diff --git a/articles/ai-services/index.yml b/articles/ai-services/index.yml index 3441d10d213..03616adc435 100644 --- a/articles/ai-services/index.yml +++ b/articles/ai-services/index.yml @@ -13,7 +13,7 @@ metadata: ms.author: eur manager: nitinme ms.custom: ignite-2023 - ms.date: 8/20/2024 + ms.date: 9/5/2024 highlightedContent: # itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new items: @@ -23,9 +23,9 @@ highlightedContent: - title: What is Azure AI Studio? itemType: overview url: ../ai-studio/what-is-ai-studio.md - - title: Build your own copilot with Azure AI SDKs - itemType: tutorial - url: ../ai-studio/tutorials/copilot-sdk-build-rag.md + - title: Chat with Azure OpenAI models using your own data + itemType: quickstart + url: ./openai/use-your-data-quickstart.md - title: Responsible use of AI itemType: concept url: responsible-use-of-ai-overview.md 
@@ -42,20 +42,25 @@ productDirectory: summary: Perform a wide variety of natural language tasks. url: ./openai/index.yml # Card + - title: Azure AI Search + imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/search.svg + summary: Bring AI-powered cloud search to your mobile and web applications. + url: /azure/search/ + # Card + - title: Content Safety + imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/content-safety.svg + summary: An AI service that detects unwanted contents + url: ./content-safety/index.yml + # Card - title: Speech imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/speech.svg summary: Speech to text, text to speech, translation, and speaker recognition url: ./speech-service/index.yml # Card - - title: Language - imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/language.svg - summary: Build apps with industry-leading natural language understanding capabilities. - url: ./language-service/index.yml - # Card - - title: Translator - imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/translator.svg - summary: Use AI-powered translation technology to translate more than 100 in-use, at-risk, and endangered languages and dialects. - url: ./translator/index.yml + - title: Document Intelligence + imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/document-intelligence.svg + summary: Turn documents into intelligent data-driven solutions. + url: ./document-intelligence/index.yml # Card - title: Vision imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/vision.svg 
@@ -72,25 +77,15 @@ productDirectory: summary: Detect and identify people and emotions in images. url: ./computer-vision/overview-identity.md # Card - - title: Content Safety - imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/content-safety.svg - summary: An AI service that detects unwanted contents - url: ./content-safety/index.yml - # Card - - title: Bot Service - imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/bot-services.svg - summary: Create bots and connect them across channels. - url: /composer/ - # Card - - title: Document Intelligence - imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/document-intelligence.svg - summary: Turn documents into intelligent data-driven solutions. - url: ./document-intelligence/index.yml + - title: Translator + imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/translator.svg + summary: Use AI-powered translation technology to translate more than 100 in-use, at-risk, and endangered languages and dialects. + url: ./translator/index.yml # Card - - title: Azure AI Search - imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/search.svg - summary: Bring AI-powered cloud search to your mobile and web applications. - url: /azure/search/ + - title: Language + imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/language.svg + summary: Build apps with industry-leading natural language understanding capabilities. + url: ./language-service/index.yml # Card - title: Video Indexer imageSrc: ~/reusable-content/ce-skilling/azure/media/ai-services/video-indexer.svg 
@@ -110,34 +105,32 @@ additionalContent: links: - text: Azure AI Studio url: https://ai.azure.com/ - - text: Azure OpenAI + - text: Azure OpenAI Studio url: https://oai.azure.com/ + - text: Content Safety + url: https://contentsafety.cognitive.azure.com/ - text: Speech url: https://speech.microsoft.com/ - - text: Language - url: https://language.cognitive.azure.com/ + - text: Document Intelligence + url: https://formrecognizer.appliedai.azure.com/ - text: Vision url: https://portal.vision.cognitive.azure.com/ - text: Custom Vision url: https://www.customvision.ai/ - - text: Document Intelligence - url: https://formrecognizer.appliedai.azure.com/ - - text: Content Safety - url: https://contentsafety.cognitive.azure.com/ - text: Custom Translator url: https://portal.customtranslator.azure.ai/ - - text: Azure Machine Learning - url: https://ml.azure.com/ + - text: Language + url: https://language.cognitive.azure.com/ - title: Explore more AI resources links: + - text: Azure AI Studio + url: /azure/ai-studio/ - text: Azure Machine Learning url: /azure/machine-learning/ - text: Semantic Kernel url: /semantic-kernel/ - text: AI Builder url: /ai-builder/ - - text: Power Virtual Agents with Azure AI Language - url: /power-virtual-agents/advanced-clu-integration - text: Windows AI url: /windows/ai/ - text: GitHub Copilot diff --git a/articles/ai-services/language-service/conversational-language-understanding/concepts/best-practices.md b/articles/ai-services/language-service/conversational-language-understanding/concepts/best-practices.md index 0e1dbb6084c..f4efdad7b06 100644 --- a/articles/ai-services/language-service/conversational-language-understanding/concepts/best-practices.md +++ b/articles/ai-services/language-service/conversational-language-understanding/concepts/best-practices.md 
