1. Using azure cognitive with subnet

    TypeScript

    To use Azure Cognitive Services within a subnet, you will need to set up a couple of Azure resources:

    1. Azure Cognitive Services Account: This will provide access to a suite of AI services including vision, speech, language, and decision-making capabilities.

    2. Azure Virtual Network (VNet) and Subnet: A Virtual Network is required to provide a private network in the cloud where you can launch various Azure resources. A subnet, which is a range of IP addresses in the VNet, is where we'll specifically associate the Cognitive Services account to restrict access to the cognitive services.

    3. Network Security Group (NSG) and Network Rules (optional): To further secure the subnet, an NSG can be deployed with rules that define how traffic to and from the subnet and Cognitive Services is controlled.

    Here is a TypeScript program using Pulumi to set up an Azure Cognitive Services account within a subnet. The code will create all the necessary resources, assuming you have Azure credentials configured with Pulumi.

    ```typescript
    import * as pulumi from "@pulumi/pulumi";
    import * as azure_native from "@pulumi/azure-native";

    // Enter your desired resource group name, VNet name, and Cognitive Services name
    const resourceGroupName = "myResourceGroup";
    const vnetName = "myVirtualNetwork";
    const cognitiveServicesName = "myCognitiveServices";

    // Create a new resource group
    const resourceGroup = new azure_native.resources.ResourceGroup(resourceGroupName);

    // Create a virtual network
    const virtualNetwork = new azure_native.network.VirtualNetwork(vnetName, {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        addressSpace: {
            addressPrefixes: ["10.0.0.0/16"],
        },
    });

    // Create a subnet within the virtual network
    const subnet = new azure_native.network.Subnet("mySubnet", {
        resourceGroupName: resourceGroup.name,
        virtualNetworkName: virtualNetwork.name,
        addressPrefix: "10.0.1.0/24",
        // Enable the service endpoint that the account's virtualNetworkRules rely on;
        // ignoreMissingVnetServiceEndpoint is false below, so a missing endpoint is not ignored
        serviceEndpoints: [{ service: "Microsoft.CognitiveServices" }],
        // Delegate the subnet to Cognitive Services
        delegations: [{
            name: "cognitiveservicesdelegation",
            serviceName: "Microsoft.CognitiveServices/accounts",
        }],
    });

    // Create a Cognitive Services account with network restrictions
    const cognitiveServicesAccount = new azure_native.cognitiveservices.Account(cognitiveServicesName, {
        resourceGroupName: resourceGroup.name,
        kind: "TextAnalytics", // Replace with the specific kind of cognitive service needed
        sku: {
            name: "S0", // Replace with the desired pricing tier
        },
        location: resourceGroup.location,
        properties: {
            // The public endpoint stays enabled so that the network rules below apply to it;
            // networkAcls is what restricts access to the subnet
            publicNetworkAccess: "Enabled",
            networkAcls: {
                defaultAction: "Deny", // By default, deny all public access
                virtualNetworkRules: [{
                    // Allow access only from the subnet
                    id: subnet.id,
                    ignoreMissingVnetServiceEndpoint: false,
                }],
            },
        },
    });

    // Export the important endpoints
    export const cognitiveServicesEndpoint = cognitiveServicesAccount.properties.endpoint;
    export const subnetId = subnet.id;
    ```

    Explanation:

    • Resource Group: A logical container that holds related resources for an Azure solution. In this code, the ResourceGroup class is used to create a new resource group.

    • Virtual Network: This facilitates the provision of a private network for your Azure resources. The VirtualNetwork resource is used to create a new VNet.

    • Subnet: A subnet is an IP address range within a VNet. The Subnet resource creates a subnet within the VNet and delegates it to the Microsoft.CognitiveServices/accounts service using the serviceName parameter under delegations.

    • Cognitive Services Account: The Azure Cognitive Services are accessed through this account. The code uses the Account class of the azure_native.cognitiveservices module to create an account, specifying the type and tier as "TextAnalytics" and "S0" respectively (you would replace these with the service and tier you need).

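    • Network Security: The networkAcls property of the Cognitive Services Account specifies network-level access controls. Here, the default action is set to Deny, so traffic from any network not listed is blocked, and the virtualNetworkRules entry allows access only from the specified subnet. publicNetworkAccess stays "Enabled" because these rules are evaluated on the account's public endpoint; the Deny default is what closes it to other networks.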

    Next Steps:

    After deploying this code with Pulumi, the Cognitive Services account will only be accessible from resources within the specified subnet. This ensures that any cognitive services are consumed privately within the network, enhancing security.
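
To confirm after deployment that the restriction described above actually holds, the following check audits the account's network ACLs against the subnet's service endpoints. It is an added example, not part of the original program: `auditNetworkAcls`, the interfaces and the sample objects are hypothetical names and constructed data, and the inputs are assumed to be the ARM JSON of the account and its subnets.

```typescript
// Property names match the Pulumi program above; serviceEndpoints is the subnet-side
// field of the ARM subnet resource. Only the fields this check reads are typed.
interface VnetRule { id: string; ignoreMissingVnetServiceEndpoint?: boolean }
interface Account {
  properties: {
    publicNetworkAccess?: string;
    networkAcls?: { defaultAction?: string; virtualNetworkRules?: VnetRule[]; ipRules?: { value: string }[] };
  };
}
interface Subnet { id: string; serviceEndpoints?: { service: string }[] }

// Returns one finding per way the lockdown is weaker than intended or per rule that
// cannot work as written. An empty array means the account is limited to the listed subnets.
function auditNetworkAcls(account: Account, subnets: Subnet[]): string[] {
  const findings: string[] = [];
  const acls = account.properties.networkAcls;
  if (account.properties.publicNetworkAccess === "Disabled") {
    findings.push("publicNetworkAccess is Disabled: access is limited to private endpoints, subnet rules do not apply");
  }
  if (!acls || acls.defaultAction !== "Deny") {
    findings.push("defaultAction is not Deny: the account accepts traffic from any network");
  }
  const rules = acls?.virtualNetworkRules ?? [];
  if (rules.length === 0) findings.push("no virtualNetworkRules: no subnet is allowed");
  for (const rule of rules) {
    if (rule.ignoreMissingVnetServiceEndpoint) {
      findings.push(`${rule.id}: ignoreMissingVnetServiceEndpoint is true, a missing endpoint goes unnoticed`);
    }
    // ARM resource IDs are case-insensitive, so compare them in lower case.
    const subnet = subnets.filter(s => s.id.toLowerCase() === rule.id.toLowerCase())[0];
    if (!subnet) { findings.push(`${rule.id}: subnet definition not supplied`); continue; }
    const hasEndpoint = (subnet.serviceEndpoints ?? []).some(e => e.service === "Microsoft.CognitiveServices");
    if (!hasEndpoint) findings.push(`${rule.id}: subnet lacks the Microsoft.CognitiveServices service endpoint`);
  }
  const ipRules = acls?.ipRules ?? [];
  if (ipRules.length > 0) findings.push(`${ipRules.length} public IP range(s) are allowed in addition to the subnet`);
  return findings;
}

// Constructed sample data (placeholder subscription ID, names from the program above).
const SUBNET_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup" +
  "/providers/Microsoft.Network/virtualNetworks/myVirtualNetwork/subnets/mySubnet";
const sampleAccount: Account = { properties: { publicNetworkAccess: "Enabled", networkAcls: {
  defaultAction: "Deny",
  virtualNetworkRules: [{ id: SUBNET_ID, ignoreMissingVnetServiceEndpoint: false }],
} } };
const subnetNoEndpoint: Subnet = { id: SUBNET_ID.toUpperCase(), serviceEndpoints: [] };
const subnetWithEndpoint: Subnet = { id: SUBNET_ID, serviceEndpoints: [{ service: "Microsoft.CognitiveServices" }] };
```

Calling `auditNetworkAcls(sampleAccount, [subnetNoEndpoint])` reports the missing service endpoint, while the same account paired with `subnetWithEndpoint` returns no findings.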