Set up the Bring your own storage (BYOS) Speech resource

Bring your own storage (BYOS) is an Azure AI technology for customers, who have high requirements for data security and privacy. The core of the technology is the ability to associate an Azure Storage account, that the user owns and fully controls with the Speech resource. The Speech resource then uses this storage account for storing different artifacts related to the user data processing, instead of storing the same artifacts within the Speech service premises as it is done in the regular case. This approach allows using all set of security features of Azure Storage account, including encrypting the data with the Customer-managed keys, using Private endpoints to access the data, etc.

In BYOS scenarios, all traffic between the Speech resource and the Storage account is maintained using Azure global network, in other words all communication is performed using private network, completely bypassing public internet. Speech resource in BYOS scenario is using Azure Trusted services mechanism to access the Storage account, relying on System-assigned managed identities as a method of authentication, and Role-based access control (RBAC) as a method of authorization.

There's one exception: if you use Text to speech, and your Speech resource and the associated Storage account are located in different Azure regions, then public internet is used for the operations, involving User delegation SAS. See details in this section.

BYOS can be used with several Azure AI services. For Speech, it can be used in the following scenarios:

Speech to text

Text to speech

One Speech resource – Storage account combination can be used for all four scenarios simultaneously in all combinations.

This article describes how to create and maintain BYOS-enabled Speech resource and applicable to all mentioned scenarios. See the scenario-specific information in the corresponding articles.

BYOS-enabled Speech resource: Basic rules

Consider the following rules when planning BYOS-enabled Speech resource configuration:

  • Speech resource can be BYOS-enabled only during creation. Existing Speech resource can't be converted to BYOS-enabled. BYOS-enabled Speech resource can't be converted to the “conventional” (non-BYOS) one.
  • Storage account association with the Speech resource is declared during the Speech resource creation. It can't be changed later. That is, you can't change what Storage account is associated with the existing BYOS-enabled Speech resource. To use another Storage account, you have to create another BYOS-enabled Speech resource.
  • When creating a BYOS-enabled Speech resource, you can use an existing Storage account or create one automatically during Speech resource provisioning (the latter is valid only when using Azure portal).
  • One Storage account can be associated with many Speech resources. We recommend using one Storage account per one Speech resource.
  • Storage account and the related BYOS-enabled Speech resource can be located in either the same or different Azure regions. We recommend using the same region to minimize latency. For the same reason, we don't recommend selecting too remote regions for multi-region configuration. (For example, we don’t recommend placing Storage account in East US and the associated Speech resource in West Europe).

Create and configure BYOS-enabled Speech resource

This section describes how to create a BYOS enabled Speech resource.

Request access to BYOS for your Azure subscriptions

You need to request access to BYOS functionality for each of the Azure subscriptions you plan to use. To request access, fill and submit Cognitive Services & Applied AI Customer Managed Keys and Bring Your Own Storage access request form. Wait for the request to be approved.

Plan and prepare your Storage account

If you use Azure portal to create a BYOS-enabled Speech resource, an associated Storage account can be created automatically. For all other provisioning methods (Azure CLI, PowerShell, REST API Request) you need to use existing Storage account.

If you want to use existing Storage account and don't intend to use Azure portal method for BYOS-enabled Speech resource provisioning, note the following regarding this Storage account:

  • You need the full Azure resource ID of the Storage account. To obtain it navigate to the Storage account in Azure portal, then select Endpoints menu from Settings group. Copy and store the value of Storage account resource ID field.
  • To fully configure BYOS, you need at least Resource Owner right for the selected Storage account.

Note

Storage account Resource Owner right or higher is not required to use a BYOS-enabled Speech resource. However it is required during the one-time initial configuration of the Storage account for the usage in BYOS scenario. See details in this section.

Create BYOS-enabled Speech resource

Make sure your Azure subscription is enabled for using BYOS before attempting to create the Speech resource. See this section.

There are two ways of creating a BYOS-enabled Speech resource:

  • With Azure portal.
  • With Cognitive Services API (PowerShell, Azure CLI, REST request).

Azure portal option has tighter requirements:

  • Account used for the BYOS-enabled Speech resource provisioning should have a right of the Subscription Owner.
  • BYOS-associated Storage account should only be located in the same region as the Speech resource.

If any of these extra requirements don't fit your scenario, use Cognitive Services API option (PowerShell, Azure CLI, REST request).

