Add pipeline for firewall to Azure ML (microsoft#2479)
marrobi authored Aug 30, 2022
1 parent ff38915 commit ae16e81
Showing 10 changed files with 370 additions and 157 deletions.
2 changes: 1 addition & 1 deletion api_app/_version.py
@@ -1 +1 @@
__version__ = "0.4.22"
__version__ = "0.4.23"
2 changes: 1 addition & 1 deletion api_app/service_bus/substitutions.py
@@ -64,7 +64,7 @@ def recurse_object(obj: dict, primary_resource_dict: dict) -> dict:
else:
obj[prop][i] = substitute_value(obj[prop][i], primary_resource_dict)
if isinstance(obj[prop], dict):
obj[prop] = recurse_object(obj[prop])
obj[prop] = recurse_object(obj[prop], primary_resource_dict)
else:
obj[prop] = substitute_value(obj[prop], primary_resource_dict)
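Review bot: The nested-dict branch of `recurse_object` could only raise a TypeError with the one-argument call, since the signature in the hunk header takes two parameters, which suggests no test walked a dict nested inside a dict property. Unless one of the commit's other files already adds it, a unit test whose input holds a nested object containing a `{{ resource.id }}`-style token would pin this, and it matters now that the firewall pipeline steps put their rules inside a nested `value` object. The function also assigns into `obj` while returning it, so a short comment such as `# mutates obj in place and returns it` would make that explicit for callers. The body of `recurse_object` starts and ends outside this hunk.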

16 changes: 15 additions & 1 deletion templates/workspace_services/azureml/porter.yaml
@@ -1,6 +1,6 @@
---
name: tre-service-azureml
version: 0.4.3
version: 0.4.4
description: "An Azure TRE service for Azure Machine Learning"
registry: azuretre
dockerfile: Dockerfile.tmpl
@@ -64,6 +64,16 @@ outputs:
applyTo:
- install
- upgrade
- name: workspace_services_subnet_address_prefix
type: string
applyTo:
- install
- upgrade
- name: storage_tag
type: string
applyTo:
- install
- upgrade

mixins:
- terraform:
@@ -92,6 +102,8 @@ install:
- name: azureml_acr_id
- name: azureml_storage_account_id
- name: connection_uri
- name: workspace_services_subnet_address_prefix
- name: storage_tag

upgrade:
- terraform:
@@ -116,6 +128,8 @@ upgrade:
- name: azureml_acr_id
- name: azureml_storage_account_id
- name: connection_uri
- name: workspace_services_subnet_address_prefix
- name: storage_tag

uninstall:
- terraform:
298 changes: 290 additions & 8 deletions templates/workspace_services/azureml/template_schema.json
@@ -1,11 +1,293 @@
{
"$schema": "http://json-schema.org/draft-07/schema",
"$id": "https://github.com/microsoft/AzureTRE/templates/workspace_services/azureml/template_schema.json",
"type": "object",
"title": "Azure Machine Learning",
"description": "Installs Azure Machine Learning. Please be aware this template opens up additional firewall rules to enable Azure ML to function.",
"required": [
"$schema": "http://json-schema.org/draft-07/schema",
"$id": "https://github.com/microsoft/AzureTRE/templates/workspace_services/azureml/template_schema.json",
"type": "object",
"title": "Azure Machine Learning",
"description": "Installs Azure Machine Learning. Please be aware this template opens up additional firewall rules to enable Azure ML to function.",
"required": [],
"properties": {},
"pipeline": {
"install": [
{
"stepId": "main"
},
{
"stepId": "260421b3-7308-491f-b531-e007cdc0ff46",
"stepTitle": "Add network firewall rules for azureml",
"resourceTemplateName": "tre-shared-service-firewall",
"resourceType": "shared-service",
"resourceAction": "upgrade",
"properties": [
{
"name": "network_rule_collections",
"type": "array",
"arraySubstitutionAction": "replace",
"arrayMatchField": "name",
"value": {
"name": "nrc_svc_{{ resource.id }}_azureml",
"action": "Allow",
"rules": [
{
"name": "AzureMachineLearning",
"description": "Azure Machine Learning rules",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"destination_addresses": [
"AzureMachineLearning"
],
"destination_ports": [
"443",
"8787",
"18881"
],
"protocols": [
"TCP"
]
},
{
"name": "AzureActiveDirectory",
"description": "Azure Active Directory",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"destination_addresses": [
"AzureActiveDirectory"
],
"destination_ports": [
"443",
"80"
],
"protocols": [
"TCP"
]
},
{
"name": "AzureML_Dependancies",
"description": "AzureML Dependancies",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"destination_addresses": [
"AzureActiveDirectory",
"AzureResourceManager",
"MicrosoftContainerRegistry"
],
"destination_ports": [
"443"
],
"protocols": [
"TCP"
]
},
{
"name": "AzureML_Storage",
"description": "AzureML Storage",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"destination_addresses": [
"{{ resource.properties.storage_tag }}"
],
"destination_ports": [
"443",
"445"
],
"protocols": [
"TCP"
]
}
]
}
},
{
"name": "rule_collections",
"type": "array",
"arraySubstitutionAction": "replace",
"arrayMatchField": "name",
"value": {
"name": "arc_svc_{{ resource.id }}_azureml",
"action": "Allow",
"rules": [
{
"name": "AzureML",
"description": "AzureML rules",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"target_fqdns": [
"aadcdn.msftauth.net",
"ml.azure.com"
],
"protocols": [
{
"port": "443",
"type": "Https"
}
]
}
]
}
}
]
}
],
"properties": {
}
"upgrade": [
{
"stepId": "main"
},
{
"stepId": "260421b3-7308-491f-b531-e007cdc0ff47",
"stepTitle": "Add network firewall rules for azureml",
"resourceTemplateName": "tre-shared-service-firewall",
"resourceType": "shared-service",
"resourceAction": "upgrade",
"properties": [
{
"name": "network_rule_collections",
"type": "array",
"arraySubstitutionAction": "replace",
"arrayMatchField": "name",
"value": {
"name": "nrc_svc_{{ resource.id }}_azureml",
"action": "Allow",
"rules": [
{
"name": "AzureMachineLearning",
"description": "Azure Machine Learning rules",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"destination_addresses": [
"AzureMachineLearning"
],
"destination_ports": [
"443",
"8787",
"18881"
],
"protocols": [
"TCP"
]
},
{
"name": "AzureActiveDirectory",
"description": "Azure Active Directory",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"destination_addresses": [
"AzureActiveDirectory"
],
"destination_ports": [
"443",
"80"
],
"protocols": [
"TCP"
]
},
{
"name": "AzureML_Dependancies",
"description": "AzureML Dependancies",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"destination_addresses": [
"AzureActiveDirectory",
"AzureResourceManager",
"MicrosoftContainerRegistry"
],
"destination_ports": [
"443"
],
"protocols": [
"TCP"
]
},
{
"name": "AzureML_Storage",
"description": "AzureML Storage",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"destination_addresses": [
"{{ resource.properties.storage_tag }}"
],
"destination_ports": [
"443",
"445"
],
"protocols": [
"TCP"
]
}
]
}
},
{
"name": "rule_collections",
"type": "array",
"arraySubstitutionAction": "replace",
"arrayMatchField": "name",
"value": {
"name": "arc_svc_{{ resource.id }}_azureml",
"action": "Allow",
"rules": [
{
"name": "AzureML",
"description": "AzureML rules",
"source_addresses": [
"{{ resource.properties.workspace_services_subnet_address_prefix }}"
],
"target_fqdns": [
"aadcdn.msftauth.net",
"ml.azure.com"
],
"protocols": [
{
"port": "443",
"type": "Https"
}
]
}
]
}
}
]
}
],
"uninstall": [
{
"stepId": "260421b3-7308-491f-b531-e007cdc0ff48",
"stepTitle": "Add network firewall rules for azureml",
"resourceTemplateName": "tre-shared-service-firewall",
"resourceType": "shared-service",
"resourceAction": "upgrade",
"properties": [
{
"name": "network_rule_collections",
"type": "array",
"arraySubstitutionAction": "remove",
"arrayMatchField": "name",
"value": {
"name": "nrc_svc_{{ resource.id }}_azureml"
}
},
{
"name": "rule_collections",
"type": "array",
"arraySubstitutionAction": "remove",
"arrayMatchField": "name",
"value": {
"name": "arc_svc_{{ resource.id }}_azureml"
}
}
]
},
{
"stepId": "main"
}
]
}
}
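Review bot: The `AzureML_Storage` rule in both the install and upgrade steps allows TCP 443 and 445 from the workspace services subnet to whatever `{{ resource.properties.storage_tag }}` resolves to, and a storage service tag covers every storage account in its scope rather than only the one this service deploys, which in a research environment is a data egress path. The tag value comes from a Terraform output that is not shown on this page, so confirm it is at least region-scoped and consider pairing the rule with a service endpoint policy or private endpoints. The `AzureActiveDirectory` rule also opens port 80; if nothing needs plaintext HTTP, `"destination_ports": ["443"]` is enough. Separately, the uninstall step removes both collections but is still titled "Add network firewall rules for azureml"; `"stepTitle": "Remove network firewall rules for azureml"` would match what it does.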