AI Workload Compliance with Azure Subnets and Network Security Groups

Question

Pulumi · Accepted Answer

To ensure AI workload compliance within an Azure environment, you typically need a robust network setup that requires configuring subnets and network security groups (NSGs) according to your compliance requirements. This involves selecting the correct resources which are:

- **Azure Subnet**: A subnet is a range of IP addresses in your virtual network. You can use subnets to partition your network into multiple segments for better network organization and security.
  
- **Azure Network Security Group (NSG)**: An NSG contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated with either subnets or individual VM instances within the subnet.

For AI workloads, subnets and NSGs must be configured to restrict access to only necessary services and resources. For example, you may want to allow only certain IP ranges to access your training and inference endpoints or require specific protocols and ports for communication with data sources.

The following program demonstrates how to create a subnet and associate an NSG with it, including the creation of a security rule to allow HTTPS traffic, which is commonly needed for AI services. Remember to replace placeholder values with your actual resource names and properties necessary for your specific compliance needs.

```python
import pulumi
import pulumi_azure_native as azure_native

# Create a resource group
resource_group = azure_native.resources.ResourceGroup("ai_compliance_resource_group")

# Create a virtual network
vnet = azure_native.network.VirtualNetwork(
    "ai_compliance_vnet",
    resource_group_name=resource_group.name,
    address_space=azure_native.network.AddressSpaceArgs(
        address_prefixes=["10.0.0.0/16"]
    )
)

# Create a subnet within the virtual network
subnet = azure_native.network.Subnet(
    "ai_compliance_subnet",
    resource_group_name=resource_group.name,
    virtual_network_name=vnet.name,
    address_prefix="10.0.1.0/24"
)

# Create a network security group
nsg = azure_native.network.NetworkSecurityGroup(
    "ai_compliance_nsg",
    resource_group_name=resource_group.name
)

# Create a network security rule that allows HTTPS traffic
security_rule = azure_native.network.SecurityRule(
    "ai_compliance_https_rule",
    resource_group_name=resource_group.name,
    network_security_group_name=nsg.name,
    access=azure_native.network.SecurityRuleAccess.ALLOW,
    description="Allow HTTPS traffic",
    destination_address_prefix="*",
    destination_port_range="443",
    direction=azure_native.network.SecurityRuleDirection.INBOUND,
    priority=100,
    protocol=azure_native.network.SecurityRuleProtocol.TCP,
    source_address_prefix="*",
    source_port_range="*"
)

# Associate the network security group with the subnet
subnet_update = azure_native.network.Subnet(
    "ai_compliance_subnet_association",
    resource_group_name=resource_group.name,
    virtual_network_name=vnet.name,
    subnet_name=subnet.name,
    network_security_group=azure_native.network.SubnetNetworkSecurityGroupArgs(
        id=nsg.id
    )
)

# Export the IDs of the resources
pulumi.export("resource_group_id", resource_group.id)
pulumi.export("virtual_network_id", vnet.id)
pulumi.export("subnet_id", subnet.id)
pulumi.export("network_security_group_id", nsg.id)
```

This code performs the following actions:

1. **Resource Group Creation**: It creates a resource group in Azure to organize related resources for your AI workloads. A resource group is a container that holds related resources in Azure. [(Azure ResourceGroup Documentation)](https://www.pulumi.com/registry/packages/azure-native/api-docs/resources/resourcegroup/)

2. **Virtual Network Creation**: It defines a virtual network with a specified address range, which is crucial for creating isolated subnetworks that can be secured and managed separately. [(Azure VirtualNetwork Documentation)](https://www.pulumi.com/registry/packages/azure-native/api-docs/network/virtualnetwork/)

3. **Subnet Creation**: Within the virtual network, we create a subnet that partitions the VNet into a smaller segment. This will be the network segment where your AI resources reside. [(Azure Subnet Documentation)](https://www.pulumi.com/registry/packages/azure-native/api-docs/network/subnet/)

4. **Network Security Group Creation**: It then creates a network security group (NSG) to define security rules for incoming and outgoing traffic to protect your network resources. [(Azure NetworkSecurityGroup Documentation)](https://www.pulumi.com/registry/packages/azure-native/api-docs/network/networksecuritygroup/)

5. **Security Rule Creation**: To allow HTTPS traffic, which is commonly used for secure web communications in AI services, it defines an NSG security rule that permits inbound TCP traffic on port 443. [(Azure SecurityRule Documentation)](https://www.pulumi.com/registry/packages/azure-native/api-docs/network/securityrule/)

6. **Associating NSG with Subnet**: It associates the created NSG with the subnet so that all the AI resources within this subnet will adhere to the security rules defined in the NSG, facilitating the compliance of your workloads. [(Azure Subnet Documentation)](https://www.pulumi.com/registry/packages/azure-native/api-docs/network/subnet/)

7. **Exports**: At the end of the program, the `pulumi.export` statements reveal the resources' IDs, which can be useful for querying your infrastructure's state after deployment.

To use this program, make sure you have Pulumi installed and configured for Azure, then place this code in a `__main__.py` file within a new Pulumi project directory. Run `pulumi up` to deploy these resources to your Azure account.