MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

NSG rules do not allow authentication to Azure ML Studio #106137

Open jh4mit opened 1 year ago

jh4mit commented 1 year ago

Opening the listed NSG rules for service tags (AzureMachineLearning, AzureFrontDoor, AzureActiveDirectory) does not allow traffic to aadcdn.msftauth.net, which is required to authenticate to ml.azure.com, at least for MFA accounts. So implementing the steps as written does not produce a working configuration.

AjayBathini-MSFT commented 1 year ago

@jh4mit Thanks for your feedback! We will investigate and update as appropriate.

RamanathanChinnappan-MSFT commented 1 year ago

@jh4mit

I've delegated this to @jhirono , a content author, to review and share their valuable insights.

jh4mit commented 1 year ago

@jhirono Any update on this? I had a conversation with Azure support, which led to adding an NSG rule for the IP address for aadcdn.msftauth.net -- but with no guarantees this is stable, and no plans to implement a service tag covering it. At minimum, this should be listed in the Required public internet access section.

jhirono commented 1 year ago

aadcdn.msftauth.net should be included in AzureFrontDoor.Frontend and the access to aadcdn should succeed if you allow outbound AzureFrontDoor.

jh4mit commented 1 year ago

@jhirono It doesn't appear to currently be included in AzureFrontDoor.Frontend. I have an NSG that has an outbound allow rule for AzureFrontDoor.Frontend (tested with both TCP 443 and with Any/Any), which times out trying to display the login page. When explicitly adding an allow rule for 152.199.4.44 (aadcdn.msftauth.net), the login page loads successfully. Confirmed this with Azure support, for what that's worth.
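One way to verify this kind of claim mechanically, as an added example that is not part of the thread or of any Azure tooling: load the published Azure Service Tags JSON (the "Azure IP Ranges and Service Tags – Public Cloud" download has the `values[].properties.addressPrefixes` shape used below), then check whether each address a workload needs falls inside any tag the NSG allows. The prefixes embedded here are constructed TEST-NET placeholders, not the real tag contents; only 152.199.4.44 comes from the thread.

```python
import ipaddress
import json

# Constructed excerpt in the shape of the Service Tags JSON download.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, NOT real tag data.
SERVICE_TAGS_JSON = json.dumps({
    "values": [
        {"name": "AzureFrontDoor.Frontend",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "AzureActiveDirectory",
         "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
        {"name": "AzureMachineLearning",
         "properties": {"addressPrefixes": ["192.0.2.0/24"]}},
    ]
})


def load_tag_networks(raw_json):
    """Map each service tag name to its list of ip_network objects."""
    data = json.loads(raw_json)
    return {
        v["name"]: [ipaddress.ip_network(p) for p in v["properties"]["addressPrefixes"]]
        for v in data["values"]
    }


def tags_covering(ip, tag_networks):
    """Sorted names of every tag whose prefixes contain ip (v4/v6 mismatches are False)."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in tag_networks.items()
                  if any(addr in net for net in nets))


def nsg_gap(required_ips, allowed_tags, tag_networks):
    """Required addresses that none of the NSG's allowed tags cover."""
    allowed = set(allowed_tags)
    return [ip for ip in required_ips
            if not allowed & set(tags_covering(ip, tag_networks))]


if __name__ == "__main__":
    nets = load_tag_networks(SERVICE_TAGS_JSON)
    allowed = ["AzureMachineLearning", "AzureFrontDoor.Frontend", "AzureActiveDirectory"]
    # 152.199.4.44 is the address the thread reports for aadcdn.msftauth.net;
    # with the constructed data it is covered by no allowed tag, so it is reported.
    print("Not covered by any allowed tag:",
          nsg_gap(["152.199.4.44", "203.0.113.10"], allowed, nets))
```

Re-run it against each newly published Service Tags file, since tag contents change and a resolved address such as 152.199.4.44 may move.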

iam-mamadou commented 1 year ago

I am also facing the same issue as described by @jh4mit. @jhirono, is anyone looking into this issue?

jhirono commented 1 year ago

Sorry for my delay, let me check this in my env.

jhirono commented 1 year ago

Interesting. https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud#azure-portal-urls-for-proxy-bypass says:

The service tags required to access the Azure portal (including authentication and resource listing) are AzureActiveDirectory, AzureResourceManager, and AzureFrontDoor.Frontend.

Let me follow up with the right team. Thanks for your patience.