Azure Machine Learning
An Azure machine learning service for building and deploying models.
Can't create Compute Instance in Azure Machine Learning Workspace when Storage Account has no public IP address
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 93%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Thomas SELECK
0
Reputation points
Hi everyone,
I'm trying to create an Azure Machine Learning workspace to be able to develop, train and put in production custom made Python AI models using Scikit-Learn. I want the setup to be created from Terraform and I want to ensure no public IP addresses are available on the system to avoid sensitive data leakage.
The issue I have is the following : when the Storage Account used for the Azure Machine Learning Workspace has the following attributes set to false to disable all public IP addresses, I can create a compute instance.
public_network_access_enabled = false
allow_nested_items_to_be_public = false
It fails with following error message:
When I set those two attributes of the storage account to true, everything runs fine.
Here is a part of the Terraform configuration file used here:
resource "azurerm_storage_account" "amlstorage" {
name = var.aml_storage_account_name
resource_group_name = local.ai_resource_group_name
location = local.location
account_tier = "Standard"
account_replication_type = "LRS"
public_network_access_enabled = false # Issue here!
allow_nested_items_to_be_public = false # Issue here!
infrastructure_encryption_enabled = true
https_traffic_only_enabled = true
network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
virtual_network_subnet_ids = [local.default_subnet_id]
}
}
# Create a dedicated container for AML model artifacts
resource "azurerm_storage_container" "aml_model_artifacts_container" {
name = "azureml-model-artifacts"
storage_account_id = azurerm_storage_account.amlstorage.id
container_access_type = "private"
}
# Private Endpoint for AML Storage Account
resource "azurerm_private_endpoint" "aml_storage_blob_pe" {
name = "${local.prefix}amlstorage-blob-pe"
location = local.location
resource_group_name = local.ai_resource_group_name
subnet_id = local.default_subnet_id
private_service_connection {
name = "${local.prefix}amlstorage-blob-psc"
private_connection_resource_id = azurerm_storage_account.amlstorage.id
subresource_names = ["blob"]
is_manual_connection = false
}
private_dns_zone_group {
name = "${local.prefix}amlstorage-blob-dns-group"
private_dns_zone_ids = [local.private_dns_zone_blob_id]
}
}
# Private Endpoint for AML Storage Account FILE service
resource "azurerm_private_endpoint" "aml_storage_file_pe" {
name = "${local.prefix}amlstorage-file-pe"
location = local.location
resource_group_name = local.ai_resource_group_name
subnet_id = local.default_subnet_id
private_service_connection {
name = "${local.prefix}amlstorage-file-psc"
private_connection_resource_id = azurerm_storage_account.amlstorage.id
subresource_names = ["file"]
is_manual_connection = false
}
private_dns_zone_group {
name = "${local.prefix}amlstorage-file-dns-group"
private_dns_zone_ids = [local.private_dns_zone_file_id]
}
}
resource "azurerm_container_registry" "main" {
name = "prdamlcontainerregistry"
resource_group_name = local.ai_resource_group_name
location = local.location
sku = "Basic"
admin_enabled = false
}
resource "azurerm_machine_learning_workspace" "amlws" {
name = "${local.prefix}amlworkspace"
location = local.location
resource_group_name = local.ai_resource_group_name
sku_name = "Basic"
storage_account_id = azurerm_storage_account.amlstorage.id
key_vault_id = local.key_vault_id
application_insights_id = azurerm_application_insights.aml_ai.id
container_registry_id = azurerm_container_registry.main.id
identity {
type = "SystemAssigned"
}
public_network_access_enabled = true
}
resource "azurerm_role_assignment" "aml_workspace_storage_blob_data_contributor" {
scope = azurerm_storage_account.amlstorage.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_machine_learning_workspace.amlws.identity[0].principal_id
}
resource "azurerm_role_assignment" "acr_pull_for_aml_workspace" {
scope = azurerm_container_registry.main.id
role_definition_name = "AcrPull"
principal_id = azurerm_machine_learning_workspace.amlws.identity[0].principal_id
}
# Compute instance for training models
resource "azurerm_machine_learning_compute_instance" "aml_compute_instance" {
name = "${local.prefix}training-inst"
machine_learning_workspace_id = azurerm_machine_learning_workspace.amlws.id
virtual_machine_size = "Standard_DS3_v2"
subnet_resource_id = local.default_subnet_id
node_public_ip_enabled = false
identity {
type = "SystemAssigned"
}
depends_on = [
# Depends on the PE for the workspace and BOTH PEs for storage
azurerm_private_endpoint.aml_workspace_pe,
azurerm_private_endpoint.aml_storage_blob_pe,
azurerm_private_endpoint.aml_storage_file_pe,
# Depends on the role assignment being active
azurerm_role_assignment.aml_workspace_storage_blob_data_contributor
]
}
# Private Endpoint for Azure Machine Learning Workspace Control Plane (API & Notebooks)
resource "azurerm_private_endpoint" "aml_workspace_pe" {
name = "${local.prefix}aml-ws-pe"
location = local.location
resource_group_name = local.ai_resource_group_name # Private Endpoint should be in the RG of the service or a dedicated PE RG
subnet_id = local.default_subnet_id # Connect to your main default subnet
private_service_connection {
name = "${local.prefix}aml-ws-psc"
private_connection_resource_id = azurerm_machine_learning_workspace.amlws.id
subresource_names = ["amlworkspace"] # Standard subresource for the workspace control plane
is_manual_connection = false
}
private_dns_zone_group {
name = "${local.prefix}aml-ws-dns-group"
# Link to both the API and Notebooks private DNS zones for the workspace
private_dns_zone_ids = [
local.aml_workspace_api_dns_zone_id,
local.aml_workspace_notebooks_dns_zone_id
]
}
# Ensure the AML workspace is created before attempting to create its private endpoint
depends_on = [
azurerm_machine_learning_workspace.amlws,
local.aml_workspace_api_vnet_link_id,
local.aml_workspace_notebooks_vnet_link_id
]
}
Can you help me to fix that issue?
