Connecting to AMLS workspace with private endpoint using Python SDK and proxy

Question

I have created an AMLS workspace with a private endpoint in a vnet that is peered into a company's network. I would like to access the AMLS workspace using a company VM (Windows) to add compute, add datastores, deploy models, etc. using the Azure ML Python SDK.

The company VM has a proxy in place which initially was blocking my ability to even log in to the AMLS workspace. After adding an HTTPS_PROXY environment variable and configuring the powershell profile for the proxy server, I can now log in to Azure from powershell (az login) and I can access the AMLS workspace using Python (ws = Workspace.get(), ws.get_details(), etc.). However, as soon as I try to access any of the resources (e.g. ws.get_default_datastore(), cluster = ComputeTarget(workspace=ws, name=cluster_name)) I get SSL certificate verification errors:

requests.exceptions.SSLError: HTTPSConnectionPool(host='<WORKSPACE_ID>.workspace.canadacentral.api.azureml.ms', port=443): Max retries
 exceeded with url: /discovery/workspaces/<WORKSPACE_ID> (Caused by SSLError(SSLCertVerificationError(1,
 '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1091)')))

There is a similar problem mentioned here: https://github.com/Azure/azure-sdk-for-python/issues/1089, but I'm still unsure how to solve this. What is the best approach here? Should I turn off certificate validation in the Azure ML Python SDK? If so, how?

Answer 1

compute instances and compute cluster with private endpoint workspace. Please follow this guidance https://learn.microsoft.com/en-us/azure/machine-learning/how-to-secure-training-vnet?view=azure-ml-py#mlcports

published AML Terraform templates with Private Link support here:

https://github.com/csiebler/azure-machine-learning-terraform