Ensure Azure Machine Learning Workspace is not publicly accessible

Error: Azure Machine Learning Workspace is publicly accessible

Bridgecrew Policy ID: BC_AZR_NETWORKING_53
Checkov Check ID: CKV_AZURE_144
Severity: LOW

Azure Machine Learning Workspace is publicly accessible

Description

Disabling public network access improves security by ensuring the Azure Machine Learning workspace can be reached only through an Azure Private Link private endpoint in a virtual network you control. With `public_network_access_enabled = false`, the workspace endpoint rejects connections that arrive over the public internet; Studio, the SDK and the CLI must then reach the workspace through the private endpoint. The flag alone is therefore not a complete fix: provision an `azurerm_private_endpoint` for the workspace (subresource `amlworkspace`) before disabling public access, or the workspace becomes unreachable, and apply equivalent network restrictions to the dependent storage account, Key Vault and container registry, which remain reachable independently of the workspace setting. Note that the azurerm provider defaults this argument to `true`, so omitting it leaves the workspace publicly accessible and fails this check.

Fix - Runtime

Fix - Buildtime

Terraform

  • Resource: azurerm_machine_learning_workspace
  • Argument: public_network_access_enabled
resource "azurerm_machine_learning_workspace" "ckv_unittest_pass" {
  name                          = "example-workspace"
  location                      = azurerm_resource_group.example.location
  resource_group_name           = azurerm_resource_group.example.name
  application_insights_id       = azurerm_application_insights.example.id
  key_vault_id                  = azurerm_key_vault.example.id
  storage_account_id            = azurerm_storage_account.example.id
  public_network_access_enabled = false

  identity {
    type = "SystemAssigned"
  }

  encryption {
    key_vault_id = azurerm_key_vault.example.id
    key_id       = azurerm_key_vault_key.example.id
  }
}
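The following Python is an added illustration of the logic behind this check, not Checkov's own source. It evaluates Terraform resources in the list-wrapped shape an HCL parser emits, treats a missing `public_network_access_enabled` as the provider default (`true`, so FAILED), flags an unresolved variable reference as UNKNOWN rather than passing it, and adds a practitioner extension beyond CKV_AZURE_144: a look-up for a matching `azurerm_private_endpoint` with the `amlworkspace` subresource, since disabling public access without one leaves the workspace unreachable. All resource configurations below are constructed for the demonstration.

```python
"""Evaluate CKV_AZURE_144-style logic over parsed Terraform resources.

Added example, not Checkov's implementation. Attribute values are wrapped in
single-element lists, mirroring what HCL parsers such as python-hcl2 emit.
"""
from __future__ import annotations

from typing import Any

PASSED, FAILED, UNKNOWN = "PASSED", "FAILED", "UNKNOWN"

# azurerm provider default for azurerm_machine_learning_workspace.
DEFAULT_PUBLIC_ACCESS = True


def _scalar(value: Any) -> Any:
    """Unwrap the single-element list that HCL parsers emit for attributes."""
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def check_workspace_public_access(conf: dict) -> str:
    """PASSED only when public network access is explicitly disabled.

    A missing attribute falls back to the provider default (true) and FAILS.
    An unresolved reference such as "${var.x}" is UNKNOWN so the scanner can
    surface it instead of silently passing the resource.
    """
    raw = _scalar(conf.get("public_network_access_enabled", DEFAULT_PUBLIC_ACCESS))
    if isinstance(raw, str):
        lowered = raw.strip().lower()
        if lowered not in ("true", "false"):
            return UNKNOWN
        raw = lowered == "true"
    if isinstance(raw, bool):
        return PASSED if raw is False else FAILED
    return UNKNOWN


def has_private_endpoint(workspace_addr: str, private_endpoints: dict[str, dict]) -> bool:
    """Extension beyond the Checkov check (assumption, not part of CKV_AZURE_144):
    true when some azurerm_private_endpoint targets this workspace's id with the
    'amlworkspace' subresource, which is what makes a public-access-disabled
    workspace usable at all.
    """
    expected_target = f"${{{workspace_addr}.id}}"
    for pe in private_endpoints.values():
        for conn in pe.get("private_service_connection", []):
            target = _scalar(conn.get("private_connection_resource_id"))
            subresources = _scalar(conn.get("subresource_names")) or []
            if target == expected_target and "amlworkspace" in subresources:
                return True
    return False


def evaluate(resources: dict[str, dict]) -> dict[str, tuple[str, bool]]:
    """Map each workspace address to (check result, private endpoint present)."""
    endpoints = {k: v for k, v in resources.items() if k.startswith("azurerm_private_endpoint.")}
    results = {}
    for addr, conf in resources.items():
        if addr.startswith("azurerm_machine_learning_workspace."):
            results[addr] = (check_workspace_public_access(conf), has_private_endpoint(addr, endpoints))
    return results


# Constructed sample resources (not from the page), covering each outcome.
SAMPLE_RESOURCES: dict[str, dict] = {
    # Hardened: explicit false plus a matching private endpoint below.
    "azurerm_machine_learning_workspace.ckv_unittest_pass": {
        "name": ["example-workspace"],
        "public_network_access_enabled": [False],
    },
    # Fails: argument omitted, so the provider default (true) applies.
    "azurerm_machine_learning_workspace.ckv_unittest_fail_default": {
        "name": ["default-workspace"],
    },
    # Fails: explicitly public.
    "azurerm_machine_learning_workspace.ckv_unittest_fail_explicit": {
        "public_network_access_enabled": [True],
    },
    # Unknown: value comes from a variable the static scan cannot resolve.
    "azurerm_machine_learning_workspace.ckv_unittest_var": {
        "public_network_access_enabled": ["${var.public_access}"],
    },
    "azurerm_private_endpoint.ws": {
        "private_service_connection": [{
            "name": ["ws-psc"],
            "private_connection_resource_id": [
                "${azurerm_machine_learning_workspace.ckv_unittest_pass.id}"
            ],
            "subresource_names": [["amlworkspace"]],
            "is_manual_connection": [False],
        }],
    },
}

if __name__ == "__main__":
    for addr, (result, pe_present) in evaluate(SAMPLE_RESOURCES).items():
        print(f"{addr}: {result}, private endpoint: {pe_present}")
```

Run it directly to see one PASSED workspace with its private endpoint, two FAILED (one by omission, one explicit) and one UNKNOWN. Treating the omitted argument as a failure, rather than as "not configured", is the important design choice: the provider default is public, so silence in the Terraform is the insecure state.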