Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
The information provided in this article is specific to a hub based project, and doesn't apply for a Foundry project. For more information, see Types of projects.
You can secure your Azure AI Foundry hub, projects, and managed resources in a managed virtual network. With a managed virtual network, inbound access is only allowed through a private endpoint for your hub. Outbound access can be configured to allow either all outbound access, or only allowed outbound that you specify. For more information, see Managed virtual network.
Important
The managed virtual network doesn't provide inbound connectivity for your clients. For more information, see the Connect to the hub section.
Prerequisites
- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
- An Azure Virtual Network that you use to securely connect to Azure services. For example, you might use Azure Bastion, VPN Gateway or ExpressRoute to connect to the Azure Virtual Network from your on-premises network. If you don't have an Azure Virtual Network, you can create one by following the instructions in Create a virtual network.
Create a hub
From the Azure portal, search for
Azure AI Foundry. From the left menu, select AI Hubs, and then select + Create and Hub.
Enter your hub name, subscription, resource group, and ___location details. For Azure AI services base models, select an existing AI services resource or create a new one. Azure AI services include multiple API endpoints for Speech, Content Safety, and Azure OpenAI.
Select the Storage tab. Select an existing Storage account and Credential store resource or create new ones. Optionally, choose an existing Application insights, and Container Registry for logs and docker images.
Select the Inbound access tab to configure network isolation for inbound traffic to the hub. Set Public network access to Disabled, and then use + Add to add a private endpoint for the hub to an Azure Virtual Network that your clients connect to. The private endpoint allows your clients to connect to the hub over a private connection. For more information, see Private endpoints.
Select the Outbound access to configure the managed virtual network that Azure AI Foundry uses to secure its hub and projects. Select Private with Internet Outbound, which allows compute resources to access the public internet for resources such as Python packages.
Tip
To provision the virtual network during hub creation, select Provision managed virtual network. If this option isn't selected, the network isn't provisioned until you create a compute resource. For more information, see Managed virtual network.
Select Review + create, then Create to create the hub. Once the hub is created, any projects or compute instances created from the hub inherit the network configuration.
Connect to the hub
The managed virtual network doesn't directly provide access to your clients. Instead, your clients connect to an Azure Virtual Network that you manage. They can then access the hub using the private endpoint you created in these steps.
There are multiple methods that you might use to connect clients to the Azure Virtual Network. The following table lists the common ways that clients connect to an Azure Virtual Network:
| Method | Description |
|---|---|
| Azure VPN gateway | Connects on-premises networks to an Azure Virtual Network over a private connection. Connection is made over the public internet. |
| ExpressRoute | Connects on-premises networks into the cloud over a private connection. Connection is made using a connectivity provider. |
| Azure Bastion | Connects to a virtual machine inside the Azure Virtual Network using your web browser. |