Cognitive Services inside virtual network service tag configuration

Question

Cognitive Services inside virtual network service tag configuration

Gayatri Krishnan 66

Hi,

I am provisioning single services of Cognitive Service inside a virtual network. I have setup the services as mentioned in the documentation.
https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks?tabs=portal

I saw a note in the documentation about service tags to be applied and I am wondering how does that work?

I didn't configure any rule for CognitiveServiceManagement tag in my associated NSG and yet I was able to successfully test Rest endpoints using postman from a VM in virtual network. Only default rules are allowed. Also note the outbound network access and public network access for the service is disabled.

romungi-MSFT 48,916 Reputation points Microsoft Employee Moderator

2022-07-15T09:14:09.283+00:00

@Gayatri Krishnan For the speech, LUIS and language service there are additional portals that are used which will not be accessible from virtual network if the additional service tags are not added on your virtual network's NSG. These are basically a group of IPs managed by microsoft that can be easily added to a NSG for inbound/outbound instead of manually adding IPs for each of the service.

I am not an expert in networking but in your case, what are the default set of rules that are already allowed on your VM NSG? If any of the default rules based on priority allows a certain port, in this case if 443 is allowed, then this might have enabled access to the endpoint through REST API.

If you are unsure, you can always run nslookup on the endpoint used to trace the path of your request from the VM.
Gayatri Krishnan 66 Reputation points

2022-07-18T03:50:14.11+00:00

I have not changed any NSG rule and only using the default rules that is created on NSG creation.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules

Are you referring to the following portals?
https://language.cognitive.azure.com/
luis.ai
romungi-MSFT 48,916 Reputation points Microsoft Employee Moderator

2022-07-18T13:43:15.507+00:00

Yes, the portals are correct. The guidance in document is to add additional tags to access these portals from the virtual network.
Gayatri Krishnan 66 Reputation points

2022-07-20T07:42:47.667+00:00

I understand for portal perspective but I am bit lost about CognitiveServiceManagement tag that is mentioned will allow Rest Api and SDK access only for LUIS, speech, language services. I have tested it without this tag and I can definitely get a response from REST API from a virtual network. Can you elaborate under what circumstance is that sentence true and why can I operate without it?

Accepted answer

0 additional answers

Your answer

romungi-MSFT 48,916 Reputation points Microsoft Employee Moderator

2022-07-15T09:14:09.283+00:00

@Gayatri Krishnan For the speech, LUIS and language service there are additional portals that are used which will not be accessible from virtual network if the additional service tags are not added on your virtual network's NSG. These are basically a group of IPs managed by microsoft that can be easily added to a NSG for inbound/outbound instead of manually adding IPs for each of the service.

I am not an expert in networking but in your case, what are the default set of rules that are already allowed on your VM NSG? If any of the default rules based on priority allows a certain port, in this case if 443 is allowed, then this might have enabled access to the endpoint through REST API.

If you are unsure, you can always run nslookup on the endpoint used to trace the path of your request from the VM.
Gayatri Krishnan 66 Reputation points

2022-07-18T03:50:14.11+00:00

I have not changed any NSG rule and only using the default rules that is created on NSG creation.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules

Are you referring to the following portals?
https://language.cognitive.azure.com/
luis.ai
romungi-MSFT 48,916 Reputation points Microsoft Employee Moderator

2022-07-18T13:43:15.507+00:00

Yes, the portals are correct. The guidance in document is to add additional tags to access these portals from the virtual network.
Gayatri Krishnan 66 Reputation points

2022-07-20T07:42:47.667+00:00

I understand for portal perspective but I am bit lost about CognitiveServiceManagement tag that is mentioned will allow Rest Api and SDK access only for LUIS, speech, language services. I have tested it without this tag and I can definitely get a response from REST API from a virtual network. Can you elaborate under what circumstance is that sentence true and why can I operate without it?

Answer 1

As per the default security group I see outbound internet is allowed.

Since the rules are stateful i.e if you specify an outbound security rule to any address over port 443, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. I believe this behavior is allowing you to initiate requests from a VM in your network to your endpoint irrespective of a CognitiveServiceManagement tag added to allow inbound requests.

The security rules section from this page explains this behavior and if you try to change the Access to Deny for rule 65001 in your outbound rules your request should fail.

If an answer is helpful, please click on or upvote which might help other community members reading this thread.

Share via

Cognitive Services inside virtual network service tag configuration

0 additional answers

Your answer