Merge pull request #265466 from Blackmist/201156-architecture

v-dirichards · web-flow · commit e688a098b807 · 2024-02-12T15:14:11.000-06:00
initial writing
diff --git a/articles/ai-studio/concepts/ai-resources.md b/articles/ai-studio/concepts/ai-resources.md
@@ -107,22 +107,11 @@ Connections can be set up as shared with all projects in the same Azure AI hub r
 
 Azure AI Studio layers on top of existing Azure services including Azure AI and Azure Machine Learning services. While this might not be visible on the display names in Azure portal, AI Studio, or when using the SDK or CLI, some of these architectural details become apparent when you work with the Azure REST APIs, use Azure cost reporting, or use infrastructure-as-code templates such as Azure Bicep or Azure Resource Manager. From an Azure Resource Provider perspective, Azure AI Studio resource types map to the following resource provider kinds:
 
-|Resource type|Resource provider|Kind|
-|---|---|---|
-|Azure AI hub resources|Microsoft.MachineLearningServices/workspace|hub|
-|Azure AI project|Microsoft.MachineLearningServices/workspace|project|
-|Azure AI services|Microsoft.CognitiveServices/account|AIServices|
-|Azure AI OpenAI Service|Microsoft.CognitiveServices/account|OpenAI|
-
-When you create a new Azure AI hub resource, a set of dependent Azure resources are required to store data that you upload or get generated when working in AI Studio. If not provided by you, these resources are automatically created.
-
-|Dependent Azure resource|Note|
-|---|---|
-|Azure AI services|Either Azure AI services multi-service provider, or Azure OpenAI Service. Provides API endpoints and keys for prebuilt AI services.|
-|Azure Storage account|Stores artifacts for your projects like flows and evaluations. For data isolation, storage containers are prefixed using the project GUID, and conditionally secured using Azure ABAC for the project identity.|
-|Azure Key Vault| Stores secrets like connection strings for your resource connections. For data isolation, secrets can't be retrieved across projects via APIs.|
-|Azure Container Registry| Stores docker images created when using custom runtime for prompt flow. For data isolation, docker images are prefixed using the project GUID.|
-|Azure Application Insights| Used as log storage when you opt in for application-level logging for your deployed prompt flows.|
+[!INCLUDE [Resource provider kinds](../includes/resource-provider-kinds.md)]
+
+When you create a new Azure AI hub resource, a set of dependent Azure resources are required to store data that you upload or get generated when working in AI studio. If not provided by you, and required, these resources are automatically created.
+
+[!INCLUDE [Dependent Azure resources](../includes/dependent-resources.md)]
 
