MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Gap in documentation to provide guidance related to network setup for customers who do not want to use private endpoints #117468

Open yogitasrivastava opened 9 months ago

yogitasrivastava commented 9 months ago

[Gap in documentation to provide guidance related to network setup for customers who do not want to use private endpoints]


AjayBathini-MSFT commented 9 months ago

@yogitasrivastava Thanks for your feedback! We will investigate and update as appropriate.

Naveenommi-MSFT commented 9 months ago

Hi @yogitasrivastava Can you please clarify what kind of guidance you are looking for related to network setup for customers who do not want to use private endpoints?

yogitasrivastava commented 9 months ago

While working with one of our customers to support them in setting up their MLOps network, we referenced the MS Learn document (the page on which this issue is raised) to seek step-by-step guidance on how to set up the network for an ML workspace and its components for a customer who does not want to use private endpoints.

We came up with the network topology diagram below after reading through this MS Learn document and a few others as well, and then consolidating all our learnings into the attached view of the network topology.

While we understand that private endpoints are more secure, and we tried to convince the customer of this, due to some internal challenges on the customer's end they wanted a view of the network setup with service endpoints only (or a combination of service endpoints and private endpoints where a private endpoint is a must, e.g. when the ML workspace is decided to be in the VNET).

Some of the questions we had were ones for which we were looking for an MS Learn document (a single document) that explains the step-by-step setup clearly with service endpoints (or a combination of service and private endpoints), just like this one does with private endpoints. But there was no single document that had the whole setup in one place, as this customer was expecting. Moreover, some of the dependencies regarding the use of service endpoints and subnets, like the ones below, are just mentioned as paragraphs, without an actual Visio diagram to quickly help the customer make an effective decision.

_"Azure Container Registry
Your Azure Container Registry must be Premium version. For more information on upgrading, see Changing SKUs.

If your Azure Container Registry uses a private endpoint, we recommend that it be in the same virtual network as the storage account and compute targets used for training or inference. However it can also be in a peered virtual network.

If it uses a service endpoint, it must be in the same virtual network and subnet as the storage account and compute targets.

Your Azure Machine Learning workspace must contain an Azure Machine Learning compute cluster."_

Overall, it took us 2-3 days to get back to the customer with help, because most of our time was spent consolidating the information across various documents.

It would be of great help if the diagram that we have put together, along with the consolidated info that we derived from various MS Learn pages, were documented in a single MS Learn page, so that it will be helpful for other customers in the future.

(Attached diagrams: network-security-mlops-architecture_v2, network-security-mlops-architecture_v3)

yogitasrivastava commented 9 months ago

@maggiemarxen Please add information as relevant.

@Naveenommi-MSFT Here is the scenario, for your reference, that we have represented in the network topology diagram and tried to test using Bastion:

Scenario 1 >> All resources in a single Azure VNET and the same resource group

An Azure Machine Learning workspace that uses a private endpoint to communicate using the customer virtual network. An Azure Storage Account that uses service endpoints to allow storage services such as blob and file to communicate using the customer virtual network. An Azure Container Registry that uses a service endpoint to communicate using the customer virtual network. An Azure Key Vault that uses a service endpoint to communicate using the customer virtual network. An Azure Machine Learning compute instance and compute cluster secured by the customer virtual network.
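The scenario above (workspace behind a private endpoint, storage and Key Vault reachable only from the VNET via service endpoints) expressed as a Bicep template. This is an added example written for this thread, not code from the issue, from the reporter, or from the Azure docs. Resource names, the `10.0.0.0/16` address space, the `training` subnet, and the API versions are assumptions; the compute cluster, Application Insights and ACR are left out (the thread itself disagrees on whether ACR supports service endpoints, so it is not modelled here), as are the private DNS zones the workspace private endpoint needs.

```bicep
// Added example: Scenario 1 from the thread as a Bicep deployment.
// All names, CIDRs and API versions are illustrative assumptions.
param location string = resourceGroup().location
param prefix string = 'mlops'

var subnetName = 'training'
var subnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, subnetName)

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: '${prefix}-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.0.1.0/24'
          // Service endpoints: traffic to these PaaS services stays on the Azure
          // backbone and arrives carrying this subnet's identity.
          serviceEndpoints: [
            { service: 'Microsoft.Storage' }
            { service: 'Microsoft.KeyVault' }
          ]
          // Needed so the workspace private endpoint NIC can live in this subnet.
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
    ]
  }
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: '${prefix}sa${uniqueString(resourceGroup().id)}'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    networkAcls: {
      // A service endpoint on the subnet does nothing on its own; the account
      // firewall must deny by default and allow only that subnet.
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: subnetId, action: 'Allow' } ]
    }
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: '${prefix}-kv-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: subnetId } ]
    }
  }
}

// Workspace with public access disabled: reachable only through the private
// endpoint below. Assumption: this API version lets you omit Application
// Insights and a container registry at creation time.
resource workspace 'Microsoft.MachineLearningServices/workspaces@2023-10-01' = {
  name: '${prefix}-ws'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    friendlyName: '${prefix}-ws'
    storageAccount: storage.id
    keyVault: keyVault.id
    publicNetworkAccess: 'Disabled'
  }
}

resource workspacePe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${prefix}-ws-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: '${prefix}-ws-plsc'
        properties: {
          privateLinkServiceId: workspace.id
          groupIds: [ 'amlworkspace' ]
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create -g <resource-group> -f main.bicep`. Two checks worth doing afterwards: `az storage account show -n <name> --query networkRuleSet.defaultAction` and the Key Vault equivalent must both return `Deny`, because a subnet service endpoint with the PaaS firewall still at `Allow` changes the routing but not who may connect; and the workspace private endpoint only resolves correctly once the `privatelink.api.azureml.ms` and `privatelink.notebooks.azure.net` private DNS zones are linked to the VNET, which this template does not create.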

Naveenommi-MSFT commented 9 months ago

@yogitasrivastava Thank you for bringing this to our attention. I've delegated this to content author @jhirono, who will review it and offer their insightful opinions.

yogitasrivastava commented 9 months ago

@Naveenommi-MSFT @jhirono

Thanks to both of you for considering our feedback. Please note that while we have highlighted it as a gap, it might turn out to be an opportunity to consider including the network topology that we put together for this particular customer as an example in one of the documentation pages. Looping in @maggiemarxen from my team.

jhirono commented 7 months ago

@yogitasrivastava I don't quite understand your requests. This is our planning doc and step-by-step guide:

https://learn.microsoft.com/en-us/azure/machine-learning/how-to-network-isolation-planning?view=azureml-api-2
https://learn.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace?view=azureml-api-2

You can replace a private endpoint with a service endpoint if the PaaS service supports service endpoints. ACR doesn't support service endpoints.