Using Azure Cognitive Services with a subnet
To use Azure Cognitive Services from within a subnet, that is, to restrict an account so that it only accepts requests originating from that subnet, you will need to set up a couple of Azure resources:
- Azure Cognitive Services Account: This provides access to a suite of AI services including vision, speech, language, and decision-making capabilities.
- Azure Virtual Network (VNet) and Subnet: A Virtual Network provides a private network in the cloud where you can launch Azure resources. A subnet is a range of IP addresses in the VNet. The Cognitive Services account is not placed inside the subnet (it remains a platform service with a public hostname); instead the subnet is given a service endpoint for Microsoft.CognitiveServices, and the account's network rules are configured to accept traffic only from that subnet.
- Network Security Group (NSG) and Network Rules (optional): An NSG attached to the subnet controls which traffic may enter and leave the subnet. It is a control on the subnet's side; it does not by itself restrict who can reach the Cognitive Services account. That restriction comes from the account's own network rules.
Here is a TypeScript program using Pulumi that sets up an Azure Cognitive Services account whose network rules allow access only from a subnet. The code creates all the necessary resources, assuming you have Azure credentials configured with Pulumi and a default location set in the stack's azure-native:location config.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Enter your desired resource group name, VNet name, and Cognitive Services name
const resourceGroupName = "myResourceGroup";
const vnetName = "myVirtualNetwork";
const cognitiveServicesName = "myCognitiveServices";

// Create a new resource group (its location comes from the stack's azure-native:location config)
const resourceGroup = new azure_native.resources.ResourceGroup(resourceGroupName);

// Create a virtual network
const virtualNetwork = new azure_native.network.VirtualNetwork(vnetName, {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    addressSpace: {
        addressPrefixes: ["10.0.0.0/16"],
    },
});

// Create a subnet within the virtual network. A VNet rule on the account only
// matches traffic from this subnet if the subnet has the Microsoft.CognitiveServices
// service endpoint enabled, so enable it here (a subnet delegation does not do this).
const subnet = new azure_native.network.Subnet("mySubnet", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: virtualNetwork.name,
    addressPrefix: "10.0.1.0/24",
    serviceEndpoints: [{
        service: "Microsoft.CognitiveServices",
    }],
});

// Create a Cognitive Services account with network restrictions
const cognitiveServicesAccount = new azure_native.cognitiveservices.Account(cognitiveServicesName, {
    resourceGroupName: resourceGroup.name,
    kind: "TextAnalytics", // Replace with the specific kind of cognitive service needed
    sku: {
        name: "S0", // Replace with the desired pricing tier
    },
    location: resourceGroup.location,
    properties: {
        // A custom subdomain gives the account its own hostname (<name>.cognitiveservices.azure.com).
        // It must be globally unique and is required for private endpoints and Microsoft Entra
        // authentication, so set it up front.
        customSubDomainName: cognitiveServicesName.toLowerCase(),
        // "Enabled" here means "selected networks": the rules in networkAcls are evaluated.
        // "Disabled" would allow private endpoints only and ignore these rules entirely.
        publicNetworkAccess: "Enabled",
        networkAcls: {
            defaultAction: "Deny", // Deny everything that does not match a rule below
            virtualNetworkRules: [{
                // Allow access only from the subnet
                id: subnet.id,
                // Fail the deployment if the subnet lacks the service endpoint instead of
                // silently creating a rule that never matches
                ignoreMissingVnetServiceEndpoint: false,
            }],
        },
    },
});

// Export the important endpoints
export const cognitiveServicesEndpoint = cognitiveServicesAccount.properties.endpoint;
export const subnetId = subnet.id;
```
Explanation:
- Resource Group: A logical container that holds related resources for an Azure solution. In this code, the `ResourceGroup` class is used to create a new resource group.
- Virtual Network: This provides a private network for your Azure resources. The `VirtualNetwork` resource is used to create a new VNet.
- Subnet: A subnet is an address range within a VNet. The `Subnet` resource creates the subnet and enables the `Microsoft.CognitiveServices` service endpoint through the `serviceEndpoints` parameter. The endpoint is what makes requests from the subnet arrive at the service with a source the service can attribute to that subnet; without it the account's VNet rule never matches, and with `ignoreMissingVnetServiceEndpoint` left at `false` the deployment is rejected rather than producing a rule that does nothing.
- Cognitive Services Account: The Azure Cognitive Services are accessed through this account. The code uses the `Account` class of the `azure_native.cognitiveservices` module to create an account, specifying the type and tier as "TextAnalytics" and "S0" respectively (you would replace these with the service and tier you need), and gives it a custom subdomain.
- Network Security: The `networkAcls` property of the Cognitive Services account specifies network-level access controls. The default action is set to `Deny` to block all traffic that does not match a rule, and the `virtualNetworkRules` entry allows only the specified subnet. `publicNetworkAccess` must remain "Enabled" for these rules to be evaluated; setting it to "Disabled" switches the account to private-endpoint-only mode.
Next Steps:
After deploying this code with Pulumi, the Cognitive Services account refuses requests that do not originate from the specified subnet, so the service is consumed only from inside the network. Two caveats are worth checking before relying on this:
- Network rules restrict where requests may come from; they do not change who can authenticate. The account keys still grant full access to anyone holding them from an allowed source. Prefer Microsoft Entra authentication with a managed identity for the callers in the subnet, and set `disableLocalAuth` to `true` on the account once nothing depends on the keys.
- If the account should not have a public hostname at all, set `publicNetworkAccess` to "Disabled" and add a private endpoint in the subnet together with a `privatelink.cognitiveservices.azure.com` private DNS zone, instead of the service-endpoint-based VNet rule shown here.
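To check that a deployed account is actually restricted the way the program above intends, the following added example (not code from the original page or from Pulumi) inspects plain objects shaped like the ARM JSON returned by `az cognitiveservices account show` and `az network vnet subnet show`, and lists every reason the account would still be reachable from outside the subnet: a permissive default action, an internet-wide IP rule, or a VNet rule whose subnet lacks the service endpoint. The /8 cut-off for "too broad" IP rules, the resource IDs and the sample accounts are constructed for illustration and are not Azure defaults.

```typescript
// Added example (not part of the original page): a configuration check for the
// network restriction described above. Inputs mirror the ARM JSON shape of a
// Cognitive Services account (properties.publicNetworkAccess, properties.networkAcls)
// and of the subnets referenced by its VNet rules. Sample data is constructed.

interface IpRule { value: string }                       // IPv4 address or CIDR
interface VnetRule { id: string; ignoreMissingVnetServiceEndpoint?: boolean }
interface NetworkAcls {
    defaultAction: "Allow" | "Deny";
    ipRules?: IpRule[];
    virtualNetworkRules?: VnetRule[];
}
interface AccountProps {
    publicNetworkAccess?: "Enabled" | "Disabled";
    networkAcls?: NetworkAcls;
}
interface SubnetProps { id: string; serviceEndpoints?: { service: string }[] }

const COGNITIVE_ENDPOINT = "Microsoft.CognitiveServices";

// An IP rule is "wide open" if it is 0.0.0.0/0 or broader than /8.
// The /8 cut-off is an assumed policy threshold, not an Azure limit.
function isWideOpen(cidr: string): boolean {
    const parts = cidr.split("/");
    if (parts.length < 2) return false;                  // single host address
    const ip = parts[0];
    const bits = Number(parts[1]);
    return (ip === "0.0.0.0" && bits === 0) || bits < 8;
}

function checkNetworkRestriction(account: AccountProps, subnets: SubnetProps[]): string[] {
    const findings: string[] = [];
    // "Disabled" means private endpoints only; IP and VNet rules are not consulted.
    if (account.publicNetworkAccess === "Disabled") return findings;

    const acls = account.networkAcls;
    if (acls === undefined) {
        findings.push("no networkAcls: the account accepts traffic from any network");
        return findings;
    }
    if (acls.defaultAction !== "Deny") {
        findings.push(`defaultAction is ${acls.defaultAction}: unmatched traffic is allowed`);
    }
    for (const rule of acls.ipRules ?? []) {
        if (isWideOpen(rule.value)) findings.push(`ipRule ${rule.value} admits the whole internet`);
    }

    const byId = new Map<string, SubnetProps>();
    for (const s of subnets) byId.set(s.id.toLowerCase(), s);   // resource IDs are case-insensitive
    for (const rule of acls.virtualNetworkRules ?? []) {
        const subnet = byId.get(rule.id.toLowerCase());
        if (subnet === undefined) {
            findings.push(`virtualNetworkRule ${rule.id}: subnet not found`);
            continue;
        }
        const hasEndpoint = (subnet.serviceEndpoints ?? []).some(e => e.service === COGNITIVE_ENDPOINT);
        if (!hasEndpoint) {
            // Without the service endpoint the rule never matches real traffic;
            // ignoreMissingVnetServiceEndpoint only stops ARM from rejecting the rule.
            findings.push(`virtualNetworkRule ${rule.id}: subnet lacks the ${COGNITIVE_ENDPOINT} service endpoint`);
        }
    }
    return findings;
}

// Constructed sample resources with a hypothetical subscription ID.
const SUBNET_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup" +
    "/providers/Microsoft.Network/virtualNetworks/myVirtualNetwork/subnets/mySubnet";
const subnetWithEndpoint: SubnetProps = { id: SUBNET_ID, serviceEndpoints: [{ service: COGNITIVE_ENDPOINT }] };
const subnetWithoutEndpoint: SubnetProps = { id: SUBNET_ID, serviceEndpoints: [] };

// The configuration the program above produces: selected networks, deny by default, one subnet rule.
const restrictedAccount: AccountProps = {
    publicNetworkAccess: "Enabled",
    networkAcls: { defaultAction: "Deny", virtualNetworkRules: [{ id: SUBNET_ID }] },
};
// A lookalike that only appears restricted.
const openAccount: AccountProps = {
    publicNetworkAccess: "Enabled",
    networkAcls: {
        defaultAction: "Allow",
        ipRules: [{ value: "0.0.0.0/0" }],
        virtualNetworkRules: [{ id: SUBNET_ID, ignoreMissingVnetServiceEndpoint: true }],
    },
};

console.log("restricted:", checkNetworkRestriction(restrictedAccount, [subnetWithEndpoint]));   // []
console.log("open:", checkNetworkRestriction(openAccount, [subnetWithoutEndpoint]));            // three findings
```

The same function can be wrapped as a Pulumi CrossGuard policy or run in CI against the exported resource JSON; the point is that `defaultAction: "Deny"` on its own proves nothing unless the subnet side of the rule is also right.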