Create a private endpoint for a secure connection to Azure AI Search
This article explains how to configure a private connection to Azure AI Search so that it admits requests from clients in a virtual network instead of over a public internet connection:
- Create an Azure virtual network, or use an existing one
- Configure a search service to use a private endpoint
- Create an Azure virtual machine in the same virtual network
- Test using a browser session on the virtual machine
Other Azure resources that might privately connect to Azure AI Search include Azure OpenAI for "use your own data" scenarios. Azure AI Studio doesn't run in a virtual network, but it can be configured on the backend to send requests over the Microsoft backbone network. Configuration for this traffic pattern is enabled by Microsoft when your request is submitted and approved. For this scenario:
- Follow the instructions in this article to set up the private endpoint.
- Enable trusted service of your search resource from the Azure portal.
- Optionally, disable public network access if connections should only originate from clients in the virtual network or from Azure OpenAI over a private endpoint connection.
Key points about private endpoints
Private endpoints are provided by Azure Private Link, as a separate billable service. For more information about costs, see Azure Private Link pricing.
Once a search service has a private endpoint, portal access to index data in that service must be initiated from a browser session on a virtual machine inside the virtual network. See Use the Azure portal to access a private search service later in this article.
You can create a private endpoint for a search service in the Azure portal, as described in this article. Alternatively, you can use the Management REST API, Azure PowerShell, or the Azure CLI.
Why use a private endpoint?
Private endpoints for Azure AI Search allow a client on a virtual network to securely access data in a search index over a Private Link. The private endpoint uses an IP address from the virtual network address space for your search service. Network traffic between the client and the search service traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet. For a list of other PaaS services that support Private Link, check the availability section in the product documentation.
Private endpoints for your search service allow you to:
- Block all connections on the public endpoint for your search service.
- Increase security for the virtual network, by letting you block exfiltration of data from the virtual network.
- Securely connect to your search service from on-premises networks that connect to the virtual network using a VPN or ExpressRoute with private peering.
Create the virtual network
In this section, you create a virtual network and subnet to host the VM that will be used to access your search service's private endpoint.
From the Azure portal home tab, select Create a resource > Networking > Virtual network.
In Create virtual network, enter or select the following values:
- Subscription: Select your subscription
- Resource group: Select Create new, enter a name, such as myResourceGroup, then select OK
- Name: Enter a name, such as MyVirtualNetwork
- Region: Select a region
Accept the defaults for the rest of the settings. Select Review + create and then Create.
Create a search service with a private endpoint
In this section, you create a new Azure AI Search service with a private endpoint.
On the upper-left side of the screen in the Azure portal, select Create a resource > AI + machine learning > AI Search.
In Create a search service - Basics, enter or select the following values:
Project details:
- Subscription: Select your subscription
- Resource group: Use the resource group that you created in the previous step
Instance details:
- URL: Enter a unique name
- Location: Select your region
- Pricing tier: Select Change Pricing Tier and choose your desired service tier. Private endpoints aren't supported on the Free tier. You must select Basic or higher.
Select Next: Scale.
Accept the defaults and select Next: Networking.
In Create a search service - Networking, select Private for Endpoint connectivity (data).
Select + Add under Private endpoint.
In Create private endpoint, enter or select values that associate your search service with the virtual network you created:
- Subscription: Select your subscription
- Resource group: Use the resource group that you created in the previous step
- Location: Select a region
- Name: Enter a name, such as myPrivateEndpoint
- Target subresource: Accept the default searchService
Networking:
- Virtual network: Select the virtual network you created in the previous step
- Subnet: Select the default
Private DNS integration:
- Enable Private DNS Integration: Select the checkbox
- Private DNS zone: Accept the default (New) privatelink.search.windows.net
Select Add.
Select Review + create. You're taken to the Review + create page where Azure validates your configuration.
When you see the Validation passed message, select Create.
Once provisioning of your new service is complete, browse to the resource that you created.
Select Settings > Keys from the left content menu.
Copy the Primary admin key for later, when connecting to the service.
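The portal steps above (virtual network, search service, private endpoint, private DNS zone, admin key) can also be scripted. The following Azure PowerShell script is an added example, not code from the original article; it assumes placeholder names (myResourceGroup, MyVirtualNetwork, my-search-service, myPrivateEndpoint), the eastus region, the 10.0.0.0/16 address space, and that Connect-AzAccount has already been run with the Az.Network, Az.PrivateDns and Az.Search modules installed. Creating the service with public network access disabled is the scripted equivalent of choosing Private for Endpoint connectivity (data).

```powershell
# Added example, not part of the original article. Placeholders: adjust names, region and ranges.
# Requires Az.Accounts, Az.Network, Az.PrivateDns and Az.Search; run Connect-AzAccount first.
$rg       = 'myResourceGroup'
$location = 'eastus'                      # assumed region
$vnetName = 'MyVirtualNetwork'
$svcName  = 'my-search-service'           # must be globally unique
$peName   = 'myPrivateEndpoint'
$zoneName = 'privatelink.search.windows.net'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Virtual network with one subnet that hosts both the private endpoint and the test VM
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'default' -AddressPrefix '10.0.0.0/24' `
            -PrivateEndpointNetworkPoliciesFlag Disabled
$vnet   = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.0.0.0/16' -Subnet $subnet

# Search service: the Free tier doesn't support private endpoints, so Basic or higher.
# PublicNetworkAccess Disabled mirrors the portal's "Private" endpoint connectivity choice.
$svc = New-AzSearchService -ResourceGroupName $rg -Name $svcName -Sku Basic -Location $location `
            -PublicNetworkAccess Disabled

# Private endpoint targeting the searchService subresource of the new service
$conn = New-AzPrivateLinkServiceConnection -Name "$peName-conn" -PrivateLinkServiceId $svc.Id `
            -GroupId 'searchService'
$pe   = New-AzPrivateEndpoint -ResourceGroupName $rg -Name $peName -Location $location `
            -Subnet $vnet.Subnets[0] -PrivateLinkServiceConnection $conn

# Private DNS zone linked to the VNet, so <name>.search.windows.net resolves to the endpoint's
# private IP for clients inside the network (the portal's "Private DNS integration" checkbox)
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'search-zone' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $peName `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# Record the private IP for the DNS check later; keep the admin key in a variable, not in output
$nic       = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress
$adminKey  = (Get-AzSearchAdminKeyPair -ResourceGroupName $rg -ServiceName $svcName).Primary
"Private endpoint IP for $svcName.$zoneName : $privateIp"
"Admin key stored in `$adminKey ($($adminKey.Length) characters); pass it to the VM out of band"
```

The private DNS zone group is what keeps the zone's A record in sync with the endpoint; without it, the zone exists but the VM's nslookup in the test section still returns the public address. Because the service is created with public access already disabled, the verification from outside the virtual network must fail from the start.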
Create a virtual machine
On the upper-left side of the screen in the Azure portal, select Create a resource > Compute > Virtual machine.
In Create a virtual machine - Basics, enter or select the following values:
Project details:
- Subscription: Select your subscription
- Resource group: Use the resource group that you created in the previous section
Instance details:
- Virtual machine name: Enter a name, such as my-vm
- Region: Select your region
- Availability options: You can choose No infrastructure redundancy required, or select another option if you need the functionality
- Image: Select Windows Server 2022 Datacenter: Azure Edition - Gen2
- VM architecture: Accept the default x64
- Size: Accept the default Standard D2S v3
Administrator account:
- Username: Enter a user name for the VM's local administrator account. You'll still sign in to the Azure portal from the VM with your Azure account so that you can manage your search service.
- Password: Enter the account password. The password must be at least 12 characters long and meet the defined complexity requirements.
- Confirm password: Reenter the password
Inbound port rules:
- Public inbound ports: Accept the default Allow selected ports
- Select inbound ports: Accept the default RDP (3389)
Select Next: Disks.
In Create a virtual machine - Disks, accept the defaults and select Next: Networking.
In Create a virtual machine - Networking, provide the following values:
- Virtual network: Select the virtual network you created in a previous step
- Subnet: Accept the default 10.1.0.0/24
- Public IP: Accept the default
- NIC network security group: Accept the default Basic
- Public inbound ports: Select the default Allow selected ports
- Select inbound ports: Select HTTP (80), HTTPS (443), and RDP (3389)
Select Review + create for a validation check.
This configuration exposes RDP on a public IP address. For a short-lived test VM that's acceptable, but restrict the RDP rule's source to your own IP address in the network security group (or use Azure Bastion instead of a public IP), and delete the VM when you're done. The VM only makes outbound requests to the search service, so inbound HTTP and HTTPS aren't required for this walkthrough.
When you see the Validation passed message, select Create.
Connect to the VM
Download and then connect to the virtual machine as follows:
In the portal's search bar, search for the virtual machine created in the previous step.
Select Connect. After selecting the Connect button, Connect to virtual machine opens.
Select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.
Open the downloaded .rdp file.
If prompted, select Connect.
Enter the username and password you specified when creating the VM.
Note
You might need to select More choices > Use a different account, to specify the credentials you entered when you created the VM.
Select OK.
You might receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.
Once the VM desktop appears, minimize it to go back to your local desktop.
Test connections
In this section, you verify private network access to the search service and connect to it privately through the private endpoint.
When the search service endpoint is private, some portal features are disabled. You can view and manage service level settings, but portal access to index data and various other components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.
In the Remote Desktop session on the VM, open PowerShell and run the following, substituting your search service name:

```powershell
nslookup [search service name].search.windows.net
```

You'll receive a response similar to the following. The 168.63.129.16 server is the Azure-provided DNS resolver. The alias through privatelink.search.windows.net and an address from the virtual network's address space (10.0.0.5 here) confirm that the public host name resolves to the private endpoint rather than to a public IP address:

```
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    [search service name].privatelink.search.windows.net
Address:  10.0.0.5
Aliases:  [search service name].search.windows.net
```

From the VM, connect to the search service and create an index. You can follow this quickstart to create a new search index in your service using the REST API. Setting up requests from a Web API test tool requires the search service endpoint (https://[search service name].search.windows.net) and the admin api-key you copied in a previous step. Completing the quickstart from the VM confirms that the service is fully operational over the private endpoint.
Close the remote desktop connection to myVM.
To verify that your service isn't accessible on a public endpoint, open a REST client on your local workstation and attempt the first several tasks in the quickstart. If the request fails with an error that the remote server doesn't exist, instead of returning a response, the public endpoint is unreachable and you successfully configured a private endpoint for your search service.
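The two checks above (DNS resolves to the private endpoint; the data plane answers from inside the network and not from outside) can be run as one script. This is an added example, not code from the original article or the quickstart it references: it assumes a placeholder service name, the 10.0.0.0/16 address space from the virtual network you created, the admin key supplied through a SEARCH_ADMIN_KEY environment variable, and the 2023-11-01 data-plane API version (check the current version in the REST reference). Run it once in the VM and once on your workstation; the expected results differ.

```powershell
# Added example, not part of the original article. Placeholders: service name, VNet prefix,
# admin key (from an environment variable so it isn't in the script) and API version.
param(
    [string]$ServiceName = 'my-search-service',
    [string]$VnetPrefix  = '10.0.0.0/16',
    [string]$ApiKey      = $env:SEARCH_ADMIN_KEY,
    [string]$ApiVersion  = '2023-11-01'
)

# True when the IPv4 address $Ip lies inside the CIDR block $Prefix
function Test-IpInPrefix {
    param([string]$Ip, [string]$Prefix)
    $net, $bits = $Prefix.Split('/')
    $toInt = {
        param($a)
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        [Array]::Reverse($b)                      # network order -> host order
        [System.BitConverter]::ToUInt32($b, 0)
    }
    $block = [math]::Pow(2, 32 - [int]$bits)      # size of the host part
    [math]::Floor((& $toInt $Ip) / $block) -eq [math]::Floor((& $toInt $net) / $block)
}

# Resolve the public host name and report whether the answer came through Private Link
function Test-PrivateResolution {
    param([string]$Name, [string]$Prefix)
    $fqdn    = "$Name.search.windows.net"
    $records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
    $aliases = @($records | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost)
    $ips     = @($records | Where-Object Type -eq 'A'     | ForEach-Object IPAddress)
    [pscustomobject]@{
        Fqdn           = $fqdn
        Aliases        = $aliases
        Addresses      = $ips
        ViaPrivateLink = @($aliases -match 'privatelink\.search\.windows\.net$').Count -gt 0
        InVnet         = ($ips.Count -gt 0) -and -not ($ips | Where-Object { -not (Test-IpInPrefix $_ $Prefix) })
    }
}

# Call the data plane with the admin key (api-key header) and list the index names
function Test-SearchDataPlane {
    param([string]$Name, [string]$Key, [string]$Version)
    $uri = "https://$Name.search.windows.net/indexes?api-version=$Version"
    try {
        $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'api-key' = $Key } -ErrorAction Stop
        [pscustomobject]@{ Reachable = $true;  Indexes = @($resp.value | ForEach-Object name); Error = $null }
    } catch {
        [pscustomobject]@{ Reachable = $false; Indexes = @(); Error = $_.Exception.Message }
    }
}

$dns = Test-PrivateResolution -Name $ServiceName -Prefix $VnetPrefix
$api = Test-SearchDataPlane  -Name $ServiceName -Key $ApiKey -Version $ApiVersion
$dns | Format-List
$api | Format-List

# Inside the VM:   ViaPrivateLink and InVnet should be True, and Reachable True.
# On a workstation: InVnet is False, and with public access disabled Reachable must be False.
if ($dns.InVnet -and -not $api.Reachable) {
    Write-Warning 'Name resolves to the private endpoint but the request failed; check the NSG and the endpoint connection status.'
}
if (-not $dns.InVnet -and $api.Reachable) {
    Write-Warning 'Service answered over a public address; public network access is still enabled.'
}
```

The DNS check is the one that catches the most common misconfiguration: a private endpoint that exists but whose private DNS zone isn't linked to the virtual network, so the VM resolves the public address and the request either fails or, if public access is still enabled, silently takes the public path.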
Use the Azure portal to access a private search service
When the search service endpoint is private, some portal features are disabled. You can view and manage service level information, but index, indexer, and skillset information are hidden for security reasons.
To work around this restriction, connect to the Azure portal from a browser on a virtual machine inside the virtual network. Follow the steps earlier in this article to provision a VM that can reach the search service through the private endpoint, then open a browser on that VM and sign in to the Azure portal. The portal's requests to your search service now travel over the private endpoint in the virtual network, which gives you visibility into content and operations.
Disable public network access
You can lock down a search service to prevent it from admitting any request from the public internet. You can use the Azure portal for this step.
In the Azure portal, on the leftmost pane of your search service page, select Networking.
Select Disabled on the Firewalls and virtual networks tab. Before you do, confirm that the private endpoint connection shows as approved and that a test from the VM succeeds; once public access is disabled, every client outside the virtual network, including your own workstation, is blocked.
You can also use the Azure CLI, Azure PowerShell, or the Management REST API, by setting public-access or public-network-access to disabled.
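For an existing service, the same change can be made and checked with Azure PowerShell. This is an added example, not code from the original article; it assumes placeholder resource names and uses Get-AzPrivateEndpointConnection from Az.Network to read the connection state on the search service before locking it down, so that you don't disable public access on a service that no private endpoint can reach.

```powershell
# Added example, not part of the original article. Placeholders: resource group and service name.
# Requires Az.Search and Az.Network with an existing Connect-AzAccount session.
$rg   = 'myResourceGroup'
$name = 'my-search-service'

$svc = Get-AzSearchService -ResourceGroupName $rg -Name $name

# Refuse to lock out every client: require at least one approved private endpoint connection
$approved = @(Get-AzPrivateEndpointConnection -PrivateLinkResourceId $svc.Id |
              Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Approved' })
if ($approved.Count -eq 0) {
    throw "No approved private endpoint connection on $name; disabling public access would block all clients."
}

# Same setting as Disabled on the portal's Networking page (public-network-access = disabled)
Set-AzSearchService -ResourceGroupName $rg -Name $name -PublicNetworkAccess Disabled | Out-Null

# Re-read the service and confirm the change took effect
$svc = Get-AzSearchService -ResourceGroupName $rg -Name $name
if ($svc.PublicNetworkAccess -ne 'Disabled') {
    throw "Public network access is still $($svc.PublicNetworkAccess)"
}
"$name : public network access $($svc.PublicNetworkAccess); $($approved.Count) approved private endpoint connection(s)"
```

After this runs, repeat the data-plane test from your local workstation: the request must now fail, while the same test from the VM in the virtual network continues to succeed.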
Clean up resources
When you're working in your own subscription, it's a good idea at the end of a project to identify whether you still need the resources you created. Resources left running can cost you money.
You can delete individual resources or the resource group to delete everything you created in this exercise. Select the resource group on any resource's overview page, and then select Delete.
Next step
In this article, you created a VM on a virtual network and a search service with a private endpoint. You connected to the VM from the internet and securely communicated to the search service using Private Link. To learn more about private endpoints, see What is a private endpoint?