How to create private Azure machine learning and compute in custom VNET?

Boopathi Sarvesan 20 Reputation points
2025-01-28T05:39:54.29+00:00

Hi,

Q1 - I am trying to use a custom VNET in Azure Machine Learning and have chosen to have a private network while disabling managed network isolation. When I attempted to create the compute without a public IP, it is trying to create the resources in the resource group where the virtual network is located instead of where the Machine Learning resource is located. How can I create the compute in the resource group where the Machine Learning resource is present instead of where the VNET is present?

Q2. How can I achieve inbound and outbound networking with a custom VNET and compute without a public IP?


2 answers

  1. Sreeju Nair 12,611 Reputation points
    2025-01-28T06:18:02.06+00:00
    1. Q1: The behavior of creating resources in the resource group of the VNET occurs because Azure attempts to ensure the compute is deployed with network proximity to the VNET for better performance. But you can specify the resource group explicitly during the compute creation process.

       ```bash
       # --enable-node-public-ip false creates the compute nodes without a public IP
       az ml compute create --name <COMPUTE_NAME> \
         --type AmlCompute \
         --resource-group <RESOURCE_GROUP_OF_ML_WORKSPACE> \
         --workspace-name <WORKSPACE_NAME> \
         --vnet-name <VNET_NAME> \
         --subnet <SUBNET_NAME> \
         --enable-node-public-ip false
       ```
    2. To enable networking for the compute without a public IP in a custom VNET, you must set up the appropriate configurations for both inbound and outbound traffic. Make sure you configure
      1. NSG Rules
      2. Use NAT Gateway

       To get inbound without a public IP, you might need to use VPN / ExpressRoute / Private Endpoints.

    Hope this helps


  2. Saideep Anchuri 1,790 Reputation points Microsoft Vendor
    2025-01-28T06:28:41.3766667+00:00

    Hi Boopathi Sarvesan

    Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    Q1 - Actually, you should keep all the resources along with the virtual network in one resource group only, instead of putting the virtual network and machine learning in separate resource groups. It is by design that the compute or compute cluster will occupy an IP from the subnet the private endpoints are created with. You should select the virtual network and subnet while creating the computes, as shown in the screenshot below.

    Kindly refer to the link below: create-a-storage-account

    Q2. You need to allow the required Azure service tags (Storage, Key Vault, Front Door, etc.) as destinations in the outbound rules of your network security group to allow communication between Azure resources. You can also add the respective host names to allow installation of conda, Python packages, etc.

    Kindly refer to the link below: configuration

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful.

    Thank You.
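An added example, not part of either answer: a small check of whether an NSG's outbound rules actually allow TCP 443 to the service tags mentioned for Q2, evaluating rules in priority order as Azure does. The tag names in `REQUIRED_TAGS`, the flattened JSON field names and the sample rules are assumptions constructed for illustration.

```python
import json

# Assumed service-tag names for the services the answer lists (Storage,
# Key Vault, Front Door); confirm them for your region before relying on this.
REQUIRED_TAGS = ["Storage", "AzureKeyVault", "AzureFrontDoor.FrontEnd"]

def _values(rule, single, plural):
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _port_ok(rule, port):
    for r in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _dest_ok(rule, tag):
    tag = tag.lower()
    for p in _values(rule, "destinationAddressPrefix", "destinationAddressPrefixes"):
        p = p.lower()
        # "*" and Internet also cover a tag's public endpoints; "Storage.westeurope" is regional.
        if p in ("*", "internet", tag) or p.startswith(tag + "."):
            return True
    return False

def audit_outbound(rules, tags=REQUIRED_TAGS, port=443):
    """Map each tag to (access, rule name) of the first matching rule by priority."""
    outbound = sorted((r for r in rules if r["direction"].lower() == "outbound"
                       and r["protocol"].lower() in ("tcp", "*")),
                      key=lambda r: r["priority"])
    verdict = {}
    for tag in tags:
        hit = next((r for r in outbound if _dest_ok(r, tag) and _port_ok(r, port)), None)
        # No custom match: the platform default AllowInternetOutBound rule applies.
        verdict[tag] = (hit["access"], hit["name"]) if hit else ("Allow", "AllowInternetOutBound")
    return verdict

# Constructed sample in the flattened shape `az network nsg rule list -o json` prints.
SAMPLE_RULES = json.loads("""[
 {"name": "deny-internet", "priority": 4000, "direction": "Outbound", "access": "Deny",
  "protocol": "*", "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
 {"name": "allow-storage", "priority": 100, "direction": "Outbound", "access": "Allow",
  "protocol": "Tcp", "destinationAddressPrefix": "Storage.westeurope", "destinationPortRange": "443"},
 {"name": "allow-kv", "priority": 110, "direction": "Outbound", "access": "Allow",
  "protocol": "Tcp", "destinationAddressPrefix": "AzureKeyVault", "destinationPortRanges": ["443"]}
]""")

if __name__ == "__main__":
    print(json.dumps(audit_outbound(SAMPLE_RULES), indent=1))
```

On the sample, the Front Door tag comes back as denied by `deny-internet`, which is the kind of gap that breaks a no-public-IP compute once outbound Internet is locked down.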

