Azure ML Studio + CORS: Security vs Flexibility
Updated: Nov 19, 2021
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
Stephane Nappo, Global Head Information Security for Société Générale International Banking
One of the most attractive things about Azure ML Studio is the ability to quickly deploy your trained model as a web service. Moreover, a sample code (in C#, Python and R) is provided to call your API from any modern client, which makes it extremely easy to integrate into your website or a desktop application.
Where there is a will there is a way.
Fortunately, there are several workarounds that we are going to discuss now.
Firstly, it is possible to disable the CORS using API Management Service. If you have already faced this issue you have surely seen this post in stackoverflow (https://stackoverflow.com/questions/27987910/azure-machine-learning-cors/52111270#52111270), which says that in order to allow CORS using API Management service you should enable it in the API configuration page. However, as the stackoverflow users have mentioned, it requires paying even more money, as it requires your web service to be wrapped into another web service. Well, that’s true and that’s really disappointing. Hopefully this feature will be added in the nearest future.
Secondly, to conform AML CORSE restrictions, it is possible to host your own web application (instead of having a wrapper service), for instance an ASP.NET webpage, and invoke your web service from there. This solution I have found from the AML Studio official book and this seems much more attractive for me. Ok, I admit, it requires additional development, but at least I do not have to pay extra money for hosting another service.
To sum up, basically we have two solutions to overcome this limitation:
First, host your own web service, providing CORS support, which will invoke your web service. This is faster, allows invoking the service on behalf of different web and mobile clients but requires additional payment.
Second, you may host your own web application and invoke the service from there. This solution is for greedy and hardworking ones but allows making your solution more flexible.
Good luck and keep learning!