Use SSL to secure web services with Azure Machine Learning service
In this article, you will learn how to secure a web service deployed with the Azure Machine Learning service. You can restrict access to web services and secure the data submitted by clients using Hypertext Transfer Protocol Secure (HTTPS).
HTTPS is used to secure communications between a client and your web service by encrypting communications between the two. Encryption is handled using Transport Layer Security (TLS). Sometimes TLS is still referred to as Secure Sockets Layer (SSL), which was the predecessor to TLS.
The Azure Machine Learning SDK uses the term 'SSL' for properties related to enabling secure communications. This does not mean that TLS is not used by your web service, just that SSL is the more recognizable term for many readers.
TLS and SSL both rely on digital certificates, which are used to perform encryption and identity verification. For more information on how digital certificates work, see the Wikipedia entry on public key infrastructure (PKI).
If you do not enable and use HTTPS for your web service, data sent to and from the service may be visible to others on the internet.
HTTPS also enables the client to verify the authenticity of the server that it is connecting to. This protects clients against man-in-the-middle attacks.
The general process of securing a new web service or an existing one is as follows:
Get a domain name.
Get a digital certificate.
Deploy or update the web service with the SSL setting enabled.
Update your DNS to point to the web service.
If you are deploying to Azure Kubernetes Service (AKS), you can provide your own certificate or use a certificate provided by Microsoft. If you use the Microsoft provided certificate, you do not need to get a domain name or SSL certificate. For more information, see the Enable SSL and deploy section.
There are slight differences when securing web services across the deployment targets.
Get a domain name
If you do not already own a domain name, you can purchase one from a domain name registrar. The process differs between registrars, as does the cost. The registrar also provides you with tools for managing the domain name. These tools are used to map a fully qualified domain name (such as www.contoso.com) to the IP address hosting your web service.
Get an SSL certificate
There are many ways to get an SSL certificate (digital certificate). The most common is to purchase one from a Certificate Authority (CA). Regardless of where you obtain the certificate, you need the following files:
- A certificate. The certificate must contain the full certificate chain, and must be PEM-encoded.
- A key. The key must be PEM-encoded.
When requesting a certificate, you must provide the fully qualified domain name (FQDN) of the address you plan to use for the web service. For example, www.contoso.com. The address stamped into the certificate and the address used by the clients are compared when validating the identity of the web service. If the addresses do not match, the clients will receive an error.
If the Certificate Authority cannot provide the certificate and key as PEM-encoded files, you can use a utility such as OpenSSL to change the format.
Self-signed certificates should be used only for development. They should not be used in production. Self-signed certificates can cause problems in your client applications. For more information, see the documentation for the network libraries used in your client application.
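As an added example (not from this article or the Azure ML SDK), here is a standard-library Python check of the two files listed above before they are handed to a deployment configuration: the certificate file must contain PEM-encoded certificates forming the full chain, and the key file must be a PEM-encoded key. It checks PEM framing and chain length only, not X.509 validity; the sample PEM blocks are constructed for the demo and are not real certificates or keys.

```python
import base64
import binascii
import re

# One PEM block: "-----BEGIN <label>-----", a base64 body, "-----END <label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, der_bytes) for each PEM block whose base64 body decodes cleanly."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
        except (binascii.Error, ValueError):
            pass  # malformed body: not a usable PEM block
    return blocks


def check_ssl_files(cert_pem, key_pem):
    """Check the two inputs enable_ssl()/deploy_configuration() expect: a PEM file
    carrying the full certificate chain and a PEM private key.
    Returns a list of problems; an empty list means the files are usable.
    Only PEM framing and chain length are checked, not X.509 validity."""
    problems = []
    certs = [der for label, der in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    if not certs:
        problems.append("certificate file has no PEM CERTIFICATE block; convert it with OpenSSL")
    elif len(certs) < 2:
        problems.append("certificate file holds one certificate only; include the full chain")
    if not any(label in KEY_LABELS for label, _ in pem_blocks(key_pem)):
        problems.append("key file has no PEM private key block")
    return problems


def fake_pem(label, payload):
    """Constructed PEM block for the demo; the payload is NOT a real certificate or key."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample inputs (not real certificates or keys).
CHAIN_PEM = fake_pem("CERTIFICATE", b"leaf cert") + fake_pem("CERTIFICATE", b"intermediate")
LEAF_ONLY_PEM = fake_pem("CERTIFICATE", b"leaf cert")
KEY_PEM = fake_pem("RSA PRIVATE KEY", b"private key")

if __name__ == "__main__":
    for name, cert in (("chain", CHAIN_PEM), ("leaf-only", LEAF_ONLY_PEM), ("der-like", "\x30\x82")):
        print(name, check_ssl_files(cert, KEY_PEM) or "ok")
```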
Enable SSL and deploy
To deploy (or redeploy) the service with SSL enabled, set the ssl_enabled parameter to True, wherever applicable. Set the ssl_certificate parameter to the value of the certificate file and the ssl_key to the value of the key file.
Deploy on Azure Kubernetes Service (AKS) and FPGA
The information in this section also applies when deploying a secure web service for the visual interface. If you are not familiar with using the Python SDK, see the Azure Machine Learning Python SDK Overview.
When deploying to AKS, you can either create a new AKS cluster or attach an existing one. Creating a new cluster uses AksCompute.provisioning_configuration(), while attaching an existing cluster uses AksCompute.attach_configuration(). Both return a configuration object that has an enable_ssl method. The enable_ssl method can either use a certificate provided by Microsoft, or one that you supply.
When using a certificate provided by Microsoft, you must use the leaf_domain_label parameter. Using this parameter will create the service using a certificate provided by Microsoft. The leaf_domain_label is used to generate the DNS name for the service. For example, a value of myservice creates a domain name of the form myservice…<azureregion>…, where <azureregion> is the region that contains the service. Optionally, you can use the overwrite_existing_domain parameter to overwrite the existing leaf domain label.
To deploy (or re-deploy) the service with SSL enabled, set the ssl_enabled parameter to True, wherever applicable. Set the ssl_certificate parameter to the value of the certificate file and the ssl_key to the value of the key file.
When using a certificate provided by Microsoft, you do not need to purchase your own certificate or domain name.
The following example demonstrates how to create configurations that enable an SSL certificate created by Microsoft:
from azureml.core.compute import AksCompute

# Config used to create a new AKS cluster and enable SSL with a Microsoft-provided certificate
provisioning_config = AksCompute.provisioning_configuration()
provisioning_config.enable_ssl(leaf_domain_label="myservice")

# Config used to attach an existing AKS cluster to your workspace and enable SSL
resource_group = "<resource-group-name>"  # placeholder: the resource group of the cluster
cluster_name = "<aks-cluster-name>"       # placeholder: the name of the existing AKS cluster
attach_config = AksCompute.attach_configuration(resource_group=resource_group, cluster_name=cluster_name)
attach_config.enable_ssl(leaf_domain_label="myservice")
When using a certificate you purchased, use the ssl_cert_pem_file, ssl_key_pem_file, and ssl_cname parameters. The following example demonstrates how to create configurations that use an SSL certificate you provide using these parameters:
from azureml.core.compute import AksCompute

# Config used to create a new AKS cluster and enable SSL with your own certificate
provisioning_config = AksCompute.provisioning_configuration()
provisioning_config.enable_ssl(ssl_cert_pem_file="cert.pem",
                               ssl_key_pem_file="key.pem",
                               ssl_cname="www.contoso.com")

# Config used to attach an existing AKS cluster to your workspace and enable SSL
resource_group = "<resource-group-name>"  # placeholder: the resource group of the cluster
cluster_name = "<aks-cluster-name>"       # placeholder: the name of the existing AKS cluster
attach_config = AksCompute.attach_configuration(resource_group=resource_group, cluster_name=cluster_name)
attach_config.enable_ssl(ssl_cert_pem_file="cert.pem",
                         ssl_key_pem_file="key.pem",
                         ssl_cname="www.contoso.com")
Deploy on Azure Container Instances (ACI)
While deploying to ACI, provide values for SSL-related parameters as shown in the code snippet:
from azureml.core.webservice import AciWebservice

# ACI deployment configuration with SSL enabled using your own certificate and key
aci_config = AciWebservice.deploy_configuration(ssl_enabled=True,
                                                ssl_cert_pem_file="cert.pem",
                                                ssl_key_pem_file="key.pem",
                                                ssl_cname="www.contoso.com")
For more information, see AciWebservice.deploy_configuration().
Update your DNS
Next, you must update your DNS to point to the web service.
Use the tools provided by your domain name registrar to update the DNS record for your domain name. The record must point to the IP address of the service.
Depending on the registrar, and the time to live (TTL) configured for the domain name, it can take several minutes to several hours before clients can resolve the domain name.
If you used the leaf_domain_label to create the service with a certificate provided by Microsoft, do not manually update the DNS value for the cluster. The value should be set automatically.
Update the DNS under the "Configuration" tab of the "Public IP Address" of the AKS cluster as shown in the image. You can find the Public IP Address as one of the resource types created under the resource group that contains the AKS agent nodes and other networking resources.