OpenAI Studio doesn't work when Cognitive Services is deployed behind VNET

Caza, Ion 5 Reputation points
2023-05-16T16:26:11.7266667+00:00

Hey there,

Could use your help here. I'm deploying Cognitive Services | OpenAI behind a VNET. Anything from within the VNET can access it. However, when attempting to use OpenAI Studio under the Chat Playground, I get an error: "Access denied due to Virtual Network/Firewall rules."

Any idea what additional connectivity/networking/whitelisting setup needs to be performed?

Thank you!

Azure OpenAI Service
Azure OpenAI Service
An Azure service that provides access to OpenAI’s GPT-3 models with enterprise capabilities.
2,462 questions
Azure AI services
Azure AI services
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.
2,520 questions
{count} votes

6 answers

Sort by: Most helpful
  1. Mingjun Cao 5 Reputation points
    2023-06-21T06:38:34.66+00:00

    Hi, I also encountered this issue today and solved it. I'm here to provide my solution to help anyone who encounters the same problem.

    When you access Azure OpenAI Studio, your browser sends requests to the Endpoint of your Azure Openai instance, specifically https://${customDomainName}.openai.azure.com/openai/fine-tunes/?api-version=2022-12-01 and https://${customDomainName}.openai.azure.com/openai/files/?api-version=2022-12-01. You can find your Endpoint in the Azure portal.

    If your device's IP address is not on the vnet or firewall whitelist, your access will be denied. Therefore, you can add your device's IP address to the whitelist or use a device that is in vnet (or on the whitelist) for proxy.

    1 person found this answer helpful.
    0 comments No comments

  2. Martyn Taylor 5 Reputation points
    2023-07-26T03:25:24.32+00:00

    I had this issue, and managed to fix it while trying to solve another.

    You need to add the azure portal traffic manager IP address to the allowed list of IPs.

    You can find the IP address you need to add by following "Allow access from the Azure portal IP address" at the following link:

    https://learn.microsoft.com/en-us/azure/search/service-configure-firewall

    1 person found this answer helpful.
    0 comments No comments

  3. AirGordon 7,030 Reputation points
    2023-05-16T17:31:48.0766667+00:00

    There is an extensive article around OpenAI VNET scenarios here : https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks?context=%2Fazure%2Fcognitive-services%2Fopenai%2Fcontext%2Fcontext&tabs=portal

    The article is headlined with this Important Note (usually these signify common configuration mistakes);

    Important

    Turning on firewall rules for your Cognitive Services account blocks incoming requests for data by default. In order to allow requests through, one of the following conditions needs to be met:

    • The request should originate from a service operating within an Azure Virtual Network (VNet) on the allowed subnet list of the target Cognitive Services account. The endpoint in requests originated from VNet needs to be set as the custom subdomain of your Cognitive Services account.
    • Or the request should originate from an allowed list of IP addresses.

    I hope this helps 👍


  4. VasimTamboli 4,785 Reputation points
    2023-05-16T17:33:54.9066667+00:00

    When deploying Cognitive Services (including OpenAI) behind a VNET, you need to configure additional connectivity and network settings to allow access from external resources such as OpenAI Studio. Here are some steps you can take to address the "Access denied due to Virtual Network/Firewall rules" error:

    Virtual Network Integration: Ensure that the Cognitive Services | OpenAI resource is deployed within a Virtual Network (VNET) and is properly integrated with it. You can configure VNET integration during the deployment process or by modifying the existing Cognitive Services resource.

    Network Security Group (NSG) Rules: Review the Network Security Group rules associated with your VNET. NSGs act as firewalls and control inbound and outbound traffic. Make sure you have appropriate inbound rules that allow the necessary communication between OpenAI Studio and the Cognitive Services resource.

    • Open the NSG associated with the subnet where Cognitive Services is deployed.
    • Create inbound security rules that allow the required ports and protocols for communication with OpenAI Studio. This could include HTTP (port 80), HTTPS (port 443), or any other custom ports or protocols used by the Cognitive Services resource.
    • Ensure that the rules allow traffic from the IP ranges or specific IP addresses used by OpenAI Studio or the Chat Playground.

    Private Endpoint (Optional): Consider using Private Endpoints to securely access the Cognitive Services | OpenAI resource over a private IP address. Private Endpoints provide secure connectivity within the VNET without exposing public endpoints. With Private Endpoints, you can access the Cognitive Services resource securely even when it is behind a VNET.

    • Create a Private Endpoint for the Cognitive Services resource.
    • Update the NSG rules to allow traffic from the Private Endpoint IP address or range.
    • Configure OpenAI Studio or the Chat Playground to connect to the Cognitive Services resource using the Private Endpoint.

    By configuring the appropriate network settings, including NSG rules and possibly Private Endpoints, you should be able to resolve the "Access denied due to Virtual Network/Firewall rules" error and allow OpenAI Studio or the Chat Playground to access the Cognitive Services | OpenAI resource deployed behind the VNET.


  5. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-25T21:00:45.2933333+00:00

    Hello @Caza, Ion !

    From the OpenAI Networking TAB

    εικόνα

    When you open the Playground from the Local PC , it should either reside into the VNET , OR your Client IP Address the Public IP of your PC should be also in the allowed list

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards