Host ML Compute in VNet
March 21, 2025 ยท View on GitHub
SYNOPSIS
Azure Machine Learning Computes should be hosted in a virtual network (VNet).
DESCRIPTION
When using Azure Machine Learning (ML), you can configure compute instances to be private or accessible from the public Internet. By default, the ML compute is configured to be accessible from the public Internet.
ML compute can be deployed into an virtual network (VNet) to provide private connectivity, enhanaced security, and isolation. Using a VNet reduces the attack surface for your solution, and the chances of data exfiltration. Additionally, network controls such as Network Security Groups (NSGs) can be used to further restrict access.
RECOMMENDATION
Consider using ML - compute hosted in a VNet to provide private connectivity, enhanaced security, and isolation.
EXAMPLES
Configure with Azure template
To deploy an ML - compute that passes this rule:
- Set the
properties.properties.subnet.idproperty with a resource Id of a specific VNET subnet.
For example:
{
"type": "Microsoft.MachineLearningServices/workspaces/computes",
"apiVersion": "2023-06-01-preview",
"name": "[format('{0}/{1}', parameters('name'), parameters('name'))]",
"location": "[parameters('location')]",
"properties": {
"computeType": "ComputeInstance",
"disableLocalAuth": true,
"properties": {
"vmSize": "[parameters('vmSize')]",
"idleTimeBeforeShutdown": "PT15M",
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split('vnet/subnet', '/')[0], split('vnet/subnet', '/')[1])]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]"
]
}
Configure with Bicep
To deploy an ML - compute that passes this rule:
- Set the
properties.properties.subnet.idproperty with a resource Id of a specific VNET subnet.
For example:
resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {
parent: workspace
name: name
location: location
properties: {
computeType: 'ComputeInstance'
disableLocalAuth: true
properties: {
vmSize: vmSize
idleTimeBeforeShutdown: 'PT15M'
subnet: {
id: subnet.id
}
}
}
}