Merge pull request #51222 from MicrosoftDocs/EW-prevent-azure-machine-learning-data-exfiltration

New Module: prevent azure machine learning data exfiltration

Author: AnnaMHuff

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/1-prevent-data-exfiltration-azure-ai-workloads.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.prevent-data-exfiltration-azure-ai-workloads.prevent-data-exfiltration-azure-ai-workloads
+title: Prevent data exfiltration from Azure AI Workloads
+metadata:
+  title: Prevent Data Exfiltration From Azure AI Workloads
+  description: Understand data exfiltration risks in Azure AI workloads and how to mitigate them.
+  ms.date: 07/01/2025
+  author: Orin-Thomas
+  ms.author: viniap
+  ms.topic: unit
+durationInMinutes: 2
+content: |
+  [!include[](includes/1-prevent-data-exfiltration-azure-ai-workloads.md)]

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/2-exfiltration-prevention-azure-ai-services.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.prevent-data-exfiltration-azure-ai-workloads.exfiltration-prevention-azure-ai-services
+title: Exfiltration prevention for Azure AI services
+metadata:
+  title: Exfiltration Prevention for Azure AI Services
+  description: Prevent data exfiltration in Azure AI services by implementing best practices and security measures.
+  ms.date: 07/01/2025
+  author: Orin-Thomas
+  ms.author: viniap
+  ms.topic: unit
+durationInMinutes: 5
+content: |
+  [!include[](includes/2-exfiltration-prevention-azure-ai-services.md)]

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/3-azure-machine-learning-data-exfiltration-prevention.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.prevent-data-exfiltration-azure-ai-workloads.azure-machine-learning-data-exfiltration-prevention
+title: Azure Machine Learning data exfiltration prevention
+metadata:
+  title: Azure Machine Learning Data Exfiltration Prevention
+  description: Prevent data exfiltration in Azure Machine Learning by implementing best practices and security measures.
+  ms.date: 07/01/2025
+  author: Orin-Thomas
+  ms.author: viniap
+  ms.topic: unit
+durationInMinutes: 6
+content: |
+  [!include[](includes/3-azure-machine-learning-data-exfiltration-prevention.md)]

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/4-knowledge-check.yml

@@ -0,0 +1,47 @@
+### YamlMime:ModuleUnit
+uid: learn.prevent-data-exfiltration-azure-ai-workloads.knowledge-check
+title: Knowledge check
+metadata:
+  title: Knowledge Check
+  description: Check your knowledge.
+  ms.date: 07/01/2025
+  author: Orin-Thomas
+  ms.author: viniap
+  ms.topic: unit
+durationInMinutes: 4
+content: Choose the best response for each question.
+quiz:
+  questions:
+    - content: "You're tasked with enabling data exfiltration prevention for an Azure OpenAI service in your organization. You want to restrict outbound traffic to avoid data being sent to unauthorized locations. What do you need to configure?"
+      choices:
+        - content: "Disable outbound traffic and allow for in-Azure communication only."
+          isCorrect: false
+          explanation: "Disabling outbound traffic will completely shut off the Azure AI service affected."
+        - content: "Enable the restriction for outbound traffic and configure the list of approved FQDNs."
+          isCorrect: true
+          explanation: "Disabling outbound traffic and configuring the allowed FQDNs allow the service to function properly while limiting the ability of a malicious individual to extract data."
+        - content: "Configure the list of approved FQDNs so data can only be sent to those."
+          isCorrect: false
+          explanation: "The list of allowed FQDNs has no effect if the outbound traffic hasn't been disabled previously."
+    - content: "How can you restrict Inbound traffic for compute instances or clusters using a public IP address in Azure Machine Learning?"
+      choices:
+        - content: "Restrict traffic using a network security group (NSG) and service tags."
+          isCorrect: true
+          explanation: "NSGs can block unauthorized traffic while allowing for legitimate requests to go through."
+        - content: "Block port 44224 for the compute or cluster instance."
+          isCorrect: false
+          explanation: "Blocking port 44224 prevents Azure Machine Learning from responding to requests and shut off the service."
+        - content: "Allow only HTTPS traffic (port 443) for the compute or cluster instance."
+          isCorrect: false
+          explanation: "Azure Machine Learning doesn't, by default, respond to traffic on port 443 for HTTPS requests."
+    - content: "You want to add another security layer to prevent data exfiltration on an Azure Machine Learning environment. How can you control the outbound traffic to allowed storage accounts only?"
+      choices:
+        - content: "Use 3rd party storage accounts only."
+          isCorrect: false
+          explanation: "The usage of 3rd party storage accounts by itself doesn't prevent data exfiltration."
+        - content: "Use Storage accounts on different Azure subscriptions."
+          isCorrect: false
+          explanation: "Storage accounts on different Azure subscriptions still allow unchecked outbound traffic."
+        - content: "Use Service endpoint policies."
+          isCorrect: true
+          explanation: "Service endpoint policies let you filter outbound network traffic to specific Azure Storage accounts, limiting data exfiltration."

