AI Foundry Virtual Network

Abhinava Maddha 105 Reputation points Microsoft Employee
2026-02-13T02:15:35.69+00:00

How to set up Azure Virtual Network from AI Foundry workspace and ensure credentials match.

Foundry Tools

Formerly known as Azure AI Services or Azure Cognitive Services is a unified collection of prebuilt AI capabilities within the Microsoft Foundry platform


2 answers

  1. SRILAKSHMI C 18,745 Reputation points Microsoft External Staff Moderator
    2026-02-13T05:12:02.7133333+00:00

    Hello Abhinava Maddha,

    Welcome to Microsoft Q&A and thank you for reaching out.

    When integrating Azure AI Foundry workspace with an Azure Virtual Network (VNet), the goal is to:

    • Secure traffic between Azure resources
    • Restrict public network exposure
    • Ensure authentication and authorization (credentials) are properly aligned
    • Enable secure access to dependent services (Storage, Key Vault, Azure OpenAI, etc.)

    This requires configuring:

    • VNet and subnets
    • Private Endpoints
    • Private DNS
    • Managed Identity + RBAC
    • Network rules on dependent services

    1: Understand Azure Virtual Network Basics

    An Azure Virtual Network (VNet) enables secure communication:

    • Between Azure resources
    • Between Azure and on-premises environments (via VPN/ExpressRoute)
    • Within Azure backbone using Private Endpoints

    If public access is disabled on AI services, traffic must flow through a VNet.

    2: Create the Virtual Network

    In the Azure Portal:

    • Go to Create a Resource
    • Select Networking → Virtual Network
    • Configure:
      • Name
      • Address space (e.g., 10.0.0.0/16)
      • Resource group
    • Create at least one subnet:
      • Example: `private-endpoints-subnet`
      • Avoid delegation unless required

    Best practice:

    • Use a dedicated subnet for Private Endpoints.

    3: Configure Networking in AI Foundry Workspace

    In your AI Foundry Workspace:

    • Navigate to Networking
    • Decide:
      • Keep public access enabled (simpler setup)
      • OR disable public access for full isolation

    If disabling public access:

    • Create a Private Endpoint
    • Attach it to your VNet and subnet
    • Approve the connection if required

    This ensures traffic flows privately within Azure.

    4: Configure Dependent Resources

    AI Foundry typically relies on:

    • Storage Account
    • Key Vault
    • Azure OpenAI / Azure AI Services
    • Container Registry (if applicable)

    For each of these:

    • Go to Networking
    • Disable Public Network Access (if using private architecture)
    • Add a Private Endpoint
    • Attach to the same VNet
    • Configure Private DNS Zone integration

    If dependent services still allow only public traffic, your workspace may fail to authenticate or access resources.

    5: Configure Private DNS

    Private Endpoints require correct DNS resolution.

    Azure usually creates private DNS zones such as:

    • privatelink.openai.azure.com
    • privatelink.blob.core.windows.net
    • privatelink.vaultcore.azure.net

    Ensure DNS zones are linked to your VNet, resources resolve to private IP addresses, and name resolution works from inside the VNet.

    Without proper DNS configuration, connectivity will fail even if Private Endpoints exist.

    6: Ensure Credentials Match (Authentication & Authorization)

    Network isolation alone is not enough; credentials must align correctly.

    There are two main authentication approaches:

    1. Managed Identity (Recommended)

    • Enable System-Assigned Managed Identity on:
      • AI Foundry Workspace
      • Compute resources (App Service, VM, etc.)
    • Assign proper RBAC roles:
      • Cognitive Services User (for Azure OpenAI)
      • Storage Blob Data Contributor
      • Key Vault Secrets User

    This ensures:

    • Secure token-based authentication
    • No hardcoded keys
    • Role-based authorization
    • Enterprise-grade security

    2. API Keys

    If using API keys:

    • Ensure the key belongs to the correct Azure AI resource
    • Verify the endpoint matches the correct region
    • Confirm network rules allow access from your VNet
    • Ensure IP network rules are correctly configured

    Both authentication (valid credential) and authorization (correct RBAC role) must be satisfied.

    7: Validate Connectivity

    From a VM or compute resource inside the VNet:

    Test DNS resolution:

    nslookup <your-openai-endpoint>
    

    Test HTTPS access:

    curl https://<your-endpoint>
    

    If it resolves to a private IP, your Private Endpoint is working.

    Considerations

    • Communication with resources outside the VNet will be blocked unless explicitly configured.
    • Ensure firewall/IP network rules allow necessary service access.
    • Region mismatch between services can cause failures.
    • Missing RBAC roles will result in 401/403 errors even if networking is correct.

    Please refer to this

    I hope this helps. Do let me know if you have any further queries.

    Thank you!
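
A connectivity check for steps 5 to 7 of the answer above, as an added example that is not part of either answer or of Microsoft's documentation: it separates a DNS problem (endpoint resolves to a public IP) from a network problem (no HTTPS response) and from a credential or RBAC problem (401/403). The names `is_vnet_address`, `diagnose` and `probe` and the finding strings are hypothetical; the check assumes the VNet uses RFC 1918 address space like the 10.0.0.0/16 example, and that the caller supplies the request path and the authentication headers of the credential being tested.

```python
import ipaddress
import socket
import sys
import urllib.error
import urllib.request

# Assumption: the VNet uses RFC 1918 space, like the 10.0.0.0/16 example above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_vnet_address(addr):
    """True if addr falls in RFC 1918 private space (IPv6 is never matched)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def diagnose(addresses, http_status):
    """Map DNS answers plus an HTTPS status (None = no response) to a finding."""
    if not addresses:
        return "dns-unresolved"
    if not all(is_vnet_address(a) for a in addresses):
        return "dns-public"   # private DNS zone missing or not linked to the VNet
    if http_status is None:
        return "no-https"     # private IP, no answer: endpoint connection or network rules
    if http_status in (401, 403):
        return "auth"         # network path works; credential or RBAC role is wrong
    return "ok"

def probe(host, path="/", headers=None, timeout=5):
    """Resolve host, send one HTTPS GET with the caller's headers, return a finding."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        addresses = sorted({info[4][0] for info in infos})
    except socket.gaierror:
        addresses = []
    status = None
    if addresses:
        req = urllib.request.Request(f"https://{host}{path}", headers=headers or {})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # a 4xx/5xx reply still proves the HTTPS path works
        except OSError:
            pass               # timeout, connection refused or TLS failure
    return diagnose(addresses, status)

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(f"{name}: {probe(name)}")
```

Run it from a VM or compute resource inside the VNet; without `headers`, a 401 only confirms that the HTTPS path works, since no credential was sent.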


  2. Marcin Policht 90,725 Reputation points MVP Volunteer Moderator
    2026-02-13T02:31:25.5833333+00:00

    Refer to https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/configure-managed-network?view=foundry-classic&tabs=portal or https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/managed-virtual-network?view=foundry (depending on whether you use classic or new Microsoft Foundry)


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
