Speech Services: Restrict Outbound Access
What is the Speech service?
The Speech service provides speech to text and text to speech capabilities with a Speech resource.
It is one of the types of Cognitive Services accounts, identified by "type": "Microsoft.CognitiveServices/accounts" and "kind": "SpeechServices".
What is the restrictOutboundNetworkAccess property and why do we use it?
The restrictOutboundNetworkAccess property is used in Speech Services to enable data loss prevention. When this property is enabled, the Speech service connects only to the endpoints specified in its list of allowed FQDNs. For example, if you need to transcribe data that comes from a blob, the FQDN of your storage account should be in this list. If this property is not set to true, the Speech service won't be able to access your storage account.
Reference document explaining this property: https://learn.microsoft.com/en-us/azure/ai-services/cognitive-services-data-loss-prevention?tabs=azure-cli
How to enable or disable restrictOutboundNetworkAccess for Speech Services
You cannot deploy your Speech service manually from the Azure portal with the restrictOutboundNetworkAccess property set to true or false.
You can deploy Speech Services using ARM, PowerShell or Terraform with the restrictOutboundNetworkAccess property set to true or false.
Using CLI/PowerShell, reference: Data loss prevention - Azure AI services | Microsoft Learn
Using an ARM template, reference: Microsoft.CognitiveServices/accounts - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn
Sample code for deploying a Speech service with restrictOutboundNetworkAccess set to true and a list of allowed FQDNs, using a custom template deployment from the Azure portal
Please note that along with the restrictOutboundNetworkAccess property, we are also using allowedFqdnList, which contains the list of URLs that the Speech service is allowed to access.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "cognitiveServiceName": {
      "type": "String",
      "metadata": {
        "description": "Name of the Cognitive Service account"
      }
    },
    "location": {
      "defaultValue": "[resourceGroup().location]",
      "type": "String",
      "metadata": {
        "description": "Location for the Cognitive Service account"
      }
    },
    "sku": {
      "defaultValue": "F0",
      "allowedValues": [
        "F0",
        "S0"
      ],
      "type": "String",
      "metadata": {
        "description": "The pricing tier of the Cognitive Service account"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.CognitiveServices/accounts",
      "apiVersion": "2022-12-01",
      "name": "[parameters('cognitiveServiceName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('sku')]"
      },
      "kind": "SpeechServices",
      "properties": {
        "restrictOutboundNetworkAccess": true,
        "disableLocalAuth": true,
        "allowedFqdnList": [
          "microsoft.com"
        ]
      }
    }
  ]
}
The template above deploys your Speech service with restrictOutboundNetworkAccess set to true.
How to check whether restrictOutboundNetworkAccess is enabled or disabled for Speech Services
Go to the JSON view of the deployed resource and check whether the property is set to true or false.
Reference document with use cases for testing: Use Cases for Testing Restrictoutboundnetworkaccess for Speech Service - Microsoft Community Hub
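The JSON view check described above can be scripted. This is an added example, not code from the original article or from Microsoft: it audits a resource's JSON for the property and for required FQDNs such as the storage account used for transcription. The sample resource, its account and storage names, the helper names, and the assumption that list entries are compared as exact host names are all constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of the portal's JSON view for a Speech
# resource. The account and storage names are placeholders.
SAMPLE_RESOURCE = json.loads("""
{
  "name": "example-speech",
  "type": "Microsoft.CognitiveServices/accounts",
  "kind": "SpeechServices",
  "properties": {
    "restrictOutboundNetworkAccess": true,
    "disableLocalAuth": true,
    "allowedFqdnList": ["microsoft.com", "ExampleStorage.blob.core.windows.net"]
  }
}
""")

# Bare host name: dot-separated labels, no scheme, port or path.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def canon(host):
    """Canonical form used for comparison: lower case, no trailing dot."""
    return host.strip().lower().rstrip(".")


def audit_outbound(resource, required_fqdns=()):
    """Return a list of findings; an empty list means every check passed."""
    if resource.get("kind") != "SpeechServices":
        return ["not a SpeechServices account"]
    props = resource.get("properties") or {}
    entries = props.get("allowedFqdnList") or []
    findings = []
    # Only the JSON boolean true counts; a missing key or the string "true" does not.
    if props.get("restrictOutboundNetworkAccess") is not True:
        findings.append("restrictOutboundNetworkAccess is not true")
    findings += ["entry is not a bare FQDN: " + e for e in entries if not FQDN_RE.match(canon(e))]
    # Assumption: an entry allows a host only on an exact, case-insensitive match.
    allowed = {canon(e) for e in entries}
    findings += ["required FQDN missing from allowedFqdnList: " + f
                 for f in required_fqdns if canon(f) not in allowed]
    return findings


if __name__ == "__main__":
    needed = ["examplestorage.blob.core.windows.net"]
    for line in audit_outbound(SAMPLE_RESOURCE, needed) or ["OK"]:
        print(line)
```

To audit a real resource, paste the JSON view content into a file and pass the parsed object to audit_outbound together with the FQDNs your workload needs.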