 ## Managing cost
 
diff --git a/articles/ai-studio/concepts/architecture.md b/articles/ai-studio/concepts/architecture.md
@@ -0,0 +1,107 @@
+---
+title: Architecture
+titleSuffix: Azure AI Studio
+description: Learn about the architecture of Azure AI Studio.
+manager: scottpolly
+ms.service: azure-ai-studio
+ms.topic: conceptual
+ms.date: 02/06/2024
+ms.reviewer: deeikele
+ms.author: larryfr
+author: Blackmist
+---
+
+# Azure AI Studio architecture 
+    
+[!INCLUDE [Azure AI Studio preview](../includes/preview-ai-studio.md)]
+
+AI Studio provides a unified experience for AI developers and data scientists to build, evaluate, and deploy AI models through a web portal, SDK, or CLI. It's built on capabilities and services provided by other Azure services.
+
+The top level AI Studio resources (AI hub and AI projects) are based on Azure Machine Learning. Other resources, such as Azure OpenAI, Azure AI Services, and Azure AI Search, are used by the AI hub and AI project.
+
+- **AI hub**: The AI hub is the top-level resource in AI Studio. The Azure resource provider for an AI hub is `Microsoft.MachineLearningServices/workspaces`, and the kind of resource is `Hub`. It provides the following features:
+    - Data upload and artifact storage.
+    - Hub-scoped connections to Azure services such as Azure OpenAI, Azure AI Services, and Azure AI Search.
+    - Base model endpoints for Azure OpenAI, Speech, and Vision.
+    - Compute resources.
+    - Security and governance.
+- **AI project**: An AI project is a child resource of the AI hub. The Azure resource provider for an AI project is `Microsoft.MachineLearningServices/workspaces`, and the kind of resource is `Project`. It inherits the AI hub's connections, and compute resources. When a new AI project is created from the AI hub, the security settings of the AI hub are applied to it. The AI project provides the following features:
+    - Groups of components such as datasets, models, and indexes.
+    - An isolated data container (within the storage inherited from the AI hub).
+    - Project-scoped connections. For example, a project might need access to data stored in a separate Azure Storage account.
+    - Open source model deployments from catalog and fine-tuned model endpoints.
+ 
+An AI hub can have multiple child AI projects. Each AI project can have its own set of project-scoped connections.
+
+:::image type="content" source="../media/concepts/azureai-hub-project-relationship.png" alt-text="Diagram of the relationship between AI Studio resources." lightbox="../media/concepts/azureai-hub-project-relationship.png":::
+
+### Tenant separation
+
+While most of the resources used by Azure AI Studio live in your Azure subscription, some resources exist in the Azure AI Studio tenant. The Azure AI Studio tenant is a separate Microsoft Entra ID tenant that provides some of the services used by Azure AI Studio. The following resources are in the Azure AI Studio tenant:
+
+- **Managed compute resources**: Provided by Azure Batch resources in the Azure AI Studio tenant.
+- **Managed virtual network**: Provided by Azure Virtual Network resources in the Azure AI Studio tenant. If FQDN rules are enabled, an Azure Firewall (standard) is added and charged to your subscription. For more information, see [Configure a managed virtual network for Azure AI Studio](../how-to/configure-managed-network.md).
+- **Metadata storage**: Provided by Azure Cosmos DB, Azure AI Search, and Azure Storage Account in the Azure AI Studio tenant. If you use customer-managed keys, these resources are created in your subscription. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context).
+ 
+## Azure resource providers
+
+Since Azure AI Studio is built from other Azure services, the resource providers for these services must be registered in your Azure subscription. The following table lists the resource, provider, and resource provider kinds:
+
+[!INCLUDE [Resource provider kinds](../includes/resource-provider-kinds.md)]
+
+When you create a new Azure AI hub resource, a set of dependent Azure resources are required to store data, manage security, and provide compute resources. The following table lists the dependent Azure resources and their resource providers:
+
+> [!TIP]
+> If you don't provide a dependent resource when creating an AI hub, and it's a required dependency, AI Studio creates the resource for you.
+
+[!INCLUDE [Dependent Azure resources](../includes/dependent-resources.md)]
+
+For information on registering resource providers, see [Register an Azure resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider).
+
+## Role-based access control and control plane proxy
+
+Azure AI Services and Azure OpenAI provide control plane endpoints for operations such as listing model deployments. These endpoints are secured using a separate Azure role-based access control (RBAC) configuration than the one used for Azure AI hub. 
+
+To reduce the complexity of Azure RBAC management, AI Studio provides a *control plane proxy* that allows you to perform operations on connected Azure AI Services and Azure OpenAI resources. Performing operations on these resources through the control plane proxy only requires Azure RBAC permissions on the AI hub. The Azure AI Studio service then performs the call to the Azure AI Services or Azure OpenAI control plane endpoint on your behalf.
+
+For more information, see [Role-based access control in Azure AI Studio](rbac-ai-studio.md).