@@ -243,7 +243,7 @@ curl --request POST \ ## Address out-of-domain utterances -Customers can use the new recipe version `2024-06-01-preview` if the model has poor AIQ on out-of-domain utterances. An example of this scenario with the default recipe can be like the following example where the model has three intents: `Sports`, `QueryWeather`, and `Alarm`. The test utterances are out-of-domain utterances and the model classifies them as `InDomain` with a relatively high confidence score. +Customers can use the newly updated recipe version `2024-08-01-preview` (previously `2024-06-01-preview`) if the model has poor AIQ on out-of-domain utterances. An example of this scenario with the default recipe can be like the following example where the model has three intents: `Sports`, `QueryWeather`, and `Alarm`. The test utterances are out-of-domain utterances and the model classifies them as `InDomain` with a relatively high confidence score. | Text | Predicted intent | Confidence score | |----|----|----| @@ -251,7 +251,7 @@ Customers can use the new recipe version `2024-06-01-preview` if the model has p | "Do I look good to you today?" | `QueryWeather` | 1.00 | | "I hope you have a good evening." | `Alarm` | 0.80 | -To address this scenario, use the `2024-06-01-preview` configuration version that's built specifically to address this issue while also maintaining reasonably good quality on `InDomain` utterances. +To address this scenario, use the `2024-08-01-preview` configuration version that's built specifically to address this issue while also maintaining reasonably good quality on `InDomain` utterances. ```console curl --location 'https://.cognitiveservices.azure.com/language/authoring/analyze-conversations/projects//:train?api-version=2022-10-01-preview' \ 
@@ -260,7 +260,7 @@ curl --location 'https://.cognitiveservices.azure.com/language/au --data '{       "modelLabel": "",       "trainingMode": "advanced", -      "trainingConfigVersion": "2024-06-01-preview", +      "trainingConfigVersion": "2024-08-01-preview",       "evaluationOptions": {             "kind": "percentage",             "testingSplitPercentage": 0, diff --git a/articles/ai-services/openai/api-version-deprecation.md b/articles/ai-services/openai/api-version-deprecation.md index b37157cbc92..4d1359771cd 100644 --- a/articles/ai-services/openai/api-version-deprecation.md +++ b/articles/ai-services/openai/api-version-deprecation.md @@ -1,11 +1,11 @@ --- -title: Azure OpenAI Service API version retirement +title: Azure OpenAI Service API version lifecycle description: Learn more about API version retirement in Azure OpenAI Services. services: cognitive-services manager: nitinme ms.service: azure-ai-openai ms.topic: conceptual -ms.date: 08/14/2024 +ms.date: 09/05/2024 author: mrbullwinkle ms.author: mbullwin recommendations: false 
@@ -14,10 +14,10 @@ ms.custom: # Azure OpenAI API preview lifecycle -This article is to help you understand the support lifecycle for the Azure OpenAI API previews. New preview APIs target a monthly release cadence. After February 3rd, 2025, the latest three preview APIs will remain supported while older APIs will no longer be supported unless support is explicitly indicated. +This article is to help you understand the support lifecycle for the Azure OpenAI API previews. New preview APIs target a monthly release cadence. Whenever possible we recommend using either the latest GA, or preview API releases. > [!NOTE] -> The `2023-06-01-preview` API will remain supported at this time, as `DALL-E 2` is only available in this API version. `DALL-E 3` is supported in the latest API releases. The `2023-10-01-preview` API will also remain supported at this time. +> The `2023-06-01-preview` API and the `2023-10-01-preview` API remain supported at this time. ## Latest preview API releases diff --git a/articles/ai-services/openai/concepts/content-filter.md b/articles/ai-services/openai/concepts/content-filter.md index 9c3d5b28c2c..c7508eb670b 100644 --- a/articles/ai-services/openai/concepts/content-filter.md +++ b/articles/ai-services/openai/concepts/content-filter.md 
@@ -79,16 +79,17 @@ Detecting indirect attacks requires using document delimiters when constructing --- -## Configurability (preview) +## Configurability -The default content filtering configuration for the GPT model series is set to filter at the medium severity threshold for all four content harm categories (hate, violence, sexual, and self-harm) and applies to both prompts (text, multi-modal text/image) and completions (text). This means that content that is detected at severity level medium or high is filtered, while content detected at severity level low isn't filtered by the content filters. For DALL-E, the default severity threshold is set to low for both prompts (text) and completions (images), so content detected at severity levels low, medium, or high is filtered. The configurability feature is available in preview and allows customers to adjust the settings, separately for prompts and completions, to filter content for each content category at different severity levels as described in the table below: +Azure OpenAI Service includes default safety settings applied to all models, excluding Azure OpenAI Whisper. These configurations provide you with a responsible experience by default, including content filtering models, blocklists, prompt transformation, [content credentials](../concepts/content-credentials.md), and others. [Read more about it here](/azure/ai-services/openai/concepts/default-safety-policies). All customers can also configure content filters and create custom safety policies that are tailored to their use case requirements. 
