Resource Group: wusm-prod-rg-main

Overview

The wusm-prod-rg-main resource group supports applications and services for cognitive computing, data analytics, and virtual machine management at Washington University School of Medicine (WUSM). It uses Azure capabilities to provide storage, networking, and security controls for sensitive data and workloads. The group consists of multiple resources spanning Azure Cognitive Services, Databricks workspaces, Azure Key Vaults, Virtual Networks, and several storage accounts, which together handle data processing and analytics.

Resources

1. Cognitive Services Accounts

  • Type: Microsoft.CognitiveServices/accounts
  • Names Include:
    • accounts_open_ai_multitude
    • accounts_open_ai_critical_care_name
    • accounts_open_ai_moving_stories_translator_name
  • Purpose: These accounts enable various AI capabilities such as text translation, image processing, and anomaly detection through Azure's Cognitive Services.
  • Relationships: The accounts are configured to accept access only from specific virtual network subnets, so that only designated services can interact with them. Their network ACLs are set with defaultAction: Deny and allow only the listed IP address ranges (e.g., 128.252.0.0/16, 34.41.236.11); requests from any other source are rejected.

2. Databricks Workspaces

  • Type: Microsoft.Databricks/workspaces
  • Names Include: workspaces_wusm_prod_adb_name
  • Purpose: Facilitates big data analysis and machine learning workloads via the Databricks platform.
  • Configurations: The workspaces are deployed into custom subnets for performance and security.
  • Networking: Access to the workspaces is restricted by the configured virtual network rules, which protects data privacy.

3. Key Vaults

  • Type: Microsoft.KeyVault/vaults
  • Names Include:
    • vaults_wusm_prod_kv_name
    • vaults_wusm_prod_biostats_kv_name
  • Purpose: Securely stores and manages sensitive information such as API keys, secrets, and certificates.
  • Security Policies: Access policies are restrictive: only the specified identities are granted permissions, and those permissions are limited in scope.
  • Networking: The key vaults use network ACLs that restrict connections to the defined virtual network subnets.

4. Virtual Networks

  • Type: Microsoft.Network/virtualNetworks
  • Name: virtualNetworks_wusm_prod_vnet_main_name
  • Purpose: Provides a secure and isolated network environment for all resources.
  • Subnets Included:
    • ADBContainerSubnet
    • ADBHostSubnet
    • AuxSubnet
  • Configurations: Contains subnets for the application gateway, Databricks services, and private endpoints.
  • IP Addresses: Private IP addresses are assigned dynamically; examples include 10.25.47.156 for the Databricks worker nodes and 10.25.47.155 for the Tableau server.

5. Public IP Addresses

  • Type: Microsoft.Network/publicIPAddresses
  • Name: publicIPAddresses_wusm_prod_appgw_name
  • Purpose: Provides the public IP address for the Application Gateway, enabling external access.
  • IP Address: 20.236.205.7, allocated as a static address, with DDoS protection settings associated.

Data Storage

Data is primarily stored in various Azure Storage Accounts across different configurations, each serving specific purposes and accessibility levels:

  • General Purpose Storage Accounts: Several storage accounts, such as wusmprodadls_name, use the Standard_LRS SKU. They restrict network access to specific IP addresses and trusted Azure services, with public access permitted only where required.
  • Blob Containers: Blob storage holds larger files and structured data. Each service or application has its own containers, such as insights-logs and databasin, which are linked to Azure services like Databricks for logs and data processing.

Networking

The networking architecture is built on a Virtual Network (VNet) configured with security and compliance in mind:

  • VNet: virtualNetworks_wusm_prod_vnet_main_name
    • Features subnets such as ADBContainerSubnet, ADBHostSubnet, and AuxSubnet with specific address spaces.
  • Subnets: Each subnet is configured with Network Security Groups (NSGs) that enforce security rules, allowing only trusted traffic.
  • Virtual Network Peering: Allows resources in different networks to communicate over private address space, so that data flows between them without public exposure.

Security Overview

The resource group employs stringent security measures to protect data privacy:

  • IP Rule Restrictions: Many services carry specific IP rules that limit external access.
  • Access Policies: Azure Key Vault access policies are granular, granting only the necessary identities a restricted set of permissions.
  • Network ACLs: Resource access is controlled by network rules that specify which IP addresses may reach each service, which significantly reduces the attack surface.
  • Recommendations: Audit access policies and IP restrictions regularly, and use Azure Security Center for monitoring.

Other Information

  • Cost Management: Tags on the resources support cost tracking across departments and initiatives (e.g., "Cost Center": "CC0006083").
  • Scalability: Resources, especially the Databricks workspaces, are configured to scale with workload, so capacity follows actual usage.
  • Compliance: Adhering to regulatory and internal policies is critical due to the sensitive nature of the data handled within this resource group.

This configuration supports WUSM’s work in medical research and education, focusing on advanced analytical capabilities built on Azure’s cloud infrastructure. Security configurations and access permissions should be reviewed and updated regularly to maintain a high security standard.

Note: This document was generated using the Azure Assistants script and an LLM.

Updated on October 30, 2024