Virtual network isolation and privacy overview

In this article, you learn how to use virtual networks (VNets) to secure network communication in Azure Machine Learning. This article uses an example scenario to show you how to configure a complete virtual network.

This article is part one of a five-part series that walks you through securing an Azure Machine Learning workflow. We highly recommend that you read through this overview article to understand the concepts first.

Here are the other articles in this series:

1. VNet overview > 2. Secure the workspace > 3. Secure the training environment > 4. Secure the inferencing environment > 5. Enable studio functionality


This article assumes that you have familiarity with the following topics:

Example scenario

In this section, you learn how a common network scenario is set up to secure Azure Machine Learning communication with private IP addresses.

The table below compares how services access different parts of an Azure Machine Learning network both with a VNet and without a VNet.

| Scenario | Workspace | Associated resources | Training compute environment | Inferencing compute environment |
|---|---|---|---|---|
| No virtual network | Public IP | Public IP | Public IP | Public IP |
| Secure resources in a virtual network | Private IP (private endpoint) | Public IP (service endpoint) - or - Private IP (private endpoint) | Private IP | Private IP |

  • Workspace - Create a private endpoint from your VNet to connect to Private Link on the workspace. The private endpoint connects the workspace to the VNet through several private IP addresses.
  • Associated resource - Use service endpoints or private endpoints to connect to workspace resources like Azure storage, Azure Key Vault, and Azure Container Services.
    • Service endpoints provide the identity of your virtual network to the Azure service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. Service endpoints use public IP addresses.
    • Private endpoints are network interfaces that securely connect you to a service powered by Azure Private Link. A private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet.
  • Training compute access - Access training compute targets like Azure Machine Learning Compute Instance and Azure Machine Learning Compute Clusters securely with private IP addresses.
  • Inferencing compute access - Access Azure Kubernetes Services (AKS) compute clusters with private IP addresses.

The next five sections show you how to secure the network scenario described above. To secure your network, you must:

  1. Secure the workspace and associated resources.
  2. Secure the training environment.
  3. Secure the inferencing environment.
  4. Optionally: enable studio functionality.
  5. Configure firewall settings.

Secure the workspace and associated resources

Use the following steps to secure your workspace and associated resources. These steps allow your services to communicate in the virtual network.

  1. Create a Private Link-enabled workspace to enable communication between your VNet and workspace.
  2. Add Azure Key Vault to the virtual network with a service endpoint or a private endpoint. Set Key Vault to "Allow trusted Microsoft services to bypass this firewall".
  3. Add your Azure storage account to the virtual network with a service endpoint or a private endpoint.
  4. Configure Azure Container Registry to use a private endpoint and enable subnet delegation in Azure Container Instances.

Architecture diagram showing how the workspace and associated resources communicate to each other over service endpoints or private endpoints inside of a VNet

For detailed instructions on how to complete these steps, see Secure an Azure Machine Learning workspace.


Securing your workspace and associated resources within a virtual network has the following limitations:

  • Using an Azure Machine Learning workspace with private link is not available in the Azure Government or Azure China 21Vianet regions.
  • All resources must be behind the same VNet. However, subnets within the same VNet are allowed.

Secure the training environment

In this section, you learn how to secure the training environment in Azure Machine Learning. You also learn how Azure Machine Learning completes a training job to understand how the network configurations work together.

To secure the training environment, use the following steps:

  1. Create an Azure Machine Learning compute instance and compute cluster in the virtual network to run the training job.
  2. Allow inbound communication from Azure Batch Service so that Batch Service can submit jobs to your compute resources.

Architecture diagram showing how to secure managed compute clusters and instances

For detailed instructions on how to complete these steps, see Secure a training environment.

Example training job submission

In this section, you learn how Azure Machine Learning securely communicates between services to submit a training job. This shows you how all your configurations work together to secure communication.

  1. The client uploads training scripts and training data to storage accounts that are secured with a service or private endpoint.

  2. The client submits a training job to the Azure Machine Learning workspace through the private endpoint.

  3. Azure Batch service receives the job from the workspace and submits the training job to the compute environment through the public load balancer that's provisioned with the compute resource.

  4. The compute resource receives the job and begins training. The compute resource accesses secure storage accounts to download training files and upload output.

Architecture diagram showing how an Azure Machine Learning training job gets submitted while using a VNet


  • Azure Compute Instance and Azure Compute Clusters must be in the same VNet, region, and subscription as the workspace and its associated resources.

Secure the inferencing environment

In this section, you learn the options available for securing an inferencing environment. We recommend that you use Azure Kubernetes Services (AKS) clusters for high-scale, production deployments.

You have two options for AKS clusters in a virtual network:

  • Deploy or attach a default AKS cluster to your VNet.
  • Attach a private AKS cluster to your VNet.

Default AKS clusters have a control plane with public IP addresses. You can add a default AKS cluster to your VNet during the deployment or attach a cluster after it's created.

Private AKS clusters have a control plane that can only be accessed through private IPs. Private AKS clusters must be attached after the cluster is created.

For detailed instructions on how to add default and private clusters, see Secure an inferencing environment.

The following network diagram shows a secured Azure Machine Learning workspace with a private AKS cluster attached to the virtual network.

Architecture diagram showing how to attach a private AKS cluster to the virtual network. The AKS control plane is placed outside of the customer VNet


  • AKS clusters must belong to the same VNet as the workspace and its associated resources.
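
The comparison table and the same-VNet, region, and subscription limitations from the sections above can be checked mechanically against a resource inventory. The following is an added example, not code from Azure Machine Learning or its documentation; the record schema, the `vnet_compute` label, the VNet name and address space, and every sample resource are constructed assumptions.

```python
import ipaddress

# Constructed values: the VNet name and address space are assumptions.
VNET = {"name": "ml-vnet", "cidr": "10.0.0.0/16"}

# Connection types the article's table allows per role in the secured scenario.
# "vnet_compute" is a label made up here for compute created in or attached to the VNet.
ALLOWED = {
    "workspace": {"private_endpoint"},
    "associated": {"service_endpoint", "private_endpoint"},
    "training": {"vnet_compute"},
    "inferencing": {"vnet_compute"},
}

def res(name, role, connection, ip, vnet="ml-vnet", region="eastus", subscription="sub-a"):
    """Build one inventory record (hypothetical schema)."""
    return dict(name=name, role=role, connection=connection, ip=ip,
                vnet=vnet, region=region, subscription=subscription)

def audit(resources, vnet=VNET):
    """Return (resource name, finding) pairs for every rule a resource breaks."""
    net = ipaddress.ip_network(vnet["cidr"])
    ws = next(r for r in resources if r["role"] == "workspace")
    findings = []
    for r in resources:
        issues = []
        if r["connection"] not in ALLOWED[r["role"]]:
            issues.append(f"connection '{r['connection']}' not allowed for {r['role']}")
        if r["vnet"] != vnet["name"]:
            issues.append("not behind the same VNet as the workspace")
        # Service endpoints keep a public IP; every other allowed type needs a VNet address.
        elif r["connection"] != "service_endpoint" and ipaddress.ip_address(r["ip"]) not in net:
            issues.append("address is not a private IP from the VNet")
        if r["role"] == "training" and (r["region"], r["subscription"]) != (ws["region"], ws["subscription"]):
            issues.append("region or subscription differs from the workspace")
        findings += [(r["name"], i) for i in issues]
    return findings

# Constructed sample inventory; 203.0.113.0/24 is a documentation range.
SAMPLE = [
    res("ws", "workspace", "private_endpoint", "10.0.1.4"),
    res("kv", "associated", "service_endpoint", "203.0.113.10"),
    res("storage", "associated", "public", "203.0.113.20", vnet=None),
    res("acr", "associated", "private_endpoint", "203.0.113.30"),
    res("cluster", "training", "vnet_compute", "10.0.2.5", region="westus"),
    res("aks", "inferencing", "vnet_compute", "10.1.3.7", vnet="other-vnet"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The address check uses membership in the VNet address space rather than `ipaddress.is_private`, because Python treats documentation ranges such as 203.0.113.0/24 as private.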

Optional: enable studio functionality

If your storage is in a VNet, you must first perform additional configuration steps to enable full functionality in the studio. By default, the following features are disabled:

  • Preview data in the studio.
  • Visualize data in the designer.
  • Deploy a model in the designer.
  • Submit an AutoML experiment.
  • Start a labeling project.

To enable full studio functionality while inside of a VNet, see Use Azure Machine Learning studio in a virtual network. The studio supports storage accounts using either service endpoints or private endpoints.


ML-assisted data labeling does not support default storage accounts secured behind a virtual network. You must use a non-default storage account for ML-assisted data labeling. Note that the non-default storage account can be secured behind the virtual network.

Configure firewall settings

Configure your firewall to control access to your Azure Machine Learning workspace resources and the public internet. While we recommend Azure Firewall, you should be able to use other firewall products to secure your network. If you have questions about how to allow communication through your firewall, please consult the documentation for the firewall you are using.

For more information on firewall settings, see Use workspace behind a Firewall.

Custom DNS

If you need to use a custom DNS solution for your virtual network, you must add host records for your workspace.

For more information on the required domain names and IP addresses, see how to use a workspace with a custom DNS server.

Next steps

This article is part one of a four-part virtual network series. See the rest of the articles to learn how to secure a virtual network: