Could you please provide details on how Azure OpenAI Service behaves when Data Loss Prevention (DLP) is enabled?

佐々木 孝太郎 0 Reputation points
2025-03-17T23:22:16.4666667+00:00

My understanding is that setting "restrictOutboundNetworkAccess" to True and specifying allowed FQDNs or IP addresses in "allowedFqdnList" enables DLP.

I have reviewed the following documentation, but I couldn't find detailed information on how Azure OpenAI Service and DLP function with these settings applied. Could you provide more details?

Reference documentation: https://learn.microsoft.com/en-us/azure/ai-services/cognitive-services-data-loss-prevention?tabs=azure-cli

2 answers

  1. Rahul Gupta 235 Reputation points Microsoft Employee
    2025-03-18T08:43:00.2366667+00:00

    Hello,

    There are certain ways to use OpenAI with DLP. I am listing a couple of those here:

    1. Sensitive Data Handling:
      • When DLP is enabled, Azure OpenAI Service ensures that sensitive information (such as personal identifiable information or confidential business data) is not leaked through any network requests. By restricting outbound access to only approved destinations (via allowedFqdnList), you ensure that even if an external service or API is used during the processing, it is only one you explicitly trust.
    2. Communication with External Resources:
      • If your Azure OpenAI deployment is designed to call other services or APIs (for example, calling a database or an external service during model execution), the outbound traffic must be restricted to known, authorized endpoints. This ensures no unintended exposure of data to external, possibly untrusted, services.
      • The allowedFqdnList configuration would typically include FQDNs of other Azure services or trusted third-party services that the OpenAI Service might need to communicate with. For example, if your deployment needs to call a specific API to process or retrieve some information, the FQDN of that API must be added to this list.
    3. Data Ingress and Egress:
      • Data that enters (ingress) and leaves (egress) your environment via Azure OpenAI Service is filtered by the DLP controls. By restricting egress traffic, DLP prevents potential leakage of sensitive data that may result from API calls to external, unapproved destinations.
      • In addition, all data passed to and from the OpenAI service via API calls can be subject to monitoring and logging for compliance and security auditing, depending on your Azure configuration.

    Regards

    Rahul

    Microsoft Customer Support

  2. SriLakshmi C 4,705 Reputation points Microsoft External Staff
    2025-03-18T09:07:13.54+00:00

    Hello @佐々木 孝太郎,

    Enabling Data Loss Prevention (DLP) in Azure AI services involves configuring specific settings to control outbound network access. When DLP is enabled for Azure OpenAI Service, the restrictOutboundNetworkAccess property is set to true, restricting the service from making outbound network calls except to approved destinations. To allow necessary external access, the allowedFqdnList property can be defined, specifying up to 1,000 fully qualified domain names (FQDNs) or IPv4 addresses that the service is permitted to communicate with.

    By implementing these configurations, organizations gain greater control over the data accessed by Azure OpenAI Service, ensuring a secure environment where only authorized outbound connections are allowed. This helps prevent unauthorized data exfiltration and strengthens data security measures. While restrictOutboundNetworkAccess is supported via the REST API, its impact may vary depending on the service; some, like Azure OpenAI, do not perform outbound requests by default, making this setting less critical in certain cases.

    These network restrictions align with broader data security strategies, ensuring sensitive information remains protected and is not inadvertently transmitted to unapproved destinations. I hope this helps. Do let me know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful.

    Thank you!
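As an added example that is not part of the question or either answer, the following Python audit checks the two properties discussed in this thread (restrictOutboundNetworkAccess and allowedFqdnList) in an account's ARM properties JSON and builds the PATCH body that would enable them. The sample JSON is constructed; the 1,000-entry limit and the FQDN/IPv4 entry formats are taken from the answer above, and treating wildcard entries as a finding is this example's own assumption.

```python
import ipaddress
import json
import re

# Constructed sample of the "properties" block of a Cognitive Services
# (Azure OpenAI) account as returned by the ARM REST API. Values are
# illustrative only, not taken from a real subscription.
SAMPLE_PROPERTIES = json.loads("""
{
  "restrictOutboundNetworkAccess": true,
  "allowedFqdnList": ["api.example-partner.com", "10.0.0.4", "*.contoso.com", "not a host"]
}
""")

MAX_FQDN_ENTRIES = 1000  # limit stated in the answer above
# Hostname labels: alphanumerics and hyphens, not starting or ending with a hyphen.
_FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def is_fqdn(value):
    # Require at least one dot so bare host names are not accepted as FQDNs.
    return bool(_FQDN_RE.match(value)) and "." in value

def audit_dlp(properties):
    """Return a list of findings; an empty list means DLP is configured as expected."""
    findings = []
    if properties.get("restrictOutboundNetworkAccess") is not True:
        findings.append("restrictOutboundNetworkAccess is not true: outbound calls are unrestricted")
    allowed = properties.get("allowedFqdnList") or []
    if len(allowed) > MAX_FQDN_ENTRIES:
        findings.append(f"allowedFqdnList has {len(allowed)} entries, above the {MAX_FQDN_ENTRIES} limit")
    for entry in allowed:
        if entry.startswith("*"):  # assumption: flag wildcards, allow only the hosts you need
            findings.append(f"wildcard entry {entry!r} is broader than a single host")
        elif not (is_ipv4(entry) or is_fqdn(entry)):
            findings.append(f"entry {entry!r} is neither an FQDN nor an IPv4 address")
    return findings

def build_patch_body(allowed):
    """Body for the ARM PATCH that enables DLP with the given allow list."""
    return {"properties": {"restrictOutboundNetworkAccess": True, "allowedFqdnList": list(allowed)}}

if __name__ == "__main__":
    for finding in audit_dlp(SAMPLE_PROPERTIES):
        print("-", finding)
    print(json.dumps(build_patch_body(["api.example-partner.com"]), indent=2))
```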


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.