Azure Machine Learning entities can be grouped into two broad categories:
- Assets such as models, environments, components, and datasets are durable entities that are workspace agnostic. For example, a model can be registered with any workspace and deployed to any endpoint.
- Resources such as compute, job, and endpoints are transient entities that are workspace specific. For example, an online endpoint has a scoring URI that is unique to a specific instance in a specific workspace. Similarly, a job runs for a known duration and generates logs and metrics each time it's run.
Assets lend themselves to being stored in a central repository and used in different workspaces, possibly in different regions. Resources are workspace specific.
AzureML registries (preview) enable you to create and use those assets in different workspaces. Registries support multi-region replication for low latency access to assets, so you can use assets in workspaces located in different Azure regions. Creating a registry will provision Azure resources required to facilitate replication. First, Azure blob storage accounts in each supported region. Second, a single Azure Container Registry with replication enabled to each supported region.
:::image type="content" source="./media/how-to-manage-registries/machine-learning-registry-block-diagram.png" alt-text="Diagram of the relationships between assets in workspace and registry.":::
[!INCLUDE CLI v2 preres]
You need to decide the following information carefully before proceeding to create a registry:
Consider the following factors before picking a name.
- Registries are meant to facilitate sharing of ML assets across teams within your organization across all workspaces. Choose a name that is reflective of the sharing scope. The name should help identify your group, division or organization.
- Registry unique with your organization (Azure Active Directory tenant). It's recommended to prefix your team or organization name and avoid generic names.
- Registry names can't be changed once created because they're used in IDs of models, environments and components that are referenced in code.
- Length can be 2-32 characters.
- Alphanumerics, underscore, hyphen are allowed. No other special characters. No spaces - registry names are part of model, environment, and component IDs that can be referenced in code.
- Name can contain underscore or hyphen but can't start with an underscore or hyphen. Needs to start with an alphanumeric.
Registries enable sharing of assets across workspaces. To do so, a registry replicates content across multiple Azure regions. You need to define the list of regions that a registry supports when creating the registry. Create a list of all regions in which you have workspaces today and plan to add in near future. This list is a good set of regions to start with. When creating a registry, you define a primary region and a set of additional regions. The primary region can't be changed after registry creation, but the additional regions can be updated at a later point.
Make sure you're the "Owner" or "Contributor" of the subscription or resource group in which you plan to create the registry. If you don't have one of these built-in roles, review the section on permissions toward the end of this article.
Create the YAML definition and name it registry.yml.
Note
The primary location is listed twice in the YAML file. In the following example, eastus is listed first as the primary location (location item) and also in the replication_locations list.
name: DemoRegistry1
description: Basic registry with one primary region and to additional regions
tags:
foo: bar
location: eastus
replication_locations:
- location: eastus
- location: eastus2
- location: westusTip
You typically see display names of Azure regions such as 'East US' in the Azure Portal but the registry creation YAML needs names of regions without spaces and lower case letters. Use az account list-locations -o table to find the mapping of region display names to the name of the region that can be specified in YAML.
Run the registry create command.
az ml registry create --file registry.yml
You can create registries in AzureML studio using the following steps:
-
In the AzureML studio, select the Registries, and then Manage registries. Select + Create registry.
[!TIP] If you are in a workspace, navigate to the global UI by clicking your organization or tenant name in the navigation pane to find the Registries entry. You can also go directly there by navigating to https://ml.azure.com/registries.
:::image type="content" source="./media/how-to-manage-registries/studio-create-registry-button.png" lightbox="./media/how-to-manage-registries/studio-create-registry-button.png" alt-text="Screenshot of the create registry screen.":::
-
Enter the registry name, select the subscription and resource group and then select Next.
:::image type="content" source="./media/how-to-manage-registries/studio-create-registry-basics.png" alt-text="Screenshot of the registry creation basics tab.":::
-
Select the Primary region and Additional region, then select Next.
:::image type="content" source="./media/how-to-manage-registries/studio-registry-select-regions.png" alt-text="Screenshot of the registry region selection":::
-
Review the information you provided, and then select Create. You can track the progress of the create operation in the Azure portal. Once the registry is successfully created, you can find it listed in the Manage Registries tab.
:::image type="content" source="./media/how-to-manage-registries/studio-create-registry-review.png" alt-text="Screenshot of the create + review tab.":::
-
From the Azure portal, navigate to the Azure Machine Learning service. You can get there by searching for Azure Machine Learning in the search bar at the top of the page or going to All Services looking for Azure Machine Learning under the AI + machine learning category.
-
Select Create, and then select Azure Machine Learning registry. Enter the registry name, select the subscription, resource group and primary region, then select Next.
-
Select the additional regions the registry must support, then select Next until you arrive at the Review + Create tab.
:::image type="content" source="./media/how-to-manage-registries/create-registry-review.png" alt-text="Screenshot of the review + create tab.":::
-
Review the information and select Create.
Tip
Specifying the Azure Storage Account type and SKU is only available from the Azure CLI.
Azure storage offers several types of storage accounts with different features and pricing. For more information, see the Types of storage accounts article. Once you identify the optimal storage account SKU that best suites your needs, find the value for the appropriate SKU type. In the YAML file, use your selected SKU type as the value of the storage_account_type field. This field is under each location in the replication_locations list.
Next, decide if you want to use an Azure Blob storage account or Azure Data Lake Storage Gen2. To create Azure Data Lake Storage Gen2, set storage_account_hns to true. To create Azure Blob Storage, set storage_account_hns to false. The storage_account_hns field is under each location in the replication_locations list.
Note
The hns portion of storage_account_hns refers to the hierarchical namespace capability of Azure Data Lake Storage Gen2 accounts.
Below is an example YAML that demonstrates this advanced storage configuration:
name: DemoRegistry2
description: Registry with additional configuration for storage accounts
tags:
foo: bar
location: eastus
replication_locations:
- location: eastus
storage_config:
storage_account_hns: False
storage_account_type: Standard_LRS
- location: eastus2
storage_config:
storage_account_hns: False
storage_account_type: Standard_LRS
- location: westus
storage_config:
storage_account_hns: False
storage_account_type: Standard_LRSDecide if you want to allow users to only use assets (models, environments and components) from the registry or both use and create assets in the registry. Review steps to assign a role if you aren't familiar how to manage permissions using Azure role-based access control.
To let a user only read assets, you can grant the user the built-in Reader role. If don't want to use the built-in role, create a custom role with the following permissions
| Permission | Description |
|---|---|
| Microsoft.MachineLearningServices/registries/read | Allows the user to list registries and get registry metadata |
| Microsoft.MachineLearningServices/registries/assets/read | Allows the user to browse assets and use the assets in a workspace |
To let the user both read and create or delete assets, grant the following write permission in addition to the above read permissions.
| Permission | Description |
|---|---|
| Microsoft.MachineLearningServices/registries/assets/write | Create assets in registries |
| Microsoft.MachineLearningServices/registries/assets/delete | Delete assets in registries |
Warning
The built-in Contributor and Owner roles allow users to create, update and delete registries. You must create a custom role if you want the user to create and use assets from the registry, but not create or update registries. Review custom roles to learn how to create custom roles from permissions.
To let users create, update and delete registries, grant them the built-in Contributor or Owner role. If you don't want to use built in roles, create a custom role with the following permissions, in addition to all the above permissions to read, create and delete assets in registry.
| Permission | Description |
|---|---|
| Microsoft.MachineLearningServices/registries/write | Allows the user to create or update registries |
| Microsoft.MachineLearningServices/registries/delete | Allows the user to delete registries |