Notebook is not available when choosing the "Allow Only Approved Outbound" option.

Lai Yin Bo (NCS) 0 Reputation points
2025-05-24T14:29:44.6666667+00:00

I created an Azure Machine Learning workspace, disabled public access, and set the outbound policy to "Allow Only Approved Outbound". Then I was unable to open notebooks in the ML workspace.

Even after I added an FQDN, it still failed.

Azure Machine Learning
An Azure machine learning service for building and deploying models.

2 answers

  1. Chakaravarthi Rangarajan Bhargavi 1,115 Reputation points MVP
    2025-05-26T03:59:56.9433333+00:00

    Hi Lai Yin Bo (NCS),

    Welcome to Microsoft Q&A and thank you for your question.

    You're encountering issues with Azure Machine Learning Notebooks becoming inaccessible when using the "Allow Only Approved Outbound" option. This behavior is expected based on how AzureML’s network isolation works.

    When you enable “Allow Only Approved Outbound”:

    • Azure restricts outbound internet access to only Microsoft-approved FQDNs.

    • AML notebook compute relies on access to multiple Azure services like identity, storage, blob access, and telemetry.

    • If any of these required domains are blocked or missing, the notebooks will fail to launch or function correctly. Adding just one or two FQDNs manually is not sufficient, because many services resolve to multiple dynamic subdomains and IPs.

    Please try the steps below to resolve the issue:

    1. Use “User-Defined Routes (UDR)” + Approved FQDN Tags

    Microsoft provides a list of required FQDNs that must be whitelisted when using "Approved Outbound" mode.

    Please ensure the following are allowed in your Firewall, NSG, or routing setup:

    Required FQDNs
    *.notebooks.azure.net
    *.pythonhosted.org
    *.pypi.org
    *.blob.core.windows.net
    *.azureml.ms
    *.microsoftonline.com
    *.login.microsoftonline.com
    *.aznbcontent.net
    *.experiments.azureml.net (region-specific)

    Reference: Approved FQDNs for Notebooks and Compute

    2. Enable Private Endpoints + Managed VNet Integration (Advanced Option)

    If you are working in a highly secured or isolated network environment:

    Configure Private Endpoints for:

    • AML Workspace
    • Azure Storage Account
    • Azure Container Registry
    • Key Vault

    Enable **Managed VNet integration** for your compute

    Add **AzureML service tags** in your NSG rules

    Guide: Use Managed VNET with secure outbound for Notebooks

    Can you please try the workaround below, which would resolve your issue:

    1. Change the Outbound Access Mode to "Allow All" temporarily.
    2. Verify notebook access.
    3. Once confirmed, revert to secure mode with proper FQDN whitelisting.

    If you’ve already added the required domains and it still fails:

    Please review the next set of actions below to help isolate the problem, and confirm the items below to check whether the issue still persists:

    1. Did you allow outbound traffic to *.notebooks.azure.net?
    2. Are DNS rules resolving all required endpoints correctly?
    3. Is your storage account accessible through Private Endpoint or Firewall?
    4. Have you tried switching to "Allow All" temporarily to verify notebooks work?

    If the issue persists and you need further help, please feel free to reach out to us by commenting on the answer below with the following for deeper troubleshooting:

    • Screenshot of your network settings

    • Full list of FQDNs added

    • Any custom NSG or UDR rules in place

    We can validate whether any critical domains or ports are still blocked.

    Let me know if you'd like assistance generating a sample Azure Firewall Policy, configuring Private DNS zones, or automating the setup using ARM or Bicep templates.

    Best regards,

    Chakravarthi Rangarajan Bhargavi


  2. Ivan Bok 0 Reputation points Microsoft Employee
    2025-06-12T08:12:23.89+00:00

    Are you accessing the notebook via a Jumphost in the same VNet as the private endpoint for the workspace? If yes, then make sure your private endpoint for the workspace and DNS settings in your VNet are correctly set up.

    If not, you will need to allow internet inbound and set an inbound IP rule to your client IP. I don't think outbound policies are the issue here as those are for compute services in the managed VNet initiating outbound requests. Here, you are attempting to access the workspace (inbound) as a client.

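A check for the DNS point both answers raise, added here as an example and not code from either answerer or from Microsoft: run from the jump host, it reports whether each workspace hostname resolves to a private address (the private endpoint) or to a public one. The hostnames, addresses and `sample_resolver` are constructed placeholders; substitute your workspace's real FQDNs and omit `sample_resolver` to query live DNS.

```python
import ipaddress
import socket


def resolve(hostname):
    """Return the sorted set of IPs the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify(hostname, resolver=resolve):
    """Return (verdict, addresses); verdict is private/public/mixed/unresolved."""
    try:
        addresses = resolver(hostname)
    except OSError:  # socket.gaierror (NXDOMAIN, timeout) is an OSError
        addresses = []
    if not addresses:
        return "unresolved", []
    # is_private is True for RFC 1918 space and other non-global ranges.
    private = [ipaddress.ip_address(a).is_private for a in addresses]
    verdict = "private" if all(private) else "mixed" if any(private) else "public"
    return verdict, addresses


def check_private_endpoint_dns(hostnames, resolver=resolve):
    """Map each hostname to its verdict; anything but 'private' means the
    private DNS zone or VNet DNS settings are not steering it to the endpoint."""
    return {h: classify(h, resolver) for h in hostnames}


# Constructed sample data: placeholder hostnames and answers, not real records.
SAMPLE_RECORDS = {
    "myworkspace.example-region.notebooks.azure.net": ["10.1.0.5"],
    "myworkspace.workspace.example-region.api.azureml.ms": ["20.50.1.10"],
}


def sample_resolver(hostname):
    """Offline stand-in for DNS that answers only from SAMPLE_RECORDS."""
    if hostname not in SAMPLE_RECORDS:
        raise socket.gaierror("constructed: no such host")
    return SAMPLE_RECORDS[hostname]


if __name__ == "__main__":
    hosts = list(SAMPLE_RECORDS) + ["missing.example-region.notebooks.azure.net"]
    for host, result in check_private_endpoint_dns(hosts, sample_resolver).items():
        print(host, *result)
```

A "public" or "mixed" verdict from inside the VNet points at the private DNS zone link or the VNet's DNS server settings rather than at outbound rules.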
