1. Isolating Azure Cognitive Services Resources with NSGs

    To isolate Azure Cognitive Services resources using Network Security Groups (NSGs), you'll need to create an NSG and associate it with the subnet that your Cognitive Services resources are connected to. This will allow you to define security rules that control the inbound and outbound traffic to the subnet, effectively creating a boundary around your Cognitive Services.

    Here's how you can accomplish this using Pulumi with Azure:

    1. Create a resource group to contain your resources.
    2. Set up a virtual network along with a subnet.
    3. Create a Network Security Group (NSG) with the required security rules.
    4. Associate the NSG with the subnet where your Cognitive Services will reside.
    5. Provision the Cognitive Services in the secured subnet.

    Below is the Pulumi program written in Python that demonstrates these steps:

    ```python
    import pulumi
    import pulumi_azure_native as azure_native

    # 1. Create a resource group to contain your resources.
    resource_group = azure_native.resources.ResourceGroup("resource_group")

    # 2. Set up a virtual network. Its subnet is declared in step 4, once the NSG exists.
    vnet = azure_native.network.VirtualNetwork(
        "vnet",
        resource_group_name=resource_group.name,
        address_space=azure_native.network.AddressSpaceArgs(
            address_prefixes=["10.0.0.0/16"],
        ),
        location=resource_group.location,
    )

    # 3. Create a Network Security Group (NSG) with the required security rules.
    nsg = azure_native.network.NetworkSecurityGroup(
        "nsg",
        resource_group_name=resource_group.name,
        location=resource_group.location,
        security_rules=[
            # Allows TCP 443 from any source address to any destination in the subnet.
            azure_native.network.SecurityRuleArgs(
                name="ALLOW-HTTPS-INBOUND",
                direction="Inbound",
                protocol="Tcp",
                source_port_range="*",
                destination_port_range="443",
                source_address_prefix="*",
                destination_address_prefix="*",
                access="Allow",
                priority=100,
            ),
        ],
    )

    # 4. Create the subnet where your Cognitive Services will reside, with the NSG
    #    associated. A single Subnet resource carries both the address range and
    #    the NSG reference.
    subnet = azure_native.network.Subnet(
        "subnet",
        resource_group_name=resource_group.name,
        virtual_network_name=vnet.name,
        address_prefix="10.0.0.0/24",
        network_security_group=azure_native.network.NetworkSecurityGroupArgs(
            id=nsg.id,
        ),
    )

    # 5. Provision the Cognitive Services account.
    #    As declared here, the account has no network rules or private endpoint,
    #    so nothing ties it to the subnet and the NSG does not filter traffic
    #    to the account's endpoint.
    cognitive_services = azure_native.cognitiveservices.Account(
        "cognitive_services",
        resource_group_name=resource_group.name,
        kind="CognitiveServices",
        sku=azure_native.cognitiveservices.SkuArgs(
            name="S0",
        ),
        location=resource_group.location,
    )

    # Export the NSG id and the Cognitive Services id
    pulumi.export("nsg_id", nsg.id)
    pulumi.export("cognitive_services_id", cognitive_services.id)
    ```

    This program will set up a basic infrastructure in Azure to deploy Azure Cognitive Services in a secure manner using a Network Security Group.

    Here's a breakdown of what each part of the code does:

    • Resource Group: A container that holds related resources for an Azure solution. In this case, the Cognitive Services and related network components will be part of this group.

    • Virtual Network and Subnet: A VNet is a representation of your own network in the cloud, and a subnet is a range of IP addresses in the VNet. You can use subnets to divide the VNet into multiple segments.

    • Network Security Group and Security Rules: NSGs are used to filter network traffic to and from Azure resources in an Azure Virtual Network. A security rule is a condition that, when matched, allows or denies network traffic to your Cognitive Services.

    • Associating NSG to Subnet: Associating an NSG with a subnet applies the NSG's rules to the traffic of all resources within that subnet. Here the rule allows inbound HTTPS (TCP 443) from any source address; HTTPS is typical for Cognitive Services.

    • Cognitive Services: This is the Azure Cognitive Services account where you'll hold your cognitive API resources.

    At the end of the program, we export the NSG ID and the Cognitive Services ID, which can be used to reference these resources in future operations or other Pulumi programs.
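
The rule evaluation described above, as an added example (not part of the original program and not Pulumi's or Azure's code): an offline model in plain Python of how the page's ALLOW-HTTPS-INBOUND rule combines with Azure's default inbound rules, with a check that flags Allow rules open to any source. The rule dictionaries, helper names and sample addresses are constructed for illustration, and the VirtualNetwork service tag is simplified to the program's 10.0.0.0/16 address space.

```python
import ipaddress

# Constructed model: the page's custom rule, then Azure's default inbound rules.
# Assumption: the VirtualNetwork tag is reduced to the VNet range 10.0.0.0/16 and
# AzureLoadBalancer to the platform address 168.63.129.16.
PAGE_RULES = [
    {"name": "ALLOW-HTTPS-INBOUND", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "source": "*", "port": "443"},
]
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": "10.0.0.0/16", "port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "168.63.129.16/32", "port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "*", "port": "*"},
]
ANY_SOURCE = {"*", "0.0.0.0/0"}

def source_matches(rule_source, src_ip):
    """True if src_ip falls inside the rule's source ("*" or a CIDR)."""
    if rule_source == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source)

def evaluate_inbound(rules, src_ip, protocol, port):
    """Return (access, rule name) of the first match, lowest priority number first."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", protocol)
                and rule["port"] in ("*", str(port))
                and source_matches(rule["source"], src_ip)):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # not reached: the default deny matches all

def open_to_any_source(rules):
    """Names of Allow rules whose source is unrestricted."""
    return [r["name"] for r in rules
            if r["access"] == "Allow" and r["source"] in ANY_SOURCE]

def restrict_sources(rules, allowed_cidr):
    """Copy of rules with every unrestricted Allow source narrowed to allowed_cidr."""
    flagged = set(open_to_any_source(rules))
    return [dict(r, source=allowed_cidr) if r["name"] in flagged else dict(r)
            for r in rules]

if __name__ == "__main__":
    hardened = restrict_sources(PAGE_RULES, "198.51.100.0/24")  # constructed range
    print(open_to_any_source(PAGE_RULES))
    print(evaluate_inbound(hardened, "203.0.113.7", "Tcp", 443))
```

In this model, port 443 is reachable from any address until the rule's source is narrowed, and traffic from inside the VNet is allowed by the default rules regardless of the custom rule.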