1. SSL Termination for AI Endpoints with Azure NGINX


    When setting up SSL termination for AI endpoints using Azure NGINX, you generally want to establish a secure listener for incoming traffic, which then gets decrypted (SSL termination) so that your NGINX can process the requests in plaintext. This technique is commonly used for performance reasons and to centralize the SSL termination process for multiple services.

    Since the Pulumi Registry results suggest using Azure Front Door or Azure Application Gateway for SSL termination, I will create an example with Azure Front Door, as it provides global load balancing capabilities with SSL termination.

    In this Pulumi program, I will define the following resources:

    1. FrontDoor: A resource that represents Azure Front Door itself. It enables you to define how traffic is routed to the backend pools and can be configured to terminate SSL at the routing level.

    2. BackendPool: This is where you specify your AI endpoint. Front Door will forward the decrypted traffic to this endpoint after terminating the SSL.

    3. HealthProbeSettings: Defines how Azure Front Door will probe the backend to ensure it is healthy and able to receive traffic.

    4. RoutingRule: Determines how requests are forwarded to backend pools and potentially rewritten before they are sent to the backend.

    5. FrontendEndpoint: For SSL termination, we define a custom domain and certificate to use with our Front Door instance.

    Below is a Python program that uses Pulumi to create an Azure Front Door resource to route and terminate SSL for AI endpoints with NGINX on Azure.

    import pulumi
    import pulumi_azure_native as azure_native

    # Create an Azure resource group
    resource_group = azure_native.resources.ResourceGroup('example-resources')

    # Define the frontend endpoint with SSL settings (using Azure-managed certificates for simplicity)
    fd_frontend_endpoint = azure_native.network.FrontendEndpoint(
        "fdFrontendEndpoint",
        resource_group_name=resource_group.name,
        front_door_name="example-frontdoor",
        name="exampleFrontendEndpoint",
        session_affinity_enabled_state="Disabled",
        session_affinity_ttl_seconds=0,
        web_application_firewall_policy_link=None,
        # Hosting your own domain, you would use 'CustomHttpsConfiguration' here with your certificate details
        custom_https_provisioning_state="Enabled",
        custom_https_configuration=azure_native.network.CustomHttpsConfigurationArgs(
            certificate_source="FrontDoor",
        ),
    )

    # Define the backend pool with your AI endpoint
    fd_backend_pool = azure_native.network.BackendPool(
        "fdBackendPool",
        resource_group_name=resource_group.name,
        front_door_name="example-frontdoor",
        name="exampleBackendPool",
        backends=[azure_native.network.BackendArgs(
            address="nginxaiendpoint.example.com",  # Replace with your NGINX AI Endpoint domain
            http_port=80,
            https_port=443,
            enabled_state="Enabled",
            weight=50,
            priority=1,
        )],
    )

    # Define routing rules
    fd_routing_rule = azure_native.network.RoutingRule(
        "fdRoutingRule",
        resource_group_name=resource_group.name,
        front_door_name="example-frontdoor",
        name="exampleRoutingRule",
        frontend_endpoints=[
            fd_frontend_endpoint.name,
        ],
        accepted_protocols=["Https"],
        patterns_to_match=["/*"],
        route_configuration=azure_native.network.ForwardingConfigurationArgs(
            forwarding_protocol="HttpsOnly",
            backend_pool=fd_backend_pool.id,
        ),
    )

    # Define health probe settings
    fd_health_probe_settings = azure_native.network.HealthProbeSettingsModel(
        "fdHealthProbeSettings",
        resource_group_name=resource_group.name,
        front_door_name="example-frontdoor",
        name="exampleHealthProbeSettings",
        protocol="Https",
        path="/health",
        interval_in_seconds=30,
    )

    # Create the Front Door instance
    front_door = azure_native.network.FrontDoor(
        "example-frontdoor",
        resource_group_name=resource_group.name,
        location="global",
        tags={
            "environment": "production",
        },
        backend_pools=[fd_backend_pool],
        health_probe_settings=[fd_health_probe_settings],
        routing_rules=[fd_routing_rule],
        frontend_endpoints=[fd_frontend_endpoint],
    )

    # Output the endpoint URL
    pulumi.export('endpoint_url', fd_frontend_endpoint.host_name)

    In this program, we have set up a simple Front Door service with default settings for illustration purposes. The backend endpoint should be replaced with your actual NGINX AI Endpoint. Health probe settings allow Front Door to check the health of your backend before sending traffic to it. Since we're using Azure-managed certificates in this example, certificate_source in CustomHttpsConfigurationArgs is set to FrontDoor.

    Ensure that you have the necessary DNS setup for your domain and access to the SSL certificate required for the frontend endpoint. If you are hosting your own domain and SSL certificate, update CustomHttpsConfigurationArgs accordingly. The program outputs the hostname for the frontend endpoint, which you can use to access your Front Door service over HTTPS.
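
    The program above accepts only Https at the listener, forwards with HttpsOnly and probes over Https, so traffic terminated at Front Door is re-encrypted on its way to NGINX. As an added example (not part of the original program), the check below flags settings that would leave one of those hops in plaintext; the dict layout, audit_front_door and the weak sample are assumptions constructed for illustration.

```python
# Added example, not from the original program. The dict layout and
# audit_front_door() are hypothetical; key names mirror the Pulumi arguments.

def audit_front_door(cfg):
    """Return (name, problem) pairs for every setting that allows plaintext."""
    findings = []
    for rule in cfg["routing_rules"]:
        accepted = set(rule["accepted_protocols"])
        forwarding = rule["forwarding_protocol"]
        if "Http" in accepted:
            findings.append((rule["name"], "listener accepts plaintext Http"))
        # MatchRequest reuses the client's scheme towards the backend, so it
        # only guarantees TLS when the listener refuses Http.
        if forwarding == "HttpOnly" or (
            forwarding == "MatchRequest" and "Http" in accepted
        ):
            findings.append((rule["name"], "edge-to-backend hop can be plaintext"))
    for probe in cfg["health_probe_settings"]:
        if probe["protocol"] != "Https":
            findings.append((probe["name"], "health probe uses plaintext Http"))
    return findings


# Values taken from the program above.
PAGE_SETTINGS = {
    "routing_rules": [{
        "name": "exampleRoutingRule",
        "accepted_protocols": ["Https"],
        "forwarding_protocol": "HttpsOnly",
    }],
    "health_probe_settings": [
        {"name": "exampleHealthProbeSettings", "protocol": "Https"},
    ],
}

# Constructed weak variant for comparison.
WEAK_SETTINGS = {
    "routing_rules": [{
        "name": "weakRule",
        "accepted_protocols": ["Http", "Https"],
        "forwarding_protocol": "MatchRequest",
    }],
    "health_probe_settings": [{"name": "weakProbe", "protocol": "Http"}],
}

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_SETTINGS), ("weak", WEAK_SETTINGS)):
        print(label, audit_front_door(cfg) or "every hop uses TLS")
```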