Feature/aml managed vnet #43
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
promisinganuj
requested changes
May 6, 2024
| ## Scenario | ||
|
|
||
| <!-- Describe the usage scenario for this template. Describe the challenges this recipes aims to address. --> | ||
| This scenario aims to address the challenge of correctly configuring an Azure machine learning workspace within a Microsoft managed VNet including ensuring appropriate connectivity with common services such as Azure Storage Account, Azure Key Vault, Azure Container Registry. |
There was a problem hiding this comment.
Suggested change
| This scenario aims to address the challenge of correctly configuring an Azure machine learning workspace within a Microsoft managed VNet including ensuring appropriate connectivity with common services such as Azure Storage Account, Azure Key Vault, Azure Container Registry. | |
| This scenario aims to address the challenge of correctly configuring an Azure Machine Learning (AML) workspace within a managed virtual network (managed VNet). This includes ensuring appropriate connectivity with common Azure services such as Azure Storage Account, Azure Key Vault, and Azure Container Registry. |
| ### Problem Summary | ||
|
|
||
| <!--Briefly describe the problme that this recipe intends to resolve or make easier. --> | ||
| Azure machine learning workspace is composed of a number of different components: Machine Learning Studio, workspace storage account, key vault, machine learning Data Pipelines, container registry and other external data sources like Azure SQL Server, ADLS Gen2. Despite being under a single machine learning umbrella service, each of these sub-components require a slightly different VNet configuration treatment to properly isolate network traffic. For example, generally you need at least four Private Endpoints configured for a single workspace each with connecting to a different sub-component. Another example, while managed workspace are generally a single tenant service with compute resources spun up within a designated Managed VNet, data scientist vm's, azure dev ops pipelines could be multi-tenanted and therefore require provisioning a Private Endpoint within the bridge vnet in order to connect to the workspace successfully. |
There was a problem hiding this comment.
Suggested change
| Azure machine learning workspace is composed of a number of different components: Machine Learning Studio, workspace storage account, key vault, machine learning Data Pipelines, container registry and other external data sources like Azure SQL Server, ADLS Gen2. Despite being under a single machine learning umbrella service, each of these sub-components require a slightly different VNet configuration treatment to properly isolate network traffic. For example, generally you need at least four Private Endpoints configured for a single workspace each with connecting to a different sub-component. Another example, while managed workspace are generally a single tenant service with compute resources spun up within a designated Managed VNet, data scientist vm's, azure dev ops pipelines could be multi-tenanted and therefore require provisioning a Private Endpoint within the bridge vnet in order to connect to the workspace successfully. | |
| Azure machine learning workspace is composed of a number of different components: Machine Learning Studio, workspace storage account, key vault, machine learning Data Pipelines, container registry and other external data sources like Azure SQL Server, Azure Data Lake Storage Gen2 (ADLS Gen2). Despite being under a single machine learning umbrella service, each of these sub-components require a slightly different VNet configuration treatment to properly isolate network traffic. For instance, configuring at least four private endpoints is necessary for a single workspace, each connecting to a distinct sub-component. Another example pertains to managed workspaces, which are typically single-tenant services with compute resources deployed within a designated managed VNet. However, data scientist VMs and Azure DevOps pipelines could be multi-tenanted, and thus require the provisioning of a private endpoint within the bridge VNet in order to connect to the workspace successfully. |
| <!--Briefly describe the problme that this recipe intends to resolve or make easier. --> | ||
| Azure machine learning workspace is composed of a number of different components: Machine Learning Studio, workspace storage account, key vault, machine learning Data Pipelines, container registry and other external data sources like Azure SQL Server, ADLS Gen2. Despite being under a single machine learning umbrella service, each of these sub-components require a slightly different VNet configuration treatment to properly isolate network traffic. For example, generally you need at least four Private Endpoints configured for a single workspace each with connecting to a different sub-component. Another example, while managed workspace are generally a single tenant service with compute resources spun up within a designated Managed VNet, data scientist vm's, azure dev ops pipelines could be multi-tenanted and therefore require provisioning a Private Endpoint within the bridge vnet in order to connect to the workspace successfully. | ||
|
|
||
| In addition to this, customers will also need to ensure that traffic between the Azure machine learning workspace studio can still privately flow between the workspace components and additional Azure services such as storage external to the managed VNet. This is done through the use of Private Endpoints. Another important that one has to keep in mind is the secure integration of Azure Machine Learning with Azure DevOps pipelines and Github actions that are enabled through the bridge virtual network (VNet to access resources in the architecure diagram). |
There was a problem hiding this comment.
