Update AML to enable private IP compute #3052

Merged
merged 29 commits into from
Jan 25, 2023
Changes from 28 commits
cdaa91f
Cannot create private AML compute
marrobi Jan 3, 2023
982a43c
Update lock
marrobi Jan 4, 2023
d57cfc6
Add missing updates from merge
marrobi Jan 4, 2023
c8a30de
Merge branch 'main' into marrobi/issue2780
marrobi Jan 4, 2023
cefb588
Public IP workspace works.
marrobi Jan 4, 2023
f07f274
Always deploy 445 rule
marrobi Jan 5, 2023
8df315c
Merge branch 'main' of github.com:microsoft/AzureTRE into marrobi/iss…
marrobi Jan 5, 2023
11b1602
Fix various networking and firewall issues.
marrobi Jan 5, 2023
1e21774
Update ordering
marrobi Jan 6, 2023
847231f
Add 5831 rule
marrobi Jan 16, 2023
ec640de
Merge branch 'main' of github.com:microsoft/AzureTRE into marrobi/iss…
marrobi Jan 17, 2023
1e786d9
Additional ports.
marrobi Jan 17, 2023
1f182e5
Fix dependency issue
marrobi Jan 17, 2023
b120947
Merge branch 'marrobi/issue2780' of github.com:marrobi/AzureTRE; bran…
marrobi Jan 18, 2023
40297dc
Merge branch 'main' of github.com:microsoft/AzureTRE into marrobi/iss…
marrobi Jan 23, 2023
f90dda7
Update overview and PR comments
marrobi Jan 24, 2023
20f7f2a
Merge branch 'main' of github.com:microsoft/AzureTRE into marrobi/iss…
marrobi Jan 24, 2023
a55b479
remove data
marrobi Jan 24, 2023
633475a
remove load env
marrobi Jan 24, 2023
a5e9b80
fix linting
marrobi Jan 24, 2023
faac467
fix linting
marrobi Jan 24, 2023
f51f1c5
Merge branch 'main' into marrobi/issue2780
marrobi Jan 24, 2023
aeee777
update changelog
marrobi Jan 24, 2023
0c94156
Merge branch 'marrobi/issue2780' of github.com:marrobi/AzureTRE into …
marrobi Jan 24, 2023
d8c1c89
Add AML back to e2e tests
marrobi Jan 25, 2023
b8a330e
Merge branch 'main' into marrobi/issue2780
marrobi Jan 25, 2023
6bb1c75
update docs
marrobi Jan 25, 2023
c5ac102
Merge branch 'marrobi/issue2780' of github.com:marrobi/AzureTRE into …
marrobi Jan 25, 2023
d8ae302
Update changelog.
marrobi Jan 25, 2023
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -27,6 +27,7 @@ FEATURES:

ENHANCEMENTS:
* Add support for referencing IP Groups from the Core Resource Group in firewall rules created via the pipeline [#3089](https://github.com/microsoft/AzureTRE/pull/3089)
* Update Azure Machine Learning Workspace Service to support "no public IP" compute. This is a full rework so upgrades of existing Azure ML Workspace Service deployments are not supported. [#3052](https://github.com/microsoft/AzureTRE/pull/3052)

BUG FIXES:
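Review bot: the new entry under ENHANCEMENTS states that upgrades of existing Azure ML Workspace Service deployments are not supported, which makes this a breaking change for anyone already running the service. Suggest flagging it as breaking in the changelog and saying what an operator has to do instead (for example, remove and redeploy the service), so it is not read as a drop-in enhancement.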

1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -134,6 +134,7 @@ terraform-deploy:
$(call target_title, "Deploying ${DIR} with Terraform") \
&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
&& . ${MAKEFILE_DIR}/devops/scripts/load_and_validate_env.sh \
&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${DIR}/.env \
&& cd ${DIR}/terraform/ && ./deploy.sh

terraform-import:
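Review bot: in terraform-deploy, `load_env.sh ${DIR}/.env` is sourced after `load_and_validate_env.sh`, so anything the directory's .env sets is applied after validation has already run. Please confirm that a per-directory .env cannot override values that were just validated, and that the target still behaves for a `${DIR}` that has no .env file.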
25 changes: 3 additions & 22 deletions docs/tre-templates/workspace-services/azure-ml.md
Expand Up @@ -6,30 +6,11 @@ This service installs the following resources into an existing virtual network w

![Azure Machine Learning Service](images/aml_service.png)

Any users with the role of `Workspace Researcher` will be assigned the `AzureML Data Scientist` role within the AML workspace.

## Properties

- `display_name` - The name of the Azure Machine Learning workspace.
- `description` - The description of the Azure Machine Learning workspace.
- `is_exposed_externally` - If `True`, the Azure Machine Learning workspace is accessible from outside of the worksapce virtual network.

When deploying the service the Azure ML workspace can be exposed publicly or access restricted to the virtual network. Depending on the choice appropriate network security rules are added. This also means that in the public configuration compute instances can be deployed with public IPs, and in the private configuration they must be deployed with no public IP.

## Firewall Rules

Please be aware that the following outbound Firewall rules are opened for the workspace when this service is deployed, including to Azure Storage. This does open the possibility to extract data from a workspace if the user is determined to do so. Work is ongoing to remove some of these requirements:

Service Tags:
- AzureActiveDirectory
- AzureResourceManager
- AzureMachineLearning"
- Storage.`{AzureRegion}`
- MicrosoftContainerRegistry

URLs:
- aadcdn.msftauth.net
- ml.azure.com
Any users with the role of `Workspace Researcher` will be assigned the `AzureML Data Scientist` role within the AML workspace.

To ensure AML compute instances are deployed with the appropriate configuration we suggest they are deployed using an Compute Instance User Resource.

## Prerequisites
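Review bot: going by the counts for this file (3 additions, 22 deletions), the rewritten page drops the Firewall Rules section, including the warning that outbound access to Azure Storage makes it possible to extract data from a workspace, and the Properties section that explained `is_exposed_externally`. Unless those outbound rules are gone, the caveat and the list of service tags and URLs the service opens should stay documented, and the new `address_space` parameter needs an entry of its own. Also, "an Compute Instance User Resource" should read "a Compute Instance User Resource".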

Binary file modified docs/tre-templates/workspace-services/images/aml_service.png
2 changes: 1 addition & 1 deletion e2e_tests/test_workspace_services.py
Expand Up @@ -8,7 +8,7 @@
pytestmark = pytest.mark.asyncio

workspace_services = [
# strings.AZUREML_SERVICE,
strings.AZUREML_SERVICE,
# strings.INNEREYE_SERVICE,
strings.GITEA_SERVICE,
strings.MLFLOW_SERVICE,
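Review bot: with `strings.AZUREML_SERVICE` back in `workspace_services`, the e2e run installs the reworked bundle, whose porter.yaml now declares `address_space` with no default. Nothing in this hunk shows the test supplying that value, so please check that the install request provides it; otherwise the re-enabled test will fail at install.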
2 changes: 2 additions & 0 deletions templates/workspace_services/azureml/.env.sample
Expand Up @@ -8,3 +8,5 @@ WORKSPACE_ID="__CHANGE_ME__"
DISPLAY_NAME="__CHANGE_ME__"
DESCRIPTION="__CHANGE_ME__"
IS_EXPOSED_EXTERNALLY="false"

ADDRESS_SAPCE="__CHANGE_ME__"
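Review bot: `ADDRESS_SAPCE` on the last line is misspelled; parameters.json reads this value from the env var `ADDRESS_SPACE`, so a .env copied from this sample leaves `address_space` unset. Rename the key to `ADDRESS_SPACE`.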
6 changes: 6 additions & 0 deletions templates/workspace_services/azureml/parameters.json
Expand Up @@ -34,6 +34,12 @@
"env": "DESCRIPTION"
}
},
{
"name": "address_space",
"source": {
"env": "ADDRESS_SPACE"
}
},
{
"name": "is_exposed_externally",
"source": {
46 changes: 31 additions & 15 deletions templates/workspace_services/azureml/porter.yaml
@@ -1,7 +1,7 @@
---
schemaVersion: 1.0.0
name: tre-service-azureml
version: 0.6.0
version: 0.7.25
description: "An Azure TRE service for Azure Machine Learning"
registry: azuretre
dockerfile: Dockerfile.tmpl
Expand Down Expand Up @@ -41,6 +41,9 @@ parameters:
default: false
env: IS_EXPOSED_EXTERNALLY
description: "Determines if the AML workspace will be available over public/internet"
- name: address_space
type: string
description: "Address space for the AML subnets"
- name: tfstate_resource_group_name
type: string
description: "Resource group containing the Terraform state storage account"
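Review bot: the new `address_space` parameter has only a type and a description, while `is_exposed_externally` just above it carries a default and an `env` mapping. With no default it has to be supplied for every action, so consider adding `env: ADDRESS_SPACE` to match parameters.json and stating the expected format in the description (presumably a CIDR range, plus the minimum size the AML subnets need), so a malformed or undersized value is caught before Terraform runs.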
Expand Down Expand Up @@ -83,7 +86,12 @@ outputs:
applyTo:
- install
- upgrade
- name: workspace_services_subnet_address_prefix
- name: workspace_address_spaces
type: string
applyTo:
- install
- upgrade
- name: aml_subnet_address_prefixes
type: string
applyTo:
- install
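Review bot: this hunk shows `workspace_services_subnet_address_prefix` alongside the new `workspace_address_spaces` and `aml_subnet_address_prefixes`; if the old output is being replaced, anything that consumed it needs to move to the new names, so a search for remaining references is worthwhile. Both new outputs are plural but typed `string`, so the encoding (JSON array or comma-separated list) should be stated where they are consumed.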
Expand All @@ -93,14 +101,22 @@ outputs:
applyTo:
- install
- upgrade
- name: batch_tag
type: string
applyTo:
- install
- upgrade
- name: mcr_tag
type: string
applyTo:
- install
- upgrade

mixins:
- terraform:
clientVersion: 1.3.6
- az:
clientVersion: 2.37.0
extensions:
- azure-firewall

install:
- terraform:
Expand All @@ -111,11 +127,9 @@ install:
tre_resource_id: ${ bundle.parameters.id }
display_name: ${ bundle.parameters.display_name }
description: ${ bundle.parameters.description }
address_space: ${ bundle.parameters.address_space }
is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
arm_client_id: ${ bundle.credentials.azure_client_id }
arm_client_secret: ${ bundle.credentials.azure_client_secret }
arm_use_msi: ${ bundle.parameters.arm_use_msi }
auth_client_id: ${ bundle.credentials.auth_client_id }
auth_client_secret: ${ bundle.credentials.auth_client_secret }
auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
Expand All @@ -130,8 +144,11 @@ install:
- name: azureml_storage_account_id
- name: connection_uri
- name: internal_connection_uri
- name: workspace_services_subnet_address_prefix
- name: workspace_address_spaces
- name: aml_subnet_address_prefixes
- name: storage_tag
- name: batch_tag
- name: mcr_tag

upgrade:
- terraform:
Expand All @@ -142,11 +159,9 @@ upgrade:
tre_resource_id: ${ bundle.parameters.id }
display_name: ${ bundle.parameters.display_name }
description: ${ bundle.parameters.description }
address_space: ${ bundle.parameters.address_space }
is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
arm_client_id: ${ bundle.credentials.azure_client_id }
arm_client_secret: ${ bundle.credentials.azure_client_secret }
arm_use_msi: ${ bundle.parameters.arm_use_msi }
auth_client_id: ${ bundle.credentials.auth_client_id }
auth_client_secret: ${ bundle.credentials.auth_client_secret }
auth_tenant_id: ${ bundle.credentials.auth_tenant_id }
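Review bot: the upgrade action is still wired to run Terraform with the new `address_space` variable, yet the changelog entry for this PR says upgrades of existing Azure ML Workspace Service deployments are not supported. An existing 0.6.0 install has no `address_space` value, so either make the upgrade fail early with a clear message or document that the service must be removed and reinstalled.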
Expand All @@ -161,8 +176,11 @@ upgrade:
- name: azureml_storage_account_id
- name: connection_uri
- name: internal_connection_uri
- name: workspace_services_subnet_address_prefix
- name: workspace_address_spaces
- name: aml_subnet_address_prefixes
- name: storage_tag
- name: batch_tag
- name: mcr_tag

uninstall:
- terraform:
Expand All @@ -173,11 +191,9 @@ uninstall:
tre_resource_id: ${ bundle.parameters.id }
display_name: ${ bundle.parameters.display_name }
description: ${ bundle.parameters.description }
address_space: ${ bundle.parameters.address_space }
is_exposed_externally: ${ bundle.parameters.is_exposed_externally }
arm_use_msi: ${ bundle.parameters.arm_use_msi }
arm_tenant_id: ${ bundle.credentials.azure_tenant_id }
arm_client_id: ${ bundle.credentials.azure_client_id }
arm_client_secret: ${ bundle.credentials.azure_client_secret }
auth_client_id: ${ bundle.credentials.auth_client_id }
auth_client_secret: ${ bundle.credentials.auth_client_secret }
auth_tenant_id: ${ bundle.credentials.auth_tenant_id }