To connect your Azure Machine Learning managed online endpoints to other private resources, such as a data lake storage account or a private API, while using Legacy Network Isolation mode, there are several steps and considerations:
- In Legacy Network Isolation mode, managed online endpoints automatically create private endpoints only to the Azure Machine Learning workspace, its associated storage account, and the Azure Container Registry. For any other resource, you must create the private endpoint yourself.
- Verify that the `egress_public_network_access` flag on the deployment is set to `disabled`. This setting is what makes a managed online deployment reach your resources through private endpoints; if it is left enabled, the deployment sends outbound traffic over the public network and cannot reach private resources through private endpoints.
- Configure outbound rules so your deployments can communicate with the additional private resources. This means defining private endpoint outbound rules (and service tag rules, where a service is reached by service tag rather than by private endpoint) for the required services, such as your data lake or API. This setup ensures that outbound traffic from the workspace's managed virtual network can reach the desired private endpoints.
- Use managed identities to secure connections to other Azure services. By assigning a user-assigned or system-assigned managed identity to your endpoint, you can allow it to access resources like Azure Key Vault and SQL databases securely.
- Managed Network Isolation mode (currently in public preview) offers more flexibility for connecting to other Azure resources through private endpoints. If you must stay on Legacy Network Isolation, however, you need to create and manage the connections to those resources yourself.
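The following is an added example, not code from the original answer or from Azure: a small offline audit that checks the two things the steps above depend on, that the deployment has `egress_public_network_access` set to `disabled`, and that every private resource the deployment must reach has a matching `private_endpoint` outbound rule in the workspace's `managed_network` configuration. The two JSON documents are constructed to resemble the output of `az ml online-deployment show -o json` and `az ml workspace show -o json`; the field names follow the Azure ML YAML schema, but the resource IDs, names and the required-target list are placeholders.

```python
"""Audit a managed online deployment's egress setting and the workspace's
private endpoint outbound rules.

Added example, not Azure documentation or SDK code. The JSON below is
CONSTRUCTED to look like `az ml online-deployment show` / `az ml workspace show`
output; resource IDs and names are placeholders.
"""
import json

# Constructed: a deployment whose egress still goes over the public network.
DEPLOYMENT_PUBLIC_EGRESS = json.loads("""
{
  "name": "blue",
  "endpoint_name": "my-endpoint",
  "instance_type": "Standard_DS3_v2",
  "instance_count": 1,
  "egress_public_network_access": "enabled"
}
""")

# Same deployment with the flag set the way the steps above require.
DEPLOYMENT_PRIVATE_EGRESS = dict(DEPLOYMENT_PUBLIC_EGRESS,
                                 egress_public_network_access="disabled")

# Constructed: workspace with one private endpoint rule to a data lake (dfs
# subresource) and one service tag rule. Only the data lake is covered.
WORKSPACE = json.loads("""
{
  "name": "my-workspace",
  "managed_network": {
    "isolation_mode": "allow_only_approved_outbound",
    "outbound_rules": [
      {
        "name": "datalake-pe",
        "type": "private_endpoint",
        "destination": {
          "service_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/mydatalake",
          "subresource_target": "dfs",
          "spark_enabled": false
        }
      },
      {
        "name": "monitor-tag",
        "type": "service_tag",
        "destination": {"service_tag": "AzureMonitor", "protocol": "TCP", "port_ranges": "443"}
      }
    ]
  }
}
""")

# Placeholder list of private resources the deployment must reach:
# (resource id, private endpoint subresource).
REQUIRED_TARGETS = [
    ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/mydatalake", "dfs"),
    ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-api/providers/Microsoft.Web/sites/my-private-api", "sites"),
]


def private_endpoint_rules(workspace):
    """Index the workspace's private_endpoint outbound rules as
    {(resource_id_lower, subresource_lower): rule_name}. Azure resource IDs
    are case-insensitive, so compare them lower-cased."""
    rules = workspace.get("managed_network", {}).get("outbound_rules", [])
    index = {}
    for rule in rules:
        if rule.get("type") != "private_endpoint":
            continue
        dest = rule.get("destination", {})
        key = (dest.get("service_resource_id", "").lower(),
               dest.get("subresource_target", "").lower())
        index[key] = rule.get("name")
    return index


def audit(deployment, workspace, required_targets):
    """Return a list of findings; an empty list means the configuration is
    consistent with reaching every required target over private endpoints."""
    findings = []
    egress = deployment.get("egress_public_network_access", "enabled")
    if egress.lower() != "disabled":
        findings.append(
            f"deployment {deployment.get('name')}: egress_public_network_access is "
            f"'{egress}'; private endpoints are only used when it is 'disabled'")
    pe_rules = private_endpoint_rules(workspace)
    for resource_id, subresource in required_targets:
        if (resource_id.lower(), subresource.lower()) not in pe_rules:
            findings.append(
                f"no private_endpoint outbound rule for {resource_id} ({subresource}); "
                "add a rule or create the private endpoint manually")
    return findings


if __name__ == "__main__":
    for label, dep in (("public egress", DEPLOYMENT_PUBLIC_EGRESS),
                       ("private egress", DEPLOYMENT_PRIVATE_EGRESS)):
        print(f"== {label} ==")
        for finding in audit(dep, WORKSPACE, REQUIRED_TARGETS) or ["OK"]:
            print(" -", finding)
```

Run against the constructed data, the public-egress deployment produces two findings (the flag, and the missing rule for the API), and the corrected deployment still produces one, which is the point of the check: flipping `egress_public_network_access` alone is not enough; each extra private resource also needs its own private endpoint or outbound rule.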