Olli-Pekka Heinisuo
Perustaja, Senior Software Architect
icon

Unlocking Qdrant + Python on Azure: A Guide to Deployment and Authentication

We have been using Qdrant, a vector search engine and embedding store with advanced filtering capabilities, here at Softlandia for LLM-related tasks for some time now. It's easy to use locally, but how about the cloud? We want to deploy it to Azure, secure it, and set up access control so only authorized users can use it. No worries, that's exactly what we'll cover today!

On Github, Qdrant’s developers have provided several approaches to deploying the database to Azure. To complement their excellent work, we will add a new approach. So, let's tackle this from a different angle. We will use Azure Web App for Containers and set up secure access control with Azure's built-in app service authentication.

This guide will walk you through deploying Qdrant with an Azure Resource Manager (ARM) template, setting up authentication with Azure's app service, and validating the setup with a Python script.

Are you ready to start? Excellent!

Step 1: Deploying Qdrant Using the ARM Template

We'll begin by deploying Qdrant to Azure App Service using an ARM template, a blueprint that simplifies deploying multiple resources to Azure. Our ARM template will handle the App Service Plan and the Linux container application. You will need an Azure account to use the template. The Qdrant Docker image is pre-configured into the template and will be fetched from Docker Hub. Remember that the App Service Plan SKU needs to be at least B1 because shared plans are unsuitable for Linux workloads.

You can find the ARM template from Softlandia GitHub. To deploy it, click the "Deploy to Azure" button on the README or this deploy link. Fill in the required fields and let Azure do its magic. We'll use the Azure Portal for this guide instead of the command line interface for clarity.

ARM template deployment in Azure

Once ready to deploy, click “Review and Create” and then “Create.” The deployment process should take about a minute to complete.

Step 2: Setting up App Service Authentication

With Qdrant set up, it's time to secure it. In your Azure portal, navigate to the App Service you created. Here's how to enable authentication:

  1. Enable Authentication: From the left side menu, under "Settings," click on "Authentication."

  2. Configure Identity Provider: Next, click "Add identity provider."

  3. Configure Settings: Replace the “GetStartedWebApp” in the example below with your app's name in the setup wizard.

App Service authentication configuration

Remember to save your changes. Now, your Qdrant service is secured! To confirm, try accessing the app in an incognito browser. You should be redirected to the Microsoft login page.

Next, locate the application registration ID, the App (client) ID, on the Authentication page. You'll need this for the next step. Check out the image below for the ID location.

App ID location in the Authentication page

Step 3: Accessing the Qdrant Database

Now, we'll test the secured Qdrant service with a Python script. We'll simulate two scenarios: a developer accesses Qdrant in a shared Azure environment, and another service inside the Azure cloud accesses Qdrant.

Before proceeding, ensure the Azure Identity and Qdrant Client Python libraries are installed. You can install these with the command: pip install azure-identity qdrant-client.

Here's a Python script that accesses the Qdrant database from the developer's local environment:

from qdrant_client import QdrantClient

from azure.identity import ManagedIdentityCredential, DefaultAzureCredential

QDRANT_APP_ID = "your_qdrant_app_id"
QDRANT_APP_NAME = "your_web_app_name"

def get_user_token():
    credential = DefaultAzureCredential(exclude_interactive_browser_credential=False)
    result = credential.get_token(f"api://{QDRANT_APP_ID}/user_impersonation")
    return result.token

client = QdrantClient(
    url=f"https://{QDRANT_APP_NAME}.azurewebsites.net",
    port=443,
    metadata={"Authorization": f"Bearer {get_user_token()}"},
)

result = client.get_collections()
print(result.collections)

Replace your_qdrant_app_id with the App ID from the previous step and your_web_app_name with your app name. You'll be prompted to log in to your Microsoft account upon running this script. This retrieves a token that is passed to the Qdrant client API. The Azure App Service’s built-in authentication checks this token before granting access to the Qdrant API.

Managed Identity -based Access

If your database client code runs within Azure, you can leverage Azure's 'managed identity' feature, which gives your app secure access to other Azure services. To use managed identity, enable 'system assigned managed identity' in the Azure resource running your client code. Then, you can use ManagedIdentityCredential instead of DefaultAzureCredential to fetch the token.

def get_managed_identity_token():
    credential = ManagedIdentityCredential()
    result = credential.get_token(f"api://{QDRANT_APP_ID}/.default")
    return result.token

Summary

Congratulations, you've successfully deployed Qdrant on Azure Web App for Containers and added an extra layer of security with Azure's built-in app service authentication! The fantastic thing is that you don't need to share any secrets with your development team if they want to use a shared QDrant development instance. The same applies to Azure - no need to pass secrets to the client service due to the excellent managed identity feature.

Remember, you'll likely need additional security measures for a production environment. Similarly, App Service -based deployment should cover basic vector database needs, but it won't scale for the most demanding workloads.

Here, at Softlandia we take data privacy and security issues very seriously, especially when it comes to handling corporate information. That is why we just have launched a Generative AI solution YOKOT.AI designed specifically for Enterprise use with strict data privacy governance in mind.

Also, be sure to check out the Qdrant documentation for more information on how to use your newly-deployed tool. Feel free to reach out if you need assistance with cloud-native development in Azure.