How to create a secure Microsoft Foundry hub and project with a managed virtual network

Note

This document refers to the Microsoft Foundry (classic) portal only.

This document is also specific to a hub-based project, and doesn't apply to a Foundry project. See How do I know which type of project I have? and Create a hub-based project.

You can secure your Microsoft Foundry hub, projects, and managed resources by using a managed virtual network. With a managed virtual network, inbound access to your hub is allowed only through a private endpoint. For outbound access, you can either allow all outbound traffic or allow only the outbound destinations that you specify. For more information, see Managed virtual network.

Important

The managed virtual network doesn't provide inbound connectivity for your clients. Your clients must connect through an Azure Virtual Network that you manage, and then access the hub through the private endpoint you create. For more information, see the Connect to the hub section.

Prerequisites

  • An Azure account with an active subscription. If you don't have one, create a free Azure account, which includes a free trial subscription.
  • RBAC requirements: You must have the Owner or Contributor role on your Azure subscription or resource group to create a hub and configure network settings. To use a private endpoint, you also need Network Contributor or Owner permissions on the Azure Virtual Network.
  • An Azure Virtual Network that you use to securely connect to Azure services. For example, you might use Azure Bastion, VPN Gateway, or ExpressRoute to connect to the Azure Virtual Network from your on-premises network. If you don't have an Azure Virtual Network, you can create one by following the instructions in Create a virtual network.

Create a hub

  1. From the Azure portal, search for Foundry. From the left menu, select AI Hubs, and then select + Create and Hub.

    Screenshot of the Foundry portal.

  2. Enter your hub name, subscription, resource group, and location details. For Azure AI services base models, select an existing Foundry resource or create a new one. Foundry resources include multiple API endpoints for Speech, Content Safety, and Azure OpenAI.

    Screenshot of the option to set hub basic information.

  3. Select the Storage tab. Select an existing Storage account and Credential store resource, or create new ones. Optionally, choose an existing Application Insights resource and Container Registry for logs and Docker images.

    Screenshot of the Create a hub with the option to set storage resource information.

  4. Select the Inbound access tab to configure network isolation for inbound traffic to the hub. Set Public network access to Disabled, and then use + Add to add a private endpoint for the hub to an Azure Virtual Network that your clients connect to. The private endpoint allows your clients to connect to the hub over a private connection. For more information, see Private endpoints.

    Screenshot of the inbound access tab with public network access disabled.

  5. Select the Outbound access tab to configure the managed virtual network that Foundry uses to secure its hub and projects. Select Private with Internet Outbound, which allows compute resources to access the public internet for resources such as Python packages.

    Tip

    To provision the virtual network during hub creation, select Provision managed virtual network. If you don't select this option, the network isn't provisioned until you create a compute resource. For more information, see Managed virtual network.

    Screenshot of the Create a hub with the option to set network isolation information.

  6. Select Review + create, and then select Create to create the hub. Once the hub is created, any projects or compute instances created from the hub inherit the network configuration.

Verify your hub is secure

After your hub is created, verify that the network configuration is correct:

  1. In the Azure portal, navigate to your Foundry hub resource.

  2. From the left menu, select Networking.

  3. Verify the following settings:

    • Inbound access: Public network access should be Disabled
    • Inbound access: A private endpoint should exist in your Azure Virtual Network
    • Outbound access: Should show Private with Internet Outbound configuration

If any settings are incorrect, you can modify them by selecting the appropriate tab and updating the configuration.
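The checklist above is a portal procedure; the following script is an added example (not from the page or from Microsoft) that applies the same three checks to a hub's ARM resource JSON, such as the output of `az resource show`. The property names it reads (publicNetworkAccess, managedNetwork.isolationMode, managedNetwork.status.status, privateEndpointConnections) and the sample hub documents are assumptions, not taken from the page.

```python
"""Check a Foundry hub's network settings against the page's checklist.

Assumed ARM JSON shape (camelCase keys as returned by `az resource show` for a
Microsoft.MachineLearningServices/workspaces resource); key names and the
sample documents below are assumptions / constructed input.
"""

# Portal labels from the page mapped to the assumed ARM isolation-mode values.
ISOLATED_MODES = {
    "AllowInternetOutbound": "Private with Internet Outbound",
    "AllowOnlyApprovedOutbound": "Private with Approved Outbound",
}


def check_hub_network(hub: dict) -> list[str]:
    """Return findings for a hub resource; an empty list means it passes the checklist."""
    findings = []
    props = hub.get("properties", {})

    # Inbound: public network access must be disabled.
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("inbound: publicNetworkAccess is not Disabled")

    # Inbound: at least one approved private endpoint connection must exist.
    approved = [
        c for c in props.get("privateEndpointConnections", [])
        if c.get("properties", {}).get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
    ]
    if not approved:
        findings.append("inbound: no approved private endpoint connection")

    # Outbound: the managed virtual network must be enabled in an isolated mode.
    managed = props.get("managedNetwork", {})
    mode = managed.get("isolationMode")
    if mode not in ISOLATED_MODES:
        findings.append(f"outbound: isolationMode is {mode!r}, expected one of {sorted(ISOLATED_MODES)}")
    # Caveat from the page: the managed network is not provisioned until a compute
    # resource is created unless 'Provision managed virtual network' was selected.
    elif managed.get("status", {}).get("status") != "Active":
        findings.append("outbound: managed virtual network is not provisioned yet (status is not Active)")
    return findings


# Constructed sample documents (placeholders, not real resources).
SECURE_HUB = {"name": "hub-secure", "kind": "Hub", "properties": {
    "publicNetworkAccess": "Disabled",
    "managedNetwork": {"isolationMode": "AllowInternetOutbound", "status": {"status": "Active"}},
    "privateEndpointConnections": [{"properties": {
        "privateEndpoint": {"id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/privateEndpoints/pe-hub"},
        "privateLinkServiceConnectionState": {"status": "Approved"}}}]}}
OPEN_HUB = {"name": "hub-open", "kind": "Hub", "properties": {
    "publicNetworkAccess": "Enabled", "managedNetwork": {"isolationMode": "Disabled"},
    "privateEndpointConnections": []}}

if __name__ == "__main__":
    for hub in (SECURE_HUB, OPEN_HUB):
        print(hub["name"], check_hub_network(hub) or ["OK"])
```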

Connect to the hub

The managed virtual network doesn't directly provide access to your clients. Instead, your clients connect to an Azure Virtual Network that you manage, and then access the hub through the private endpoint you created in the previous steps. This design ensures that hub resources are protected from direct internet access while allowing your secure infrastructure to reach the hub.

You can use multiple methods to connect clients to the Azure Virtual Network. The following table lists common ways that clients connect to an Azure Virtual Network:

  Method             Description
  Azure VPN gateway  Connects on-premises networks to an Azure Virtual Network over a private connection. Connection is made over the public internet.
  ExpressRoute       Connects on-premises networks into the cloud over a private connection. Connection is made using a connectivity provider.
  Azure Bastion      Connects to a virtual machine inside the Azure Virtual Network by using your web browser.

Next steps