Can I redirect Azure AI Vision endpoint privately through Application Gateway

Sanjay Singh 40 Reputation points
2024-01-02T06:18:50.21+00:00

Hi Microsoft,

Can you please confirm whether the Azure AI Vision endpoint can be exposed externally through Application Gateway to add a security layer?

We have one requirement where the AI Vision endpoint is exposed privately/securely to the outer world.

The services below are planned for this solution:

1) Azure AI Vision Service

2) Application Gateway + WAF2

3) API to extract data from AWS database


1 answer

  1. Priya Kumar 1,096 Reputation points Microsoft Employee
    2024-01-02T07:46:12.5433333+00:00

    Hello @Sanjay Singh ,

    Thanks for reaching out to Microsoft Q and A platform.

    Please find the details regarding the query you have raised.

    2.      Coming to the query, you need to use the AI Vision service and an API to extract the data from the AWS database, and with the same make use of Application Gateway.

    3.      Application Gateway:

    Backends supported by the application gateway: Application gateway components | Microsoft Learn

    ·       NICs

    ·       Virtual machine scale sets

    ·       Public IP addresses

    ·       Internal IP addresses

    ·       FQDN

    ·       Multitenant backends (such as App Service)

    4.      So, we can’t add Azure AI vision service directly as a backend pool, but you could add a FQDN which is the Endpoint of the “Custom Vision”.

    5.      But here the issue is that, you visualize the “Custom Vision” resource created via https://www.customvision.ai/ which would indeed make use of the resource created.

    6.      Layering of the Application Gateway for this scenario has not been documented. But if you are worried about the security of the AI vision endpoint, please do consider the below option:

    Virtual networks: Virtual networks allow you to specify which endpoints can make API calls to your resource. The Azure service will reject API calls from devices outside of your network. You can set a formula-based definition of the allowed network, or you can define an exhaustive list of endpoints to allow. This is another layer of security that can be used in combination with others.

     

    7.      Document:

    https://video2.skills-academy.com/en-us/azure/ai-services/security-features#security-features

    Configure Virtual Networks for Azure AI services - Azure AI services | Microsoft Learn

     

    So, since the visualization is done via the https://www.customvision.ai/ project, at this time I am not seeing any ready architecture which would make all the calls go via the Application Gateway. I would encourage you to re-analyze the requirement.

     

    Current flow is: https://www.customvision.ai/ → Having a project with the “Custom View” → which would make the API calls to get the details to visualize form.

     

    ANSWER: Privately you could achieve this scenario by using “Private Endpoint” or “Service Endpoint”, without the use of “Application Gateway”.

    https://video2.skills-academy.com/en-us/azure/ai-services/cognitive-services-virtual-networks?tabs=portal#use-private-endpoints

     

    Please do let me know if my understanding of your requirement is wrong. I would love to help you with more details.

     

    Regards,

    Priya Kumar
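
To check that the virtual network and private endpoint settings recommended in the answer above are actually in force, the following added example (not part of the original thread or of any Microsoft tooling) audits the network properties of an AI services account as printed by `az cognitiveservices account show`. The sample accounts, the finding labels and the `min_prefix` threshold are constructed assumptions.

```python
import ipaddress

# Constructed samples in the shape `az cognitiveservices account show` prints,
# trimmed to network properties. Names, IDs and addresses are placeholders.
OPEN_ACCOUNT = {"name": "vision-open", "properties": {"publicNetworkAccess": "Enabled"}}
LOCKED_ACCOUNT = {
    "name": "vision-locked",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "defaultAction": "Deny",
            "ipRules": [{"value": "203.0.113.10"}, {"value": "198.51.100.0/16"}],
            "virtualNetworkRules": [{"id": "/subscriptions/<sub-id>/.../subnets/app"}],
        },
        "privateEndpointConnections": [
            {"properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}
        ],
    },
}


def audit_network_exposure(account, min_prefix=24):
    """Return findings for one account; min_prefix is an assumed local policy."""
    props = account.get("properties", {})
    acls = props.get("networkAcls") or {}
    findings = []
    public = props.get("publicNetworkAccess", "Enabled") == "Enabled"
    # With no networkAcls, or defaultAction Allow, every network can call the endpoint.
    if public and acls.get("defaultAction", "Allow") != "Deny":
        findings.append("default-allow: reachable from any network")
    if public:
        # Flag allow-list entries wider than the assumed policy permits.
        for rule in acls.get("ipRules") or []:
            net = ipaddress.ip_network(rule["value"], strict=False)
            if net.prefixlen < min_prefix:
                findings.append(f"broad-ip-rule: {net}")
    # A private endpoint carries traffic only once its connection is approved.
    for conn in props.get("privateEndpointConnections") or []:
        state = conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
        if state.get("status") != "Approved":
            findings.append(f"private-endpoint-not-approved: {state.get('status')}")
    if not public and not props.get("privateEndpointConnections"):
        findings.append("unreachable: public access disabled and no private endpoint")
    return findings


if __name__ == "__main__":
    for acct in (OPEN_ACCOUNT, LOCKED_ACCOUNT):
        print(acct["name"], audit_network_exposure(acct) or "ok")
```

An empty result means the account is reachable only from allow-listed networks or through an approved private endpoint.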