
You're reading from Machine Learning Security with Azure

Product type: Book
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781805120483
Edition: 1st Edition
Author
Georgia Kalyva

Georgia Kalyva is a technical trainer at Microsoft. She was recognized as a Microsoft AI MVP, is a Microsoft Certified Trainer, and is an international speaker with more than 10 years of experience in Microsoft Cloud, AI, and developer technologies. Her career covers several areas, ranging from designing and implementing solutions to business and digital transformation. She holds a bachelor's degree in informatics from the University of Piraeus, a master's degree in business administration from the University of Derby, and multiple Microsoft certifications. Georgia's honors include several awards from international technology and business competitions, and her journey to excellence stems from a growth mindset and a passion for technology.

Managing and Securing Your Azure Machine Learning Workspace

After data and access management comes infrastructure. Although Azure Machine Learning is a cloud service, we can still combine it with our existing Azure or on-premises network infrastructure to isolate our resources and shield them from public access.

In this chapter, we will learn how to implement security best practices for the workspace. We will focus mainly on practices and scenarios around virtual networking and endpoint security, as well as compute. Compute in Azure Machine Learning is used both for model training and for deployment, and each available option has its own security best practices. Compute includes compute instances, compute clusters, and containers. The workspace uses Azure Container Registry to store the images of models deployed as containers, so we will review security options for all of those services.

In this chapter, we’re going to cover the following main topics...

Technical requirements

This chapter deals heavily with networking and infrastructure in Azure. Although the tutorials can be followed without much difficulty, properly designing and maintaining a network architecture in Azure requires considerable networking knowledge.

If you have no experience with networking in Azure, I recommend taking a look at this overview of the service before moving on with the chapter:

Exploring network security

The Azure Machine Learning workspace is the main point of use. This is where you complete all your ML tasks, and by default, the workspace and all of its endpoints are exposed to the public internet. However, if we are already using Azure infrastructure services for other purposes, or simply want to restrict access to our resources, we can leverage virtual networks (VNets). Using VNets in Azure provides an extra layer of security and isolation for our Azure Machine Learning resources and finer control over inbound and outbound network communications. In this section, we will explore the options we have for integrating VNets with Azure Machine Learning.

Let us start with the workspace.

Creating a VNet

The first thing we will need is a VNet. If you already have one, you can use it. If not, you can follow the next steps to create one:

  1. Search for Virtual Networks in the Azure search bar and click to create a new one. The create form will pop up. Choose the...

Working with Azure Machine Learning compute

Azure Machine Learning provides a scalable cloud environment to build, train, and deploy ML models. It offers different computational targets for running experiments, training models, and serving predictions.

There are four targets overall, two of which are managed internally by the workspace: compute instances and compute clusters. A compute instance is a managed VM that you use for development, training, and inferencing needs. It's essentially a dedicated, personal workstation in the workspace, and it can be used to run Jupyter notebooks and scripts. A compute cluster is a managed, scalable set of virtual machines used for the large-scale training of ML models. Compute clusters automatically scale up or down (within the limits you set) based on the workload. So, for example, you can declare a minimum and a maximum number of nodes, and the cluster will scale between them on demand, which helps us optimize costs. There is also external...

Managing container registries and containers

Azure Machine Learning provides an integrated, end-to-end data science workflow, enabling data scientists and developers to prepare data, experiment with models, and then deploy them in a scalable environment. A pivotal part of this deployment process is containerization, which brings us to Azure Container Registry (ACR). ACR is a managed, private Docker container registry service based on the open-source Docker Registry 2.0. It allows users to build, store, and manage container images and artifacts in a secure and scalable manner within Azure. ACR integrates well with existing container development and deployment pipelines, and it is especially useful for storing and managing the custom Docker images that can be deployed to various Azure services.

When working with Azure Machine Learning, there’s an underlying process that packages models for deployment. This packaging involves creating a Docker image that contains...

Summary

In this chapter, we talked about multiple aspects of leveraging networking to protect our Azure Machine Learning workloads.

The main aim of this chapter was to learn basic networking practices to isolate the workspace and all of its associated services, specifically storage accounts, key vaults, and Azure Container Registry. Although public access means reachability from the public internet and not unauthorized access as such, credentials can be leaked, and a malicious actor holding them can then reach the resource from anywhere. By isolating our resources using VNets, we reduce the attack surface.
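To make the summary's point concrete, here is an added posture check (not from the book) that walks the workspace and its associated resources and flags any that are still reachable from the public internet. It evaluates JSON shaped like the `az resource show` output for each resource; the sample resources are constructed, and the assumption is that each type keeps its firewall default action under the ARM property names shown (`networkAcls` for storage and key vault, `networkRuleSet` for ACR).

```python
"""Flag Azure ML workspace dependencies that are still reachable from the public internet.

Added example, not from the book. Input mimics `az resource show` JSON; the sample
below is constructed, not captured from a real subscription.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the workspace plus the three services the chapter isolates.
RESOURCES = [
    {"name": "mlw-demo", "type": "Microsoft.MachineLearningServices/workspaces",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"name": "stmldemo", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Allow", "ipRules": []}}},
    {"name": "kv-ml-demo", "type": "Microsoft.KeyVault/vaults",
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Deny", "ipRules": []}}},
    {"name": "acrmldemo", "type": "Microsoft.ContainerRegistry/registries",
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkRuleSet": {"defaultAction": "Allow"}}},
]

# Where each type keeps its firewall default action (assumption: standard ARM schema).
# None means the type is judged on publicNetworkAccess alone.
ACL_PATH: Dict[str, Optional[Tuple[str, str]]] = {
    "Microsoft.MachineLearningServices/workspaces": None,
    "Microsoft.Storage/storageAccounts": ("networkAcls", "defaultAction"),
    "Microsoft.KeyVault/vaults": ("networkAcls", "defaultAction"),
    "Microsoft.ContainerRegistry/registries": ("networkRuleSet", "defaultAction"),
}


def is_publicly_reachable(resource: Dict) -> bool:
    """True when the resource still accepts connections from the public internet.

    Isolated means publicNetworkAccess is Disabled, or the firewall default action is
    Deny (only explicitly listed IPs / VNets get through). Missing fields are treated
    as the permissive default, so an unknown resource is reported, not silently passed.
    """
    props = resource.get("properties", {})
    if props.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        return False
    path = ACL_PATH.get(resource["type"])
    if path is None:
        return True
    acl = props.get(path[0], {})
    return acl.get(path[1], "Allow").lower() != "deny"


def find_exposed(resources: List[Dict]) -> List[str]:
    """Names of resources that still need a VNet rule or private endpoint."""
    return [r["name"] for r in resources if is_publicly_reachable(r)]


if __name__ == "__main__":
    for name in find_exposed(RESOURCES):
        print(f"EXPOSED: {name}")
```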

By combining networking with identity best practices, such as configuring managed identities where possible and applying proper RBAC to our users and services, we move one step closer to maintaining a baseline security posture across our cloud services and infrastructure.

In the next chapter, we will see how to automate best practices with continuous integration and continuous delivery (CI/CD) for our ML tasks.
