
Enable Network Isolation for Azure Machine Learning Registries

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that network isolation with private endpoints is enabled for your Azure Machine Learning (ML) registries. This keeps your ML resources isolated on a virtual network (VNet), away from the public Internet, reducing the risk of unauthorized access.

Security

Disabling public access for Azure Machine Learning (ML) registries and enabling network isolation with private endpoints enhances security by limiting access to sensitive data and services (models, components, environments, and the registry's backing storage and container registry), reducing the risk of unauthorized access, data breaches, and potential cyber-attacks. This ensures that only approved resources within a secure network can interact with the ML registries. Note that once public access is disabled, every consumer of the registry (workspaces, compute, CI/CD pipelines, and users of Azure ML studio) must reach it through a private endpoint and resolve the registry's name to the private endpoint's address, so the private endpoint and its DNS integration should be in place before public access is turned off.


Audit

To determine if network isolation with private endpoints is enabled for your Azure Machine Learning registries, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Machine Learning workspaces blade at https://portal.azure.com/#browse/Microsoft.MachineLearningServices%2Fworkspaces.

03 Select the Azure subscription that you want to examine from the Subscription filter box.

04 Click on the name (link) of the Azure Machine Learning registry that you want to examine.

05 In the resource navigation panel, under Settings, choose Networking to access the networking settings available for the selected registry.

06 On the Networking page, perform the following checks:

  1. Select the Public access tab and check the Public network access configuration setting. If Public network access is not set to Disabled, the registry is accessible via public endpoints, therefore, network isolation is not enabled for the selected registry.
  2. If Public network access is set to Disabled, select the Private endpoint connections tab and check for any private endpoints configured for your registry. If there are no private endpoints available on this page, network isolation with private endpoints is not enabled for the selected Azure Machine Learning (ML) registry.

07 Repeat steps no. 4 – 6 for each Azure Machine Learning registry available within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run ml registry list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Machine Learning registry available in the current subscription:

az ml registry list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Azure Machine Learning registry identifiers:

Name                          ResourceGroup
------------------------      ------------------------------
tm-ml-project5-registry       cloud-shell-storage-westeurope
tm-ml-production-registry     cloud-shell-storage-westeurope

03 Run ml registry show command (Windows/macOS/Linux) with the name of the Azure Machine Learning registry that you want to examine as the identifier parameter and custom output filters to describe the public network access status for the selected registry:

az ml registry show
  --name tm-ml-project5-registry
  --resource-group cloud-shell-storage-westeurope
  --query '{"public_access":public_network_access}'

04 The command output should return the requested networking information:

{
	"public_access": "Enabled"
}

If the ml registry show command output returns "Enabled" for "public_access", the registry is accessible via public endpoints, therefore, network isolation is not enabled for the selected Azure Machine Learning (ML) registry. If the command output returns "Disabled" for "public_access", you can continue the Audit process with the next step.

05 Run network private-endpoint list command (Windows/macOS/Linux) with custom output filters to list the name and the associated Private Link service ID for each private endpoint available within the current subscription:

az network private-endpoint list
  --query '[*].{name:name, privateLinkServiceId:privateLinkServiceConnections[].privateLinkServiceId}'

06 The command output should return the requested private endpoint identifiers:

[
	{
	"name": "tm-project5-private-endpoint",
		"privateLinkServiceId": [
			"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/registries/tm-development-registry"
		]
	},
	{
	"name": "tm-dev-private-endpoint",
		"privateLinkServiceId": [
			"/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/registries/tm-ml-test-registry"
		]
	}
]

Check the "privateLinkServiceId" attribute value for each private endpoint returned by the network private-endpoint list command output to determine if your Azure Machine Learning registry has a private endpoint configured. Compare resource IDs case-insensitively: Azure returns "resourcegroups" in lowercase in the "privateLinkServiceId" value, while other commands print "resourceGroups", and both refer to the same resource. Only a connection whose "privateLinkServiceConnectionState" status is "Approved" provides access; a "Pending" or "Rejected" connection does not. If none of the "privateLinkServiceId" attribute values matches the resource ID of your ML registry, there are no private endpoints configured for the registry, therefore, network isolation with private endpoints is not enabled for the selected Azure Machine Learning (ML) registry. Because private endpoints are frequently deployed in a different subscription or resource group than the registry (for example, a central networking subscription), run this check in every subscription before concluding that a registry has no private endpoint.

07 Repeat steps no. 3 - 6 for each Azure Machine Learning registry available in the selected Azure subscription.

08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
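The Azure CLI audit steps above can be automated. The following script is an added example written for this page, not Conformity's own check or Microsoft code. It applies the rule to JSON in the shape printed by az ml registry list, az ml registry show, and az network private-endpoint list: public network access must be Disabled and at least one Approved private endpoint connection must target the registry's resource ID. The registry names, resource group, subscription ID, and private endpoint data are constructed for the example; the --live mode, which runs the same three az commands against a real subscription, assumes a logged-in az CLI with the ml extension installed.

```python
"""Added example: evaluate Azure ML registries for network isolation.

Input shapes follow the az commands in the Audit section:
  az ml registry list -o json              -> name, resourceGroup
  az ml registry show -o json              -> public_network_access
  az network private-endpoint list -o json -> privateLinkServiceConnections[]
Sample data below is constructed for this example, not captured output.
"""
import json
import subprocess
import sys

SUBSCRIPTION_ID = "abcd1234-abcd-1234-abcd-1234abcd1234"  # constructed placeholder
RESOURCE_GROUP = "cloud-shell-storage-westeurope"          # constructed placeholder


def registry_resource_id(subscription_id, resource_group, name):
    """Build the ARM resource ID of an Azure ML registry."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.MachineLearningServices/registries/{name}")


# Constructed: list entries merged with each registry's public_network_access
# value (snake_case, as `az ml registry show` prints it).
SAMPLE_REGISTRIES = [
    {"name": "tm-ml-project5-registry", "resourceGroup": RESOURCE_GROUP,
     "public_network_access": "Enabled"},
    {"name": "tm-ml-production-registry", "resourceGroup": RESOURCE_GROUP,
     "public_network_access": "Disabled"},
    {"name": "tm-ml-staging-registry", "resourceGroup": RESOURCE_GROUP,
     "public_network_access": "Disabled"},
]

# Constructed private endpoints. The first uses lowercase "resourcegroups" in
# privateLinkServiceId, as Azure does in the Audit output, so an exact string
# comparison with the ID built above would wrongly report "no private endpoint".
SAMPLE_PRIVATE_ENDPOINTS = [
    {"name": "tm-prod-private-endpoint",
     "privateLinkServiceConnections": [{
         "groupIds": ["amlregistry"],
         "privateLinkServiceId": registry_resource_id(
             SUBSCRIPTION_ID, RESOURCE_GROUP, "tm-ml-production-registry"
         ).replace("resourceGroups", "resourcegroups"),
         "privateLinkServiceConnectionState": {"status": "Approved"}}],
     "manualPrivateLinkServiceConnections": []},
    {"name": "tm-staging-private-endpoint",
     "privateLinkServiceConnections": [],
     "manualPrivateLinkServiceConnections": [{
         "groupIds": ["amlregistry"],
         "privateLinkServiceId": registry_resource_id(
             SUBSCRIPTION_ID, RESOURCE_GROUP, "tm-ml-staging-registry"),
         "privateLinkServiceConnectionState": {"status": "Pending"}}]},
]


def normalize_id(resource_id):
    """Azure resource IDs are case-insensitive; compare them lowercased."""
    return resource_id.strip().lower()


def approved_private_endpoints(private_endpoints, target_id):
    """Names of private endpoints with an Approved amlregistry connection to target_id."""
    want = normalize_id(target_id)
    names = []
    for pe in private_endpoints:
        conns = ((pe.get("privateLinkServiceConnections") or [])
                 + (pe.get("manualPrivateLinkServiceConnections") or []))
        for conn in conns:
            if normalize_id(conn.get("privateLinkServiceId", "")) != want:
                continue
            groups = [g.lower() for g in conn.get("groupIds") or []]
            state = (conn.get("privateLinkServiceConnectionState") or {}).get("status")
            # Pending or Rejected connections give no access; only Approved counts.
            if state == "Approved" and (not groups or "amlregistry" in groups):
                names.append(pe["name"])
    return names


def evaluate(subscription_id, registry, private_endpoints):
    """Apply the rule to one registry and return a finding dict (fails closed)."""
    rid = registry_resource_id(subscription_id, registry["resourceGroup"], registry["name"])
    finding = {"name": registry["name"], "id": rid}
    if registry.get("public_network_access", "Enabled") != "Disabled":
        finding.update(status="FAIL", reason="public network access is enabled")
        return finding
    endpoints = approved_private_endpoints(private_endpoints, rid)
    if not endpoints:
        finding.update(status="FAIL", reason="no approved private endpoint targets this registry")
        return finding
    finding.update(status="PASS", reason="private endpoints: " + ", ".join(endpoints))
    return finding


def audit_subscription(subscription_id, registries, private_endpoints):
    return [evaluate(subscription_id, r, private_endpoints) for r in registries]


def az_json(*args):
    """Run an az command and parse its JSON output (requires a logged-in az CLI)."""
    return json.loads(subprocess.check_output(["az", *args, "-o", "json"], text=True))


def live_audit(subscription_id):
    """Same evaluation against a real subscription using the Audit section's commands."""
    sub = ["--subscription", subscription_id]
    registries = []
    for r in az_json("ml", "registry", "list", *sub):
        detail = az_json("ml", "registry", "show", "--name", r["name"],
                         "--resource-group", r["resourceGroup"], *sub)
        registries.append({**r, "public_network_access": detail.get("public_network_access")})
    return audit_subscription(subscription_id, registries,
                              az_json("network", "private-endpoint", "list", *sub))


if __name__ == "__main__":
    findings = (live_audit(sys.argv[2]) if sys.argv[1:2] == ["--live"]
                else audit_subscription(SUBSCRIPTION_ID, SAMPLE_REGISTRIES, SAMPLE_PRIVATE_ENDPOINTS))
    print(json.dumps(findings, indent=2))
    sys.exit(1 if any(f["status"] == "FAIL" for f in findings) else 0)
```

Run it without arguments to evaluate the constructed sample (project5 fails on public access, staging fails because its only connection is Pending, production passes despite the lowercase resource ID), or with --live <subscription-id> to run the real az commands; the non-zero exit on any FAIL lets it gate a pipeline. Because private endpoints can live in another subscription, run the live mode once per subscription and merge the private endpoint lists before trusting a FAIL for "no approved private endpoint".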

Remediation / Resolution

To ensure that network isolation is enabled for your Azure Machine Learning registries, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Machine Learning workspaces blade at https://portal.azure.com/#browse/Microsoft.MachineLearningServices%2Fworkspaces.

03 Select the Azure subscription that you want to access from the Subscription filter box.

04 Click on the name (link) of the Azure Machine Learning registry that you want to configure.

05 In the resource navigation panel, under Settings, choose Networking to access the networking settings available for the selected registry.

06 Select the Public access tab and set Public network access to Disabled to enable network isolation for the selected Azure Machine Learning (ML) registry. Choose Save to apply the changes.

07 Add a private endpoint to your ML registry. Select the Private endpoint connections tab, choose + Private endpoint, and perform the following actions:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the private endpoint instance in the Name box.
    4. For Region, select the Azure cloud region where the private endpoint instance will be deployed.
    5. Choose Next : Resource > to continue the setup process.
  2. For Resource, select amlregistry from the Target sub-resource dropdown list. This represents the type of ML registry sub-resource that your private endpoint will be able to access. Choose Next : Virtual Network > to continue the setup.
  3. For Virtual Network, perform the following actions:
    1. For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your private endpoint.
    2. For Subnet, select the VNet subnet where the private endpoint will be deployed.
    3. (Optional) For Network policy for private endpoints, choose (edit) next to Disabled to configure network policies for the selected VNet subnet.
    4. For Private IP configuration, choose whether to dynamically or statically allocate the private IP address.
    5. (Optional) For Application security group, choose + Create to create an Application Security Group (ASG) if required. ASGs allow you to configure network security by grouping virtual machines and defining policies based on these groups.
    6. Choose Next : DNS > to continue.
  4. For DNS, select Yes for Integrate with private DNS zone under Private DNS integration, to integrate your private endpoint with a private DNS zone. Ensure that the correct subscription and resource group are selected for the private DNS zone. Choose Next : Tags > to continue the setup.
  5. For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the private endpoint setup.
  6. For Review + create, review the resource configuration details, then choose Create to create your new private endpoint.

08 Repeat steps no. 4 – 7 for each Azure Machine Learning registry that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run ml registry update command (Windows/macOS/Linux) to disable public network access for the selected Azure Machine Learning (ML) registry and implement network isolation:

az ml registry update
  --name tm-ml-project5-registry
  --resource-group cloud-shell-storage-westeurope
  --set publicNetworkAccess=Disabled

02 The command output should return the new registry configuration information, with "publicNetworkAccess" set to "Disabled". To confirm the change took effect, you can re-run the ml registry show command from the Audit section with the --query '{"public_access":public_network_access}' filter and verify that it returns "Disabled":

{
	"containerRegistry": null,
	"description": null,
	"discoveryUrl": "https://westeurope.api.azureml.ms/registrymanagement/v1.0/registries/tm-ml-project5-registry/discovery",
	"identity": {
		"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"tenantId": "abcd1234-abcd-1234-abcd-1234abcd1234",
		"type": "SystemAssigned",
		"userAssignedIdentities": null
	},
	"intellectualProperty": null,
	"location": "westeurope",
	"managedResourceGroup": {
		"resourceId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/azureml-rg-tm-ml-project5-registry_abcd1234-abcd-1234-abcd-1234abcd1234"
	},
	"mlflowRegistryUri": "azureml://westeurope.api.azureml.ms/mlflow/v1.0/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/registries/tm-ml-project5-registry",
	"name": "tm-ml-project5-registry",
	"properties": {},
	"publicNetworkAccess": "Disabled",
	"replicationLocations": [
		{
			"acrConfig": [
				{
					"acrAccountSku": "Premium",
					"armResourceId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/azureml-rg-tm-ml-project5-registry_abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.ContainerRegistry/registries/1234abcd1234"
				}
			],
			"location": "westeurope",
			"storageConfig": {
				"armResourceId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/azureml-rg-tm-ml-project5-registry_abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Storage/storageAccounts/6755eb52202",
				"replicatedIds": null,
				"replicationCount": 1,
				"storageAccountHns": false,
				"storageAccountType": "standard_lrs"
			}
		}
	],
	"tags": {}
}

03 Run network private-endpoint create command (Windows/macOS/Linux) to create and attach a private endpoint to your Azure Machine Learning (ML) registry. Use the --private-connection-resource-id command parameter to specify the resource ID of your ML registry and --group-id amlregistry to select the registry sub-resource. Unlike console step no. 7, this command does not integrate the endpoint with a private DNS zone: the FQDN reported under "customDnsConfigs" in the output must resolve to the endpoint's private IP address for clients inside the VNet (for example, by adding a private DNS zone group to the endpoint), otherwise those clients will still resolve the public name and be refused once public access is disabled:

az network private-endpoint create
  --name tm-private-endpoint
  --resource-group cloud-shell-storage-westeurope
  --vnet-name tm-project5-vnet
  --subnet tm-vnet-subnet001
  --private-connection-resource-id "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/registries/tm-ml-project5-registry"
  --connection-name tm-ml-project5-registry-private-connection
  --group-id amlregistry
  --location westeurope

04 The command output should return the new private endpoint configuration information:

{
	"customDnsConfigs": [
		{
			"fqdn": "abcd1234-abcd-1234-abcd-1234abcd1234.registry.westeurope.api.azureml.ms",
			"ipAddresses": [
			"10.0.0.5"
			]
		}
	],

	"etag": "W/\"abcd1234-abcd-1234-abcd-1234abcd1234\"",
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/tm-private-endpoint",
	"ipConfigurations": [],
	"location": "westeurope",
	"manualPrivateLinkServiceConnections": [],
	"name": "tm-private-endpoint",
	"networkInterfaces": [
		{
			"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkInterfaces/tm-private-endpoint.nic.abcd1234-abcd-1234-abcd-1234abcd1234",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"privateLinkServiceConnections": [
		{
			"etag": "W/\"abcd1234-abcd-1234-abcd-1234abcd1234\"",
			"groupIds": [
				"amlregistry"
			],
			"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateEndpoints/tm-private-endpoint/privateLinkServiceConnections/tm-ml-project5-registry-private-connection",
			"name": "tm-ml-project5-registry-private-connection",
			"privateLinkServiceConnectionState": {
				"actionsRequired": "None",
				"description": "Auto-Approved",
				"status": "Approved"
			},
			"privateLinkServiceId": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/registries/tm-ml-project5-registry",
			"provisioningState": "Succeeded",
			"resourceGroup": "cloud-shell-storage-westeurope",
			"type": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections"
		}
	],
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"subnet": {
		"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/tm-project5-vnet/subnets/default",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"type": "Microsoft.Network/privateEndpoints"
}

05 Repeat steps no. 1 - 4 for each Azure Machine Learning registry that you want to configure, available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.


Publication date Jun 19, 2024