
Commit 40caddf

committed
updating 201 AML
1 parent 38e62ab commit 40caddf

5 files changed

Lines changed: 223 additions & 14 deletions


Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
# Local .terraform directories
2+
**/.terraform/*
3+
4+
# .tfstate files
5+
*.tfstate
6+
*.tfstate.*
7+
8+
# Crash log files
9+
crash.log
10+
11+
# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
12+
# .tfvars files are managed as part of configuration and so should be included in
13+
# version control.
14+
#
15+
# example.tfvars
16+
17+
# Ignore override files as they are usually used to override resources locally and so
18+
# are not checked in
19+
override.tf
20+
override.tf.json
21+
*_override.tf
22+
*_override.tf.json
23+
values.tfvars
24+
*.tfvars
25+
settings.tfvars
26+
# Include override files you do wish to add to version control using negated pattern
27+
#
28+
# !example_override.tf
29+
30+
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
31+
# example: *tfplan*
32+
terraform/.terraform.lock.hcl
33+
.DS_Store
34+
terraform/.terraform.lock.hcl
35+
terraform/.terraform.lock.hcl
36+
.terraform.lock.hcl
37+
terraform/.terraform.lock.hcl
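Review bot: The `terraform/.terraform.lock.hcl` entries (lines 32 and 34, 35, 37 of the new file) together with `.terraform.lock.hcl` on line 36 keep the provider dependency lock file out of version control, and that file is the only artefact that records provider package hashes between runs; the `=2.76.0` constraint in main.tf pins the version, not the hashes, so every fresh `terraform init` accepts whatever the registry serves for that version. Removing those five lines (four of which are duplicates of each other) and committing the lock file restores that check. `values.tfvars` and `settings.tfvars` are already matched by `*.tfvars` on the preceding line and can be dropped too.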

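--- a/quickstart/201-machine-learning-moderately-secure/main.tf
+++ b/quickstart/201-machine-learning-moderately-secure/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
-version = "=2.72.0"
+version = "=2.76.0"
 }
 }
 }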

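--- a/quickstart/201-machine-learning-moderately-secure/network.tf
+++ b/quickstart/201-machine-learning-moderately-secure/network.tf
@@ -6,11 +6,27 @@ resource "azurerm_virtual_network" "default" {
 resource_group_name = azurerm_resource_group.default.name
 }
 
-resource "azurerm_subnet" "mlsubnet" {
-name = "mlsubnet"
+resource "azurerm_subnet" "training-subnet" {
+name = "training-subnet"
 resource_group_name = azurerm_resource_group.default.name
 virtual_network_name = azurerm_virtual_network.default.name
-address_prefixes = var.subnet_address_space
+address_prefixes = var.training_subnet_address_space
+enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "aks-subnet" {
+name = "aks-subnet"
+resource_group_name = azurerm_resource_group.default.name
+virtual_network_name = azurerm_virtual_network.default.name
+address_prefixes = var.aks_subnet_address_space
+enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "ml-subnet" {
+name = "ml-subnet"
+resource_group_name = azurerm_resource_group.default.name
+virtual_network_name = azurerm_virtual_network.default.name
+address_prefixes = var.ml_subnet_address_space
 enforce_private_link_endpoint_network_policies = true
 }
 
@@ -87,3 +103,110 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" {
 private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name
 virtual_network_id = azurerm_virtual_network.default.id
 }
+
+# Network Security Groups
+
+resource "azurerm_network_security_group" "training-NSG" {
+name = "training-NSG"
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+
+security_rule {
+name = "BatchNodeManagement"
+priority = 100
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_range = "29876-29877"
+source_address_prefix = "BatchNodeManagement"
+destination_address_prefix = "*"
+}
+security_rule {
+name = "AzureMachineLearning"
+priority = 110
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_range = "44224"
+source_address_prefix = "AzureMachineLearning"
+destination_address_prefix = "*"
+}
+}
+
+resource "azurerm_subnet_network_security_group_association" "training-NSG-link" {
+subnet_id = azurerm_subnet.training-subnet.id
+network_security_group_id = azurerm_network_security_group.training-NSG.id
+}
+
+resource "azurerm_network_security_group" "aks-NSG" {
+name = "aks-NSG"
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+
+
+}
+
+resource "azurerm_subnet_network_security_group_association" "aks-NSG-link" {
+subnet_id = azurerm_subnet.aks-subnet.id
+network_security_group_id = azurerm_network_security_group.aks-NSG.id
+}
+
+# User Defined Routes
+
+#UDR for Compute instance and compute clusters
+resource "azurerm_route_table" "training-UDR" {
+name = "training-UDR"
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_route" "training-Internet-Route" {
+name = "Internet"
+resource_group_name = azurerm_resource_group.default.name
+route_table_name = azurerm_route_table.training-UDR.name
+address_prefix = "0.0.0.0/0"
+next_hop_type = "Internet"
+}
+
+resource "azurerm_route" "training-AzureMLRoute" {
+name = "AzureMLRoute"
+resource_group_name = azurerm_resource_group.default.name
+route_table_name = azurerm_route_table.training-UDR.name
+address_prefix = "AzureMachineLearning"
+next_hop_type = "Internet"
+}
+
+resource "azurerm_route" "training-BatchRoute" {
+name = "BatchRoute"
+resource_group_name = azurerm_resource_group.default.name
+route_table_name = azurerm_route_table.training-UDR.name
+address_prefix = "BatchNodeManagement"
+next_hop_type = "Internet"
+}
+
+resource "azurerm_subnet_route_table_association" "training-UDRlink" {
+subnet_id = azurerm_subnet.training-subnet.id
+route_table_id = azurerm_route_table.training-UDR.id
+}
+# Inferencing (AKS) Route
+
+resource "azurerm_route_table" "aks-UDR" {
+name = "aks-UDR"
+location = azurerm_resource_group.default.location
+resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_route" "aks-Internet-Route" {
+name = "Internet"
+resource_group_name = azurerm_resource_group.default.name
+route_table_name = azurerm_route_table.aks-UDR.name
+address_prefix = "0.0.0.0/0"
+next_hop_type = "Internet"
+}
+
+resource "azurerm_subnet_route_table_association" "aks-UDR-link" {
+subnet_id = azurerm_subnet.aks-subnet.id
+route_table_id = azurerm_route_table.aks-UDR.id
+}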
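Review bot: `training-Internet-Route` sends `0.0.0.0/0` to `next_hop_type = "Internet"` and `aks-Internet-Route` does the same for the AKS subnet; with no BGP-propagated default route this duplicates Azure's system route, and where one exists (forced tunnelling over VPN/ExpressRoute) it overrides it and sends all subnet egress straight to the Internet, which also makes the `AzureMachineLearning` and `BatchNodeManagement` service-tag routes redundant. If the template intends egress inspection, the default route should point at the appliance (`next_hop_type = "VirtualAppliance"` with `next_hop_in_ip_address`) and only the two service-tag routes keep `Internet`; if not, a comment above `training-UDR` stating why the default route is pinned to Internet stops the next reader from assuming it restricts anything. `aks-NSG` carries no `security_rule` blocks, so only the default rules apply to aks-subnet; a one-line comment that this is intentional would help. In the first hunk, `enforce_private_link_endpoint_network_policies = true` is also set on training-subnet and aks-subnet; in azurerm 2.x a value of `true` disables private-endpoint network policies despite the attribute's name, which only ml-subnet (where the private endpoints live) needs, so confirm it is wanted on the two compute subnets.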

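--- a/quickstart/201-machine-learning-moderately-secure/variables.tf
+++ b/quickstart/201-machine-learning-moderately-secure/variables.tf
@@ -17,12 +17,30 @@ variable "location" {
 
 variable "vnet_address_space" {
 type = list(string)
-description = "Address space of the subnet"
+description = "Address space of the virtual network"
 default = ["10.0.0.0/16"]
 }
 
-variable "subnet_address_space" {
+variable "training_subnet_address_space" {
 type = list(string)
-description = "Address space of the subnet"
+description = "Address space of the training subnet"
 default = ["10.0.0.0/24"]
+}
+
+variable "aks_subnet_address_space" {
+type = list(string)
+description = "Address space of the aks subnet"
+default = ["10.0.1.0/24"]
+}
+
+variable "ml_subnet_address_space" {
+type = list(string)
+description = "Address space of the ML workspace subnet"
+default = ["10.0.2.0/24"]
+}
+
+variable "image_build_compute_name" {
+type = string
+description = "Name of the compute cluster to be created and set to build docker images"
+default = "image-builder"
 }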

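--- a/quickstart/201-machine-learning-moderately-secure/workspace.tf
+++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf
@@ -12,7 +12,7 @@ resource "azurerm_key_vault" "default" {
 resource_group_name = azurerm_resource_group.default.name
 tenant_id = data.azurerm_client_config.current.tenant_id
 sku_name = "premium"
-purge_protection_enabled = false
+purge_protection_enabled = true
 
 network_acls {
 default_action = "Deny"
@@ -61,7 +61,7 @@ resource "azurerm_private_endpoint" "kv_ple" {
 name = "ple-${var.name}-${var.environment}-kv"
 location = azurerm_resource_group.default.location
 resource_group_name = azurerm_resource_group.default.name
-subnet_id = azurerm_subnet.mlsubnet.id
+subnet_id = azurerm_subnet.ml-subnet.id
 
 private_dns_zone_group {
 name = "private-dns-zone-group"
@@ -80,7 +80,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" {
 name = "ple-${var.name}-${var.environment}-st-blob"
 location = azurerm_resource_group.default.location
 resource_group_name = azurerm_resource_group.default.name
-subnet_id = azurerm_subnet.mlsubnet.id
+subnet_id = azurerm_subnet.ml-subnet.id
 
 private_dns_zone_group {
 name = "private-dns-zone-group"
@@ -99,7 +99,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" {
 name = "ple-${var.name}-${var.environment}-st-file"
 location = azurerm_resource_group.default.location
 resource_group_name = azurerm_resource_group.default.name
-subnet_id = azurerm_subnet.mlsubnet.id
+subnet_id = azurerm_subnet.ml-subnet.id
 
 private_dns_zone_group {
 name = "private-dns-zone-group"
@@ -118,7 +118,7 @@ resource "azurerm_private_endpoint" "cr_ple" {
 name = "ple-${var.name}-${var.environment}-cr"
 location = azurerm_resource_group.default.location
 resource_group_name = azurerm_resource_group.default.name
-subnet_id = azurerm_subnet.mlsubnet.id
+subnet_id = azurerm_subnet.ml-subnet.id
 
 private_dns_zone_group {
 name = "private-dns-zone-group"
@@ -137,7 +137,7 @@ resource "azurerm_private_endpoint" "mlw_ple" {
 name = "ple-${var.name}-${var.environment}-mlw"
 location = azurerm_resource_group.default.location
 resource_group_name = azurerm_resource_group.default.name
-subnet_id = azurerm_subnet.mlsubnet.id
+subnet_id = azurerm_subnet.ml-subnet.id
 
 private_dns_zone_group {
 name = "private-dns-zone-group"
@@ -153,5 +153,36 @@ resource "azurerm_private_endpoint" "mlw_ple" {
 subresource_names = [ "amlworkspace" ]
 is_manual_connection = false
 }
+}
+#Compute cluster for image building https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds
+
+resource "azurerm_machine_learning_compute_cluster" "image-builder" {
+name = "${var.image_build_compute_name}"
+location = azurerm_resource_group.default.location
+vm_priority = "LowPriority"
+vm_size = "Standard_DS2_v2"
+machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
+subnet_resource_id = azurerm_subnet.training-subnet.id
+
+scale_settings {
+min_node_count = 0
+max_node_count = 1
+scale_down_nodes_after_idle_duration = "PT30S" # 30 seconds
+}
+
+identity {
+type = "SystemAssigned"
+}
+}
+
+# Update workspace for image-build-compute
 
-}
+resource "null_resource" "ws_image_build_compute"{
+provisioner "local-exec" {
+command = <<EOF
+az ml workspace update --resource-group ${azurerm_resource_group.default.name} --workspace-name ${azurerm_machine_learning_workspace.default.name} --image-build-compute ${azurerm_machine_learning_compute_cluster.image-builder.name}
+
+EOF
+}
+depends_on = [azurerm_machine_learning_compute_cluster.image-builder]
+}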
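Review bot: `null_resource.ws_image_build_compute` has no `triggers`, so the `az ml workspace update` in its `local-exec` runs only on the first apply; if `var.image_build_compute_name` changes or the cluster is replaced, the workspace keeps pointing at a compute that no longer exists and Terraform reports no drift. Adding `triggers = { image_build_compute = azurerm_machine_learning_compute_cluster.image-builder.id }` ties the re-run to the cluster, and the explicit `depends_on` is then redundant because the command already references the cluster's `name`. The provisioner also introduces a hidden dependency on an `az` CLI with the `ml` extension and an already-authenticated identity on the machine running Terraform, separate from the provider's own credentials; that should be stated in a comment above the resource or in the README, since a CI runner lacking it fails only at apply time. In the first hunk, `purge_protection_enabled = true` is the right hardening but is one-way: it cannot be switched off again and a `terraform destroy` leaves a soft-deleted vault that reserves the name for the soft-delete retention period, which deserves a comment on that line.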