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/5-summary.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.prevent-data-exfiltration-azure-ai-workloads.summary
+title: Summary
+metadata:
+  title: Summary
+  description: Module summary.
+  ms.date: 07/01/2025
+  author: Orin-Thomas
+  ms.author: viniap
+  ms.topic: unit
+durationInMinutes: 1
+content: |
+  [!include[](includes/5-summary.md)]

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/includes/1-prevent-data-exfiltration-azure-ai-workloads.md

@@ -0,0 +1,7 @@
+Exfiltration is a specific form of data loss where data is deliberately transferred to an external destination by a malicious actor. AI workloads, like any other workload running in the cloud, are potential avenues of data loss through exfiltration.
+
+Exfiltration poses significant risks to organizations, including potential breaches of privacy, financial losses, and damage to reputation. Implementing robust exfiltration prevention measures is essential to protect sensitive data from leaving the secure environment.
+
+A strategy to prevent data exfiltration involves applying security controls to all resources in an AI workload. In this module we focus specifically on the security controls and configuration you can apply to Azure AI services and Azure Machine Learning to address attempts at exfiltration.
+
+[![Diagram of a high security tenant transferring data to a low security tenant that then has access to output data to untrusted data sources.](../media/exfiltration-inbound-outbound.svg)](../media/exfiltration-inbound-outbound-big.png#lightbox)

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/includes/2-exfiltration-prevention-azure-ai-services.md

@@ -0,0 +1,64 @@
+Azure AI services exfiltration prevention capabilities allow you to configure a list of outbound URLs your Azure AI services resources are permitted to access. In limiting outbound traffic to authorized URLs only, you can reduce the chance a malicious actor transmits data outside of your organization.
+
+The following services support data loss prevention configuration:
+
+- Azure OpenAI
+- Azure AI Vision
+- Content Moderator
+- Custom Vision
+- Face
+- Document Intelligence
+- Speech Service
+- QnA Maker
+
+To enable exfiltration prevention for an AI service, you need to complete two steps. The first step is to set the property restrictOutboundNetworkAccess on the AI service resource to true. You then need to provide a list of approved URLs you wish to allow the AI service to access by adding those URLs to the allowedFqdnList property. This property supports up to 1,000 URLs, including both IPv4 addresses and fully qualified domain names.
+
+You can use Cloud Shell to configure exfiltration protection for Azure AI services by performing the following steps.
+
+1. In the Azure portal, select the Cloud Shell icon on the top-right corner of the portal to start a session.
+1. Select Bash.
+1. List all cognitive service accounts using the following command:
+
+    ```azurecli
+       az cognitiveservices account list -output table
+    ```
+
+1. Find out if network access outbound is allowed on the account in use using the following command:
+
+    ```azurecli
+       az cognitiveservices account show -g "myResourceGroup" -n "Account Name" | grep Network Access
+    ```
+
+   [![Screenshot that displays output of command checking status of cognitive services.](../media/show-exfiltration-configuration.svg)](../media/show-exfiltration-configuration-big.png#lightbox)
+
+1. The result of this command informs you if public network access is enabled for the service and if any outbound restrictions are set.
+1. Check to see if there's a Fully Qualified Domain Name list of allowed addresses.
+
+    ```azurecli
+       az cognitive services account show -g "myResourceGroup" -n "AccountName" | grep Fqdn
+    ```
+
+1. The next command uses the rest protocol to patch the Azure OpenAI instance so that network access will be restricted and the allowed FQDN list will be set to "microsoft.com".
+
+    ```azurecli
+       az rest -m patch -u /subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.CognitiveServices/accounts/{account name}?api-version=2024-10-01 -b '{"properties": { "restrictOutboundNetworkAccess": true, "allowedFqdnList": [ "microsoft.com" ] }}'
+    ```
+
+1. After issuing the command, wait up to 15 minutes for settings to take effect.
+1. Check if outbound access is restricted using the command we used previously.
+
+    ```azurecli
+       az cognitiveservices account show -g "myResourceGroup" -n "Account Name" | grep Network Access
+    ```
+
+1. Restrict Outbound Network access is now set to true.
+1. The next command we'll send to a text file so that we can edit the file using nano.
+
+    ```azurecli
+       az cognitiveseervices account show -g "MyResourceGroup" -n "accountName' > "myfile".txt
+       nano "myfile".txt
+    ```
+
+1. The output shows Microsoft.com in the allowed FQDN list.
+
+   [![Screenshot showing the contents of the output text file in the editor.](../media/editor-list.svg)](../media/editor-list-big.png#lightbox)

