Enterprise security for Azure Machine Learning

In this article, you'll learn about the security features available for Azure Machine Learning.

When you use a cloud service, a best practice is to restrict access to only the users who need it. Start by understanding the authentication and authorization model used by the service. You might also want to restrict network access or securely join resources in your on-premises network with the cloud. Data encryption is also vital, both at rest and while data moves between services. Finally, you need to be able to monitor the service and produce an audit log of all activity.

Note

The information in this article applies to the Azure Machine Learning Python SDK version 1.0.83.1 or higher.

Authentication

Multi-factor authentication is supported if Azure Active Directory (Azure AD) is configured to use it. Here's the authentication process:

  1. The client signs in to Azure AD and gets an Azure Resource Manager token. Users and service principals are fully supported.
  2. The client presents the token to Azure Resource Manager and to all Azure Machine Learning services.
  3. The Machine Learning service provides a Machine Learning service token to the user compute target (for example, Machine Learning Compute). The compute target uses this token to call back into the Machine Learning service after the run is complete. The token's scope is limited to the workspace.

Authentication in Azure Machine Learning

For more information, see Set up authentication for Azure Machine Learning resources and workflows. That article provides information and examples on authentication, including using service principals and automated workflows.

Authentication for web service deployment

Azure Machine Learning supports two forms of authentication for web services: key and token. Each web service can enable only one form of authentication at a time.

Authentication method | Description | Azure Container Instances | AKS
Key | Keys are static and do not need to be refreshed. Keys can be regenerated manually. | Disabled by default | Enabled by default
Token | Tokens expire after a specified time period and need to be refreshed. | Not available | Disabled by default

For code examples, see the web-service authentication section.
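The following is an added example, not code from the Azure Machine Learning SDK or this article. It encodes the table above as a deployment-time check (one auth form per service; token auth unavailable on Container Instances; AKS key auth on by default) and shows how a scoring client must treat the two secrets differently: a key is static, while a token carries an expiry and has to be refreshed. The `refresh` callback stands in for whatever token endpoint the client would call and is an assumption of the example.

```python
"""Client-side handling of the two Azure ML web-service auth modes (added example)."""
import time
from typing import Callable, Dict, Optional, Tuple

# Per compute type: the documented default for key auth and for token auth.
# None means token auth is not available on that compute type.
_DEFAULTS = {
    "aci": {"key": False, "token": None},
    "aks": {"key": True, "token": False},
}


def resolve_auth(compute_type: str, key_auth: Optional[bool] = None,
                 token_auth: Optional[bool] = None) -> str:
    """Return the effective auth mode ("key", "token" or "none") for a deployment
    request, applying the documented defaults and rejecting combinations the
    service does not allow (both forms at once, or token auth on ACI)."""
    defaults = _DEFAULTS[compute_type.lower()]
    key = defaults["key"] if key_auth is None else key_auth
    if defaults["token"] is None:
        if token_auth:
            raise ValueError(f"token auth is not available on {compute_type}")
        token = False
    else:
        token = defaults["token"] if token_auth is None else token_auth
    if key and token:
        raise ValueError("a web service can enable only one auth form at a time")
    return "key" if key else "token" if token else "none"


class ScoringAuth:
    """Builds the Authorization header for scoring calls.

    Keys are static and sent as-is. Tokens expire, so the header builder checks
    the expiry (with a safety skew) and calls `refresh` (assumed to return a new
    token and its expiry) before the old token stops working."""

    def __init__(self, mode: str, secret: str, expires_at: float = 0.0,
                 refresh: Optional[Callable[[], Tuple[str, float]]] = None,
                 skew: float = 60.0):
        self.mode, self.secret, self.expires_at = mode, secret, expires_at
        self.refresh, self.skew = refresh, skew
        self.refreshes = 0  # how many times the token was renewed

    def header(self, now: Optional[float] = None) -> Dict[str, str]:
        now = time.time() if now is None else now
        if self.mode == "token" and now >= self.expires_at - self.skew:
            if self.refresh is None:
                raise RuntimeError("token expired and no refresh configured")
            self.secret, self.expires_at = self.refresh()
            self.refreshes += 1
        # Azure ML web services accept both keys and tokens as bearer credentials.
        return {"Authorization": f"Bearer {self.secret}"}
```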

Authorization

You can create multiple workspaces, and each workspace can be shared by multiple people. When you share a workspace, you control access to it by assigning these roles to users:

  • Owner
  • Contributor
  • Reader

The following table lists some of the major Azure Machine Learning operations and the roles that can perform them:

Azure Machine Learning operation | Owner | Contributor | Reader
Create workspace
Share workspace
Upgrade workspace to Enterprise edition
Create compute target
Attach compute target
Attach data stores
Run experiment
View runs/metrics
Register model
Create image
Deploy web service
View models/images
Call web service

If the built-in roles don't meet your needs, you can create custom roles. Custom roles are supported only for operations on the workspace and on Machine Learning Compute. Custom roles can have read, write, or delete permissions on the workspace and on the compute resources in that workspace. You can make the role available at a specific workspace level, a specific resource-group level, or a specific subscription level. For more information, see Manage users and roles in an Azure Machine Learning workspace.

Securing compute targets and data

Owners and contributors can use all compute targets and data stores that are attached to the workspace.

Each workspace also has an associated system-assigned managed identity that has the same name as the workspace. The managed identity has the following permissions on the attached resources used in the workspace.

For more information on managed identities, see Managed identities for Azure resources.

Resource | Permissions
Workspace | Contributor
Storage account | Storage Blob Data Contributor
Key vault | Access to all keys, secrets, and certificates
Azure Container Registry | Contributor
Resource group that contains the workspace | Contributor
Resource group that contains the key vault (if different from the one that contains the workspace) | Contributor

We don't recommend that admins revoke the managed identity's access to the resources listed in the preceding table. If access has been revoked, you can restore it by using the resync keys operation.

For every workspace region, Azure Machine Learning creates an additional application (its name starts with aml- or Microsoft-AzureML-Support-App-) with contributor-level access in your subscription. For example, if you have one workspace in China East and another workspace in China North in the same subscription, you'll see two of these applications. These applications enable Azure Machine Learning to help you manage compute resources.

Network security

Azure Machine Learning relies on other Azure services for compute resources. Compute resources (compute targets) are used to train and deploy models. You can create these compute targets in a virtual network. For example, you can use an Azure Data Science Virtual Machine to train a model and then deploy the model to AKS.

For more information, see How to run experiments and inference in a virtual network.

Data encryption

Encryption at rest

Important

If your workspace contains sensitive data, we recommend setting the hbi_workspace flag while creating your workspace. This flag controls the amount of data Microsoft collects for diagnostic purposes and enables additional encryption in Microsoft-managed environments.

Azure Blob storage

Azure Machine Learning stores snapshots, output, and logs in the Azure Blob storage account that's tied to the Azure Machine Learning workspace and your subscription. All the data stored in Azure Blob storage is encrypted at rest with Microsoft-managed keys.

For information on how to use your own keys for data stored in Azure Blob storage, see Azure Storage encryption with customer-managed keys in Azure Key Vault.

Training data is typically also stored in Azure Blob storage so that it's accessible to training compute targets. This storage isn't managed by Azure Machine Learning; it's mounted to compute targets as a remote file system.

For information on regenerating the access keys, see Regenerate storage access keys.

Azure Container Registry

All container images in your registry (Azure Container Registry) are encrypted at rest. Azure automatically encrypts an image before storing it and decrypts it when Azure Machine Learning pulls the image.

To use your own (customer-managed) keys to encrypt your Azure Container Registry, you need to either create your own ACR and attach it while provisioning the workspace, or encrypt the default instance that gets created at the time of workspace provisioning.

For an example of creating a workspace using an existing Azure Container Registry, see the following articles:

Azure Container Instances

Azure Container Instances does not support disk encryption. If you need disk encryption, we recommend deploying to an Azure Kubernetes Service instance instead. In this case, you may also want to use Azure Machine Learning's support for role-based access control to prevent deployments to Azure Container Instances in your subscription.

Azure Kubernetes Service

You may encrypt a deployed Azure Kubernetes Service resource using customer-managed keys at any time.

This process allows you to encrypt both the data disk and the OS disk of the virtual machines deployed in the Kubernetes cluster.

Important

This process only works with AKS Kubernetes version 1.17 or higher. Azure Machine Learning added support for AKS 1.17 on January 13, 2020.

Machine Learning Compute

The OS disk for each compute node, stored in Azure Storage, is encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts. This compute target is ephemeral, and clusters are typically scaled down when no runs are queued. The underlying virtual machine is de-provisioned, and the OS disk is deleted. Azure Disk Encryption isn't supported for the OS disk.

Each virtual machine also has a local temporary disk for OS operations. If you want, you can use the disk to stage training data. The disk is encrypted by default for workspaces with the hbi_workspace parameter set to TRUE. This environment is short-lived (it exists only for the duration of your run), and encryption support is limited to system-managed keys only.

For more information on how encryption at rest works in Azure, see Azure data encryption at rest.

Encryption in transit

You can use SSL to secure internal communication between Azure Machine Learning microservices and to secure external calls to the scoring endpoint. All Azure Storage access also occurs over a secure channel.

For more information, see Use SSL to secure a web service through Azure Machine Learning.

Using Azure Key Vault

Azure Machine Learning uses the Azure Key Vault instance associated with the workspace to store credentials of various kinds:

  • The associated storage account connection string
  • Passwords to Azure Container Registry instances
  • Connection strings to data stores

SSH passwords and keys to compute targets like Azure HDInsight and VMs are stored in a separate key vault that's associated with the Microsoft subscription. Azure Machine Learning doesn't store any passwords or keys provided by users. Instead, it generates, authorizes, and stores its own SSH keys to connect to VMs and HDInsight to run the experiments.

Each workspace has an associated system-assigned managed identity that has the same name as the workspace. This managed identity has access to all keys, secrets, and certificates in the key vault.

Data collection and handling

Microsoft collected data

Microsoft may collect non-user-identifying information like resource names (for example, the dataset name or the machine learning experiment name) or job environment variables for diagnostic purposes. All such data is stored using Microsoft-managed keys in storage hosted in Microsoft-owned subscriptions and follows Microsoft's standard privacy policy and data handling standards.

Microsoft also recommends not storing sensitive information (such as account key secrets) in environment variables. Environment variables are logged, encrypted, and stored by Microsoft.

You may opt out of diagnostic data collection by setting the hbi_workspace parameter to TRUE while provisioning the workspace. This functionality is supported when using the AzureML Python SDK, CLI, REST APIs, or Azure Resource Manager templates.

Microsoft-generated data

When using services such as Automated Machine Learning, Microsoft may generate transient, pre-processed data for training multiple models. This data is stored in a datastore in your workspace, which allows you to enforce access controls and encryption appropriately.

You may also want to encrypt diagnostic information logged from your deployed endpoint into your Azure Application Insights instance.

Monitoring

Metrics

You can use Azure Monitor metrics to view and monitor metrics for your Azure Machine Learning workspace. In the Azure portal, select your workspace and then select Metrics:

Screenshot showing example metrics for a workspace

The metrics include information on runs, deployments, and registrations.

For more information, see Metrics in Azure Monitor.

Activity log

You can view the activity log of a workspace to see the various operations that are performed on the workspace. The log includes basic information like the operation name, event initiator, and timestamp.

This screenshot shows the activity log of a workspace:

Screenshot showing the activity log of a workspace

Scoring request details are stored in Application Insights. Application Insights is created in your subscription when you create a workspace. Logged information includes fields such as:

  • HTTPMethod
  • UserAgent
  • ComputeType
  • RequestUrl
  • StatusCode
  • RequestId
  • Duration

Important

Some actions in the Azure Machine Learning workspace don't log information to the activity log. For example, the start of a training run and the registration of a model aren't logged.

Some of these actions appear in the Activities area of your workspace, but these notifications don't indicate who initiated the activity.
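Because scoring request details land in Application Insights with the fields listed above, they can be reviewed for authentication failures against a deployed web service. The following is an added example, not Microsoft's code: it runs over constructed records (not real telemetry) that use those field names and reports, per user agent and compute type, callers whose share of 401/403 responses is high enough to warrant a look.

```python
"""Report authentication-failure bursts in scoring request records (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample records, not real telemetry. Field names follow the
# Application Insights fields the article lists for scoring requests.
SAMPLE_REQUESTS = [
    {"HTTPMethod": "POST", "UserAgent": "curl/7.68", "ComputeType": "AKS",
     "RequestUrl": "/api/v1/service/scorer/score", "StatusCode": 401,
     "RequestId": f"c{i}", "Duration": 3}
    for i in range(4)
] + [
    {"HTTPMethod": "POST", "UserAgent": "curl/7.68", "ComputeType": "AKS",
     "RequestUrl": "/api/v1/service/scorer/score", "StatusCode": 200,
     "RequestId": "c4", "Duration": 38},
] + [
    {"HTTPMethod": "POST", "UserAgent": "python-requests/2.25", "ComputeType": "AKS",
     "RequestUrl": "/api/v1/service/scorer/score", "StatusCode": 200,
     "RequestId": f"p{i}", "Duration": 40}
    for i in range(3)
] + [
    {"HTTPMethod": "GET", "UserAgent": "Mozilla/5.0", "ComputeType": "ACI",
     "RequestUrl": "/score", "StatusCode": 401,
     "RequestId": "m0", "Duration": 2},
]

# Responses that mean the key or token presented was missing or rejected.
AUTH_FAILURE_CODES = {401, 403}


def auth_failure_report(records: Iterable[Dict], threshold: float = 0.5,
                        min_requests: int = 3) -> List[Tuple[str, str, int, int, float]]:
    """Group requests by (UserAgent, ComputeType) and return the groups whose
    share of auth failures reaches `threshold` over at least `min_requests`
    requests. Each entry is (user agent, compute type, total, failures, ratio),
    highest ratio first. Lone failures below `min_requests` are ignored so that
    a single mistyped key does not page anyone."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in records:
        key = (rec["UserAgent"], rec["ComputeType"])
        totals[key] += 1
        if rec["StatusCode"] in AUTH_FAILURE_CODES:
            failures[key] += 1
    flagged = []
    for key, total in totals.items():
        ratio = failures[key] / total
        if total >= min_requests and ratio >= threshold:
            flagged.append((key[0], key[1], total, failures[key], round(ratio, 2)))
    return sorted(flagged, key=lambda f: (-f[4], f[0]))
```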

Data flow diagrams

Create workspace

The following diagram shows the create workspace workflow.

  • You sign in to Azure AD from one of the supported Azure Machine Learning clients (Azure CLI, Python SDK, Azure portal) and request the appropriate Azure Resource Manager token.
  • You call Azure Resource Manager to create the workspace.
  • Azure Resource Manager contacts the Azure Machine Learning resource provider to provision the workspace.

Additional resources are created in the user's subscription during workspace creation:

  • Key Vault (to store secrets)
  • An Azure storage account (including blob and file share)
  • Azure Container Registry (to store Docker images for inference/scoring and experimentation)
  • Application Insights (to store telemetry)

The user can also provision other compute targets that are attached to a workspace (like Azure Kubernetes Service or VMs) as needed.

Create workspace workflow

Save source code (training scripts)

The following diagram shows the code snapshot workflow.

Associated with an Azure Machine Learning workspace are directories (experiments) that contain the source code (training scripts). These scripts are stored on your local machine and in the cloud (in the Azure Blob storage for your subscription). The code snapshots are used for execution or for inspection during historical auditing.

Code snapshot workflow

Training

The following diagram shows the training workflow.

  • Azure Machine Learning is called with the snapshot ID for the code snapshot saved in the previous section.

  • Azure Machine Learning creates a run ID (optional) and a Machine Learning service token, which is later used by compute targets like Machine Learning Compute/VMs to communicate with the Machine Learning service.

  • You can choose either a managed compute target (like Machine Learning Compute) or an unmanaged compute target (like VMs) to run training jobs. Here are the data flows for both scenarios:

    • VMs/HDInsight, accessed by SSH credentials in a key vault in the Microsoft subscription. Azure Machine Learning runs management code on the compute target that:
    1. Prepares the environment. (Docker is an option for VMs and local computers. See the following steps for Machine Learning Compute to understand how running experiments on Docker containers works.)
    2. Downloads the code.
    3. Sets up environment variables and configurations.
    4. Runs user scripts (the code snapshot mentioned in the previous section).
    • Machine Learning Compute, accessed through the workspace managed identity. Because Machine Learning Compute is a managed compute target (that is, it's managed by Microsoft), it runs under your Microsoft subscription.
    1. Remote Docker construction is kicked off, if needed.
    2. Management code is written to the user's Azure Files share.
    3. The container is started with an initial command, that is, the management code described in the previous step.

Querying runs and metrics

In the flow diagram below, this step occurs when the training compute target writes the run metrics back to Azure Machine Learning from storage in the Cosmos DB database. Clients can call Azure Machine Learning, which in turn pulls the metrics from the Cosmos DB database and returns them to the client.

Training workflow

Creating web services

The following diagram shows the inference workflow. Inference, or model scoring, is the phase in which the deployed model is used for prediction, most commonly on production data.

Here are the details:

  • The user registers a model by using a client like the Azure Machine Learning SDK.
  • The user creates an image by using a model, a score file, and other model dependencies.
  • The Docker image is created and stored in Azure Container Registry.
  • The web service is deployed to the compute target (Container Instances/AKS) using the image created in the previous step.
  • Scoring request details are stored in Application Insights, which is in the user's subscription.
  • Telemetry is also pushed to the Microsoft/Azure subscription.

Inference workflow

Next steps