Error: Scoring FE IP address not updated yet, when enabling the use of internal load balancer

Allen Azemia 11 Reputation points
2020-10-13T07:20:04+00:00

Hello, I'm currently having issues enabling the private load balancer after attaching an existing AKS cluster to an AML workspace. The error message "Scoring FE IP address not updated yet" is displayed when trying to enable the private load balancer by following the instructions at https://learn.microsoft.com/en-us/azure/machine-learning/how-to-secure-inferencing-vnet?tabs=azure-cli#internal-aks-load-balancer. The AKS cluster is in a different VNet than the AML workspace. The two VNets have been peered. I've also tried using the Azure CLI but receive the same error message. Can you provide some help on resolving this?

Azure Machine Learning
An Azure machine learning service for building and deploying models.

2 answers

  1. Allen Azemia 11 Reputation points
    2020-10-21T05:12:01.293+00:00

    @Ramr-msft We've resolved the issue. The AKS MSI did not have the NetworkContributor Reader role assigned on the VNet, which we thought had already been applied. The AML workspace doesn't need to be private. It works for both AKS network types (i.e. kubenet and Azure CNI).

    2 people found this answer helpful.
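
The check that would have caught the cause reported in this answer, as an added example that is not part of the original thread: given role assignments in the shape returned by `az role assignment list --all -o json`, list the roles the AKS identity actually holds on the VNet, including ones inherited from a parent scope. The IDs and names are constructed placeholders, and the built-in role "Network Contributor" is assumed to be the required role.

```python
# Constructed sample shaped like `az role assignment list --all -o json`
# (fields principalId, roleDefinitionName, scope). All IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET_ID = (SUB + "/resourceGroups/rg-aks-net/providers/"
           "Microsoft.Network/virtualNetworks/vnet-aks")
AKS_MSI = "11111111-1111-1111-1111-111111111111"  # hypothetical AKS identity
OTHER = "22222222-2222-2222-2222-222222222222"    # hypothetical other principal

ASSIGNMENTS = [
    # Reader only: the identity can see the VNet but not modify it.
    {"principalId": AKS_MSI, "roleDefinitionName": "Reader", "scope": VNET_ID},
    # Sibling resource group whose name is a prefix of the VNet's group.
    {"principalId": AKS_MSI, "roleDefinitionName": "Network Contributor",
     "scope": SUB + "/resourceGroups/rg-aks"},
    # Right role and scope, but a different principal.
    {"principalId": OTHER, "roleDefinitionName": "Network Contributor",
     "scope": VNET_ID},
]


def scope_covers(assignment_scope, resource_id):
    """True if an assignment at assignment_scope is inherited by resource_id."""
    # Azure resource IDs are case-insensitive; compare on path-segment
    # boundaries so "rg-aks" does not match "rg-aks-net".
    parent = assignment_scope.rstrip("/").lower()
    child = resource_id.rstrip("/").lower()
    return child == parent or child.startswith(parent + "/")


def roles_on(assignments, principal_id, resource_id):
    """Role names the principal holds on resource_id, direct or inherited."""
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["principalId"].lower() == principal_id.lower()
                   and scope_covers(a["scope"], resource_id)})


def missing_role(assignments, principal_id, resource_id,
                 required="Network Contributor"):
    """True if the required role is absent for this principal on the resource."""
    return required not in roles_on(assignments, principal_id, resource_id)


if __name__ == "__main__":
    print("roles on VNet:", roles_on(ASSIGNMENTS, AKS_MSI, VNET_ID))
    print("role missing:", missing_role(ASSIGNMENTS, AKS_MSI, VNET_ID))
```
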

  2. Ramr-msft 17,611 Reputation points
    2020-10-14T13:38:20.347+00:00

    @Allen Azemia Thanks for the question. Details on creating a private IP link are here:
    https://learn.microsoft.com/en-us/azure/machine-learning/how-to-network-security-overview#use-private-ips-with-azure-kubernetes-service
    For secure AKS inference deployment, request an inbound NSG rule on port 80.
    [Image: 32355-aks.jpg]
    This rule is needed so that the scoring endpoint can be called from outside the VNet. The IP shown is not static but is the scoring endpoint IP.

    Currently all the resources need to be in the same VNet since the AML workspace doesn't support multiple private endpoints, but the AKS cluster can be in its own subnet within the VNet. We have forwarded this to the product team to check on.