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/includes/3-azure-machine-learning-data-exfiltration-prevention.md

@@ -0,0 +1,69 @@
+Azure Machine Learning relies on multiple inbound and outbound dependencies. Some of these dependencies can expose a data exfiltration risk by malicious agents within your organization.
+
+If your compute instance or cluster uses a public IP address, you have an inbound on the _azuremachinelearning_ service tag (port 44224). You can control this inbound traffic by using a network security group (NSG) and service tags.
+
+Outbound traffic is the most common route for data exfiltration. When storage outbound and Azure Front Door outbound traffic is not configured properly, it can lead to exfiltration.  However, storage outbound traffic is a requirement for compute instances and compute clusters in an Azure Machine Learning deployment.
+
+- A malicious agent can use this outbound rule by provisioning and saving data in their own storage account. You can remove these risks by using an Azure Service Endpoint policy and Azure Batch’s simplified node communication architecture.
+- Azure Front door is used by the Azure Machine Learning studio UI and AutoML. Instead of allowing outbound to the service tag (AzureFrontDoor.frontend), switch to the following fully qualified domain names (FQDN):
+
+  - ml.azure.com
+  - automlresources-prod-d0eaehh7g8andvav.b02.azurefd.net
+
+Switching to these FQDNS removes unnecessary outbound traffic
+
+## Service endpoint policies
+
+Service endpoint policies let you filter virtual network traffic to specific Azure Storage accounts, limiting data exfiltration. Azure Machine Learning compute instances and clusters need access to Microsoft-managed storage for provisioning. The service endpoint policies' Azure Machine Learning alias includes these accounts to prevent data exfiltration or control destination storage accounts. To configure Service Endpoint policies:
+
+1. **From the Azure portal, search for Service Endpoint Policy and click + Create to start.**
+1. **On the Basics tab, provide the required fields and then select Next.**
+1. On the Policy definitions tab, select** +Add a resource** and then provide the following information:
+   - **Service**: Microsoft.Storage
+   - **Scope**: Select the scope as a Single Account to limit the network traffic to one storage account.
+   - **Subscription**: The Azure subscription that contains the storage account.
+   - **Resource Group**: The Resource Group that contains the storage account
+   - **Resource**: The default storage account of the workspace
+1. Select **Add** to add the resource information.
+1. Select **+Add an alias** and then select _/services/Azure/MachineLearning_ as the Server Alias value.  Select **Add** to add the alias.
+
+    [![A screenshot showing the configuration of a service endpoint policy in the Azure portal.](../media/service-endpoint-policy.svg)](../media/service-endpoint-policy-big.png#lightbox)
+
+1. Select **Review + Create, then Create**
+
+## Inbound and outbound network traffic
+
+When using Azure Machine Learning **compute instance** _with a public IP address_, allow inbound traffic from Azure Batch management (service tag BatchNodeManagement.\<region>). A compute instance _with no public IP_ **doesn't** require this inbound communication.
+
+For outbound traffic, there are two options customers might be using:
+
+- Service tag/NSG: Allow outbound traffic to the following **service tags**. Replace \<region> with the Azure region that contains your compute cluster or instance:
+
+| **Service tag** | **Protocol** | **Port** |
+|---|---|---|
+| **BatchNodeManagement.\<region>** | ANY | 443 |
+| **AzureMachineLearning** | TCP | 443 |
+| **Storage.\<region>** | TCP | 443 |
+
+- Firewall: Allow outbound traffic over **ANY port 443** to the following FQDNs. Replace instances of \<region> with the Azure region that contains your compute cluster or instance:
+
+  - *.\<region>.batch.azure.com
+  - *.\<region>.service.batch.azure.com
+
+> [!NOTE]
+> If you enable the service endpoint on the subnet used by your firewall, you must open outbound traffic to the following hosts over **TCP port 443**:
+> 
+> - *.blob.core.windows.net
+> - *.queue.core.windows.net
+> - *.table.core.windows.net
+
+## Enable storage endpoint for the subnet
+
+Use the following steps to enable a storage endpoint for the subnet that contains your Azure Machine Learning compute clusters and compute instances:
+
+1. From the Azure portal, select the **Azure Virtual Network** for your Azure Machine Learning workspace.
+1. From the left of the page, select **Subnets** and then select the subnet that contains your compute cluster and compute instance.
+1. In the form that appears, expand the **Services** dropdown and then enable **Microsoft.Storage**. Select **Save** to save these changes.
+1. Apply the service endpoint policy to your workspace subnet.
+
+[![A screenshot showing the edit subnet option in the Azure Portal.](../media/edit-subnet.svg)](../media/edit-subnet-big.png#lightbox)

