Private Machine Learning Endpoint with Azure App Service VNET Swift Connection
To create a private machine learning endpoint with Azure App Service VNET Swift Connection using Pulumi, we need to set up several Azure resources. The primary resources involved in this process include:
- Azure App Service: A platform to build, deploy, and scale web apps quickly. We'll connect this service to a virtual network to ensure it can communicate privately with other Azure services.
- Virtual Network (VNet): An isolated network within the Azure cloud that can be used to securely communicate with other services in Azure.
- Azure Machine Learning workspace: A centralized place to work with all the artifacts you create when you use Azure Machine Learning.
- Azure Machine Learning Online Endpoint: A fully managed, real-time serving platform for machine learning models.
- Virtual Network Swift Connection: This is a new method of integrating an Azure App Service with an Azure Virtual Network (VNet), providing enhanced security and isolation for your apps.
Below is the Python Pulumi program that sets up these resources:
- We start by importing the required Pulumi Azure packages.
- Next, we define the necessary resources, such as the virtual network, subnet, app service plan, and app service.
- We also create a machine learning workspace and an online endpoint to deploy the models.
- Finally, we establish a Swift VNet integration for the App Service, allowing restricted access to the machine learning endpoint.
Let's look at the Python Pulumi code for achieving this:
```python
import pulumi
import pulumi_azure as azure
import pulumi_azure_native as azure_native

# Create a resource group
resource_group = azure.core.ResourceGroup('my-resource-group')

# Create a virtual network
vnet = azure.network.VirtualNetwork('my-vnet',
    resource_group_name=resource_group.name,
    address_spaces=['10.0.0.0/16'],
)

# Create the integration subnet as its own resource so it can be delegated to
# Microsoft.Web/serverFarms, which App Service VNet integration requires
subnet = azure.network.Subnet('default',
    resource_group_name=resource_group.name,
    virtual_network_name=vnet.name,
    address_prefixes=['10.0.1.0/24'],
    delegations=[azure.network.SubnetDelegationArgs(
        name='appservice-delegation',
        service_delegation=azure.network.SubnetDelegationServiceDelegationArgs(
            name='Microsoft.Web/serverFarms',
            actions=['Microsoft.Network/virtualNetworks/subnets/action'],
        ),
    )],
)

# Create an Azure Machine Learning Workspace
ml_workspace = azure_native.machinelearningservices.Workspace("my-ml-workspace",
    resource_group_name=resource_group.name,
    location=resource_group.location,
    sku=azure_native.machinelearningservices.SkuArgs(
        name="Enterprise"
    ),
)

# Create an Azure Machine Learning Online Endpoint
# The endpoint's compute will be associated with the same VNet for private connectivity
ml_online_endpoint = azure_native.machinelearningservices.OnlineEndpoint("my-ml-endpoint",
    resource_group_name=resource_group.name,
    location=ml_workspace.location,
    workspace_name=ml_workspace.name,
    online_endpoint_properties=azure_native.machinelearningservices.OnlineEndpointPropertiesArgs(
        public_network_access="Disabled"  # Set this to Disabled to ensure it's only accessible from the VNet
    )
)

# Create an App Service Plan
app_service_plan = azure.appservice.Plan('my-appservice-plan',
    resource_group_name=resource_group.name,
    kind='Linux',
    reserved=True,
    sku={
        'tier': 'Basic',
        'size': 'B1',
    }
)

# Create an App Service with a system-assigned managed identity
app_service = azure.appservice.AppService('my-appservice',
    resource_group_name=resource_group.name,
    app_service_plan_id=app_service_plan.id,
    app_settings={
        "WEBSITE_VNET_ROUTE_ALL": "1"  # Route all outbound traffic from the app through the integrated VNet
    },
    identity=azure.appservice.AppServiceIdentityArgs(
        type="SystemAssigned"
    )
)

# Establish a Swift VNet integration
swift_connection = azure_native.web.WebAppSwiftVirtualNetworkConnection("my-swift-connection",
    resource_group_name=resource_group.name,
    name=app_service.name,
    subnet_resource_id=subnet.id
)

# Export the endpoints and names as outputs
pulumi.export('app_service_url', app_service.default_site_hostname)
pulumi.export('ml_online_endpoint', ml_online_endpoint.name)
```
This code sets up the infrastructure as described, with the App Service securely connected to the virtual network, and the machine learning endpoint being private to the VNet only. The SwiftVirtualNetworkConnection is established with the App Service to enable its VNet integration. This ensures that the App Service is only accessible within the virtual network, securing the machine learning endpoint as well.

Each of the resources is given a meaningful name, and the most critical parameters are passed as options where required. The SKU, size, and tier for resources like the ML Workspace and App Service Plan should be chosen according to your workload's needs and budget.
The outputs at the end of the program will give you the URLs to access the App Service and the name of the Machine Learning Online Endpoint, which can be used for further management or integration steps.
Remember to ensure that the Pulumi Azure plugin, the CLI, and any necessary authentication with Azure are properly set up in your environment to deploy this stack.
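Once the stack is deployed, the settings the program relies on can be checked against the exported state. The following is an added example, not part of the original program: it audits a state export for the three settings above, and the resource type tokens, camelCase property names and sample states are assumptions constructed for illustration.

```python
# Added example: audit a Pulumi state export for the settings this page relies on.
# Type tokens and camelCase property names are assumptions about how the
# providers record state; adjust them to match your own export.
ML_ENDPOINT = "azure-native:machinelearningservices:OnlineEndpoint"
APP_SERVICE = "azure:appservice/appService:AppService"
SWIFT = "azure-native:web:WebAppSwiftVirtualNetworkConnection"


def audit(state):
    """Return a list of findings; an empty list means every check passed."""
    by_type = {}
    for res in state.get("deployment", {}).get("resources", []):
        by_type.setdefault(res.get("type"), []).append(res)

    findings = []
    for res in by_type.get(ML_ENDPOINT, []):
        props = res.get("inputs", {}).get("onlineEndpointProperties", {})
        if props.get("publicNetworkAccess") != "Disabled":
            findings.append(f"{res.get('urn')}: publicNetworkAccess is not Disabled")
    for res in by_type.get(APP_SERVICE, []):
        settings = res.get("inputs", {}).get("appSettings", {})
        if settings.get("WEBSITE_VNET_ROUTE_ALL") != "1":
            findings.append(f"{res.get('urn')}: WEBSITE_VNET_ROUTE_ALL is not 1")
    if by_type.get(APP_SERVICE) and not by_type.get(SWIFT):
        findings.append("App Service present but no Swift VNet connection")
    for res in by_type.get(SWIFT, []):
        if not res.get("inputs", {}).get("subnetResourceId"):
            findings.append(f"{res.get('urn')}: no subnetResourceId")
    return findings


def _res(rtype, name, inputs):
    # Builds one constructed resource record (not real deployment output).
    return {"urn": f"urn:pulumi:dev::demo::{rtype}::{name}", "type": rtype, "inputs": inputs}


GOOD = {"deployment": {"resources": [
    _res(ML_ENDPOINT, "my-ml-endpoint", {"onlineEndpointProperties": {"publicNetworkAccess": "Disabled"}}),
    _res(APP_SERVICE, "my-appservice", {"appSettings": {"WEBSITE_VNET_ROUTE_ALL": "1"}}),
    _res(SWIFT, "my-swift-connection", {"subnetResourceId": "/subscriptions/PLACEHOLDER/subnets/default"}),
]}}
BAD = {"deployment": {"resources": [
    _res(ML_ENDPOINT, "my-ml-endpoint", {"onlineEndpointProperties": {"publicNetworkAccess": "Enabled"}}),
    _res(APP_SERVICE, "my-appservice", {"appSettings": {}}),
]}}

if __name__ == "__main__":
    for label, state in (("good", GOOD), ("bad", BAD)):
        print(label, audit(state) or "all checks passed")
```

To run it against a real stack, load the JSON written by `pulumi stack export` and pass the resulting dictionary to `audit`.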