
Cannot deploy managed endpoint - MirSystemSetupTask failing

aot 111 Reputation points
2025-10-30T07:29:51.2166667+00:00

I am facing issues deploying my managed online endpoints for inference in Azure ML Studio.

I have a setup where I created a VNet in my resource group, put storage account and keyvault inside that VNet, and created private endpoints for the Azure ML workspace, and my container registry.

Access has further been restricted to a specific range of IP addresses.

My compute clusters are created inside the same VNet, with a system assigned managed identity. This identity has AcrPull and storage blob data contributor privileges.

In addition, the identity associated with the ML Workspace also has Azure AI Administrator privileges on top of the two roles mentioned above.

When I try to deploy my inference endpoints (from my model pipeline), the endpoint itself is created just fine, but after about 1.5h the deployment fails with the message:

Check envoy cert setting failed in MirSystemSetupTask. Please check the existence/validation of envoy cert.

There is very limited information to be gained from this message, and it is the only return I get. Please advise how to resolve this.

Azure Machine Learning

1 answer

  1. Amira Bedhiafi 42,941 Reputation points MVP Volunteer Moderator
    2025-11-02T14:04:42.87+00:00

    Hello!

    Thank you for posting on Microsoft Learn Q&A.

    In the managed network settings for the AML workspace, verify that all required outbound rules are active. If some have failed, expand them to see the FQDN and add or approve as needed; you can also query via REST to list rule status.

    https://learn.microsoft.com/en-us/rest/api/azureml/managed-network-settings/list?view=rest-azureml-2025-07-01-preview

    In your firewall/proxy, you need to allow:

    • *.api.azureml.ms, *.notebooks.azure.net
    • Microsoft Entra ID endpoints (login.microsoftonline.com / login.microsoft.com / graph.microsoft.com) per your tenant
    • ACR FQDN (private: *.azurecr.io via privatelink.azurecr.io)
    • storage FQDNs (*.blob.core.windows.net, .dfs.core.windows.net via privatelink.)
    • key vault FQDN (*.vault.azure.net via privatelink.vaultcore.azure.net)

    Managed online endpoints don’t use your compute clusters, as they spin up their own compute, so make sure that the workspace managed identity (not just your cluster SA-MI) has:

    • AcrPull on the linked ACR scope
    • storage blob data reader on the artifact container
    • access to key vault secrets used by the deployment

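The two checks the answer describes, listing the workspace's managed-network outbound rules and confirming the workspace identity's role assignments, can be scripted once the listings are saved as JSON. The script below is an added example, not code from the thread or from Microsoft. It assumes the record shape of the managed-network-settings REST list response / `az ml workspace outbound-rule list` (items with `name`, `type`, `status`, `destination`) and of `az role assignment list` (items with `roleDefinitionName`); every rule, resource id and assignment in it is constructed sample data, not captured from a real workspace.

```python
"""Cross-check Azure ML managed-network outbound rules and the workspace
identity's role assignments against the requirements listed in the answer.

Added example (not from the thread). The JSON shapes below are assumptions
about the REST list / `az ml workspace outbound-rule list` and
`az role assignment list` output; all sample data is constructed.
"""
from fnmatch import fnmatch

# FQDNs the answer says must be reachable, with the wildcards it uses.
REQUIRED_FQDNS = [
    "*.api.azureml.ms",
    "*.notebooks.azure.net",
    "login.microsoftonline.com",
    "*.azurecr.io",
    "*.blob.core.windows.net",
    "*.vault.azure.net",
]

# In a managed VNet, ACR, storage and key vault are usually reached through
# PrivateEndpoint rules rather than FQDN rules; map each to its subresource.
PE_SUBRESOURCE_FOR = {
    "*.azurecr.io": "registry",
    "*.blob.core.windows.net": "blob",
    "*.vault.azure.net": "vault",
}

# Role the answer asks for -> role names that satisfy it (a Contributor or
# Owner data-plane role includes blob read).
REQUIRED_ROLES = {
    "AcrPull": {"AcrPull"},
    "Storage Blob Data Reader": {
        "Storage Blob Data Reader",
        "Storage Blob Data Contributor",
        "Storage Blob Data Owner",
    },
}


def inactive_rules(rules):
    """Names of outbound rules whose status is anything but 'Active'."""
    return sorted(r["name"] for r in rules if r.get("status") != "Active")


def fqdn_covered(required, rule_destination):
    """True if an FQDN rule destination covers a required pattern.

    A required wildcard is probed with a concrete host ('x.azurecr.io'), so a
    wildcard rule such as '*.azurecr.io' matches; note fnmatch's '*' also
    spans dots, so '*.azureml.ms' would cover '*.api.azureml.ms'.
    """
    probe = required.replace("*", "x")
    return required == rule_destination or fnmatch(probe, rule_destination)


def uncovered_fqdns(rules, required=REQUIRED_FQDNS):
    """Required FQDNs with no *Active* FQDN or PrivateEndpoint rule."""
    active = [r for r in rules if r.get("status") == "Active"]
    fqdn_dests = [r["destination"] for r in active if r.get("type") == "FQDN"]
    pe_targets = {r["destination"].get("subresource_target")
                  for r in active if r.get("type") == "PrivateEndpoint"}
    missing = []
    for req in required:
        by_fqdn = any(fqdn_covered(req, d) for d in fqdn_dests)
        by_pe = PE_SUBRESOURCE_FOR.get(req) in pe_targets
        if not (by_fqdn or by_pe):
            missing.append(req)
    return missing


def missing_roles(assignments, required=REQUIRED_ROLES):
    """Required roles the identity does not hold under any accepted name."""
    held = {a["roleDefinitionName"] for a in assignments}
    return sorted(role for role, ok in required.items() if not held & ok)


# Constructed sample listing: one inactive rule, no key vault rule at all.
SAMPLE_RULES = [
    {"name": "aml-api", "type": "FQDN", "status": "Active",
     "destination": "*.api.azureml.ms"},
    {"name": "notebooks", "type": "FQDN", "status": "Inactive",
     "destination": "*.notebooks.azure.net"},
    {"name": "entra", "type": "FQDN", "status": "Active",
     "destination": "login.microsoftonline.com"},
    {"name": "acr-pe", "type": "PrivateEndpoint", "status": "Active",
     "destination": {"service_resource_id": "<constructed-acr-id>",
                     "subresource_target": "registry"}},
    {"name": "blob-pe", "type": "PrivateEndpoint", "status": "Active",
     "destination": {"service_resource_id": "<constructed-storage-id>",
                     "subresource_target": "blob"}},
]

# Constructed sample: workspace identity has blob access but no AcrPull.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Storage Blob Data Contributor", "scope": "<constructed-scope>"},
]

if __name__ == "__main__":
    print("inactive rules:", inactive_rules(SAMPLE_RULES))
    print("uncovered FQDNs:", uncovered_fqdns(SAMPLE_RULES))
    print("missing roles:", missing_roles(SAMPLE_ASSIGNMENTS))
```

Feed it real listings by loading the JSON output of the two CLI commands into `rules` and `assignments` in place of the samples; anything reported as inactive, uncovered or missing is a concrete item to approve, add or assign before retrying the deployment.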

