Manage Azure Machine Learning hub workspaces in the portal

  • Article

In this article, you create, view, and delete Azure Machine Learning hub workspaces for Azure Machine Learning, with the Azure portal.

Tip

An Azure Machine Learning hub workspace and an Azure AI Studio hub are the same thing. Azure AI Studio brings multiple Azure AI resources together for a unified experience. Azure Machine Learning is one of the resources, and provides both Azure AI Studio hub and project workspaces. Hub and project workspaces can be used from both Azure Machine Learning studio and Azure AI Studio.

As your needs change or your automation requirements increase, you can manage workspaces with the CLI, Azure PowerShell, or via the Visual Studio Code extension.

Prerequisites

Limitations

  • When you create a new workspace, you can either automatically create services needed by the workspace or use existing services. If you want to use existing services from a different Azure subscription than the workspace, you must register the Azure Machine Learning namespace in the subscription that contains those services. For example, if you create a workspace in subscription A that uses a storage account in subscription B, the Azure Machine Learning namespace must be registered in subscription B before the workspace can use the storage account.

    The resource provider for Azure Machine Learning is Microsoft.MachineLearningServices. For information on seeing whether it's registered or registering it, see Azure resource providers and types.

    Important

    This information applies only to resources provided during workspace creation: Azure Storage Accounts, Azure Container Registry, Azure Key Vault, and Application Insights.

  • For network isolation with online endpoints, you can use workspace-associated resources (Azure Container Registry (ACR), Storage account, Key Vault, and Application Insights) from a resource group different from your workspace. However, these resources must belong to the same subscription and tenant as your workspace. For information about the limitations that apply to securing managed online endpoints, using a workspace's managed virtual network, see Network isolation with managed online endpoints.

  • Workspace creation also creates an Azure Container Registry (ACR) by default. Since ACR doesn't currently support unicode characters in resource group names, use a resource group that avoids these characters.

  • Azure Machine Learning doesn't support hierarchical namespace (Azure Data Lake Storage Gen2 feature) for the default storage account of the workspace.

Tip

An Azure Application Insights instance is created when you create the workspace. You can delete the Application Insights instance after cluster creation if you want. Deleting it limits the information gathered from the workspace, and might make it more difficult to troubleshoot problems. If you delete the Application Insights instance created by the workspace, the only way to recreate it is to delete and recreate the workspace.

For more information on using the Application Insights instance, see Monitor and collect data from Machine Learning web service endpoints.

Create a hub

Use the following steps to create a hub from the Azure portal:

  1. From the Azure portal, search for Azure AI Studio and create a new resource by selecting + New Azure AI

  2. Enter your AI hub name, subscription, resource group, and location details.

  3. For advanced settings, select Next: Resources to specify resources, networking, encryption, identity, and tags.

    Screenshot of the option to set Azure AI hub basic information.

  4. Select an existing Azure AI services resource or create a new one. New Azure AI services include multiple API endpoints for Speech, Content Safety. You can also bring an existing Azure OpenAI resource. Optionally, choose an existing Storage account, Key vault, Container Registry, and Application insights to host artifacts generated when you use AI Studio.

    Tip

    You can skip selecting Azure AI Services if you plan to only work in Azure Machine Learning studio. Azure AI Services is required for Azure AI Studio, and provide access to pre-built AI models for use in prompt flow.

    Screenshot of the Create an Azure AI hub with the option to set resource information.

  5. Set up Network isolation.

    Screenshot of the Create an Azure AI hub with the option to set network isolation information.

  6. Set up data encryption. You can either use Azure-managed keys or enable Customer-managed keys.

    Screenshot of the Create an Azure AI hub with the option to select your encryption type.

  7. By default, System assigned identity is enabled, but you can switch to User assigned identity if existing storage, key vault, and container registry are selected in Resources.

    Screenshot of the Create an Azure AI hub with the option to select a managed identity.

    Note

    If you select User assigned identity and also selected an Azure AI Service, your identity needs to have the Cognitive Services Contributor role in order to successfully create a new Azure AI hub.

  8. Add tags.

    Screenshot of the Create an Azure AI hub with the option to add tags.

  9. Select Review + create

Manage your hub from the Azure portal

Manage access control

Manage role assignments from Access control (IAM) within the Azure portal.

To add grant users permissions:

  1. Select + Add to add users to your hub.

  2. Select the Role you want to assign.

    Screenshot of the page to add a role within the Azure AI hub Azure portal view.

  3. Select the Members you want to give the role to.

    Screenshot of the add members page within the Azure AI hub Azure portal view.

  4. Review + assign. It can take up to an hour for permissions to be applied to users.

Networking

Hub networking settings can be set during resource creation or changed in the Networking tab in the Azure portal view. Creating a new hub invokes a managed virtual network. This streamlines and automates your network isolation configuration with a built-in managed virtual network. The managed virtual network settings are applied to all project workspaces created within a hub.

At hub creation, select between the networking isolation modes: Public, Private with Internet Outbound, and Private with Approved Outbound. To secure your resource, select either Private with Internet Outbound or Private with Approved Outbound for your networking needs. For the private isolation modes, a private endpoint should be created for inbound access.

At hub creation in the Azure portal, creation of associated Azure AI services, Storage account, Key vault, Application insights, and Container registry is given. These resources are found on the Resources tab during creation.

To connect to Azure AI services (Azure AI Search, and Azure AI Content Safety) or storage accounts in Azure AI Studio, create a private endpoint in your virtual network. Ensure the public network access (PNA) flag is disabled when creating the private endpoint connection. For more about Azure AI services connections, see Azure AI services and virtual networks. You can optionally bring your own (BYO) search, but this requires a private endpoint connection from your virtual network.

Encryption

Projects that use the same hub, share their encryption configuration. Encryption mode can be set only at the time of hub creation between Azure-managed keys and Customer-managed keys.

From the Azure portal view, navigate to the encryption tab, to find the encryption settings for your hub. For hubs that use customer-managed key encryption mode, you can update the encryption key to a new key version. This update operation is constrained to keys and key versions within the same Key Vault instance as the original key.

Screenshot of the Encryption page of the Azure AI hub in the Azure portal.

Update Azure Application Insights and Azure Container Registry

To use custom environments for Prompt Flow, you're required to configure an Azure Container Registry for your AI hub. To use Azure Application Insights for Prompt Flow deployments, a configured Azure Application Insights resource is required for your AI hub.

You can configure your hub for these resources during creation or update after creation. To update Azure Application Insights from the Azure portal, navigate to the Properties for your hub in the Azure portal, then select Change Application Insights. You can also use the Azure SDK/CLI options or infrastructure-as-code templates to update both Azure Application Insights and Azure Container Registry for the AI Hub.

Screenshot of the properties page of the Azure AI resource in the Azure portal.

Next steps

Once you have a workspace hub, you can Create a project using Azure Machine Learning studio, Azure SDK, or Using automation templates.