Trusted Research Environments (TRE) enforce a secure boundary around distinct workspaces to enable information governance controls to be enforced.

A Trusted Research Environment (typically one per organization, or one per department in large organizations) consists of:

- One Composition Service (API, deployment engine etc. used to manage and deploy workspaces, workspace services and user resources)
- One set of Shared Services used by all workspaces.
- A number of Workspaces, where each workspace is its own security boundary, and in turn contains Workspace Services and User Resources.

The Composition Service offers an abstraction over the lower-level Azure resources to allow for TRE users to provision resources in terms of workspaces and workspace services.

The Composition Service reconciles the desired state with the actual state by invoking Azure resource deployments.

The Composition Service is fronted by an API that helps the TRE Admin, TRE Workspace Owners and TRE Researchers create and manage the workspaces and workspace services.

Shared Services

A service provides one or more capabilities to you as a user of the TRE or to the TRE itself. Depending on the type of the service, it is scoped to the environment and shared across all workspaces (Shared Service) or scoped to a specific workspace (Workspace Service).

The types of services required for a research project vary greatly, which is why extensibility is a key aspect of the Azure TRE solution. New services can be developed by you and your organization to fit your needs.

Shared Services are services and resources shared by all workspaces. These services are created once, when the TRE is deployed, and are managed by the TRE Administrator.

A workspace is a set of resources on a network, with inbound traffic restricted to authorised users, and outbound access restricted to defined network locations.

The workspace is a security boundary and there should be zero transfer of data out from the workspace unless explicitly configured. Data transfer is not restricted within a workspace.

The workspace itself contains only the bare essentials to provide this functionality, such as virtual network(s), storage etc.

Workspaces can be enhanced with one or more building blocks called workspace services like Azure ML, Guacamole etc. to allow functionality such as development of machine learning models, data engineering, data analysis and software development.

Multiple workspaces can be created within a single Trusted Research Environment to enable the required separation for your projects.

Each workspace has workspace users: a workspace owner (normally only one), and one or more workspace researchers that can access the data and workspace services in the workspace. The workspace owner is also considered a workspace researcher.

Workspace Service

A workspace service is a service, created as a building block, with a pre-configured set of resources that can be applied to a workspace.

Unlike shared services, a workspace service is only accessible to the workspace users.

Some workspace services, such as Guacamole, allow users to add on user-specific resources (user resources).

All workspace services can be deployed to all workspaces.

User Resource

A user resource is a resource that is only available to a particular researcher. For example, a virtual machine exposed by Guacamole.

User resources can be deployed to workspaces with a compatible workspace service. Guacamole VMs can only be deployed to workspaces where the Guacamole workspace service is deployed.

In order to deploy resources (workspaces, workspace services, user resources), the resources have to be defined in templates.

A template contains everything needed to create an instance of the resource.
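The scoping rules stated on this page for workspace services and user resources can be written down as a small deny-by-default model, which makes them easy to test when reviewing a TRE design. This is an added example, not Azure TRE code: the class and function names, the `guacamole-vm` kind and the `REQUIRED_SERVICE` mapping are assumptions made for illustration, and shared services are left out.

```python
from dataclasses import dataclass, field

# Added model of the page's scoping rules; class and function names are
# hypothetical and are not the Azure TRE API.
@dataclass(eq=False)
class Workspace:
    name: str
    owner: str
    researchers: set = field(default_factory=set)
    services: dict = field(default_factory=dict, repr=False)  # kind -> service

    def users(self):
        # The workspace owner is also considered a workspace researcher.
        return self.researchers | {self.owner}

@dataclass(eq=False)
class WorkspaceService:
    kind: str
    workspace: Workspace

@dataclass(eq=False)
class UserResource:
    kind: str
    service: WorkspaceService
    researcher: str

# Constructed mapping: user resource kind -> workspace service it requires.
REQUIRED_SERVICE = {"guacamole-vm": "guacamole"}

def deploy_service(ws, kind):
    # All workspace services can be deployed to all workspaces.
    ws.services[kind] = WorkspaceService(kind, ws)
    return ws.services[kind]

def deploy_user_resource(ws, kind, researcher):
    if researcher not in ws.users():
        raise PermissionError(f"{researcher} is not a user of {ws.name}")
    svc = ws.services.get(REQUIRED_SERVICE.get(kind))
    if svc is None:
        raise ValueError(f"{ws.name} has no workspace service compatible with {kind}")
    return UserResource(kind, svc, researcher)

def can_access(user, resource):
    if isinstance(resource, UserResource):
        # Available only to one particular researcher.
        return user == resource.researcher
    if isinstance(resource, WorkspaceService):
        # Accessible only to the users of its own workspace.
        return user in resource.workspace.users()
    return False  # anything unmodelled is denied
```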