diff --git a/.gitignore b/.gitignore
index ec9e5b1d..0d6b95a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,5 @@ quickstart/301-machine-learning-hub-spoke-secure/*.terraform.lock.hcl
 quickstart/301-machine-learning-hub-spoke-secure/*.tfstate
 quickstart/301-machine-learning-hub-spoke-secure/.terraform/providers/registry.terraform.io/hashicorp/azurerm/2.79.1/windows_amd64/terraform-provider-azurerm_v2.79.1_x5.exe
 quickstart/301-machine-learning-hub-spoke-secure/.terraform/providers/registry.terraform.io/hashicorp/random/3.1.0/windows_amd64/terraform-provider-random_v3.1.0_x5.exe
+quickstart/301-machine-learning-hub-spoke-secure/.terraform.tfstate.lock.info
+quickstart/301-machine-learning-hub-spoke-secure/terraform.tfstate.*
diff --git a/quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf b/quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf
index fddc61ee..c5ab0b41 100644
--- a/quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf
+++ b/quickstart/301-machine-learning-hub-spoke-secure/azure-firewall.tf
@@ -354,6 +354,20 @@ application_rule_collection {
 source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
 destination_fqdns = ["dc.services.visualstudio.com"]
 }
+
+ rule {
+ name = "azureml-instances"
+ protocols {
+ type = "Http"
+ port = 80
+ }
+ protocols {
+ type = "Https"
+ port = 443
+ }
+ source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
+ destination_fqdns = ["*.instances.azureml.net", "*.instances.azureml.ms"]
+ }
 }
 network_rule_collection {
@@ -364,8 +378,8 @@ application_rule_collection {
 rule {
 name = "hub-to-spoke-rule"
 protocols = ["Any"]
- source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
- destination_ip_groups = [azurerm_ip_group.ip_group_hub.id]
+ source_ip_groups = [azurerm_ip_group.ip_group_spoke.id,azurerm_ip_group.ip_group_hub.id]
+ destination_ip_groups = [azurerm_ip_group.ip_group_hub.id,azurerm_ip_group.ip_group_spoke.id]
 destination_ports = ["*"]
 }
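Review bot: The added `azureml-instances` rule permits cleartext HTTP on port 80 to `*.instances.azureml.net` and `*.instances.azureml.ms` alongside HTTPS. If the spoke workloads only need TLS to these endpoints, drop the `protocols { type = "Http" port = 80 }` block so the allow-list carries no unencrypted egress to wildcard FQDNs. If port 80 is genuinely required, a comment above the rule such as `# port 80 required for <reason>` would record why. The enclosing `application_rule_collection` starts outside the hunk, so whether neighbouring rules follow the same Http+Https pattern cannot be checked from here.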
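Review bot: In `hub-to-spoke-rule`, listing both IP groups in `source_ip_groups` and in `destination_ip_groups` while keeping `protocols = ["Any"]` and `destination_ports = ["*"]` matches every pairing: hub to spoke, spoke to hub, and also spoke to spoke and hub to hub. Assuming the collection's action is Allow (it is set outside the hunk), this leaves no firewall-level segmentation between the two networks. Prefer keeping the original spoke-to-hub rule and adding a second, separately named rule for the hub-to-spoke direction, limited to the protocols and ports that are actually needed. If any-to-any is intended, rename the rule and add a comment such as `# bidirectional any/any between hub and spoke: <reason>`, since the current name no longer describes the match.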
@@ -421,7 +435,7 @@ application_rule_collection {
 name = "Azure-Front-Door-Frontend"
 protocols = ["TCP"]
 source_ip_groups = [azurerm_ip_group.ip_group_spoke.id]
- destination_addresses = ["AzureFrontDoor.Frontend"]
+ destination_addresses = ["AzureFrontDoor.Frontend","AzureFrontDoor.FirstParty"]
 destination_ports = ["443"]
 }
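Review bot: Adding `AzureFrontDoor.FirstParty` to `destination_addresses` widens egress beyond what the rule name `Azure-Front-Door-Frontend` describes, and nothing in the hunk records why the extra service tag is needed. A comment above the rule, e.g. `# AzureFrontDoor.FirstParty required by <service>; see <doc reference>`, or a separate rule named for the new tag, would keep the allow-list auditable. The rule's opening line is outside the hunk.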