Use an Azure Resource Manager template to create a workspace for Azure Machine Learning


In this article, you learn several ways to create an Azure Machine Learning workspace using Azure Resource Manager templates. A Resource Manager template makes it easy to create resources as a single, coordinated operation. A template is a JSON document that defines the resources needed for a deployment. It may also specify deployment parameters, which are used to provide input values when the template is used.

For more information, see Deploy an application with Azure Resource Manager template.

Prerequisites

  • An Azure subscription. If you do not have one, try the trial version of Azure Machine Learning.

  • To use a template from a CLI, you need either Azure PowerShell or the Azure CLI.

  • Some scenarios require you to open a support ticket. These scenarios are:

    • Private Link enabled workspace with a customer-managed key
    • Azure Container Registry for the workspace behind your virtual network

    For more information, see Manage and increase quotas.

Limitations

  • When creating a new workspace, you can either automatically create the services needed by the workspace or use existing services. If you want to use existing services from a different Azure subscription than the workspace, you must register the Azure Machine Learning namespace in the subscription that contains those services. For example, when creating a workspace in subscription A that uses a storage account from subscription B, the Azure Machine Learning namespace must be registered in subscription B before you can use the storage account with the workspace.

    The resource provider for Azure Machine Learning is Microsoft.MachineLearningServices. For information on how to see if it is registered and how to register it, see the Azure resource providers and types article.

    Important

    This only applies to resources provided during workspace creation: Azure Storage Accounts, Azure Container Registry, Azure Key Vault, and Application Insights.

Workspace Resource Manager template

The Azure Resource Manager template used throughout this document can be found in the 201-machine-learning-advanced directory of the Azure quickstart templates GitHub repository.

This template creates the following Azure services:

  • Azure Storage Account
  • Azure Key Vault
  • Azure Application Insights
  • Azure Container Registry
  • Azure Machine Learning workspace

The resource group is the container that holds these services, all of which are required by the Azure Machine Learning workspace.

The example template has two required parameters:

  • The location where the resources will be created.

    The template will use the location you select for most resources. The exception is the Application Insights service, which is not available in all of the locations the other services are. If you select a location where it is not available, the service will be created in the China East 2 location.

  • The workspace name, which is the friendly name of the Azure Machine Learning workspace.

    Note

    The workspace name is case-insensitive.

    The names of the other services are generated randomly.

Tip

While the template associated with this document creates a new Azure Container Registry, you can also create a new workspace without creating a container registry. One will be created when you perform an operation that requires a container registry, for example training or deploying a model.

You can also reference an existing container registry or storage account in the Azure Resource Manager template instead of creating a new one. When doing so, you must either use a managed identity (preview) or enable the admin account for the container registry.

Warning

Once an Azure Container Registry has been created for a workspace, do not delete it. Doing so will break your Azure Machine Learning workspace.

For more information on templates, see the following articles:

Deploy template

To deploy your template, you first have to create a resource group.

See the Azure portal section if you prefer using the graphical user interface.

az group create --name "examplegroup" --location "chinaeast"

Once your resource group is successfully created, deploy the template with the following command:

az deployment group create \
    --name "exampledeployment" \
    --resource-group "examplegroup" \
    --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-machine-learning-advanced/azuredeploy.json" \
    --parameters workspaceName="exampleworkspace" location="chinaeast"

By default, all of the resources created as part of the template are new. However, you also have the option of using existing resources by providing additional parameters to the template. For example, if you want to use an existing storage account, set the storageAccountOption value to existing and provide the name of your storage account in the storageAccountName parameter.

Important

If you want to use an existing Azure Storage account, it cannot be a premium account (Premium_LRS and Premium_GRS). It also cannot have a hierarchical namespace (used with Azure Data Lake Storage Gen2). Neither premium storage nor hierarchical namespaces are supported with the default storage account of the workspace. You can use premium storage or a hierarchical namespace with non-default storage accounts.

az deployment group create \
    --name "exampledeployment" \
    --resource-group "examplegroup" \
    --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-machine-learning-advanced/azuredeploy.json" \
    --parameters workspaceName="exampleworkspace" \
      location="chinaeast" \
      storageAccountOption="existing" \
      storageAccountName="existingstorageaccountname"

Deploy an encrypted workspace

The following example template demonstrates how to create a workspace with three settings:

  • Enable high confidentiality settings for the workspace. This creates a new Cosmos DB instance.

  • Enable encryption for the workspace.

  • Use an existing Azure Key Vault to retrieve customer-managed keys. Customer-managed keys are used to create a new Cosmos DB instance for the workspace.

    Important

    The Cosmos DB instance is created in a Microsoft-managed resource group in your subscription, along with any resources it needs. This means that you are charged for this Cosmos DB instance. The managed resource group is named in the format <AML Workspace Resource Group Name><GUID>. If your Azure Machine Learning workspace uses a private endpoint, a virtual network is also created for the Cosmos DB instance. This VNet is used to secure communication between Cosmos DB and Azure Machine Learning.

    • Do not delete the resource group that contains this Cosmos DB instance, or any of the resources automatically created in this group. If you need to delete the resource group, Cosmos DB instance, etc., you must delete the Azure Machine Learning workspace that uses it. The resource group, Cosmos DB instance, and other automatically created resources are deleted when the associated workspace is deleted.
    • The default Request Units for this Cosmos DB account is set at 8000.
    • You cannot provide your own VNet for use with the Cosmos DB instance that is created. You also cannot modify the virtual network. For example, you cannot change the IP address range that it uses.

Important

Once a workspace has been created, you cannot change the settings for confidential data, encryption, key vault ID, or key identifiers. To change these values, you must create a new workspace using the new values.

For more information, see Encryption at rest.

Important

There are some specific requirements your subscription must meet before using this template:

  • You must have an existing Azure Key Vault that contains an encryption key.
  • The Azure Key Vault must be in the same region where you plan to create the Azure Machine Learning workspace.
  • You must specify the ID of the Azure Key Vault and the URI of the encryption key.

To get the values for the cmk_keyvault (ID of the Key Vault) and resource_cmk_uri (key URI) parameters needed by this template, use the following steps:

  1. To get the Key Vault ID, use the following command:

    az keyvault show --name <keyvault-name> --query 'id' --output tsv

    This command returns a value similar to /subscriptions/{subscription-guid}/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<keyvault-name>.

  2. To get the URI of the customer-managed key, use the following command:

    az keyvault key show --vault-name <keyvault-name> --name <key-name> --query 'key.kid' --output tsv

    This command returns a value similar to https://mykeyvault.vault.azure.net/keys/mykey/{guid}.

To enable use of customer-managed keys, set the following parameters when deploying the template:

  • encryption_status to Enabled.
  • cmk_keyvault to the cmk_keyvault value obtained in the previous steps.
  • resource_cmk_uri to the resource_cmk_uri value obtained in the previous steps.

az deployment group create \
    --name "exampledeployment" \
    --resource-group "examplegroup" \
    --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-machine-learning-advanced/azuredeploy.json" \
    --parameters workspaceName="exampleworkspace" \
      location="chinaeast" \
      encryption_status="Enabled" \
      cmk_keyvault="/subscriptions/{subscription-guid}/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<keyvault-name>" \
      resource_cmk_uri="https://mykeyvault.vault.azure.net/keys/mykey/{guid}"

When using a customer-managed key, Azure Machine Learning creates a secondary resource group which contains the Cosmos DB instance. For more information, see Encryption at rest - Cosmos DB.

An additional configuration you can provide for your data is to set the confidential_data parameter to true. Doing so does the following:

  • Starts encrypting the local scratch disk for Azure Machine Learning compute clusters, provided you have not created any previous clusters in your subscription. If you have previously created a cluster in the subscription, open a support ticket to have encryption of the scratch disk enabled for your compute clusters.

  • Cleans up the local scratch disk between runs.

  • Securely passes credentials for the storage account, container registry, and SSH account from the execution layer to your compute clusters by using Key Vault.

  • Enables IP filtering to ensure the underlying batch pools cannot be called by any external services other than AzureMachineLearningService.

Deploy workspace behind a virtual network

By setting the vnetOption parameter value to either new or existing, you are able to create the resources used by a workspace behind a virtual network.

Important

For the container registry, only the 'Premium' SKU is supported.

Important

Application Insights does not support deployment behind a virtual network.

Only deploy workspace behind private endpoint

If your associated resources are not behind a virtual network, you can set the privateEndpointType parameter to AutoApproval or ManualApproval to deploy the workspace behind a private endpoint. This can be done for both new and existing workspaces. When updating an existing workspace, fill in the template parameters with the information from the existing workspace.

Important

Using an Azure Machine Learning workspace with private link is not available in the Azure Government regions or Azure China 21Vianet regions.

az deployment group create \
    --name "exampledeployment" \
    --resource-group "examplegroup" \
    --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-machine-learning-advanced/azuredeploy.json" \
    --parameters workspaceName="exampleworkspace" \
      location="chinaeast" \
      privateEndpointType="AutoApproval"

Use a new virtual network

To deploy a resource behind a new virtual network, set vnetOption to new along with the virtual network settings for the respective resource. The deployment below shows how to deploy a workspace with the storage account resource behind a new virtual network.

az deployment group create \
    --name "exampledeployment" \
    --resource-group "examplegroup" \
    --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-machine-learning-advanced/azuredeploy.json" \
    --parameters workspaceName="exampleworkspace" \
      location="chinaeast" \
      vnetOption="new" \
      vnetName="examplevnet" \
      storageAccountBehindVNet="true" \
      privateEndpointType="AutoApproval"

Alternatively, you can deploy multiple or all dependent resources behind a virtual network.

az deployment group create \
    --name "exampledeployment" \
    --resource-group "examplegroup" \
    --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-machine-learning-advanced/azuredeploy.json" \
    --parameters workspaceName="exampleworkspace" \
      location="chinaeast" \
      vnetOption="new" \
      vnetName="examplevnet" \
      storageAccountBehindVNet="true" \
      keyVaultBehindVNet="true" \
      containerRegistryBehindVNet="true" \
      containerRegistryOption="new" \
      containerRegistrySku="Premium" \
      privateEndpointType="AutoApproval"

Use an existing virtual network & resources

To deploy a workspace with existing associated resources, you have to set the vnetOption parameter to existing along with the subnet parameters. However, you need to create service endpoints in the virtual network for each of the resources before deployment. As with new virtual network deployments, you can have one or all of your resources behind a virtual network.

Important

The subnet should have the Microsoft.Storage service endpoint.

Important

Subnets do not allow creation of private endpoints. Disable private endpoint to enable subnet.

  1. Enable service endpoints for the resources.

    az network vnet subnet update --resource-group "examplegroup" --vnet-name "examplevnet" --name "examplesubnet" --service-endpoints "Microsoft.Storage"
    az network vnet subnet update --resource-group "examplegroup" --vnet-name "examplevnet" --name "examplesubnet" --service-endpoints "Microsoft.KeyVault"
    az network vnet subnet update --resource-group "examplegroup" --vnet-name "examplevnet" --name "examplesubnet" --service-endpoints "Microsoft.ContainerRegistry"
    
  2. Deploy the workspace

    az deployment group create \
    --name "exampledeployment" \
    --resource-group "examplegroup" \
    --template-uri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-machine-learning-advanced/azuredeploy.json" \
    --parameters workspaceName="exampleworkspace" \
      location="chinaeast" \
      vnetOption="existing" \
      vnetName="examplevnet" \
      vnetResourceGroupName="examplegroup" \
      storageAccountBehindVNet="true" \
      keyVaultBehindVNet="true" \
      containerRegistryBehindVNet="true" \
      containerRegistryOption="new" \
      containerRegistrySku="Premium" \
      subnetName="examplesubnet" \
      subnetOption="existing" \
      privateEndpointType="AutoApproval"
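
As an added example (not part of the template or the Azure CLI), the following Python preflight applies the constraints this article states to a parameter set before az deployment group create is run: the workspace name rule from the portal section, the existing-storage-account restrictions, the customer-managed key identifiers (including that the key URI belongs to the vault named in cmk_keyvault), and the virtual network and private endpoint options. The sample parameter set and the GUID in it are constructed, the vnetResourceGroupName and subnetName requirement is taken from the existing-network deployment above, and the same-region check for the Key Vault needs a live az call and is left out.

```python
"""Preflight checks for the 201-machine-learning-advanced template parameters.

Added example (not part of the template or the Azure CLI): the rules below are
the constraints stated in this article, applied to the --parameters values
before `az deployment group create` is run.
"""
import re

# Shape of `az keyvault show --query id` output (Key Vault names are 3-24 chars).
KV_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[A-Za-z0-9-]{3,24})$")
# Shape of `az keyvault key show --query key.kid` output (versioned key identifier).
KEY_URI_RE = re.compile(
    r"^https://(?P<vault>[A-Za-z0-9-]{3,24})\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$")
WS_NAME_RE = re.compile(r"^[A-Za-z0-9-]{3,33}$")  # 3-33 chars, alphanumeric or '-'
UNSUPPORTED_DEFAULT_STORAGE_SKUS = {"Premium_LRS", "Premium_GRS"}
BEHIND_VNET_FLAGS = ("storageAccountBehindVNet", "keyVaultBehindVNet",
                     "containerRegistryBehindVNet")


def preflight(params, existing_storage=None):
    """Return the list of violated constraints; an empty list means the
    parameter set is consistent with this article.

    params: the --parameters name/value pairs as a dict of strings.
    existing_storage: for storageAccountOption=existing, the JSON that
      `az storage account show` returns for that account (only the `sku.name`
      and `isHnsEnabled` fields are inspected).
    """
    errors = []
    if not WS_NAME_RE.match(params.get("workspaceName", "")):
        errors.append("workspaceName must be 3-33 alphanumeric characters or '-'")

    # Existing default storage account: no premium SKU, no hierarchical namespace.
    if params.get("storageAccountOption") == "existing":
        if not params.get("storageAccountName"):
            errors.append("storageAccountOption=existing requires storageAccountName")
        if existing_storage is not None:
            if existing_storage.get("sku", {}).get("name") in UNSUPPORTED_DEFAULT_STORAGE_SKUS:
                errors.append("default storage account cannot be Premium_LRS or Premium_GRS")
            if existing_storage.get("isHnsEnabled"):
                errors.append("default storage account cannot have a hierarchical namespace")

    # Customer-managed key: both identifiers present, well formed, and from the same vault.
    if params.get("encryption_status") == "Enabled":
        kv = KV_ID_RE.match(params.get("cmk_keyvault", ""))
        key = KEY_URI_RE.match(params.get("resource_cmk_uri", ""))
        if not kv:
            errors.append("cmk_keyvault must be a Key Vault resource ID")
        if not key:
            errors.append("resource_cmk_uri must be a versioned Key Vault key identifier")
        if kv and key and kv.group("vault").lower() != key.group("vault").lower():
            errors.append("resource_cmk_uri does not belong to the vault named in cmk_keyvault")

    # Private endpoint and virtual network options.
    pe_type = params.get("privateEndpointType")
    if pe_type is not None and pe_type not in {"AutoApproval", "ManualApproval"}:
        errors.append("privateEndpointType must be AutoApproval or ManualApproval")
    vnet = params.get("vnetOption")
    if any(params.get(f) == "true" for f in BEHIND_VNET_FLAGS) and vnet not in {"new", "existing"}:
        errors.append("*BehindVNet=true requires vnetOption new or existing")
    if vnet in {"new", "existing"} and not params.get("vnetName"):
        errors.append("vnetOption=new/existing requires vnetName")
    if vnet == "existing":
        # Assumed from the existing-network deployment in this article.
        for required in ("vnetResourceGroupName", "subnetName"):
            if not params.get(required):
                errors.append(f"vnetOption=existing requires {required}")
    if params.get("containerRegistryBehindVNet") == "true" and params.get("containerRegistrySku") != "Premium":
        errors.append("a container registry behind a virtual network requires containerRegistrySku=Premium")
    return errors


# Constructed parameter set mirroring the encrypted-workspace deployment above.
SAMPLE_CMK_PARAMS = {
    "workspaceName": "exampleworkspace",
    "location": "chinaeast",
    "encryption_status": "Enabled",
    "cmk_keyvault": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/"
                    "examplegroup/providers/Microsoft.KeyVault/vaults/mykeyvault",
    "resource_cmk_uri": "https://mykeyvault.vault.azure.net/keys/mykey/0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for line in preflight(SAMPLE_CMK_PARAMS) or ["parameters pass preflight"]:
        print(line)
```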
    

Use the Azure portal

  1. Follow the steps in Deploy resources from custom template. When you arrive at the Select a template screen, choose the 201-machine-learning-advanced template from the dropdown.

  2. Select Select template to use the template. Provide the following required information and any other parameters depending on your deployment scenario.

    • Subscription: Select the Azure subscription to use for these resources.
    • Resource group: Select or create a resource group to contain the services.
    • Region: Select the Azure region where the resources will be created.
    • Workspace name: The name to use for the Azure Machine Learning workspace that will be created. The workspace name must be between 3 and 33 characters and may only contain alphanumeric characters and '-'.
    • Location: Select the location where the resources will be created.

  3. Select Review + create.

  4. In the Review + create screen, agree to the listed terms and conditions and select Create.

For more information, see Deploy resources from custom template.

Troubleshooting

Resource provider errors

When creating an Azure Machine Learning workspace, or a resource used by the workspace, you may receive an error similar to the following messages:

  • No registered resource provider found for location {location}
  • The subscription is not registered to use namespace {resource-provider-namespace}

Most resource providers are automatically registered, but not all. If you receive this message, you need to register the provider mentioned.

For information on registering resource providers, see Resolve errors for resource provider registration.

Azure Key Vault access policy and Azure Resource Manager templates

This problem occurs when you use an Azure Resource Manager template to create the workspace and associated resources (including Azure Key Vault) multiple times, for example when using the template repeatedly with the same parameters as part of a continuous integration and deployment pipeline.

Most resource creation operations through templates are idempotent, but Key Vault clears the access policies each time the template is used. Clearing the access policies breaks access to the Key Vault for any existing workspace that is using it. For example, the Stop/Create functionality of an Azure Notebooks VM may fail.

To avoid this problem, we recommend one of the following approaches:

  • Do not deploy the template more than once for the same parameters, or delete the existing resources before using the template to recreate them.

  • Examine the Key Vault access policies and then use these policies to set the accessPolicies property of the template. To view the access policies, use the following Azure CLI command:

    az keyvault show --name mykeyvault --resource-group myresourcegroup --query properties.accessPolicies

    For more information on using the accessPolicies section of the template, see the AccessPolicyEntry object reference.

  • Check whether the Key Vault resource already exists. If it does, do not recreate it through the template. For example, to use the existing Key Vault instead of creating a new one, make the following changes to the template:

    • Add a parameter that accepts the ID of an existing Key Vault resource:

      "keyVaultId":{
        "type": "string",
        "metadata": {
          "description": "Specify the existing Key Vault ID."
        }
      }
      
    • Remove the section that creates a Key Vault resource:

      {
        "type": "Microsoft.KeyVault/vaults",
        "apiVersion": "2018-02-14",
        "name": "[variables('keyVaultName')]",
        "location": "[parameters('location')]",
        "properties": {
          "tenantId": "[variables('tenantId')]",
          "sku": {
            "name": "standard",
            "family": "A"
          },
          "accessPolicies": [
          ]
        }
      },
      
    • Remove the "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]", line from the dependsOn section of the workspace. Also change the keyVault entry in the properties section of the workspace to reference the keyVaultId parameter:

      {
        "type": "Microsoft.MachineLearningServices/workspaces",
        "apiVersion": "2019-11-01",
        "name": "[parameters('workspaceName')]",
        "location": "[parameters('location')]",
        "dependsOn": [
          "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
          "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"
        ],
        "identity": {
          "type": "systemAssigned"
        },
        "sku": {
          "tier": "[parameters('sku')]",
          "name": "[parameters('sku')]"
        },
        "properties": {
          "friendlyName": "[parameters('workspaceName')]",
          "keyVault": "[parameters('keyVaultId')]",
          "applicationInsights": "[resourceId('Microsoft.Insights/components',variables('applicationInsightsName'))]",
          "storageAccount": "[resourceId('Microsoft.Storage/storageAccounts/',variables('storageAccountName'))]"
        }
      }
      

    After these changes, you can specify the ID of the existing Key Vault resource when running the template. The template will then reuse the Key Vault by setting the keyVault property of the workspace to its ID.
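
The two template-level fixes just described, as an added Python example (not the quickstart template's own code): preserve_access_policies writes a vault's live access policies into the template's accessPolicies property, and use_existing_key_vault applies the three edits above (keyVaultId parameter, removed vault resource, rewired dependsOn and keyVault). The embedded template is a constructed stand-in built from the fragments quoted above; the real template has more resources.

```python
"""Keep an Azure Machine Learning workspace's Key Vault usable across repeated
template deployments. Added example (not the quickstart template's own code):
option 1 carries the vault's live access policies into the template; option 2
applies the three edits above so the template consumes an existing vault via a
keyVaultId parameter instead of creating one.
"""
import copy
import json

KV_TYPE = "Microsoft.KeyVault/vaults"
WS_TYPE = "Microsoft.MachineLearningServices/workspaces"
KV_DEPENDS_ON = "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"

# Minimal stand-in for the 201-machine-learning-advanced template, constructed
# from the fragments quoted above (the real template has more resources).
SAMPLE_TEMPLATE = {
    "parameters": {"workspaceName": {"type": "string"}, "location": {"type": "string"}},
    "resources": [
        {
            "type": KV_TYPE,
            "apiVersion": "2018-02-14",
            "name": "[variables('keyVaultName')]",
            "properties": {"sku": {"name": "standard", "family": "A"}, "accessPolicies": []},
        },
        {
            "type": WS_TYPE,
            "apiVersion": "2019-11-01",
            "name": "[parameters('workspaceName')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
                KV_DEPENDS_ON,
            ],
            "properties": {
                "keyVault": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]",
            },
        },
    ],
}


def _single_resource(template, rtype):
    """Return the one resource of the given type, or fail loudly."""
    matches = [r for r in template.get("resources", []) if r.get("type") == rtype]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {rtype} resource, found {len(matches)}")
    return matches[0]


def preserve_access_policies(template, live_access_policies):
    """Option 1: copy the vault's current accessPolicies (the JSON that
    `az keyvault show --query properties.accessPolicies` prints) into the
    template, so redeploying does not wipe the entries existing workspaces use."""
    patched = copy.deepcopy(template)
    vault = _single_resource(patched, KV_TYPE)
    vault["properties"]["accessPolicies"] = copy.deepcopy(live_access_policies)
    return patched


def use_existing_key_vault(template):
    """Option 2: add the keyVaultId parameter, drop the vault resource, and point
    the workspace at the parameter instead of the removed resource."""
    patched = copy.deepcopy(template)
    patched.setdefault("parameters", {})["keyVaultId"] = {
        "type": "string",
        "metadata": {"description": "Specify the existing Key Vault ID."},
    }
    patched["resources"] = [r for r in patched["resources"] if r.get("type") != KV_TYPE]
    workspace = _single_resource(patched, WS_TYPE)
    workspace["dependsOn"] = [d for d in workspace.get("dependsOn", []) if d != KV_DEPENDS_ON]
    workspace["properties"]["keyVault"] = "[parameters('keyVaultId')]"
    return patched


def references_key_vault_variable(template):
    """True while any `variables('keyVaultName')` reference survives; a leftover
    reference to the removed resource would make the deployment fail."""
    return "variables('keyVaultName')" in json.dumps(template)


if __name__ == "__main__":
    reworked = use_existing_key_vault(SAMPLE_TEMPLATE)
    print(json.dumps(reworked, indent=2))
    print("dangling keyVaultName references:", references_key_vault_variable(reworked))
```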

    To get the ID of the Key Vault, you can reference the output of the original template run or use the Azure CLI. The following command is an example of using the Azure CLI to get the Key Vault resource ID:

    az keyvault show --name mykeyvault --resource-group myresourcegroup --query id
    

    This command returns a value similar to the following text:

    /subscriptions/{subscription-guid}/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault
    

Virtual network not linked to private DNS zone

When creating a workspace with a private endpoint, the template creates a Private DNS Zone named privatelink.api.azureml.ms. A virtual network link is automatically added to this private DNS zone. The link is only added for the first workspace and private endpoint you create in a resource group; if you create another virtual network and workspace with a private endpoint in the same resource group, the second virtual network may not get added to the private DNS zone.

To view the virtual network links that already exist for the private DNS zone, use the following Azure CLI command:

az network private-dns link vnet list --zone-name privatelink.api.azureml.ms --resource-group myresourcegroup

To add the virtual network that contains another workspace and private endpoint, use the following steps:

  1. To find the virtual network ID for the network that you want to add, use the following command:

    az network vnet show --name myvnet --resource-group myresourcegroup --query id
    

    This command returns a value similar to "/subscriptions/GUID/resourceGroups/myresourcegroup/providers/Microsoft.Network/virtualNetworks/myvnet". Save this value and use it in the next step.

  2. To add a virtual network link to the privatelink.api.azureml.ms Private DNS Zone, use the following command. For the --virtual-network parameter, use the output of the previous command:

    az network private-dns link vnet create --name mylinkname --registration-enabled true --resource-group myresourcegroup --virtual-network myvirtualnetworkid --zone-name privatelink.api.azureml.ms
    

Next steps