Secure Network Isolation for Azure Cognitive Services

Question

Pulumi · Accepted Answer

Certainly! When you want to establish secure network isolation for Azure Cognitive Services, you typically need to:

1. Create an Azure Cognitive Services account.
2. Configure network security settings to restrict access to the service.
3. Optionally, use a private endpoint for tight network integration with Azure Virtual Networks, effectively placing the Azure service directly into your private network.

To accomplish this with Pulumi, we will:

- Use `azure_native.cognitiveservices.Account` to create a Cognitive Services account.
- Set up its network rules to restrict access to specific IP addresses or Azure Virtual Networks.
- Optionally, use `azure_native.network.PrivateEndpoint` to configure a private endpoint for the service.

Below is a Pulumi program in Python that demonstrates how to do this. The script includes:

- Creation of a new Cognitive Services account.
- Configuration of Network Access Control Lists (ACLs) for the account to only allow access from specific IPs.
- Creation of a Private Endpoint, which connects the Cognitive Services to a specified subnet within an Azure Virtual Network (this part is optional and can be included if required).

```python
import pulumi
import pulumi_azure_native.cognitiveservices as cognitiveservices
import pulumi_azure_native.network as network
import pulumi_azure_native.resources as resources

# Create an Azure Resource Group
resource_group = resources.ResourceGroup('resource_group')

# Create a Cognitive Services account with network ACLs
cognitive_services_account = cognitiveservices.Account('cognitiveServicesAccount',
    # Required args
    resource_group_name=resource_group.name,
    kind="CognitiveServices", # The kind of Cognitive Services to create
    sku=cognitiveservices.SkuArgs(
        name="S0", # "S0" is a standard performance tier
    ),
    # Network rules to secure the cognitive service (ACLs)
    properties=cognitiveservices.AccountPropertiesArgs(
        network_acls=cognitiveservices.NetworkRuleSetArgs(
            default_action="Deny",
            ip_rules=[
                cognitiveservices.IPRuleArgs(value="1.2.3.4"),  # Replace with your IP
                # You can add more IPs here
            ],
            # You can also add virtual network rules here if needed
        ),
        # The following are optional configurations
        custom_sub_domain_name="my-cognitive-service",  # Custom subdomain name (if needed)
        public_network_access="Enabled",  # Enable or disable public network access
    ),
    # Location of the cognitive service
    location="WestUS",
)

# Optional: Configure a private endpoint for the Cognitive Services account
# Note: You need to have an existing Virtual Network and Subnet for this to work
# Uncomment below code to configure private endpoint

# private_endpoint = network.PrivateEndpoint("privateEndpoint",
#     # Required arguments
#     resource_group_name=resource_group.name,
#     subnet=network.SubnetArgs(id="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}"),
#     # The private link service connection to the cognitive service
#     private_link_service_connections=[
#         network.PrivateLinkServiceConnectionArgs(
#             name="cognitiveServicesPLSConnection",
#             private_link_service_id=cognitive_services_account.id,
#             group_ids=["cognitiveservices"],  # The group ID for the Cognitive Service
#         ),
#     ],
#     location="WestUS",
# )

# Export the Cognitive Services account URL so we can see/use it in the Pulumi stack output
pulumi.export('cognitive_services_account_endpoint', cognitive_services_account.properties.endpoint)

# If you've configured a private endpoint, you would export the private endpoint's ID as well
# pulumi.export('private_endpoint_id', private_endpoint.id)
```

In this program, we first create a resource group, which is a logical container for Azure resources. Then, we define our Cognitive Services account, specifying the kind, the SKU (which determines the pricing and scale options), and crucially, the ACLs that will control the access. In the `network_acls` argument, we set the `default_action` to "Deny" to ensure that only explicitly allowed IPs (specified in `ip_rules`) or Virtual Networks can access the service.

Finally, if a private endpoint is necessary for your use case, we've provided commented-out code that, once supplied with the appropriate subnet information and uncommented, will provision a Private Endpoint associated with the Cognitive Services account. This endpoint would route traffic between the service and the virtual network through a private link.

Remember to replace placeholders like IP addresses and subnet IDs with actual values suitable for your environment. If private network integration is not required, you can leave out the `PrivateEndpoint` resource and its related code. The necessary parts for the program to work for network isolation are included above.