Deploying an ML Model to ACI with a secured workspace in a VNet

Byron Verzmoter 1 Reputation point
2022-04-04T09:45:04.527+00:00

I am trying to deploy an ML model to an ACI in a VNet. I have followed the guide to setup a secure workspace, and also noted that if deploying to ACI, the container registry must not be in the same vnet.
I have deployed the container registry:

  • outside of the vnet in the same resource group
  • Allowed admin user in the CR
  • Disabled public access
  • Allowed trusted microsoft services
  • Created a private endpoint for private access for the worskpace to access (needed this for image builds on my training runs)
  • Allowed subnet delegation on the Scoring subnet for the containerGroups service as shown here

Now when I am trying to deploy the model to a container instance, I get this failure 

   Error:  
   {  
     "code": "InaccessibleImage",  
     "statusCode": 400,  
     "message": "ACI Service request failed. Reason: The image '<containerRegName>.azurecr.io/azureml/azureml_<imageHash>' in container group '<serviceName>-qcloi6KnEkOQ6CTdniybhQ' is not accessible. Please check the image and registry credential.. Refer to https://learn.microsoft.com/azure/container-registry/container-registry-authentication#admin-account and make sure Admin user is enabled for your container registry."  
   }

After speaking to the docs team where the guides address this deployment strategy (here), the only response is to use AKS. AKS won't be feasible right now for this project and the documentation seems to suggest that this is possible.

Azure Container Instances
Azure Container Instances
An Azure service that provides customers with a serverless container experience.
635 questions
Azure Machine Learning
Azure Machine Learning
An Azure machine learning service for building and deploying models.
2,563 questions