Speech Services- Restrict Outbound Access

What is Speech Service

 

The Speech service provides speech to text and text to speech capabilities with a Speech resource

 

It is one of the types of Cognitive Accounts i.e.- type": "Microsoft.CognitiveServices/accounts and “kind": "SpeechServices",

 

What is restrictOutboundNetworkAccess property and why do we use it?

 

restrictOutboundNetworkAccess property is used in speech services to enable data loss prevention. When this property is enabled, the Speech service will connect only to the allowed endpoints as specified in the list of FQDN allowed endpoints. For e.g.-> if you need to transcribe data which comes from a blob, the FQDN of your storage account should be in this list. If this property  is not set as true, Speech service won’t be able to access your storage account.

Reference document which explains about this property- https://learn.microsoft.com/en-us/azure/ai-services/cognitive-services-data-loss-prevention?tabs=azure-cli

 

How to enable/Disable restrictOutboundNetworkAccess for Speech Services?

 

You cannot deploy your speech service manually from Azure Portal with “restrictOutboundNetworkAccess” property as true or false.

We can deploy Speech Services using ARM/PowerShell/terraform with property restrictOutboundNetworkAccess set as true or false

Using CLI/powershell, reference:- Data loss prevention - Azure AI services | Microsoft Learn

Using ARM template, reference: Microsoft.CognitiveServices/accounts - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn

 

Sample Code for Deploying Speech Service with restrictOutboundNetworkAccess as true and list of allowed FQDN using custom template deployment from Azure Portal

 

Please note that with restrictOutboundNetworkAccess property, we are also using allowedFqdnList which will include list of URL’s that can be accessible by Speech Services

 

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01 deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "cognitiveServiceName": {
            "type": "String",
            "metadata": {
                "description": "Name of the Cognitive Service account"
            }
        },
        "location": {
            "defaultValue": "[resourceGroup().location]",
            "type": "String",
            "metadata": {
                "description": "Location for the Cognitive Service account"
            }
        },
        "sku": {
            "defaultValue": "F0",
            "allowedValues": [
                "F0",
                "S0"
            ],
            "type": "String",
            "metadata": {
                "description": "The pricing tier of the Cognitive Service account"
            }
        }
    },
    "resources": [
        {
            "type": "Microsoft.CognitiveServices/accounts",
            "apiVersion": "2022-12-01",
            "name": "[parameters('cognitiveServiceName')]",
            "location": "[parameters('location')]",
            "sku": {
                "name": "[parameters('sku')]"
            },
            "kind": "SpeechServices",
            "properties": {
                "restrictOutboundNetworkAccess": true,
                "disableLocalAuth": true,
                "allowedFqdnList": [
                    "microsoft.com"
                ]
            }
        }
    ]
}

 

Above code will deploy your speech service with restrictOutboundNetworkAccess as “true”

 

How to check whether restrictOutboundNetworkAccess is enabled/disabled for Speech Services

 

We can go to JSON view of Deployed Resource and check if the property is set as “true” or “false”

 

 

Reference document for Use Cases of testing can be found here - Use Cases for Testing Restrictoutboundnetworkaccess for Speech Service - Microsoft Community Hub