Data Sources

Data sources available for use by the ICS community

Platforms

ICS supported platforms.

Teams

ICS Teams


Menu Button Menu Button

Resource Group: Hiccaps_RG

Overview

The Hiccaps_RG resource group is designed to deploy and manage a collection of Azure resources associated with the HiccapsWhisper application. The main purpose of this resource group is to provision a Cognitive Services account that contains AI capabilities powered by OpenAI, leveraging specific network settings and security configurations. The design allows for controlled access to the resources while maintaining efficient communication within the Azure ecosystem.

Resources

1. Cognitive Services Account

  • Type: Microsoft.CognitiveServices/accounts
  • Name: HiccapsWhisper
  • Location: northcentralus
  • Properties:
    • SKU: S0 (standard service tier).
    • Custom Sub-Domain Name: hiccapswhisper.
    • Public Network Access: Enabled, allowing access from the public internet.
    • Network ACLs:
      • Default Action: Deny.
      • IP Rules: [34.172.242.222] - this specific IP address is permitted to access the resources.
      • Virtual Network Rules: Includes two subnets from the wusm-prod-vnet-main virtual network, establishing controlled access to the other networked resources.

2. Virtual Network

  • Type: Microsoft.Network/virtualNetworks
  • Name: vnet01
  • Properties:
    • Address Space: 172.16.0.0/26 - providing 64 IP addresses for allocation.
    • Subnets:
      • Subnet Name: subnet-1
        • Address Prefix: 172.16.0.0/26.
        • Service Endpoints: Allows integration with Microsoft.CognitiveServices.
        • Private Link Service Network Policies: Enabled.

3. OpenAI Whisper Deployment

  • Type: Microsoft.CognitiveServices/accounts/deployments
  • Name: HiccapsWhisper/whisper
  • Properties:
    • SKU: Standard with a capacity of 2.
    • Model: OpenAI Whisper, version 001, designed for advanced audio transcription capabilities.

4. Defender for AI Settings

  • Type: Microsoft.CognitiveServices/accounts/defenderForAISettings
  • Name: HiccapsWhisper/Default
  • Depends On: The main Cognitive Services account named HiccapsWhisper.
  • Properties:
    • State: Disabled (this can be customized based on security requirements).

5. AI Content Filtering Policies

  • Multiple entries for content filtering policies indicate protective measures against harmful content:
    • Type: Microsoft.CognitiveServices/accounts/raiPolicies
    • Names: HiccapsWhisper/Microsoft.Default, HiccapsWhisper/Microsoft.DefaultV2, and HiccapsWhisper/Microsoft.Nil.

Each policy includes:

  • Blocking Mode: Active blocking for specified content categories (e.g., Hate, Sexual, Violence) across various sources (Prompt and Completion).
  • High Severity Levels: Policies like HiccapsWhisper/Microsoft.Nil have non-blocking rules but flag high-risk items, which may require careful monitoring.

Data Storage

Data is primarily handled within the Cognitive Services account, which utilizes Azure's built-in capabilities for processing and generating insights from unstructured data (like audio and text). While there are no explicit storage accounts mentioned in the template, the storage for processed data, configurations, and model deployments will typically occur in Azure's secure infrastructure.

Networking

Virtual Network

  • Virtual Network Name: vnet01
  • Address Space: 172.16.0.0/26, with a subnet for allocating IPs.
  • Subnets:
    • Name: subnet-1
    • Address Prefix: 172.16.0.0/26

IP Address Configuration

  • The Cognitive Services account is reachable via public IP, and specific rules allow access from the IP address 34.172.242.222.

Virtual Network Peering

  • There are currently no virtual network peerings established in this template. It’s recommended to consider peerings if communication with other VNETs is necessary.

Security Overview

Security is primarily focused on network access controls and content moderation. Here are key points:

  • Network ACLs: Default action for access is set to Deny, which is a good practice to enhance security. Only specified IPs and subnets are allowed access.
  • Content Filtering: The deployment includes multiple blocking policies against various forms of harmful content. Overall, blocking is enforced; however, the Microsoft.Nil policy allows for logging of high-severity risks.
  • Public Access: While the Cognitive Services account does allow public access, it is tightly controlled through ACLs, ensuring safeguarding against unauthorized access.

Recommendations:

  • Regularly audit the IP allowlist.
  • Consider enabling the Defender for AI settings for enhanced threat protection.
  • Monitor logs frequently and adjust filtering policies as necessary based on detected activities.

Other Information

Cost Management

  • The use of Standard SKU for Cognitive Services is cost-effective for small to medium workloads. Ensure to monitor usage and capacity to avoid unforeseen charges.

Scalability

  • Depending on demand, it may be required to adjust the capacities of deployed services. The ARM template allows for easy updates and redeployment.

Unique Configurations

  • The use of network rules to tightly control access to resources ensures compliance with best practices for security.

Final Notes

This template reflects a well-thought-out structure for deploying Azure Cognitive Services with strong controls for security, networking, and governed AI capabilities. As deployments scale, it will be crucial to adjust the resources to meet both functional and security requirements effectively.

Note: This document was generated using the Azure Assistants script and an LLM

Table of Contents

Updated on October 29, 2024