Azure Machine Learning - Managed Online Endpoints - Access private azure resources (legacy network isolation)

Šimon Dalecký 0 Reputation points
2024-07-26T09:38:39.1166667+00:00

Hi,

I have created an Azure Machine Learning workspace and need to use Legacy Network Isolation mode (utilizing our own VNET instead of a Managed VNET).

Everything works fine, except for Managed Online Endpoints. Part of the script requires access to other private resources behind the VNET, such as a data lake storage account or an API.

Is there a way to set up connectivity between Managed Online Endpoints and other resources?

Based on the documentation (https://video2.skills-academy.com/en-us/azure/machine-learning/concept-secure-online-endpoint?view=azureml-api-2&tabs=cli#appendix), it appears that when using Legacy Network Isolation mode with Managed Online Endpoints, you can only access the workspace itself, the associated storage account, and the Azure Container Registry via automatically created Private Endpoints from the online endpoint deployment managed VNET to these three resources.

Is my assumption correct that it's not possible to access any other resources? If not, how can I achieve this?

Thank you for any help.


1 answer

Amira Bedhiafi 22,616 Reputation points
2024-07-27T16:14:15.5933333+00:00

To connect your Azure Machine Learning Managed Online Endpoints to other private resources such as a data lake storage account or an API using Legacy Network Isolation mode, there are several steps and considerations:

1. Managed Online Endpoints with Legacy Network Isolation mode can only automatically create private endpoints to the Azure Machine Learning workspace, associated storage account, and Azure Container Registry. For other resources, you must manually create private endpoints.
2. Verify that the egress_public_network_access flag is disabled. This setting is crucial for establishing private endpoint connections from managed online deployments to your private resources. Without this, the deployment will not be able to access private resources through private endpoints.
3. You can configure outbound rules to allow your deployments to communicate with additional private resources. This involves setting up appropriate private endpoint outbound rules and service tags for the required services (such as your data lake or API). This setup ensures that outbound traffic from the workspace's managed virtual network can reach the desired private endpoints.
4. Use managed identities to secure connections to other Azure services. By assigning a user-assigned or system-assigned managed identity to your endpoint, you can allow it to access resources like Azure Key Vault and SQL databases securely.
5. Although it's currently in public preview, Managed Network Isolation mode can allow more flexibility in connecting to various Azure resources through private endpoints. However, if you must use Legacy Network Isolation, you need to manually handle the connections to other resources.
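As an added example (not part of the answer above or of any Microsoft documentation), here are Azure ML CLI v2 definitions for an endpoint and a deployment with inbound public access disabled, the `egress_public_network_access` flag from step 2 disabled, and a user-assigned identity attached as in step 4; the subscription, resource group, identity, model and environment references are placeholders you replace with your own.

```yaml
# endpoint.yml (added example; names and resource IDs are placeholders)
$schema: https://azuremlschemas.azureedge.net/latest/managedOnlineEndpoint.schema.json
name: my-private-endpoint
auth_mode: key
# Inbound: scoring requests are accepted only through the workspace private endpoint.
public_network_access: disabled
# Identity the scoring script authenticates with when it reaches other Azure
# resources; grant it the needed RBAC roles (e.g. Storage Blob Data Reader) on them.
identity:
  type: user_assigned
  user_assigned_identities:
    - resource_id: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<IDENTITY_NAME>
---
# deployment.yml (added example)
$schema: https://azuremlschemas.azureedge.net/latest/managedOnlineDeployment.schema.json
name: blue
endpoint_name: my-private-endpoint
model: azureml:<MODEL_NAME>:<MODEL_VERSION>
code_configuration:
  code: ./src
  scoring_script: score.py
environment: azureml:<ENVIRONMENT_NAME>:<ENVIRONMENT_VERSION>
instance_type: Standard_DS3_v2
instance_count: 1
# Outbound: the deployment cannot reach the public internet; in legacy network
# isolation it gets private endpoints only to the workspace, its storage account
# and the container registry, so any other dependency must be privately reachable.
egress_public_network_access: disabled
```

Apply them with `az ml online-endpoint create -f endpoint.yml` and then `az ml online-deployment create -f deployment.yml --all-traffic`; a deployment that fails to reach a private dependency after this is a sign the dependency is outside the set of resources the legacy managed VNET can reach.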
