Is there any mechanism for updating the bunch of IP addresses of Azure Service Tag in the Azure Firewall?

Rajoli Hari Krishna 536 Reputation points
2024-10-28T12:17:12.14+00:00

Scenario:

As part of the Enterprise Scale Migration (Azure Public Cloud to Azure Landing Zones), we are not able to access the compute in the Azure Machine Learning workspace.

We are getting the two issues mainly:

  1. When we open the compute tab in the AML Studio, it is displaying the error like "Error: User does not have access to this compute instance. Please check if this compute instance is assigned to you and you have access to the workspace. Additionally, verify that you are on the correct network to access this compute instance."


  2. When we try to access the compute using the supported applications such as Jupyter, Jupyter Lab, VS Code (Web), etc., we are unable to access them, and the below error is shown:

    Unauthorized
    User xxx@yyy.com does not have access to compute instance hariscompute1.
    Please check if this compute instance is assigned to you and you have access to the workspace.
    Additionally, verify that you are on the correct network to access this compute instance.


On troubleshooting with our network team, we found that traffic is not allowed from our compute IP to the below endpoint (canadacentral.tundra.azureml.ms) on UDP port 5831:

    Compute instance | <region>.tundra.azureml.ms | UDP | 5831

We have whitelisted the "Azure ML Compute instance and compute cluster hosts" section of endpoints and the given ports, following the MS doc provided, in our on-prem and Azure firewalls.

On doing an nslookup for the above endpoint canadacentral.tundra.azureml.ms, we got the public IP, which we whitelisted in our Azure Firewall. Then we were able to access the compute applications such as Jupyter, Jupyter Lab, etc.

But after an hour, the IP address of the endpoint changed dynamically; we also found the relevant MS doc for getting the list of IP addresses allowed for the Azure Machine Learning service tag.

In the above MS doc, it is mentioned that the list of IP addresses specified for the service tags can be updated weekly.

Hence, we need a mechanism or automation around validating the list of IPs updated for the AzureMachineLearning service tag regularly, which would help us to proactively whitelist the required IPs so as not to break the existing applications.

Azure Machine Learning

Accepted answer
romungi-MSFT 46,751 Reputation points Microsoft Employee
2024-10-28T13:59:56.82+00:00

    @Rajoli Hari Krishna AFAIK using the list of IPs to update is not recommended as IPs can change at any instance. I think you need to use service tags in this case, the AzureMachineLearning tag represents the IP addresses used by the Azure Machine Learning service. So, you can try to whitelist based on service tag if you are using a service that supports this service tag.

    See this scenario guide on adding UDR for compute instance or cluster.

    az network route-table route create -g MyResourceGroup --route-table-name MyRouteTable -n AzureMLRoute --address-prefix AzureMachineLearning --next-hop-type Internet
    

    If you are using a 3rd party firewall you will have to build a client-side mechanism to extract the file and search for the service tag within the file.

    I hope this helps!!

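For the "client-side mechanism" the answer mentions for third-party firewalls, here is an added example (not from the answer or from Microsoft) that extracts the AzureMachineLearning prefixes from a downloaded Service Tags JSON file, diffs two weekly snapshots to find prefixes to add or retire from an allow-list, and checks whether an IP resolved for a *.tundra.azureml.ms host falls inside the tag. The sample documents are constructed; they follow the "values[].properties.addressPrefixes" layout of the published file, but the prefixes are documentation ranges, not real Azure ranges, and the regional tag name used is an assumption.

```python
import ipaddress
import json
from typing import Optional

# Constructed samples in the layout of the Service Tags JSON file (a "values"
# list of tags, each with properties.addressPrefixes). Example ranges only.
SAMPLE_OLD = json.dumps({"changeNumber": 1, "cloud": "Public", "values": [
    {"name": "AzureMachineLearning", "id": "AzureMachineLearning",
     "properties": {"region": "", "systemService": "AzureMachineLearning",
                    "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/25"]}},
    {"name": "AzureMachineLearning.CanadaCentral",  # assumed regional tag name
     "id": "AzureMachineLearning.CanadaCentral",
     "properties": {"region": "canadacentral", "systemService": "AzureMachineLearning",
                    "addressPrefixes": ["203.0.113.0/26"]}},
]})
SAMPLE_NEW = json.dumps({"changeNumber": 2, "cloud": "Public", "values": [
    {"name": "AzureMachineLearning", "id": "AzureMachineLearning",
     "properties": {"region": "", "systemService": "AzureMachineLearning",
                    "addressPrefixes": ["203.0.113.0/24", "192.0.2.0/24"]}},
]})


def parse_service_tags(text: str) -> dict:
    """Parse the raw JSON text of a downloaded Service Tags file."""
    return json.loads(text)


def extract_prefixes(doc: dict, tag: str) -> list:
    """Return the sorted addressPrefixes for one tag name, e.g. 'AzureMachineLearning'."""
    for entry in doc.get("values", []):
        if entry.get("name") == tag:
            return sorted(entry["properties"]["addressPrefixes"])
    raise KeyError(f"service tag {tag!r} not found in file")


def diff_prefixes(old: list, new: list) -> tuple:
    """(added, removed): prefixes to allow-list and prefixes to retire between snapshots."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


def covering_prefix(ip: str, prefixes: list) -> Optional[str]:
    """Prefix containing ip (e.g. the nslookup result for the tundra endpoint), or None."""
    addr = ipaddress.ip_address(ip)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if addr.version == net.version and addr in net:
            return p
    return None


if __name__ == "__main__":
    old = extract_prefixes(parse_service_tags(SAMPLE_OLD), "AzureMachineLearning")
    new = extract_prefixes(parse_service_tags(SAMPLE_NEW), "AzureMachineLearning")
    added, removed = diff_prefixes(old, new)
    print("add to allow-list:", added, "| retire:", removed)
    print("203.0.113.7 covered by:", covering_prefix("203.0.113.7", new))
```

Run it weekly against the freshly downloaded file and the previous copy; an IP from nslookup that `covering_prefix` does not match is the signal that a manual exception, rather than the service tag, is in play.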
