Secure an Azure Machine Learning training environment with virtual networks

In this article, you learn how to secure training environments with a virtual network in Azure Machine Learning.

This article is part three of a five-part series that walks you through securing an Azure Machine Learning workflow. We highly recommend that you read through Part one: VNet overview to understand the overall architecture first.

See the other articles in this series:

1. VNet overview > 2. Secure the workspace > 3. Secure the training environment > 4. Secure the inferencing environment > 5. Enable studio functionality

In this article, you learn how to secure the following training compute resources in a virtual network:

  • Azure Machine Learning compute cluster
  • Azure Machine Learning compute instance
  • Azure Databricks
  • Virtual Machine
  • HDInsight cluster

Prerequisites

  • Read the Network security overview article to understand common virtual network scenarios and the overall virtual network architecture.

  • An existing virtual network and subnet to use with your compute resources.

  • To deploy resources into a virtual network or subnet, your user account must have permissions for the following actions in Azure role-based access control (Azure RBAC):

    • "Microsoft.Network/virtualNetworks/*/read" on the virtual network resource.
    • "Microsoft.Network/virtualNetworks/subnet/join/action" on the subnet resource.

    For more information on Azure RBAC with networking, see the Networking built-in roles.

Compute clusters & instances

To use either a managed Azure Machine Learning compute target or an Azure Machine Learning compute instance in a virtual network, the following network requirements must be met:

  • The virtual network must be in the same subscription and region as the Azure Machine Learning workspace.
  • The subnet specified for the compute instance or cluster must have enough unassigned IP addresses to accommodate the number of VMs that are targeted. If the subnet doesn't have enough unassigned IP addresses, a compute cluster will be only partially allocated.
  • Check whether your security policies or locks on the virtual network's subscription or resource group restrict permissions to manage the virtual network. If you plan to secure the virtual network by restricting traffic, leave some ports open for the compute service. For more information, see the Required ports section.
  • If you're going to put multiple compute instances or clusters in one virtual network, you might need to request a quota increase for one or more of your resources.
  • If the Azure Storage account(s) for the workspace are also secured in a virtual network, they must be in the same virtual network and subnet as the Azure Machine Learning compute instance or cluster. Configure your storage firewall settings to allow communication from the virtual network and subnet the compute resides in. Note that selecting the "Allow trusted Microsoft services to access this account" checkbox is not sufficient to allow communication from the compute.
  • For compute instance Jupyter functionality to work, ensure that web socket communication is not disabled. Ensure your network allows websocket connections to *.instances.azureml.net and *.instances.azureml.ms.
  • When a compute instance is deployed in a private link workspace, it can only be accessed from within the virtual network. If you are using a custom DNS or hosts file, add an entry for <instance-name>.<region>.instances.azureml.ms with the private IP address of the workspace private endpoint. For more information, see the custom DNS article.
  • The subnet used to deploy the compute cluster/instance should not be delegated to any other service, such as ACI.
  • Virtual network service endpoint policies do not work for compute cluster/instance system storage accounts.

Tip

The Machine Learning compute instance or cluster automatically allocates additional networking resources in the resource group that contains the virtual network. For each compute instance or cluster, the service allocates the following resources:

  • One network security group
  • One public IP address. If you have an Azure policy prohibiting public IP creation, deployment of the cluster/instance will fail.
  • One load balancer

In the case of clusters, these resources are deleted (and recreated) every time the cluster scales down to 0 nodes; for an instance, however, the resources are held until the instance is completely deleted (stopping does not remove the resources). These resources are limited by the subscription's resource quotas. If the virtual network resource group is locked, deletion of the compute cluster/instance will fail. The load balancer cannot be deleted until the compute cluster/instance is deleted. Also ensure there is no Azure policy that prohibits creation of network security groups.

Required ports

If you plan on securing the virtual network by restricting network traffic to/from the public internet, you must allow inbound communications from the Azure Batch service.

The Batch service adds network security groups (NSGs) at the level of the network interfaces (NICs) that are attached to VMs. These NSGs automatically configure inbound and outbound rules to allow the following traffic:

  • Inbound TCP traffic on ports 29876 and 29877 from the BatchNodeManagement service tag. Traffic over these ports is encrypted and is used by Azure Batch for scheduler/node communication.

    Inbound rules using the BatchNodeManagement service tag

  • (Optional) Inbound TCP traffic on port 22 to permit remote access. Use this port only if you want to connect by using SSH on the public IP.

  • Outbound traffic on any port to the virtual network.

  • Outbound traffic on any port to the internet.

  • For compute instances, inbound TCP traffic on port 44224 from the AzureMachineLearning service tag. Traffic over this port is encrypted and is used by Azure Machine Learning for communication with applications running on compute instances.

Important

Exercise caution if you modify or add inbound or outbound rules in Batch-configured NSGs. If an NSG blocks communication to the compute nodes, the compute service sets the state of the compute nodes to unusable.

You don't need to specify NSGs at the subnet level, because the Azure Batch service configures its own NSGs. However, if the subnet that contains the Azure Machine Learning compute has associated NSGs or a firewall, you must also allow the traffic listed earlier.

The NSG rule configuration in the Azure portal is shown in the following images:

Inbound NSG rules for Machine Learning Compute

Limit outbound connectivity from the virtual network

If you don't want to use the default outbound rules and you do want to limit the outbound access of your virtual network, use the following steps:

  • Deny outbound internet connections by using the NSG rules.

  • For a compute instance or a compute cluster, limit outbound traffic to the following items:

    • Azure Storage, by using the Storage.RegionName service tag, where RegionName is the name of an Azure region.
    • Azure Container Registry, by using the AzureContainerRegistry.RegionName service tag, where RegionName is the name of an Azure region.
    • Azure Machine Learning, by using the AzureMachineLearning service tag.
    • Azure Resource Manager, by using the AzureResourceManager service tag.
    • Azure Active Directory, by using the AzureActiveDirectory service tag.

The NSG rule configuration in the Azure portal is shown in the following image:

The outbound NSG rules for Machine Learning Compute

Note

If you plan on using the default Docker images provided by Microsoft and enabling user-managed dependencies, you must also allow the following service tags:

  • MicrosoftContainerRegistry
  • AzureFrontDoor.FirstParty

This configuration is needed when you have code similar to the following snippets as part of your training scripts:

RunConfig training

from azureml.core.runconfig import RunConfiguration, DEFAULT_CPU_IMAGE

# create a new runconfig object
run_config = RunConfiguration()

# configure Docker
run_config.environment.docker.enabled = True
# For GPU, use DEFAULT_GPU_IMAGE (also in azureml.core.runconfig)
run_config.environment.docker.base_image = DEFAULT_CPU_IMAGE
# user-managed dependencies: the default Microsoft image is pulled as-is,
# which is why MicrosoftContainerRegistry and AzureFrontDoor.FirstParty must be reachable
run_config.environment.python.user_managed_dependencies = True

Estimator training

from azureml.train.estimator import Estimator

# 'exp' (an azureml.core.Experiment) and 'script_params' (dict of script arguments)
# are assumed to have been defined earlier in the script
est = Estimator(source_directory='.',
                script_params=script_params,
                compute_target='local',
                entry_script='dummy_train.py',
                user_managed=True)
run = exp.submit(est)

Forced tunneling

If you're using forced tunneling with Azure Machine Learning compute, you must allow communication with the public internet from the subnet that contains the compute resource. This communication is used for task scheduling and for accessing Azure Storage.

There are two ways that you can accomplish this:

  • Use a Virtual Network NAT. A NAT gateway provides outbound internet connectivity for one or more subnets in your virtual network. For information, see Designing virtual networks with NAT gateway resources.

  • Add user-defined routes (UDRs) to the subnet that contains the compute resource. Establish a UDR for each IP address that's used by the Azure Batch service in the region where your resources exist. These UDRs enable the Batch service to communicate with compute nodes for task scheduling. Also add the IP address for the Azure Machine Learning service, as this is required for access to compute instances. When adding the IP for the Azure Machine Learning service, you must add the IP for both the primary and secondary Azure regions. The primary region is the one where your workspace is located.

    To find the secondary region, see Ensure business continuity & disaster recovery using Azure Paired Regions. For example, if your Azure Machine Learning service is in East US 2, the secondary region is Central US.

    To get a list of IP addresses of the Batch service and Azure Machine Learning service, use one of the following methods:

    • Download the Azure IP Ranges and Service Tags file and search it for BatchNodeManagement.<region> and AzureMachineLearning.<region>, where <region> is your Azure region.

    • Use the Azure CLI to download the information. The following example downloads the IP address information and filters out the information for the East US 2 region (primary) and the Central US region (secondary):

      # Get Batch service IPs for the primary region
      az network list-service-tags -l "East US 2" --query "values[?starts_with(id, 'Batch')] | [?properties.region=='eastus2']"
      # Get primary region IPs
      az network list-service-tags -l "East US 2" --query "values[?starts_with(id, 'AzureMachineLearning')] | [?properties.region=='eastus2']"
      # Get secondary region IPs
      az network list-service-tags -l "Central US" --query "values[?starts_with(id, 'AzureMachineLearning')] | [?properties.region=='centralus']"

      Tip

      If you are using the US-Virginia, US-Arizona, or China-East-2 regions, these commands return no IP addresses. Instead, use one of the following links to download a list of IP addresses:

    When you add the UDRs, define the route for each related Batch IP address prefix and set Next hop type to Internet. The following image shows an example of this UDR in the Azure portal:

    Example UDR for an address prefix

    Important

    The IP addresses may change over time.

    In addition to any UDRs that you define, outbound traffic to Azure Storage must be allowed through your on-premises network appliance. Specifically, the URLs for this traffic are in the following forms: <account>.table.core.windows.net, <account>.queue.core.windows.net, and <account>.blob.core.windows.net.

    For more information, see Create an Azure Batch pool in a virtual network.
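The UDR procedure above turns a service-tag lookup into one route per address prefix with next hop Internet. The following added example (not code from the Microsoft article or the Azure CLI) does that end to end: it reads the JSON shape that az network list-service-tags and the downloadable Service Tags file share (values[].id and values[].properties.region / addressPrefixes), applies the same filter as the article's JMESPath queries, and emits the route list plus the az network route-table route create commands that would install it. The SAMPLE_SERVICE_TAGS document is constructed for the example and uses RFC 5737 documentation ranges rather than real Azure prefixes; the resource group and route table names passed to render_az_commands are placeholders supplied by the caller.

```python
"""Build user-defined routes (UDRs) for forced tunneling from a service-tag file.

Added example, not part of the Microsoft article. Input is the JSON shape
produced by `az network list-service-tags` or the Azure IP Ranges and
Service Tags download; output is one route per prefix, next hop Internet.
"""
import json

# Constructed sample in the shape of the service-tag file. The address
# prefixes are RFC 5737 documentation ranges, NOT real Azure addresses.
SAMPLE_SERVICE_TAGS = json.dumps({
    "cloud": "Public",
    "values": [
        {"id": "BatchNodeManagement.EastUS2",
         "properties": {"region": "eastus2",
                        "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25"]}},
        {"id": "AzureMachineLearning.EastUS2",
         "properties": {"region": "eastus2",
                        "addressPrefixes": ["198.51.100.0/24"]}},
        {"id": "AzureMachineLearning.CentralUS",
         "properties": {"region": "centralus",
                        "addressPrefixes": ["203.0.113.0/24"]}},
        # A tag that must NOT end up in the route table.
        {"id": "Storage.EastUS2",
         "properties": {"region": "eastus2",
                        "addressPrefixes": ["203.0.113.64/26"]}},
    ],
})


def select_prefixes(service_tags_json, tag_prefix, region):
    """Address prefixes of every tag whose id starts with tag_prefix in the
    given region; mirrors the article's JMESPath filter
    values[?starts_with(id, '<prefix>')] | [?properties.region=='<region>']."""
    doc = json.loads(service_tags_json)
    prefixes = []
    for tag in doc.get("values", []):
        props = tag.get("properties", {})
        if tag.get("id", "").startswith(tag_prefix) and props.get("region") == region:
            prefixes.extend(props.get("addressPrefixes", []))
    return prefixes


def build_udrs(service_tags_json, primary_region, secondary_region):
    """One route per prefix with next hop Internet: Batch IPs for the primary
    region, Azure Machine Learning IPs for the primary and secondary regions."""
    wanted = [
        ("BatchNodeManagement", primary_region),
        ("AzureMachineLearning", primary_region),
        ("AzureMachineLearning", secondary_region),
    ]
    routes, seen = [], set()
    for tag_prefix, region in wanted:
        for prefix in select_prefixes(service_tags_json, tag_prefix, region):
            if prefix in seen:  # the same prefix can be listed under several tags
                continue
            seen.add(prefix)
            # Route names allow letters, digits, '_', '.', '-'; encode the CIDR safely.
            safe = prefix.replace("/", "_").replace(".", "-")
            routes.append({
                "name": f"{tag_prefix}-{region}-{safe}",
                "addressPrefix": prefix,
                "nextHopType": "Internet",
            })
    return routes


def render_az_commands(routes, resource_group, route_table):
    """Render one `az network route-table route create` call per route.
    resource_group and route_table are placeholders chosen by the caller."""
    return [
        f"az network route-table route create -g {resource_group} "
        f"--route-table-name {route_table} -n {r['name']} "
        f"--address-prefix {r['addressPrefix']} --next-hop-type {r['nextHopType']}"
        for r in routes
    ]


if __name__ == "__main__":
    for cmd in render_az_commands(build_udrs(SAMPLE_SERVICE_TAGS, "eastus2", "centralus"),
                                  "<resource-group>", "<route-table>"):
        print(cmd)
```

Because the article notes that these IP addresses may change over time, the practical pattern is to re-run this generation against a freshly downloaded service-tag file and diff the resulting route list against the route table currently attached to the compute subnet, rather than editing routes by hand.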

Create a compute cluster in a virtual network

To create a Machine Learning Compute cluster, use the following steps:

  1. Sign in to Azure Machine Learning studio, and then select your subscription and workspace.

  2. Select Compute on the left.

  3. Select Training clusters from the center, and then select +.

  4. In the New Training Cluster dialog, expand the Advanced settings section.

  5. To configure this compute resource to use a virtual network, perform the following actions in the Configure virtual network section:

    1. In the Resource group drop-down list, select the resource group that contains the virtual network.
    2. In the Virtual network drop-down list, select the virtual network that contains the subnet.
    3. In the Subnet drop-down list, select the subnet to use.

    The virtual network settings for Machine Learning Compute

You can also create a Machine Learning Compute cluster by using the Azure Machine Learning SDK. The following code creates a new Machine Learning Compute cluster in the default subnet of a virtual network named mynetwork:

from azureml.core import Workspace
from azureml.core.compute import ComputeTarget, AmlCompute
from azureml.core.compute_target import ComputeTargetException

# Load the workspace from the config.json downloaded from the portal
ws = Workspace.from_config()

# The Azure virtual network name, subnet, and resource group
vnet_name = 'mynetwork'
subnet_name = 'default'
vnet_resourcegroup_name = 'mygroup'

# Choose a name for your CPU cluster
cpu_cluster_name = "cpucluster"

# Verify that the cluster does not exist already
try:
    cpu_cluster = ComputeTarget(workspace=ws, name=cpu_cluster_name)
    print("Found existing cpucluster")
except ComputeTargetException:
    print("Creating new cpucluster")

    # Specify the configuration for the new cluster, including the subnet it is placed in
    compute_config = AmlCompute.provisioning_configuration(vm_size="STANDARD_D2_V2",
                                                           min_nodes=0,
                                                           max_nodes=4,
                                                           vnet_resourcegroup_name=vnet_resourcegroup_name,
                                                           vnet_name=vnet_name,
                                                           subnet_name=subnet_name)

    # Create the cluster with the specified name and configuration
    cpu_cluster = ComputeTarget.create(ws, cpu_cluster_name, compute_config)

    # Wait for the cluster to be completed, show the output log
    cpu_cluster.wait_for_completion(show_output=True)

When the creation process finishes, you train your model by using the cluster in an experiment. For more information, see Select and use a compute target for training.

Note

You may choose to use low-priority VMs to run some or all of your workloads. See how to create a low-priority VM.

Access data in a compute instance notebook

If you're using notebooks on an Azure compute instance, you must ensure that your notebook is running on a compute resource behind the same virtual network and subnet as your data.

You must configure your compute instance to be in the same virtual network during creation, under Advanced settings > Configure virtual network. You cannot add an existing compute instance to a virtual network.

Azure Databricks

To use Azure Databricks in a virtual network with your workspace, the following requirements must be met:

  • The virtual network must be in the same subscription and region as the Azure Machine Learning workspace.
  • If the Azure Storage account(s) for the workspace are also secured in a virtual network, they must be in the same virtual network as the Azure Databricks cluster.
  • In addition to the databricks-private and databricks-public subnets used by Azure Databricks, the default subnet created for the virtual network is also required.

For specific information on using Azure Databricks with a virtual network, see Deploy Azure Databricks in your Azure Virtual Network.

Virtual machine or HDInsight cluster

Important

Azure Machine Learning supports only virtual machines that are running Ubuntu.

In this section, you learn how to use a virtual machine or Azure HDInsight cluster in a virtual network with your workspace.

Create the VM or HDInsight cluster

Create a VM or HDInsight cluster by using the Azure portal or the Azure CLI, and put the cluster in an Azure virtual network. For more information, see the following articles:

Configure network ports

To allow Azure Machine Learning to communicate with the SSH port on the VM or cluster, configure a source entry for the network security group. The SSH port is usually port 22. To allow traffic from this source, do the following actions:

  1. In the Source drop-down list, select Service Tag.

  2. In the Source service tag drop-down list, select AzureMachineLearning.

    Inbound rules for experimenting on a VM or HDInsight cluster inside a virtual network

  3. In the Source port ranges drop-down list, select *.

  4. In the Destination drop-down list, select Any.

  5. In the Destination port ranges drop-down list, select 22.

  6. Under Protocol, select Any.

  7. Under Action, select Allow.

Keep the default outbound rules for the network security group. For more information, see the default security rules in Security groups.

If you don't want to use the default outbound rules and you do want to limit the outbound access of your virtual network, see the Limit outbound connectivity from the virtual network section.
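The Required ports, Limit outbound connectivity and Configure network ports sections together define a small set of flows that a subnet NSG must not block: inbound TCP 29876-29877 from BatchNodeManagement, inbound TCP 44224 from AzureMachineLearning for compute instances, outbound traffic to the listed service tags (plus MicrosoftContainerRegistry and AzureFrontDoor.FirstParty when user-managed dependencies are used), and inbound TCP 22 from AzureMachineLearning for an attached VM or HDInsight cluster. The following added example (not code from the Microsoft article or any Azure SDK) audits a rule set against that list: it models NSG evaluation the way the platform does it (lowest priority number wins, then the built-in default rules) using service tags as addresses, and reports each required flow that would be denied together with the rule responsible. SAMPLE_NSG is a constructed rule set for an East US 2 compute subnet that follows the limited-outbound pattern but omits the compute-instance port; the rule names in it, the helper functions, and the use of port 443 to stand in for "any port" on outbound flows are all assumptions of the example.

```python
"""Audit a subnet NSG for the flows Azure Machine Learning compute needs.

Added example, not part of the Microsoft article or of any Azure SDK: it
models NSG evaluation (lowest priority number wins, then the platform
default rules) over a constructed rule set and reports which of the flows
required by the Required ports, Limit outbound connectivity and Configure
network ports sections would be denied. Addresses are service tags only.
"""


def rule(name, priority, direction, access, protocol, source, destination, dest_ports):
    """One NSG rule as a dict; dest_ports is '*', '22', '29876-29877' or a comma list."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "source": source, "destination": destination,
            "dest_ports": dest_ports}


# Azure's built-in default rules; they sit below every custom rule.
DEFAULT_RULES = [
    rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed sample NSG for a compute subnet in East US 2: limited outbound as
# in the article, but the compute-instance port 44224 was never added.
SAMPLE_NSG = [
    rule("AllowBatchNodeManagement", 100, "Inbound", "Allow", "TCP", "BatchNodeManagement", "*", "29876-29877"),
    rule("AllowStorage", 100, "Outbound", "Allow", "*", "*", "Storage.EastUS2", "*"),
    rule("AllowACR", 110, "Outbound", "Allow", "*", "*", "AzureContainerRegistry.EastUS2", "*"),
    rule("AllowAML", 120, "Outbound", "Allow", "*", "*", "AzureMachineLearning", "*"),
    rule("AllowARM", 130, "Outbound", "Allow", "*", "*", "AzureResourceManager", "*"),
    rule("AllowAAD", 140, "Outbound", "Allow", "*", "*", "AzureActiveDirectory", "*"),
    rule("DenyInternet", 4000, "Outbound", "Deny", "*", "*", "Internet", "*"),
]


def port_matches(spec, port):
    """True if port falls inside the rule's destination port spec."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def addr_matches(rule_addr, tag):
    """Service-tag match: '*', the exact tag, a global tag covering a regional
    one (Storage covers Storage.EastUS2), or Internet covering any public tag."""
    if rule_addr in ("*", tag) or tag.startswith(rule_addr + "."):
        return True
    return rule_addr == "Internet" and tag != "VirtualNetwork"


def evaluate(rules, flow):
    """(access, rule_name) of the first matching rule in priority order;
    custom rules are consulted before DEFAULT_RULES."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r["priority"]):
        if r["direction"] != flow["direction"] or r["protocol"] not in ("*", flow["protocol"]):
            continue
        if (addr_matches(r["source"], flow["source"]) and addr_matches(r["destination"], flow["destination"])
                and port_matches(r["dest_ports"], flow["dest_port"])):
            return r["access"], r["name"]
    return "Deny", "<no rule>"  # not reached: the default rules always match


def required_flows(region, compute_instance=True, user_managed_dependencies=False, attached_vm=False):
    """Flows the article requires; the compute subnet is the VirtualNetwork side
    and 443 stands in for 'any port' on outbound flows."""
    keys = ("direction", "protocol", "source", "destination", "dest_port")
    flows = [("Inbound", "TCP", "BatchNodeManagement", "VirtualNetwork", p) for p in (29876, 29877)]
    if compute_instance:
        flows.append(("Inbound", "TCP", "AzureMachineLearning", "VirtualNetwork", 44224))
    tags = [f"Storage.{region}", f"AzureContainerRegistry.{region}", "AzureMachineLearning",
            "AzureResourceManager", "AzureActiveDirectory"]
    if user_managed_dependencies:  # default Microsoft Docker images + user-managed dependencies
        tags += ["MicrosoftContainerRegistry", "AzureFrontDoor.FirstParty"]
    flows += [("Outbound", "TCP", "VirtualNetwork", t, 443) for t in tags]
    if attached_vm:  # SSH from the AzureMachineLearning tag to an attached VM / HDInsight cluster
        flows.append(("Inbound", "TCP", "AzureMachineLearning", "VirtualNetwork", 22))
    return [dict(zip(keys, f)) for f in flows]


def blocked_flows(rules, flows):
    """Required flows the NSG would deny: (direction, source, destination, port, rule)."""
    report = []
    for f in flows:
        access, name = evaluate(rules, f)
        if access != "Allow":
            report.append((f["direction"], f["source"], f["destination"], f["dest_port"], name))
    return report


if __name__ == "__main__":
    needed = required_flows("EastUS2", compute_instance=True, user_managed_dependencies=True, attached_vm=True)
    for entry in blocked_flows(SAMPLE_NSG, needed):
        print("BLOCKED:", entry)
```

Run against the sample, the audit flags port 44224 and port 22 (denied by the default DenyAllInBound, because no custom inbound rule covers them) and the two container-image tags (denied by the custom DenyInternet rule), which is exactly the state the article warns about: the Batch-managed NSGs on the NICs are fine, but a subnet-level NSG that restricts traffic must re-allow the same flows.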

Attach the VM or HDInsight cluster

Attach the VM or HDInsight cluster to your Azure Machine Learning workspace. For more information, see Set up compute targets for model training.

Next steps

This article is part three of a five-part virtual network series. See the rest of the articles to learn how to secure a virtual network:

Also see the article on using custom DNS for name resolution.