Container support in Azure Cognitive Services
Container support in Azure Cognitive Services allows developers to use the same rich APIs that are available in Azure, and enables flexibility in where to deploy and host the services that come with Docker containers. Container support is currently available for a subset of Azure Cognitive Services, including parts of:
Containerization is an approach to software distribution in which an application or service, including its dependencies & configuration, is packaged together as a container image. With little or no modification, a container image can be deployed on a container host. Containers are isolated from each other and the underlying operating system, with a smaller footprint than a virtual machine. Containers can be instantiated from container images for short-term tasks, and removed when no longer needed.
Features and benefits
- Immutable infrastructure: Enable DevOps teams' to leverage a consistent and reliable set of known system parameters, while being able to adapt to change. Containers provide the flexibility to pivot within a predictable ecosystem and avoid configuration drift.
- Control over data: Allow customers to choose where these Cognitive Services process their data. This is essential for customers that cannot send data to the cloud but need access to Cognitive Services technology. Support consistency in hybrid environments – across data, management, identity, and security.
- Control over model updates: Provide customers flexibility in versioning and updating of models deployed in their solutions.
- Portable architecture: Enable the creation of a portable application architecture that can be deployed on Azure, on-premises and the edge. Containers can be deployed directly to Azure Kubernetes Service, Azure Container Instances, or to a Kubernetes cluster deployed to Azure Stack. For more information, see Deploy Kubernetes to Azure Stack.
- High throughput / low latency: Provide customers the ability to scale for high throughput and low latency requirements by enabling Cognitive Services to run physically close to their application logic and data. Containers do not cap transactions per second (TPS) and can be made to scale both up and out to handle demand if you provide the necessary hardware resources.
- Scalability: With the ever growing popularity of containerization and container orchestration software, such as Kubernetes; scalability is at the forefront of technological advancements. Building on a scalable cluster foundation, application development caters to high availability.
Containers in Azure Cognitive Services
Azure Cognitive Services containers provide the following set of Docker containers, each of which contains a subset of functionality from services in Azure Cognitive Services:
|Service||Supported Pricing Tier||Container||Description|
|Anomaly detector||F0, S0||Anomaly-Detector||The Anomaly Detector API enables you to monitor and detect abnormalities in your time series data with machine learning.
|Computer Vision||F0, S1||Read||Extracts printed text from images of various objects with different surfaces and backgrounds, such as receipts, posters, and business cards. The Read container also detects handwritten text in images and provides PDF/TIFF/multi-page support.
Important: The Read container currently works only with English.
|Face||F0, S0||Face||Detects human faces in images, and identifies attributes, including face landmarks (such as noses and eyes), gender, age, and other machine-predicted facial features. In addition to detection, Face can check if two faces in the same image or different images are the same by using a confidence score, or compare faces against a database to see if a similar-looking or identical face already exists. It can also organize similar faces into groups, using shared visual traits.
|Form recognizer||F0, S0||Form Recognizer||Form Understanding applies machine learning technology to identify and extract key-value pairs and tables from forms.
|LUIS||F0, S0||LUIS (image)||Loads a trained or published Language Understanding model, also known as a LUIS app, into a docker container and provides access to the query predictions from the container's API endpoints. You can collect query logs from the container and upload these back to the LUIS portal to improve the app's prediction accuracy.|
|Speech Service API||F0, S0||Speech-to-text||Transcribes continuous real-time speech into text.|
|Speech Service API||F0, S0||Custom Speech-to-text||Transcribes continuous real-time speech into text using a custom model.|
|Speech Service API||F0, S0||Text-to-speech||Converts text to natural-sounding speech.|
|Speech Service API||F0, S0||Custom Text-to-speech||Converts text to natural-sounding speech using a custom model.|
|Text Analytics||F0, S||Key Phrase Extraction (image)||Extracts key phrases to identify the main points. For example, for the input text "The food was delicious and there were wonderful staff", the API returns the main talking points: "food" and "wonderful staff".|
|Text Analytics||F0, S||Language Detection (image)||For up to 120 languages, detects which language the input text is written in and report a single language code for every document submitted on the request. The language code is paired with a score indicating the strength of the score.|
|Text Analytics||F0, S||Sentiment Analysis (image)||Analyzes raw text for clues about positive or negative sentiment. This API returns a sentiment score between 0 and 1 for each document, where 1 is the most positive. The analysis models are pre-trained using an extensive body of text and natural language technologies from Microsoft. For selected languages, the API can analyze and score any raw text that you provide, directly returning results to the calling application.|
In addition, some containers are supported in Cognitive Services All-In-One offering resource keys. You can create one single Cognitive Services All-In-One resource and use the same billing key across supported services for the following services:
- Computer Vision
- Text Analytics
Container availability in Azure Cognitive Services
Azure Cognitive Services containers are publicly available through your Azure subscription, and Docker container images can be pulled from either the Microsoft Container Registry or Docker Hub. You can use the docker pull command to download a container image from the appropriate registry.
