1. Secure Network Isolation for Azure Cognitive Services


    Certainly! When you want to establish secure network isolation for Azure Cognitive Services, you typically need to:

    1. Create an Azure Cognitive Services account.
    2. Configure network security settings to restrict access to the service.
    3. Optionally, use a private endpoint for tight network integration with Azure Virtual Networks, effectively placing the Azure service directly into your private network.

    To accomplish this with Pulumi, we will:

    • Use azure_native.cognitiveservices.Account to create a Cognitive Services account.
    • Set up its network rules to restrict access to specific IP addresses or Azure Virtual Networks.
    • Optionally, use azure_native.network.PrivateEndpoint to configure a private endpoint for the service.

    Below is a Pulumi program in Python that demonstrates how to do this. The script includes:

    • Creation of a new Cognitive Services account.
    • Configuration of Network Access Control Lists (ACLs) for the account to only allow access from specific IPs.
    • Creation of a Private Endpoint, which connects the Cognitive Services to a specified subnet within an Azure Virtual Network (this part is optional and can be included if required).
    import pulumi import pulumi_azure_native.cognitiveservices as cognitiveservices import pulumi_azure_native.network as network import pulumi_azure_native.resources as resources # Create an Azure Resource Group resource_group = resources.ResourceGroup('resource_group') # Create a Cognitive Services account with network ACLs cognitive_services_account = cognitiveservices.Account('cognitiveServicesAccount', # Required args resource_group_name=resource_group.name, kind="CognitiveServices", # The kind of Cognitive Services to create sku=cognitiveservices.SkuArgs( name="S0", # "S0" is a standard performance tier ), # Network rules to secure the cognitive service (ACLs) properties=cognitiveservices.AccountPropertiesArgs( network_acls=cognitiveservices.NetworkRuleSetArgs( default_action="Deny", ip_rules=[ cognitiveservices.IPRuleArgs(value=""), # Replace with your IP # You can add more IPs here ], # You can also add virtual network rules here if needed ), # The following are optional configurations custom_sub_domain_name="my-cognitive-service", # Custom subdomain name (if needed) public_network_access="Enabled", # Enable or disable public network access ), # Location of the cognitive service location="WestUS", ) # Optional: Configure a private endpoint for the Cognitive Services account # Note: You need to have an existing Virtual Network and Subnet for this to work # Uncomment below code to configure private endpoint # private_endpoint = network.PrivateEndpoint("privateEndpoint", # # Required arguments # resource_group_name=resource_group.name, # subnet=network.SubnetArgs(id="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}"), # # The private link service connection to the cognitive service # private_link_service_connections=[ # network.PrivateLinkServiceConnectionArgs( # name="cognitiveServicesPLSConnection", # private_link_service_id=cognitive_services_account.id, # group_ids=["cognitiveservices"], # The group ID for the Cognitive Service # ), # ], # location="WestUS", # ) # Export the Cognitive Services account URL so we can see/use it in the Pulumi stack output pulumi.export('cognitive_services_account_endpoint', cognitive_services_account.properties.endpoint) # If you've configured a private endpoint, you would export the private endpoint's ID as well # pulumi.export('private_endpoint_id', private_endpoint.id)

    In this program, we first create a resource group, which is a logical container for Azure resources. Then, we define our Cognitive Services account, specifying the kind, the SKU (which determines the pricing and scale options), and crucially, the ACLs that will control the access. In the network_acls argument, we set the default_action to "Deny" to ensure that only explicitly allowed IPs (specified in ip_rules) or Virtual Networks can access the service.

    Finally, if a private endpoint is necessary for your use case, we've provided commented-out code that, once supplied with the appropriate subnet information and uncommented, will provision a Private Endpoint associated with the Cognitive Services account. This endpoint would route traffic between the service and the virtual network through a private link.

    Remember to replace placeholders like IP addresses and subnet IDs with actual values suitable for your environment. If private network integration is not required, you can leave out the PrivateEndpoint resource and its related code. The necessary parts for the program to work for network isolation are included above.