Aoai update10 (#525)
* updating PE for AI Search info

* update
krnese authored Feb 2, 2024
1 parent bd68db2 commit 98e924f
Showing 2 changed files with 44 additions and 19 deletions.
27 changes: 21 additions & 6 deletions fsi/docs/fsiAOAI.md
@@ -1,4 +1,4 @@
# Secure and Compliant Generative Azure Open AI - User Guide
# Secure and Compliant Generative AI on Azure - User Guide

![Benefits](./ai-overview.png)
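
Review bot: The title on the first line is renamed to "Secure and Compliant Generative AI on Azure", but the old name survives in body text this commit leaves alone, for example "The Secure and Compliant Generative Azure Open AI includes the following Azure s…" and the sentence under "Alignment with FSI Landing Zones". Finish the rename in the same commit, or state once near the top that both names refer to the same reference implementation, so readers searching for either name find consistent text.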

Expand All @@ -7,8 +7,9 @@ The reference implementation has been developed, validated, and proven with seve

## Table of Contents

- [What is Secure and Compliant Generative Azure Open AI?](#what-is-secure-and-compliant-generative-azure-open-ai)
- [What is Secure and Compliant Generative AI on Azure?](#what-is-secure-and-compliant-generative-ai-on-azure)
- [Alignment with FSI Landing Zones](#alignment-with-fsi-landing-zones)
- [Deploy for PoC and testing purposes](#deploy-for-poc-and-testing-purposes)
- [Architecture and scale-out considerations](#architecture-and-scale-out-considerations)
- [Deployment instructions](#deployment-instructions)
- [Pre-requisites](#pre-requisites)
Expand All @@ -18,9 +19,9 @@ The reference implementation has been developed, validated, and proven with seve

| Reference Implementation | Description | Deploy | Documentation
|:----------------------|:------------|--------|--------------|
| Secure and Compliant Generative Azure Open AI | Secure and Compliant Generative Azure Open AI, aligned with the prescriptive guidance for FSI Landing Zones, ensuring a secure and compliant Azure Open AI workload composition into the landing zones |[![Deploy To Microsoft Cloud](../../docs/deploytomicrosoftcloud.svg)](https://aka.ms/fsiazureai) | [User Guide](./fsiAOAI.md)
| Secure and Compliant Generative AI on Azure | Secure and Compliant Generative AI, aligned with the prescriptive guidance for FSI Landing Zones, ensuring a secure and compliant Azure Open AI workload composition into the landing zones |[![Deploy To Microsoft Cloud](../../docs/deploytomicrosoftcloud.svg)](https://aka.ms/fsiazureai) | [User Guide](./fsiAOAI.md)

## What is Secure and Compliant Generative Azure Open AI?
## What is Secure and Compliant Generative AI on Azure?

Azure Open AI provides powerful, generative AI capabilities that organizations can access securely over a private network, use their own customer-managed keys to encrypt the data, and enable sophisitcated monitoring and observability of their AI workloads, while managing authentication and authorization centrally. This reference implementation provides a secure and compliant deployment of Azure Open AI, and the recommended configuration is aligned with the recommended Azure policies provided by FSI Landing Zones for the Azure services in this workload composition.
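
Review bot: In the table row, the Description cell now starts "Secure and Compliant Generative AI, aligned with…" and drops the "on Azure" used in the name cell and in the heading; use the full name in both places. The unchanged paragraph under the renamed heading still has "sophisitcated", which is worth correcting while this section is being edited. The table header row also lacks the trailing `|` that the separator row has.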

Expand All @@ -30,17 +31,27 @@ The Secure and Compliant Generative Azure Open AI includes the following Azure s

* Cognitive Services
* Azure Open AI
* Private Link
* Private Endpoint
* Network Security Groups
* Application Security Groups
* Storage Accounts
* Key Vault
* Key Vault for CMK
* Azure Monitor
* Log Analytics
* Managed Identity
* Role Assignments

Optionally, you can also get started with the initial Gen AI use case (e.g., Azure native RAG architecture and setup) to accelerate the adoption of Generative AI in your organization.

* Model deployments, such as:
* GPT-3
* GPT-4
* GPT-35-turbo
* GPT-35-turbo-16k
* GPT-4-32k
* GPT-4 with Vision
* Azure AI Search

## Alignment with FSI Landing Zones

FSI Landing Zones on Microsoft Azure provides a secure-by-default architecture and deployment guidance for Azure services, and the Secure and Compliant Generative Azure Open AI reference implementation is aligned with the recommended Azure policies provided by FSI Landing Zones for the Azure services in this workload composition.
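
Review bot: Missing documentation for the new optional "Azure AI Search" item: the portal definition in this same commit adds a warning that reaching the search resource from Azure OpenAI over a private endpoint requires an application form and an approval step, but the guide lists the service without mentioning it. Add a sentence here pointing to that requirement so the networking consequence is known before deployment. As rendered, the model names sit at the same list level as "Model deployments, such as:" and "Azure AI Search"; nest them under the parent bullet. Two entries are also narrowed ("Private Link" to "Private Endpoint", "Key Vault" to "Key Vault for CMK") with no explanation in the commit message.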
Expand All @@ -53,6 +64,10 @@ A few examples:
2. It is also recommended to enable Azure RBAC for Azure Open AI, so both the level of access, and what type of access is granted to the service can be controlled centrally. This is enforced by the Azure Policy "Configure Cognitive Services accounts to disable local authentication methods".
3. Lastly, it is recommended to use a customer-managed key to encrypt the data, hence an Azure Key Vault is required, as well as several additional Azure policies to ensure the correct configuration of the Key Vault. This is enforced by the Azure Policy "Cognitive Services accounts should enable data encryption with a customer-managed key".

## Deploy for PoC and testing purposes

Although the reference implementation is tailored for the FSI industry, it can be used by any organization that requires a secure and compliant deployment of Azure Open AI. The reference implementation is designed to be deployed in a single Azure region, in a subscription where the virtual network with a dedicated subnet has been created upfront, to be used for the Private Endpoint. However, you can toggle any of the options to deploy the Azure Open AI instance(s) to the regions of your choice, and where capacity exists for the respective model deployments, while honoring the connectivity and networking requirements of the organization. For PoC and testing, you may want to quickly validate a use-case without requiring private connectivity, or monitoring enabled, and the reference implementation provides the flexibility to enable or disable these features as needed.

## Architecture and scale-out considerations

> Note: It is recommended to follow the best practices and overall recommendations when deploying the Secure and Compliang Generative Azure Open AI reference implementation, however, everything can be configured to meet the exact requirements of your organization. With that said, e.g., enablig Public Endpoint for one or more of the Azure services, the FSI Landing Zones provides additional controls to limit the scope of the public endpoint to a specific IP address range with firewall enabled.
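
Review bot: The new "Deploy for PoC and testing purposes" paragraph says private connectivity and monitoring can be switched off, directly after a list of settings described as enforced by Azure Policy, and does not say how the two interact. State whether a deployment with these features disabled is expected to be denied or flagged in a subscription where the FSI Landing Zones policies are assigned, and that the relaxed configuration is meant for PoC and testing only. The paragraph also first says the implementation is "designed to be deployed in a single Azure region" and then that the instance(s) can go to "the regions of your choice"; reword so the two statements do not read as a contradiction. The Note in the trailing context has "Compliang" and "enablig".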
36 changes: 23 additions & 13 deletions fsi/solutions/generativeAi/EnterpriseAIPortal.json
Expand Up @@ -568,9 +568,9 @@
"visible": true
},
{
"name": "aiRestrictOutboundNetworkAccess",
"name": "aiDisableNetworkAccess",
"type": "Microsoft.Common.OptionsGroup",
"label": "Restric Outbound Network Access for Azure Open AI",
"label": "Disable Public Network Access",
"defaultValue": "Yes (recommended)",
"toolTip": "",
"constraints": {
Expand All @@ -589,9 +589,9 @@
"visible": true
},
{
"name": "aiDisableNetworkAccess",
"name": "aiRestrictOutboundNetworkAccess",
"type": "Microsoft.Common.OptionsGroup",
"label": "Disable Public Network Access",
"label": "Restric Outbound Network Access for Azure Open AI",
"defaultValue": "Yes (recommended)",
"toolTip": "",
"constraints": {
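
Review bot: The label on the moved element still reads "Restric Outbound Network Access for Azure Open AI"; since the line is being rewritten anyway, correct it to "Restrict". Both this element and "Disable Public Network Access" carry `"toolTip": ""`; a one-line tooltip saying what each setting changes on the resource would help, given that both default to "Yes (recommended)".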
Expand All @@ -607,7 +607,7 @@
],
"required": true
},
"visible": true
"visible": "[equals(steps('aiSettings').aiDisableNetworkAccess, 'Yes')]"
},
{
"name": "aiNwLocationOption",
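
Review bot: With `"visible": "[equals(steps('aiSettings').aiDisableNetworkAccess, 'Yes')]"`, the outbound restriction can no longer be chosen when public network access is left enabled. If the two settings are independent on the resource, keep this control visible; if the coupling is intended, say so in the tooltip. Also confirm what the template receives for `aiRestrictOutboundNetworkAccess` when the element is hidden, so the deployed value does not depend on a control the user never saw.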
Expand Down Expand Up @@ -1334,7 +1334,7 @@
},
{
"name": "aiAuxiliarySettings",
"label": "Generative AI use-cases setup",
"label": "Use Cases and Additional Services",
"subLabel": {
"preValidation": "",
"postValidation": "Done"
Expand All @@ -1347,14 +1347,14 @@
"visible": true,
"options": {
"icon": "None",
"text": "Subject to your initial use-cases, you can enable additional Azure services for the complete Generative AI architecture on Azure.",
"text": "Subject to your initial use cases, you can enable additional Azure services for the complete Generative AI architecture on Azure.",
"uri": "https://www.microsoft.com"
}
},
{
"name": "aiUseCaseSection",
"type": "Microsoft.Common.Section",
"label": "Use-cases",
"label": "Use Cases",
"elements": [],
"visible": true
},
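
Review bot: The InfoBox whose text is corrected here still has `"uri": "https://www.microsoft.com"`, which tells the user nothing about the additional services. Point it at the user guide section that describes the use cases, or at the relevant product documentation.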
Expand All @@ -1373,7 +1373,7 @@
{
"name": "aiUseCaseDeployment",
"type": "Microsoft.Common.OptionsGroup",
"label": "Create Azure AI services for the initial use-cases",
"label": "Create Azure AI services for the initial use cases",
"defaultValue": "Yes",
"toolTip": "",
"constraints": {
Expand All @@ -1394,14 +1394,14 @@
{
"name": "aiUseCaseSelection",
"type": "Microsoft.Common.DropDown",
"label": "Select the initial use-case you want to deploy",
"label": "Select the initial use case you want to deploy",
"placeholder": "",
"defaultValue": "Image and video recognition",
"toolTip": "",
"multiselect": false,
"multiLine": true,
"selectAll": false,
"defaultDescription": "Select the initial use-case you want to start with.",
"defaultDescription": "Select the initial use case you want to start with.",
"filter": true,
"constraints": {
"allowedValues": [
Expand Down Expand Up @@ -1485,6 +1485,16 @@
},
"visible": "[equals(steps('aiAuxiliarySettings').aiUseCaseDeployment, 'Yes')]"
},
{
"name": "aiSearchPrivateEndpointInfo",
"type": "Microsoft.Common.InfoBox",
"visible": "[and(equals(steps('aiAuxiliarySettings').aiUseCaseDeployment, 'Yes'), equals(steps('aiAuxiliarySettings').aiSearchDisableNetworkAccess, 'Yes'))]",
"options": {
"icon": "warning",
"text": "To allow access to your Azure AI Search resource from Azure OpenAI resource, you need to submit an application form. The application will be reviewed in 10 business days and you will be contacted via email about the results. If you are eligible, we will provision the private endpoint in Microsoft managed virtual network, and send a private endpoint connection request to your search service, and you will need to approve the request.",
"uri": "https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbRw_T3EIZ1KNCuv_1duLJBgpUMUcwV1Y5QjI3UTVTMkhSVUo3R09NNVQxSyQlQCN0PWcu"
}
},
{
"name": "aiSearchNwLocationOption",
"type": "Microsoft.Common.OptionsGroup",
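
Review bot: The `visible` expression of `aiSearchPrivateEndpointInfo` reads `steps('aiAuxiliarySettings').aiSearchDisableNetworkAccess`, which is not defined in any hunk shown here; check that an element with exactly that name exists in the step, since a misspelled reference is easy to miss. The text hard-codes a review time of "10 business days" and links to a form by an opaque URL; both can go stale, so consider linking to a documentation page that owns those details. Wording: "within 10 business days" and "from your Azure OpenAI resource"; note also that "Azure OpenAI" here is spelled "Azure Open AI" in the other labels in this file.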
Expand Down Expand Up @@ -1592,7 +1602,7 @@
"type": "Microsoft.Common.Section",
"label": "Azure Monitor Settings",
"elements": [],
"visible": true
"visible": "[equals(steps('aiAuxiliarySettings').aiUseCaseDeployment, 'Yes')]"
},
{
"name": "aiSearchMonCreation",
Expand All @@ -1613,7 +1623,7 @@
],
"required": true
},
"visible": true
"visible": "[equals(steps('aiAuxiliarySettings').aiUseCaseDeployment, 'Yes')]"
}
]
}
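
Review bot: `aiSearchMonCreation` keeps `"required": true` and is now shown only when `aiUseCaseDeployment` is 'Yes'. Confirm that the outputs gate the AI Search monitoring parameters on the same condition, so a hidden control's default does not decide whether diagnostics are deployed. The same expression is now repeated on the "Azure Monitor Settings" section and on the options group; keep the two in step if the condition changes.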