Resource Group: rg-siskgptdev

Overview

The resource group rg-siskgptdev is designed to host various Azure Cognitive Services, a Cosmos DB database, a key vault for secure storage of secrets, and a web application service. This configuration serves as the backend for applications using AI capabilities, such as OpenAI services, as well as document analytics, speech recognition, and form recognition. The resource group is structured to offer high availability and performance, ensuring applications can execute complex machine learning tasks effectively.

Resources

The resource group includes the following resources:

  1. Cognitive Services Accounts

    • Type: Microsoft.CognitiveServices/accounts
    • Names:
      • siskgptdev-aidalle-jen5je3uh4mms (OpenAI Model)
      • siskgptdev-aillm-jen5je3uh4mms (OpenAI Model)
      • siskgptdev-aivision-jen5je3uh4mms (OpenAI Vision Model)
      • siskgptdev-form-jen5je3uh4mms (Form Recognizer)
      • siskgptdev-speech-jen5je3uh4mms (Speech Services)
    • Locations: swedencentral, westus, centralus
    • Common Properties: All accounts have public network access enabled and use the S0 SKU.
  2. Cosmos DB Account

    • Type: Microsoft.DocumentDB/databaseAccounts
    • Name: siskgptdev-cosmos-jen5je3uh4mms
    • Location: Central US
    • Key Properties:
      • Session-level consistency.
      • Periodic backups with geo-redundancy.
      • Public network access enabled.
  3. Key Vault

    • Type: Microsoft.KeyVault/vaults
    • Name: siskgpt-kv-jen5je3uh4mms
    • Location: Central US
    • Properties:
      • Public network access enabled.
      • RBAC authorization and soft delete are enabled (soft delete retains deleted objects for a recovery period).
  4. Log Analytics Workspace

    • Type: Microsoft.OperationalInsights/workspaces
    • Name: siskgptdev-la-jen5je3uh4mms
    • Location: Central US
    • Key Properties:
      • Public network access for ingestion and query enabled.
      • Retention of logs for 30 days.
  5. Search Service

    • Type: Microsoft.Search/searchServices
    • Name: siskgptdevsearchjen5je3uh4mms
    • Location: Central US
    • Key Properties:
      • Authentication via API key only.
      • Public network access enabled.
  6. Storage Account

    • Type: Microsoft.Storage/storageAccounts
    • Name: siskgptdstojen5je3uh4mms
    • Location: Central US
    • Key Properties:
      • Access tier set to 'Hot'.
      • Public blob access disabled; HTTPS traffic only.
  7. App Service Plan

    • Type: Microsoft.Web/serverfarms
    • Name: siskgptdev-app-jen5je3uh4mms
    • Location: Central US
    • SKU: Premium0V3
  8. Web App

    • Type: Microsoft.Web/sites
    • Name: siskgptdev-webapp-jen5je3uh4mms
    • Location: Central US
    • Key Configurations:
      • Client authentication required.
      • Uses a Linux-based environment with Node.js (version 18-lts).
      • HTTPS-only enabled.
  9. Secrets in Key Vault: Multiple secrets corresponding to various API keys and sensitive configurations for Azure services.

Data Storage

Data is stored across several services:

  • Cosmos DB serves as the primary database, hosting multiple databases and collections for the application.
    • Database "chat", with the collections "config" and "history".
  • Storage Account stores various types of objects such as blobs, files, queues, and tables.
    • Specific containers within the storage account are used for different data types, for example images in blob storage.

Networking

Currently, the ARM template does not specify explicit virtual networks or IP address assignments for these resources. Since most services have public network access enabled, they are reachable over the internet, which may be a security concern.

  • IP Rules: There are no specific IP address restrictions configured.
  • Public Access: Enabled for the data services, meaning they are reachable from the internet and potentially exposed to unauthorized access; protection then rests entirely on each service's own authentication.

Security Overview

Potential Security Issues:

  • Exposed Public Access: Several resources, including Azure Cognitive Services and Cosmos DB, have public access enabled. This can lead to unauthorized access and data breaches if appropriate authentication and authorization methods are not implemented.
  • No IP Restrictions: Lack of IP filtering for many resources increases the risk of unauthorized data access.

Recommendations:

  1. Enable Private Links: Consider configuring private endpoints for critical services like Cosmos DB and Cognitive Services to limit exposure to the public internet.
  2. Access Control in Key Vault: Ensure that access to the vault is defined and limited, restricting who can read secrets and keys. Since this vault has RBAC authorization enabled, that means scoped role assignments rather than legacy access policies.
  3. Implement Azure Active Directory: Use Azure AD authentication across services instead of API keys where possible (the Search service, for example, currently authenticates by API key only) to enhance security.
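As an added example (not part of the generated report or of any Microsoft tooling), the following Python script audits a parsed ARM template for the issues and recommendations above: resources with public network access enabled and no IP rules, a Key Vault without RBAC authorization, and a Search service that still accepts API-key authentication. The property names follow the ARM schemas for these resource types; the sample template and its resource names are constructed placeholders.

```python
"""Audit a parsed ARM template for the exposure pattern described above:
public network access with no IP rules, Key Vault without RBAC, API-key auth."""
import json

# Property path holding each type's IP allow-list (per the ARM schemas);
# types not listed here fall back to properties.networkAcls.ipRules.
IP_RULE_PATHS = {
    "Microsoft.DocumentDB/databaseAccounts": ("ipRules",),
    "Microsoft.Search/searchServices": ("networkRuleSet", "ipRules"),
}
DEFAULT_IP_RULE_PATH = ("networkAcls", "ipRules")

def _ip_rules(props, path):
    """Walk `path` inside properties; return the IP rule list or []."""
    node = props
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, list) else []

def audit_resource(res):
    """Return a list of finding strings for one ARM resource object."""
    rtype, name = res.get("type", ""), res.get("name", "?")
    props = res.get("properties", {})
    findings = []
    # These resource types default publicNetworkAccess to Enabled when unset.
    pna = str(props.get("publicNetworkAccess", "Enabled")).lower()
    rules = _ip_rules(props, IP_RULE_PATHS.get(rtype, DEFAULT_IP_RULE_PATH))
    if pna == "enabled" and not rules:
        findings.append(f"{name}: public network access enabled with no IP rules")
    if rtype == "Microsoft.KeyVault/vaults" and not props.get("enableRbacAuthorization"):
        findings.append(f"{name}: Key Vault uses access policies, not RBAC")
    if rtype == "Microsoft.Search/searchServices" and not props.get("disableLocalAuth"):
        findings.append(f"{name}: Search still accepts API-key (local) auth")
    return findings

def audit_template(template):
    """Audit every resource in a parsed ARM template (dict)."""
    return [f for r in template.get("resources", []) for f in audit_resource(r)]

# Constructed sample template; names are placeholders, not the real resources.
SAMPLE_TEMPLATE = json.loads("""{"resources": [
 {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "example-cosmos",
  "properties": {"publicNetworkAccess": "Enabled", "ipRules": []}},
 {"type": "Microsoft.KeyVault/vaults", "name": "example-kv",
  "properties": {"publicNetworkAccess": "Disabled", "enableRbacAuthorization": true}},
 {"type": "Microsoft.Search/searchServices", "name": "example-search",
  "properties": {"publicNetworkAccess": "enabled", "disableLocalAuth": false,
   "networkRuleSet": {"ipRules": [{"value": "203.0.113.0/24"}]}}}]}""")

print("\n".join(audit_template(SAMPLE_TEMPLATE)))  # two findings for the sample
```

To audit the real template, export it from the resource group and pass `json.load(open(path))` to `audit_template`.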

Other Information

  • Cost Management: Each service incurs costs based on usage and selected configuration. It is advisable to monitor costs, especially for Cosmos DB and Cognitive Services, because their charges are usage-driven and can vary widely.
  • Scalability: The resources are structured for scaling, particularly the App Service Plan which supports elastic scaling options.
  • Monitoring and Logging: Utilize the Log Analytics workspace for monitoring the performance and logging metrics of all resources, enabling quick diagnosis and troubleshooting of issues.

In summary, this resource group serves as a robust foundation for developing applications leveraging modern AI and data processing technologies while presenting certain security considerations that require attention.

Note: This document was generated using the Azure Assistants script and an LLM


Updated on October 31, 2024