How to configure a private link for Microsoft Foundry (classic)

Applies only to: Foundry (classic) portal. This article isn't available for the new Foundry portal. Learn more about the new portal.

Note

Links in this article might open content in the new Microsoft Foundry documentation instead of the Foundry (classic) documentation you're viewing now.

Important

This article provides legacy support for hub-based projects. It will not work for Foundry projects. See How do I know which type of project I have?

SDK compatibility note: Code examples require a specific Microsoft Foundry SDK version. If you encounter compatibility issues, consider migrating from a hub-based to a Foundry project.

Tip

An alternate Foundry project-focused version is available: How to configure a private link for Microsoft Foundry projects.

When you use a hub-based project, consider two network isolation aspects:

• Network isolation to access a Foundry hub: This article focuses on this aspect. It describes how to establish a private connection to your hub and its default resources by using a private link.
• Network isolation of computing resources in your hub and projects: This aspect includes compute instances, serverless, and managed online endpoints. For more information, see the Configure managed networks for Foundry hubs article.

You get several hub default resources in your resource group. You need to configure the following network isolation configurations:

• Disable public network access of hub default resources such as Azure Storage, Azure Key Vault, and Azure Container Registry.
• Establish private endpoint connection to hub default resources. You need to have both a blob and file private endpoint for the default storage account.
• If your storage account is private, assign roles to allow access.

Prerequisites

• An Azure subscription. If you don't have one, create a free account.
• An existing Azure Virtual Network with a subnet for the private endpoint.
• Azure CLI with the ml extension installed. To install the extension, run az extension add --name ml.
• The following Azure RBAC roles on your subscription or resource group:
  • Contributor on the Foundry hub resource
  • Network Contributor on the virtual network (or equivalent permissions to create private endpoints)
• For custom DNS configuration, see DNS configuration.

Important

Don't use the 172.17.0.0/16 IP address range for your VNet. This range is the default subnet range used by the Docker bridge network on-premises.

Securely connect to Foundry

To connect to Foundry secured by a virtual network, use one of these methods:

• Azure VPN Gateway-Connect on-premises networks to the virtual network over a private connection on the public internet. Choose from two VPN gateway types:

  • Point-to-site: Each client computer uses a VPN client to connect to the virtual network.
  • Site-to-site: A VPN device connects the virtual network to your on-premises network.

• ExpressRoute-Connect on-premises networks to Azure over a private connection through a connectivity provider.

• Azure Bastion-Create an Azure virtual machine (a jump box) in the virtual network, then connect to it through Azure Bastion using RDP or SSH from your browser. Use the VM as your development environment. Because it's in the virtual network, it can access the workspace directly.

Create a hub that uses a private endpoint

If you're creating a new hub, use the following methods to create the hub (Azure portal or Azure CLI). Each of these methods requires an existing virtual network:

Azure portal

Note

This article only covers configuring a private link. For a walkthrough of creating a secure hub in the portal, see Create a secure hub in the Azure portal.

1. From the Azure portal, search for Foundry. From the left menu, select AI Hubs, and then select + Create and Hub.

   

2. After configuring the Basics and Storage tabs, select the Inbound access tab and then select + Add. When prompted, enter the data for the Azure Virtual Network and subnet for the private endpoint. When selecting the Region, select the same region as your virtual network.

   

3. Select the Outbound access tab and pick the Network isolation option that best suits your needs.

   

Azure CLI

Note

This section doesn't cover basic hub configuration. For more information, see Create a hub using the Azure CLI.

After creating the hub, use the Azure CLI to create a private link endpoint for the hub. Replace the placeholder values with your resource names.

az network private-endpoint create \
    --name <private-endpoint-name> \
    --vnet-name <vnet-name> \
    --subnet <subnet-name> \
    --private-connection-resource-id "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.MachineLearningServices/workspaces/<workspace-name>" \
    --group-id amlworkspace \
    --connection-name workspace \
    --location <location> \
    --resource-group <resource-group-name>

When successful, the command returns JSON output with "provisioningState": "Succeeded".

