Implementation of AML network isolation with a customer-managed VNET.
Create the variables file:
cp config/template.tfvars .auto.tfvars
Configuration:
- Set your IP address in the
allowed_ip_address
variable. - Set your the Entra ID tenant in the
entraid_tenant_domain
variable.
Generate a key pair to manage instances with SSH:
ssh-keygen -f keys/ssh_key
Create the resources:
terraform init
terraform apply -auto-approve
Confirm and approve any private endpoints, both in the subscription, and within the managed AML workspace.
Manually create the datastores in AML and run the test notebooks.
Create the AML compute and other resources by changing the appropriate flags:
💡 Follow the documentation steps to enable AKS VNET integration, if not yet done so.
mlw_instance_create_flag = true
mlw_aks_create_flag = true
mlw_mssql_create_flag = true
vm_proxy_create_flag = true
#!/bin/bash
proxy_domain=squid.private.litware.com
sudo echo "export HTTP_PROXY=$proxy_domain" >> ~/.bashrc
sudo echo "export HTTPS_PROXY=$proxy_domain" >> ~/.bashrc
Proxy connection will be configured on init following the proxy documentation.
echo "$http_proxy"
echo "$https_proxy"
Extra configuration is required when using an Container Registry with private endpoints.
After creating the compute node, follow the documentation to enable docker builds in AML:
az ml workspace update --name myworkspace --resource-group myresourcegroup --image-build-compute mycomputecluster
This project has two roles which require different set of permissions:
User | Activities |
---|---|
azureadmin |
Administration of all related Azure resources. |
datascientist |
Development in the AML workspace. |
Connect to the proxy VM server:
ssh -i keys/ssh_key azureuser@<public-ip>
Squid will already be installed via cloud-init
. If you need to make changes, check the official docs.
Configuration can be set in file /etc/squid/squid.conf
.
Set some hostname parameters:
visible_hostname squid.private.litware.com
hostname_aliases squid.private.litware.com
Change the http_access
setting to allow all connections:
# http_access deny !Safe_ports
http_access allow all
Restart the service:
sudo systemctl restart squid.service
Testing with default configuration:
curl -x "http://squid.private.litware.com:3128" "https://example.com/"
⚠️ From this thread, running NGINX full proxy with HTTPS will required additional configuration steps.
Connect to the proxy server:
ssh -i keys/ssh_key azureuser@<public-ip>
I've used this article as reference to setup the forward proxy server on NGINX.
- Comment the default server config within
/etc/nginx/sites-enabled/default
. - Create the [nginx/forward][nginx/forward] config file.
- Restart NGINX (
systemctl restart nginx.service
).
The forward proxy service should be available at port 8888
.
curl -x "http://127.0.0.1:8888" "https://example.com/"
Delete the resources and avoid unplanned costs:
terraform destroy -auto-approve