as appropriate.

RamanathanChinnappan-MSFT commented 2 years ago

@JunchiLiu94

Thanks for your feedback! We have assigned the issue to author and will provide further updates.

RamanathanChinnappan-MSFT commented 2 years ago

@jhirono

could you please review this and update as appropriate.

jhirono commented 1 year ago

@JunchiLiu94 sorry for my delay.

would you explain why your data lake cannot have a PE in the Vnet for AzureML? data profiling has a hard limitation. https://learn.microsoft.com/en-us/azure/machine-learning/how-to-enable-studio-virtual-network, but we are working to streamline its experience with WebAssembly, it wll be the next semester. Other than data profiling on Azureml studio UI, our compute resources are the same as normal azure VM from network isolation perspective, so no real limitation related to data access.

JunchiLiu94 commented 1 year ago

@jhirono - The customer has their data platform deployed in AU Southeast. I believe the data lake has a PE to a separate VNet in AU Southeast. As AML wasn't available in AU Southeast at the time of deployment, everything including VNets were deployed to AU East. The partner mentioned that the documentation indicated that peered VNet's couldn't be accessed when they can, but with limitations.

jhirono commented 1 year ago

@JunchiLiu94 for the studio UI with private link workspace, PE should be in the same VNet. For the other data access e.g., no limitation to access data in the storage in peered vnet from compute instance.

@YashikaTyagii I think we can close this issue