The configurability feature allows customers to adjust the settings, separately for prompts and completions, to filter content for each content category at different severity levels as described in the table below: | Severity filtered | Configurable for prompts | Configurable for completions | Descriptions | |-------------------|--------------------------|------------------------------|--------------| | Low, medium, high | Yes | Yes | Strictest filtering configuration. Content detected at severity levels low, medium, and high is filtered.| | Medium, high | Yes | Yes | Content detected at severity level low isn't filtered, content at medium and high is filtered.| -| High | Yes| Yes | Content detected at severity levels low and medium isn't filtered. Only content at severity level high is filtered. Requires approval1.| +| High | Yes| Yes | Content detected at severity levels low and medium isn't filtered. Only content at severity level high is filtered. | | No filters | If approved1| If approved1| No content is filtered regardless of severity level detected. Requires approval1.| +|Annotate only | If approved1| If approved1| Disables the filter functionality, so content will not be blocked, but annotations are returned via API response. Requires approval1.| 1 For Azure OpenAI models, only customers who have been approved for modified content filtering have full content filtering control and can turn off content filters. Apply for modified content filters via this form: [Azure OpenAI Limited Access Review: Modified Content Filters](https://ncv.microsoft.com/uEfCgnITdR) For Azure Government customers, please apply for modified content filters via this form: [Azure Government - Request Modified Content Filtering for Azure OpenAI Service](https://aka.ms/AOAIGovModifyContentFilter). diff --git a/articles/ai-services/openai/how-to/content-filters.md b/articles/ai-services/openai/how-to/content-filters.md index fb44864f457..e5addc5b0fd 100644 
--- a/articles/ai-services/openai/how-to/content-filters.md +++ b/articles/ai-services/openai/how-to/content-filters.md 
@@ -21,28 +21,30 @@ The content filtering system integrated into Azure OpenAI Service runs alongside Content filters can be configured at resource level. Once a new configuration is created, it can be associated with one or more deployments. For more information about model deployment, see the [resource deployment guide](create-resource.md). -The configurability feature is available in preview and allows customers to adjust the settings, separately for prompts and completions, to filter content for each content category at different severity levels as described in the table below. Content detected at the 'safe' severity level is labeled in annotations but is not subject to filtering and isn't configurable. +The configurability feature allows customers to adjust the settings, separately for prompts and completions, to filter content for each content category at different severity levels as described in the table below. Content detected at the 'safe' severity level is labeled in annotations but is not subject to filtering and isn't configurable. | Severity filtered | Configurable for prompts | Configurable for completions | Descriptions | |-------------------|--------------------------|------------------------------|--------------| -| Low, medium, high | Yes | Yes | Strictest filtering configuration. Content detected at severity levels low, medium, and high is filtered.| -| Medium, high | Yes | Yes | Default setting. Content detected at severity level low isn't filtered, content at medium and high is filtered.| +| Low, medium, high | Yes | Yes | Strictest filtering configuration. Content detected at severity levels low, medium, and high is filtered. | +| Medium, high | Yes | Yes | Content detected at severity level low isn't filtered, content at medium and high is filtered. | | High | Yes| Yes | Content detected at severity levels low and medium isn't filtered. Only content at severity level high is filtered. 
| | No filters | If approved\*| If approved\*| No content is filtered regardless of severity level detected. Requires approval\*.| +|Annotate only | If approved\*| If approved\*| Disables the filter functionality, so content will not be blocked, but annotations are returned via API response. Requires approval\*| \* Only approved customers have full content filtering control and can turn the content filters partially or fully off. Managed customers only can apply for full content filtering control via this form: [Azure OpenAI Limited Access Review: Modified Content Filters](https://ncv.microsoft.com/uEfCgnITdR). At this time, it is not possible to become a managed customer. Customers are responsible for ensuring that applications integrating Azure OpenAI comply with the [Code of Conduct](/legal/cognitive-services/openai/code-of-conduct?context=%2Fazure%2Fai-services%2Fopenai%2Fcontext%2Fcontext). -|Filter category |Default setting |Applied to prompt or completion? |Description | +|Filter category |Status |Default setting |Applied to prompt or completion? |Description | |---------|---------|---------|---------| -|Jailbreak risk detection | Off | Prompt | Can be turned on to filter or annotate user prompts that might present a Jailbreak Risk. For more information about consuming annotations, visit [Azure OpenAI Service content filtering](/azure/ai-services/openai/concepts/content-filter?tabs=python#annotations-preview) | -| Protected material - code | off | Completion | Can be turned on to get the example citation and license information in annotations for code snippets that match any public code sources. 
