Use Docker containers in disconnected environments

Containers enable you to run Cognitive Services APIs in your own environment, and are great for your specific security and data governance requirements. Disconnected containers enable you to use several of these APIs disconnected from the internet. Currently, the following containers can be run in this manner:

Disconnected container usage is also available for the following Applied AI service:

Before attempting to run a Docker container in an offline environment, make sure you know the steps to successfully download and use the container. For example:

  • Host computer requirements and recommendations.
  • The Docker pull command you'll use to download the container.
  • How to validate that a container is running.
  • How to send queries to the container's endpoint, once it's running.

Request access to use containers in disconnected environments

Fill out and submit the request form to request access to the containers disconnected from the internet.

The form requests information about you, your company, and the user scenario for which you'll use the container. After you submit the form, the Azure Cognitive Services team reviews it and emails you with a decision within 10 business days.

Important

  • On the form, you must use an email address associated with an Azure subscription ID.
  • The Azure resource you use to run the container must have been created with the approved Azure subscription ID.
  • Check your email (both inbox and junk folders) for updates on the status of your application from Microsoft.

After you're approved, you'll be able to run the container after you download it from the Microsoft Container Registry (MCR), described later in the article.

You won't be able to run the container if your Azure subscription hasn't been approved.

Access is limited to customers that meet the following requirements:

  • Your organization must have a Microsoft Enterprise Agreement or an equivalent agreement and should be identified as strategic customer or partner with Microsoft.
  • Disconnected containers are expected to run fully offline, hence your use cases must meet one of below or similar requirements:
    • Environment or device(s) with zero connectivity to internet.
    • Remote location that occasionally has internet access.
    • Organization under strict regulation of not sending any kind of data back to cloud.
  • Application completed as instructed - Please pay close attention to guidance provided throughout the application to ensure you provide all the necessary information required for approval.

Purchase a commitment plan to use containers in disconnected environments

Create a new resource

  1. Sign into the Azure portal and select Create a new resource for one of the applicable Cognitive Services or Applied AI services listed above.

  2. Enter the applicable information to create your resource. Be sure to select Commitment tier disconnected containers as your pricing tier.

    Note

    • You will only see the option to purchase a commitment tier if you have been approved by Microsoft.
    • Pricing details are for example only.

    A screenshot showing resource creation on the Azure portal.

  3. Select Review + Create at the bottom of the page. Review the information, and select Create.

Gather required parameters

There are three primary parameters for all Cognitive Services' containers that are required. The end-user license agreement (EULA) must be present with a value of accept. Additionally, both an endpoint URL and API key are needed when you first run the container, to configure it for disconnected usage.

You can find the key and endpoint on the Key and endpoint page for your resource.

Important

You will only use your key and endpoint to configure the container to be run in a disconnected environment. After you configure the container, you won't need them to send API requests. Store them securely, for example, using Azure Key Vault. Only one key is necessary for this process.

Download a Docker container with docker pull

After you have a license file, download the Docker container you have approval to run in a disconnected environment. For example:

docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/invoice:latest

Configure the container to be run in a disconnected environment

Now that you've downloaded your container, you'll need to run the container with the DownloadLicense=True parameter in your docker run command. This parameter will download a license file that will enable your Docker container to run when it isn't connected to the internet. It also contains an expiration date, after which the license file will be invalid to run the container. You can only use a license file with the appropriate container that you've been approved for. For example, you can't use a license file for a speech-to-text container with a form recognizer container.

Important

  • Translator container only:
    • You must include a parameter to download model files for the languages you want to translate. For example: -e Languages=en,es
    • The container will generate a docker run template that you can use to run the container, containing parameters you will need for the downloaded models and configuration file. Make sure you save this template.

The following example shows the formatting of the docker run command you'll use, with placeholder values. Replace these placeholder values with your own values.

Placeholder Value Format or example
{IMAGE} The container image you want to use. mcr.microsoft.com/azure-cognitive-services/form-recognizer/invoice
{LICENSE_MOUNT} The path where the license will be downloaded, and mounted. /volume/license:/path/to/license/directory
{ENDPOINT_URI} The endpoint for authenticating your service request. You can find it on your resource's Key and endpoint page, on the Azure portal. https://<your-custom-subdomain>.cognitiveservices.azure.com
{API_KEY} The key for your Text Analytics resource. You can find it on your resource's Key and endpoint page, on the Azure portal. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
docker run {IMAGE} --rm -it -p 5000:5000 \ 
-v {LICENSE_MOUNT} \
eula=accept \
billing={ENDPOINT_URI} \
apikey={API_KEY} \
DownloadLicense=True \
Mounts:License={LICENSE_MOUNT} \ 

After you've configured the container, use the next section to run the container in your environment with the license, and appropriate memory and CPU allocations.

