Audit and manage Azure Machine Learning using Azure Policy

Azure Policy is a governance tool that allows you to ensure that Azure resources are compliant with your policies. With Azure Machine Learning, you can assign the following policies:

  • Customer-managed key: Audit or enforce whether workspaces must use a customer-managed key.
  • Private link: Audit whether workspaces use a private endpoint to communicate with a virtual network.

Policies can be set at different scopes, such as at the subscription or resource group level. For more information, see the Azure Policy documentation.

Built-in policies

Azure Machine Learning provides a set of policies that you can use for common scenarios with Azure Machine Learning. You can assign these policy definitions to your existing subscription or use them as the basis to create your own custom definitions. For a complete list of the built-in policies for Azure Machine Learning, see Built-in policies for Azure Machine Learning.

To view the built-in policy definitions related to Azure Machine Learning, use the following steps:

  1. Go to Azure Policy in the Azure portal.
  2. Select Definitions.
  3. For Type, select Built-in, and for Category, select Machine Learning.

From here, you can select policy definitions to view them. While viewing a definition, you can use the Assign link to assign the policy to a specific scope and configure the parameters for the policy. For more information, see Assign a policy - portal.

You can also assign policies by using Azure PowerShell, the Azure CLI, and templates.

Workspace encryption with a customer-managed key

Controls whether workspaces must be encrypted with a customer-managed key, or may use a Microsoft-managed key to encrypt metrics and metadata. For more information on using a customer-managed key, see the Azure Cosmos DB section of the data encryption article.

To configure this policy, set the effect parameter to audit or deny. If set to audit, you can create workspaces without a customer-managed key, and a warning event is created in the activity log.

If the policy is set to deny, then you cannot create a workspace unless it specifies a customer-managed key. Attempting to create a workspace without a customer-managed key results in an error similar to "Resource 'clustername' was disallowed by policy" and creates an error in the activity log. The policy identifier is also returned as part of this error.
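Assigning the customer-managed-key policy from the Azure CLI and then checking compliance, as an added example that is not part of the original article. It assumes you are logged in with `az`, supply your own scope ID and the definition name returned by the listing step, and the function names are mine.

```shell
#!/usr/bin/env sh
# Added example, not code from the Azure docs. Assumes: `az` is logged in,
# the caller supplies a scope resource ID it controls, and the built-in
# definition is found by category rather than a hard-coded ID.

# Build the assignment parameters. The article documents two effects:
# Audit (workspace is created, warning in the activity log) and
# Deny (creation is blocked, error in the activity log).
cmk_policy_params() {
  case "$1" in
    Audit|Deny) printf '{"effect":{"value":"%s"}}' "$1" ;;
    *) echo "effect must be Audit or Deny, got: $1" >&2; return 1 ;;
  esac
}

# List built-in definitions in the Machine Learning category; this is the
# same filter as Type=Built-in, Category=Machine Learning in the portal.
list_ml_builtin_definitions() {
  az policy definition list \
    --query "[?policyType=='BuiltIn' && metadata.category=='Machine Learning'].{name:name, displayName:displayName}" \
    -o table
}

# Assign one definition at a scope with the chosen effect.
#   $1 = definition name (GUID) taken from list_ml_builtin_definitions
#   $2 = scope ID, e.g. /subscriptions/<sub-id>/resourceGroups/<rg>
#   $3 = Audit or Deny
assign_cmk_policy() {
  params=$(cmk_policy_params "$3") || return 1
  az policy assignment create \
    --name "aml-workspace-cmk-$3" \
    --display-name "AML workspaces must use a customer-managed key ($3)" \
    --policy "$1" \
    --scope "$2" \
    --params "$params"
}

# Report workspaces that are non-compliant with the assignment above.
# Compliance evaluation runs on a schedule, so a fresh assignment may take
# a while to show results; $1 is the effect used in assign_cmk_policy.
show_noncompliant() {
  az policy state list \
    --filter "PolicyAssignmentName eq 'aml-workspace-cmk-$1' and ComplianceState eq 'NonCompliant'" \
    --query "[].{resource:resourceId, action:policyDefinitionAction}" -o table
}

# Usage (not run automatically):
#   list_ml_builtin_definitions
#   assign_cmk_policy <definition-name> /subscriptions/<sub-id> Deny
#   show_noncompliant Deny
```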

Next steps