For more information about consuming annotations, see the [content filtering concepts guide](/azure/ai-services/openai/concepts/content-filter#annotations-preview) | -| Protected material - text | off | Completion | Can be turned on to identify and block known text content from being displayed in the model output (for example, song lyrics, recipes, and selected web content). | +|Prompt Shields for direct attacks (jailbreak) |GA| On | User prompt | Filters / annotates user prompts that might present a Jailbreak Risk. For more information about annotations, visit [Azure OpenAI Service content filtering](/azure/ai-services/openai/concepts/content-filter?tabs=python#annotations-preview). | +|Prompt Shields for indirect attacks | GA| On| User prompt | Filter / annotate Indirect Attacks, also referred to as Indirect Prompt Attacks or Cross-Domain Prompt Injection Attacks, a potential vulnerability where third parties place malicious instructions inside of documents that the generative AI system can access and process. Required: [Document ](/azure/ai-services/openai/concepts/content-filter?tabs=warning%2Cuser-prompt%2Cpython-new#embedding-documents-in-your-prompt)formatting. | +| Protected material - code |GA| On | Completion | Filters protected code or gets the example citation and license information in annotations for code snippets that match any public code sources, powered by GitHub Copilot. For more information about consuming annotations, see the [content filtering concepts guide](/azure/ai-services/openai/concepts/content-filter#annotations-preview) | +| Protected material - text | GA| On | Completion | Identifies and blocks known text content from being displayed in the model output (for example, song lyrics, recipes, and selected web content). 
| -## Configuring content filters via Azure OpenAI Studio (preview) +## Configuring content filters via Azure OpenAI Studio The following steps show how to set up a customized content filtering configuration for your resource. diff --git a/articles/ai-services/openai/how-to/deployment-types.md b/articles/ai-services/openai/how-to/deployment-types.md index 189fd08ae0b..8146c05dd44 100644 --- a/articles/ai-services/openai/how-to/deployment-types.md +++ b/articles/ai-services/openai/how-to/deployment-types.md 
@@ -20,7 +20,9 @@ Azure OpenAI provides customers with choices on the hosting structure that fits ## Global versus regional deployment types -For standard deployments you have an option of two types of configurations within your resource – **global** or **regional**. Global standard is the recommended starting point for development and experimentation. Global deployments leverage Azure's global infrastructure, dynamically route customer traffic to the data center with best availability for the customer’s inference requests. With global deployments there are higher initial throughput limits, though your latency may vary at high usage levels. For customers that require the lower latency variance at large workload usage, we recommend purchasing provisioned throughput. +For standard deployments you have an option of two types of configurations within your resource – **global** or **regional**. Global standard is the recommended starting point. + +Global deployments leverage Azure's global infrastructure, dynamically route customer traffic to the data center with best availability for the customer’s inference requests. This means you will get the higest initial throughput limits and best model availability with Global while still providing our uptime SLA and low latency.For high voulmne workloads above the specified usage tiers, you may experience increased latency variation. For customers that require the lower latency variance at large workload usage, we recommend purchasing provisioned throughput. Our global deployments will be the first location for all new models and features. Customers with very large throughput requirements should consider our provisioned deployment offering. diff --git a/articles/machine-learning/how-to-configure-private-link.md b/articles/machine-learning/how-to-configure-private-link.md index b6e4cb2efac..0cc17d23038 100644 --- a/articles/machine-learning/how-to-configure-private-link.md 
+++ b/articles/machine-learning/how-to-configure-private-link.md @@ -6,11 +6,12 @@ services: machine-learning ms.service: azure-machine-learning ms.subservice: enterprise-readiness ms.topic: how-to -ms.custom: devx-track-azurecli, sdkv2 +ms.custom: devx-track-azurecli, sdkv2, FY25Q1-Linter ms.author: larryfr author: Blackmist ms.reviewer: meerakurup -ms.date: 01/02/2024 +ms.date: 09/05/2024 +# Customer Intent: As an admin, I want to understand how to use private links to secure communications between my Azure Machine Learning workspace and my virtual network. --- # Configure a private endpoint for an Azure Machine Learning workspace 
@@ -20,7 +21,7 @@ ms.date: 01/02/2024 In this document, you learn how to configure a private endpoint for your Azure Machine Learning workspace. For information on creating a virtual network for Azure Machine Learning, see [Virtual network isolation and privacy overview](how-to-network-security-overview.md). -Azure Private Link enables you to connect to your workspace using a private endpoint. The private endpoint is a set of private IP addresses within your virtual network. You can then limit access to your workspace to only occur over the private IP addresses. A private endpoint helps reduce the risk of data exfiltration. To learn more about private endpoints, see the [Azure Private Link](/azure/private-link/private-link-overview) article. +Azure Private Link enables you to restrict connections to your workspace to an Azure Virtual Network. You restrict a workspace to only accept connections from a virtual network by creating a private endpoint. The private endpoint is a set of private IP addresses within your virtual network. You can then limit access to your workspace to only occur over the private IP addresses. A private endpoint helps reduce the risk of data exfiltration. To learn more about private endpoints, see the [Azure Private Link](/azure/private-link/private-link-overview) article. > [!WARNING] > Securing a workspace with private endpoints does not ensure end-to-end security by itself. You must secure all of the individual components of your solution. For example, if you use a private endpoint for the workspace, but your Azure Storage Account is not behind the VNet, traffic between the workspace and storage does not use the VNet for security. 