To use any of the methods above you need an Azure account that is assigned a role allowing to create resources in your subscription, like Subscription Contributor.

Note

If you use Azure portal to create a BYOS-enabled Speech resource, we recommend selecting the option of creating a new Storage account.

To create a BYOS-enabled Speech resource with Azure portal, you need to access some portal preview features. Perform the following steps:

  1. Navigate to Create Speech page using this link.
  2. Note the Storage account section at the bottom of the page.
  3. Select Yes for Bring your own storage option.
  4. Configure the required Storage account settings and proceed with the Speech resource creation.

If you used Azure portal for creating a BYOS-enabled Speech resource, it's fully ready to use. If you used any other method, you need to perform the role assignment for the Speech resource managed identity within the scope of the associated Storage account. In all cases, you also need to review different Storage account settings related to data security. See this section.

(Optional) Verify Speech resource BYOS configuration

You may always check, whether any given Speech resource is BYOS enabled, and what is the associated Storage account. You can do it either via Azure portal, or via Cognitive Services API.

To check BYOS configuration of a Speech resource with Azure portal, you need to access some portal preview features. Perform the following steps:

  1. Navigate to Create Speech page using this link.
  2. Close Create Speech screen by pressing X in the right upper corner.
  3. If asked agree to discard unsaved changes.
  4. Navigate to the Speech resource you want to check.
  5. Select Storage menu in the Resource Management group.
  6. Check that:
    1. Attached storage field contains the Azure resource ID of the BYOS-associated Storage account.
    2. Identity type has System Assigned selected.

If Storage menu item is missing in the Resource Management group, the selected Speech resource isn't BYOS-enabled.

Configure BYOS-associated Storage account

To achieve high security and privacy of your data you need to properly configure the settings of the BYOS-associated Storage account. In case you didn't use Azure portal to create your BYOS-enabled Speech resource, you also need to perform a mandatory step of role assignment.

Assign resource access role

This step is mandatory if you didn't use Azure portal to create your BYOS-enabled Speech resource.

BYOS uses the Blob storage of a Storage account. Because of this, BYOS-enabled Speech resource managed identity needs Storage Blob Data Contributor role assignment within the scope of BYOS-associated Storage account.

If you used Azure portal to create your BYOS-enabled Speech resource, you may skip the rest of this subsection. Your role assignment is already done. Otherwise, follow these steps.

Important

You need to be assigned the Owner role of the Storage account or higher scope (like Subscription) to perform the operation in the next steps. This is because only the Owner role can assign roles to others. See details here.

  1. Go to the Azure portal and sign in to your Azure account.
  2. Select the Storage account.
  3. Select Access Control (IAM) menu in the left pane.
  4. Select Add role assignment in the Grant access to this resource tile.
  5. Select Storage Blob Data Contributor under Role and then select Next.
  6. Select Managed identity under Members > Assign access to.
  7. Assign the managed identity of your Speech resource and then select Review + assign.
  8. After confirming the settings, select Review + assign.

Configure Storage account security settings for Speech to text

This section describes how to set up Storage account security settings, if you intend to use BYOS-associated Storage account only for Speech to text scenarios. In case you use the BYOS-associated Storage account for Text to speech or a combination of both Speech to text and Text to speech, use this section.

For Speech to text BYOS is using the trusted Azure services security mechanism to communicate with Storage account. The mechanism allows setting very restricted Storage account data access rules.

If you perform all actions in the section, your Storage account will be in the following configuration:

So in effect your Storage account becomes completely "locked" and can only be accessed by your Speech resource, which will be able to:

  • Write artifacts of your Speech data processing (see details in the correspondent articles),
  • Read the files that were already present by the time the new configuration was applied. For example, source audio files for the Batch transcription or Dataset files for Custom model training and testing.

You should consider this configuration as a model as far as the security of your data is concerned and customize it according to your needs.

For example, you may allow traffic from selected public IP addresses and Azure Virtual networks. You may also set up access to your Storage account using private endpoints (see as well this tutorial), re-enable access using Storage account key, allow access to other Azure trusted services, etc.

Note

Using private endpoints for Speech isn't required to secure the Storage account. Private endpoints for Speech secure the channels for Speech API requests, and can be used as an extra component in your solution.

