Azure Machine Learning workspace is not configured with private endpoint
Description
This policy checks whether an Azure Machine Learning workspace is configured with a private endpoint. Configuring a private endpoint for the workspace is recommended: it restricts network access to the workspace and prevents access from the public internet.
Code Example
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.MachineLearningServices/workspaces",
      "apiVersion": "2022-12-01",
      "name": "fail1",
      "location": "West US",
      "properties": {
        "managedNetwork": {
          "outboundRules": {
            "rule1": {
              "type": "PrivateEndpoint"
            }
          }
        }
      }
    }
  ]
}
```
Remediation
ARM
- Resource: Microsoft.MachineLearningServices/workspaces
- Arguments: managedNetwork.outboundRules
Configure the Azure Machine Learning workspace to use a private endpoint. To do this, add an entry under managedNetwork.outboundRules whose type is set to PrivateEndpoint, as in the rule1 entry of the example above. Traffic to the workspace is then carried only over the private network connection.
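The check this policy performs can be reproduced offline against an ARM template. The following is an added example, not code from the page or from Checkov: it walks the template's resources, keeps only Microsoft.MachineLearningServices/workspaces entries, and reports every workspace that has no managedNetwork.outboundRules entry of type PrivateEndpoint. The template below is constructed for the example; the workspace names and the FQDN rule in it are illustrative.

```python
import json

# Constructed sample template (not from the page): one compliant workspace,
# one with no managed network at all, one whose only rule has another type,
# and one unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.MachineLearningServices/workspaces", "apiVersion": "2022-12-01",
     "name": "ws-pass", "location": "West US",
     "properties": {"managedNetwork": {"outboundRules": {"rule1": {"type": "PrivateEndpoint"}}}}},
    {"type": "Microsoft.MachineLearningServices/workspaces", "apiVersion": "2022-12-01",
     "name": "ws-fail-no-network", "location": "West US",
     "properties": {}},
    {"type": "Microsoft.MachineLearningServices/workspaces", "apiVersion": "2022-12-01",
     "name": "ws-fail-wrong-type", "location": "West US",
     "properties": {"managedNetwork": {"outboundRules": {"rule1": {"type": "FQDN"}}}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "unrelated"}
  ]
}
""")

WORKSPACE_TYPE = "Microsoft.MachineLearningServices/workspaces"


def has_private_endpoint_rule(resource: dict) -> bool:
    """True if any managedNetwork.outboundRules entry has type PrivateEndpoint."""
    props = resource.get("properties") or {}
    network = props.get("managedNetwork") or {}
    rules = network.get("outboundRules") if isinstance(network, dict) else None
    if not isinstance(rules, dict):
        # No managed network, or no outbound rules at all: the workspace fails.
        return False
    return any(isinstance(rule, dict) and rule.get("type") == "PrivateEndpoint"
               for rule in rules.values())


def find_failing_workspaces(template: dict) -> list[str]:
    """Names of ML workspaces in the template that lack a PrivateEndpoint rule."""
    failing = []
    for resource in template.get("resources", []):
        if resource.get("type") != WORKSPACE_TYPE:
            continue  # other resource types are out of scope for this policy
        if not has_private_endpoint_rule(resource):
            failing.append(resource.get("name", "<unnamed>"))
    return failing


if __name__ == "__main__":
    print(find_failing_workspaces(SAMPLE_TEMPLATE))
```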
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0746 |
| Severity | MEDIUM |
| IaC Type | arm |
| Frameworks | ARM, Bicep |
| Checkov ID | CKV_AZURE_239 |