Edit

How to create and manage an Azure AI hub resource

  • Article

Note

Azure AI Studio is currently in public preview. This preview is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

As an administrator, you can create and manage Azure AI hub resources. Azure AI hub resources provide a hosting environment for the projects of a team, and help you as an IT admin centrally set up security settings and govern usage and spend. You can create and manage an Azure AI hub resource from the Azure portal or from the Azure AI Studio.

In this article, you learn how to create and manage an Azure AI hub resource in Azure AI Studio (for getting started).

Create an Azure AI hub resource in AI Studio

To create a new Azure AI hub resource, you need either the Owner or Contributor role on the resource group or on an existing Azure AI hub resource. If you're unable to create an Azure AI hub resource due to permissions, reach out to your administrator. If your organization is using Azure Policy, don't create the resource in AI Studio. Create the Azure AI hub resource in the Azure portal instead.

Follow these steps to create a new Azure AI hub resource in AI Studio.

  1. Go to the Manage page in Azure AI Studio.

  2. Select + New AI hub.

  3. Enter your AI hub name, subscription, resource group, and location details.

  4. In the Azure OpenAI dropdown, you can select an existing Azure OpenAI resource to bring all your deployments into AI Studio. If you don't bring one, we'll create one for you.

    Screenshot of the Create an Azure AI hub resource wizard with the option to set basic information.

  5. Optionally, connect an existing Azure AI Search instance to share search indices with all projects in this Azure AI hub resource. An Azure AI Search instance isn't created for you if you don't provide one.

  6. Select Next.

  7. On the Review and finish page, you see the AI Services provider for you to access the Azure AI services such as Azure OpenAI.

    Screenshot of the review and finish page for creating an AI hub.

  8. Select Create.

When the AI hub is created, you can see it on the Manage page in AI Studio. You can see that initially no projects are created in the AI hub. You can create a new project.

Screenshot of the new AI hub overview.

Create a secure Azure AI hub resource in the Azure portal

If your organization is using Azure Policy, set up an Azure AI hub resource that meets your organization's requirements instead of using AI Studio for resource creation.

  1. From the Azure portal, search for Azure AI Studio and create a new resource by selecting + New Azure AI

  2. Enter your AI hub name, subscription, resource group, and location details.

  3. For advanced settings, select Next: Resources to specify resources, networking, encryption, identity, and tags.

    Screenshot of the option to set Azure AI hub resource basic information.

  4. Select an existing Azure AI services resource or create a new one. New Azure AI services include multiple API endpoints for Speech, Content Safety and Azure OpenAI. You can also bring an existing Azure OpenAI resource. Optionally, choose an existing Storage account, Key vault, Container Registry, and Application insights to host artifacts generated when you use AI Studio.

    Screenshot of the Create an Azure AI hub resource with the option to set resource information.

  5. Set up Network isolation. Read more on network isolation. For a walkthrough of creating a secure Azure AI hub resource, see Create a secure Azure AI hub resource.

    Screenshot of the Create an Azure AI hub resource with the option to set network isolation information.

  6. Set up data encryption. You can either use Microsoft-managed keys or enable Customer-managed keys.

    Screenshot of the Create an Azure AI hub resource with the option to select your encryption type.

  7. By default, System assigned identity is enabled, but you can switch to User assigned identity if existing storage, key vault, and container registry are selected in Resources.

    Screenshot of the Create an Azure AI hub resource with the option to select a managed identity.

    Note

    If you select User assigned identity, your identity needs to have the Cognitive Services Contributor role in order to successfully create a new Azure AI hub resource.

  8. Add tags.

    Screenshot of the Create an Azure AI hub resource with the option to add tags.

  9. Select Review + create

Manage your Azure AI hub resource from the Azure portal

Azure AI hub resource keys

View your keys and endpoints for your Azure AI hub resource from the overview page within the Azure portal.

Screenshot of the Azure AI hub resource in the Azure portal showing the keys and endpoints.

Manage access control

Manage role assignments from Access control (IAM) within the Azure portal. Learn more about Azure AI hub resource role-based access control.

To add grant users permissions:

  1. Select + Add to add users to your Azure AI hub resource

  2. Select the Role you want to assign.

    Screenshot of the page to add a role within the Azure AI hub resource Azure portal view.

  3. Select the Members you want to give the role to.

    Screenshot of the add members page within the Azure AI hub resource Azure portal view.

  4. Review + assign. It can take up to an hour for permissions to be applied to users.

Networking

Azure AI hub resource networking settings can be set during resource creation or changed in the Networking tab in the Azure portal view. Creating a new Azure AI hub resource invokes a Managed Virtual Network. This streamlines and automates your network isolation configuration with a built-in Managed Virtual Network. The Managed Virtual Network settings are applied to all projects created within an Azure AI hub resource.

At Azure AI hub resource creation, select between the networking isolation modes: Public, Private with Internet Outbound, and Private with Approved Outbound. To secure your resource, select either Private with Internet Outbound or Private with Approved Outbound for your networking needs. For the private isolation modes, a private endpoint should be created for inbound access. For more information on network isolation, see Managed virtual network isolation. To create a secure Azure AI hub resource, see Create a secure Azure AI hub resource.

At Azure AI hub resource creation in the Azure portal, creation of associated Azure AI services, Storage account, Key vault, Application insights, and Container registry is given. These resources are found on the Resources tab during creation.

To connect to Azure AI services (Azure OpenAI, Azure AI Search, and Azure AI Content Safety) or storage accounts in Azure AI Studio, create a private endpoint in your virtual network. Ensure the public network access (PNA) flag is disabled when creating the private endpoint connection. For more about Azure AI services connections, follow documentation here. You can optionally bring your own (BYO) search, but this requires a private endpoint connection from your virtual network.

Encryption

Projects that use the same Azure AI hub resource, share their encryption configuration. Encryption mode can be set only at the time of Azure AI hub resource creation between Microsoft-managed keys and Customer-managed keys.

From the Azure portal view, navigate to the encryption tab, to find the encryption settings for your Azure AI hub resource. For Azure AI hub resources that use CMK encryption mode, you can update the encryption key to a new key version. This update operation is constrained to keys and key versions within the same Key Vault instance as the original key.

Screenshot of the Encryption page of the Azure AI hub resource in the Azure portal.

Update Azure Application Insights and Azure Container Registry

To use custom environments for Prompt Flow, you're required to configure an Azure Container Registry for your AI hub. To use Azure Application Insights for Prompt Flow deployments, a configured Azure Application Insights resource is required for your AI hub.

You can configure your AI hub for these resources during creation or update after creation. To update Azure Application Insights from the Azure portal, navigate to the Properties for your Azure AI hub resource in the Azure portal, then select Change Application Insights. You can also use the Azure SDK/CLI options or infrastructure-as-code templates to update both Azure Application Insights and Azure Container Registry for the AI Hub.

Screenshot of the properties page of the Azure AI resource in the Azure portal.

Manage your Azure AI hub resource from the Manage tab within the AI Studio

Getting started with the AI Studio

On the Manage page in Azure AI Studio, you have the options to create a new Azure AI hub resource, manage an existing Azure AI hub resource, or view your quota.

Screenshot of the Manage page of the Azure AI Studio.

Managing an Azure AI hub resource

When you manage a resource, you see an Overview page that lists Projects, Description, Resource Configuration, Connections, and Permissions. You also see pages to further manager Permissions, Compute instances, Connections, Policies, and Billing.

You can view all Projects that use this Azure AI hub resource. Be linked to the Azure portal to manage the Resource Configuration. Manage who has access to this Azure AI hub resource. View all of the connections within the resource. Manage who has access to this Azure AI hub resource.

Screenshot of the Details page of the Azure AI Studio showing an overview of the resource.

Permissions

Within Permissions you can view who has access to the Azure AI hub resource and also manage permissions. Learn more about permissions. To add members:

  1. Select + Add member
  2. Enter the member's name in Add member and assign a Role. For most users, we recommend the AI Developer role. This permission applies to the entire Azure AI hub resource. If you wish to only grant access to a specific Project, manage permissions in the Project

Compute instances

View and manage computes for your Azure AI hub resource. Create computes, delete computes, and review all compute resources you have in one place.

Connections

From the Connections page, you can view all Connections in your Azure AI hub resource by their Name, Authentication method, Category type, if the connection is shared to all projects in the resource or specifically to a Project, Target, Owner, and Provisioning state.

You can also add a connection through + Connection

Learn more on how to create and manage Connections. Connections created in the Azure AI hub resource Manage page are automatically shared across all projects. If you want to make a project specific connection, make that within the Project.

Policies

View and configure policies for your Azure AI hub resource. See all the policies you have in one place. Policies are applied across all Projects.

Billing

Here you're linked to the Azure portal to review the cost analysis information for your Azure AI hub resource.

Next steps