Create and manage Azure Machine Learning workspaces

In this article, you'll create, view, and delete Azure Machine Learning workspaces, using the Azure portal or the SDK for Python.

As your needs change or requirements for automation increase, you can also create and delete workspaces using the CLI, or via the VS Code extension.

Prerequisites

Limitations

  • When creating a new workspace, you can either automatically create the services needed by the workspace or use existing services. If you want to use existing services from a different Azure subscription than the workspace, you must register the Azure Machine Learning namespace in the subscription that contains those services. For example, when you create a workspace in subscription A that uses a storage account from subscription B, the Azure Machine Learning namespace must be registered in subscription B before you can use the storage account with the workspace.

    The resource provider for Azure Machine Learning is Microsoft.MachineLearningService. For information on how to see if it is registered and how to register it, see the Azure resource providers and types article.

    Important

    This only applies to resources provided during workspace creation: Azure Storage Accounts, Azure Container Registry, Azure Key Vault, and Application Insights.

By default, creating a workspace also creates an Azure Container Registry (ACR). Since ACR does not currently support unicode characters in resource group names, use a resource group that does not contain these characters.

Create a workspace

  • Default specification. By default, dependent resources as well as the resource group will be created automatically. This code creates a workspace named myworkspace and a resource group named myresourcegroup in chinaeast2.

    from azureml.core import Workspace
    
    ws = Workspace.create(name='myworkspace',
                   subscription_id='<azure-subscription-id>',
                   resource_group='myresourcegroup',
                   create_resource_group=True,
                   location='chinaeast2'
                   )
    

    Set create_resource_group to False if you have an existing Azure resource group that you want to use for the workspace.

  • Multiple tenants. If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use. Find your tenant ID from the Azure portal under Azure Active Directory, External Identities.

    from azureml.core.authentication import InteractiveLoginAuthentication
    from azureml.core import Workspace
    
    interactive_auth = InteractiveLoginAuthentication(tenant_id="my-tenant-id")
    ws = Workspace.create(name='myworkspace',
                subscription_id='<azure-subscription-id>',
                resource_group='myresourcegroup',
                create_resource_group=True,
                location='chinaeast2',
                auth=interactive_auth
                )
    
  • Sovereign cloud. You'll need extra code to authenticate to Azure if you're working in a sovereign cloud.

    from azureml.core.authentication import InteractiveLoginAuthentication
    from azureml.core import Workspace
    
    interactive_auth = InteractiveLoginAuthentication(cloud="<cloud name>") # for example, cloud="AzureUSGovernment"
    ws = Workspace.create(name='myworkspace',
                subscription_id='<azure-subscription-id>',
                resource_group='myresourcegroup',
                create_resource_group=True,
                location='chinaeast2',
                auth=interactive_auth
                )
    
  • Use existing Azure resources. You can also create a workspace that uses existing Azure resources with the Azure resource ID format. Find the specific Azure resource IDs in the Azure portal or with the SDK. This example assumes that the resource group, storage account, key vault, App Insights and container registry already exist.

    import os
    from azureml.core import Workspace
    from azureml.core.authentication import ServicePrincipalAuthentication

    # Read the service principal secret from the environment instead of hard-coding it.
    service_principal_password = os.environ.get("AZUREML_PASSWORD")

    service_principal_auth = ServicePrincipalAuthentication(
        tenant_id="<tenant-id>",
        username="<application-id>",
        password=service_principal_password)

    # Existing dependent resources are passed in Azure resource ID format.
    ws = Workspace.create(name='myworkspace',
                          auth=service_principal_auth,
                          subscription_id='<azure-subscription-id>',
                          resource_group='myresourcegroup',
                          create_resource_group=False,
                          location='chinaeast2',
                          friendly_name='My workspace',
                          storage_account='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.storage/storageaccounts/mystorageaccount',
                          key_vault='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.keyvault/vaults/mykeyvault',
                          app_insights='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.insights/components/myappinsights',
                          container_registry='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.containerregistry/registries/mycontainerregistry',
                          exist_ok=False)
    

For more information, see Workspace SDK reference.

If you have problems in accessing your subscription, see Set up authentication for Azure Machine Learning resources and workflows, as well as the Authentication in Azure Machine Learning notebook.

Networking

The Azure Machine Learning Python SDK provides the PrivateEndpointConfig class, which can be used with Workspace.create() to create a workspace with a private endpoint. This class requires an existing virtual network.

Important

Using a private endpoint with Azure Machine Learning workspace is currently in public preview. This preview is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Multiple workspaces with private endpoint

When you create a private endpoint, a new Private DNS Zone named privatelink.api.azureml.ms is created. This zone contains a link to the virtual network. If you create multiple workspaces with private endpoints in the same resource group, only the virtual network for the first private endpoint may be added to the DNS zone. To add entries for the virtual networks used by the additional workspaces/private endpoints, use the following steps:

  1. In the Azure portal, select the resource group that contains the workspace. Then select the Private DNS Zone resource named privatelink.api.azureml.ms.
  2. In the Settings, select Virtual network links.
  3. Select Add. From the Add virtual network link page, provide a unique Link name, and then select the Virtual network to be added. Select OK to add the network link.

For more information, see Azure Private Endpoint DNS configuration.

Vulnerability scanning

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. You should allow Azure Security Center to scan your resources and follow its recommendations. For more, see Azure Kubernetes Services integration with Security Center.

Advanced

By default, metadata for the workspace is stored in an Azure Cosmos DB instance that Microsoft maintains. This data is encrypted using Microsoft-managed keys.

To limit the data that Microsoft collects on your workspace, select High business impact workspace in the portal, or set hbi_workspace=True in Python. For more information on this setting, see Encryption at rest.

Important

Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.

Use your own key

You can provide your own key for data encryption. Doing so creates the Azure Cosmos DB instance that stores metadata in your Azure subscription.

Important

The Cosmos DB instance is created in a Microsoft-managed resource group in your subscription, along with any resources it needs. This means that you are charged for this Cosmos DB instance. The managed resource group is named in the format <AML Workspace Resource Group Name><GUID>. If your Azure Machine Learning workspace uses a private endpoint, a virtual network is also created for the Cosmos DB instance. This VNet is used to secure communication between Cosmos DB and Azure Machine Learning.

  • Do not delete the resource group that contains this Cosmos DB instance, or any of the resources automatically created in this group. If you need to delete the resource group, Cosmos DB instance, etc., you must delete the Azure Machine Learning workspace that uses it. The resource group, Cosmos DB instance, and other automatically created resources are deleted when the associated workspace is deleted.
  • The default Request Units for this Cosmos DB account is set at 8000.
  • You cannot provide your own VNet for use with the Cosmos DB instance that is created. You also cannot modify the virtual network. For example, you cannot change the IP address range that it uses.

Use the following steps to provide your own key:

Important

Before following these steps, you must first perform the following actions:

  1. Authorize the Machine Learning App (in Identity and Access Management) with contributor permissions on your subscription.

  2. Follow the steps in Configure customer-managed keys to:

    • Register the Azure Cosmos DB provider
    • Create and configure an Azure Key Vault
    • Generate a key

    You do not need to manually create the Azure Cosmos DB instance; one will be created for you during workspace creation. This Azure Cosmos DB instance will be created in a separate resource group using a name based on this pattern: <your-workspace-resource-name>_<GUID>.

You cannot change this setting after workspace creation. If you delete the Azure Cosmos DB used by your workspace, you must also delete the workspace that is using it.

Use cmk_keyvault and resource_cmk_uri to specify the customer managed key.

from azureml.core import Workspace

# cmk_keyvault is the Key Vault resource ID; resource_cmk_uri is the key identifier.
ws = Workspace.create(name='myworkspace',
                      subscription_id='<azure-subscription-id>',
                      resource_group='myresourcegroup',
                      create_resource_group=True,
                      location='chinaeast2',
                      cmk_keyvault='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.keyvault/vaults/<keyvault-name>',
                      resource_cmk_uri='<key-identifier>'
                      )
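
An offline pre-flight check for the Workspace.create() arguments discussed on this page, added here as an example (it is not part of the Azure ML SDK or of the original article). It covers the cross-subscription registration rule and the ACR naming limit from Limitations, the resource ID format from "Use existing Azure resources", and the cmk_keyvault/resource_cmk_uri pair above. Assumptions: the function name preflight, reading "unicode characters" as non-ASCII, and key identifiers of the form https://<vault>.<suffix>/keys/...

```python
import re
from urllib.parse import urlparse

# Workspace.create() argument -> provider/type expected in its resource ID.
EXPECTED = {
    "storage_account": "microsoft.storage/storageaccounts",
    "key_vault": "microsoft.keyvault/vaults",
    "app_insights": "microsoft.insights/components",
    "container_registry": "microsoft.containerregistry/registries",
    "cmk_keyvault": "microsoft.keyvault/vaults",
}
RESOURCE_ID = re.compile(
    r"^/?subscriptions/(?P<sub>[^/]+)/resourcegroups/(?P<rg>[^/]+)"
    r"/providers/(?P<kind>[^/]+/[^/]+)/(?P<name>[^/]+)/?$", re.IGNORECASE)


def preflight(subscription_id, resource_group, **kwargs):
    """Check Workspace.create() arguments offline.

    Returns (errors, foreign_subscriptions); Microsoft.MachineLearningService
    must be registered in every subscription listed in the second value.
    """
    errors, foreign = [], set()
    # Assumption: "unicode characters" on this page means non-ASCII ones.
    if not resource_group.isascii():
        errors.append("resource_group: non-ASCII name is not supported by ACR")
    vault_name = None
    for arg, kind in EXPECTED.items():
        value = kwargs.get(arg)
        if value is None:
            continue
        m = RESOURCE_ID.match(value)
        if not m or m["kind"].lower() != kind:
            errors.append(f"{arg}: not a {kind} resource ID")
            continue
        if m["sub"].lower() != subscription_id.lower():
            foreign.add(m["sub"].lower())
        if arg == "cmk_keyvault":
            vault_name = m["name"].lower()
    key_uri, cmk = kwargs.get("resource_cmk_uri"), kwargs.get("cmk_keyvault")
    if (key_uri is None) != (cmk is None):
        errors.append("cmk_keyvault and resource_cmk_uri are expected together")
    elif key_uri is not None and vault_name is not None:
        # Assumption: key identifiers look like https://<vault>.<suffix>/keys/...
        url = urlparse(key_uri)
        if url.scheme != "https" or not url.path.startswith("/keys/"):
            errors.append("resource_cmk_uri: not an https key identifier")
        elif (url.hostname or "").lower().split(".")[0] != vault_name:
            errors.append("resource_cmk_uri: key is not in cmk_keyvault")
    return errors, sorted(foreign)


if __name__ == "__main__":
    # Constructed sample: the storage account sits in a second subscription.
    print(preflight(
        "sub-a", "myresourcegroup",
        storage_account="subscriptions/sub-b/resourcegroups/shared/providers/"
                        "microsoft.storage/storageaccounts/mystorageaccount"))
```

Run it with the same keyword arguments you intend to pass to Workspace.create(); an empty error list and an empty subscription list mean nothing on this page's checklist was tripped.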

Download a configuration file

If you will be creating a compute instance, skip this step. The compute instance has already created a copy of this file for you.

If you plan to use code on your local environment that references this workspace (ws), write the configuration file:

ws.write_config()

Place the file into the directory structure with your Python scripts or Jupyter Notebooks. It can be in the same directory, a subdirectory named .azureml, or in a parent directory. When you create a compute instance, this file is added to the correct directory on the VM for you.

Connect to a workspace

In your Python code, you create a workspace object to connect to your workspace. This code will read the contents of the configuration file to find your workspace. You will get a prompt to sign in if you are not already authenticated.

from azureml.core import Workspace

ws = Workspace.from_config()

  • Multiple tenants. If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use. Find your tenant ID from the Azure portal under Azure Active Directory, External Identities.

    from azureml.core.authentication import InteractiveLoginAuthentication
    from azureml.core import Workspace
    
    interactive_auth = InteractiveLoginAuthentication(tenant_id="my-tenant-id")
    ws = Workspace.from_config(auth=interactive_auth)
    
  • Sovereign cloud. You'll need extra code to authenticate to Azure if you're working in a sovereign cloud.

    from azureml.core.authentication import InteractiveLoginAuthentication
    from azureml.core import Workspace
    
    interactive_auth = InteractiveLoginAuthentication(cloud="<cloud name>") # for example, cloud="AzureUSGovernment"
    ws = Workspace.from_config(auth=interactive_auth)
    

If you have problems in accessing your subscription, see Set up authentication for Azure Machine Learning resources and workflows, as well as the Authentication in Azure Machine Learning notebook.

Find a workspace

See a list of all the workspaces you can use.

Find your subscriptions in the Subscriptions page in the Azure portal. Copy the ID and use it in the code below to see all workspaces available for that subscription.

from azureml.core import Workspace

Workspace.list('<subscription-id>')

Delete a workspace

When you no longer need a workspace, delete it.

Delete the workspace ws:

ws.delete(delete_dependent_resources=False, no_wait=False)

The default action is not to delete resources associated with the workspace, that is, the container registry, storage account, key vault, and Application Insights. Set delete_dependent_resources to True to delete these resources as well.

Clean up resources

Important

The resources you created can be used as prerequisites to other Azure Machine Learning tutorials and how-to articles.

If you don't plan to use the resources you created, delete them, so you don't incur any charges:

  1. In the Azure portal, select Resource groups on the far left.


  2. From the list, select the resource group you created.

  3. Select Delete resource group.

  4. Enter the resource group name. Then select Delete.

Troubleshooting

  • Supported browsers in Azure Machine Learning studio: We recommend that you use the most up-to-date browser that's compatible with your operating system. The following browsers are supported:

    • Microsoft Edge (the new Microsoft Edge, latest version; not Microsoft Edge legacy)
    • Safari (latest version, Mac only)
    • Chrome (latest version)
    • Firefox (latest version)
  • Azure portal:

    • If you go directly to your workspace from a share link from the SDK or the Azure portal, you can't view the standard Overview page that has subscription information in the extension. In this scenario, you also can't switch to another workspace. To view another workspace, go directly to Azure Machine Learning studio and search for the workspace name.

    • All assets (Datasets, Experiments, Computes, and so on) are available only in Azure Machine Learning studio. They're not available from the Azure portal.

Resource provider errors

When creating an Azure Machine Learning workspace, or a resource used by the workspace, you may receive an error similar to the following messages:

  • No registered resource provider found for location {location}
  • The subscription is not registered to use namespace {resource-provider-namespace}

Most resource providers are automatically registered, but not all. If you receive this message, you need to register the provider mentioned.

For information on registering resource providers, see Resolve errors for resource provider registration.

Moving the workspace

Warning

Moving your Azure Machine Learning workspace to a different subscription, or moving the owning subscription to a new tenant, is not supported. Doing so may cause errors.

Deleting the Azure Container Registry

The Azure Machine Learning workspace uses Azure Container Registry (ACR) for some operations. It will automatically create an ACR instance when it first needs one.

Warning

Once an Azure Container Registry has been created for a workspace, do not delete it. Doing so will break your Azure Machine Learning workspace.

Examples

Examples of creating a workspace:

Next steps

Once you have a workspace, learn how to Train and deploy a model.