Controlled Access to AI Inference APIs via Network Security Groups
PythonTo control access to AI inference APIs, you typically want to secure your network such that only trusted sources can reach the APIs. This is done by setting up Network Security Groups (NSGs) that act as virtual firewalls for your cloud resources, allowing or denying network traffic to and from your services according to rules you define.
In this program, we'll create a Network Security Group using Azure's native provider,
azure-native
. We'll define rules that only allow access to a designated port, which in this scenario, could be the port your AI inference API is listening on.Here's how you might set up a Network Security Group in Azure with controlled inbound access using Pulumi and Python:
-
Import the necessary modules: We'll need to import Pulumi, specifically the
pulumi
module for core Pulumi functions andpulumi_azure_native
for Azure-specific resources. -
Create a Resource Group: Before creating a Network Security Group, we must have a Resource Group, which is a container that holds related resources in Azure.
-
Create a Network Security Group (NSG): Here, we define our NSG and set up the security rules.
-
Set up Security Rules: We will define the inbound and outbound rules for our NSG. For inbound rules, you can limit access to specific source IP addresses or ranges (
source_address_prefix
), ports (destination_port_ranges
), and protocols (protocol
). -
Deploy the Network Security Group: Finally, we run the Pulumi program to deploy the NSG in your Azure subscription.
Here is how you could set it up:
import pulumi import pulumi_azure_native as azure_native # Create an Azure Resource Group resource_group = azure_native.resources.ResourceGroup("ai-inference-rg") # Create an Azure Network Security Group network_security_group = azure_native.network.NetworkSecurityGroup( "ai-inference-nsg", resource_group_name=resource_group.name, location=resource_group.location, security_rules=[ # Allow inbound traffic on port 8080 from a specific source IP range { "name": "ALLOW-8080", "properties": { "priority": 100, "protocol": "Tcp", "access": "Allow", "direction": "Inbound", "source_address_prefix": "YOUR_TRUSTED_IP_RANGE", # Replace with your trusted IP range "source_port_range": "*", "destination_port_range": "8080", "destination_address_prefix": "*" } }, # Deny all other inbound traffic by default { "name": "DENY-ALL-INBOUND", "properties": { "priority": 4096, "protocol": "*", "access": "Deny", "direction": "Inbound", "source_address_prefix": "*", "source_port_range": "*", "destination_port_range": "*", "destination_address_prefix": "*" } } ] ) # Export the Network Security Group ID pulumi.export("nsg_id", network_security_group.id)
Why Use NSGs?
Using NSGs is critical to protect your cloud-based AI APIs from unauthorized access, securing the data and resources from potential threats. It acts by filtering the network traffic based on rules you specify. In the above program, we added a security rule that only allows inbound traffic on port 8080 from a designated IP range, which should correspond to the entities that you trust to access your AI inference API. All other inbound access is denied by default, hence securing your API from unwanted access.
After defining your NSG, you can associate this group with your service's networking settings where your AI APIs reside.
The final step is to run
pulumi up
to deploy these resources to your Azure subscription. When you execute this command, Pulumi's automation engine will provision the resources as per your code. Thepulumi.export
line will provide the NSG ID as output after deployment, which can be helpful for further configurations or reference.-