(4.3) Azure AI Services — Security
This is part of a series of articles called Azure Challenges. You can refer to the Intro Page to understand more about how the challenges work.
As usual…
Before we start there are some important clarification points:
(1) Troubleshooting is IMPORTANT — It is important for you to practise searching for error messages and their solutions, and finding bugs in your code, environment, IDE, etc.
(2) The code IS JUST code — There are several ways to write code and different languages. The examples here are just one way to do it.
(3) This IS NOT a prep course — The main goal here is to show the practical application of Azure Resources with a focus on Enterprise AI solutions.
(4) You won’t be graded on the challenges, but they are an important practical component of your learning experience.
(5) Make sure you are using a FREE student account and check your costs!
TIP OF THE DAY!!!
IN THIS CHALLENGE:
- Security Intro
- Network
- RBAC and LOCKS
- Azure Policies
- Application Registration
- Landing Zone
Security Intro
Networking
Choose one of your resources
Select Networking and then Generate Custom Domain Name
Fill out the info with the Custom Domain Name:
Now you can check the change.
RBAC and Locks
The following diagram shows a suggested pattern for using Azure RBAC.
Only grant the access users need
Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.
When planning your access control strategy, it’s a best practice to grant users the least privilege to get their work done. Avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so. When creating custom roles, only include the permissions users need. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised.
Choose one of your resources and select Identity.
You can assign users.
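The least-privilege pattern described above, scripted with Azure PowerShell as an added example (not part of the original article): the role is granted on one Azure AI Services account only, with a built-in data-plane role rather than Contributor, and the assignments that apply at that scope are then reviewed. The subscription, resource group, account and user names are placeholders you replace; the Az.Resources module and a prior Connect-AzAccount are assumed.

```powershell
# Added example: least-privilege role assignment on a single AI Services account.
# Assumed: Az.Resources installed, Connect-AzAccount done, placeholders replaced.
$subscriptionId = '<your-subscription-id>'
$resourceGroup  = '<your-resource-group>'
$accountName    = '<your-ai-services-account>'
$userUpn        = 'student@example.com'     # hypothetical user

# Scope is the single resource, not the subscription or the resource group.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.CognitiveServices/accounts/$accountName"

# 'Cognitive Services User' lets the principal call the endpoint and read keys;
# unlike Contributor it cannot change the resource, its keys or its network settings.
New-AzRoleAssignment -SignInName $userUpn `
                     -RoleDefinitionName 'Cognitive Services User' `
                     -Scope $scope

# Review everything that applies at this scope, inherited assignments included.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Sort-Object Scope

# Flag broad roles that reach this resource from a wider scope; these are the
# assignments that widen the blast radius if that principal is ever compromised.
$broad = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor' -and $_.Scope -ne $scope }
if ($broad) {
    Write-Warning 'Broad roles inherited from a wider scope:'
    $broad | Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize
}
```

Run the review part on its own against an existing resource before changing anything: the list shows which roles come from the subscription or resource group level, which is usually where the over-broad grants the text warns about live.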
Locks
Choose one of your resources and select the option Locks.
You can add the Lock to your resource.
Locks can be:
(1) Read-Only — Cannot be deleted and cannot be updated.
(2) Delete — Cannot be deleted but can be updated.
If you try to delete it…
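The same lock created from Azure PowerShell, as an added example that is not from the original article: it applies a Delete lock (the API name is CanNotDelete) to an AI Services account, shows that a delete attempt is refused regardless of the caller's RBAC role, and lists the locks so that a removed lock is noticed. Resource group and account names are placeholders; the Az.Resources module is assumed.

```powershell
# Added example: Delete lock on an AI Services account, verified by a refused delete.
# Assumed: Az.Resources installed, Connect-AzAccount done, placeholders replaced.
$resourceGroup = '<your-resource-group>'
$accountName   = '<your-ai-services-account>'
$resourceType  = 'Microsoft.CognitiveServices/accounts'

# LockLevel is 'CanNotDelete' (the portal's "Delete") or 'ReadOnly'.
New-AzResourceLock -LockName 'do-not-delete' `
                   -LockLevel CanNotDelete `
                   -LockNotes 'Challenge resource; remove the lock before deleting.' `
                   -ResourceGroupName $resourceGroup `
                   -ResourceName $accountName `
                   -ResourceType $resourceType `
                   -Force

# A delete now fails with a ScopeLocked error even for an Owner; the lock must be
# removed first, which is a separate, logged control-plane action.
try {
    Remove-AzResource -ResourceGroupName $resourceGroup `
                      -ResourceName $accountName `
                      -ResourceType $resourceType `
                      -Force -ErrorAction Stop
} catch {
    Write-Host "Delete refused as expected: $($_.Exception.Message)"
}

# Locks protect against mistakes, not against someone with permission to remove them:
# list them periodically and watch the activity log for Microsoft.Authorization/locks/delete.
Get-AzResourceLock -ResourceGroupName $resourceGroup |
    Select-Object Name, ResourceName, @{ n = 'Level'; e = { $_.Properties.level } }
```

Updating the account (for example changing its network settings) still succeeds under a Delete lock, which matches the description above; a ReadOnly lock would block that too and can also break operations that need a write, so it is worth testing on one resource first.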
Azure Policy
What is Azure Policy?
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.
All Azure Policy data and objects are encrypted at rest.
Go to the search bar and type Policy
You will see all the Policies implemented in your Subscription.
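Beyond the built-in policies shown in the portal, the following added example (not from the original article) defines a custom Audit policy that flags Azure AI Services (Cognitive Services) accounts still reachable from the public internet, which ties the Policy section back to the networking settings changed earlier. It assigns the policy to one resource group and reads the compliance results. The Az.Resources and Az.PolicyInsights modules are assumed, the names are placeholders, and the alias Microsoft.CognitiveServices/accounts/publicNetworkAccess is assumed to be available in your tenant (confirm it with Get-AzPolicyAlias before relying on it).

```powershell
# Added example: custom Audit policy for AI Services accounts with public network access.
# Assumed: Az.Resources + Az.PolicyInsights, Connect-AzAccount done, placeholders replaced.
$subscriptionId = '<your-subscription-id>'
$resourceGroup  = '<your-resource-group>'
$rgScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Check the assumed alias exists before defining the rule; an unknown alias makes
# the policy silently match nothing.
Get-AzPolicyAlias -NamespaceMatch 'Microsoft.CognitiveServices' |
    Select-Object -ExpandProperty Aliases |
    Where-Object { $_.Name -like '*publicNetworkAccess*' } |
    Select-Object Name

# Policy rule (Azure Policy JSON): Cognitive Services accounts whose publicNetworkAccess
# is not 'Disabled' are reported as non-compliant. Audit rather than Deny, so nothing
# breaks while the results are reviewed.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.CognitiveServices/accounts" },
      { "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess", "notEquals": "Disabled" }
    ]
  },
  "then": { "effect": "Audit" }
}
'@

$definition = New-AzPolicyDefinition -Name 'audit-ai-public-network' `
    -DisplayName 'Audit AI Services accounts with public network access' `
    -Policy $rule -Mode Indexed

New-AzPolicyAssignment -Name 'audit-ai-public-network-rg' `
    -PolicyDefinition $definition -Scope $rgScope

# Evaluation normally runs on a schedule; trigger a scan now, then list the offenders.
Start-AzPolicyComplianceScan -ResourceGroupName $resourceGroup
Get-AzPolicyState -ResourceGroupName $resourceGroup `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyDefinitionName eq 'audit-ai-public-network'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

Once the audit results look right, the same definition can be changed to a Deny effect so that new accounts cannot be created with public access enabled, which is the "automatic remediation for new resources" path the text mentions.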
Additional info:
More info about Azure Policy
Application Registration
What is App Registration?
Azure App Registrations are an easy and powerful way to configure authentication and authorization workflows for a variety of different client types.
Applications are added to Azure AD to leverage one or more of the services it provides, including:
(1) App authentication and authorization
(2) User authentication and authorization
(3) OAuth authorization services (used by Microsoft 365 and other Microsoft applications to authorize access to APIs and resources)
Select Azure Active Directory (Azure AD).
App registration
and then + New Registration
Add the application name:
Now you have all the app info.
Select Certificates & secrets
Add a new client secret
Add a secret description and an expiry date
Now you have a secret added.
Select API permissions…
and authorize the API…
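The registration steps above, scripted with Azure PowerShell as an added example that is not from the original article, with the parts the screenshots cannot show: a deliberately short secret lifetime, a service principal that is granted only a data-plane role on one AI Services account, and a check that reports credentials close to expiry so a rotation is not missed. Names are placeholders, and the Az.Resources module (v5 or later, which talks to Microsoft Graph) is assumed.

```powershell
# Added example: app registration with a short-lived secret, least-privilege role,
# and an expiry check. Assumed: Az.Resources v5+, Connect-AzAccount done, placeholders replaced.
$subscriptionId = '<your-subscription-id>'
$resourceGroup  = '<your-resource-group>'
$accountName    = '<your-ai-services-account>'
$appName        = 'challenge-ai-client'      # hypothetical application name

# Registration plus the service principal that actually receives role assignments.
$app = New-AzADApplication -DisplayName $appName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# Client secret valid for 90 days instead of the portal default. SecretText is returned
# once; put it in a secret store such as Key Vault, never in source control.
$cred   = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddDays(90)
$secret = $cred.SecretText

# Grant only the data-plane role, and only on the one account the app needs.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.CognitiveServices/accounts/$accountName"
# A freshly created service principal can take a few seconds to replicate; retry
# on PrincipalNotFound rather than widening the scope or the role.
$attempt = 0
do {
    $attempt++
    try {
        New-AzRoleAssignment -ObjectId $sp.Id `
                             -RoleDefinitionName 'Cognitive Services User' `
                             -Scope $scope -ErrorAction Stop
        break
    } catch {
        if ($attempt -ge 5) { throw }
        Start-Sleep -Seconds 10
    }
} while ($true)

# Defender's check: list credentials on the app that expire within the given window.
function Get-ExpiringAppSecret {
    param([string]$AppId, [int]$WithinDays = 30)
    Get-AzADAppCredential -ApplicationId $AppId |
        Where-Object { $_.EndDateTime -lt (Get-Date).AddDays($WithinDays) } |
        Select-Object KeyId, DisplayName, StartDateTime, EndDateTime
}

Get-ExpiringAppSecret -AppId $app.AppId -WithinDays 30
```

For code that runs inside Azure, the Identity blade mentioned earlier offers a managed identity, which removes the client secret entirely; the registration pattern above is for clients that run outside Azure and therefore still need a credential to rotate.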
More info about App Registration
Azure Landing Zone
An Azure landing zone is an environment that follows key design principles across eight design areas. These design principles accommodate all application portfolios and enable application migration, modernization, and innovation at scale. An Azure landing zone uses subscriptions to isolate and scale application resources and platform resources. Subscriptions for application resources are called application landing zones, and subscriptions for platform resources are called platform landing zones.
The following diagram shows the relationship between Microsoft Entra ID roles and Azure RBAC roles:
The architecture so far…
Next step (4.4) OCR | Text Analytics | Speech