@@ -45,18 +46,18 @@ Azure Private Link enables you to connect to your workspace using a private endp ## Limitations -* If you enable public access for a workspace secured with private endpoint and use Azure Machine Learning studio over the public internet, some features such as the designer may fail to access your data. This problem happens when the data is stored on a service that is secured behind the VNet. For example, an Azure Storage Account. -* You may encounter problems trying to access the private endpoint for your workspace if you're using Mozilla Firefox. This problem may be related to DNS over HTTPS in Mozilla Firefox. We recommend using Microsoft Edge or Google Chrome. +* If you enable public access for a workspace secured with private endpoint and use Azure Machine Learning studio over the public internet, some features such as the designer might fail to access your data. This problem happens when the data is stored on a service that is secured behind the virtual network. For example, an Azure Storage Account. +* If you're using Mozilla Firefox, you might encounter problems trying to access the private endpoint for your workspace. This problem might be related to DNS over HTTPS in Mozilla Firefox. We recommend using Microsoft Edge or Google Chrome. * Using a private endpoint doesn't affect Azure control plane (management operations) such as deleting the workspace or managing compute resources. For example, creating, updating, or deleting a compute target. These operations are performed over the public Internet as normal. Data plane operations, such as using Azure Machine Learning studio, APIs (including published pipelines), or the SDK use the private endpoint. -* When creating a compute instance or compute cluster in a workspace with a private endpoint, the compute instance and compute cluster must be in the same Azure region as the workspace. 
-* When attaching an Azure Kubernetes Service cluster to a workspace with a private endpoint, the cluster must be in the same region as the workspace. -* When using a workspace with multiple private endpoints, one of the private endpoints must be in the same VNet as the following dependency services: +* When you create a compute instance or compute cluster in a workspace with a private endpoint, the compute instance and compute cluster must be in the same Azure region as the workspace. +* When you attach an Azure Kubernetes Service cluster to a workspace with a private endpoint, the cluster must be in the same region as the workspace. +* When you use a workspace with multiple private endpoints, one of the private endpoints must be in the same virtual network as the following dependency services: * Azure Storage Account that provides the default storage for the workspace * Azure Key Vault for the workspace * Azure Container Registry for the workspace. - For example, one VNet ('services' VNet) would contain a private endpoint for the dependency services and the workspace. This configuration allows the workspace to communicate with the services. Another VNet ('clients') might only contain a private endpoint for the workspace, and be used only for communication between client development machines and the workspace. + For example, one virtual network ('services') would contain a private endpoint for the dependency services and the workspace. This configuration allows the workspace to communicate with the services. Another virtual network ('clients') might only contain a private endpoint for the workspace, and be used only for communication between client development machines and the workspace. ## Create a workspace that uses a private endpoint 
@@ -66,12 +67,13 @@ Use one of the following methods to create a workspace with a private endpoint. > If you'd like to create a workspace, private endpoint, and virtual network at the same time, see [Use an Azure Resource Manager template to create a workspace for Azure Machine Learning](how-to-create-workspace-template.md). # [Azure CLI](#tab/cli) -[!INCLUDE [cli v2](includes/machine-learning-cli-v2.md)] +[!INCLUDE [CLI v2](includes/machine-learning-cli-v2.md)] -When using the Azure CLI [extension 2.0 CLI for machine learning](how-to-configure-cli.md), a YAML document is used to configure the workspace. The following example demonstrates creating a new workspace using a YAML configuration: +When you use the Azure CLI [extension 2.0 CLI for machine learning](how-to-configure-cli.md), a YAML document is used to configure the workspace. The following example demonstrates creating a new workspace using a YAML configuration: > [!TIP] -> When using private link, your workspace cannot use Azure Container Registry tasks compute for image building. The `image_build_compute` property in this configuration specifies a CPU compute cluster name to use for Docker image environment building. You can also specify whether the private link workspace should be accessible over the internet using the `public_network_access` property. +> When you use a private link, your workspace cannot use Azure Container Registry tasks compute for image building. Instead, the workspace defaults to using a [serverless compute cluster](how-to-use-serverless-compute.md) to build images. This works only when the workspace-deependent resources such as the storage account and container registry are not under any network restrictions (private endpoint). If your workspace dependencies are under network restrictions, use the `image_build_compute` property to specify a compute cluster to use for image building. 
+> The `image_build_compute` property in this configuration specifies a CPU compute cluster name to use for Docker image environment building. You can also specify whether the private link workspace should be accessible over the internet using the `public_network_access` property. > > In this example, the compute referenced by `image_build_compute` will need to be created before building images. @@ -152,7 +154,7 @@ Use one of the following methods to add a private endpoint to an existing worksp > If you have any existing compute targets associated with this workspace, and they are not behind the same virtual network that the private endpoint is created in, they will not work. # [Azure CLI](#tab/cli) -[!INCLUDE [cli v2](includes/machine-learning-cli-v2.md)] +[!INCLUDE [CLI v2](includes/machine-learning-cli-v2.md)] When using the Azure CLI [extension 2.0 CLI for machine learning](how-to-configure-cli.md), use the [Azure networking CLI commands](/cli/azure/network/private-endpoint#az-network-private-endpoint-create) to create a private link endpoint for the workspace. 
