Azure Kubernetes token based authentication to ML webservice - azure

I'm able to deploy ML model into Azure Kubernetes Services using AML services. I have enabled token authentication while deploying model into AKS.
As mentioned in the document "https://learn.microsoft.com/en-us/azure/machine-learning/service/concept-enterprise-security" 2 ways authentication(Key and token) is possible to consume ML model webservice, deployed in Azure Kubernetes services. To consume the webservice. we have to provide the token along with the service request. But I couldn’t find any document how to generate/get token from Kubernetes services. How to get the new token every time whenever call is made from client application to the model running in the Azure Kubernetes services. It would be great help if you could able to provide more information on this.

Once you have enabled token authentication, you fetch the token by fetching the service and invoking get_token() method on it. An example of this is available at: https://learn.microsoft.com/en-us/azure/machine-learning/service/concept-enterprise-security#authentication-with-tokens.
token, refresh_by = service.get_token()
print(token)

Related

Can I call the Graph API within Azure functions?

I am new to azure functions.
I created a ReactApp and used the graph API to get information about users registered in Azure ADB2C.
At this time, a client credential flow was used, but user information could not be obtained due to a CORS error.
Previous Idea(CORS error): ReactApp↔graphAPI↔Azure ADB2C
So I thought of using Azure functions.
First, ReactApp calls azure functions as an API.
Next, call the graphAPI in the azure functions.
At this point, we want to use the client credential flow.
Then, the user data of Azure ADB2C can be obtained because the graphAPI was used.
This user data is returned to Azure functions so that it can be used in ReactApp.
My Idea: ReactApp↔Azure functions ↔ graph API ↔ Azure ADB2C
Is this feasible?
If it is possible and you have a sample, please let me know.
Thanks for reading.
• Yes, you can surely do the same as per what you have stated in your post. You can surely deploy a react app in Azure functions and trigger a graph API query from the function to an Azure AD B2C tenant. To do so, you will have to first deploy an Azure Static Web app in Azure, then build and deploy it through a workflow in Github by creating a repository there, then create an Azure function API for the react app deployed. This Azure function service provides serverless APIs which allows you to focus on your TypeScript code and not have to configure a full back-end web server.
• Once done, then connect the react client app to Azure function API. The Azure static web app resource deployed earlier provides a proxy between the react client and the Azure function API. Hence, while deploying the above, I would suggest you to please follow the below Microsoft documentation link and its subsequent article series for the said above resources.
https://learn.microsoft.com/en-us/azure/developer/javascript/how-to/with-web-app/static-web-app-with-swa-cli/introduction
Please follow the series of documentation articles stated above till the end of connecting the react client to Azure function API. Once done, then register an application in Azure AD B2C for authentication purposes and copy the application’s required credentials like the client ID, tenant ID, tenant name and client secret for inserting these details in the HTTP trigger function API created earlier. Also, give the registered application in Azure AD B2C the required application permissions of ‘User.ReadWrite.All’ for the Microsoft Graph API. Ensure that you are adding the ‘Microsoft.Identity.Client’, ‘Microsoft.Graph.Auth’ and ‘Microsoft.Graph.Beta’ nuget packages to your Azure function solution created earlier. Then modify the constant parameters and variables in the Azure solution code file as in the below snapshot: -
• Once the above has been done successfully, you can then test the deployed solution through ‘Postman’ application API as well as by redirecting to the react app page there by triggering a HTTP response in the function API which will ensure that you read the logged in Azure AD B2C user in the react app. For detailed information on the above-mentioned configuration, I would suggest you to please go through the video link below as it perfectly describes your condition in detail: -
https://www.youtube.com/watch?v=4uJHSwA-TZE