Restrict access to the Storage account

  1. Go to the Azure portal and sign in to your Azure account.
  2. Select the Storage account.
  3. In the Settings group in the left pane, select Configuration.
  4. Select Disabled for Allow Blob public access.
  5. Select Disabled for Allow storage account key access
  6. Select Save.

For more information, see Prevent anonymous public read access to containers and blobs and Prevent Shared Key authorization for an Azure Storage account.

Configure Azure Storage firewall

Having restricted access to the Storage account, you need to grant networking access to your Speech resource managed identity. Follow these steps to add access for the Speech resource.

  1. Go to the Azure portal and sign in to your Azure account.

  2. Select the Storage account.

  3. In the Security + networking group in the left pane, select Networking.

  4. In the Firewalls and virtual networks tab, select Enabled from selected virtual networks and IP addresses.

  5. Deselect all check boxes.

  6. Make sure Microsoft network routing is selected.

  7. Under the Resource instances section, select Microsoft.CognitiveServices/accounts as the resource type and select your Speech resource as the instance name.

  8. Select Save.

    Note

    It may take up to 5 minutes for the network changes to propagate.

Configure Storage account security settings for Text to Speech

This section describes how to set up Storage account security settings, if you intend to use BYOS-associated Storage account for Text to speech or a combination of both Speech to text and Text to speech. In case you use the BYOS-associated Storage account for Speech to text only, use this section.

Note

Text to speech requires more relaxed settings of Storage account firewall, compared to Speech to text. If you use both Speech to text and Text to speech, and need maximally restricted Storage account security settings to protect your data, you may consider using different Storage accounts and the corresponding Speech resources for Speech to Text and Text to speech tasks.

If you perform all actions in the section, your Storage account will be in the following configuration:

These are the most restricted security settings possible for Text to speech scenario. You may further customize them according to your needs.

Restrict access to the Storage account

  1. Go to the Azure portal and sign in to your Azure account.
  2. Select the Storage account.
  3. In the Settings group in the left pane, select Configuration.
  4. Select Disabled for Allow Blob public access.
  5. Select Disabled for Allow storage account key access
  6. Select Save.

For more information, see Prevent anonymous public read access to containers and blobs and Prevent Shared Key authorization for an Azure Storage account.

Configure Azure Storage firewall

Custom Neural Voice uses User delegation SAS to read the data for Custom Neural Voice model training. It requires allowing external network traffic access to the Storage account.

  1. Go to the Azure portal and sign in to your Azure account.
  2. Select the Storage account.
  3. In the Security + networking group in the left pane, select Networking.
  4. In the Firewalls and virtual networks tab, select Enabled from all networks.
  5. Select Save.

Configure BYOS-associated Storage account for use with Speech Studio

Many Speech Studio operations like dataset upload, or custom model training and testing don't require any special configuration in the case of BYOS-enabled Speech resource.

However, if you need to read data stored withing BYOS-associated Storage account through Speech Studio Web interface, you need to configure additional settings of your BYOS-associated Storage account. For example, it's required to view the contents of a dataset.

Configure Cross-Origin Resource Sharing (CORS)

Speech Studio needs permission to make requests to the Blob storage of the BYOS-associated Storage account. To grant such permission, you use Cross-Origin Resource Sharing (CORS). Follow these steps.

  1. Go to the Azure portal and sign in to your Azure account.
  2. Select the Storage account.
  3. In the Settings group in the left pane, select Resource sharing (CORS).
  4. Ensure, that Blob storage tab is selected.
  5. Configure the following record:
    • Allowed origins: https://speech.microsoft.com
    • Allowed methods: GET, OPTIONS
    • Allowed headers: *
    • Exposed headers: *
    • Max age: 1000
  6. Select Save.

Warning

Allowed origins field should contain URL without trailing slash. That is it should be https://speech.microsoft.com, and not https://speech.microsoft.com/. Adding trailing slash will result in Speech Studio not showing the details of datasets and model tests.

Configure Azure Storage firewall

You need to allow access for the machine, where you run the browser using Speech Studio. If your Storage account firewall settings allow public access from all networks, you may skip this subsection. Otherwise, follow these steps.

  1. Go to the Azure portal and sign in to your Azure account.
  2. Select the Storage account.
  3. In the Security + networking group in the left pane, select Networking.
  4. In the Firewall section, enter either IP address of the machine where you run the web browser or IP subnet, to which the IP address of the machine belongs.
  5. Select Save.

Next steps