@@ -210,19 +212,19 @@ az network private-endpoint dns-zone-group add \
 # [Portal](#tab/azure-portal)
-From the Azure Machine Learning workspace in the portal, select __Private endpoint connections__ and then select __+ Private endpoint__. Use the fields to create a new private endpoint.
+From the Azure Machine Learning workspace in the portal, select __Settings__, __Networking__, __Private endpoint connections__ and then select __+ Private endpoint__. Use the fields to create a new private endpoint.
 * When selecting the __Region__, select the same region as your virtual network.
-* When selecting __Resource type__, use __Microsoft.MachineLearningServices/workspaces__.
-* Set the __Resource__ to your workspace name.
+* When selecting the __Virtual network__, select the virtual network you want to connect to.
+* When selecting the __Subnet__, select the subnet in the virtual network that the private endpoint IP addresses are assigned from.
-Finally, select __Create__ to create the private endpoint.
+You can leave other fields at the default value or modify as needed for your environment. Finally, select __Create__ to create the private endpoint.
 ---
 ## Remove a private endpoint
-You can remove one or all private endpoints for a workspace. Removing a private endpoint removes the workspace from the VNet that the endpoint was associated with. Removing the private endpoint may prevent the workspace from accessing resources in that VNet, or resources in the VNet from accessing the workspace. For example, if the VNet doesn't allow access to or from the public internet.
+You can remove one or all private endpoints for a workspace. Removing a private endpoint removes the workspace from the virtual network that the endpoint was associated with. Removing the private endpoint might prevent the workspace from accessing resources in that virtual network, or resources in the virtual network from accessing the workspace.
For example, if the virtual network doesn't allow access to or from the public internet.
 > [!WARNING]
 > Removing the private endpoints for a workspace __doesn't make it publicly accessible__. To make the workspace publicly accessible, use the steps in the [Enable public access](#enable-public-access) section.
@@ -230,7 +232,7 @@ You can remove one or all private endpoints for a workspace. Removing a private
 To remove a private endpoint, use the following information:
 # [Azure CLI](#tab/cli)
-[!INCLUDE [cli v2](includes/machine-learning-cli-v2.md)]
+[!INCLUDE [CLI v2](includes/machine-learning-cli-v2.md)]
 When using the Azure CLI [extension 2.0 CLI for machine learning](how-to-configure-cli.md), use the following command to remove the private endpoint:
@@ -253,7 +255,7 @@ az network private-endpoint delete \
 ## Enable public access
-In some situations, you may want to allow someone to connect to your secured workspace over a public endpoint, instead of through the VNet. Or you may want to remove the workspace from the VNet and re-enable public access.
+In some situations, you might want to allow someone to connect to your secured workspace over a public endpoint, instead of through the virtual network. Or you might want to remove the workspace from the virtual network and re-enable public access.
 > [!IMPORTANT]
 > Enabling public access doesn't remove any private endpoints that exist. All communications between components behind the VNet that the private endpoint(s) connect to are still secured. It enables public access only to the workspace, in addition to the private access through any private endpoints.
@@ -274,7 +276,7 @@ To enable public access, use the following steps:
 > Microsoft recommends using `public_network_access` to enable or disable public access to a workspace.
 # [Azure CLI](#tab/cli)
-[!INCLUDE [cli v2](includes/machine-learning-cli-v2.md)]
+[!INCLUDE [CLI v2](includes/machine-learning-cli-v2.md)]
 When using the Azure CLI [extension 2.0 CLI for machine learning](how-to-configure-cli.md), use the `az ml update` command to enable `public_network_access` for the workspace:
@@ -309,8 +311,9 @@ You can use IP network rules to allow access to your workspace and endpoint from
 > * To use this feature with Azure Machine Learning managed virtual network, see [Azure Machine Learning managed virtual network](how-to-managed-network.md#scenario-enable-access-from-selected-ip-addresses).
 # [Azure CLI](#tab/cli)
-[!INCLUDE [cli v2](includes/machine-learning-cli-v2.md)]
-Azure CLI does not support this.
+[!INCLUDE [CLI v2](includes/machine-learning-cli-v2.md)]
+
+Azure CLI doesn't support enabling public access from IP ranges.
 # [Portal](#tab/azure-portal)
@@ -326,7 +329,7 @@ Azure CLI does not support this.
 The following restrictions apply to IP address ranges:
-- IP network rules are allowed only for *public internet* IP addresses.
+- IP network rules are allowed only for _public internet_ IP addresses.
 [Reserved IP address ranges](https://en.wikipedia.org/wiki/Reserved_IP_addresses) aren't allowed in IP rules such as private addresses that start with 10, 172.16 to 172.31, and 192.168.
@@ -334,7 +337,7 @@ The following restrictions apply to IP address ranges:
 - Only IPv4 addresses are supported for configuration of storage firewall rules.
-- When this feature is enabled, you can test public endpoints using any client tool such as Curl, but the Endpoint Test tool in the portal is not supported.
