Изменить

Поделиться через

How to create a secure Azure AI Foundry hub and project with a managed virtual network

  • Статья

You can secure your Azure AI Foundry hub, projects, and managed resources in a managed virtual network. With a managed virtual network, inbound access is only allowed through a private endpoint for your hub. Outbound access can be configured to allow either all outbound access, or only allowed outbound that you specify. For more information, see Managed virtual network.

Important

The managed virtual network doesn't provide inbound connectivity for your clients. For more information, see the Connect to the hub section.

Prerequisites

  • An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
  • An Azure Virtual Network that you use to securely connect to Azure services. For example, you might use Azure Bastion, VPN Gateway or ExpressRoute to connect to the Azure Virtual Network from your on-premises network. If you don't have an Azure Virtual Network, you can create one by following the instructions in Create a virtual network.

Create a hub

  1. From the Azure portal, search for Azure AI Foundry and create a new resource by selecting + New Azure AI.

  2. Enter your hub name, subscription, resource group, and location details. You can also select an existing Azure AI services resource or create a new one.

    Screenshot of the option to set hub basic information.

  3. Select Next: Storage. Select an existing Storage account and Key vault resource or create new ones. Optionally, choose an existing Application insights, and Container Registry for logs and docker images.

    Screenshot of the Create a hub with the option to set resource information.

  4. Select Next: Networking to configure the managed virtual network that Azure AI Foundry uses to secure its hub and projects.

    1. Select Private with Internet Outbound, which allows compute resources to access the public internet for resources such as Python packages.

      Tip

      To provision the virtual network during hub creation, select Provision managed virtual network. If this option isn't selected, the network isn't provisioned until you create a compute resource. For more information, see Managed virtual network.

      Screenshot of the Create a hub with the option to set network isolation information.

    2. To allow your clients to connect through your Azure Virtual Network to the hub, use the following steps to add a private endpoint.

      1. Select + Add from the Workspace inbound access section of the Networking tab. The Create private endpoint form is displayed.

        Screenshot of the workspace inbound access section.

      2. Enter a unique value in the Name field. Select the Virtual network (Azure Virtual Network) that your clients connect to. Select the Subnet that the private endpoint connects to.

        Screenshot of the create private endpoint form.

      3. Select Ok to save the endpoint configuration.

  5. Select Review + create, then Create to create the hub. Once the hub is created, any projects or compute instances created from the hub inherit the network configuration.

Connect to the hub

The managed virtual network doesn't directly provide access to your clients. Instead, your clients connect to an Azure Virtual Network that you manage. There are multiple methods that you might use to connect clients to the Azure Virtual Network. The following table lists the common ways that clients connect to an Azure Virtual Network:

Method Description
Azure VPN gateway Connects on-premises networks to an Azure Virtual Network over a private connection. Connection is made over the public internet.
ExpressRoute Connects on-premises networks into the cloud over a private connection. Connection is made using a connectivity provider.
Azure Bastion Connects to a virtual machine inside the Azure Virtual Network using your web browser.

Next steps