Unable to create comma separated list of FQDNs outbound rules for outbound managed Azure ML workspace

Van 20 Reputation points
2024-10-17T17:49:47.7066667+00:00

I have a managed Azure ML workspace with the "Allow Only Approved Outbound" setting. In the past I was able to create a comma separated list of FQDNs for a user defined outbound rule. This is not working anymore and is breaking our terraform. I have also tested this in the portal where it doesn't work either. Has something changed or why is this not allowed anymore?


Accepted answer
Amira Bedhiafi 33,476 Reputation points Volunteer Moderator
2024-10-17T20:54:34.4733333+00:00

I think that the ability to use comma-separated lists of FQDNs in outbound rules for managed AML workspaces with the "Allow Only Approved Outbound" setting may no longer be supported as it once was. Previously, you could define FQDNs for outbound traffic, but recent changes in Azure ML's network isolation and outbound rule handling may have caused this functionality to break.

Azure has increasingly emphasized the use of private endpoints and service tags to manage outbound traffic for security reasons, especially in scenarios where data exfiltration concerns are present. For example, FQDN-based outbound rules do not fully propagate in certain scenarios like Spark jobs, and Azure Firewalls now handle much of this traffic filtering instead of NSGs, which may be causing the issues you are encountering.

For outbound traffic, you might need to explore Azure Firewall or private endpoints if you haven't already, as they are currently the preferred solutions for controlling traffic with greater granularity in managed environments.

https://learn.microsoft.com/en-us/cli/azure/ml/workspace/outbound-rule?view=azure-cli-latest

https://learn.microsoft.com/en-us/azure/firewall/fqdn-filtering-network-rules

You may also want to double-check any recent Azure updates or restrictions regarding FQDN rules in managed virtual networks to confirm if they are causing the issue.

If you're using Terraform and this change is breaking your deployment, adjusting the configuration to align with Azure's current network security best practices (for example, switching to Azure Firewall rules or private endpoints) might be necessary.

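The practical workaround that follows from the question and the answer above is to stop putting several FQDNs into one rule and instead create one user-defined outbound rule per FQDN. The script below is an added example, not code from the original post, from the answerer, or from Microsoft. It expands a comma-separated list into one `az ml workspace outbound-rule set --type fqdn` call per entry, using only the `--workspace-name`, `--resource-group`, `--rule`, `--type` and `--destination` options documented in the CLI reference linked in the answer. It assumes that a rule with a single `--destination` is still accepted (the question only says the comma-separated form broke), and the workspace and resource group names are placeholder values. By default it prints the commands it would run so the generated rule set can be reviewed before anything touches the workspace; set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example (not from the original Q&A): expand a comma-separated FQDN list
# into one "az ml workspace outbound-rule set --type fqdn" call per FQDN.
# Assumed placeholder values: workspace name, resource group, rule-name prefix.

WORKSPACE="${WORKSPACE:-my-aml-workspace}"   # assumed workspace name
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"    # assumed resource group
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands only (default)

# Turn "a.example, b.example" into one FQDN per line: trim whitespace around
# each entry and drop empty entries (e.g. from a trailing comma).
split_fqdns() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Derive a rule name from an FQDN: lowercase, "*" becomes "wildcard",
# anything outside [a-z0-9-] becomes "-" so the name is safe to pass as an argument.
rule_name_for() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\*/wildcard/g; s/[^a-z0-9-]/-/g'
}

# Accept only hostname-shaped entries (labels of letters, digits and dashes,
# at least one dot, optional leading "*." wildcard). Anything else is refused
# rather than handed to the CLI, so a typo never becomes a rule.
is_valid_fqdn() {
    printf '%s' "$1" | grep -Eq '^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# Emit (DRY_RUN=1) or run (DRY_RUN=0) one outbound-rule command per FQDN.
# Returns non-zero if any entry was rejected, so a CI job can fail on bad input.
create_fqdn_rules() {
    list="$1"
    status=0
    set -f   # disable pathname expansion so "*.example.org" stays literal
    for fqdn in $(split_fqdns "$list"); do
        if ! is_valid_fqdn "$fqdn"; then
            echo "skipping invalid FQDN entry: $fqdn" >&2
            status=1
            continue
        fi
        name="allow-$(rule_name_for "$fqdn")"
        cmd="az ml workspace outbound-rule set --workspace-name $WORKSPACE --resource-group $RESOURCE_GROUP --rule $name --type fqdn --destination $fqdn"
        if [ "$DRY_RUN" = "1" ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
    set +f
    return $status
}

# Example run with a constructed list (dry run prints two commands):
#   create_fqdn_rules "pypi.org, *.anaconda.org,"
```

Because each FQDN becomes its own named rule (`allow-pypi-org`, `allow-wildcard-anaconda-org`, ...), the same list can be fed back in later to update rules idempotently, and `az ml workspace outbound-rule list` shows exactly which destinations the workspace is allowed to reach.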
