Encrypted Model Serving Endpoints with Alicloud CAS

Question

Pulumi · Accepted Answer

To create encrypted model serving endpoints using Alicloud, we need to do the following:

1. **Create a Model Serving Endpoint in Databricks**: By leveraging the `databricks.ModelServing` resource, we can set up a model serving endpoint, which is where the machine learning models are hosted for prediction requests.

2. **Use Alicloud CAS for Certificates**: We'll use Alibaba Cloud Certificate Authority Service (CAS) to obtain an SSL/TLS certificate to encrypt the data transfer.

3. **Configure an Application Load Balancer (ALB)**: We can use `alicloud.alb` to set up an ALB listener and enforce encryption by binding the SSL certificate from CAS to it, ensuring secure communications.

Below is a Pulumi program in Python that sets up an encrypted model serving endpoint using the resources mentioned above. Note that some details regarding data like names, the Databricks model information, and the specific configurations for the ALB will need to be filled in according to your specific use case.

```python
import pulumi
import pulumi_databricks as databricks
import pulumi_alicloud as alicloud

# Create a Databricks Model Serving endpoint
# Detailed documentation here: https://www.pulumi.com/registry/packages/databricks/api-docs/modelserving/
model_serving = databricks.ModelServing("model-serving",
    name="my-model-serving-endpoint",
    config=databricks.ModelServingConfigArgs(
        served_models=[databricks.ModelServingConfigServedModelArgs(
            modelName="my-model",
            modelVersion="1",
            workloadSize="medium",
            environmentVars={"MY_ENV_VAR": "my-value"},
        )],
        traffic_config=databricks.ModelServingConfigTrafficConfigArgs(
            routes=[databricks.ModelServingConfigTrafficConfigRouteArgs(
                servedModelName="my-model",
                trafficPercentage=100,
            )],
        ),
    )
)

# Create an ECS Disk encrypted with Server-Side Encryption (as an example, here it's not directly related to model serving)
# Considering you may need persistent storage, with sensitive data, encrypted via KMS.
# Detailed documentation here: https://www.pulumi.com/registry/packages/alicloud/api-docs/ecs/ecsdisk/
ecs_disk = alicloud.ecs.EcsDisk("ecs-disk",
    size=20,
    zoneId="your-zone-id",
    diskName="my-encrypted-disk",
    kmsKeyId="your-kms-key-id",
    encrypted=True,
    deleteWithInstance=True,
    enableAutoSnapshot=True
)

# Obtain a certificate from Alicloud Certificate Authority Service (CAS) for encryption
# Detailed documentation here: https://www.pulumi.com/registry/packages/alicloud/api-docs/cas/servicecertificate/
cas_certificate = alicloud.cas.ServiceCertificate("cas-certificate",
    cert="your-certificate-content",
    key="your-private-key-content",
    certificateName="my-certificate"
)

# Setting up an ALB and listener for the model serving endpoint with an additional certificate for encryption
# Detailed documentation here: https://www.pulumi.com/registry/packages/alicloud/api-docs/alb/listeneradditionalcertificateattachment/
alb = alicloud.alb.LoadBalancer("alb",
    spec="small",
    address_type="internet"
)

# Ensure to properly configure the listener with the correct port and protocol for your use case.
listener = alicloud.alb.Listener("listener",
    load_balancer_id=alb.id,
    protocol="HTTPS",
    frontend_port=443,
    default_action=alicloud.alb.ListenerDefaultActionArgs(
        type="Forward",
        target_group_id="your-target-group-id"
    ),
    certificate_ids=[cas_certificate.id]
)

# Export the URL of the model serving endpoint
pulumi.export("model_serving_endpoint_url", model_serving.url)
```

This program sets up an endpoint for serving machine learning models securely. It involves creating a Databricks ModelServing instance to serve the model, encrypting an ECS disk for persistent storage purposes (optional and based on need for storing data), and using Alicloud's Certificate Service to create an SSL certificate which is then applied to an Application Load Balancer. This ensures that all traffic to and from your model serving endpoint is encrypted.

Replace the placeholder content (`"your-value"`, `"your-zone-id"`, `"your-kms-key-id"`, `"your-certificate-content"`, `"your-private-key-content"`, `"your-target-group-id"`) with the actual values appropriate for your infrastructure requirement. Also ensure that the configurations, such as ports and protocols, align with your application's requirements.