AI - Machine Learning Blog

Announcing Azure Machine Learning managed network isolation

andyaviles (Microsoft)
May 23, 2023

Azure Machine Learning offers rich network isolation features, such as private link workspaces, a no-public-IP option for AI model training compute resources, and data exfiltration protection, to support most of your network isolation requirements. However, many data science teams still find it challenging to configure network isolation that complies with their internal security requirements because, fundamentally, network isolation is not their expertise. This can delay operationalizing machine learning projects on Azure Machine Learning.

 

To help data science teams with this challenge, we are excited to announce the public preview of Azure Machine Learning managed network isolation. Managed network isolation streamlines and automates your network isolation configuration with a built-in, workspace-level Azure Machine Learning managed virtual network. Your data science team can satisfy your organization’s security requirements by simply choosing one of the network isolation modes below, each of which comes with automated configuration.

 

| Outbound mode | Description | Scenarios |
|---|---|---|
| Allow internet outbound | Allow all internet outbound traffic from the managed VNet. | Recommended if you need access to machine learning artifacts on the Internet, such as Python packages or pretrained models. |
| Allow only approved outbound | Outbound traffic is allowed by specifying service tags. | Recommended if you want to minimize the risk of data exfiltration but you need to prepare all required machine learning artifacts in your private locations. |

 

Behind the scenes, Azure Machine Learning provisions a managed virtual network in which to provision your computing resources, such as compute instances, compute clusters, serverless, and serverless Spark. The managed virtual network is preconfigured with the required outbound rules, so you do not need to configure them yourself. If your workspace default resources are private, the managed virtual network automatically initiates private endpoint connections to them. You can add further private endpoint connections to your additional data sources. You can also configure FQDN- or service-tag-based public outbound rules if you choose the “allow only approved outbound” mode.
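
As an added example (not code from the original post or from Azure Machine Learning), a reviewer could audit a workspace's managed network definition for its data exfiltration posture before it is deployed. The dictionary layout, mode strings and rule types are assumptions modelled on the Azure ML CLI v2 workspace YAML, and the approved-FQDN list and the set of broad service tags are a hypothetical review policy.

```python
# Constructed sample: a parsed workspace definition. Key names, mode strings and
# rule types are assumptions modelled on the Azure ML CLI v2 workspace YAML.
SAMPLE_WORKSPACE = {
    "name": "ws-example",
    "managed_network": {
        "isolation_mode": "allow_only_approved_outbound",
        "outbound_rules": [
            {"name": "pypi", "type": "fqdn", "destination": "pypi.org"},
            {"name": "wild-fqdn", "type": "fqdn", "destination": "*.example.net"},
            {"name": "unlisted-fqdn", "type": "fqdn", "destination": "files.example.org"},
            {"name": "aad", "type": "service_tag",
             "destination": {"service_tag": "AzureActiveDirectory"}},
            {"name": "broad-tag", "type": "service_tag",
             "destination": {"service_tag": "AzureCloud"}},
            {"name": "lake-pe", "type": "private_endpoint",
             "destination": {"service_resource_id": "<storage-resource-id>",
                             "subresource_target": "blob"}},
        ],
    },
}
BROAD_TAGS = {"Internet", "AzureCloud"}  # hypothetical policy: tags too wide to approve


def audit_managed_network(workspace, approved_fqdns):
    """Return (rule_name, reason) findings that a reviewer should follow up."""
    net = workspace.get("managed_network") or {}
    mode = net.get("isolation_mode", "disabled")
    if mode == "allow_internet_outbound":
        return [("<workspace>", "all internet outbound is allowed")]
    if mode != "allow_only_approved_outbound":
        return [("<workspace>", f"no managed network isolation (mode={mode})")]
    findings = []
    for rule in net.get("outbound_rules", []):
        name, kind, dest = rule.get("name"), rule.get("type"), rule.get("destination")
        if kind == "fqdn":
            if "*" in dest:
                findings.append((name, f"wildcard FQDN {dest}"))
            elif dest.lower() not in approved_fqdns:
                findings.append((name, f"FQDN {dest} is not on the approved list"))
        elif kind == "service_tag":
            if dest.get("service_tag") in BROAD_TAGS:
                findings.append((name, f"service tag {dest['service_tag']} is too broad"))
        elif kind != "private_endpoint":  # private endpoints stay on private links
            findings.append((name, f"unknown rule type {kind!r}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_managed_network(SAMPLE_WORKSPACE, {"pypi.org"}):
        print(f"{name}: {reason}")
```

Running the same check in a pull-request pipeline keeps new outbound rules from being approved without review.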

 

Figure: Managed VNet Architecture

 

All enterprises need network isolation in some way. Managed network isolation automates much of the configuration and speeds up setting up a workspace that meets your network isolation requirements.

 

Resources to get started 

Updated May 22, 2023
Version 1.0
  • cnederveen

    Hi, I like this a lot and it makes life much easier for network isolation of ML. However, in the documentation I see the network tab in the ML creation in the portal. This does not match what I see in the portal (which is just the "old" view). Must I do something to activate the "preview" network tab in the portal?