Use TLS to secure a web service through Azure Machine Learning

APPLIES TO: Basic edition, Enterprise edition (Upgrade to Enterprise edition)

This article shows you how to secure a web service that's deployed through Azure Machine Learning.

You use HTTPS to restrict access to web services and to secure the data that clients submit. HTTPS helps secure communications between a client and a web service by encrypting the traffic between the two. Encryption uses Transport Layer Security (TLS). TLS is sometimes still referred to as Secure Sockets Layer (SSL), which was the predecessor of TLS.

Tip

The Azure Machine Learning SDK uses the term "SSL" for properties that are related to secure communications. This doesn't mean that your web service doesn't use TLS. SSL is just a more commonly recognized term.

Specifically, web services deployed through Azure Machine Learning only support TLS version 1.1.

TLS and SSL both rely on digital certificates, which help with encryption and identity verification. For more information on how digital certificates work, see the Wikipedia topic Public key infrastructure.

Warning

If you don't use HTTPS for your web service, data that's sent to and from the service might be visible to others on the internet.

HTTPS also enables the client to verify the authenticity of the server that it's connecting to. This feature protects clients against man-in-the-middle attacks.

This is the general process to secure a web service:

  1. Get a domain name.

  2. Get a digital certificate.

  3. Deploy or update the web service with TLS enabled.

  4. Update your DNS to point to the web service.

Important

If you're deploying to Azure Kubernetes Service (AKS), you can purchase your own certificate or use a certificate that's provided by Microsoft. If you use a certificate from Microsoft, you don't need to get a domain name or TLS/SSL certificate. For more information, see the Enable TLS and deploy section of this article.

There are slight differences when you secure web services across deployment targets.

Get a domain name

If you don't already own a domain name, purchase one from a domain name registrar. The process and price differ among registrars. The registrar provides tools to manage the domain name. You use these tools to map a fully qualified domain name (FQDN), such as www.contoso.com, to the IP address that hosts your web service.

Get a TLS/SSL certificate

There are many ways to get a TLS/SSL certificate (digital certificate). The most common is to purchase one from a certificate authority (CA). Regardless of where you get the certificate, you need the following files:

  • A certificate. The certificate must contain the full certificate chain, and it must be PEM-encoded.
  • A key. The key must also be PEM-encoded.

When you request a certificate, you must provide the FQDN of the address that you plan to use for the web service (for example, www.contoso.com). The address that's stamped into the certificate and the address that the clients use are compared to verify the identity of the web service. If those addresses don't match, the client gets an error message.

Tip

If the certificate authority can't provide the certificate and key as PEM-encoded files, you can use a utility such as OpenSSL to change the format.

Warning

Use self-signed certificates only for development. Don't use them in production environments. Self-signed certificates can cause problems in your client applications. For more information, see the documentation for the network libraries that your client application uses.
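Before handing the files to ssl_cert_pem_file, ssl_key_pem_file and ssl_cname, it is worth checking them locally: the following Python is an added example (not code from the article or from the Azure Machine Learning SDK) that uses only the standard library to confirm the certificate file is a PEM chain with more than one CERTIFICATE block, the key file holds a PEM private key, the cname is an FQDN, and, as a last step, that OpenSSL accepts the certificate and key as a matching pair. The SAMPLE_* strings are constructed placeholders, not real certificates.

```python
import re
import ssl

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(text):
    """Labels of the PEM blocks found in text, in file order."""
    return [label for label in PEM_BLOCK.findall(text)]


def check_cert_file(text):
    """Problems with a file meant for ssl_cert_pem_file: PEM-encoded, full chain included."""
    n = pem_labels(text).count("CERTIFICATE")
    if n == 0:
        return ["no PEM CERTIFICATE block found (DER or PFX? convert it with OpenSSL)"]
    if n == 1:
        return ["only one certificate: the intermediate chain is missing"]
    return []


def check_key_file(text):
    """Problems with a file meant for ssl_key_pem_file: it must hold a PEM private key."""
    has_key = any(label.endswith("PRIVATE KEY") for label in pem_labels(text))
    return [] if has_key else ["no PEM PRIVATE KEY block found"]


def check_cname(cname):
    """ssl_cname must be the FQDN clients will use (www.contoso.com) or clients get a mismatch error."""
    ok = re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", cname.lower())
    return [] if ok else [f"ssl_cname {cname!r} is not a fully qualified domain name"]


def preflight(cert_path, key_path, cname):
    """Run every check; the last one has OpenSSL confirm the private key matches the certificate."""
    with open(cert_path) as cert, open(key_path) as key:
        problems = check_cert_file(cert.read()) + check_key_file(key.read()) + check_cname(cname)
    if not problems:
        try:
            ssl.create_default_context().load_cert_chain(cert_path, key_path)
        except ssl.SSLError as err:  # e.g. "key values mismatch" or a malformed PEM body
            problems.append(f"OpenSSL rejected the certificate/key pair: {err}")
    return problems


# Constructed sample inputs: "AAAA" is base64 filler, these are not real certificates or keys.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = SAMPLE_LEAF + "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

Run preflight("cert.pem", "key.pem", "www.contoso.com") against the real files; an empty list means the structural checks passed and OpenSSL accepted the pair.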

Enable TLS and deploy

To deploy (or redeploy) the service with TLS enabled, set the ssl_enabled parameter to "True" wherever it's applicable. Set the ssl_certificate parameter to the value of the certificate file. Set the ssl_key to the value of the key file.

Deploy on AKS and field-programmable gate array (FPGA)

Note

The information in this section also applies when you deploy a secure web service for the designer. If you aren't familiar with using the Python SDK, see What is the Azure Machine Learning SDK for Python?.

When you deploy to AKS, you can create a new AKS cluster or attach an existing one. For more information on creating or attaching a cluster, see Deploy a model to an Azure Kubernetes Service cluster.

The enable_ssl method can use a certificate that's provided by Microsoft or a certificate that you purchase.

  • When you use a certificate from Microsoft, you must use the leaf_domain_label parameter. This parameter generates the DNS name for the service. For example, a value of "contoso" creates a domain name of "contoso<six-random-characters>.<azureregion>.cloudapp.azure.com", where <azureregion> is the region that contains the service. Optionally, you can use the overwrite_existing_domain parameter to overwrite the existing leaf_domain_label.


    Important

    When you use a certificate from Microsoft, you don't need to purchase your own certificate or domain name.

    The following example demonstrates how to create a configuration that enables a TLS/SSL certificate from Microsoft:

    from azureml.core.compute import AksCompute
    # Config used to create a new AKS cluster and enable TLS
    provisioning_config = AksCompute.provisioning_configuration()
    # Leaf domain label generates a name using the formula
    #  "<leaf-domain-label>######.<azure-region>.cloudapp.azure.net"
    #  where "######" is a random series of characters
    provisioning_config.enable_ssl(leaf_domain_label = "contoso")
    
    
    # Config used to attach an existing AKS cluster to your workspace and enable TLS
    attach_config = AksCompute.attach_configuration(resource_group = resource_group,
                                          cluster_name = cluster_name)
    # Leaf domain label generates a name using the formula
    #  "<leaf-domain-label>######.<azure-region>.cloudapp.azure.net"
    #  where "######" is a random series of characters
    attach_config.enable_ssl(leaf_domain_label = "contoso")
    
  • When you use a certificate that you purchased, you use the ssl_cert_pem_file, ssl_key_pem_file, and ssl_cname parameters. The following example demonstrates how to use .pem files to create a configuration that uses a TLS/SSL certificate that you purchased:

    from azureml.core.compute import AksCompute
    # Config used to create a new AKS cluster and enable TLS
    provisioning_config = AksCompute.provisioning_configuration()
    provisioning_config.enable_ssl(ssl_cert_pem_file="cert.pem",
                                        ssl_key_pem_file="key.pem", ssl_cname="www.contoso.com")
    # Config used to attach an existing AKS cluster to your workspace and enable SSL
    attach_config = AksCompute.attach_configuration(resource_group = resource_group,
                                         cluster_name = cluster_name)
    attach_config.enable_ssl(ssl_cert_pem_file="cert.pem",
                                        ssl_key_pem_file="key.pem", ssl_cname="www.contoso.com")
    

For more information about enable_ssl, see AksProvisioningConfiguration.enable_ssl() and AksAttachConfiguration.enable_ssl().

Deploy on Azure Container Instances

When you deploy to Azure Container Instances, you provide values for the TLS-related parameters, as the following code snippet shows:

from azureml.core.webservice import AciWebservice

aci_config = AciWebservice.deploy_configuration(
    ssl_enabled=True, ssl_cert_pem_file="cert.pem", ssl_key_pem_file="key.pem", ssl_cname="www.contoso.com")

For more information, see AciWebservice.deploy_configuration().

Update your DNS

Next, you must update your DNS to point to the web service.

  • For Container Instances:

    Use the tools from your domain name registrar to update the DNS record for your domain name. The record must point to the IP address of the service.

    There can be a delay of minutes or hours before clients can resolve the domain name, depending on the registrar and the "time to live" (TTL) that's configured for the domain name.

  • For AKS:

    Warning

    If you used leaf_domain_label to create the service by using a certificate from Microsoft, don't manually update the DNS value for the cluster. The value should be set automatically.

    Update the DNS of the Public IP Address of the AKS cluster on the Configuration tab under Settings in the left pane. (See the following image.) The Public IP Address is a resource type that's created under the resource group that contains the AKS agent nodes and other networking resources.

    (Image: Azure Machine Learning: Securing web services with TLS)

Update the TLS/SSL certificate

TLS/SSL certificates expire and must be renewed. Typically this happens every year. Use the information in the following sections to update and renew your certificate for models deployed to Azure Kubernetes Service:

Update a Microsoft generated certificate

If the certificate was originally generated by Microsoft (when using the leaf_domain_label to create the service), use one of the following examples to update the certificate:

Important

  • If the existing certificate is still valid, use renew=True (SDK) or --ssl-renew (CLI) to force the configuration to renew it. For example, if the existing certificate is still valid for 10 days and you don't use renew=True, the certificate may not be renewed.
  • When the service was originally deployed, the leaf_domain_label was used to create a DNS name using the pattern <leaf-domain-label>######.<azure-region>.cloudapp.azure.net. To preserve the existing name (including the 6 digits originally generated), use the original leaf_domain_label value. Do not include the 6 digits that were generated.
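The naming rule above (and in the Deploy on AKS section) is easy to get wrong at renewal time, because the name you see in Azure already carries the 6 generated characters. The following Python is an added example, not code from the article or the SDK: it recovers the original leaf_domain_label from the generated service name and builds the SslConfiguration keyword arguments and the az ml CLI arguments the article shows for a renewal. It assumes the 6 generated characters are lowercase letters or digits, and accepts both the .cloudapp.azure.net and .cloudapp.azure.com suffixes, since the article shows each.

```python
import re

# Pattern of a Microsoft-generated service name:
#   <leaf-domain-label>######.<azure-region>.cloudapp.azure.net
# Assumptions: "######" is six lowercase letters or digits; ".com" is accepted as well.
GENERATED_NAME = re.compile(
    r"(?P<label>[a-z][a-z0-9-]*?)(?P<random>[a-z0-9]{6})"
    r"\.(?P<region>[a-z0-9]+)\.cloudapp\.azure\.(net|com)"
)


def original_leaf_label(dns_name):
    """The leaf_domain_label to pass at renewal: the generated name minus its 6 random characters."""
    match = GENERATED_NAME.fullmatch(dns_name.strip().lower())
    if match is None:
        raise ValueError(f"{dns_name!r} is not a leaf_domain_label-generated service name")
    return match.group("label")


def renewal_ssl_kwargs(dns_name):
    """Keyword arguments for SslConfiguration that keep the existing name and force renewal."""
    return {"leaf_domain_label": original_leaf_label(dns_name),
            "overwrite_existing_domain": True,
            "renew": True}


def renewal_cli_args(resource_group, workspace, cluster, dns_name):
    """The equivalent 'az ml computetarget update aks' argument list."""
    return ["az", "ml", "computetarget", "update", "aks",
            "-g", resource_group, "-w", workspace, "-n", cluster,
            "--ssl-leaf-domain-label", original_leaf_label(dns_name),
            "--ssl-overwrite-domain", "True", "--ssl-renew"]


def label_preserves_name(label, dns_name):
    """False when the label an operator typed would not keep the current name, for instance
    because it still includes the 6 generated characters."""
    return label.strip().lower() == original_leaf_label(dns_name)
```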

Use the SDK

from azureml.core.compute import AksCompute
from azureml.core.compute.aks import AksUpdateConfiguration
from azureml.core.compute.aks import SslConfiguration

# Get the existing cluster
aks_target = AksCompute(ws, clustername)

# Update the existing certificate by referencing the leaf domain label
ssl_configuration = SslConfiguration(leaf_domain_label="myaks", overwrite_existing_domain=True, renew=True)
update_config = AksUpdateConfiguration(ssl_configuration)
aks_target.update(update_config)

Use the CLI

az ml computetarget update aks -g "myresourcegroup" -w "myresourceworkspace" -n "myaks" --ssl-leaf-domain-label "myaks" --ssl-overwrite-domain True --ssl-renew

For more information, see the following reference docs:

Update a custom certificate

If the certificate was originally generated by a certificate authority, use the following steps:

  1. Use the documentation provided by the certificate authority to renew the certificate. This process creates new certificate files.

  2. Use either the SDK or the CLI to update the service with the new certificate:

    Use the SDK

    from azureml.core.compute import AksCompute
    from azureml.core.compute.aks import AksUpdateConfiguration
    from azureml.core.compute.aks import SslConfiguration
    
    # Read the certificate file
    def get_content(file_name):
        with open(file_name, 'r') as f:
            return f.read()
    
    # Get the existing cluster
    aks_target = AksCompute(ws, clustername)
    
    # Update cluster with custom certificate
    ssl_configuration = SslConfiguration(cname="myaks", cert=get_content('cert.pem'), key=get_content('key.pem'))
    update_config = AksUpdateConfiguration(ssl_configuration)
    aks_target.update(update_config)
    

    Use the CLI

    az ml computetarget update aks -g "myresourcegroup" -w "myresourceworkspace" -n "myaks" --ssl-cname "myaks" --ssl-cert-file "cert.pem" --ssl-key-file "key.pem"
    

For more information, see the following reference docs:

Disable TLS

To disable TLS for a model deployed to Azure Kubernetes Service, create an SslConfiguration with status="Disabled", then perform an update:

from azureml.core.compute import AksCompute
from azureml.core.compute.aks import AksUpdateConfiguration
from azureml.core.compute.aks import SslConfiguration

# Get the existing cluster
aks_target = AksCompute(ws, clustername)

# Disable TLS
ssl_configuration = SslConfiguration(status="Disabled")
update_config = AksUpdateConfiguration(ssl_configuration)
aks_target.update(update_config)

Next steps

Learn how to: