Skip to content

Latest commit

 

History

History
51 lines (33 loc) · 2.94 KB

silo_open.md

File metadata and controls

51 lines (33 loc) · 2.94 KB
Raw

Create an open sandbox silo

⚠️ This should be used for development purpose only.

Prerequisites

To run these deployment options, you first need:

  • an existing Azure ML workspace (see cookbook)
  • an existing orchestrator (see tutorial)
  • have permissions to create resources, set permissions, and create identities in this subscription (or at least in one resource group),
    • Note that to set permissions, you typically need Owner role in the subscription or resource group - Contributor role is not enough. This is key for being able to secure the setup.
  • Optional: install the Azure CLI.

Create a compute and storage pair for the silo

Note: both orchestrator and silo can be deployed using the same arm/bicep script.

Option 1 : one click deployment

  1. Click on Deploy to Azure

  2. Adjust parameters, in particular:

    • Region: this will be set by Azure to the region of your resource group.
    • Machine Learning Name: need to match the name of the AzureML workspace in the resource group.
    • Machine Learning Region: the region in which the AzureML workspace was deployed (default: same as resource group).
    • Pair Region: the region where the compute and storage will be deployed (default: same as resource group).
    • Pair Base Name: a unique name for the silo, example silo1-westus. This will be used to create all other resources (storage name, compute name, etc.).

Option 2 : deployment using az cli

In the resource group of your AzureML workspace, use the following command with parameters corresponding to your setup:

az deployment group create --template-file ./mlops/bicep/modules/fl_pairs/open_compute_storage_pair.bicep --resource-group <resource group name> --parameters pairBaseName="silo1-westus" pairRegion="westus" machineLearningName="aml-fldemo" machineLearningRegion="eastus"

Set permissions for the silo's compute to R/W from/to the orchestrator

  1. Navigate the Azure portal to find your resource group.

  2. Look for a resource of type Managed Identity in the region of the silo named like uai-<pairBaseName>. It should have been created by the instructions above.

  3. Open this identity and click on Azure role assignments. You should see the list of assignments for this identity.

    It should contain 3 roles towards the storage account of the silo itself:

    • Storage Blob Data Contributor
    • Reader and Data Access
    • Storage Account Key Operator Service Role

  4. Click on Add role assignment and add each of these same role towards the storage account of your orchestrator.