Configuring Outbound Access Restrictions for Azure AI Service

Mithila Lishan 141 Reputation points
2025-01-07T11:12:44.41+00:00

I have created an Azure AI service and need to restrict its outbound access. According to the documentation, the following Azure CLI command must be executed:

az rest -m patch -u /subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.CognitiveServices/accounts/{account name}?api-version=2021-04-30 -b '{"properties": { "restrictOutboundNetworkAccess": true, "allowedFqdnList": [ "microsoft.com" ] }}'

Instead of using the CLI command, is it possible to configure the same settings through the Azure portal user interface?

Additionally, if I only want to restrict outbound traffic for app services, should I use "azurewebsites.net" instead of "microsoft.com" in the configuration?

Azure App Service
Azure AI services

1 answer

  1. Laxman Reddy Revuri 5,400 Reputation points Microsoft External Staff Moderator
    2025-01-09T17:18:29.11+00:00

    Hi @Mithila Lishan
    Thanks for the question and using MS Q&A platform.
    To configure network rules for Azure AI services through the Azure portal:

    1. Use the search bar at the top to find your Azure AI service by typing "Azure AI services" and selecting the relevant resource from the results.

    2. Once you are on the resource page, look for Networking under the Resource Management section in the left-hand menu.

    3. Under Firewalls and virtual networks, you will see options for network access.

    4. To restrict access, set the default network rule to Deny (if not already set). This will block all traffic unless explicitly allowed.

    5. Choose Selected networks and private endpoints to allow access only from specific virtual networks or IP addresses.

    6. Click on Add existing virtual network to specify which virtual networks can access your Azure AI service.

    7. If you want to allow access from specific public IP address ranges, you can do so by entering the ranges in CIDR format under the allowed IP address settings.

    8. After configuring your settings, click on Save to apply the changes.

    Network isolation - Azure AI services | Microsoft Learn

    If your AI service only needs to communicate with App Services, then yes, azurewebsites.net would be appropriate.

    However, the AI service might need to reach other Microsoft endpoints to function properly. For example:

    - Model endpoints for inference
    - Authentication services
    - Telemetry services
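Added example, not part of the question or answer above and not Microsoft's code: a Python helper that builds the PATCH body with the two properties from the question's `az rest` command, produces the command as an argument list (so the `?` in the URL and the JSON body need no shell quoting), and checks a GET response for the account against the intended allow-list. The function names, the `SAMPLE_GET` response and the hostname-only validation rule are assumptions made for this example.

```python
import json
import re

API_VERSION = "2021-04-30"  # api-version used in the question's command
# Plain hostname labels only. Rejecting schemes, paths, ports and wildcards
# is a conservative choice made for this example, not a documented service rule.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample of a GET response for the account (not real output).
SAMPLE_GET = {"properties": {"restrictOutboundNetworkAccess": False,
                             "allowedFqdnList": ["microsoft.com", "example.org"]}}

def normalize_fqdn(value):
    """Return a lower-cased hostname, or raise ValueError for anything else."""
    host = value.strip().rstrip(".").lower()
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"not a plain FQDN: {value!r}")
    return host

def build_patch_body(fqdns):
    """PATCH body using the property names from the question's command."""
    allowed = sorted({normalize_fqdn(f) for f in fqdns})
    return {"properties": {"restrictOutboundNetworkAccess": True,
                           "allowedFqdnList": allowed}}

def az_rest_argv(subscription, group, account, fqdns):
    """Argument list for subprocess.run(); no shell is involved."""
    url = (f"/subscriptions/{subscription}/resourceGroups/{group}"
           f"/providers/Microsoft.CognitiveServices/accounts/{account}"
           f"?api-version={API_VERSION}")
    return ["az", "rest", "-m", "patch", "-u", url,
            "-b", json.dumps(build_patch_body(fqdns))]

def audit(resource, expected_fqdns):
    """List differences between the account's settings and the intended ones."""
    props = resource.get("properties", {})
    findings = []
    if props.get("restrictOutboundNetworkAccess") is not True:
        findings.append("restrictOutboundNetworkAccess is not true")
    actual = {f.lower() for f in props.get("allowedFqdnList") or []}
    expected = {normalize_fqdn(f) for f in expected_fqdns}
    for extra in sorted(actual - expected):
        findings.append(f"unexpected FQDN allowed: {extra}")
    for missing in sorted(expected - actual):
        findings.append(f"expected FQDN missing: {missing}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_GET, ["azurewebsites.net"])))
```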