Currently, you must complete a sign-up process to access the following containers, in which you fill out and submit a questionnaire with questions about you, your company, and the use case for which you want to implement the containers. Once you're granted access and provided credentials, you can then pull the container images from a private container registry hosted by Azure Container Registry.
Container repositories and images
The tables below are a listing of the available container images offered by Azure Cognitive Services. For a complete list of all the available container image names and their available tags, see Cognitive Services container image tags. Currently, there are no Cognitive Services containers that are generally available (GA). For the time being, until further announcements are made -- containers are available as either Public Ungated or Public Gated Preview.
- Public Ungated: containers are available publicly without a gating mechanism.
- Public Gated Preview: containers are available publicly, but first require formal request to access the container registry.
Public "Ungated" (container registry:
The Microsoft Container Registry (MCR) syndicates all of the publicly available "ungated" containers for Cognitive Services. The containers are also available directly from the Docker hub.
|Service||Container||Container Registry / Repository / Image Name|
|Text Analytics||Key Phrase Extraction||
|Text Analytics||Language Detection||
|Text Analytics||Sentiment Analysis||
Public "Gated" Preview (container registry:
The Container Preview registry hosts all of the publicly available "gated" containers for Cognitive Services. These containers require a formal request for access them via their container registry.
|Service||Container||Container Registry / Repository / Image Name|
|Anomaly detector||Anomaly Detector||
|Form recognizer||Form Recognizer||
|Speech Service API||Speech-to-text||
|Speech Service API||Custom Speech-to-text||
|Speech Service API||Text-to-speech||
|Speech Service API||Custom Text-to-speech||
You must satisfy the following prerequisites before using Azure Cognitive Services containers:
Docker Engine: You must have Docker Engine installed locally. Docker provides packages that configure the Docker environment on macOS, Linux, and Windows. On Windows, Docker must be configured to support Linux containers. Docker containers can also be deployed directly to Azure Kubernetes Service or Azure Container Instances.
Docker must be configured to allow the containers to connect with and send billing data to Azure.
Familiarity with Microsoft Container Registry and Docker: You should have a basic understanding of both Microsoft Container Registry and Docker concepts, like registries, repositories, containers, and container images, as well as knowledge of basic
For a primer on Docker and container basics, see the Docker overview.
Individual containers can have their own requirements, as well, including server and memory allocation requirements.
Azure Cognitive Services container security
Security should be a primary focus whenever you're developing applications. The importance of security is a metric for success. When you're architecting a software solution that includes Cognitive Services containers, it's vital to understand the limitations and capabilities available to you. For more information about network security, see Configure Azure Cognitive Services virtual networks.
By default there is no security on the Cognitive Services container API. The reason for this is that most often the container will run as part of a pod which is protected from the outside by a network bridge. However, it is possible to enable authentication which works identically to the authentication used when accessing the cloud-based Cognitive Services.
The diagram below illustrates the default and non-secure approach:
As an alternative and secure approach, consumers of Cognitive Services containers could augment a container with a front-facing component, keeping the container endpoint private. Let's consider a scenario where we use Istio as an ingress gateway. Istio supports HTTPS/TLS and client-certificate authentication. In this scenario, the Istio frontend exposes the container access, presenting the client certificate that is whitelisted beforehand with Istio.
Nginx is another popular choice in the same category. Both Istio and Nginx act as a service mesh and offer additional features including things like load-balancing, routing, and rate-control.
The Cognitive Services containers are required to submit metering information for billing purposes. The only exception, is Offline containers as they follow a different billing methodology. Failure to allow list various network channels that the Cognitive Services containers rely on will prevent the container from working.
Allow list Cognitive Services domains and ports
The host should allow list port 443 and the following domains:
Disable deep packet inspection
Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and usually takes action by blocking, re-routing, or logging it accordingly.
Disable DPI on the secure channels that the Cognitive Services containers create to Microsoft servers. Failure to do so will prevent the container from functioning correctly.
Developer samples are available at our GitHub repository.
Join the webinar to learn about:
- How to deploy Cognitive Services to any machine using Docker
- How to deploy Cognitive Services to AKS
Learn about container recipes you can use with the Cognitive Services.
Install and explore the functionality provided by containers in Azure Cognitive Services: