Network Isolation Change with Our New API Platform on Azure Resource Manager

In this article, you'll learn about the new v2 API platform on Azure Resource Manager (ARM) and its effect on the network isolation of an Azure Machine Learning workspace.

Prerequisites

What is the new API platform on Azure Resource Manager (ARM)

The v1 and v2 APIs use two types of operations: operations that go through Azure Resource Manager (ARM) and operations that go through the Azure Machine Learning workspace.

With the v1 API, most operations used the workspace. For v2, we've moved most operations to use public ARM.

  • v1
      Public ARM: Workspace and compute create, update, and delete (CRUD) operations.
      Inside workspace virtual network: Other operations such as experiments.
  • v2
      Public ARM: Most operations such as workspace, compute, datastore, dataset, job, environment, code, component, endpoints.
      Inside workspace virtual network: Remaining operations.

The v2 API provides a consistent API in one place. You can more easily use Azure role-based access control and Azure Policy for resources with the v2 API because it's based on Azure Resource Manager.

The Azure Machine Learning CLI v2 uses our new v2 API platform. New features such as managed online endpoints are only available using the v2 API platform.

What are the network isolation changes with V2

As mentioned in the previous section, there are two types of operations: with ARM and with the workspace. With the legacy v1 API, most operations used the workspace, so adding a private endpoint to the workspace provided network isolation for everything except CRUD operations on the workspace or compute resources.

With the new v2 API, most operations use ARM, so enabling a private endpoint on your workspace doesn't provide the same level of network isolation. Operations that use ARM communicate over public networks, and that traffic includes any metadata (such as your resource IDs) and parameters used by the operation. For example, the create or update job API sends metadata and parameters over ARM.

Important

For most people, using the public ARM communications is OK:

  • Public ARM communication is the standard for management operations with Azure services. For example, creating an Azure Storage Account or Azure Virtual Network uses ARM.
  • The Azure Machine Learning operations do not expose data in your storage account (or other storage in the VNet) on public networks. For example, a training job that runs on a compute cluster in the VNet, and uses data from a storage account in the VNet, would securely access the data directly using the VNet.
  • All communication with public ARM is encrypted using TLS 1.2.

If you need time to evaluate the new v2 API before adopting it in your enterprise solutions, or have a company policy that prohibits sending communication over public networks, you can enable the v1_legacy_mode parameter. When enabled, this parameter disables the v2 API for your workspace.

Warning

Enabling v1_legacy_mode may prevent you from using features provided by the v2 API. For example, some features of Azure Machine Learning studio may be unavailable.

Scenarios and Required Actions

Warning

The v1_legacy_mode parameter is available now, but the v2 API blocking functionality will be enforced starting the week of May 15th, 2022.

  • If you don't plan on using a private endpoint with your workspace, you don't need to enable the parameter.

  • If you're OK with operations communicating with public ARM, you don't need to enable the parameter.

  • You only need to enable the parameter if you're using a private endpoint with the workspace and don't want to allow operations with ARM over public networks.

Once we implement the parameter, it will be retroactively applied to existing workspaces using the following logic:

  • If you have an existing workspace with a private endpoint, the flag will be true.

  • If you have an existing workspace without a private endpoint (public workspace), the flag will be false.

After the parameter has been implemented, the default value of the flag depends on the underlying REST API version used when you create a workspace (with a private endpoint):

  • If the API version is older than 2022-05-01, then the flag is true by default.
  • If the API version is 2022-05-01 or newer, then the flag is false by default.

Important

If you want to use the v2 API with your workspace, you must set the v1_legacy_mode parameter to false.

How to update v1_legacy_mode parameter

Warning

The v1_legacy_mode parameter is available now, but the v2 API blocking functionality will be enforced starting the week of May 15th, 2022.

To update v1_legacy_mode, use the following steps:

To disable v1_legacy_mode, use Workspace.update and set v1_legacy_mode=false.

# Azure Machine Learning SDK v1 (azureml-core)
from azureml.core import Workspace

# Load the workspace from the local config.json (written by Workspace.write_config)
ws = Workspace.from_config()
# Turn off legacy mode so the workspace accepts v2 API operations
ws.update(v1_legacy_mode=False)

Important

Note that it takes about 30 minutes to an hour or more for a change of the v1_legacy_mode parameter from true to false to be reflected in the workspace. Therefore, if you set the parameter to false but a subsequent operation fails with an error saying the parameter is true, retry after a few more minutes.
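The following is an added example, not code from the Azure Machine Learning documentation or SDK. It encodes the default-value rules from the "Scenarios and Required Actions" section as a small audit helper, and wraps the Workspace.update call shown above in a poll loop that tolerates the propagation delay described in the note. The azureml-core import is kept inside set_legacy_mode() so the pure helpers run without the SDK; the "v1LegacyMode" key read from Workspace.get_details() is an assumption about the returned dict, not a documented name.

```python
"""Audit and update the v1_legacy_mode flag of an Azure Machine Learning
workspace (added example; the helpers model the rules stated on the page)."""
import time
from typing import Callable, Optional


def expected_default_v1_legacy_mode(api_version: str, has_private_endpoint: bool) -> bool:
    """Default value of v1_legacy_mode for a newly created workspace.

    Per the page: only a workspace with a private endpoint gets the flag, and
    only when the ARM API version used to create it is older than 2022-05-01.
    ARM API versions are ISO dates, so plain string comparison orders them.
    """
    if not has_private_endpoint:
        return False
    return api_version < "2022-05-01"


def needs_v1_legacy_mode(has_private_endpoint: bool, allow_public_arm: bool) -> bool:
    """The only scenario in which the page says you must enable the flag:
    a private-endpoint workspace whose policy forbids operations over public ARM."""
    return has_private_endpoint and not allow_public_arm


def wait_for_value(read: Callable[[], Optional[bool]], expected: bool,
                   timeout_s: float, interval_s: float,
                   sleep: Callable[[float], None] = time.sleep,
                   clock: Callable[[], float] = time.monotonic) -> bool:
    """Poll read() until it returns `expected` or timeout_s elapses.

    read() may raise or return None while the change is still propagating;
    those attempts are treated as "not yet". Returns True once the expected
    value is observed, False on timeout. sleep/clock are injectable for tests.
    """
    deadline = clock() + timeout_s
    while True:
        try:
            if read() == expected:
                return True
        except Exception:
            # Transient failure while the backend propagates the change.
            pass
        if clock() >= deadline:
            return False
        sleep(interval_s)


def set_legacy_mode(enable: bool, timeout_s: float = 3600.0, interval_s: float = 300.0) -> bool:
    """Set v1_legacy_mode with SDK v1 and wait until the workspace reports it.

    Requires azureml-core; imported here so the rest of this file runs without it.
    """
    from azureml.core import Workspace  # SDK v1, as on the page

    ws = Workspace.from_config()
    ws.update(v1_legacy_mode=enable)

    def read() -> Optional[bool]:
        # Assumption: the details dict exposes the flag under "v1LegacyMode".
        return Workspace.from_config().get_details().get("v1LegacyMode")

    return wait_for_value(read, enable, timeout_s, interval_s)


if __name__ == "__main__":
    # Constructed inventory of workspaces (not real resources) for a pre-migration audit.
    inventory = [
        {"name": "ws-pe-old", "api_version": "2021-07-01", "private_endpoint": True},
        {"name": "ws-pe-new", "api_version": "2022-05-01", "private_endpoint": True},
        {"name": "ws-public", "api_version": "2021-07-01", "private_endpoint": False},
    ]
    for w in inventory:
        default = expected_default_v1_legacy_mode(w["api_version"], w["private_endpoint"])
        print(f'{w["name"]}: default v1_legacy_mode={default}; '
              f'v2 API {"blocked" if default else "allowed"} unless you change it')
```

Run the audit against your own workspace list to see which ones will have the v2 API blocked by default; call set_legacy_mode(False) for those you want on the v2 API, and treat a False return as "still propagating" rather than as a failed update.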

Next steps