Use TLS to secure a web service through Azure Machine Learning

This article shows you how to secure a web service that's deployed through Azure Machine Learning.

You use HTTPS to restrict access to web services and secure the data that clients submit. HTTPS helps secure communications between a client and a web service by encrypting communications between the two. Encryption uses Transport Layer Security (TLS). TLS is sometimes still referred to as Secure Sockets Layer (SSL), which was the predecessor of TLS.

Tip

The Azure Machine Learning SDK uses the term "SSL" for properties that are related to secure communications. This doesn't mean that your web service doesn't use TLS. SSL is just a more commonly recognized term.

Specifically, web services deployed through Azure Machine Learning support TLS version 1.2 for new AKS and ACI deployments. For ACI deployments, if you are on an older TLS version, we recommend redeploying to get the latest TLS version.

TLS and SSL both rely on digital certificates, which help with encryption and identity verification. For more information on how digital certificates work, see the Wikipedia topic Public key infrastructure.

Warning

If you don't use HTTPS for your web service, data that's sent to and from the service might be visible to others on the internet.

HTTPS also enables the client to verify the authenticity of the server that it's connecting to. This feature protects clients against man-in-the-middle attacks.

This is the general process to secure a web service:

  1. Get a domain name.

  2. Get a digital certificate.

  3. Deploy or update the web service with TLS enabled.

  4. Update your DNS to point to the web service.

Important

If you're deploying to Azure Kubernetes Service (AKS), you can purchase your own certificate or use a certificate that's provided by Microsoft. If you use a certificate from Microsoft, you don't need to get a domain name or TLS/SSL certificate. For more information, see the Enable TLS and deploy section of this article.

There are slight differences in how you secure web services across deployment targets.

Get a domain name

If you don't already own a domain name, purchase one from a domain name registrar. The process and price differ among registrars. The registrar provides tools to manage the domain name. You use these tools to map a fully qualified domain name (FQDN) (such as www.contoso.com) to the IP address that hosts your web service.

Get a TLS/SSL certificate

There are many ways to get a TLS/SSL certificate (digital certificate). The most common is to purchase one from a certificate authority (CA). Regardless of where you get the certificate, you need the following files:

  • A certificate. The certificate must contain the full certificate chain, and it must be PEM-encoded.
  • A key. The key must also be PEM-encoded.

When you request a certificate, you must provide the FQDN of the address that you plan to use for the web service (for example, www.contoso.com). The address that's stamped into the certificate and the address that the clients use are compared to verify the identity of the web service. If those addresses don't match, the client gets an error message.

Tip

If the certificate authority can't provide the certificate and key as PEM-encoded files, you can use a utility such as OpenSSL to change the format.

Warning

Use self-signed certificates only for development. Don't use them in production environments. Self-signed certificates can cause problems in your client applications. For more information, see the documentation for the network libraries that your client application uses.

Enable TLS and deploy

For AKS deployments, you can enable TLS termination when you create or attach an AKS cluster in the AML workspace. At AKS model deployment time, you can disable TLS termination with the deployment configuration object; otherwise, all AKS model deployments will by default have TLS termination enabled as configured at AKS cluster create or attach time.

For ACI deployments, you can enable TLS termination at model deployment time with the deployment configuration object.

Deploy on Azure Kubernetes Service

Note

The information in this section also applies when you deploy a secure web service for the designer. If you aren't familiar with using the Python SDK, see What is the Azure Machine Learning SDK for Python?.

When you create or attach an AKS cluster in the AML workspace, you can enable TLS termination with the AksCompute.provisioning_configuration() and AksCompute.attach_configuration() configuration objects. Both methods return a configuration object that has an enable_ssl method, and you can use the enable_ssl method to enable TLS.

You can enable TLS either with a Microsoft certificate or with a custom certificate purchased from a CA.

  • When you use a certificate from Microsoft, you must use the leaf_domain_label parameter. This parameter generates the DNS name for the service. For example, a value of "contoso" creates a domain name of "contoso<six-random-characters>.<azureregion>.cloudapp.azure.com", where <azureregion> is the region that contains the service. Optionally, you can use the overwrite_existing_domain parameter to overwrite the existing leaf_domain_label. The following example demonstrates how to create a configuration that enables TLS with a Microsoft certificate:

    from azureml.core.compute import AksCompute

    # Config used to create a new AKS cluster and enable TLS
    provisioning_config = AksCompute.provisioning_configuration()
    # Leaf domain label generates a name using the formula
    #  "<leaf-domain-label>######.<azure-region>.cloudapp.azure.net"
    #  where "######" is a random series of characters
    provisioning_config.enable_ssl(leaf_domain_label="contoso")

    # Config used to attach an existing AKS cluster to your workspace and enable TLS
    resource_group = "<your-resource-group>"   # placeholder: resource group of the existing cluster
    cluster_name = "<your-aks-cluster>"        # placeholder: name of the existing cluster
    attach_config = AksCompute.attach_configuration(resource_group=resource_group,
                                                    cluster_name=cluster_name)
    # Leaf domain label generates a name using the formula
    #  "<leaf-domain-label>######.<azure-region>.cloudapp.azure.net"
    #  where "######" is a random series of characters
    attach_config.enable_ssl(leaf_domain_label="contoso")


    Important

    When you use a certificate from Microsoft, you don't need to purchase your own certificate or domain name.

    Warning

    If your AKS cluster is configured with an internal load balancer, using a Microsoft-provided certificate is not supported, and you must use a custom certificate to enable TLS.

  • When you use a custom certificate that you purchased, you use the ssl_cert_pem_file, ssl_key_pem_file, and ssl_cname parameters. The following example demonstrates how to use .pem files to create a configuration that uses a TLS/SSL certificate that you purchased:

    from azureml.core.compute import AksCompute

    # Config used to create a new AKS cluster and enable TLS
    provisioning_config = AksCompute.provisioning_configuration()
    provisioning_config.enable_ssl(ssl_cert_pem_file="cert.pem",
                                   ssl_key_pem_file="key.pem",
                                   ssl_cname="www.contoso.com")

    # Config used to attach an existing AKS cluster to your workspace and enable TLS
    resource_group = "<your-resource-group>"   # placeholder: resource group of the existing cluster
    cluster_name = "<your-aks-cluster>"        # placeholder: name of the existing cluster
    attach_config = AksCompute.attach_configuration(resource_group=resource_group,
                                                    cluster_name=cluster_name)
    attach_config.enable_ssl(ssl_cert_pem_file="cert.pem",
                             ssl_key_pem_file="key.pem",
                             ssl_cname="www.contoso.com")


For more information about enable_ssl, see AksProvisioningConfiguration.enable_ssl() and AksAttachConfiguration.enable_ssl().

Deploy on Azure Container Instances

When you deploy to Azure Container Instances, you provide values for the TLS-related parameters, as the following code snippet shows:

from azureml.core.webservice import AciWebservice

# ACI deployment config with TLS termination enabled using the purchased certificate
aci_config = AciWebservice.deploy_configuration(
    ssl_enabled=True,
    ssl_cert_pem_file="cert.pem",
    ssl_key_pem_file="key.pem",
    ssl_cname="www.contoso.com")

For more information, see AciWebservice.deploy_configuration().

Update your DNS

For either an AKS deployment with a custom certificate or an ACI deployment, you must update your DNS record to point to the IP address of the scoring endpoint.

Important

When you use a certificate from Microsoft for an AKS deployment, you don't need to manually update the DNS value for the cluster. The value should be set automatically.

You can follow these steps to update the DNS record for your custom domain name:

  • Get the scoring endpoint IP address from the scoring endpoint URI, which is usually in the format http://104.214.29.152:80/api/v1/service//score.
  • Use the tools from your domain name registrar to update the DNS record for your domain name. The record must point to the IP address of the scoring endpoint.
  • After the DNS record is updated, you can validate DNS resolution using the nslookup custom-domain-name command. If the DNS record is correctly updated, the custom domain name will point to the IP address of the scoring endpoint.
  • There can be a delay of minutes or hours before clients can resolve the domain name, depending on the registrar and the "time to live" (TTL) that's configured for the domain name.
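The DNS and certificate checks from the steps above, as an added Python example that is not part of the original article or the Azure Machine Learning SDK: it extracts the scoring endpoint IP from the scoring URI, confirms the custom domain resolves to it (what nslookup shows), then performs a verified TLS handshake so a CN/SAN mismatch or an untrusted chain (for example a self-signed certificate) is reported, and flags a certificate that is within 30 days of expiry. The domain, the scoring URI and the injectable resolve/fetch hooks are assumptions so the logic can also run offline on sample data.

```python
import socket
import ssl
import time
from urllib.parse import urlparse

def scoring_ip(scoring_uri):
    """IP address part of a scoring URI such as http://<ip>:80/api/v1/service/<name>/score."""
    return urlparse(scoring_uri).hostname

def dns_points_to_endpoint(domain, scoring_uri, resolve=socket.gethostbyname_ex):
    """True when the custom domain resolves to the scoring endpoint IP (what nslookup shows)."""
    _, _, addresses = resolve(domain)
    return scoring_ip(scoring_uri) in addresses

def days_until_expiry(peercert, now=None):
    """Whole days left on a certificate dict as returned by SSLSocket.getpeercert()."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)

def fetch_served_cert(domain, port=443):
    """Verified handshake: the chain must be trusted and the CN/SAN must match the domain,
    which is the same check a client library performs (self-signed certs fail here)."""
    context = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()

def check_endpoint(domain, scoring_uri, renew_within_days=30,
                   resolve=socket.gethostbyname_ex, fetch=fetch_served_cert):
    """Return a list of findings; empty means DNS, hostname match and expiry are all fine.
    resolve/fetch are injectable (assumed hooks) so the logic can run offline on sample data."""
    findings = []
    if not dns_points_to_endpoint(domain, scoring_uri, resolve):
        findings.append(f"{domain} does not resolve to {scoring_ip(scoring_uri)} (DNS not updated or TTL not elapsed)")
    try:
        cert = fetch(domain)
    except ssl.SSLCertVerificationError as exc:   # CN/SAN mismatch or untrusted chain
        return findings + [f"TLS verification failed for {domain}: {exc.verify_message}"]
    except OSError as exc:
        return findings + [f"could not connect to {domain}:443: {exc}"]
    days = days_until_expiry(cert)
    if days < renew_within_days:
        findings.append(f"certificate expires in {days} days; renew it (renew=True / --ssl-renew for Microsoft-issued ones)")
    return findings

if __name__ == "__main__":
    # Constructed sample values; substitute your custom domain and your deployment's scoring URI.
    print(check_endpoint("www.contoso.com", "http://104.214.29.152:80/api/v1/service/<service-name>/score"))
```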

Update the TLS/SSL certificate

TLS/SSL certificates expire and must be renewed. Typically this happens every year. Use the information in the following sections to update and renew your certificate for models deployed to Azure Kubernetes Service:

Update a Microsoft generated certificate

If the certificate was originally generated by Microsoft (when using the leaf_domain_label to create the service), it will automatically renew when needed. If you want to manually renew it, use one of the following examples to update the certificate:

Important

  • If the existing certificate is still valid, use renew=True (SDK) or --ssl-renew (CLI) to force the configuration to renew it. For example, if the existing certificate is still valid for 10 days and you don't use renew=True, the certificate may not be renewed.
  • When the service was originally deployed, the leaf_domain_label was used to create a DNS name using the pattern <leaf-domain-label>######.<azure-region>.cloudapp.azure.net. To preserve the existing name (including the 6 digits originally generated), use the original leaf_domain_label value. Do not include the 6 digits that were generated.

Use the SDK

from azureml.core import Workspace
from azureml.core.compute import AksCompute
from azureml.core.compute.aks import AksUpdateConfiguration
from azureml.core.compute.aks import SslConfiguration

# Workspace loaded from config.json, and the name of the existing cluster (placeholder)
ws = Workspace.from_config()
clustername = "myaks"

# Get the existing cluster
aks_target = AksCompute(ws, clustername)

# Update the existing certificate by referencing the leaf domain label;
# renew=True forces renewal even if the current certificate is still valid
ssl_configuration = SslConfiguration(leaf_domain_label="myaks", overwrite_existing_domain=True, renew=True)
update_config = AksUpdateConfiguration(ssl_configuration)
aks_target.update(update_config)

Use the CLI

az ml computetarget update aks -g "myresourcegroup" -w "myresourceworkspace" -n "myaks" --ssl-leaf-domain-label "myaks" --ssl-overwrite-domain True --ssl-renew

For more information, see the following reference docs:

Update a custom certificate

If the certificate was originally generated by a certificate authority, use the following steps:

  1. Use the documentation provided by the certificate authority to renew the certificate. This process creates new certificate files.

  2. Use either the SDK or the CLI to update the service with the new certificate:

    Use the SDK

    from azureml.core import Workspace
    from azureml.core.compute import AksCompute
    from azureml.core.compute.aks import AksUpdateConfiguration
    from azureml.core.compute.aks import SslConfiguration

    # Read a PEM file (certificate with full chain, or private key) as text
    def get_content(file_name):
        with open(file_name, 'r') as f:
            return f.read()

    # Workspace loaded from config.json, and the name of the existing cluster (placeholder)
    ws = Workspace.from_config()
    clustername = "myaks"

    # Get the existing cluster
    aks_target = AksCompute(ws, clustername)

    # Update cluster with the renewed custom certificate
    ssl_configuration = SslConfiguration(cname="myaks", cert=get_content('cert.pem'), key=get_content('key.pem'))
    update_config = AksUpdateConfiguration(ssl_configuration)
    aks_target.update(update_config)

    

    Use the CLI

    az ml computetarget update aks -g "myresourcegroup" -w "myresourceworkspace" -n "myaks" --ssl-cname "myaks" --ssl-cert-file "cert.pem" --ssl-key-file "key.pem"
    

For more information, see the following reference docs:

Disable TLS

To disable TLS for a model deployed to Azure Kubernetes Service, create an SslConfiguration with status="Disabled", then perform an update:

from azureml.core import Workspace
from azureml.core.compute import AksCompute
from azureml.core.compute.aks import AksUpdateConfiguration
from azureml.core.compute.aks import SslConfiguration

# Workspace loaded from config.json, and the name of the existing cluster (placeholder)
ws = Workspace.from_config()
clustername = "myaks"

# Get the existing cluster
aks_target = AksCompute(ws, clustername)

# Disable TLS termination on the cluster
ssl_configuration = SslConfiguration(status="Disabled")
update_config = AksUpdateConfiguration(ssl_configuration)
aks_target.update(update_config)

Next steps

Learn how to: