Secure Model Serving APIs with Azure Relay Hybrid Connections
PythonTo secure model serving APIs using Azure Relay Hybrid Connections, you will be creating an Azure Relay Namespace and within it, a Hybrid Connection. This setup enables a secure way to communicate between the Azure services and your on-premises applications without exposing your local services to the public internet.
Azure Relay acts as an intermediary to facilitate these communications. The Hybrid Connection within the relay namespace is what your on-premises APIs will connect to, so they can be accessed from your Azure services.
Here are the steps we will be taking in this Pulumi program:
- Create an Azure Resource Group to house our resources.
- Create a Relay Namespace, which is a scoping container for all messaging components.
- Define a Hybrid Connection within the Namespace, which will be used to manage the relay of messages.
I'll be defining a simple Pulumi Python program that sets up these resources. The program doesn't include details on the on-premises API as that setup is beyond the scope of this program and highly dependent on your local infrastructure.
import pulumi import pulumi_azure_native as azure_native # Create an Azure Resource Group resource_group = azure_native.resources.ResourceGroup("resource_group") # Creating an Azure Relay Namespace relay_namespace = azure_native.relay.Namespace("relayNamespace", resource_group_name=resource_group.name, location=resource_group.location, sku=azure_native.relay.SkuArgs( name="Standard" ) ) # Define a Hybrid Connection within the Relay Namespace hybrid_connection = azure_native.relay.HybridConnection("hybridConnection", resource_group_name=resource_group.name, namespace_name=relay_namespace.name, user_metadata="Secure connection for Model API" ) # Export the primary connection string for the Hybrid Connection # This connection string is typically used in your on-premises application to set up the connection primary_key = pulumi.Output.all(resource_group.name, relay_namespace.name, hybrid_connection.name).apply( lambda args: azure_native.relay.list_hybrid_connection_keys(args[0], args[1], args[2]) ).apply(lambda keys: keys.primary_key) pulumi.export('hybridConnectionName', hybrid_connection.name) pulumi.export('primaryKey', primary_key)Let's go over what each part of this program does:
- Azure Resource Group: The resource group is a collection of resources that share the same lifecycle, permissions, and policies.
- Relay Namespace: This is the Azure Relay component that groups a set of messaging entities. It provides a unique scoping container where you will then create the Hybrid Connection.
- Hybrid Connection: The actual connection object that will be used for communication is created within the relay namespace. It uses a policy-based authorization model, providing high granularity of control.
The output of this Pulumi program includes the name of the Hybrid Connection and the primary key of the Hybrid Connection, which you will use in your on-premises API and Azure services to secure communication.
To run this Pulumi program, you would:
- Save this into a file named
__main__.py. - Use the Pulumi CLI to create a new stack and update it, which will deploy the resources defined above.
Ensure that you have the Azure provider configured in your Pulumi project and that you have appropriate permissions to create these resources in your Azure subscription.