End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Check for Subnet Isolation

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

To ensure the secure isolation of compute instances and control planes within your organization's network boundary, deploy your Azure Machine Learning compute instances to specific Virtual Network (VNet) subnets.

Security

Deploying your Azure Machine Learning compute instances to Virtual Network (VNet) subnets provides strong network isolation. This removes public Internet access to the compute resources, allowing you to control inbound and outbound traffic using Network Security Groups (NSGs), thereby preventing data exfiltration and ensuring compliance with organization policies.


Audit

To determine if your Azure Machine Learning compute instances were deployed to Virtual Network (VNet) subnets, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Machine Learning workspace for Value, then choose Apply to list the Azure Machine Learning workspaces available in the selected subscription.

05 Click on the name (link) of the Machine Learning workspace that you want to examine.

06 In the resource navigation panel, select Overview, and choose Launch studio to open the Azure Machine Learning Studio.

07 In the left navigation panel, under Manage, choose Compute, and select the Compute instances tab to list the compute instances provisioned for the selected Azure Machine Learning workspace.

08 Click on the name (link) of the compute instance that you want to examine.

09 Select the Details tab and check the Virtual network/subnet attribute value to determine the state of the VNet integration. If the Virtual network/subnet configuration attribute does not have a value, the selected Azure Machine Learning compute instance was not deployed to a Virtual Network (VNet) subnet. Consequently, subnet isolation is not enabled for your compute instance.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run ml workspace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription:

az ml workspace list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Azure Machine Learning workspace identifiers:

Name                           ResourceGroup
------------------------       ------------------------------
cc-ml-project5-workspace       cloud-shell-storage-westeurope
cc-ml-production-workspace     cloud-shell-storage-westeurope

06 Run ml compute list command (Windows/macOS/Linux) with custom output filters to list the name of each compute instance provisioned for the selected Azure Machine Learning workspace:

az ml compute list
	--resource-group cloud-shell-storage-westeurope
	--workspace-name cc-ml-project5-workspace
	--output table
	--query "[].{Name:name}"

07 The command output should return the requested compute instance identifiers (names):

Name
----------------------
project5-ml-instance01
project5-ml-instance02
project5-ml-instance03

08 Run ml compute show command (Windows/macOS/Linux) with the name of the Azure Machine Learning compute instance that you want to examine as the identifier parameter, to describe the ID of the VNet subnet configured for the selected compute instance:

az ml compute show
	--name project5-ml-instance01
	--workspace-name cc-ml-project5-workspace
	--resource-group cloud-shell-storage-westeurope
	--query "{subnetId:network_settings.subnet}"

09 The command output should return the full ID of the associated VNet subnet, or null when no subnet is configured:

{
	"subnetId": null
}

If the ml compute show command output returns null for the "subnetId" attribute, as shown in the example above, the selected Azure Machine Learning compute instance was not deployed to a Virtual Network (VNet) subnet. As a result, subnet isolation is not enabled for your compute instance.
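The CLI audit above inspects one compute instance at a time. The following added example (not from this Conformity page or from Microsoft) applies the same null-subnet test to the whole workspace by evaluating the JSON that `az ml compute list --output json` returns. It assumes each record carries `type` and `network_settings.subnet` in the same shape as the `az ml compute show` output shown on this page; the sample records are constructed.

```python
"""Flag Azure ML compute instances that are not deployed to a VNet subnet.

Assumption: `az ml compute list -o json` returns one object per compute with
the same `type`, `name` and `network_settings.subnet` fields that
`az ml compute show` prints. The records below are constructed samples.
"""
import json
from typing import List, Optional

# Constructed sample for one workspace: two compute instances (one isolated,
# one not) and one training cluster, which this check deliberately ignores.
SAMPLE_COMPUTE_LIST = json.dumps([
    {"name": "project5-ml-instance01", "type": "computeinstance",
     "network_settings": {"subnet": None}},
    {"name": "ml-isolated-instance01", "type": "computeinstance",
     "network_settings": {"subnet": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
      "/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network"
      "/virtualNetworks/cc-project5-vnet/subnets/cc-project5-vnet-subnet01"}},
    {"name": "gpu-cluster", "type": "amlcompute", "network_settings": {}},
])


def subnet_of(compute: dict) -> Optional[str]:
    """Return the subnet resource ID of a compute, or None when it has none.

    A missing network_settings block, a missing subnet key, a JSON null and
    an empty string are all read as 'no subnet', matching the null subnetId
    the audit step above treats as non-compliant.
    """
    subnet = (compute.get("network_settings") or {}).get("subnet")
    return subnet or None


def non_isolated_instances(compute_list_json: str) -> List[str]:
    """Names of compute *instances* (clusters excluded) with no VNet subnet."""
    computes = json.loads(compute_list_json)
    return sorted(
        c["name"] for c in computes
        if str(c.get("type", "")).lower() == "computeinstance"
        and subnet_of(c) is None
    )


if __name__ == "__main__":
    for name in non_isolated_instances(SAMPLE_COMPUTE_LIST):
        print(f"{name}: not deployed to a VNet subnet (subnet isolation disabled)")
```

Feed it the real output with `az ml compute list --resource-group <rg> --workspace-name <ws> --output json` to get the list of instances that need the remediation below.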

Remediation / Resolution

The lack of network isolation increases attack surface. To ensure that your Azure Machine Learning compute instances are running within Virtual Network (VNet) subnets, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Machine Learning workspace for Value, then choose Apply to list the Azure Machine Learning workspaces available in the selected subscription.

05 Click on the name (link) of the Machine Learning workspace that you want to access.

06 In the resource navigation panel, select Overview, and choose Launch studio to open the Azure Machine Learning Studio.

07 In the left navigation panel, under Manage, choose Compute, and select the Compute instances tab.

08 To ensure that your Azure Machine Learning compute instances are running within Virtual Network (VNet) subnets, you must redeploy them to specific subnets. Choose New and perform the following actions to create your new compute instance:

  1. For Required settings, enter a name for the new instance in the Compute name box, select the instance type from the Virtual machine type, choose Select from all options under Virtual machine size, and select the appropriate VM size for your instance. Choose Next to continue the setup process.
  2. (Optional) For Scheduling, choose whether to schedule the compute to start or stop on a recurring basis. You can also configure instance auto shutdown on this step. Choose Next to continue.
  3. For Security, configure security settings such as SSH access, virtual network injection, root access, Single Sign-On (SSO), and managed identity for your new compute instance. Under Virtual network, switch on the Enable virtual network button, choose the name of the Azure VNet that you want to use from the Virtual network dropdown list, and select the VNet subnet where the compute instance will be deployed from the Subnet dropdown list. Choose Next to continue the setup.
  4. (Optional) For Applications, choose Add application, and add custom applications you may want to use on your compute instance. You can also choose to provision the new instance with a creation and/or startup script on this step. Choose Next to continue.
  5. (Optional) For Tags, use the Name and Value text fields to create the tagging schema for your compute instance. Choose Next to continue the setup.
  6. For Review, review the instance configuration and choose Create to deploy your new compute instance.

09 (Optional) To remove the outdated compute instance from your Azure Machine Learning workspace, select the instance that you want to remove, select Delete, and choose Delete again in the confirmation box.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to access as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run ml workspace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription:

az ml workspace list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Azure Machine Learning workspace identifiers:

Name                           ResourceGroup
------------------------       ------------------------------
tm-ml-project5-workspace       cloud-shell-storage-westeurope
tm-ml-production-workspace     cloud-shell-storage-westeurope

06 To ensure that your Azure Machine Learning compute instances are running within Virtual Network (VNet) subnets, you must redeploy them to specific subnets. Run ml compute create command (Windows/macOS/Linux) to create your new compute instance. Use the --subnet command parameter to specify the name of your VNet subnet:

az ml compute create
	--name ml-isolated-instance01
	--size Standard_DS3_v2
	--type ComputeInstance
	--workspace-name cc-ml-project5-workspace
	--resource-group cloud-shell-storage-westeurope
	--subnet cc-project5-vnet-subnet01
	--enable-node-public-ip false

07 The command output should return the configuration information available for the new compute instance:

{
	"created_on": "2025-10-02T12:30:43.855643+0000",
	"enable_node_public_ip": false,
	"enable_os_patching": false,
	"enable_root_access": true,
	"enable_sso": true,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/cc-ml-project5-workspace/computes/ml-isolated-instance01",
	"last_operation": {
		"operation_name": "Create",
		"operation_status": "Succeeded",
		"operation_time": "2025-10-02T12:30:51.837Z",
		"operation_trigger": "User"
	},
	"location": "westeurope",
	"name": "ml-isolated-instance01",
	"network_settings": {
		"private_ip_address": "10.0.0.4"
	},
	"os_image_metadata": {
		"current_image_version": "25.07.12",
		"is_latest_os_image_version": true,
		"latest_image_version": "25.07.12"
	},
	"provisioning_state": "Succeeded",
	"release_quota_on_stop": false,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"services": [
		{
			"display_name": "Jupyter",
			"endpoint_uri": "https://ml-isolated-instance01.westeurope.instances.azureml.ms/tree/"
		},
		{
			"display_name": "Jupyter Lab",
			"endpoint_uri": "https://ml-isolated-instance01.westeurope.instances.azureml.ms/lab"
		}
	],
	"size": "Standard_DS3_v2",
	"ssh_public_access_enabled": false,
	"ssh_settings": {
		"admin_username": "azureuser",
		"ssh_port": "50000"
	},
	"state": "Running",
	"type": "computeinstance"
}

08 (Optional) To remove the non-compliant compute instance from your Azure Machine Learning workspace, run ml compute delete command (Windows/macOS/Linux) to delete the specified compute instance (the command does not produce an output):

az ml compute delete
	--name project5-ml-instance01
	--workspace-name cc-ml-project5-workspace
	--resource-group cloud-shell-storage-westeurope
	--yes

Publication date Oct 13, 2025