Run the container in a disconnected environment

Important

If you're using the Translator, Neural text-to-speech, or Speech-to-text containers, read the Additional parameters section below for information on commands or additional parameters you will need to use.

Once the license file has been downloaded, you can run the container in a disconnected environment. The following example shows the formatting of the docker run command you'll use, with placeholder values. Replace these placeholder values with your own values.

Wherever the container is run, the license file must be mounted to the container and the location of the license folder on the container's local filesystem must be specified with Mounts:License=. An output mount must also be specified so that billing usage records can be written.

Placeholder Value Format or example
{IMAGE} The container image you want to use. mcr.microsoft.com/azure-cognitive-services/form-recognizer/invoice
{MEMORY_SIZE} The appropriate size of memory to allocate for your container. 4g
{NUMBER_CPUS} The appropriate number of CPUs to allocate for your container. 4
{LICENSE_MOUNT} The path where the license will be located and mounted. /volume/license:/path/to/license/directory
{OUTPUT_PATH} The output path for logging usage records. /host/output:/path/to/output/directory
docker run {IMAGE} --rm -it -p 5000:5000 --memory {MEMORY_SIZE} --cpus {NUMBER_CPUS} \ 
-v {LICENSE_MOUNT} \ 
-v {OUTPUT_PATH} \
eula=accept \
Mounts:License={LICENSE_MOUNT}
Mounts:Output={OUTPUT_PATH}

Additional parameters and commands

See the following sections for additional parameters and commands you may need to run the container.

Translator container

If you're using the Translator container, you'll need to add parameters for the downloaded translation models and container configuration. These values are generated and displayed in the container output when you configure the container as described above. For example:

-e MODELS= /path/to/model1/, /path/to/model2/
-e TRANSLATORSYSTEMCONFIG=/path/to/model/config/translatorsystemconfig.json

Speech-to-text and Neural text-to-speech containers

The speech-to-text and neural text-to-speech containers provide a default directory for writing the license file and billing log at runtime. When you're mounting these directories to the container with the docker run -v command, make sure the local machine directory is set ownership to user:group nonroot:nonroot before running the container.

Below is a sample command to set file/directory ownership.

sudo chown -R nonroot:nonroot <YOUR_LOCAL_MACHINE_PATH_1> <YOUR_LOCAL_MACHINE_PATH_2> ...

Usage records

When operating Docker containers in a disconnected environment, the container will write usage records to a volume where they're collected over time. You can also call a REST endpoint to generate a report about service usage.

Arguments for storing logs

When run in a disconnected environment, an output mount must be available to the container to store usage logs. For example, you would include -v /host/output:{OUTPUT_PATH} and Mounts:Output={OUTPUT_PATH} in the example below, replacing {OUTPUT_PATH} with the path where the logs will be stored:

docker run -v /host/output:{OUTPUT_PATH} ... <image> ... Mounts:Output={OUTPUT_PATH}

Get records using the container endpoints

The container provides two endpoints for returning records about its usage.

Get all records

The following endpoint will provide a report summarizing all of the usage collected in the mounted billing record directory.

https://<service>/records/usage-logs/

It will return JSON similar to the example below.

{
  "apiType": "noop",
  "serviceName": "noop",
  "meters": [
    {
      "name": "Sample.Meter",
      "quantity": 253
    }
  ]
}

Get records for a specific month

The following endpoint will provide a report summarizing usage over a specific month and year.

https://<service>/records/usage-logs/{MONTH}/{YEAR}

it will return a JSON response similar to the example below:

{
  "apiType": "string",
  "serviceName": "string",
  "meters": [
    {
      "name": "string",
      "quantity": 253
    }
  ]
}

Purchase a different commitment plan for disconnected containers

Commitment plans for disconnected containers have a calendar year commitment period. When you purchase a plan, you'll be charged the full price immediately. During the commitment period, you can't change your commitment plan, however you can purchase additional unit(s) at a pro-rated price for the remaining days in the year. You have until midnight (UTC) on the last day of your commitment, to end a commitment plan.

You can choose a different commitment plan in the Commitment Tier pricing settings of your resource.

End a commitment plan

If you decide that you don't want to continue purchasing a commitment plan, you can set your resource's auto-renewal to Do not auto-renew. Your commitment plan will expire on the displayed commitment end date. After this date, you won't be charged for the commitment plan. You'll be able to continue using the Azure resource to make API calls, charged at pay-as-you-go pricing. You have until midnight (UTC) on the last day of the year to end a commitment plan for disconnected containers, and not be charged for the following year.

Troubleshooting

If you run the container with an output mount and logging enabled, the container generates log files that are helpful to troubleshoot issues that happen while starting or running the container.

Tip

For more troubleshooting information and guidance, see Disconnected containers Frequently asked questions (FAQ).

Next steps

Azure Cognitive Services containers overview