Reference: az network private-endpoint create

Next, create the private DNS zone entries for the workspace. These DNS zones enable name resolution for the private endpoint:

# Add privatelink.api.azureml.ms
az network private-dns zone create \
    -g <resource-group-name> \
    --name privatelink.api.azureml.ms

az network private-dns link vnet create \
    -g <resource-group-name> \
    --zone-name privatelink.api.azureml.ms \
    --name <link-name> \
    --virtual-network <vnet-name> \
    --registration-enabled false

az network private-endpoint dns-zone-group create \
    -g <resource-group-name> \
    --endpoint-name <private-endpoint-name> \
    --name myzonegroup \
    --private-dns-zone privatelink.api.azureml.ms \
    --zone-name privatelink.api.azureml.ms

Add a private endpoint to a hub

Use one of the following methods to add a private endpoint to an existing hub:

Azure portal

1. From the Azure portal, select your hub.

2. From the left side of the page, select Settings, Networking, and then select the Private endpoint connections tab. Select + Private endpoint.

   

3. When you create a private endpoint, be sure to:

   • From Basics, select the same Region as your virtual network.
   • From Resource, select amlworkspace as the target sub-resource.
   • From the Virtual Network form, select the virtual network and subnet that you want to connect to.

4. After entering any other network configurations you require, use the Review + create tab to review your settings and select Create to create the private endpoint.

Azure CLI

Use the Azure networking CLI commands to create a private link endpoint for the hub.

az network private-endpoint create \
    --name <private-endpoint-name> \
    --vnet-name <vnet-name> \
    --subnet <subnet-name> \
    --private-connection-resource-id "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.MachineLearningServices/workspaces/<workspace-name>" \
    --group-id amlworkspace \
    --connection-name workspace \
    --location <location> \
    --resource-group <resource-group-name>

To create the private DNS zone entries for the workspace, use the following commands:

# Add privatelink.api.azureml.ms
az network private-dns zone create \
    -g <resource-group-name> \
    --name privatelink.api.azureml.ms

az network private-dns link vnet create \
    -g <resource-group-name> \
    --zone-name privatelink.api.azureml.ms \
    --name <link-name> \
    --virtual-network <vnet-name> \
    --registration-enabled false

az network private-endpoint dns-zone-group create \
    -g <resource-group-name> \
    --endpoint-name <private-endpoint-name> \
    --name myzonegroup \
    --private-dns-zone privatelink.api.azureml.ms \
    --zone-name privatelink.api.azureml.ms

# Add privatelink.notebooks.azure.net
az network private-dns zone create \
    -g <resource-group-name> \
    --name privatelink.notebooks.azure.net

az network private-dns link vnet create \
    -g <resource-group-name> \
    --zone-name privatelink.notebooks.azure.net \
    --name <link-name> \
    --virtual-network <vnet-name> \
    --registration-enabled false

az network private-endpoint dns-zone-group add \
    -g <resource-group-name> \
    --endpoint-name <private-endpoint-name> \
    --name myzonegroup \
    --private-dns-zone privatelink.notebooks.azure.net \
    --zone-name privatelink.notebooks.azure.net

Reference: az network private-dns zone create | az network private-dns link vnet create

Verify the private endpoint

After creating the private endpoint, verify it's provisioned correctly:

az network private-endpoint show \
    --name <private-endpoint-name> \
    --resource-group <resource-group-name> \
    --query "{name:name, provisioningState:provisioningState, privateLinkServiceConnections:privateLinkServiceConnections[0].privateLinkServiceConnectionState.status}"

Expected output shows provisioningState: Succeeded and connection status Approved.

Remove a private endpoint

You can remove one or all private endpoints for a hub. Removing a private endpoint removes the hub from the Azure Virtual Network that the endpoint was associated with. Removing the private endpoint might prevent the hub from accessing resources in that virtual network, or resources in the virtual network from accessing the workspace. For example, if the virtual network doesn't allow access to or from the public internet.

