Limitations on Azure
This section lists some resource limits that CML and Azure impose on workloads running in ML workspaces.
There is no ability to grant or revoke remote access (via Kubeconfig) to specific users. Users with the MLAdmin role in the environment can download a Kubeconfig file. The Kubeconfig file will continue to allow access even if the MLAdmin role is later revoked.
Support is limited to regions that provide AKS. Also, customers should check availability of Azure Files NFS or Azure NetApp Files and GPU instance types in their intended region. See Supported Azure regions for more information.
- Data is not encrypted in transit to Azure Files NFS or Azure NetApp Files or other NFS systems, so make sure to implement policies to ensure security at the network level.
Each ML workspace requires a separate subnet. For more information on this issue, see Use kubenet networking with your own IP address ranges in Azure Kubernetes Service (AKS).
- When you provision an Azure Kubernetes (AKS) cluster, a Standard load balancer is provisioned by default. The Standard load balancer always provisions a public IP for egress traffic, communication with the Kubernetes control plane, and backwards compatibility. Cloudera software does not use this public IP directly, or expose anything on it. For more information, see: Use a public Standard Load Balancer in Azure Kubernetes Service (AKS)
- The following Azure Policy add-on for AKS has a default policy that causes workspace upgrades to fail. To avoid this problem, the Kubernetes clusters should not allow container privilege escalation policy should not be enabled. For more information on AKS policies, see Azure Policy built-in definitions for Azure Kubernetes Service.
- The Workspace Backup and Restore feature, which on Azure is only available through the CDP CLI, does not perform a backup of NFS.