Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Tip
You can use Azure Machine Learning managed virtual networks instead of the steps in this article. With a managed virtual network, Azure Machine Learning handles the job of network isolation for your workspace and managed computes. You can also add private endpoints for resources needed by the workspace, such as Azure Storage Account. For more information, see Workspace managed network isolation.
In this article, you learn about network isolation changes with the v2 API platform on Azure Resource Manager (ARM) and the effect on network isolation.
Tip
For new workspaces, consider using workspace managed virtual network isolation, which is the recommended approach for configuring network isolation.
How the v2 API platform uses Azure Resource Manager (ARM)
Important
The v1 API is deprecated as of March 31, 2025. Support for CLI v1 ended on September 30, 2025. Support for SDK v1 ends on June 30, 2026. We recommend that you transition to the v2 API. For more information, see Upgrade to v2.
The v2 API routes most operations — including workspace, compute, datastore, job, environment, code, component, and endpoint management — through Azure Resource Manager (ARM). Only a small set of operations communicate directly within the workspace virtual network. This provides a consistent API, easier Azure role-based access control, and Azure Policy support.
The Azure Machine Learning CLI v2 uses the v2 API platform. Features such as managed online endpoints are only available through the v2 API.
In contrast, the deprecated v1 API routed most operations through the workspace, with only workspace and compute CRUD operations going through ARM.
How the v2 API affects network isolation
Because the v2 API routes most operations through ARM, enabling a private endpoint on your workspace doesn't isolate those operations from public networks. Operations that use ARM communicate over public networks, and include any metadata (such as your resource IDs) or parameters used by the operation. For example, the parameters.
Previously, with the v1 API, most operations used the workspace directly. A private endpoint on the workspace provided network isolation for everything except workspace and compute CRUD operations.
Important
For most people, using the public ARM communications is OK:
- Public ARM communications is the standard for management operations with Azure services. For example, creating an Azure Storage Account or Azure Virtual Network uses ARM.
- The Azure Machine Learning operations do not expose data in your storage account (or other storage in the VNet) on public networks. For example, a training job that runs on a compute cluster in the VNet, and uses data from a storage account in the VNet, would securely access the data directly using the VNet.
- All communication with public ARM is encrypted using TLS 1.2.
If you need time to evaluate the v2 API before adopting it in your enterprise solutions, or have a company policy that prohibits sending communication over public networks, you can either:
- Use Azure Private Link for managing Azure resources to keep ARM communications private.
- Enable the v1_legacy_mode parameter. When enabled, this parameter disables the v2 API for your workspace.
Warning
Enabling v1_legacy_mode might prevent you from using features provided by the v2 API. For example, some features of Azure Machine Learning studio might be unavailable.
Scenarios and required actions
To use v2 API features, set v1_legacy_mode to false. You only need v1_legacy_mode set to true if you use a private endpoint with the workspace and have a policy against public ARM communications.
If you don't use a private endpoint, or you're OK with operations communicating with public ARM, no action is needed — v1_legacy_mode doesn't affect your workspace.
Note
For existing workspaces, the flag was automatically set to true for workspaces with a private endpoint, and false for public workspaces. For workspaces created with REST API version 2022-05-01 or newer, the default is false.
How to update v1_legacy_mode parameter
To update v1_legacy_mode, use the following steps:
Use the REST API to update the v1LegacyMode property on your workspace. This approach works with any HTTP client and doesn't require deprecated CLI or SDK extensions.
Send a PATCH request to your workspace resource:
PATCH https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}?api-version=2025-04-01
Content-Type: application/json
{
"properties": {
"v1LegacyMode": false
}
}
To check the current value, send a GET request:
GET https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}?api-version=2025-04-01
In the response, check the properties.v1LegacyMode value.
Important
Note that it takes about 30 minutes to an hour or more for changing v1_legacy_mode parameter from true to false to be reflected in the workspace. Therefore, if you set the parameter to false but receive an error that the parameter is true in a subsequent operation, please try after a few more minutes.