
epomatti/azure-machinelearning-cm-vnet


Azure ML VNET

Implementation of AML network isolation with a customer-managed VNET.

Setup

Create the variables file:

cp config/template.tfvars .auto.tfvars

Configuration:

  1. Set your public IP address in the allowed_ip_address variable.
  2. Set your Entra ID tenant in the entraid_tenant_domain variable.

Generate a key pair to manage instances with SSH:

ssh-keygen -f keys/ssh_key

Create the resources:

terraform init
terraform apply -auto-approve

Approve any pending private endpoint connections, both in the subscription and within the managed AML workspace.

Manually create the datastores in AML and run the test notebooks.
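Before running terraform apply it is worth confirming that the allow list really is one address and not a wide range. The pre-flight script below is an added example, not part of this repository: it assumes the variable names from config/template.tfvars (allowed_ip_address, entraid_tenant_domain) and applies the policy that only a single IPv4 host, optionally written as /32, is acceptable.

```shell
#!/usr/bin/env bash
# Pre-flight check for .auto.tfvars before `terraform apply`.
# Added example, not part of the repository. Variable names are those of
# config/template.tfvars; the "single host only" rule is an assumption.

# Accept only one public IPv4 host (optionally written as /32). Anything
# wider (0.0.0.0/0, a /24, ...) opens the NSG rules to far more than "your IP".
check_allowed_ip() {
  local value="$1" ip mask
  ip="${value%%/*}"
  mask="${value#*/}"
  [ "$mask" = "$value" ] && mask=32          # no prefix length given
  [ "$mask" = "32" ] || return 1
  # Exactly four dot-separated octets, each 0-255.
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  local o
  for o in "$@"; do
    case "$o" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$o" -le 255 ] || return 1
  done
  # The unspecified address is never a valid client.
  [ "$ip" != "0.0.0.0" ]
}

# Read `name = "value"` from a tfvars file (HCL, one assignment per line).
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Exit status 0 only when every checked variable passes.
check_tfvars() {
  local file="$1" ok=0
  local ip tenant
  ip="$(tfvar "$file" allowed_ip_address)"
  tenant="$(tfvar "$file" entraid_tenant_domain)"
  if ! check_allowed_ip "$ip"; then
    echo "allowed_ip_address must be a single IPv4 host, got: '${ip}'" >&2; ok=1
  fi
  if [ -z "$tenant" ]; then
    echo "entraid_tenant_domain is not set" >&2; ok=1
  fi
  return $ok
}

# Usage: ./check_tfvars.sh .auto.tfvars   (non-zero exit on a problem)
if [ "$#" -gt 0 ]; then
  check_tfvars "$1"
fi
```

Run it against .auto.tfvars right after editing the file; a non-zero exit means the apply would create rules you did not intend.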

Compute

Create the AML compute and other resources by changing the appropriate flags:

💡 Follow the documentation steps to enable AKS VNET integration, if you have not done so yet.

mlw_instance_create_flag = true
mlw_aks_create_flag      = true
mlw_mssql_create_flag    = true
vm_proxy_create_flag     = true

The proxy connection is configured on init, following the proxy documentation. The init script exports the proxy address for the login shell:

#!/bin/bash

proxy_domain=squid.private.litware.com
proxy_url="http://${proxy_domain}:3128"   # Squid listens on 3128 by default
# Both spellings: curl reads http_proxy only in lower case, HTTPS_PROXY in either.
# No sudo: ~/.bashrc belongs to the user, and sudo would not cover the redirect anyway.
{
  echo "export HTTP_PROXY=$proxy_url"
  echo "export HTTPS_PROXY=$proxy_url"
  echo "export http_proxy=$proxy_url"
  echo "export https_proxy=$proxy_url"
} >> ~/.bashrc

Confirm the variables in a new login shell:

echo "$http_proxy"
echo "$https_proxy"

Container Registry

Extra configuration is required when using a Container Registry with private endpoints.

After creating the compute node, follow the documentation to enable docker builds in AML:

az ml workspace update --name myworkspace --resource-group myresourcegroup --image-build-compute mycomputecluster

IAM

This project has two roles which require different sets of permissions:

User            Activities
azureadmin      Administration of all related Azure resources.
datascientist   Development in the AML workspace.

Forward Proxy

Squid

Connect to the proxy VM server:

ssh -i keys/ssh_key azureuser@<public-ip>

Squid will already be installed via cloud-init. If you need to make changes, check the official docs.

Configuration can be set in file /etc/squid/squid.conf.

Set some hostname parameters:

visible_hostname squid.private.litware.com
hostname_aliases squid.private.litware.com

Change the http_access setting to allow all connections:

# http_access deny !Safe_ports
http_access allow all

Restart the service:

sudo systemctl restart squid.service

Test the proxy with the default configuration (Squid listens on port 3128):

curl -x "http://squid.private.litware.com:3128" "https://example.com/"
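http_access allow all turns the VM into an open proxy for anything that can reach port 3128, which matters as soon as an NSG rule exposes that port beyond the VNET. The script below is an added example, not part of this repository or of the Squid documentation: it renders an http_access policy that only admits clients from the VNET range (10.0.0.0/16 is an assumed value; use the range Terraform assigned) and includes a check that flags a squid.conf still carrying allow all.

```shell
#!/usr/bin/env bash
# Restrict Squid to clients inside the VNET instead of `http_access allow all`.
# Added example, not part of the repository. The VNET range passed in
# (10.0.0.0/16 in the usage below) is an assumption.

# Print an http_access policy that admits only the given source range.
# Safe_ports, SSL_ports and CONNECT are ACLs already defined in the default
# squid.conf shipped with the package, so they can be referenced directly.
render_squid_acl() {
  local vnet_cidr="$1"
  cat <<EOF
# Clients allowed to use the forward proxy (the AML VNET)
acl aml_vnet src ${vnet_cidr}
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow aml_vnet
# Everyone else, including anything reaching the VM's public interface, is refused
http_access deny all
EOF
}

# Return 0 if a squid.conf still grants access to everyone (an open proxy);
# commented-out lines do not count.
squid_conf_is_open() {
  grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' "$1"
}

# On the proxy VM (not executed here):
#   1. Replace the `http_access allow all` line in /etc/squid/squid.conf with
#      the output of:  render_squid_acl 10.0.0.0/16
#   2. sudo squid -k parse                      # syntax check before restarting
#   3. sudo systemctl restart squid.service
#   4. squid_conf_is_open /etc/squid/squid.conf && echo "still an open proxy"
```

Order matters in squid.conf: the first matching http_access line wins, so the deny all must stay last and the port checks must come before the allow. Re-run the curl test from a compute instance in the VNET afterwards; the same request from outside the range should now be refused.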

NGINX

⚠️ As discussed in this thread, running NGINX as a full forward proxy for HTTPS requires additional configuration steps: stock NGINX does not implement the HTTP CONNECT method, so the HTTPS test below will fail until a CONNECT-capable module is added.

Connect to the proxy server:

ssh -i keys/ssh_key azureuser@<public-ip>

I've used this article as a reference to set up the forward proxy server on NGINX.

  1. Comment the default server config within /etc/nginx/sites-enabled/default.
  2. Create the nginx/forward config file.
  3. Restart NGINX (systemctl restart nginx.service).

The forward proxy service should be available at port 8888.

curl -x "http://127.0.0.1:8888" "https://example.com/"

Clean-up

Delete the resources and avoid unplanned costs:

terraform destroy -auto-approve