title | description | ms.topic | ms.date | ms.custom |
---|---|---|---|---|
Create a simplified node communication pool without public IP addresses (preview) |
Learn how to create an Azure Batch simplified node communication pool without public IP addresses. |
how-to |
05/26/2022 |
references_regions |
Note
This replaces the previous preview version of Azure Batch pool without public IP addresses. This new version requires using simplified compute node communication.
Important
- Support for pools without public IP addresses in Azure Batch is currently in public preview for selected regions.
- This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
- For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
When you create an Azure Batch pool, you can provision the virtual machine (VM) configuration pool without a public IP address. This article explains how to set up a Batch pool without public IP addresses.
By default, all the compute nodes in an Azure Batch VM configuration pool are assigned a public IP address. This address is used by the Batch service to support outbound access to the internet, as well inbound access to compute nodes from the internet.
To restrict access to these nodes and reduce the discoverability of these nodes from the internet, you can provision the pool without public IP addresses.
Important
The prerequisites have changed from the previous version of this preview. Make sure to review each item for changes before proceeding.
-
Use simplified compute node communication. For more information, see Use simplified compute node communication.
-
The Batch client API must use Azure Active Directory (AD) authentication. Azure Batch support for Azure AD is documented in Authenticate Batch service solutions with Active Directory.
-
Create your pool in an Azure virtual network (VNet), follow these requirements and configurations. To prepare a VNet with one or more subnets in advance, you can use the Azure portal, Azure PowerShell, the Azure Command-Line Interface (Azure CLI), or other methods.
-
The VNet must be in the same subscription and region as the Batch account you use to create your pool.
-
The subnet specified for the pool must have enough unassigned IP addresses to accommodate the number of VMs targeted for the pool; that is, the sum of the
targetDedicatedNodes
andtargetLowPriorityNodes
properties of the pool. If the subnet doesn't have enough unassigned IP addresses, the pool partially allocates the compute nodes, and a resize error occurs. -
If you plan to use a private endpoint with Batch accounts, you must disable private endpoint network policies. Run the following Azure CLI command:
az network vnet subnet update --vnet-name <vnetname> -n <subnetname> --resource-group <resourcegroup> --disable-private-endpoint-network-policies
-
-
Enable outbound access for Batch node management. A pool with no public IP addresses doesn't have internet outbound access enabled by default. To allow compute nodes to access the Batch node management service (see Use simplified compute node communication) either:
-
Use
nodeManagement
private endpoint with Batch accounts. This is the preferred method. -
Alternatively, provide your own internet outbound access support (see Outbound access to the internet).
-
- Pools without public IP addresses must use Virtual Machine Configuration and not Cloud Services Configuration.
- Custom endpoint configuration for Batch compute nodes doesn't work with pools without public IP addresses.
- Because there are no public IP addresses, you can't use your own specified public IP addresses with this type of pool.
- Navigate to your Batch account in the Azure portal.
- In the Settings window on the left, select Pools.
- In the Pools window, select Add.
- On the Add Pool window, select the option you intend to use from the Image Type dropdown.
- Select the correct Publisher/Offer/Sku of your image.
- Specify the remaining required settings, including the Node size, Target dedicated nodes, and Target Spot/low-priority nodes, as well as any desired optional settings.
- Select a virtual network and subnet you wish to use. This virtual network must be in the same location as the pool you are creating.
- In IP address provisioning type, select NoPublicIPAddresses.
The example below shows how to use the Batch Service REST API to create a pool that uses public IP addresses.
POST {batchURL}/pools?api-version=2020-03-01.11.0
client-request-id: 00000000-0000-0000-0000-000000000000
"pool": {
"id": "pool2",
"vmSize": "standard_a1",
"virtualMachineConfiguration": {
"imageReference": {
"publisher": "Canonical",
"offer": "UbuntuServer",
"sku": "18.04-lts"
},
"nodeAgentSKUId": "batch.node.ubuntu 18.04"
}
"networkConfiguration": {
"subnetId": "/subscriptions/<your_subscription_id>/resourceGroups/<your_resource_group>/providers/Microsoft.Network/virtualNetworks/<your_vnet_name>/subnets/<your_subnet_name>",
"publicIPAddressConfiguration": {
"provision": "NoPublicIPAddresses"
}
},
"resizeTimeout": "PT15M",
"targetDedicatedNodes": 5,
"targetLowPriorityNodes": 0,
"taskSlotsPerNode": 3,
"taskSchedulingPolicy": {
"nodeFillType": "spread"
},
"enableAutoScale": false,
"enableInterNodeCommunication": true,
"metadata": [
{
"name": "myproperty",
"value": "myvalue"
}
]
}
In a pool without public IP addresses, your virtual machines won't be able to access the public internet unless you configure your network setup appropriately, such as by using virtual network NAT. Note that NAT only allows outbound access to the internet from the virtual machines in the virtual network. Batch-created compute nodes won't be publicly accessible, since they don't have public IP addresses associated.
Another way to provide outbound connectivity is to use a user-defined route (UDR). This lets you route traffic to a proxy machine that has public internet access, for example Azure Firewall.
Important
There is no extra network resource (load balancer, network security group) created for simplified node communication pools without public IP addresses. Since the compute nodes in the pool are not bound to any load balancer, Azure may provide Default Outbound Access. However, Default Outbound Access is not suitable for production workloads, so it is strongly recommended to bring your own Internet outbound access.
For existing pools that use the previous preview version of Azure Batch No Public IP pool, it's only possible to migrate pools created in a virtual network. To migrate the pool, follow the opt-in process for simplified node communication:
- Opt in to use simplified node communication.
- Create a private endpoint for Batch node management in the virtual network.
- Scale down the pool to zero nodes.
- Scale out the pool again. The pool is then automatically migrated to the new version of the preview.
- Learn how to use simplified compute node communication.
- Learn more about creating pools in a virtual network.
- Learn how to use private endpoints with Batch accounts.