# Restrict Cognitive Service endpoints
Security · Cognitive Services · 2022_09
Restrict access of Cognitive Services accounts to authorized virtual networks.
## Description
By default, public network access is enabled for a Cognitive Services account. Service Endpoints and Private Link can be used to restrict access to PaaS endpoints. When access is restricted, access by a malicious actor from an unauthorized virtual network is mitigated.
Configure service endpoints and private links where appropriate.
## Recommendation
Consider configuring network access restrictions for Cognitive Services accounts. Limit access to accounts so that access is permitted from authorized virtual networks only.
## Examples

### Configure with Azure template
To deploy accounts that pass this rule:
- Set the `properties.networkAcls.defaultAction` property to `Deny`, or
- Set the `properties.publicNetworkAccess` property to `Disabled`.
For example:
Azure Template snippet

```json
{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2022-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "S0"
  },
  "kind": "CognitiveServices",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
      "defaultAction": "Deny"
    },
    "disableLocalAuth": true
  }
}
```
### Configure with Bicep
To deploy accounts that pass this rule:
- Set the `properties.networkAcls.defaultAction` property to `Deny`, or
- Set the `properties.publicNetworkAccess` property to `Disabled`.
For example:
Azure Bicep snippet

```bicep
resource account 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'S0'
  }
  kind: 'CognitiveServices'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
    }
    disableLocalAuth: true
  }
}
```
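As an added example (not PSRule's own rule implementation), the check below evaluates the Cognitive Services account resources in an ARM template against the two conditions above: `networkAcls.defaultAction` is `Deny`, or `publicNetworkAccess` is `Disabled`. The template is constructed inline, and treating a missing property as the Azure default (public access enabled) and comparing values case-insensitively are assumptions.

```python
import json


def restricts_network_access(resource: dict) -> bool:
    """True when the account passes the rule: networkAcls.defaultAction is
    Deny, or publicNetworkAccess is Disabled. A missing property is treated
    as the Azure default (Allow / Enabled), which fails the rule (assumption)."""
    props = resource.get("properties") or {}
    acls = props.get("networkAcls") or {}
    # Assumption: ARM property values are compared case-insensitively.
    default_action = str(acls.get("defaultAction", "Allow")).lower()
    public_access = str(props.get("publicNetworkAccess", "Enabled")).lower()
    return default_action == "deny" or public_access == "disabled"


def evaluate_template(template_json: str) -> dict:
    """Map each Cognitive Services account name in a template to pass/fail;
    resources of other types are ignored."""
    template = json.loads(template_json)
    results = {}
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() == "microsoft.cognitiveservices/accounts":
            results[res["name"]] = restricts_network_access(res)
    return results


# Constructed sample template covering the default, ACL-only, and
# public-access-disabled cases plus one unrelated resource.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.CognitiveServices/accounts", "name": "open-account",
         "properties": {}},  # Azure defaults: public access enabled -> Fail
        {"type": "Microsoft.CognitiveServices/accounts", "name": "acl-account",
         "properties": {"networkAcls": {"defaultAction": "Deny"}}},  # Pass
        {"type": "Microsoft.CognitiveServices/accounts", "name": "private-account",
         "properties": {"publicNetworkAccess": "Disabled",
                        "networkAcls": {"defaultAction": "Allow"}}},  # Pass
        {"type": "Microsoft.Storage/storageAccounts", "name": "store"},  # ignored
    ]
})

if __name__ == "__main__":
    for name, ok in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'Pass' if ok else 'Fail'}")
```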
## Links
- Best practices for endpoint security on Azure
- Configure Azure Cognitive Services virtual networks
- Azure Policy built-in policy definitions for Azure Cognitive Services
- Azure deployment reference
Last update: 2022-12-03