Azure introduced the public preview of enhanced security and IT governance features in Azure AI Foundry this month. These changes can help companies build and scale GenAI solutions that are secure by default:
- By providing cross-functional teams with a simplified, unified administration and governance experience within the Azure AI Foundry interface, the management center saves developers time and expedites resource management, security, and compliance procedures.
- Allowing specific IP addresses to access Azure Machine Learning workspaces gives more precise network security control. Azure AI Foundry support is coming soon.
- A new Azure AI Admin role helps companies ensure that system identities have access to the bare minimum of resources needed by enforcing the "least privilege" approach by default.
- Using user credential passthrough, IT managers may now access default storage with a new identity-based option that simplifies management and improves the security of default settings.
Additionally, Azure stated that connections in Azure AI Foundry are now widely available to help with data sharing, administration, and access control while creating GenAI apps. Users can access external data through these connections without having to copy it to a project or hub.
Presenting the Azure AI Foundry management center
Various roles often need to complete administrative tasks, such as creating new data connections, setting up additional resources, or monitoring production quota consumption, in order to support AI projects. Some of these roles would prefer to start quickly with basic, default configurations and do not need or want the complex controls of an IT administrator.
Cross-functional teams may now access the management center through the Azure AI Foundry interface, which provides centralized, simplified governance and management capabilities for GenAI apps. AI development, operations, and compliance teams can now easily create, manage, and audit their organization's hubs, projects, and resources from within the Azure AI Foundry portal, eliminating the need to visit Azure Portal or other areas of the Azure AI Foundry portal for routine administrative tasks.
By using the management center to see key subscription information such as login credentials, quota usage, and associated resources, users can make sure that projects are in compliance. For further in-depth information on subjects like network configurations and latency, the management center also provides connections to relevant Azure Portal areas for IT managers.
The management center integrates essential subscription data directly into the Azure AI Foundry site, saving businesses time and streamlining resource management, security, and compliance procedures across the AI development lifecycle.
Allow certain IPs to access your workspaces or hubs
Previously, Azure Machine Learning workspaces and Azure AI Foundry hubs provided either private or public access control. However, security and administrative concerns prevent some companies from implementing all private links. For instance, they do not want to use fully public workspaces and cannot provide virtual private network (VPN) connections to all members of their data science team.
A third option that allows for more exact control is now available to Azure AI Foundry and Azure Machine Learning customers: the creation of rules that permit inbound access to their hubs and workspaces using specific IPs. In other words, IT administrators can allowlist certain IPs to access a workspace or hub without having to build up a fully public workspace or private endpoints via a VPN or ExpressRoute connection. Each Azure AI hub supports up to 200 rules, or IPs. While limiting general internet traffic, these policies permit access to certain on-premises networks and internet-based services.
Enabling access from specific IPs is currently possible with Azure Machine Learning, and Azure AI Foundry will soon follow.
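A proposed set of inbound rules can be linted offline before it is applied. The following is an added example, not code from Azure or the original article: the function name `lint_allowlist`, the /16 breadth threshold, and counting each entry as one rule are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

MAX_RULES = 200  # per-hub limit stated in the article
# RFC 1918 private ranges: never seen as internet source addresses.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lint_allowlist(entries, max_rules=MAX_RULES, min_prefix=16):
    """Return (rules, findings) for a proposed inbound IP allowlist.

    min_prefix is an assumed local policy: IPv4 ranges wider than /16 are
    rejected for review. Each entry is counted as one rule (assumption).
    """
    rules, findings = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append(("invalid", raw))
            continue
        if net in rules:
            findings.append(("duplicate", raw))
        elif net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            findings.append(("private-range", raw))
        elif net.version == 4 and net.prefixlen < min_prefix:
            findings.append(("too-broad", raw))
        else:
            rules.append(net)
    # A rule fully contained in another adds nothing and wastes a slot.
    for a in rules:
        for b in rules:
            if a is not b and a.version == b.version and a.subnet_of(b):
                findings.append(("covered-by", f"{a} in {b}"))
    if len(rules) > max_rules:
        findings.append(("over-limit", f"{len(rules)} > {max_rules}"))
    return rules, findings


# Constructed sample input (documentation ranges, not real addresses).
SAMPLE = ["198.51.100.7", "203.0.113.0/24", "203.0.113.40/32",
          "192.168.1.10", "0.0.0.0/0", "198.51.100.7", "not-an-ip"]

if __name__ == "__main__":
    for kind, detail in lint_allowlist(SAMPLE)[1]:
        print(f"{kind:14} {detail}")
```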
New Azure AI Administrator role
As part of our commitment to enhancing client security by default, Azure is introducing a new built-in role called "Azure AI Administrator" that will allow workspace apps to access all dependent resources at the resource group level. Previously, the general "Contributor" role was in use. Following the "least privilege" principle, this new role, which is now in public preview, makes sure that system identities have access to the bare minimum of resources required by default. This approach significantly reduces the likelihood of breaches or unauthorized access in the event that credentials are compromised.
Administrators can now apply the scope of this new role at the normal resource group level or at the individual resource level, allowing for a more granular tightening of access.
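Role assignments can be audited offline to find system identities that still hold a broad role. This is an added example, not Microsoft's tooling: it assumes input in the shape of `az role assignment list` JSON output, the identifiers in the sample are constructed placeholders, and treating a subscription-wide assignment of the new role as too wide is an assumed local policy.

```python
import json

BROAD_ROLES = {"Owner", "Contributor"}
NEW_ROLE = "Azure AI Administrator"  # role name as given in the article
RANK = {"other": 0, "subscription": 1, "resource-group": 2, "resource": 3}


def scope_level(scope):
    """Classify an ARM scope path by how much it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if parts[:1] != ["subscriptions"] or len(parts) < 2:
        return "other"            # management group, tenant root, malformed
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    return "resource"


def audit(assignments):
    """Flag system identities whose role or scope exceeds the new default."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue              # managed identities are listed with this type
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in BROAD_ROLES:
            findings.append((a["principalId"], role, level,
                             f"replace with {NEW_ROLE}"))
        elif role == NEW_ROLE and RANK[level] < RANK["resource-group"]:
            findings.append((a["principalId"], role, level, "narrow the scope"))
    return sorted(findings, key=lambda f: RANK[f[2]])  # widest scope first


# Constructed sample; SUB-ID and the principal IDs are placeholders.
SAMPLE = json.loads("""[
 {"principalId": "hub-identity", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-ID/resourceGroups/rg-genai"},
 {"principalId": "project-identity", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Azure AI Administrator", "scope": "/subscriptions/SUB-ID/resourceGroups/rg-genai"},
 {"principalId": "legacy-identity", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Azure AI Administrator", "scope": "/subscriptions/SUB-ID"},
 {"principalId": "alice", "principalType": "User",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-ID"}
]""")
```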
New identity-based access constraints for default storage
Many businesses would prefer not to employ credential-based access for their storage accounts due to security issues, such as the potential for credential breaches and the inadvertent granting of highly privileged access. Additionally, managing the maintenance problems caused by the time-consuming process of frequent credential rotations can be challenging. The credential-based approach, which uses an account key or SAS token, and the new identity-based approach, which uses user credential passthrough and is currently in public preview, are the two access options that Azure Machine Learning and Azure AI Foundry default storage accounts now offer to address these issues.
With this update, IT managers can leverage identity-based access to grant granular permissions at the user level, allowing for more precise management. Furthermore, by making it simpler to set up secure setups by default, the new method reduces the IT overhead associated with credential maintenance. This enables more efficient and secure management of storage account access.
Data and service connections in Azure AI Foundry
You can create data and service references with ease thanks to connections in Azure AI Foundry, which are now broadly available. This makes it possible to easily access several data sources and stand-alone AI services, and it also removes the need to repeat data within your project. Instead, the connection only provides a link to the service or data source.
The main advantages of Azure AI Foundry Connections are:
- It is simpler to locate helpful links for team operations: Use expedited access to important data sources and services to boost productivity and teamwork.
- Simplified APIs: Utilize an easy-to-use API that works with distinct storage types like Microsoft OneLake, Azure Blob Storage, and Azure Data Lake Gen2, as well as a range of standalone Azure AI services like Azure Content Safety, Azure Speech, and Azure AI Search.
- Secure credential management: For credential-based access (service principal, SAS, and API keys), Azure AI Foundry securely stores credential data in Azure Key Vault. This guarantees that you won't need to include crucial secrets in your scripts or code, which enhances security and simplifies credential administration.