+
+## Encryption
+
+Azure AI Studio uses encryption to protect data at rest and in transit. By default, Microsoft-managed keys are used for encryption, however you can use your own encryption keys. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context).
+
+## Virtual network
+
+Azure AI hub can be configured to use a *managed* virtual network. The managed virtual network secures communications between the AI hub, AI projects, and managed resources such as computes. If your dependency services (Azure Storage, Key Vault, and Container Registry) have public access disabled, a private endpoint for each dependency service is created to secure communication between the AI hub/project and the dependency service.
+
+> [!NOTE]
+> If you want to use a virtual network to secure communications between your clients and the AI hub or AI project, you must use an Azure Virtual Network that you create and manage. For example, an Azure Virtual Network that uses a VPN or ExpressRoute connection to your on-premises network.
+
+For more information on how to configure a managed virtual network, see [Configure a managed virtual network for Azure AI Studio](../how-to/configure-managed-network.md).
+
+## Azure Monitor
+
+Azure monitor and Azure Log Analytics provide monitoring and logging for the underlying resources used by Azure AI Studio. Since Azure AI Studio is built on Azure Machine Learning, Azure OpenAI, Azure AI Services, and Azure AI Search, use the following articles to learn how to monitor the services:
+
+| Resource | Monitoring and logging |
+| --- | --- |
+| Azure AI hub and AI project | [Monitor Azure Machine Learning](/azure/machine-learning/monitor-azure-machine-learning) |
+| Azure OpenAI | [Monitor Azure OpenAI](/azure/ai-services/openai/how-to/monitoring) |
+| Azure AI Services | [Monitor Azure AI (training)](/training/modules/monitor-ai-services/) |
+| Azure AI Search | [Monitor Azure AI Search](/azure/search/monitor-azure-cognitive-search) |
+
+## Price and quota
+
+For more information on price and quota, use the following articles:
+
+- [Plan and manage costs](../how-to/costs-plan-manage.md)
+- [Commitment tier pricing](../how-to/commitment-tier.md)
+- [Quota management](../how-to/quota.md)
+
+## Next steps
+
+Create an AI hub using one of the following methods:
+
+- [Azure AI Studio](../how-to/create-azure-ai-resource.md#create-an-azure-ai-hub-resource-in-ai-studio): Create an AI hub for getting started.
+- [Azure portal](../how-to/create-azure-ai-resource.md#create-a-secure-azure-ai-hub-resource-in-the-azure-portal): Create an AI hub with your own networking, encryption, identity and access management, dependent resources, and resource tag settings.
+- [Bicep template](../how-to/create-azure-ai-hub-template.md).
diff --git a/articles/ai-studio/includes/dependent-resources.md b/articles/ai-studio/includes/dependent-resources.md
@@ -0,0 +1,20 @@
+---
+ title: include file
+ description: include file
+ author: Blackmist
+ ms.reviewer: larryfr
+ms.author: larryfr
+ ms.service: azure-ai-studio
+ ms.topic: include
+ ms.date: 02/09/2024
+ ms.custom: include
+---
+
+|Dependent Azure resource|Resource provider|Optional|Note|
+|---|---|:---:|---|
+| Azure AI Search|`Microsoft.Search/searchServices`|✔|Provides search capabilities for your projects.|
+|Azure Storage account|`Microsoft.Storage/storageAccounts`||Stores artifacts for your projects like flows and evaluations. For data isolation, storage containers are prefixed using the project GUID, and conditionally secured using Azure ABAC for the project identity.|
+|Azure Key Vault|`Microsoft.KeyVault/vaults`||Stores secrets like connection strings for your resource connections. For data isolation, secrets can't be retrieved across projects via APIs.|
+|Azure Container Registry|`Microsoft.ContainerRegistry/registries`|✔|Stores docker images created when using custom runtime for prompt flow. For data isolation, docker images are prefixed using the project GUID.|
+|Azure Application Insights &<br>Log Analytics Workspace| `Microsoft.Insights/components`<br>`Microsoft.OperationalInsights/workspaces` ||Used as log storage when you opt in for application-level logging for your deployed prompt flows.|
+
diff --git a/articles/ai-studio/includes/resource-provider-kinds.md b/articles/ai-studio/includes/resource-provider-kinds.md
@@ -0,0 +1,16 @@
+---
+ title: include file
+ description: include file
+ author: Blackmist
+ ms.reviewer: larryfr
+ms.author: larryfr
+ ms.service: azure-ai-studio
+ ms.topic: include
+ ms.date: 02/09/2024
+ ms.custom: include
+---
+
+|Resource type|Resource provider|Kind|
+|---|---|---|
+|Azure AI hub resource and</br>Azure AI project|`Microsoft.MachineLearningServices/workspace`|`hub`</br>`project`|
+|Azure AI services *or*</br>Azure AI OpenAI Service|`Microsoft.CognitiveServices/account`|`AIServices`</br>`OpenAI`|
diff --git a/articles/ai-studio/media/concepts/azureai-hub-project-relationship.png b/articles/ai-studio/media/concepts/azureai-hub-project-relationship.png
diff --git a/articles/ai-studio/toc.yml b/articles/ai-studio/toc.yml
@@ -8,6 +8,8 @@
   - name: What are AI services?
     href: ../ai-services/what-are-ai-services.md?context=/azure/ai-studio/context/context
     displayName: applied, cognitive, form recognizer
+  - name: Azure AI Studio architecture
+    href: concepts/architecture.md
   - name: Region support
     href: reference/region-support.md
   - name: What's new in Azure AI Studio?
