The aim of this blog is to simplify the security hardening of your Azure OpenAI infrastructure using private endpoints instead of allowing the OpenAI traffic to traverse the public internet.
A private endpoint is a network interface that uses a private IP address allocated from your target virtual network. This network interface connects you privately and securely over the Azure backbone to an Azure service instead of traversing the public internet.
Azure OpenAI provides private endpoints as a secure and efficient channel for transmitting data between your virtual network infrastructure directly to the OpenAI service.
Deployment Plan
Deployment Steps
Step 1 - Creating your Azure OpenAI Service resource
Azure Portal > search for Azure AI services > Create,
Basics tab:
Complete the subscription, resource group and region fields,
Select a unique name for your openai resource,
Select your pricing tier,
Be aware of the content review policy for good behaviour,
Networks tab:
Select your networks type,
You should begin your initial deployment with disabled – and then configure private endpoints (but for this blog, we will first deploy with All networks and then harden the network),
Tags tab:
Select your tagging convention or use your organisations Azure tagging policies,
Review & Submit,
Verify your configuration,
Create,
Step 2 - A target virtual network
You will have identified your target virtual network from which you need to connect your resouces to the Azure OpenAI service. This may be a single or peered virtual network.
Step 3 - Creating the OpenAI private endpoint
Go to your OpenAI resource > networking > select the 2nd tab Private endpoint connections > + Private endpoint >
Basics tab:
Populate the subscription and resource group fields,
Provide a unique / identifiable name for the private endpoint,
(The private endpoint network interface / ip will be allocated by the target vnet/subnet,
Select the same region for the private endpoint as your target vnet,
Resoure tab:
This tabs details are hardset: subscription, resource group, resource, and the sub-resource has no other option besides account,
Virtual Network tab:
Select your target virtual network and subnet, as per the region you selected,
Select your Private IP configuration allocation method,
Select if you are using an ASG,
DNS tab:
Determine on which private DNS zone you want to deploy the private endpoint to create a DNS record,
The creation of the private endpoint will update your target virtual network’s DNS settings.
Tags tab:
Select your tagging convention or use your organisations Azure tagging policies,
Review & Create,
Verify your configuration,
Create,
Verification
Verify the internal IP address given to the OpenAI private endpoint,
Verify in your private DNS zone if you wish,
You may also continue using the OpenAI endpoint name (instead of the privatelink name) which will correctly resolve to the private endpoint’s internal IP address,
You may need to secure access to your private endpoint by modifying either NSG ingress / egress rules or updating your firewall rules.
As a Newbie, I am continuously searching online for articles that can help me. Thank you
Thanks for posting. I really enjoyed reading it, especially because it addressed my problem. It helped me a lot and I hope it will help others too.
Thank you for writing this post!