Proposal: Lock Down Public Network Access for Cognitive Services Account

[aymenfurter]

Proposal: Lock Down Public Network Access for Cognitive Services Account

Current Resource Configuration:

resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
  tags: union(tags, { 'azd-service-name': name })
  kind: kind
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    customSubDomainName: name
  }
  sku: sku
}

Relevant Code Snippet:

From the AI Hub Gateway Solution Accelerator:

resource symbolicname 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: 'string'
  location: 'string'
  // other properties
  properties: {
    // implicitly enabled by not setting publicNetworkAccess to 'Disabled'
  }
}

Proposal:

To enhance security, I propose locking down the public network access (i.e., public endpoint) so that communication can exclusively flow through API Management.

Required Changes:

• Set publicNetworkAccess to Disabled
• Configure DNS and network settings appropriately

Benefits / Rationale:

Many customers prefer to minimize their public infrastructure footprint for security reasons. Implementing this change will help meet this requirement.

Documentation Reference: For more details, refer to the Microsoft Documentation.

Could this be considered for implementation? Many customers would appreciate this added security feature.

[mohamedsaif]

@aymenfurter Thanks for your feedback. It is very important indeed and currently being implemented and will be published with the next update of the gateway.

[aymenfurter]

(Work in progress) https://github.com/aymenfurter/ai-hub-gateway-solution-accelerator/commit/62c42bc7140ed773e7cc3e9fdf7590d30534f154

[mohamedsaif]

Thanks @aymenfurter for your contribution. With this PR, full networking implementation is completed.