The Compute and Data Layer of Valohai can be deployed to your Azure Resource Group. This enables you to:
- Use your own Virtual Machine instances to run machine learning jobs.
- Use your own Azure Blob Storage for storing training artifacts such as trained models, preprocessed datasets, visualizations, etc.
- Access databases and data warehouses directly from the workers, which are inside your network.
Valohai doesn’t have direct access to the virtual machine instances that execute the machine learning jobs. Instead, it communicates with a static virtual machine in your resource group that’s responsible for storing the job queue, job states, and short-term logs.
Creating a Subscription (optional)
This document prepares your Microsoft Azure account for Valohai worker installation. You can either use an existing Microsoft Azure subscription or set up a new subscription for the Valohai resources.
If you wish to create a separate subscription for Valohai, navigate to the Subscriptions panel and click “Add” at the top left of the screen to get started.
Creating a Resource Group
You need to create a resource group to host the Valohai-managed resources.
Navigate to Resource Group Management and select “Add”.
Select the Subscription you’d like the resources to be created within, then name the Resource Group.
If you’re not feeling creative, name the group valohai for simplicity. However, take note of the name, as Valohai engineers will need this.
Also, select the appropriate region for the resources:
- When selecting your region, remember that regions have different collections of available GPU types.
- For US customers, we recommend East US or West US 2 as they have the widest array of GPU machine types in the United States.
- For EU customers, we recommend West Europe as it has the widest array of GPU machine types in Europe.
- Check the Azure product availability page for more details.
- Consider using the same region where your data is located to reduce data transfer times.
- Consider using the regions where you’ve already acquired GPU quota from Microsoft.
Creating a virtual network
Valohai will need to know which virtual network to use. You can either provide an existing vNet and subnets or create a new one.
To create a new virtual network, go to your resource group, select Add, and search for Virtual Network. Give it a name (for example valohai-vnet) and select your region. You can then either specify the IP addresses yourself or proceed with the default configuration by clicking Review + create.
Valohai will spin up all the virtual machines used for your machine learning jobs inside this virtual network.
Creating an App Registration
Next, create an app registration in your Azure AD to allow Valohai programmatic access to your resource group:
- This can be done at the App Registration management panel.
- Click New registration.
- Any name for the application will do – “Valohai” is a good choice.
- The “Supported Account Type” option should be left at “Accounts in this organizational directory only (Your Organization Name Here)”.
- The Redirect URI can be left empty.
Once the App Registration is created, take a note of the Application (client) and Directory (tenant) ID values displayed.
Then navigate to the new app registration and select “Certificates & Secrets”, then “New client secret”.
- Any Description will do – “Valohai Secret”, for instance, is fine.
- The Expiry time should preferably be “Never”. Otherwise, Valohai’s access to manage your resources will expire and another secret will need to be created.
Once the Secret is created, copy the value from the table and make a note of it – this is the only time you’ll be able to see it.
Adding permissions for the App Registration
Once the App Registration has been created, you will need to grant it access to manage resources.
Navigate to the Subscriptions panel and select the subscription you chose for your resource group.
Take a note of the subscription ID.
Now select “Access Control (IAM)”. We'll need to create a new role ValohaiMasterRole:
- Open the Roles tab.
- Click Add custom role.
- Give the role the name ValohaiMasterRole.
- Open the Assignable scopes tab. Make sure you've selected the correct resource group(s).
- Open the JSON tab and replace the permissions section with the permissions from below.
- Save your changes.
"permissions": [
    {
        "actions": [
            "Microsoft.Resources/deployments/validate/action",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/deployments/operationStatuses/read",
            "Microsoft.Network/virtualNetworks/subnets/read",
            "Microsoft.Network/networkSecurityGroups/read",
            "Microsoft.Network/networkSecurityGroups/join/action",
            "Microsoft.Network/networkSecurityGroups/write",
            "Microsoft.Network/publicIPAddresses/write",
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/publicIPAddresses/delete",
            "Microsoft.Network/publicIPAddresses/join/action",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Network/networkInterfaces/write",
            "Microsoft.Network/networkInterfaces/join/action",
            "Microsoft.Network/networkInterfaces/delete",
            "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
            "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
            "Microsoft.Network/networkInterfaces/UpdateParentNicAttachmentOnElasticNic/action",
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
            "Microsoft.Network/networkSecurityGroups/securityRules/write",
            "Microsoft.Network/networkSecurityGroups/securityRules/read",
            "Microsoft.Network/networkSecurityGroups/securityRules/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
    }
]
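Before saving the role, it is worth checking the JSON you are about to paste. The following is an added example, not part of Valohai's documentation: a small linter that confirms the role definition parses, that its assignable scopes stay at resource-group level, and that its actions contain no wildcards or providers outside the list above. It assumes the portal's JSON layout with "assignableScopes" and "permissions" under "properties"; lint_role and the sample values are constructed for illustration.

```python
import json
import re

# A resource-group scope: /subscriptions/<guid>/resourceGroups/<name>
RG_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+$", re.I)
# Providers that the permission list on this page draws from.
ALLOWED_PROVIDERS = {"microsoft.resources", "microsoft.network"}


def lint_role(text):
    """Return a list of findings for a custom role definition (portal JSON)."""
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        # Catches, for example, a trailing comma after the last action.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    props = role.get("properties", role)
    findings = []
    scopes = props.get("assignableScopes", [])
    if not scopes:
        findings.append("no assignableScopes set")
    for scope in scopes:
        if not RG_SCOPE.match(scope):
            findings.append(f"scope wider than a resource group: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action.split("/", 1)[0].lower() not in ALLOWED_PROVIDERS:
                findings.append(f"unexpected provider: {action}")
        if perm.get("dataActions"):
            findings.append("dataActions present; the role on this page has none")
    return findings


# Constructed sample inputs (placeholder subscription ID, not a real one).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
GOOD = json.dumps({"properties": {
    "assignableScopes": [SUB + "/resourceGroups/valohai"],
    "permissions": [{"actions": ["Microsoft.Resources/deployments/write",
                                 "Microsoft.Network/publicIPAddresses/read"]}]}})
BAD = json.dumps({"properties": {
    "assignableScopes": [SUB],
    "permissions": [{"actions": ["Microsoft.Network/*",
                                 "Microsoft.Storage/storageAccounts/read"]}]}})
TRAILING_COMMA = '{"permissions": [{"actions": ["Microsoft.Network/publicIPAddresses/read",]}]}'

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("bad", BAD), ("trailing comma", TRAILING_COMMA)]:
        print(name, lint_role(doc))
```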
Next, we'll assign the role to our service principal.
- On the IAM page, click Add role assignment.
- Search for the ValohaiMasterRole and click Next.
- Make sure "User, group, or service principal" is selected and click Select members. Then search for the service principal by typing its name.
- Click Review and assign and save your changes.
Next, add the Virtual Machine Contributor role:
- On the IAM page, click Add role assignment.
- Search for the Virtual Machine Contributor and click Next.
- Make sure "User, group, or service principal" is selected and click Select members. Then search for the service principal by typing its name.
- Click Review and assign and save your changes.
Registering Resource Providers for the Subscription
Registering a resource provider configures your subscription to work with the given resource provider. Essentially, registering a provider means “enabling” the related services on your subscription.
Valohai uses the following resource providers:
- Microsoft.Compute
- Microsoft.Network
To verify that the above resource providers are registered:
- Navigate to “Azure Portal > Subscriptions”.
- Select the subscription that will be used for Valohai.
- Navigate to “Resource providers” through the menu on the left.
- Register the following providers if they aren’t already:
  - Microsoft.Compute
  - Microsoft.Network
Conclusion
You should now have the following values:
- Region
- Subscription ID
- Resource Group Name
- Directory (tenant) ID
- Application (client) ID
- Application Secret
- Virtual Network name
- Subnet name (optional)
Share this information with your Valohai contact using the Vault credentials provided to you.