Azure OpenAI Landing Zone reference architecture
Published Jul 24 2023 08:51 AM 146K Views
Microsoft

Azure Landing Zones provide a solid foundation for your cloud environment. When deploying complex AI services such as Azure OpenAI, using a Landing Zone approach helps you manage your resources in a structured, consistent manner, ensuring governance, compliance, and security are properly maintained.

 

In this article, we delve into the synergy of Azure Landing Zones and Azure OpenAI Service, building a secure and scalable AI environment. unpacking the Azure OpenAI Landing Zone architecture, which integrates numerous Azure services for optimal AI workloads. Furthermore we will also explore  security measures and the significance of monitoring for operational success. 

 

Introduction to Azure OpenAI Service

 

Azure OpenAI Service is a managed AI service that enables you to deploy and manage AI models based on OpenAI technologies such as GPT-4. This service is integrated with Azure Machine Learning, allowing you to build, train, and deploy AI models with the scalability, security, and efficiency of Azure. In addition, Azure OpenAI provides flexible pricing options, making it cost-effective for various use cases.

Azure OpenAI Service integrates seamlessly with other Azure services giving you the flexibility to build and deploy complex AI applications with ease.

 

Reference Architecture

 

AIArchitecture.png

 

 

The Azure OpenAI Landing Zone is a reference architecture that integrates a variety of services to create a seamless infrastructure for running OpenAI workloads.

 

  • Azure API Management (APIM)
    • Provides a unified API gateway for existing back-end services and APIs. It is used in the Landing Zone for managing and securing APIs used by OpenAI applications. APIM can be configured with an Application Gateway as a Web Application Firewall (WAF) to further enhance security. The WAF protects APIs from common web-based attacks like SQL injection or Cross-Site Scripting (XSS) and can be customized to suit specific needs.
    • Using APIM you can manage and implement policies such as rate throttling and quotas.
  • Azure Web Apps
    • Provides a fully managed platform for building and hosting web applications. It is used for hosting in a simple way web applications that consume OpenAI services in the Landing Zone.
  • Azure AI services
    • Offers AI services such as Azure Semantic Search that can be easily integrated into intelligent applications. OpenAI services, being part of Azure AI services, leverage this to deliver advanced language models.
  • Azure Managed Identities
    • Provides an identity for applications to use when connecting to resources. In the Landing Zone, it allows OpenAI applications to authenticate to any Azure service that supports Azure Active Directory authentication.
    • OpenAI supports Azure Active Directory (Azure AD) authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to Azure AI services resources using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.
  • Azure Application Gateway
    • An Application Gateway can function as a Web Application Firewall (WAF) providing protection against common web-based attacks. The WAF is configured with a custom set of rules that match the requirements of your OpenAI Applicartion to ensure only authorized access.
  • Azure Private DNS Zones
    • This service provides name resolution for VMs within a VNet and between VNets. This is important for efficient communication between services in Azure.
  • Azure Private DNS Resolver
    • In combination with Private DNS Zones, the Azure Private DNS Resolver helps ensure that name resolution for resources in your virtual network is secure and private. This service forwards DNS queries for specific domains to your own DNS servers, enhancing control over DNS results.

The Azure OpenAI Landing Zone integrates all these services to provide a secure and efficient environment for deploying and running OpenAI workloads. This architecture is designed to be scalable, resilient, and customizable to suit the unique needs of your applications.

 

Network and Security

 

Azure provides a robust set of networking and security features that can be used to secure your OpenAI workloads.

 

  • Azure Key Vault
    • This service safeguards cryptographic keys and secrets used by cloud applications and services. In this architecture, Key Vault stores secrets and keys for the OpenAI service, adding an extra layer of security for sensitive data.
  • Azure Virtual Network (VNet)
    • Azure Virtual Network enables you to securely connect Azure resources to each other with virtual networks (VNets). A VNet is a representation of your own network in the cloud and you can also connect VNets to your on-premises network.
  • Azure Private Endpoints
    • Provides secure, private IP address access over a Virtual Network. This is used in the Landing Zone to ensure secure and private connectivity to Azure OpenAI services.
  • Azure Private Link
    • Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.
  • Azure Network Security Groups (NSGs)
    • Network Security Groups (NSGs) are one way to control access and secure your resources in Azure. NSGs act as a firewall, allowing you to define a list of security rules that can allow or deny network traffic to resources.
  • Azure Application Gateway and Web Application Firewall
    • Azure Application Gateway is a load balancer that enables you to manage traffic to your web applications. The Web Application Firewall (WAF) feature protects your web applications from common web-based attacks like SQL injection and cross-site scripting. The WAF comes pre-configured with protection from many common attacks, but can be customized based on your application's traffic patterns.
  • Azure AI services and Network Security
    • Azure AI services provides a layered security model. This model enables you to secure your AI services accounts to a specific subset of networks. When network rules are configured, only applications requesting data over the specified set of networks can access the account. You can limit access to your resources with request filtering, allowing only requests originating from specified IP addresses, IP ranges or from a list of subnets in Azure Virtual Networks.

 

Monitoring Azure OpenAI Service

 

When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation.

 

Azure OpenAI Service collects the same kinds of monitoring data as other Azure resources. Platform metrics and the Activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.

 

Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. In the context of Azure Open AI you can proactively analyze and monitor metrics such as Blocked Calls, client errors and others.

 

Conclusion

 

In conclusion, this article offers a brief exploration of how Azure Landing Zones and Azure OpenAI Service work together, providing a strong foundation for creating secure and scalable AI applications. It digs deep into the details of the Azure OpenAI Landing Zone reference architecture, highlighting how it blends various Azure services to enhance and streamline OpenAI tasks.

 

The discussion extends to key features of Azure's strong network and security offerings, including Azure Virtual Network, Private Link, and Network Security Groups. These elements play an essential role in protecting your OpenAI projects.

 

Finally, the combination of Azure Landing Zones and Azure OpenAI Service offers a powerful toolkit, making it easier to build, deploy, and manage AI applications. With Azure Landing Zones, you can rest assured that your Azure OpenAI deployments are set up for success, fulfilling your needs for governance, compliance, and security.

18 Comments
Version history
Last update:
‎Aug 04 2023 11:17 AM
Updated by: