Network isolation and private endpoints

The steps below describe how to restrict public access to custom question answering resources as well as how to enable Azure Private Link. Protect an Azure AI services resource from public access by configuring the virtual network.

Private Endpoints

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Custom question answering supports creating private endpoints to the Azure Search Service.

Private endpoints are provided by Azure Private Link, as a separate service. For more information about costs, see the pricing page.

Steps to enable private endpoint

  1. Assign the Contributor role to the language resource (depending on the context, this may appear as a Text Analytics resource) in the Azure Search Service instance. This operation requires Owner access to the subscription. Go to the Identity tab in the service resource to get the identity.

Text Analytics Identity

  2. Add the above identity as Contributor by going to the Azure Search Service IAM tab.

Managed service IAM

  3. Select Add role assignments, add the identity, and select Save.

Managed role assignment

  4. Now, go to the Networking tab in the Azure Search Service instance and switch Endpoint connectivity data from Public to Private. This operation is a long-running process and can take up to 30 minutes to complete.

Managed Azure search networking

  5. Go to the Networking tab of the language resource and, under Allow access from, select the Selected Networks and private endpoints option, then select Save.

Text Analytics networking

This establishes a private endpoint connection between the language resource and the Azure AI Search service instance. You can verify the private endpoint connection on the Networking tab of the Azure AI Search service instance. Once the whole operation is completed, you can use your language resource with question answering enabled.

Managed Networking Service

Support details

  • We don't support changes to Azure AI Search service once you enable private access to your language resources. If you change the Azure AI Search service via 'Features' tab after you have enabled private access, the language resource will become unusable.

  • After establishing Private Endpoint Connection, if you switch Azure AI Search Service Networking to 'Public', you won't be able to use the language resource. Azure Search Service Networking needs to be 'Private' for the Private Endpoint Connection to work.

Restrict access to Azure AI Search resource

Follow the steps below to restrict public access to custom question answering language resources. Protect an Azure AI services resource from public access by configuring the virtual network.

After restricting access to an Azure AI services resource based on VNet, do the following to browse projects on Language Studio from your on-premises network or your local browser:

  • Grant access to on-premises network.

  • Grant access to your local browser/machine.

  • Add the public IP address of the machine under the Firewall section of the Networking tab. By default, portal.azure.com shows the current browsing machine's public IP (select this entry); then select Save.

    Screenshot of firewall and virtual networks configuration UI
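The settings described on this page can be checked for drift from exported resource JSON. The script below is an added example, not part of the original documentation: it audits the Search service and the language resource against the steps and support details above. It assumes the ARM property names `publicNetworkAccess`, `privateEndpointConnections`, and `networkAcls` back the portal settings; the resource names, sample values, and the `max_hosts` threshold are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: trimmed shape of `az resource show` output for the two
# resources. Property names are the ARM names assumed to back the portal settings.
SAMPLE_SEARCH = json.loads("""{
  "name": "example-search",
  "properties": {
    "publicNetworkAccess": "enabled",
    "privateEndpointConnections": [
      {"properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}
    ]
  }
}""")
SAMPLE_LANGUAGE = json.loads("""{
  "name": "example-language",
  "properties": {
    "networkAcls": {"defaultAction": "Allow",
                    "ipRules": [{"value": "203.0.113.7"}, {"value": "198.51.100.0/20"}]}
  }
}""")


def audit(search, language, max_hosts=256):
    """Return a list of findings; an empty list means the setup matches the steps."""
    findings = []
    sp = search.get("properties", {})
    # Support details: Search networking must stay Private for the connection to work.
    if str(sp.get("publicNetworkAccess", "enabled")).lower() != "disabled":
        findings.append("search: endpoint connectivity is Public, must be Private")
    states = [c.get("properties", {}).get("privateLinkServiceConnectionState", {}).get("status")
              for c in sp.get("privateEndpointConnections") or []]
    if "Approved" not in states:
        findings.append("search: no approved private endpoint connection")
    # "Selected Networks and private endpoints" corresponds to defaultAction Deny.
    acls = language.get("properties", {}).get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("language: access is allowed from all networks")
    # Flag firewall entries wider than the hypothetical max_hosts policy threshold.
    for rule in acls.get("ipRules") or []:
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.num_addresses > max_hosts:
            findings.append(f"language: firewall rule {rule['value']} covers {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SEARCH, SAMPLE_LANGUAGE):
        print("FINDING:", finding)
```
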