+- When this feature is enabled, you can test public endpoints using any client tool such as Curl, but the Endpoint Test tool in the portal isn't supported.
 ## Securely connect to your workspace
@@ -344,9 +347,9 @@ The following restrictions apply to IP address ranges:
 Azure Machine Learning supports multiple private endpoints for a workspace. Multiple private endpoints are often used when you want to keep different environments separate. The following are some scenarios that are enabled by using multiple private endpoints:
-* Client development environments in a separate VNet.
-* An Azure Kubernetes Service (AKS) cluster in a separate VNet.
-* Other Azure services in a separate VNet. For example, Azure Synapse and Azure Data Factory can use a Microsoft managed virtual network. In either case, a private endpoint for the workspace can be added to the managed VNet used by those services. For more information on using a managed virtual network with these services, see the following articles:
+* Client development environments in a separate virtual network.
+* An Azure Kubernetes Service (AKS) cluster in a separate virtual network.
+* Other Azure services in a separate virtual network. For example, Azure Synapse and Azure Data Factory can use a Microsoft managed virtual network. In either case, a private endpoint for the workspace can be added to the managed virtual network used by those services. For more information on using a managed virtual network with these services, see the following articles:
 * [Synapse managed private endpoints](/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints)
 * [Azure Data Factory managed virtual network](/azure/data-factory/managed-virtual-network-private-endpoint).
@@ -366,13 +369,13 @@ If you want to isolate the development clients, so they don't have direct access
 > [!NOTE]
 > These steps assume that you have an existing workspace, Azure Storage Account, Azure Key Vault, and Azure Container Registry. Each of these services has a private endpoints in an existing VNet.
-1. Create another VNet for the clients. This VNet might contain Azure Virtual Machines that act as your clients, or it may contain a VPN Gateway used by on-premises clients to connect to the VNet.
-1. Add a new private endpoint for the Azure Storage Account, Azure Key Vault, and Azure Container Registry used by your workspace. These private endpoints should exist in the client VNet.
-1. If you have another storage that is used by your workspace, add a new private endpoint for that storage. The private endpoint should exist in the client VNet and have private DNS zone integration enabled.
-1. Add a new private endpoint to your workspace. This private endpoint should exist in the client VNet and have private DNS zone integration enabled.
-1. Use the steps in the [Use studio in a virtual network](how-to-enable-studio-virtual-network.md#datastore-azure-storage-account) article to enable studio to access the storage account(s).
+1. Create another virtual network for the clients. This virtual network might contain Azure Virtual Machines that act as your clients, or it might contain a VPN Gateway used by on-premises clients to connect to the virtual network.
+1. Add a new private endpoint for the Azure Storage Account, Azure Key Vault, and Azure Container Registry used by your workspace. These private endpoints should exist in the client virtual network.
+1. If you have another storage that is used by your workspace, add a new private endpoint for that storage. The private endpoint should exist in the client virtual network and have private DNS zone integration enabled.
+1. Add a new private endpoint to your workspace.
This private endpoint should exist in the client virtual network and have private DNS zone integration enabled.
+1. To enable Azure Machine Learning studio to access the storage accounts, visit the [studio in a virtual network](how-to-enable-studio-virtual-network.md#datastore-azure-storage-account) article.
-The following diagram illustrates this configuration. The __Workload__ VNet contains computes created by the workspace for training & deployment. The __Client__ VNet contains clients or client ExpressRoute/VPN connections. Both VNets contain private endpoints for the workspace, Azure Storage Account, Azure Key Vault, and Azure Container Registry.
+The following diagram illustrates this configuration. The __Workload__ virtual network contains compute resources created by the workspace for training & deployment. The __Client__ virtual network contains clients or client ExpressRoute/VPN connections. Both VNets contain private endpoints for the workspace, Azure Storage Account, Azure Key Vault, and Azure Container Registry.
 :::image type="content" source="./media/how-to-configure-private-link/multiple-private-endpoint-workspace-client.png" alt-text="Diagram of isolated client VNet":::
@@ -383,18 +386,18 @@ If you want to create an isolated Azure Kubernetes Service used by the workspace
 > [!NOTE]
 > These steps assume that you have an existing workspace, Azure Storage Account, Azure Key Vault, and Azure Container Registry. Each of these services has a private endpoints in an existing VNet.
-1. Create an Azure Kubernetes Service instance. During creation, AKS creates a VNet that contains the AKS cluster.
-1. Add a new private endpoint for the Azure Storage Account, Azure Key Vault, and Azure Container Registry used by your workspace. These private endpoints should exist in the client VNet.
-1. If you have other storage that is used by your workspace, add a new private endpoint for that storage. The private endpoint should exist in the client VNet and have private DNS zone integration enabled.
-1. Add a new private endpoint to your workspace. This private endpoint should exist in the client VNet and have private DNS zone integration enabled.
+1. Create an Azure Kubernetes Service instance. During creation, AKS creates a virtual network that contains the AKS cluster.
