Set up the Bring your own storage (BYOS) Speech resource
Bring your own storage (BYOS) is an Azure AI technology for customers who have high requirements for data security and privacy. Its core is the ability to associate an Azure Storage account that you own and fully control with a Speech resource. The Speech resource then uses that Storage account to store the artifacts of your data processing, instead of storing them within the Speech service itself as in the regular case. This approach lets you apply the full set of Azure Storage account security features, including encrypting the data with customer-managed keys and using private endpoints to access the data.
In BYOS scenarios, all traffic between the Speech resource and the Storage account is carried over the Azure global network; that is, all communication uses a private network and bypasses the public internet entirely. A Speech resource in a BYOS scenario uses the Azure trusted services mechanism to access the Storage account, relying on a system-assigned managed identity for authentication and role-based access control (RBAC) for authorization.
There is one exception: if you use Text to speech, and your Speech resource and the associated Storage account are located in different Azure regions, the public internet is used for the operations involving User delegation SAS. See details in this section.
BYOS can be used with several Azure AI services. For Speech, it can be used in the following scenarios:
Speech to text
- Batch transcription
- Real-time transcription with audio and transcription result logging enabled
- Custom speech (Custom models for Speech recognition)
Text to speech
One Speech resource and Storage account combination can be used for all four scenarios simultaneously, in any combination.
This article describes how to create and maintain a BYOS-enabled Speech resource and applies to all of the scenarios mentioned. See the scenario-specific information in the corresponding articles.
BYOS-enabled Speech resource: Basic rules
Consider the following rules when planning the configuration of a BYOS-enabled Speech resource:
- A Speech resource can be BYOS-enabled only during creation. An existing Speech resource can't be converted to BYOS-enabled, and a BYOS-enabled Speech resource can't be converted to a "conventional" (non-BYOS) one.
- The Storage account association with the Speech resource is declared during Speech resource creation and can't be changed later. That is, you can't change which Storage account is associated with an existing BYOS-enabled Speech resource. To use another Storage account, you have to create another BYOS-enabled Speech resource.
- When creating a BYOS-enabled Speech resource, you can use an existing Storage account or create one automatically during Speech resource provisioning (the latter is possible only when using the Azure portal).
- One Storage account can be associated with many Speech resources. We recommend using one Storage account per Speech resource.
- The Storage account and the related BYOS-enabled Speech resource can be located in either the same or different Azure regions. We recommend using the same region to minimize latency. For the same reason, we don't recommend selecting regions that are far apart for a multi-region configuration (for example, placing the Storage account and the associated Speech resource in different geographies).
Create and configure BYOS-enabled Speech resource
This section describes how to create a BYOS-enabled Speech resource.
Request access to BYOS for your Azure subscriptions
You need to request access to BYOS functionality for each of the Azure subscriptions you plan to use. To request access, fill out and submit the Cognitive Services & Applied AI Customer Managed Keys and Bring Your Own Storage access request form. Wait for the request to be approved.
(Optional) Check whether Azure subscription has access to BYOS
You can quickly check whether your Azure subscription has access to BYOS. This check uses the preview features functionality of Azure, which isn't available through the Azure portal.
Note
You can view the list of preview features for a given Azure subscription as explained in this article; however, note that not all preview features, BYOS included, are visible this way.
Plan and prepare your Storage account
If you use the Azure portal to create a BYOS-enabled Speech resource, an associated Storage account can be created automatically. For all other provisioning methods (Azure CLI, PowerShell, REST API request), you need to use an existing Storage account.
If you want to use an existing Storage account and don't intend to use the Azure portal method for BYOS-enabled Speech resource provisioning, note the following about this Storage account:
- You need the full Azure resource ID of the Storage account. To obtain it, navigate to the Storage account in the Azure portal, then select the Endpoints menu in the Settings group. Copy and store the value of the Storage account resource ID field.
- To fully configure BYOS, you need at least the Resource Owner right for the selected Storage account.
Note
The Storage account Resource Owner right or higher isn't required to use a BYOS-enabled Speech resource. However, it's required during the one-time initial configuration of the Storage account for use in a BYOS scenario. See details in this section.
Create BYOS-enabled Speech resource
Make sure your Azure subscription is enabled for BYOS before attempting to create the Speech resource. See this section.
There are two ways of creating a BYOS-enabled Speech resource:
- With Azure portal.
- With Cognitive Services API (PowerShell, Azure CLI, REST request).
The Azure portal option has tighter requirements:
- The account used for provisioning the BYOS-enabled Speech resource must have the Subscription Owner right.
- The BYOS-associated Storage account must be located in the same region as the Speech resource.
If any of these extra requirements don't fit your scenario, use the Cognitive Services API option (PowerShell, Azure CLI, REST request).
To use any of the methods above, you need an Azure account that's assigned a role allowing it to create resources in your subscription, like Subscription Contributor.
Note
If you use the Azure portal to create a BYOS-enabled Speech resource, we recommend selecting the option to create a new Storage account.
To create a BYOS-enabled Speech resource with the Azure portal, you need access to some portal preview features. Perform the following steps:
- Navigate to Create Speech page using this link.
- Note the Storage account section at the bottom of the page.
- Select Yes for Bring your own storage option.
- Configure the required Storage account settings and proceed with the Speech resource creation.
If you used the Azure portal to create the BYOS-enabled Speech resource, it's fully ready to use. If you used any other method, you need to assign a role to the Speech resource managed identity within the scope of the associated Storage account. In all cases, you also need to review the Storage account settings related to data security. See this section.
(Optional) Verify Speech resource BYOS configuration
You can always check whether any given Speech resource is BYOS-enabled and which Storage account is associated with it, either via the Azure portal or via the Cognitive Services API.
To check the BYOS configuration of a Speech resource with the Azure portal, you need access to some portal preview features. Perform the following steps:
- Navigate to Create Speech page using this link.
- Close Create Speech screen by pressing X in the right upper corner.
- If asked agree to discard unsaved changes.
- Navigate to the Speech resource you want to check.
- Select Storage menu in the Resource Management group.
- Check that:
  - The Attached storage field contains the Azure resource ID of the BYOS-associated Storage account.
  - Identity type has System Assigned selected.
If the Storage menu item is missing from the Resource Management group, the selected Speech resource isn't BYOS-enabled.
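The same creation and verification steps expressed against the ARM resource model, as an added example (not Microsoft's code). It assumes the property names of the Microsoft.CognitiveServices/accounts resource type (identity.type, properties.userOwnedStorage) and uses constructed sample IDs:

```python
"""Build the ARM request body for a BYOS-enabled Speech resource and inspect
an existing one. The two rules from this article are enforced: the storage
association is declared at creation time, and the resource needs a
system-assigned managed identity (otherwise there is no principal to grant
the blob role to later)."""
import re

# Constructed sample ID, not a real subscription or account.
STORAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
              "/resourceGroups/rg-speech/providers/Microsoft.Storage"
              "/storageAccounts/stspeechbyos")

# Shape of a full Storage account resource ID (the value copied from the
# Endpoints page in the portal), not just the account name.
_STORAGE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Storage/storageAccounts/[a-z0-9]{3,24}$")


def build_byos_account_body(location: str, storage_resource_id: str) -> dict:
    """Return the PUT body for a Speech (kind SpeechServices) account with
    BYOS, or raise if the storage ID is not a full resource ID."""
    if not _STORAGE_ID_RE.match(storage_resource_id):
        raise ValueError("not a full Storage account resource ID: "
                         + storage_resource_id)
    return {
        "location": location,
        "kind": "SpeechServices",
        "sku": {"name": "S0"},
        "identity": {"type": "SystemAssigned"},
        "properties": {
            "userOwnedStorage": [{"resourceId": storage_resource_id}],
        },
    }


def byos_status(account: dict) -> dict:
    """Inspect a GET response of a Speech account: is it BYOS-enabled, which
    Storage account is attached, and is the identity system-assigned?
    Mirrors the portal check in the steps above."""
    identity = account.get("identity") or {}
    storage = (account.get("properties") or {}).get("userOwnedStorage") or []
    attached = [s["resourceId"] for s in storage if s.get("resourceId")]
    return {
        "byos_enabled": bool(attached),
        "system_assigned_identity": identity.get("type") == "SystemAssigned",
        "attached_storage": attached,
        # principalId is the object you assign the blob role to later on
        "principal_id": identity.get("principalId"),
    }
```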
Configure BYOS-associated Storage account
To achieve high security and privacy for your data, you need to properly configure the settings of the BYOS-associated Storage account. If you didn't use the Azure portal to create your BYOS-enabled Speech resource, you also need to perform the mandatory role assignment step.
Assign resource access role
This step is mandatory if you didn't use Azure portal to create your BYOS-enabled Speech resource.
BYOS uses the Blob storage of a Storage account. Because of this, the managed identity of the BYOS-enabled Speech resource needs the Storage Blob Data Contributor role assignment within the scope of the BYOS-associated Storage account.
Caution
Don't use custom role assignments instead of the built-in Storage Blob Data Contributor role. Doing so will very likely result in hard-to-debug service errors and issues accessing the BYOS-associated Storage account.
If you used the Azure portal to create your BYOS-enabled Speech resource, you can skip the rest of this subsection: your role assignment is already done. Otherwise, follow these steps.
Important
You need to be assigned the Owner role for the Storage account or for a higher scope (like the Subscription) to perform the operation in the next steps, because only the Owner role can assign roles to others. See details here.
- Go to the Azure portal and sign in to your Azure account.
- Select the Storage account.
- Select Access Control (IAM) menu in the left pane.
- Select Add role assignment in the Grant access to this resource tile.
- Select Storage Blob Data Contributor under Role and then select Next.
- Select Managed identity under Members > Assign access to.
- Assign the managed identity of your Speech resource and then select Review + assign.
- After confirming the settings, select Review + assign.
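A check that the assignment was made with the built-in role rather than a custom one, as an added example (not Microsoft's code). It assumes the JSON fields that `az role assignment list` returns (principalId, scope, roleDefinitionId, roleDefinitionName); the role GUID is the built-in Storage Blob Data Contributor definition, and the IDs below are constructed samples:

```python
"""Verify that the Speech resource's managed identity holds the built-in
Storage Blob Data Contributor role at a scope that covers the BYOS-associated
Storage account. A custom role has a different definition GUID, so it never
matches and is reported instead, per the caution above."""

# Built-in role definition GUID for Storage Blob Data Contributor.
BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"

# Constructed sample values.
STORAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
              "/resourceGroups/rg-speech/providers/Microsoft.Storage"
              "/storageAccounts/stspeechbyos")
SPEECH_PRINCIPAL = "11111111-1111-1111-1111-111111111111"


def role_definition_guid(role_definition_id: str) -> str:
    # roleDefinitionId is a full ARM path ending in the definition GUID.
    return role_definition_id.rsplit("/", 1)[-1].lower()


def covers_scope(assignment_scope: str, storage_id: str) -> bool:
    """Assignments on the account, its resource group or the subscription all
    cover the Storage account; a container-level scope does not."""
    a = assignment_scope.lower().rstrip("/")
    s = storage_id.lower()
    return s == a or s.startswith(a + "/")


def check_blob_role(assignments: list, principal_id: str, storage_id: str) -> dict:
    """Return {'ok': True, 'scope': ...} when the built-in role is present for
    the principal; otherwise 'ok': False plus any other roles the principal
    holds on that scope (a custom role shows up here)."""
    other_roles = []
    for ra in assignments:
        if (ra.get("principalId") or "").lower() != principal_id.lower():
            continue
        if not covers_scope(ra.get("scope") or "", storage_id):
            continue
        if role_definition_guid(ra.get("roleDefinitionId") or "") == BLOB_DATA_CONTRIBUTOR:
            return {"ok": True, "scope": ra["scope"], "other_roles": other_roles}
        other_roles.append(ra.get("roleDefinitionName") or ra.get("roleDefinitionId"))
    return {"ok": False, "scope": None, "other_roles": other_roles}
```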
Configure Storage account security settings for Speech to text
This section describes how to set up the Storage account security settings if you intend to use the BYOS-associated Storage account only for Speech to text scenarios. If you use the BYOS-associated Storage account for Text to speech, or for a combination of Speech to text and Text to speech, use this section instead.
For Speech to text, BYOS uses the trusted Azure services security mechanism to communicate with the Storage account. This mechanism allows setting restricted Storage account data access rules.
If you perform all the actions in this section, your Storage account ends up in the following configuration:
- All external network traffic is prohibited.
- Access to the Storage account using the Storage account key is prohibited.
- Access to Storage account blob storage using shared access signatures (SAS) is prohibited, except for User delegation SAS.
- Access to the Storage account is allowed for the BYOS-enabled Speech resource using its system-assigned managed identity.
So in effect your Storage account becomes completely "locked" and can only be accessed by your Speech resource, which is able to:
- Write artifacts of your Speech data processing (see details in the corresponding articles).
- Read the files that were already present when the new configuration was applied, for example source audio files for Batch transcription, or Dataset files for Custom model training and testing.
Consider this configuration a model for the security of your data, and customize it according to your needs.
For example, you can allow traffic from selected public IP addresses and Azure virtual networks. You can also set up access to your Storage account using private endpoints (see also this tutorial), re-enable access using the Storage account key, allow access to other Azure trusted services, and so on.
Note
Using private endpoints for Speech isn't required to secure the Storage account. Private endpoints for Speech secure the channels for Speech API requests and can be used as an extra component in your solution.
Restrict access to the Storage account
- Go to the Azure portal and sign in to your Azure account.
- Select the Storage account.
- In the Settings group in the left pane, select Configuration.
- Select Disabled for Allow Blob public access.
- Select Disabled for Allow storage account key access.
- Select Save.
For more information, see Prevent anonymous public read access to containers and blobs and Prevent Shared Key authorization for an Azure Storage account.
Configure Azure Storage firewall
Having restricted access to the Storage account, you now need to grant network access to your Speech resource managed identity. Follow these steps to add access for the Speech resource.
- Go to the Azure portal and sign in to your Azure account.
- Select the Storage account.
- In the Security + networking group in the left pane, select Networking.
- In the Firewalls and virtual networks tab, select Enabled from selected virtual networks and IP addresses.
- Deselect all check boxes.
- Make sure Microsoft network routing is selected.
- Under the Resource instances section, select Microsoft.CognitiveServices/accounts as the resource type and select your Speech resource as the instance name.
- Select Save.
Note
It can take up to 5 minutes for the network changes to propagate.
Configure Storage account security settings for Text to Speech
This section describes how to set up the Storage account security settings if you intend to use the BYOS-associated Storage account for Text to speech, or for a combination of Speech to text and Text to speech. If you use the BYOS-associated Storage account for Speech to text only, use this section instead.
Note
Text to speech requires more relaxed Storage account firewall settings than Speech to text. If you use both Speech to text and Text to speech, and need maximally restricted Storage account security settings to protect your data, consider using separate Storage accounts and corresponding Speech resources for the Speech to text and Text to speech tasks.
If you perform all the actions in this section, your Storage account ends up in the following configuration:
- External network traffic is allowed.
- Access to the Storage account using the Storage account key is prohibited.
- Access to Storage account blob storage using shared access signatures (SAS) is prohibited, except for User delegation SAS.
- Access to the Storage account is allowed for the BYOS-enabled Speech resource using its system-assigned managed identity and User delegation SAS.
These are the most restricted security settings possible for the Text to speech scenario. You can further customize them according to your needs.
Restrict access to the Storage account
- Go to the Azure portal and sign in to your Azure account.
- Select the Storage account.
- In the Settings group in the left pane, select Configuration.
- Select Disabled for Allow Blob public access.
- Select Disabled for Allow storage account key access.
- Select Save.
For more information, see Prevent anonymous public read access to containers and blobs and Prevent Shared Key authorization for an Azure Storage account.
Configure Azure Storage firewall
- Go to the Azure portal and sign in to your Azure account.
- Select the Storage account.
- In the Security + networking group in the left pane, select Networking.
- In the Firewalls and virtual networks tab, select Enabled from all networks.
- Select Save.
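An audit of the resulting Storage account settings for both the Speech to text and the Text to speech configurations above, as an added example (not Microsoft's code). It assumes the ARM property names of Microsoft.Storage/storageAccounts as returned by `az storage account show` (allowBlobPublicAccess, allowSharedKeyAccess, networkAcls.defaultAction, networkAcls.bypass, networkAcls.resourceAccessRules, routingPreference.routingChoice); the Speech resource ID is a constructed sample:

```python
"""Compare a Storage account's properties with the two target configurations
in this article: fully locked for Speech to text ('stt'), or the relaxed
firewall that Text to speech needs ('tts'). An empty findings list means the
account matches the article's model configuration for that scenario."""

SPEECH_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/resourceGroups/rg-speech/providers/Microsoft.CognitiveServices"
             "/accounts/speech-byos")  # constructed sample value


def audit_storage(props: dict, speech_resource_id: str, scenario: str) -> list:
    if scenario not in ("stt", "tts"):
        raise ValueError("scenario must be 'stt' or 'tts'")
    findings = []
    # Common to both scenarios: no anonymous blob access and no Shared Key
    # (account key) access, which also disables account and service SAS.
    if props.get("allowBlobPublicAccess", True):
        findings.append("allowBlobPublicAccess should be false")
    if props.get("allowSharedKeyAccess", True):
        findings.append("allowSharedKeyAccess should be false")

    acls = props.get("networkAcls") or {}
    default_action = acls.get("defaultAction", "Allow")
    if scenario == "tts":
        # 'Enabled from all networks' in the portal.
        if default_action != "Allow":
            findings.append("TTS needs networkAcls.defaultAction = Allow")
        return findings

    # STT: deny by default, no exceptions, Microsoft routing, and the Speech
    # resource allowed as a resource instance (the trusted-services path).
    if default_action != "Deny":
        findings.append("STT needs networkAcls.defaultAction = Deny")
    if acls.get("bypass", "AzureServices") != "None":
        findings.append("networkAcls.bypass should be None (all check boxes deselected)")
    instances = {(r.get("resourceId") or "").lower()
                 for r in acls.get("resourceAccessRules") or []}
    if speech_resource_id.lower() not in instances:
        findings.append("Speech resource missing from networkAcls.resourceAccessRules")
    routing = (props.get("routingPreference") or {}).get("routingChoice") or "MicrosoftRouting"
    if routing != "MicrosoftRouting":
        findings.append("routingPreference.routingChoice should be MicrosoftRouting")
    return findings
```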
Configure BYOS-associated Storage account for use with Speech Studio
Many Speech Studio operations, like dataset upload or custom model training and testing, don't require any special configuration of a BYOS-enabled Speech resource.
However, if you need to read data stored within the BYOS-associated Storage account through the Speech Studio web interface, you need to configure more settings on your BYOS-associated Storage account. For example, this is required to view the contents of a dataset.
Configure Cross-Origin Resource Sharing (CORS)
Speech Studio needs permission to make requests to the Blob storage of the BYOS-associated Storage account. To grant that permission, you use Cross-Origin Resource Sharing (CORS). Follow these steps.
- Go to the Azure portal and sign in to your Azure account.
- Select the Storage account.
- In the Settings group in the left pane, select Resource sharing (CORS).
- Ensure that the Blob storage tab is selected.
- Configure the following record:
  - Allowed origins: https://speech.azure.cn
  - Allowed methods: GET, OPTIONS
  - Allowed headers: *
  - Exposed headers: *
  - Max age: 1000
- Select Save.
Warning
The Allowed origins field should contain the URL without a trailing slash: that is, https://speech.azure.cn and not https://speech.azure.cn/. Adding a trailing slash results in Speech Studio not showing the details of datasets and model tests.
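A validator for the CORS record above that catches the trailing-slash mistake from the warning before it reaches the account, as an added example (not Microsoft's code). It assumes the blob service CORS rule fields as shown by the Azure portal and CLI (allowedOrigins, allowedMethods, allowedHeaders, exposedHeaders, maxAgeInSeconds):

```python
"""Check the blob-service CORS rules for the record Speech Studio needs. An
empty findings list means the origin, methods and headers match the article;
an origin with a trailing slash is flagged rather than silently accepted."""

SPEECH_STUDIO_ORIGIN = "https://speech.azure.cn"  # from the article, no slash


def check_studio_cors(rules: list) -> list:
    findings = []
    matching = None
    for rule in rules:
        for origin in rule.get("allowedOrigins") or []:
            # Normalise only for matching; the stored value must be exact.
            if origin.rstrip("/").lower() == SPEECH_STUDIO_ORIGIN:
                matching = rule
                if origin != SPEECH_STUDIO_ORIGIN:
                    findings.append("allowed origin must be exactly %s, got %r"
                                    % (SPEECH_STUDIO_ORIGIN, origin))
    if matching is None:
        return ["no CORS rule allows origin " + SPEECH_STUDIO_ORIGIN]

    methods = {m.upper() for m in matching.get("allowedMethods") or []}
    if not {"GET", "OPTIONS"} <= methods:
        findings.append("allowed methods must include GET and OPTIONS")
    for field in ("allowedHeaders", "exposedHeaders"):
        if "*" not in (matching.get(field) or []):
            findings.append(field + " should be *")
    if int(matching.get("maxAgeInSeconds") or 0) <= 0:
        findings.append("maxAgeInSeconds should be set (the article uses 1000)")
    return findings
```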
Configure Azure Storage firewall
You need to allow access for the machine where you run the browser that uses Speech Studio. If your Storage account firewall settings allow public access from all networks, you can skip this subsection. Otherwise, follow these steps.
- Go to the Azure portal and sign in to your Azure account.
- Select the Storage account.
- In the Security + networking group in the left pane, select Networking.
- In the Firewall section, enter either the IP address of the machine where you run the web browser, or the IP subnet to which that IP address belongs.
- Select Save.