How to create a secure Azure AI Foundry hub and project with a managed virtual network

Note

The information in this article is specific to a hub-based project, and doesn't apply to an Azure AI Foundry project. See How do I know which type of project I have? and Create a hub-based project.

You can secure your Azure AI Foundry hub, projects, and managed resources in a managed virtual network. With a managed virtual network, inbound access is only allowed through a private endpoint for your hub. Outbound access can be configured to allow all outbound traffic, or only the outbound destinations that you specify. For more information, see Managed virtual network.

Important

The managed virtual network doesn't provide inbound connectivity for your clients. For more information, see the Connect to the hub section.

Prerequisites

Create a hub

  1. From the Azure portal, search for Azure AI Foundry. From the left menu, select AI Hubs, and then select + Create and Hub.

    Screenshot of the Azure AI Foundry portal.

  2. Enter your hub name, subscription, resource group, and location details. For Azure AI services base models, select an existing AI services resource or create a new one. Azure AI services include multiple API endpoints for Speech, Content Safety, and Azure OpenAI.

    Screenshot of the option to set hub basic information.

  3. Select the Storage tab. Select an existing Storage account and Credential store resource or create new ones. Optionally, choose an existing Application Insights resource and Container Registry for logs and Docker images.

    Screenshot of the Create a hub with the option to set storage resource information.

  4. Select the Inbound access tab to configure network isolation for inbound traffic to the hub. Set Public network access to Disabled, and then use + Add to add a private endpoint for the hub to an Azure Virtual Network that your clients connect to. The private endpoint allows your clients to connect to the hub over a private connection. For more information, see Private endpoints.

    Screenshot of the inbound access tab with public network access disabled.

  5. Select the Outbound access tab to configure the managed virtual network that Azure AI Foundry uses to secure its hub and projects. Select Private with Internet Outbound, which allows compute resources to access the public internet for resources such as Python packages.

    Tip

    To provision the virtual network during hub creation, select Provision managed virtual network. If this option isn't selected, the network isn't provisioned until you create a compute resource. For more information, see Managed virtual network.

    Screenshot of the Create a hub with the option to set network isolation information.

  6. Select Review + create, then Create to create the hub. Once the hub is created, any projects or compute instances created from the hub inherit the network configuration.
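The same secure configuration as an infrastructure-as-code template, added here as an example and not taken from Microsoft's own samples: public network access disabled, a private endpoint for inbound access, and the managed virtual network in Allow Internet Outbound mode. Parameter names, the `-pe` name suffix, and the existing storage account, key vault, and subnet it references are assumptions of this example.

```bicep
// Added example (not Microsoft's sample code): hub with public network access
// disabled, a private endpoint for inbound access, and a managed virtual network
// in "Allow Internet Outbound" mode. Parameter names and the '-pe' suffix are
// this example's own assumptions.
param hubName string
param location string = resourceGroup().location
param storageAccountId string // existing storage account (Storage tab)
param keyVaultId string       // existing key vault (Credential store)
param subnetId string         // subnet in the VNet your clients connect to

resource hub 'Microsoft.MachineLearningServices/workspaces@2024-04-01' = {
  name: hubName
  location: location
  kind: 'Hub'
  identity: { type: 'SystemAssigned' }
  properties: {
    friendlyName: hubName
    storageAccount: storageAccountId
    keyVault: keyVaultId
    // Inbound access tab: no public endpoint; clients come in via the private endpoint
    publicNetworkAccess: 'Disabled'
    // Outbound access tab: "Private with Internet Outbound"
    managedNetwork: { isolationMode: 'AllowInternetOutbound' }
  }
}

// Inbound access tab: private endpoint for the hub in the VNet your clients use.
// Private DNS zone links (privatelink.api.azureml.ms, privatelink.notebooks.azure.net)
// are omitted here; add them so clients resolve the hub's private IP.
resource hubPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${hubName}-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: '${hubName}-pe'
        properties: {
          privateLinkServiceId: hub.id
          groupIds: [ 'amlworkspace' ]
        }
      }
    ]
  }
}
```

Deploy it with az deployment group create, then run az ml workspace provision-network against the hub to provision the managed network up front, which is what the Provision managed virtual network option in the Tip does in the portal.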

Connect to the hub

The managed virtual network doesn't directly provide access to your clients. Instead, your clients connect to an Azure Virtual Network that you manage. They can then access the hub using the private endpoint you created in these steps.

There are multiple methods that you might use to connect clients to the Azure Virtual Network. The following table lists the common ways that clients connect to an Azure Virtual Network:

| Method | Description |
| --- | --- |
| Azure VPN gateway | Connects on-premises networks to an Azure Virtual Network over a private connection. Connection is made over the public internet. |
| ExpressRoute | Connects on-premises networks into the cloud over a private connection. Connection is made using a connectivity provider. |
| Azure Bastion | Connects to a virtual machine inside the Azure Virtual Network using your web browser. |

Next steps