API Key for Azure Machine Learning Endpoint

I am using Azure ML, I made my models and now I want to connect them to Data Factory to run some process.
I implement an endpoint, but I can't find the API key for the endpoints. Right now, I have the REST endpoint, but not in key-based authentication enabled, it's false. Do you know how to generate the API key?
Currently the only way to retrieve the token is by using the Azure Machine Learning SDK or the Azure CLI machine learning extension.
Key-based auth is supported for Azure Container Instance and Azure Kubernetes Service deployed web-services, and token-based auth is only available for Azure Kubernetes Service deployments.
You can find more information here

Securing and configuring Azure Service Bus for public facing webapp (using B2C) to call downstream APIs and services using AAD

Follow up to other question posted here:
Azure microservices: authenticating downstream APIs from B2C to Azure AD, how to configure AD?
All our apps and microservices are hosted in a AKS cluster.
Want to have a single webapp decoupled from other services: using a message broker seems a good approach.
How should a public-facing portal be setup to be able to push data down into a queue or endpoint
How can calls to specific API endpoints and microservices to and from the webapp be secured from the public FE?
How would this be configured in terms of authentication, app reg etc.?
Lets answer your questions one after another which you have.
The first question
How should a public-facing portal be setup to be able to push data down into a queue or endpoint ?
For this first we need to use a Web API to push data to Azure Service Bus Queue. You can create a new ASP.NET Core Web API project and install Azure Service Bus NuGet package. Check this document for the way to do it.
Then we can use Service Bus Queue trigger Azure function to read the message from the queue and the process it or store it depending on the requirement. Check Azure Service Bus trigger for Azure Functions for more information.
The second question
How can calls to specific API endpoints and microservices to and from the webapp be secured from the public FE ?
We can achieve this requirement by securing the front end using Application Gateway. We need to configure Application Gateway in front of the Web API.
Check this Configure App Service with Application Gateway document from Microsoft for more information.
Lastly, the third question
How would this be configured in terms of authentication, app reg etc.?
In this case we can use Azure Managed Identity. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.
So, we can use Azure Managed Identities with the Azure Resources like AKS. Check this Use managed identities in Azure Kubernetes Service for more information.

How to pass access token acquired by b2c authentication to Azure API Management Service from Angular/MVC application to Micro services

I have created two different micro services.
I have created API application in B2C tenant and I am able to access both micro service APIs from client (MVC/Angular) application using token acquired by B2C authentication.
Now, I would like to access these two micro services from my client application via azure API management service.
I tried to follow below article but it seems out dated.
https://winterdom.com/2017/11/17/aad-b2c-api-management
Can some one please provide an article link or sample to match my requirement.
You can refer to https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad. This also applies to Azure AD B2C.

How to get the usage metrics data for the Web Application Service?

I am trying to execute the REST API to get the usage metrics data from Web Application deployed on Azure.
Hi,
I am trying to execute the REST API to get the usage metrics data from Web Application deployed on Azure.
https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//metrics?$filter=startTime%20eq%202016-04-12T06:05:42.907Z%20and%20endTime%20eq%202016-04-12T06:10:42.907Z&api-version=2014-04-01
But I am getting constantly 500 Internal Server Error.
Also, I tried to find out the given URL in Resource Explorer under the Mincrosoft.Web But in that I can see the metricsDefinitions but metrics is not available for this.
Can someone please let me know what how can I get the usage metrics data for the Web Application Services?
You can retrieve resource metrics via the Azure Insights API.By using the Azure Insights API it is possible to programmatically retrieve the available default metric definitions (the type of metric such as CPU Time, Requests, etc.), granularity, and metric values.
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/{resource-provider-namespace}/{resource-type}/{resource-name}/metrics?api-version=2014-04-01&$filter={filter}
It seems the REST API URI you are using is right, but before that the first step is to authenticate the Azure Insights API request. The easiest way to set up authentication is by creating an Azure AD service principal and retrieve the authentication token.
A very detailed walkthrough at https://blogs.msdn.microsoft.com/cloud_solution_architect/2016/02/23/retrieving-resource-metrics-via-the-azure-insights-api/.

Resources