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/includes/5-summary.md

@@ -0,0 +1,8 @@
+In this module, you learned about mechanisms to prevent data exfiltration for AI workloads on Azure and how to configure exfiltration prevention for Azure Machine Learning workloads.
+
+## Learn more
+
+For more information about how to prevent data loss and exfiltration for AI workloads on Azure, see the following article:
+
+- [Configure data loss prevention for Azure AI services](/azure/ai-services/cognitive-services-data-loss-prevention)
+- [Azure Machine Learning data exfiltration prevention](/azure/machine-learning/how-to-prevent-data-loss-exfiltration)

learn-pr/advocates/prevent-azure-machine-learning-data-exfiltration/index.yml

@@ -0,0 +1,37 @@
+### YamlMime:Module
+uid: learn.prevent-data-exfiltration-azure-ai-workloads
+metadata:
+  ms.author: viniap
+  author: Orin-Thomas
+  ms.date: 07/01/2025
+  title: Prevent data exfiltration from Azure AI workloads
+  description: Overview of how to prevent data exfiltration for AI workloads running on Microsoft Azure.
+  ms.topic: module
+  ms.service: azure-machine-learning
+  ms.collection: ce-advocates-ai-copilot
+title: Prevent data exfiltration from Azure AI Workloads
+summary: Learn how to configure Azure Machine Learning and Azure AI services workloads to prevent data exfiltration.
+abstract: |
+    After completing this module, you will be able to: 
+    - Understand mechanisms to prevent data exfiltration for AI workloads on Azure
+    - Configure exfiltration prevention for Azure AI services and Azure Machine Learning
+prerequisites: |
+    To get the most out of this module, you should have:
+    - Fundamental security concepts 
+    - Fundamental AI concepts 
+    - Fundamental Azure Machine Learning concepts
+iconUrl: /learn/achievements/generic-badge.svg
+levels:
+- beginner
+roles:
+- developer
+products:
+- azure
+units:
+- learn.prevent-data-exfiltration-azure-ai-workloads.prevent-data-exfiltration-azure-ai-workloads
+- learn.prevent-data-exfiltration-azure-ai-workloads.exfiltration-prevention-azure-ai-services
+- learn.prevent-data-exfiltration-azure-ai-workloads.azure-machine-learning-data-exfiltration-prevention
+- learn.prevent-data-exfiltration-azure-ai-workloads.knowledge-check
+- learn.prevent-data-exfiltration-azure-ai-workloads.summary
+badge:
+  uid: learn.prevent-data-exfiltration-azure-ai-workloads-badge