+1. Add a new private endpoint for the Azure Storage Account, Azure Key Vault, and Azure Container Registry used by your workspace. These private endpoints should exist in the client virtual network.
+1. If you have other storage that is used by your workspace, add a new private endpoint for that storage. The private endpoint should exist in the client virtual network and have private DNS zone integration enabled.
+1. Add a new private endpoint to your workspace. This private endpoint should exist in the client virtual network and have private DNS zone integration enabled.
 1. Attach the AKS cluster to the Azure Machine Learning workspace. For more information, see [Create and attach an Azure Kubernetes Service cluster](how-to-create-attach-kubernetes.md#attach-an-existing-aks-cluster).
 :::image type="content" source="./media/how-to-configure-private-link/multiple-private-endpoint-workspace-aks.png" alt-text="Diagram of isolated AKS VNet":::
-## Next step
+## Related content
-* For more information on securing your Azure Machine Learning workspace, see the [Virtual network isolation and privacy overview](how-to-network-security-overview.md) article.
+* [Virtual network isolation and privacy overview](how-to-network-security-overview.md)
-* If you plan on using a custom DNS solution in your virtual network, see [how to use a workspace with a custom DNS server](how-to-custom-dns.md).
+* [How to use a workspace with a custom DNS server](how-to-custom-dns.md)
 * [API platform network isolation](how-to-configure-network-isolation-with-v2.md)
diff --git a/articles/machine-learning/how-to-troubleshoot-secure-connection-workspace.md b/articles/machine-learning/how-to-troubleshoot-secure-connection-workspace.md
index 3e6ce0a6e23..a6ceed3ebca 100644
--- a/articles/machine-learning/how-to-troubleshoot-secure-connection-workspace.md
+++ b/articles/machine-learning/how-to-troubleshoot-secure-connection-workspace.md
@@ -5,16 +5,17 @@ description: 'Learn how to troubleshoot connectivity problems to a workspace tha
 services: machine-learning
 ms.service: azure-machine-learning
 ms.subservice: enterprise-readiness
-ms.topic: how-to
+ms.topic: troubleshooting
 ms.author: larryfr
 author: Blackmist
 ms.reviewer: meerakurup
-ms.date: 01/24/2024
+ms.date: 09/05/2024
+# Customer Intent: As an admin, I need to understand how to troubleshoot connectivity problems to a workspace that is configured with a private endpoint.
 ---
 # Troubleshoot private endpoint connection problems
-When you connect to an Azure Machine Learning workspace that's configured with a private endpoint, you might encounter a *403* error or a message saying that access is forbidden. This article explains how you can check for common configuration problems that cause this error.
+When you connect to an Azure Machine Learning workspace configured with a private endpoint, you might encounter a *403* error or a message saying that access is forbidden. This article explains how you can check for common configuration problems that cause this error.
 > [!TIP]
 > Before using the steps in this article, try the Azure Machine Learning workspace diagnostic API. It can help identify configuration problems with your workspace. For more information, see [How to use workspace diagnostics](how-to-workspace-diagnostic-api.md).
@@ -60,13 +61,13 @@ Use the following steps to verify if your custom DNS solution is correctly resol
 `nslookup `
- For example, running the command `nslookup 29395bb6-8bdb-4737-bf06-848a6857793f.workspace.eastus.api.azureml.ms` returns a value similar to the following text:
+ For example, running the command `nslookup a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1.workspace.eastus.api.azureml.ms` returns a value similar to the following text:
 ```output
 Server: yourdnsserver
 Address: yourdnsserver-IP-address
- Name: 29395bb6-8bdb-4737-bf06-848a6857793f.workspace.eastus.api.azureml.ms
+ Name: a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1.workspace.eastus.api.azureml.ms
 Address: 10.3.0.5
 ```
diff --git a/articles/machine-learning/media/how-to-configure-private-link/remove-private-endpoint.png b/articles/machine-learning/media/how-to-configure-private-link/remove-private-endpoint.png
index 95a1a48e3e7..72b39493ea0 100644
Binary files a/articles/machine-learning/media/how-to-configure-private-link/remove-private-endpoint.png and b/articles/machine-learning/media/how-to-configure-private-link/remove-private-endpoint.png differ
diff --git a/articles/machine-learning/media/how-to-configure-private-link/workspace-public-access-ip-ranges.png b/articles/machine-learning/media/how-to-configure-private-link/workspace-public-access-ip-ranges.png
index b27cbe2fbdc..7e204ae958b 100644
Binary files a/articles/machine-learning/media/how-to-configure-private-link/workspace-public-access-ip-ranges.png and b/articles/machine-learning/media/how-to-configure-private-link/workspace-public-access-ip-ranges.png differ
diff --git a/articles/machine-learning/media/how-to-configure-private-link/workspace-public-access.png b/articles/machine-learning/media/how-to-configure-private-link/workspace-public-access.png
index 1bc7c5c1c8c..e05431e312c 100644
Binary files a/articles/machine-learning/media/how-to-configure-private-link/workspace-public-access.png and b/articles/machine-learning/media/how-to-configure-private-link/workspace-public-access.png differ