Error training model in ML Studio

Repetti Pierangelo 20 Reputation points
2024-12-18T08:08:11.23+00:00

Hello,

I get the following error while running an "Automated ML" job in ML Studio.

Failed to download snapshot from storage using SAS url. Error message: This request is not authorized to perform this operation.

Authentication error when downloading from storage. Tip: Please check the storage account attached to the workspace. Make sure the request is not blocked by by a firewall, virtual network, or other security settings.

The job is trying to interact with a storage account that, for security reasons, is configured NOT to let access from all networks. The storage is in the same resource group and accepts connections from:

  • public IP address range for our Company network
  • the resource group's virtual network
  • the Machine Learning workspace instance (as Microsoft.MachineLearningServices/workspaces) based on their system-assigned managed identity as stated by the Azure portal

Looking at logs for the storage, the failed requests are coming from address 10.0.0.4.

Given that the storage firewall should remain, is there a way to configure it so that it can let requests from ML pass through? Should we add subnet 10.0.0.x to it? Is that a fixed subnet or might it change?

Thank you


1 answer

  1. Saideep Anchuri 495 Reputation points Microsoft Vendor
    2024-12-18T10:17:15.6833333+00:00

    Hi Repetti Pierangelo

    Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    1. This 10.0.0.4 looks like a private IP and might be one of your Azure resources. You can identify the resource using the command

    dig -x <PrivateIP>
    

    to get the designated FQDN and the underlying Azure resource. Once the resource type is identified from the FQDN, you can allow it as a trusted resource, similar to how you did for your Azure Machine Learning instance.

    2. You can also modify the inbound rules of your virtual network to allow connections from the specified subnet range with the target being the resource subnet. However, it might be simpler to include the subnet range in the storage firewall if the existing declared virtual network range does not already encompass it.

    Kindly refer to the documentation below: https://learn.microsoft.com/en-us/azure/machine-learning/how-to-access-azureml-behind-firewall?view=azureml-api-2&tabs=ipaddress%2Cpublic

    https://learn.microsoft.com/en-us/azure/machine-learning/how-to-secure-workspace-vnet?view=azureml-api-2&tabs=required%2Cpe%2Ccli#secure-azure-storage-accounts

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Thank you.
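
Added example, not part of the answer above and not Microsoft's code: an offline check of whether a source address taken from the storage logs (10.0.0.4 in the question) is admitted by the account's network rules. It assumes the rule set has the shape printed by `az storage account show` and that subnet prefixes are supplied separately; the subnet ID, the ranges and the `evaluate` helper are constructed for illustration. Azure storage IP rules accept public ranges only, so the check treats RFC 1918 sources as needing a subnet rule or a private endpoint.

```python
import ipaddress

# Constructed sample shaped like the networkRuleSet object printed by
# `az storage account show`; IDs and ranges are placeholders.
SUBNET_ID = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
             "Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>")
RULE_SET = {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
    "virtualNetworkRules": [
        {"action": "Allow", "virtualNetworkResourceId": SUBNET_ID}],
}
# The rule set stores subnet IDs only, so prefixes are supplied separately.
SUBNET_PREFIXES = {SUBNET_ID: "10.1.0.0/24"}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def evaluate(source_ip, rule_set, subnet_prefixes):
    """Return (allowed, reason) for one source address from the storage logs."""
    ip = ipaddress.ip_address(source_ip)
    if rule_set.get("defaultAction") == "Allow":
        return True, "defaultAction is Allow (firewall not enforced)"
    for rule in rule_set.get("virtualNetworkRules", []):
        prefix = subnet_prefixes.get(rule.get("virtualNetworkResourceId"))
        if rule.get("action", "Allow") == "Allow" and prefix \
                and ip in ipaddress.ip_network(prefix, strict=False):
            return True, f"virtual network rule for subnet {prefix}"
    if any(ip in net for net in RFC1918):
        # Storage IP rules take public ranges only, so a private source
        # has to be admitted through a subnet rule or a private endpoint.
        return False, "private address outside every allowed subnet"
    for rule in rule_set.get("ipRules", []):
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if rule.get("action", "Allow") == "Allow" and ip in net:
            return True, f"IP rule {net}"
    return False, "no matching rule"


if __name__ == "__main__":
    for addr in ("10.0.0.4", "10.1.0.7", "203.0.113.20", "198.51.100.9"):
        print(addr, *evaluate(addr, RULE_SET, SUBNET_PREFIXES))
```
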
