Implement Network Security

 






About

Network security plays a crucial role in preventing unauthorized individuals from accessing the services you aim to protect. Restricting what users can see is always a smart strategy, because they cannot jeopardize what they cannot observe.

Apply network access restrictions

By default, all networks can access Azure AI services. Certain individual resources within AI services (like Azure AI Face service, Azure AI Vision, and others) can be set up to limit access to designated network addresses, whether those are public Internet addresses or addresses within virtual networks.

When network restrictions are in place, a client attempting to connect from an unauthorized IP address will encounter an Access Denied error.
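The check below is an added example, not code from the original post or from Microsoft: it audits a resource's network rules for the open default described above and tests whether a given client IP would pass the IP rules. The sample resource is constructed, and its field names assume the ARM networkAcls property shape (defaultAction, ipRules, virtualNetworkRules); the function names and the 256-address threshold are hypothetical.

```python
import ipaddress
import json

# Constructed sample: the networkAcls portion of an Azure AI services
# resource definition (assumed to follow the ARM networkAcls property shape).
SAMPLE_RESOURCE = json.loads("""
{
  "name": "example-ai-services",
  "properties": {
    "networkAcls": {
      "defaultAction": "Deny",
      "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7"}],
      "virtualNetworkRules": []
    }
  }
}
""")

def audit_network_acls(resource, max_addresses=256):
    """Return a list of findings for a resource's network rules."""
    acls = resource.get("properties", {}).get("networkAcls") or {}
    findings = []
    # A missing rule set or defaultAction "Allow" means all networks can connect.
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is not Deny: all networks are allowed")
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.num_addresses > max_addresses:
            findings.append(f"ipRule {rule['value']} allows {net.num_addresses} addresses")
    if acls.get("defaultAction") == "Deny" and not (
            acls.get("ipRules") or acls.get("virtualNetworkRules")):
        findings.append("Deny with no IP or virtual network rules configured")
    return findings

def ip_is_allowed(resource, client_ip):
    """True if client_ip passes the IP rules (VNet rules are not evaluated here)."""
    acls = resource.get("properties", {}).get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") != "Deny":
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", []))

if __name__ == "__main__":
    print(audit_network_acls(SAMPLE_RESOURCE) or "no findings")
    for ip in ("203.0.113.42", "198.51.100.7", "192.0.2.10"):
        print(ip, "allowed" if ip_is_allowed(SAMPLE_RESOURCE, ip) else "Access Denied")
```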

Secure Key Access with Azure Key Vault

You can create apps that use Azure AI services by authenticating with a key, but this means the application code must be able to obtain the key. One option is to keep the key in a configuration file or environment variable where the application is deployed, but this exposes the key to unauthorized access. When building apps on Azure, it is preferable to store the key securely in Azure Key Vault and grant access to it via a managed identity, or a user account that the application uses.

Create a key vault and add a secret

  • First, you need to create a key vault and add a secret for the Azure AI services key.

  • Make a note of the key1 value for your Azure AI services resource (or copy it to the clipboard).

  • In the Azure portal, on the Home page, select the Create a resource button, search for Key Vault.

  • Create a Key Vault resource.

  • Open the Access configuration tab.

  • Scroll down to Access policies section and select your user using the checkbox on the left.

  • Wait for deployment to complete and then go to your key vault resource.

  • In the left navigation pane, select Secrets (in the Objects section).

  • Select + Generate/Import and add a new secret.

  • Select Create.

Create a service principal

To access the secret in the key vault, your application must use a service principal that has access to the secret. You will use the Azure command line interface (CLI) to create the service principal, find its object ID, and grant access to the secret in Azure Key Vault.

  • Run the Azure CLI command, replacing <spName> with a unique, suitable name for an application identity. Also replace <subscriptionId> and <resourceGroup> with the correct values for your subscription ID and the resource group containing your Azure AI services and key vault resources. The output of this command will include information about your new service principal.

  • To get the object ID of your service principal, run the Azure CLI command, replacing <appId> with the value of your service principal's app ID.

  • Copy the id value in the JSON returned in response.

  • To assign permission for your new service principal to access secrets in your Key Vault, run the Azure CLI command, replacing the key vault name placeholder with the name of your Azure Key Vault resource and <objectId> with the value of your service principal's ID value you've just copied.

Use the service principal in an application

Now you're ready to use the service principal identity in an application, so it can access the secret Azure AI services key in your key vault and use it to connect to your Azure AI services resource.

  • In your terminal, switch to the C-Sharp or Python folder depending on your language preference by running cd C-Sharp or cd Python. Then run cd keyvault_client to navigate to the app folder.

  • Install the packages you will need to use for Azure Key Vault and the Text Analytics API in your Azure AI services resource by running the appropriate command for your language preference.

  • View the contents of the keyvault-client folder, and note that it contains a file for configuration settings.

  • Note that the keyvault-client folder contains a code file for the client application.

  • Enter the command to run the program.

  • When prompted, enter some text and review the language that is detected by the service.

  • When you have finished testing the application, enter "quit" to stop the program.

Clean Up Resources

If you're not using the Azure resources, you can delete them to avoid incurring further charges:

  • Open the Azure portal at https://portal.azure.com, and in the top search bar, search for the resources you created.

  • On the resource page, select Delete and follow the instructions to delete the resource. Alternatively, you can delete the entire resource group to clean up all resources at the same time.

Conclusion

We have successfully learnt about the network access restrictions and secured key access.

 

 

 



