Isolating Cognitive Services with Azure Private Link

Question

Pulumi · Accepted Answer

Isolating Azure Cognitive Services using Azure Private Link involves creating an instance of Cognitive Services and associating it with a Private Endpoint. Azure Private Link enables you to access Azure services (like Azure Cognitive Services) privately from your virtual network.

The solution involves these steps:
1. Create an Azure Cognitive Services account.
2. Create a private endpoint inside a subnet in your virtual network.
3. Connect the private endpoint to the Cognitive Services account, effectively securing the service and making it accessible only through the private network.

In this Pulumi program, we will:
- Provision an Azure Cognitive Services Account which will provide various AI functions.
- Set up a Private Endpoint to ensure the Cognitive Services are accessible inside a private network.

Let's see how this is done with Pulumi in Python:

```python
import pulumi
import pulumi_azure_native as azure_native

# Create an Azure Resource Group for organizing resources
resource_group = azure_native.resources.ResourceGroup("resourceGroup")

# Deploy an Azure Cognitive Services Account
cognitive_services_account = azure_native.cognitiveservices.Account("cognitiveServiceAccount",
    resource_group_name=resource_group.name,
    kind="TextAnalytics",  # Kind specifies the type of cognitive service
    sku=azure_native.cognitiveservices.SkuArgs(
        name="S0"  # S0 is a standard tier for Cognitive Services, you can choose other tiers as needed
    ),
    location=resource_group.location
)

# Create a Virtual Network for the private link
vnet = azure_native.network.VirtualNetwork("vnet",
    resource_group_name=resource_group.name,
    address_space=azure_native.network.AddressSpaceArgs(
        address_prefixes=["10.0.0.0/16"]
    )
)

# Create a Subnet within the Virtual Network for the Cognitive Services
# Note that the subnet must be delegated to `Microsoft.CognitiveServices/accounts`
subnet = azure_native.network.Subnet("subnet",
    resource_group_name=resource_group.name,
    virtual_network_name=vnet.name,
    address_prefix="10.0.0.0/24",
    delegations=[azure_native.network.DelegationArgs(
        name="delegation",
        service_name="Microsoft.CognitiveServices/accounts"
    )]
)

# Deploy a Private Endpoint to the Subnet that links to the Cognitive Services
private_endpoint = azure_native.network.PrivateEndpoint("privateEndpoint",
    resource_group_name=resource_group.name,
    subnet=azure_native.network.SubnetArgs(
        id=subnet.id
    ),
    private_link_service_connections=[azure_native.network.PrivateLinkServiceConnectionArgs(
        name="cognitiveServicesPLink",
        private_link_service_id=cognitive_services_account.id
    )],
    location=resource_group.location
)

# Export the IDs of the created resources
pulumi.export("resource_group_id", resource_group.id)
pulumi.export("cognitive_services_account_id", cognitive_services_account.id)
pulumi.export("subnet_id", subnet.id)
pulumi.export("private_endpoint_id", private_endpoint.id)
```

In the code above:

- An `azure_native.resources.ResourceGroup` is defined to organize all the resources in a single group.
- `azure_native.cognitiveservices.Account` provisions the Cognitive Services Account within the resource group we created.
- Next, we set up a virtual network (`azure_native.network.VirtualNetwork`) and a subnet (`azure_native.network.Subnet`) inside that network, which is specifically delegated to the Cognitive Services account.
- Finally, we create a `azure_native.network.PrivateEndpoint` within the subnet, which is responsible for making a private connection between the virtual network and the Cognitive Services Account.

**Important Notes:**
- The `kind` parameter when creating the Cognitive Services Account specifies the type of cognitive services you want to provision. In the above example, we used "TextAnalytics", but you can change it to other kinds according to your requirements.
- The SKU (stock-keeping unit) for the Cognitive Services account defines the pricing tier. We have used "S0" but there are other tiers with different capabilities and limits.
- Delegating the subnet to "Microsoft.CognitiveServices/accounts" is necessary for the subnet to work with Private Link.

After deploying this program with Pulumi, the Cognitive Services will be accessible privately within your Azure Virtual Network, thereby isolating it from public access and increasing security.