
Added a new section to the deployments docs #1462

Open
wants to merge 2 commits into base: main

Conversation

itye-msft
Member

And best practices to de-anonymize data when using OpenAI

Created a new README
And a few subfolders with code samples of how to implement the solution.

@itye-msft itye-msft requested a review from omri374 October 6, 2024 12:24
@github-advanced-security github-advanced-security bot left a comment

checkov found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@@ -0,0 +1,57 @@
targetScope = 'resourceGroup'
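Review bot: this hunk (`@@ -0,0 +1,57 @@`, opening with `targetScope = 'resourceGroup'`) is a new 57-line resource-group template, and the two firewall findings reported against it below both point at the cache's network exposure: either no firewall rules with public access still enabled, or rules that are broader than the samples need. Rather than adding wide `Microsoft.Cache/redis/firewallRules` ranges to a documentation sample, set `publicNetworkAccess: 'Disabled'` on the cache and front it with a private endpoint; if firewall rules are kept, scope each one to a single known source range.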

Check failure (Code scanning / templateanalyzer): Cleanup Redis cache firewall rules.

When using Azure Cache for Redis injected into a VNET, you are able to create firewall rules to limit access to the cache. Each firewall rule specifies a range of IP addresses that are allowed to access the cache.
If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.
Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are not needed, too broad, or too many.
@@ -0,0 +1,57 @@
targetScope = 'resourceGroup'
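Review bot: this hunk repeats the same header and first line as the one above (`@@ -0,0 +1,57 @@`, `targetScope = 'resourceGroup'`), so it appears to be the same new file with a second finding attached; the "limit number of IP addresses" and "cleanup firewall rules" findings share one root cause and one fix, so address them together in a single change rather than treating this as a separate defect.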

Check failure (Code scanning / templateanalyzer): Limit Redis cache number of IP addresses.

When using Azure Cache for Redis injected into a VNET, you are able to create firewall rules to limit access to the cache. Each firewall rule specifies a range of IP addresses that are allowed to access the cache.
If no firewall rules are set and public access is not disabled, then all IP addresses are allowed to access the cache. By default, the cache is configured to allow access from all IP addresses.
Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid using overly permissive firewall rules that are not needed, too broad, or too many.
identity: {
type: 'SystemAssigned'
}
properties: {
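Review bot: as the finding below indicates, the `properties: {` block opening here on the AKS cluster does not define an `apiServerAccessProfile`; add `apiServerAccessProfile: { authorizedIPRanges: [ ... ] }` listing only the ranges that need to reach the API server, or `enablePrivateCluster: true` if the sample can use a private API server. The `identity: { type: 'SystemAssigned' }` above is fine as is.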

Check failure (Code scanning / templateanalyzer): Authorized IP ranges should be defined on Kubernetes Services.

To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.
identity: {
type: 'SystemAssigned'
}
properties: {
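Review bot: add `enableRBAC: true` to this `properties: {` block. The finding below notes that RBAC can only be enabled at cluster creation, so a sample template that omits it leaves readers with a cluster they would have to recreate to fix.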

Check failure (Code scanning / templateanalyzer): RBAC should be used on Kubernetes Services.

To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service clusters and configure relevant authorization policies. To use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process.
identity: {
type: 'SystemAssigned'
}
properties: {
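Review bot: set `kubernetesVersion` in this `properties: {` block to a currently supported AKS release and add a comment in the template that it needs to be bumped over time; the CVE-2019-9946 reference in the finding below is the scanner's example of an old patched issue, so the action is choosing a supported version, not that specific patch.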

Check failure (Code scanning / templateanalyzer): Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version.

Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. Running on older versions could mean you are not using the latest security classes. Usage of such old classes and types can make your application vulnerable.
identity: {
type: 'SystemAssigned'
}
properties: {
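Review bot: the Defender finding below is cleared by adding `securityProfile: { defender: { securityMonitoring: { enabled: true }, logAnalyticsWorkspaceResourceId: <workspace id> } }` to this `properties: {` block; since this is a documentation sample, expose the workspace resource ID as a parameter rather than hard-coding one.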

Check failure (Code scanning / templateanalyzer): Enable Defender profile.

To collect and provide data plane protections of Microsoft Defender for Containers, some additional daemon sets and deployments need to be deployed to the AKS clusters.
These components are installed when the Defender profile is enabled on the cluster.
The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.
resource redisCache 'Microsoft.Cache/Redis@2023-08-01' = {
name: redisCacheName
location: location
properties: {
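Review bot: `properties: {` on this `Microsoft.Cache/Redis@2023-08-01` resource should set `minimumTlsVersion: '1.2'`; as the finding below states, without it the cache still accepts TLS 1.0 and 1.1. Also keep `enableNonSslPort` at its default of false (or set it explicitly) so the plaintext port is never opened.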

Check failure (Code scanning / templateanalyzer): Redis Cache minimum TLS version.

The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.
resource redisCache 'Microsoft.Cache/Redis@2023-08-01' = {
name: redisCacheName
location: location
properties: {
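Review bot: add `publicNetworkAccess: 'Disabled'` to this `properties: {` block and declare a `Microsoft.Network/privateEndpoints` resource whose `privateLinkServiceConnections` entry references `redisCache.id` with the `redisCache` group ID, plus a `privatelink.redis.cache.windows.net` private DNS zone link so the sample's clients resolve the private address; that is the private-endpoint setup the finding below recommends.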

Check failure (Code scanning / templateanalyzer): Use private endpoints with Azure Cache for Redis.

When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet. By default, the cache is configured to be accessible from the public Internet.
To limit network access to the cache you can use firewall rules or private endpoints. Using private endpoints with Azure Cache for Redis is the recommended approach for most scenarios.
Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.
A private endpoint provides secure and private connectivity to Redis instances by using a private IP address from your VNET and blocking all traffic from public networks. If you are using VNET injection, it is recommended to migrate to private endpoints.
resource redisCache 'Microsoft.Cache/Redis@2023-08-01' = {
name: redisCacheName
location: location
properties: {
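Review bot: this `resource redisCache 'Microsoft.Cache/Redis@2023-08-01'` declaration appears a second time, with the same TLS and private-endpoint findings as the first copy; if the two sample subfolders each define their own cache, factor it into one shared Bicep module (with `minimumTlsVersion: '1.2'` and `publicNetworkAccess: 'Disabled'`) so the hardening is applied once and cannot drift between samples.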

Check failure (Code scanning / templateanalyzer): Redis Cache minimum TLS version.

The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.
resource redisCache 'Microsoft.Cache/Redis@2023-08-01' = {
name: redisCacheName
location: location
properties: {

Check failure (Code scanning / templateanalyzer): Use private endpoints with Azure Cache for Redis.

When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet. By default, the cache is configured to be accessible from the public Internet.
To limit network access to the cache you can use firewall rules or private endpoints. Using private endpoints with Azure Cache for Redis is the recommended approach for most scenarios.
Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.
A private endpoint provides secure and private connectivity to Redis instances by using a private IP address from your VNET and blocking all traffic from public networks. If you are using VNET injection, it is recommended to migrate to private endpoints.
@SharonHart
Contributor

/azp run


Azure Pipelines successfully started running 1 pipeline(s).
