Note
This document refers to the Microsoft Foundry (classic) portal only.
This document is also specific to a hub-based project, and doesn't apply to a Foundry project. See How do I know which type of project I have? and Create a hub-based project.
When you create a project in Microsoft Foundry, secure it with a private endpoint. A private endpoint lets you connect to the project over a private network and protects your data and resources. If you're having trouble connecting to a project that uses a private endpoint, this article lists steps to help you fix the issue.
When you connect to a Foundry project that's set up with a private endpoint, you might see an HTTP 403 error or a message that says access is forbidden. Use this article to check for common configuration issues that cause this error.
Prerequisites
- Azure role-based access control (RBAC): You need appropriate RBAC roles to troubleshoot and resolve private endpoint issues:
- Reader role at the subscription level to view Azure Search services and verify DNS configuration
- Storage Blob Data Reader or Storage Blob Data Contributor role for the storage account associated with your hub (depending on whether you need read-only or read-write access)
- Storage File Data Privileged Reader or Storage File Data Privileged Contributor role for the storage account
- Network access: Connection to the virtual network via Azure VPN Gateway, ExpressRoute, or Azure Bastion
Error loading Foundry hub or project
If you get an error when loading your Foundry hub or project, check whether either of these settings applies:
- Your hub has public network access set to Disabled.
- Your hub has public network access set to Enable from selected IPs.
Depending on the public network access setting for your Foundry hub or project, take the matching action:
| Public network access setting | Action |
|---|---|
| Disabled | Create and approve an inbound private endpoint from your virtual network to your Foundry hub. Connect securely to your hub or project using Azure VPN, ExpressRoute, or Azure Bastion. |
| Enable from selected IPs | Make sure your IP address is listed in the Firewall IP ranges allowed to access Foundry. If you can't add your IP address, contact your IT admin. |
Securely connect to your hub or project
To connect to a hub or project secured by a virtual network, use one of these methods:
Azure VPN Gateway: Connect on-premises networks to the virtual network through an encrypted tunnel carried over the public internet. Choose from two VPN gateway types:
- Point-to-site: Each client computer uses a VPN client to connect to the virtual network.
- Site-to-site: A VPN device connects the virtual network to your on-premises network.
ExpressRoute: Connect on-premises networks to Azure over a private connection through a connectivity provider.
Azure Bastion: Create an Azure virtual machine (a jump box) in the virtual network, then connect to it through Azure Bastion using RDP or SSH from your browser. Use the VM as your development environment. Because it's in the virtual network, it can access the workspace directly.
DNS configuration
Proper DNS configuration is essential for resolving private endpoint addresses. The following steps help you identify whether your virtual network uses Azure DNS or a custom DNS solution, then guide you through the appropriate troubleshooting process.
Troubleshooting steps differ based on whether you use Azure DNS or a custom DNS. Follow these steps to see which one you're using:
In the Azure portal, select the private endpoint resource for your Foundry. If you don't remember the name, select your Foundry resource, Networking, Private endpoint connections, and then select the Private endpoint link.
From the Overview page, select the Network Interface link.
Under Settings, select IP Configurations and then select the Virtual network link.
In Settings, select DNS servers.
- If this value is Default (Azure-provided), then the virtual network is using Azure DNS. Go to the Azure DNS troubleshooting section.
- If there's a different IP address listed, then the virtual network is using a custom DNS solution. Go to the Custom DNS troubleshooting section.
Custom DNS troubleshooting
Follow these steps to check whether your custom DNS solution resolves names to IP addresses:
On a VM, laptop, desktop, or other compute resource that connects to the private endpoint, open a web browser. In the browser, go to the URL for your Azure region:
| Azure region | URL |
|---|---|
| Azure Government | https://portal.azure.us/?feature.privateendpointmanagedns=false |
| Microsoft Azure operated by 21Vianet | https://portal.azure.cn/?feature.privateendpointmanagedns=false |
| All other regions | https://portal.azure.com/?feature.privateendpointmanagedns=false |
In the portal, select the private endpoint for the project. From the DNS configuration section, list the FQDNs for the private endpoint.
Open a command prompt, PowerShell, or other command line and run the following command for each FQDN returned from the previous step. Each time you run the command, verify that the IP address returned matches the IP address listed in the portal for the FQDN.
In the following command, replace the placeholder text <fqdn> with an FQDN from your list:
nslookup <fqdn>
For example:
nslookup df33e049-7c88-4953-8939-aae374adbef9.workspace.eastus2.api.azureml.ms
Example output:
Server: yourdnsserver
Address: yourdnsserver-IP-address
Name: df33e049-7c88-4953-8939-aae374adbef9.workspace.eastus2.api.azureml.ms
Address: 10.0.0.4
If the nslookup command returns an error or a different IP address than the portal shows, your custom DNS solution isn't configured correctly.
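As an added example (not part of the original article), the following Node.js script parses nslookup output of the form shown above for each private endpoint FQDN and compares it with the IP the portal lists; it also flags the common failure where a name resolves to a public address, which means the private DNS zone isn't being consulted. The FQDN, expected IP and resolver address it uses are constructed placeholders.

```javascript
// Added example, not from the page: parse nslookup output for each private-endpoint FQDN
// and compare it with the IP the portal lists. The pair below is a constructed placeholder.
const EXPECTED = {
  "df33e049-7c88-4953-8939-aae374adbef9.workspace.eastus2.api.azureml.ms": "10.0.0.4",
};
// Constructed nslookup output, as a client inside the virtual network might print it.
const SAMPLE_OUTPUT = `Server:  10.0.0.53
Address:  10.0.0.53#53

Non-authoritative answer:
Name:    df33e049-7c88-4953-8939-aae374adbef9.workspace.eastus2.api.azureml.ms
Address: 10.0.0.4
`;
// Returns { resolver, answers }; the first Server/Address pair is the resolver, not an answer.
function parseNslookup(output) {
  let resolver = null, current = null;
  const answers = {};
  for (const raw of output.split("\n")) {
    const line = raw.trim();
    const m = /^(Server|Name|Address(?:es)?):\s*(.*)$/.exec(line);
    // Bare IP lines that follow a Windows-style "Addresses:" header belong to the current name.
    if (!m) { if (current && /^[0-9a-f.:]+$/i.test(line)) answers[current].push(line); continue; }
    const [, key, value] = m;
    if (key === "Server") current = null;
    else if (key === "Name") { current = value; answers[current] = answers[current] || []; }
    else if (current === null) resolver = resolver || value.split("#")[0];
    else if (value) answers[current].push(value);
  }
  return { resolver, answers };
}
// RFC 1918 test: a public answer means the private DNS zone is not being consulted.
function isPrivateIPv4(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) || (p[0] === 192 && p[1] === 168);
}
// Classify each expected FQDN as ok, mismatch, public, or unresolved.
function checkResolution(expected, answers) {
  const report = {};
  for (const [fqdn, want] of Object.entries(expected)) {
    const got = answers[fqdn] || [];
    if (got.length === 0) report[fqdn] = "unresolved";
    else if (got.includes(want)) report[fqdn] = "ok";
    else if (got.every((a) => !isPrivateIPv4(a))) report[fqdn] = "public";
    else report[fqdn] = "mismatch";
  }
  return report;
}
console.log(checkResolution(EXPECTED, parseNslookup(SAMPLE_OUTPUT).answers));
```

To use it against a real hub, replace EXPECTED with the FQDN and IP pairs from the private endpoint's DNS configuration page and feed it the output of nslookup for each name.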
Azure DNS troubleshooting
When you use Azure DNS for name resolution, follow these steps to check that Private DNS integration is configured correctly:
On the private endpoint, select DNS configuration.
If there's a Private DNS zone entry, but no DNS zone group entry, delete and recreate the private endpoint. When recreating the private endpoint, enable Private DNS zone integration.
If DNS zone group isn't empty, select the link for the Private DNS zone entry.
From the Private DNS zone, select Virtual network links. There should be a link to the virtual network. If there isn't one, then delete and recreate the private endpoint. When recreating it, select a Private DNS zone linked to the virtual network, or create a new one and link it.
Repeat the previous steps for the rest of the Private DNS zone entries.
Browser configuration (DNS over HTTPS)
Browser DNS settings can interfere with private endpoint resolution. If DNS over HTTPS is enabled, your browser bypasses the network DNS configuration and might fail to resolve private endpoint addresses.
Check if DNS over HTTPS is enabled in your web browser. DNS over HTTPS can prevent Azure DNS from responding with the IP address of the private endpoint.
- Mozilla Firefox: See Disable DNS over HTTPS in Firefox.
- Microsoft Edge:
Proxy configuration
Proxy servers can interfere with private endpoint connectivity by blocking or modifying network traffic. The following options help you determine if proxy settings are causing connection issues.
If you're using a proxy, it might block access to a secured project. To test, try one of these options:
- Temporarily disable the proxy setting, then try to connect.
- Create a Proxy auto-config (PAC) file that allows direct access to the fully qualified domain names (FQDNs) listed on the private endpoint, and to the FQDN for any compute instances.
- Set up your proxy server to forward DNS requests to Azure DNS.
- Make sure the proxy lets connections to Azure Machine Learning (AML) APIs, such as *.<region>.api.azureml.ms and *.instances.azureml.ms.
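An added example of the PAC file option above (not from the original article): it returns DIRECT for the FQDNs copied from the private endpoint and for the two wildcard patterns this article says the proxy must allow, and sends everything else through the proxy. The proxy address, region and workspace FQDN are constructed placeholders.

```javascript
// Added example PAC file, not from the page. Replace the placeholders with your values.
var PROXY = "PROXY proxy.contoso.example:8080"; // placeholder corporate proxy

// Exact FQDNs listed under the private endpoint's DNS configuration (placeholder value).
var DIRECT_HOSTS = [
  "df33e049-7c88-4953-8939-aae374adbef9.workspace.eastus2.api.azureml.ms",
];

// The wildcard patterns *.<region>.api.azureml.ms and *.instances.azureml.ms,
// expressed as dot-prefixed suffixes; "eastus2" is a placeholder region.
var DIRECT_SUFFIXES = [
  ".eastus2.api.azureml.ms",
  ".instances.azureml.ms",
];

// Suffix match that keeps the leading dot, so only real subdomains qualify
// (for example "fakeinstances.azureml.ms" does not match ".instances.azureml.ms").
function hostMatches(host, suffix) {
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

// Standard PAC entry point called by the browser or OS for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  }
  for (var j = 0; j < DIRECT_SUFFIXES.length; j++) {
    if (hostMatches(host, DIRECT_SUFFIXES[j])) return "DIRECT";
  }
  return PROXY;
}
```

Because it uses only plain string operations rather than PAC helpers such as shExpMatch, the file can also be unit-tested in Node.js before you deploy it.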
Troubleshoot storage connection issues
Storage connectivity is critical for Foundry projects. When you disable public network access on the storage account, you need proper private endpoint configuration and managed identity permissions.
When you create a project, several connections to the hub's Azure Storage account are created for data upload and artifact storage, including prompt flow. If you set the public network access on your hub's associated Azure Storage account to Disabled, these storage connections can take longer to create.
Try these steps to troubleshoot:
- In the Azure portal, check the network settings of the storage account that's associated with your hub.
- If you set public network access to Enabled from selected virtual networks and IP addresses, make sure you add the correct IP address ranges to allow access to your storage account.
- If you set public network access to Disabled, make sure you configure a private endpoint from your Azure virtual network to your storage account with Target sub-resource set to blob. Also, grant the Reader role for the storage account private endpoint to the managed identity.
- In the Azure portal, go to your Foundry hub. Make sure the managed virtual network is provisioned and the outbound private endpoint to blob storage is Active. For more information, see How to configure a managed network for Foundry hubs.
- Go to Foundry > your project > project settings.
- Refresh the page. Several connections appear, including workspaceblobstore.