Private Endpoint for Azure Machine Learning Workspace

Question

Pulumi · Accepted Answer

To create a private endpoint for an Azure Machine Learning workspace in Pulumi, you'll need to use the `azure-native.machinelearningservices.Workspace` resource to create the workspace. Then, you will use the `azure-native.network.PrivateEndpoint` resource to create a private endpoint that connects to that workspace. This setup ensures that your communication between Azure resources and the Azure Machine Learning workspace is over a private network.

Here's how you would create this setup with Pulumi:

1. First, you set up the Azure Machine Learning workspace using the `azure-native.machinelearningservices.Workspace` resource.
2. Then, you create a subnet in your Azure Virtual Network with private endpoint network policies disabled.
3. Finally, you create the Private Endpoint using the `azure-native.network.PrivateEndpoint` resource, pointing it to the subnet and the Machine Learning workspace.

The `azure-native.machinelearningservices.Workspace` resource establishes an Azure Machine Learning service in your cloud environment. You can configure its compute instances, storage, and other features.

The `azure-native.network.PrivateEndpoint` resource allows you to secure the communication between your services by keeping it within Azure's network, making it so that it is not accessible from the public internet.

Below you will find a Pulumi program written in Python that performs these tasks:

```python
import pulumi
from pulumi_azure_native import network as azure_network
from pulumi_azure_native import machinelearningservices as azure_ml

# Set up a resource group
resource_group = azure_network.ResourceGroup("resource-group")

# Set up the Azure Machine Learning workspace
machine_learning_workspace = azure_ml.Workspace("machineLearningWorkspace",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    sku=azure_ml.SkuArgs(
        name="Enterprise",
    ),
    # Additional properties such as identity, encryption, description can be provided here
)

# Set up a virtual network
vnet = azure_network.VirtualNetwork("virtualNetwork",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    address_space=azure_network.AddressSpaceArgs(
        address_prefixes=["10.0.0.0/16"],
    ),
)

# Set up a subnet within the virtual network with the PrivateEndpointNetworkPolicies disabled
subnet = azure_network.Subnet("subnet",
    resource_group_name=resource_group.name,
    virtual_network_name=vnet.name,
    address_prefix="10.0.1.0/24",
    private_endpoint_network_policies="Disabled",
)

# Set up the private endpoint
private_endpoint = azure_network.PrivateEndpoint("privateEndpoint",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    subnet=azure_network.SubnetArgs(
        id=subnet.id,
    ),
    private_link_service_connections=[azure_network.PrivateLinkServiceConnectionArgs(
        name="mlWorkspaceConnection",
        private_link_service_id=machine_learning_workspace.id,
        group_ids=["amlworkspace"],  # The group ID for Machine Learning workspaces
    )],
)

pulumi.export("privateEndpointId", private_endpoint.id)
```

This program starts by creating a resource group in which all resources will reside. The Azure Machine Learning workspace is then set up with the desired SKU (in this example, "Enterprise"). Then, a virtual network and a subnet are established to later host the private endpoint. Note that 'PrivateEndpointNetworkPolicies' is specifically disabled for the subnet to allow the creation of the private endpoint. Finally, the private endpoint is created, linked to both the subnet and the machine learning workspace.

The `group_ids` value of `["amlworkspace"]` is specific to Azure Machine Learning workspaces when making the connection.

The program outputs the ID of the created private endpoint, which can be used to reference this endpoint in other parts of your Pulumi code or in the Pulumi console.

Remember to replace placeholders like `"Enterprise"` with actual values that suit your organizational requirements.

To run this Pulumi program:

1. Ensure you have Pulumi installed and configured with access to your Azure account.
2. Save this script to a file with a `.py` extension, let's say `azure_ml_private_endpoint.py`.
3. Run `pulumi up` from the command line in the directory where the script is saved. Pulumi will perform the deployment according to this script.

Please let me know if you have further questions or need clarification on any of these steps.