Error: Scoring FE IP address not updated yet, when enabling the use of internal load balancer

Allen Azemia 11 Reputation points
2020-10-13T07:20:04+00:00

Hello, currently, I'm having issues to enable private load balancer after attaching an existing AKS Cluster to AML Workspace. The error message "Scoring FE IP address not updated yet" is displayed when trying to enable private load balancer by following the instructions at https://learn.microsoft.com/en-us/azure/machine-learning/how-to-secure-inferencing-vnet?tabs=azure-cli#internal-aks-load-balancer. The AKS Cluster is in a separate VNet than the AML Workspace. The two VNet have peered. Also, I've tried using Azure CLI but receiving the same error message. Can you provide some help on resolving this?

Azure Machine Learning
Azure Machine Learning
An Azure machine learning service for building and deploying models.
2,418 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Allen Azemia 11 Reputation points
    2020-10-21T05:12:01.293+00:00

    @Ramr-msft We've resolved the issue. The AKS MSI did not have NetworkContributer Reader role assigned on the VNet which we thought that had already been applied. The AML workspace doesn't need to be private. It works for both AKS NetworkType (i.e. kubenet and Azure CNI).

    2 people found this answer helpful.

  2. Ramr-msft 17,441 Reputation points
    2020-10-14T13:38:20.347+00:00

    @Allen Azemia Thanks for the question. Details of creating a private IP link is here.
    https://learn.microsoft.com/en-us/azure/machine-learning/how-to-network-security-overview#use-private-ips-with-azure-kubernetes-service
    for secure AKS inference deployment, request an inbound NSG rule on port 80.
    32355-aks.jpg
    This rule is needed so that scoring endpoint can be called from outside the VNet. IP shown is not static but is the scoring endpoint IP.

    Currently all the resources needs to be in the same VNet since AML workspace doesn’t support multiple private endpoints but AKS cluster can be in its own subnet with the VNet. We have forwarded to the product team to check on this.