An Azure Machine Learning workspace (MLSW) has a creation-time setting that reduces the diagnostic telemetry sent to Microsoft. It is called High Business Impact (HBI).
In the configuration described here it is combined with Bring Your Own Key (customer-managed keys): an encryption key held in an Azure Key Vault, which the workspace's encryption settings reference.
To enable HBI, set hbi_workspace = True in the SDK, or hbiWorkspace: true in the ARM or Bicep template. Once enabled, downstream services reduce the diagnostic data they collect. This flag must be set when the MLSW is created; it cannot be enabled or changed after creation, so a workspace created without it has to be rebuilt.
Having automated Azure resources for over five years, I found that setting hbi_workspace came with an unexpected side effect that I had not encountered previously. It gives an interesting insight into how HBI works. Once the flag is set alongside the customer-managed key and deployed, a separate resource group appears in the subscription with a generated name of the form azureml-rg-<workspace-name>_<GUID>. It is the customer-managed key configuration, rather than the HBI flag on its own, that causes Azure Machine Learning to create this managed resource group.
This resource group contains an Azure Cognitive Search service, an Azure Cosmos DB account and a storage account, all created and managed by Azure Machine Learning. Cosmos DB is billed on provisioned throughput and the search service is billed continuously, so the cost of running the MLSW goes up significantly. Because the resource group is generated for you rather than declared in your template, it can catch you by surprise. The Cosmos DB account is encrypted with the customer-managed key and stores the workspace's metadata (run history, metrics and job details); the search service indexes that metadata so the workspace can query it. Neither resource redacts telemetry: the reduction in data sent to Microsoft comes from HBI telling the Azure ML services to collect less diagnostic data in the first place.
These managed resources cannot be replaced with Cosmos DB or Search instances you declare in your own ARM or Bicep template, and they should not be modified or deleted by hand. What you can do is account for the managed resource group and its cost up front, document its expected name next to the template, and treat its resources as part of the workspace's footprint. For further hardening, restrict network access to the Cosmos DB account (for example through the workspace's virtual network and private endpoint configuration) rather than leaving it reachable from the public internet.
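The following Bicep template is an added example, not code from the original post, that pulls the two settings discussed above together: hbiWorkspace: true for HBI and an encryption block that references a customer-managed key in Key Vault. The workspace name, location and the resource IDs and key URL passed in as parameters are placeholders; the Key Vault, storage account and Application Insights resources are assumed to exist already.

```bicep
// Added example (not from the original post): an Azure ML workspace with
// HBI enabled and customer-managed key (BYOK) encryption.
// All names and the parameter values are placeholders.
param location string = resourceGroup().location
param workspaceName string = 'mlsw-hbi-example'

// ARM resource ID of the Key Vault that holds the customer-managed key.
// The vault must have soft delete and purge protection enabled.
param keyVaultId string

// Versioned key URL, e.g. https://<vault>.vault.azure.net/keys/<key>/<version>
param keyIdentifier string

// Dependent resources every workspace needs (assumed to exist).
param storageAccountId string
param applicationInsightsId string

resource mlsw 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = {
  name: workspaceName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    friendlyName: workspaceName
    storageAccount: storageAccountId
    keyVault: keyVaultId
    applicationInsights: applicationInsightsId

    // HBI: reduces the diagnostic data Azure ML collects and sends to
    // Microsoft. Creation-time only; it cannot be changed afterwards.
    hbiWorkspace: true

    // Customer-managed key. With this block present, Azure ML creates a
    // managed resource group named azureml-rg-<workspaceName>_<GUID>
    // containing Cosmos DB, Azure Cognitive Search and a storage account.
    // That is the "self generating" resource group described above; it
    // is not declared here because Azure ML owns it.
    encryption: {
      status: 'Enabled'
      keyVaultProperties: {
        keyVaultArmId: keyVaultId
        keyIdentifier: keyIdentifier
      }
    }
  }
}

output workspaceId string = mlsw.id
```

After deployment you can confirm the flag took effect with az resource show --ids <workspaceId> --query properties.hbiWorkspace, which should return true; a workspace that reports false has to be recreated, since the property cannot be updated in place. The managed resource group can be located with az group list, filtering on names that begin with azureml-rg-, which is also a useful check to add to cost reviews.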