Warning

Removing the private endpoints for a hub doesn't make it publicly accessible. To make the hub publicly accessible, use the steps in the Enable public access section.

To remove a private endpoint, use the following information:

Azure portal

1. From the Azure portal, select your hub.

2. From the left side of the page, select Settings, Networking, and then select the Private endpoint connections tab.

3. Select the endpoint to remove and then select Remove.

   

Azure CLI

When you use the Azure CLI, use the following command to remove the private endpoint:

az network private-endpoint delete \
    --name <private-endpoint-name> \
    --resource-group <resource-group-name>

The command returns no output on success. To verify deletion, run az network private-endpoint show and confirm a ResourceNotFound error.

Reference: az network private-endpoint delete

Enable public access

In some situations, you might want to allow someone to connect to your secured hub over a public endpoint, instead of through the virtual network. Or you might want to remove the workspace from the virtual network and re-enable public access.

Important

Enabling public access doesn't remove any private endpoints that exist. All communications between components behind the virtual network that the private endpoints connect to are still secured. It enables public access only to the hub, in addition to the private access through any private endpoints.

To enable public access, use the following steps:

Azure portal

1. From the Azure portal, select your hub.
2. From the left side of the page, select Networking and then select the Public access tab.
3. Select Enabled from all networks, and then select Save.

Azure CLI

Use the following Azure CLI command to enable public access. Replace <workspace-name> with your hub name and <resource-group-name> with your resource group.

az ml workspace update --set public_network_access=Enabled -n <workspace-name> -g <resource-group-name>

The command returns JSON output showing the updated workspace configuration with "publicNetworkAccess": "Enabled".

Reference: az ml workspace update

Tip

If you receive an error that the ml command isn't found, install the extension: az extension add --name ml

Enable public access only from internet IP ranges (preview)

You can use IP network rules to allow access to your secured hub from specific public internet IP address ranges by creating IP network rules. Each Foundry hub supports up to 200 rules. These rules grant access to specific internet-based services and on-premises networks and block general internet traffic. This feature is currently in preview.

Warning

• Enable your endpoint's public network access flag if you want to allow access to your endpoint from specific public internet IP address ranges.
• You can only use IPv4 addresses.
• If the workspace goes from Enable from selected IPs to Disabled or Enabled, the IP ranges reset.

Portal

1. From the Azure portal, select your Foundry hub.
2. From the left side of the page, select Networking and then select the Public access tab.
3. Select Enabled from selected IP addresses, input address ranges, and then select Save.

Azure CLI

Use the az ml workspace update Azure CLI command to manage public access from an IP address or address range:

Tip

The configurations for the selected IP addresses are stored in the hub's properties, under network_acls:

name: sample_hub
location: centraluseuap
display_name: sample hub
description: desc
public_network_access: enabled
network_acls:
    ip_rules:
        value: "X.X.X.X/X"
        value: "X.X.X.X"
    default_action: Deny

1. Disabled: az ml workspace update -n test-ws -g test-rg --public-network-access Disabled
2. Enabled from selected IP addresses: az ml workspace update -n test-ws -g test-rg --public-network-access Enabled --network-acls "167.220.238.199/32,167.220.238.194/32"
3. Enabled from all networks: az ml workspace update -n test-ws -g test-rg --public-network-access Enabled --network-acls none

You can also use the Workspace class from the Azure Machine Learning Python SDK to define which IP addresses are allowed inbound access:

class Workspace(Resource):
    """Azure ML workspace.
    :param public_network_access: Whether to allow public endpoint connectivity
        when a workspace is private link enabled.
    :type public_network_access: str
    :param network_acls: The network access control list (ACL) settings of the workspace.
    :type network_acls: ~azure.ai.ml.entities.NetworkAcls
 
    def __init__(
        self,
        *,
        public_network_access: Optional[str] = None,
        network_acls: Optional[NetworkAcls] = None,

Restrictions for IP network rules

The following restrictions apply to IP address ranges:

• You can only use public internet IP addresses for IP network rules.

