1. Securing Azure ML Workspace with Network Security Groups


    Securing an Azure Machine Learning (ML) workspace with a Network Security Group (NSG) means creating an NSG, giving it rules that control inbound and outbound traffic, and attaching it to the subnet in the Azure virtual network that hosts the workspace's network-bound resources: compute instances and clusters, and the private endpoints for the workspace and its storage. An NSG is an ordered list of allow/deny rules. Inbound and outbound rules are evaluated separately, in priority order (the lowest priority number is checked first, and the first match wins). Azure appends a set of default rules at priority 65000 and above, ending in DenyAllInBound and DenyAllOutBound, so inbound traffic from outside the virtual network is dropped unless a user rule explicitly allows it.

    In this context, we will set up an NSG with a few basic rules:

    • An inbound rule to allow SSH traffic (for maintenance or management tasks on compute in the subnet).
    • An inbound rule to allow HTTPS traffic (for secure workspace access).
    • An outbound rule to allow any traffic to the internet (ensuring the ML compute can reach external resources if needed). Note that the default rule AllowInternetOutBound already permits this; the explicit rule is shown here so that the intent is visible in code and survives if stricter outbound rules are added later.

    To implement this in Pulumi using Python, we'll use the azure-native provider, which enables us to work with Azure resources directly using native Azure APIs.

    Here's some sample code that demonstrates how to create a Network Security Group, set up the desired security rules, and then associate it with a subnet:

    import pulumi
    from pulumi_azure_native import network, resources

    # Create a resource group if you do not already have one.
    # ResourceGroup lives in the `resources` module, not `network`.
    resource_group = resources.ResourceGroup('my-resource-group')

    # Create a virtual network for your Azure resources.
    # Subnets are managed as separate resources below, so tell Pulumi to
    # ignore the vnet's own `subnets` property; otherwise a later vnet update
    # can try to strip the subnets it does not know about.
    vnet = network.VirtualNetwork(
        'my-virtual-network',
        resource_group_name=resource_group.name,
        address_space=network.AddressSpaceArgs(
            address_prefixes=['10.0.0.0/16'],
        ),
        opts=pulumi.ResourceOptions(ignore_changes=['subnets']),
    )

    # Create an NSG (Network Security Group). Its rules are added below as
    # separate SecurityRule resources.
    nsg = network.NetworkSecurityGroup(
        'my-nsg',
        resource_group_name=resource_group.name,
    )

    # Inbound SSH. A lower priority number is evaluated first.
    # source_address_prefix='*' exposes port 22 to the whole internet;
    # narrow it to your administrative range before using this in production.
    ssh_rule = network.SecurityRule(
        'allow-ssh',
        network_security_group_name=nsg.name,
        resource_group_name=resource_group.name,
        access='Allow',
        description='Allow SSH',
        destination_address_prefix='*',
        destination_port_range='22',
        direction='Inbound',
        priority=100,
        protocol='Tcp',
        source_address_prefix='*',
        source_port_range='*',
    )

    # Inbound HTTPS.
    https_rule = network.SecurityRule(
        'allow-https',
        network_security_group_name=nsg.name,
        resource_group_name=resource_group.name,
        access='Allow',
        description='Allow HTTPS',
        destination_address_prefix='*',
        destination_port_range='443',
        direction='Inbound',
        priority=200,
        protocol='Tcp',
        source_address_prefix='*',
        source_port_range='*',
    )

    # Outbound to the internet. The default AllowInternetOutBound rule
    # (priority 65001) already permits this; the explicit rule makes the
    # intent visible and keeps egress working if stricter outbound rules
    # are added later.
    outbound_rule = network.SecurityRule(
        'allow-outbound',
        network_security_group_name=nsg.name,
        resource_group_name=resource_group.name,
        access='Allow',
        description='Allow outbound',
        destination_address_prefix='Internet',
        destination_port_range='*',
        direction='Outbound',
        priority=300,
        protocol='*',
        source_address_prefix='*',
        source_port_range='*',
    )

    # Create the subnet for the ML compute with the NSG attached. Setting the
    # association on the subnet resource itself avoids a second Pulumi
    # resource managing the same Azure subnet. depends_on ensures the rules
    # exist before the subnet starts using the NSG.
    subnet = network.Subnet(
        'my-ml-subnet',
        resource_group_name=resource_group.name,
        virtual_network_name=vnet.name,
        address_prefix='10.0.1.0/24',
        network_security_group=network.NetworkSecurityGroupArgs(id=nsg.id),
        opts=pulumi.ResourceOptions(depends_on=[ssh_rule, https_rule, outbound_rule]),
    )

    # Export the NSG and subnet IDs for the stack that provisions the workspace.
    pulumi.export('nsg_id', nsg.id)
    pulumi.export('subnet_id', subnet.id)

    This code performs the following actions:

    • Create a resource group and a virtual network to host Azure resources, including the ML workspace's compute and private endpoints.
    • Create a Network Security Group (NSG) resource within that resource group.
    • Add three security rules to the NSG to allow inbound SSH, inbound HTTPS, and outbound traffic to the internet.
    • Create a subnet within the virtual network for the Azure ML compute, with the NSG attached at creation time so that no second resource has to update the subnet afterwards.
    • Export the NSG and subnet IDs for use by the stack that provisions the workspace.

    Note: This sample does not provision the Azure ML workspace itself. You would typically deploy the workspace's compute targets and private endpoints into the subnet defined here and pass the exported subnet ID to that stack.

    Keep in mind that the security rules defined here are deliberately permissive. The SSH rule accepts connections from any source address, and a management port exposed to the whole internet is the most common way a compute node in this subnet gets brute-forced. In a production environment, restrict source_address_prefix on inbound rules to your administrative IP ranges (or drop the SSH rule entirely and reach compute through Azure Bastion), and decide whether the outbound rule is needed at all, since the default AllowInternetOutBound rule already permits it; granular outbound rules, or routing egress through a firewall, are what you add if outbound traffic needs to be constrained. Always review and conform to your organization's security policies when setting up NSGs.
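    To see exactly what the permissive rules above let through, and what a restricted variant changes, the following added example (not code from the original page and not part of Pulumi or Azure) models NSG evaluation offline: user rules and Azure's default rules are walked together in priority order, and the first match decides. Service tags are resolved with simplifying assumptions: VirtualNetwork is the 10.0.0.0/16 from the sample, Internet is any globally routable address, and AzureLoadBalancer is the platform probe address 168.63.129.16. The sample's three rules are reproduced as data, a hardened rule set restricts SSH to an assumed administrative range (203.0.113.0/24, a documentation range used as a placeholder), and the addresses in the usage lines are constructed for the example. The audit function at the end is the pre-deployment check a practitioner would want: it flags any inbound Allow rule that opens an admin port to an unrestricted source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One NSG rule, with the same fields the SecurityRule resource takes."""
    name: str
    priority: int          # 100-4096 for user rules; lower number wins
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source_prefix: str     # CIDR, "*" or a service tag
    dest_prefix: str
    dest_port_range: str   # "22", "1024-65535" or "*"


# Assumptions for resolving service tags offline (see lead-in).
VNET = ip_network("10.0.0.0/16")          # the sample's virtual network
AZURE_LB = ip_network("168.63.129.16/32")  # Azure load balancer probe address

# Azure's built-in default rules. They sit at priority 65000 and above, so
# every user rule (100-4096) is evaluated before them.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# The three rules from the Pulumi sample, as data.
SAMPLE_RULES = [
    Rule("allow-ssh", 100, "Inbound", "Allow", "Tcp", "*", "*", "22"),
    Rule("allow-https", 200, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    Rule("allow-outbound", 300, "Outbound", "Allow", "*", "*", "Internet", "*"),
]

# Hardened variant: SSH only from an assumed admin range, and no explicit
# outbound rule because AllowInternetOutBound already covers it.
HARDENED_RULES = [
    Rule("allow-ssh-from-admin", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
    Rule("allow-https", 200, "Inbound", "Allow", "Tcp", "*", "*", "443"),
]


def _prefix_matches(prefix: str, addr: str) -> bool:
    ip = ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":
        return ip.is_global
    if prefix == "AzureLoadBalancer":
        return ip in AZURE_LB
    return ip in ip_network(prefix, strict=False)


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule name) of the first rule matching the flow, walking
    user rules and default rules together in priority order."""
    for r in sorted([*rules, *DEFAULT_RULES], key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not (_prefix_matches(r.source_prefix, src) and _prefix_matches(r.dest_prefix, dst)):
            continue
        if not _port_matches(r.dest_port_range, dst_port):
            continue
        return r.access, r.name
    raise AssertionError("unreachable: the default rules always match")


ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def admin_ports_open_to_internet(rules):
    """Inbound Allow rules with an unrestricted source whose port range covers
    an admin port. Run this over a rule set before `pulumi up`."""
    findings = []
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != "Inbound" or r.access != "Allow":
            continue
        if r.source_prefix not in ("*", "Internet"):
            continue
        for port, service in ADMIN_PORTS.items():
            if _port_matches(r.dest_port_range, port):
                findings.append((r.name, service))
    return findings


if __name__ == "__main__":
    # Constructed addresses: 198.51.100.7 is an arbitrary external host,
    # 10.0.1.4 a compute node in the sample subnet.
    print(evaluate(SAMPLE_RULES, "Inbound", "Tcp", "198.51.100.7", "10.0.1.4", 22))
    print(evaluate(HARDENED_RULES, "Inbound", "Tcp", "198.51.100.7", "10.0.1.4", 22))
    print(admin_ports_open_to_internet(SAMPLE_RULES))
```

    With the sample rules, an SSH attempt from an arbitrary external host is allowed by allow-ssh; with the hardened rules the same flow falls through to DenyAllInBound, while SSH from the admin range and from inside the virtual network (via AllowVnetInBound) still succeeds. Evaluating an outbound HTTPS flow against the hardened rules shows it is allowed by the default AllowInternetOutBound rule, which is why the explicit outbound rule is optional. The model deliberately omits augmented rules, application security groups and the finer definition of the Internet tag; it is meant for reasoning about rule order and exposure, not as a replacement for Azure's own effective-rules view.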