Suggested change
| In addition to this, customers will also need to ensure that traffic between the Azure machine learning workspace studio can still privately flow between the workspace components and additional Azure services such as storage external to the managed VNet. This is done through the use of Private Endpoints. Another important that one has to keep in mind is the secure integration of Azure Machine Learning with Azure DevOps pipelines and Github actions that are enabled through the bridge virtual network (VNet to access resources in the architecure diagram). | |
| In addition to this, customers will also need to ensure that traffic within the Azure machine learning workspace studio can still privately flow between the workspace components and additional Azure services such as external storage accounts. This is done through the use of private endpoints. Another crucial aspect to consider is the secure integration of Azure Machine Learning with Azure DevOps pipelines and GitHub actions, which is facilitated through a bridge virtual network ("VNet to access AML workspace and resources" in the architecture diagram). |
|
|
||
| In addition to this, customers will also need to ensure that traffic between the Azure machine learning workspace studio can still privately flow between the workspace components and additional Azure services such as storage external to the managed VNet. This is done through the use of Private Endpoints. Another important that one has to keep in mind is the secure integration of Azure Machine Learning with Azure DevOps pipelines and Github actions that are enabled through the bridge virtual network (VNet to access resources in the architecure diagram). | ||
|
|
||
| This recipe aims to provide developers a starting point with an IaC example of an Azure machine learning managed-vnet workspace with all sub-components correctly configured to ensure traffic stays private, while still being able to connect to common additional services such as Azure Storage Account, ADLS Gen2 and Azure Key Vault. |
There was a problem hiding this comment.
Suggested change
| This recipe aims to provide developers a starting point with an IaC example of an Azure machine learning managed-vnet workspace with all sub-components correctly configured to ensure traffic stays private, while still being able to connect to common additional services such as Azure Storage Account, ADLS Gen2 and Azure Key Vault. | |
| This recipe aims to provide developers with a starting point, offering an Infrastructure as Code (IaC) example of an Azure Machine Learning managed VNet workspace with the required secured networking configured as described above. |
| ### Architecture | ||
|
|
||
| <!-- Include a high-level architecture diagram of the components used in this recipe. --> | ||
|  |
There was a problem hiding this comment.
Suggest removing the Azure services if they are not deployed as part of the recipe.
Also, suggest using a different font "helvetica" or "tahoma" for the text.
There was a problem hiding this comment.
Suggest providing a brief description (few paragraphs) of what's happening in this architecture diagram.
| In addition to adding a private endpoint for the AML workspace, a private endpoint should be created for the AML dependant resources such as Azure Blob Storage and Key Vault inside your chosen VNet to enable connectivity to these resources. | ||
|
|
||
| ### Testing Solution | ||
| To test Azure Machine Learning (AML) end-to-end, you can follow these steps using the **AzureML in a day notebook** from the **Samples** folder within the Notebooks section of Azure Machine Learning: |
There was a problem hiding this comment.
Where is the notebook? If it's just one notebook, I suggest copying it in the repo and add reference to it. That way, user doesn't have to go to another repo.
Having said that, please feel free to add link to the "AML rep" for reference.
|
|
||
| In addition to adding a private endpoint for the AML workspace, a private endpoint should be created for the AML dependant resources such as Azure Blob Storage and Key Vault inside your chosen VNet to enable connectivity to these resources. | ||
|
|
||
| ### Testing Solution |
There was a problem hiding this comment.
In general, please following the markdown linting rules. For example, leaving spaces before and after the headers. "markdownlint" VS Code extension can help with this.
| ### Testing Solution | ||
| To test Azure Machine Learning (AML) end-to-end, you can follow these steps using the **AzureML in a day notebook** from the **Samples** folder within the Notebooks section of Azure Machine Learning: | ||
| - Create a Compute Instance: | ||
| - On the left navigation, select Compute and then Compute Instance. Create a new compute instance and supply a name. Keep all the defaults, expect under networking select No Public IP. Select Review & Create and wait for the deployment to be completed. |
There was a problem hiding this comment.
Can we add a GIF image to show this?
| name = "sa${random_string.sa_prefix.result}${var.environment}" | ||
| location = azurerm_resource_group.default.location | ||
| resource_group_name = azurerm_resource_group.default.name | ||
| account_tier = "Standard" |
There was a problem hiding this comment.
Is there any particular reason for not deploying "ADLS Gen2" account? (is_hns_enabled=true).
| - Sign in to the Azure Machine Learning studio. | ||
| - Navigate to Notebooks and select the Samples tab. | ||
| - Look for the AzureML in a day notebook. | ||
| - Open the notebook and clikc on 'Clone' to create a copy in your workspace file share. |
There was a problem hiding this comment.
I am getting the following error:
I have already created "blob" PE for the storage account and AKV in the customer VNet.
|
Hi @yogitasrivastava / @oloomi / @RenSilvaAU , Overall, this is looking really good. Well done! The recipes in this repo also deploys the "customer VNet" and that's missing from this sample. Suggest you add the following Azure resources:
|
Refer https://github.com/Azure-Samples/virtual-network-integration-recipes/pull/27/files?short_path=64a62a4#diff-64a62a4611883e924d833faeb925f4339bb201c9a3b2df284c1446b9db30f94b for additional guidance. Happy to chat about the details. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add automation for managed-vnet AML workspace (allow internet outbound) to Azure recipes
Does this introduce a breaking change?
Pull Request Type
What kind of change does this Pull Request introduce?
How to Test
git clone [repo-address] cd [repo-name] git checkout [branch-name] npm installWhat to Check
Verify that the following are valid
Other Information
Please follow the Readme.md to install the code for automation.