  Reserved IP address ranges aren't allowed in IP rules. These reserved ranges include private addresses that start with 10, 172.16 to 172.31, and 192.168.

• You must provide allowed internet address ranges by using CIDR notation in the form 16.17.18.0/24 or as individual IP addresses like 16.17.18.19.

• Only IPv4 addresses are supported for configuration of storage firewall rules.

• When you enable this feature, you can test public endpoints by using any client tool such as Curl, but the Endpoint Test tool in the portal isn't supported.

• You can set the IP addresses for the Foundry hub only after you create the hub.

Private storage configuration

If your storage account is private (uses a private endpoint to communicate with your project), complete the following steps:

1. Our services need to read and write data in your private storage account by using Allow Azure services on the trusted services list to access this storage account with the following managed identity configurations. Enable the system assigned managed identity of Foundry Tool and Azure AI Search, and then configure role-based access control for each managed identity.

   Role	Managed Identity	Resource	Purpose	Reference
   Reader	Foundry project	Private endpoint of the storage account	Read data from the private storage account.
   Storage File Data Privileged Contributor	Foundry project	Storage Account	Read and write prompt flow data.	Prompt flow doc
   Storage Blob Data Contributor	Foundry Tool	Storage Account	Read from input container, write to preprocess result to output container.	Azure OpenAI Doc
   Storage Blob Data Contributor	Azure AI Search	Storage Account	Read blob and write knowledge store	Search doc.

   Tip

   Your storage account might have multiple private endpoints. You need to assign the Reader role to each private endpoint for your Foundry project managed identity.

2. Assign the Storage Blob Data reader role to your developers. This role allows them to read data from the storage account.

3. Verify that the project's connection to the storage account uses Microsoft Entra ID for authentication. To view the connection information, go to the Management center, select Connected resources, and then select the storage account connections. If the credential type isn't Entra ID, select the pencil icon to update the connection and set the Authentication method to Microsoft Entra ID.

For information on securing playground chat, see Securely use playground chat.

DNS configuration

For DNS forwarding configurations, see Azure Machine Learning custom DNS.

If you need to configure a custom DNS server without DNS forwarding, use the following patterns for the required A records.

• <AI-HUB-GUID>.workspace.<region>.cert.api.azureml.ms

• <AI-HUB-GUID>.workspace.<region>.api.azureml.ms

• ml-<workspace-name, truncated>-<region>-<AI-HUB-GUID>.<region>.notebooks.azure.net

  Note

  The workspace name for this FQDN might be truncated. Truncation is done to keep ml-<workspace-name, truncated>-<region>-<workspace-guid> at 63 characters or less.

• <instance-name>.<region>.instances.azureml.ms

  Note

  • You can access compute instances only from within the virtual network.
  • The IP address for this FQDN isn't the IP of the compute instance. Instead, use the private IP address of the workspace private endpoint (the IP of the *.api.azureml.ms entries).

• <instance-name>-22.<region>.instances.azureml.ms - Only used by the az ml compute connect-ssh command to connect to computers in a managed virtual network. You don't need it if you aren't using a managed network or SSH connections.

• <managed online endpoint name>.<region>.inference.ml.azure.com - Used by managed online endpoints.

• models.ai.azure.com - Used for serverless API deployment.

To find the private IP addresses for your A records, see the Azure Machine Learning custom DNS article.

Note

Project workspaces reuse the FQDNs of the associated hub workspaces. There's no reason to configure separate entries for the project workspace GUIDs.

Limitations

• If you use Mozilla Firefox, you might encounter problems when trying to access the private endpoint for your hub. This problem might be related to DNS over HTTPS in Mozilla Firefox. Use Microsoft Edge or Google Chrome.

Next steps

• Configure a private link for a Foundry project
• Create a Foundry project
• Learn more about Foundry
• Learn more about Foundry hubs
• Troubleshoot secure connectivity to a project