Need alternative approach to make the private AML compute instance work with the terminals

Rajoli Hari Krishna 616 Reputation points
2025-02-21T13:06:01.1833333+00:00

Hi

We have hosted the resources in our Azure Landing Zone subscription, where public network access is disabled at the Management Group policy level, and the resources are hosted in virtual networks with private endpoints.

Our company strictly restricts every functionality with Azure Firewall, so we have whitelisted the required FQDNs/hosts related to AML compute functionality mentioned in this Microsoft document:

https://learn.microsoft.com/en-us/azure/machine-learning/how-to-access-azureml-behind-firewall?view=azureml-api-2&tabs=ipaddress%2Cpublic#basic-configuration

If we allow the service tag in Azure Firewall, the AML compute instance works only from the office network.

If we allow the bunch of public IPs given in this MS link, the AML compute instance terminals work from both the office and the public network (integrated with Zscaler VPN).

My Problems are:

  1. As mentioned in the document, the public IPs may change weekly. How do we get notifications, and won't it be hectic to update the firewall on a weekly basis? A few companies like ours have a process of raising a request to the network team to allow these Microsoft Azure public IPs in the firewall so that the virtual-network-hosted AML compute instance works.
  2. If service tags are allowed, we are unable to access the AML compute terminals over the public internet routed through the company's Zscaler VPN.

Accepted answer

Saideep Anchuri 3,140 Reputation points Microsoft Vendor
2025-02-21T14:16:36.7+00:00

Hi Rajoli Hari Krishna

You can whitelist the hosts and ports relating to the Azure Machine Learning service instead. You can follow the instructions on using the dependency API to get the needed hosts and ports for whitelisting in your Azure or organization firewall. You can also configure a P2S connection to connect with the Azure VPN client so that you are in the same network as the virtual network, instead of using Zscaler VPN. Regarding IP ranges in service tags, there is a dedicated IP range for each region; you can whitelist the IP ranges region-wise for Azure ML dependent resources like Key Vault, Storage, Front Door, etc.

Kindly refer to the link below: Azure Machine Learning

Thank You.
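The answer above suggests whitelisting service tag IP ranges region by region, while the question notes that those ranges change weekly. As an added illustration (not code from the question, the answer, or Microsoft), this Python script diffs two downloaded Service Tags JSON snapshots for one regional tag and emits only the prefixes to add or revoke, so the weekly request to the network team carries deltas instead of the full list. The snapshots are constructed samples laid out like the downloadable ServiceTags_Public_<date>.json file (an assumption about that layout), and the prefixes are documentation ranges, not real Microsoft addresses.

```python
"""Diff two Service Tag snapshots for one regional tag and report prefix changes."""
import ipaddress
import json

# Constructed sample snapshots. Assumption: the downloadable service tag file has
# a top-level "values" list whose entries carry "name" and
# "properties.addressPrefixes". The prefixes are RFC 5737/3849 documentation
# ranges, not real Azure ranges.
LAST_WEEK = json.dumps({"changeNumber": 1, "cloud": "Public", "values": [
    {"name": "AzureMachineLearning.WestEurope", "properties": {
        "region": "westeurope", "systemService": "AzureMachineLearning",
        "addressPrefixes": ["203.0.113.0/25", "198.51.100.0/24", "2001:db8:1::/48"]}}]})
THIS_WEEK = json.dumps({"changeNumber": 2, "cloud": "Public", "values": [
    {"name": "AzureMachineLearning.WestEurope", "properties": {
        "region": "westeurope", "systemService": "AzureMachineLearning",
        "addressPrefixes": ["203.0.113.0/25", "192.0.2.0/24", "2001:db8:1::/48"]}}]})


def tag_prefixes(snapshot_json, tag_name):
    """Return the set of address prefixes published for one service tag."""
    doc = json.loads(snapshot_json)
    for entry in doc["values"]:
        if entry["name"] == tag_name:
            return set(entry["properties"]["addressPrefixes"])
    raise KeyError(f"tag {tag_name!r} not found in snapshot")


def _sort_key(prefix):
    # Sort IPv4 before IPv6; mixed-version networks cannot be compared directly.
    net = ipaddress.ip_network(prefix)
    return (net.version, net)


def diff_prefixes(old_json, new_json, tag_name):
    """Return (added, removed) prefix lists between two weekly snapshots."""
    old, new = tag_prefixes(old_json, tag_name), tag_prefixes(new_json, tag_name)
    return sorted(new - old, key=_sort_key), sorted(old - new, key=_sort_key)


def change_request(old_json, new_json, tag_name):
    """Render the delta as the firewall change list handed to the network team."""
    added, removed = diff_prefixes(old_json, new_json, tag_name)
    lines = [f"{tag_name}: +{len(added)} / -{len(removed)} prefixes"]
    lines += [f"ALLOW  {p}" for p in added]
    lines += [f"REVOKE {p}" for p in removed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(change_request(LAST_WEEK, THIS_WEEK, "AzureMachineLearning.WestEurope"))
```

Running it against the constructed snapshots reports one prefix to allow and one to revoke; identical snapshots produce an empty delta, which is the "nothing to do this week" signal.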

