Azure Machine Learning workspace Public Access in Networking

Question

When we specified IP addresses to restrict access from unauthorized access, we can't run a job in the AutomatedML in the Workplace, "pinnacle_ml".

"Error AzureMLCompute job failed UserError: Failed to get snapshot metadata from service. Permission was denied. Tip: Please check the compute identity for this job. Make sure the request is not blocked by a firewall, virtual network, or other security settings."

If we set Publick Network access on Networking to "Enabled from all networks" then, all jobs run fine using the same account, from the same device, and same office with the static IP address.

p.s. NSG that handles the traffic for the dataset used by Automated ML jobs are already whitelisted using nsg policy attached to the nic.

Has anyone experienced this issue? Thank you for your inputs.

Answer 1

Hello Jay Yoo ,

Thanks for reaching out in the Microsoft Q&A!

To resolve the issue with running AutomatedML jobs in the "pinnacle_ml" workspace while restricting IP addresses, ensure the compute identity associated with the job has adequate permissions. Check that the compute identity has the necessary Azure roles assigned, such as Reader access to the storage account and Contributor access on the workspace. Additionally, review Network Security Group (NSG) rules to ensure they allow traffic on relevant ports, typically port 443 for HTTPS. If using a managed identity, verify its permissions at the subscription or resource group level. Consider configuring Virtual Network (VNet) with private IP addresses and NSGs to enhance security.

If you found this solution helpful, consider accepting it.