articles/machine-learning/how-to-secure-training-vnet.md
19 additions & 9 deletions
@@ -68,15 +68,25 @@ To use either a [managed Azure Machine Learning __compute target__](concept-comp
68
68
> * Virtual network service endpoint policies do not work for compute cluster/instance system storage accounts
69
69
> * If storage and compute instance are in different regions you might see intermittent timeouts
70
70
71
-
72
-
> [!TIP]
73
-
> The Machine Learning compute instance or cluster automatically allocates additional networking resources __in the resource group that contains the virtual network__. For each compute instance or cluster, the service allocates the following resources:
74
-
>
75
-
> * One network security group
76
-
> * One public IP address. If you have Azure policy prohibiting Public IP creation then deployment of cluster/instances will fail
77
-
> * One load balancer
78
-
>
79
-
> In the case of clusters these resources are deleted (and recreated) every time the cluster scales down to 0 nodes, however for an instance the resources are held onto till the instance is completely deleted (stopping does not remove the resources).
71
+
### Dynamically allocated resources
72
+
73
+
The Machine Learning compute instance or cluster automatically allocates additional networking resources __in the resource group that contains the virtual network__. For each compute instance or cluster, the service allocates the following resources:
74
+
75
+
* One network security group (NSG). This NSG contains the following rules, which are specific to compute cluster and compute instance:
76
+
77
+
* Allow inbound TCP traffic on ports 29876-29877 from the `BatchNodeManagement` service tag.
78
+
* Allow inbound TCP traffic on port 44224 from the `AzureMachineLearning` service tag.
79
+
80
+
The following is a screenshot of the default rules for this NSG:
81
+
82
+
:::image type="content" source="./media/how-to-secure-training-vnet/compute-instance-cluster-network-security-group.png" alt-text="Screenshot of NSG":::
83
+
84
+
* One public IP address. If you have Azure policy prohibiting Public IP creation then deployment of cluster/instances will fail
85
+
* One load balancer
86
+
87
+
In the case of clusters these resources are deleted (and recreated) every time the cluster scales down to 0 nodes, however for an instance the resources are held onto till the instance is completely deleted (stopping does not remove the resources).
88
+
89
+
> [!IMPORTANT]
80
90
> These resources are limited by the subscription's [resource quotas](../azure-resource-manager/management/azure-subscription-service-limits.md). If the virtual network resource group is locked then deletion of compute cluster/instance will fail. Load balancer cannot be deleted until the compute cluster/instance is deleted. Also please ensure there is no Azure policy which prohibits creation of network security groups.
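Review bot: The two new rule bullets under "One network security group (NSG)" name the source service tag and port (TCP 29876-29877 from `BatchNodeManagement`, TCP 44224 from `AzureMachineLearning`) but not the destination, and they do not say whether a customer may tighten or remove these rules. Because the same list goes on to say a public IP address is allocated, anyone auditing inbound exposure needs both facts here; suggest adding one sentence after the rule bullets that states the destination of the rules and whether they are service-managed. The image alt-text "Screenshot of NSG" also does not describe what is shown; something like "Screenshot of the default inbound rules of the NSG created for a compute instance or cluster" would serve screen-reader users better. Finally, the Azure Policy caveat is now split between the public IP bullet and the trailing `[!IMPORTANT]` note (which covers NSG creation); consider stating both policy requirements in one place so neither is missed.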