- Compute Instance with Public IP is the only supported compute type.
- Supported region is eastus only.
- allow_only_approved_outbound is not supported.
- FQDN outbound is not supported.
- Default PE to ACR/Monitor is not supported.
- Make sure your subscription is allowlisted.
You can have an AzureML managed VNet with two configuration types.
- allow_internet_outbound: Allows all internet outbound traffic from the AzureML managed VNet. You can have private endpoint connections to your private Azure resources.
- allow_only_approved_outbound: Allows outbound traffic only to approved destinations. You can allow outbound traffic using private endpoints, FQDN (will be available), and service tags.
- Remove your Azure CLI AzureML extension if you have it installed.

```bash
az extension remove -n ml
```

- Install the CLI ML extension for the private preview.

```bash
az extension add --source https://azuremlsdktestpypi.blob.core.windows.net/wheels/sdk-cli-v2/ml-0.0.88584999-py3-none-any.whl
```
- Create a workspace without managed network isolation.

```bash
az login
az account set -s <subscriptionId>
# az group create requires a location
az group create -g <new_rg_name> --location eastus
az configure -d group=<new_rg_name> location=eastus
az ml workspace create -n <new_ws_name> -g <rg_name> --location eastus --managed-network disabled
```
- Enable managed network isolation.

allow_internet_outbound: Allows all internet outbound traffic from the AzureML managed VNet. You can have private endpoint connections to your private Azure resources.

```bash
az ml workspace update -n <ws_name> -g <rg_name> --managed-network allow_internet_outbound
```
You can create private endpoints to access your private resources. Below is an example that creates a PE for an Azure Storage account.

```bash
az ml workspace update --file peoutbound.yml --resource-group MyGroup
```

A sample peoutbound.yml:
```yaml
name: MyWorkspace
managed_network:
  outbound_rules:
    MyStorage:
      type: PrivateEndpoint
      destination:
        service_resource_id: "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/MyGroup/providers/Microsoft.Storage/storageAccounts/MyAccount"
        subresource_target: "blob"
```
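A pre-flight check for the outbound rules before running `az ml workspace update`, as an added example that is not part of the original page or the AzureML tooling. It assumes the file has already been loaded into a dict by a YAML parser; `audit_outbound_rules`, the subscription allow-list, and the `Stray` rule are hypothetical names and constructed input.

```python
import re

# ARM resource ID: /subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
ARM_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"/resourceGroups/[^/]+/providers/(?P<rtype>[^/]+/[^/]+)/[^/]+$",
    re.IGNORECASE,
)
# Primary private-link sub-resources (group IDs) of a storage account.
SUBRESOURCES = {"microsoft.storage/storageaccounts":
                {"blob", "file", "queue", "table", "dfs", "web"}}

def audit_outbound_rules(config, allowed_subscriptions):
    """Return findings for managed_network.outbound_rules; an empty list means clean."""
    allowed = {s.lower() for s in allowed_subscriptions}
    rules = (config.get("managed_network") or {}).get("outbound_rules") or {}
    findings = []
    for name, rule in rules.items():
        # Only PrivateEndpoint rules are expected in this preview (FQDN is unsupported).
        if rule.get("type") != "PrivateEndpoint":
            findings.append(f"{name}: type {rule.get('type')!r} is not PrivateEndpoint")
            continue
        dest = rule.get("destination") or {}
        m = ARM_ID.match(str(dest.get("service_resource_id", "")))
        if not m:
            findings.append(f"{name}: service_resource_id is not a full ARM resource ID")
            continue
        # A PE into a subscription you do not own is an unintended data path.
        if m["sub"].lower() not in allowed:
            findings.append(f"{name}: destination subscription {m['sub']} is not approved")
        known = SUBRESOURCES.get(m["rtype"].lower())
        target = dest.get("subresource_target")
        if known is not None and target not in known:
            findings.append(f"{name}: subresource_target {target!r} invalid for {m['rtype']}")
    return findings

PAGE_SUB = "00000000-1111-2222-3333-444444444444"
STORAGE = "/resourceGroups/MyGroup/providers/Microsoft.Storage/storageAccounts/MyAccount"
# Constructed input: the page's MyStorage rule plus one deliberately wrong rule.
SAMPLE = {"name": "MyWorkspace", "managed_network": {"outbound_rules": {
    "MyStorage": {"type": "PrivateEndpoint", "destination": {
        "service_resource_id": f"/subscriptions/{PAGE_SUB}{STORAGE}",
        "subresource_target": "blob"}},
    "Stray": {"type": "PrivateEndpoint", "destination": {
        "service_resource_id": f"/subscriptions/99999999-9999-9999-9999-999999999999{STORAGE}",
        "subresource_target": "blobs"}},
}}}

if __name__ == "__main__":
    for finding in audit_outbound_rules(SAMPLE, {PAGE_SUB}):
        print(finding)
```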
Note that your first CI creation takes 10 minutes because we need to initialize multiple private endpoints.

Use computeInstance.yml with your compute instance name and SSH key.

```bash
az ml compute create --file computeInstance.yml --resource-group <rg_name> --workspace-name <ws_name>
```

You can create and copy an SSH key if you do not have one.

```bash
ssh-keygen -m PEM -t rsa -b 4096
cat ~/.ssh/id_rsa.pub
```
Go to your Workspace/Notebook or Workspace/Compute/Compute Instance/Jupyter to test the Python SDK using sample notebooks. We expect you to test the scenarios below.
- Run several example notebooks from https://github.com/Azure/azureml-examples/tree/main/sdk/python and check whether they work without issues.
- Run your own Jupyter notebook with your dataset in your private storage account. Note that you need to create a PE to your private storage as described above.

```bash
az ml compute connect-ssh --name <ci_name> --resource-group <rg_name> --workspace-name <ws_name> --private-key-file-path <your sshkey path>
```
You can check private endpoint connections in the Azure portal. Private endpoints appear after your first compute creation. PE connections to ACR/Monitor will come.

Submit issue details via https://forms.office.com/r/5WpJGk9jK0. The AzureML team will set up periodic meetings to discuss issues if necessary.

```bash
az group delete -n <rg_name>
```