Azure Machine Learning offers rich network isolation features such as private link workspace, no public IP option of AI model training compute resources, and data exfiltration protection to support most of your network isolation requirements. However, many data science teams will still find it challenging to configure network isolation compliant with their internal security requirements because, fundamentally, network isolation is not their expertise. This can delay operationalizing machine learning projects on Azure Machine Learning.
To help data science teams with this challenge, we are excited to announce the public preview of Azure Machine Learning managed network isolation. Managed network isolation streamlines and automates your network isolation configuration with a built-in, workspace-level Azure Machine Learning managed virtual network. Your data science team can satisfy your organization’s security requirements by simply choosing below network isolation modes with automated configurations.
Allow internet outbound
Allow all internet outbound traffic from the managed VNet.
Recommended if you need access to machine learning artifacts on the Internet, such as python packages or pretrained models.
Allow only approved outbound
Outbound traffic is allowed by specifying service tags.
Recommended if you want to minimize the risk of data exfiltration but you need to prepare all required machine learning artifacts in your private locations.
Behind the scenes, Azure Machine Learning provisions managed virtual network to provision your computing resources such as compute instance, compute cluster, serverless, and serverless Spark. Managed virtual network is preconfigured with required outbound rules so you do not need to worry about it. If your workspace default resources are private, managed virtual network automatically initiates private endpoint connections. You can add additional private endpoint connections to your additional data sources. You can also configure FQDN/Service tag based public outbound if you choose “allow only approved outbound” mode.
Managed VNet Architecture
All enterprises need network isolation in some way. Managed network isolation dramatically automates configuration experiences and speeds up your workspace setup with network isolation requirements.