|
| 1 | +--- |
| 2 | +title: Use Model Catalog collections with workspace managed virtual network |
| 3 | +titleSuffix: Azure Machine Learning |
| 4 | +description: Learn how to use the Model Catalog in an isolated network. |
| 5 | +services: machine-learning |
| 6 | +ms.service: machine-learning |
| 7 | +ms.subservice: training |
| 8 | +ms.topic: how-to |
| 9 | +author: tinaem |
| 10 | +ms.author: timanghn |
| 11 | +ms.reviewer: ssalgadodev |
| 12 | +ms.date: 12/15/2023 |
| 13 | +--- |
| 14 | + |
| 15 | +# Use Model Catalog collections with workspace managed virtual network |
| 16 | + |
| 17 | +In this article, you learn how you can use the various collections in the Model Catalog within an isolated network. |
| 18 | + |
| 19 | +Workspace [managed virtual network](./how-to-network-isolation-planning.md) is the recommended way to support network isolation with the Model Catalog. It provides easily configuration to secure your workspace. After you enable managed virtual network in the workspace level, resources related to workspace in the same virtual network, will use the same network setting in the workspace level. You can also configure the workspace to use private endpoint to access other Azure resources such as Azure OpenAI. Furthermore, you can configure FQDN rule to approve outbound to non-Azure resources, whose relevance you learn in the rest of this article. See [how to Workspace managed network isolation](./how-to-managed-network.md) to enable workspace managed virtual network. |
| 20 | + |
| 21 | +The creation of the managed virtual network is deferred until a compute resource is created or provisioning is manually started. You can use following command to manually trigger network provisioning. |
| 22 | +```bash |
| 23 | +az ml workspace provision-network --subscription <sub_id> -g <resource_group_name> -n <workspace_name> |
| 24 | +``` |
| 25 | + |
| 26 | +## Workspace managed virtual network to allow internet outbound |
| 27 | + |
| 28 | +1. Configure a workspace with managed virtual network to allow internet outbound by following the steps listed [here](./how-to-managed-network.md#configure-a-managed-virtual-network-to-allow-internet-outbound). |
| 29 | +2. If you choose to set the public network access to the workspace to disabled, you can connect to the workspace using one of the following methods: |
| 30 | + |
| 31 | + * [Azure VPN gateway](/azure/vpn-gateway/vpn-gateway-about-vpngateways) - Connects on-premises networks to the virtual network over a private connection. Connection is made over the public internet. There are two types of VPN gateways that you might use: |
| 32 | + |
| 33 | + * [Point-to-site](/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal): Each client computer uses a VPN client to connect to the virtual network. |
| 34 | + * [Site-to-site](/azure/vpn-gateway/tutorial-site-to-site-portal): A VPN device connects the virtual network to your on-premises network. |
| 35 | + |
| 36 | + * [ExpressRoute](https://azure.microsoft.com/products/expressroute/) - Connects on-premises networks into the cloud over a private connection. Connection is made using a connectivity provider. |
| 37 | + |
| 38 | + * [Azure Bastion](/azure/bastion/bastion-overview) - In this scenario, you create an Azure Virtual Machine (sometimes called a jump box) inside the virtual network. You then connect to the VM using Azure Bastion. Bastion allows you to connect to the VM using either an RDP or SSH session from your local web browser. You then use the jump box as your development environment. Since it is inside the virtual network, it can directly access the workspace. |
| 39 | +3. Since the workspace managed virtual network can access internet in this configuration, you can work with all the Collections in the Model Catalog from within the workspace. |
| 40 | + |
| 41 | +## Workspace managed virtual network to allow only approved outbound |
| 42 | + |
| 43 | +1. Configure a workspace with managed virtual network to allow only approved outbound by following the steps listed [here](./how-to-managed-network.md#configure-a-managed-virtual-network-to-allow-only-approved-outbound). |
| 44 | +2. If you choose to set the public network access to the workspace to disabled, you can connect to the workspace using one of the methods as listed in Scenario 1. |
| 45 | + |
| 46 | + |
| 47 | +## Work with open source models curated by Azure Machine Learning |
| 48 | + |
| 49 | +Workspace managed virtual network to allow only approved outbound uses a Service Endpoint Policy to Azure Machine managed storage accounts, to help access the models in the collections curated by Azure Machine Learning in an out-of-the-box manner. This mode of workspace configuration also has default outbound to Microsoft Container Registry where the docker image used to deploy the models is present. |
| 50 | + |
| 51 | +### Language models in 'Curated by Azure AI' collection |
| 52 | + |
| 53 | +Today, these models involve dynamic installation of dependencies at runtime. Therefore, users should add user defined outbound rules for the following FQDNs at the workspace level: |
| 54 | + |
| 55 | + * `*.anaconda.org` |
| 56 | + * `*.anaconda.com` |
| 57 | + * `anaconda.com` |
| 58 | + * `pypi.org` |
| 59 | + * `*.pythonhosted.org` |
| 60 | + * `*.pytorch.org` |
| 61 | + * `pytorch.org` |
| 62 | + |
| 63 | +> [!WARNING] |
| 64 | +> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](./how-to-managed-network.md#pricing). |
| 65 | + |
| 66 | +### Meta collection |
| 67 | + |
| 68 | +Users can work with this collection in network isolated workspaces with no other user defined outbound rules required. |
| 69 | + |
| 70 | +> [!NOTE] |
| 71 | +> New curated collections are added to the Model Catalog frequently. We will update this documentation to reflect the support in private networks for various collections. |
| 72 | +
|
| 73 | +## Work with Hugging Face collection |
| 74 | + |
| 75 | +The model weights aren't hosted on Azure if you're using the Hugging Face registry. The model weights are downloaded directly from Hugging Face hub to the online endpoints in your workspace during deployment. |
| 76 | +Users need to add the following outbound FQDNs rules for Hugging Face Hub, Docker Hub and their CDNs to allow traffic to the following hosts: |
| 77 | + |
| 78 | + * `docker.io` |
| 79 | + * `huggingface.co` |
| 80 | + * `production.cloudflare.docker.com` |
| 81 | + * `cdn-lfs.huggingface.co` |
| 82 | + * `cdn.auth0.com` |
| 83 | + |
| 84 | +## Next steps |
| 85 | + |
| 86 | +* Learn how-to [troubleshoot managed virtual network](./how-to-troubleshoot-managed-network.md) |
| 87 | + |
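Review bot: line 44 ("using one of the methods as listed in Scenario 1") points at a section that is never labelled "Scenario 1"; the connection methods live under the heading "Workspace managed virtual network to allow internet outbound", so either number the two scenario headings or change the sentence to "using one of the methods listed in the previous section". The added prose also needs a pass for typos that will ship as-is: line 19 "It provides easily configuration" should read "It provides easy configuration", "configure FQDN rule to approve outbound" should read "configure FQDN rules to allow outbound"; line 21 "use following command" should read "use the following command"; line 49 "Azure Machine managed storage accounts" is missing "Learning"; line 76 "outbound FQDNs rules" should read "outbound FQDN rules". On the FQDN lists themselves (lines 55-61 and 78-82), the wildcard entries such as `*.anaconda.org` and `*.pythonhosted.org` allow outbound to every host under those domains, which is broader than the "only approved outbound" heading suggests; it would help readers to state that these rules should only be added for the collections actually in use, and that the Azure Firewall cost warning on lines 63-64 applies equally to the Hugging Face list, which currently has no such callout.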