Secure Model Storage in Azure Container Registry

Question

Pulumi · Accepted Answer

To set up a secure model storage in Azure Container Registry (ACR), you'll need to create an ACR instance where you can store and manage your container images. This involves several steps:

1. **Create an Azure Container Registry**: A container registry is a centralized place for keeping container images and related artifacts.
2. **Enable security features**: Ensuring that security features like admin user, network rules and potentially Azure Active Directory (Azure AD) authentication is set up for your registry.
3. **Push container images to the registry**: Once the registry is set up, you can push your images from your local environment or CI/CD pipeline.

Below is a Pulumi program written in Python which sets up an ACR with some security features enabled:

```python
import pulumi
import pulumi_azure_native as azure_native

# Create a Resource Group
resource_group = azure_native.resources.ResourceGroup("my-resource-group")

# Create an ACR instance within the Resource Group.
# Change the SKU to 'Premium' for zone redundancy, geo-replication and more (optional)
container_registry = azure_native.containerregistry.Registry("my-registry",
    resource_group_name=resource_group.name,
    sku=azure_native.containerregistry.SkuArgs(
        name="Standard",  # For 'Basic', 'Standard', or 'Premium' tiers use "Basic", "Standard", or "Premium"
    ),
    location=resource_group.location,
    admin_user_enabled=True,  # Enable the admin user for simplified authentication
    network_rule_set=azure_native.containerregistry.NetworkRuleSetArgs(
        default_action="Deny",  # Deny public network access by default
        ip_rules=[
            azure_native.containerregistry.IPRuleArgs(
                action="Allow",  # Update the action as required
                ip_address_or_range="YOUR_IP_ADDRESS"  # Restricted IP range or specific IP
            ),
        ],
    ),
    public_network_access="Disabled",  # No public network access to the registry
)

# Output the URL of the created registry
pulumi.export("registry_url", container_registry.login_server)

# Output the credentials for the registry admin user.
# IMPORTANT: This will expose credentials in the Pulumi output.
# Remove or secure the output in production environments.
# SENSITIVE: pulumi.export("admin_username", container_registry.admin_username)
# SENSITIVE: pulumi.export("admin_password", container_registry.admin_password)

# Optional: Enable AAD authentication, zone redundancy, encryption, etc.
# as needed to meet additional security requirements.
```

### Explanation:

- A resource group is being created, which is a container that holds related resources for an Azure solution.
- Inside the resource group, we have instantiated an ACR using the `Registry` class with the required arguments like SKU, location, and others.
- We have set the ACR `sku` to `Standard`. Azure Container Registry comes in three service tiers: Basic, Standard, and Premium. Each tier has different capabilities and prices.
- The `admin_user_enabled` option is set to `True` so that a simple admin account is created for initial pushing and pulling of container images to the ACR. For production environments, it's recommended to manage authentication via Azure Active Directory (Azure AD).
- Network rules are being applied to control access to the registry. Here, the default action is set to `Deny` to restrict any public network access. You can then allow access from specific IP addresses with `ip_rules`.
- The ACR public access is disabled, which means it can't be accessed from the internet.
- Finally, the login server URL of the registry is exported as an output. This is the endpoint you use to authenticate your docker client to this registry.

After applying this Pulumi code, you can push your model (container image) to the ACR using Docker CLI or any other tool that works with Docker registries:

```bash
docker tag my-model $REGISTRY_URL/my-model:v1
docker push $REGISTRY_URL/my-model:v1
```

Remember to replace `$REGISTRY_URL` by the output value from Pulumi.

Note: In the pulumi.export comments for admin credentials, I have designated these as sensitive outputs. Please ensure to handle these credentials securely without exposing them unintentionally. You can also take advantage of Pulumi's secret handling to encrypt sensitive data at rest.

You can now proceed to push your container images containing your models securely to Azure Container Registry.