Azure Machine Learning
{count} votes
-
Amira Bedhiafi 41,121 Reputation points Volunteer Moderator2025-06-30T13:04:47.6266667+00:00 Hello Thomas !
Thank you for posting on Microsoft Learn.
Your Compute Instance cannot access the workspace storage account when public_network_access_enabled = false on the Storage Account. The error happens because the AML compute instance uses the workspace storage account blob and file services for setup and without a public endpoint, it must resolve those services over the Private Endpoint and Private DNS.
Even though you've defined private endpoints for blob and file and attached Private DNS Zone Groups, the Compute Instance's subnet must be able to resolve the storage account name via private DNS and route traffic via the Private Endpoint.
If that DNS resolution or routing fails, the storage access fails and hence the Compute Instance setup fails.
You must link these private DNS zones to the VNet hosting your compute subnet:
SubresourcePrivate DNS Zoneblobprivatelink.blob.core.windows.netblobprivatelink.blob.core.windows.netfileprivatelink.file.core.windows.net Terraform examples (I am assuming zones already exist):
resource "azurerm_private_dns_zone_virtual_network_link" "blob_dns_vnet_link" { name = "blob-dns-link" resource_group_name = local.dns_resource_group private_dns_zone_name = "privatelink.blob.core.windows.net" virtual_network_id = local.vnet_id registration_enabled = false } resource "azurerm_private_dns_zone_virtual_network_link" "file_dns_vnet_link" { name = "file-dns-link" resource_group_name = local.dns_resource_group private_dns_zone_name = "privatelink.file.core.windows.net" virtual_network_id = local.vnet_id registration_enabled = false }Sometimes, DNS propagation delays or missing links cause issues. You can validate this from a VM in the same subnet (or with Azure Network Watcher DNS tools).
You can check resolution of:
<yourstorageaccount>.blob.core.windows.net <yourstorageaccount>.file.core.windows.netIt should resolve to a private IP (typically 10.x.x.x), not a public IP.
-
Prashanth Veeragoni 5,770 Reputation points Microsoft External Staff Moderator2025-07-01T04:58:18.21+00:00 Hello Thomas SELECK,
Yes, you're encountering a common issue when trying to create an Azure Machine Learning Compute Instance in a private network configuration — specifically, when the Storage Account has public access disabled and private endpoints are used.
Root Cause (from your error and Terraform setup):
The error:
"Workspace storage account could not be reached. Details: UnreachableStorageError"happens because the compute instance cannot access the storage account during provisioning — even though you have private endpoints, the issue is typically due to DNS or routing misconfiguration, or missing VNet integration or correct subnets.
Key Problem Areas in Your Setup:
1.Storage Account:
- public_network_access_enabled = false
- allow_nested_items_to_be_public = false This is correct for private networking — but you must ensure full private connectivity.
2.Private Endpoints:
- You added Private Endpoints for blob and file storage, which is good.
- But make sure your compute subnet has correct DNS resolution and NSG rules allow outbound traffic to the storage account over private IP.
3.Private DNS Zones:
- Did you link the private DNS zones (privatelink.blob.core.windows.net, privatelink.file.core.windows.net) to the VNet?
- If not, the compute instance won’t resolve the storage account endpoint correctly.
Required Fixes:
1.Ensure DNS Resolution Works:
You must link your private DNS zones (via azurerm_private_dns_zone_virtual_network_link) to your VNet.
Add these:
resource "azurerm_private_dns_zone_virtual_network_link" "blob_dns_link" { name = "link-to-blob-dns" resource_group_name = local.ai_resource_group_name private_dns_zone_name = "privatelink.blob.core.windows.net" virtual_network_id = local.vnet_id registration_enabled = false } resource "azurerm_private_dns_zone_virtual_network_link" "file_dns_link" { name = "link-to-file-dns" resource_group_name = local.ai_resource_group_name private_dns_zone_name = "privatelink.file.core.windows.net" virtual_network_id = local.vnet_id registration_enabled = false }this is as mentioned in the above comment
2.Validate NSG Rules (Important)
Make sure your subnet NSG allows:
3.AML Workspace Setup:
You correctly use public_network_access_enabled = true for the workspace — this is fine for control-plane operations unless you're trying to lock it down further.
But you must ensure:
· Compute instance subnet is same as the workspace subnet
· Or all required traffic is allowed between them.
Please refer below documents for better understanding:
Secure an Azure Machine Learning workspace with virtual networks
Connect to a storage account using an Azure Private Endpoint
Troubleshoot Azure Private Endpoint connectivity problems
Hope this helps, do let me know if you have any further queries.
Thank you!
-
Prashanth Veeragoni 5,770 Reputation points Microsoft External Staff Moderator
2025-07-03T06:58:47.16+00:00 Hi Thomas SELECK,
Checking back to see if the above suggestion helped in resolving your issue, please do let me know if you have any further queries.
Thank you!
-
Prashanth Veeragoni 5,770 Reputation points Microsoft External Staff Moderator
2025-07-04T08:13:01.34+00:00 Hello Thomas SELECK,
We didn't hear from you on the last response, can you please confirm if the given answer helped in resolving your issue or let me know if you any further queries.
Thank you!
Sign in to comment
Sign in to answer