VPN Gateway to access AI Hub & AI Project in Azure AI Foundry / Studio

Aksel Uhr 0 Reputation points
2024-12-10T12:45:50.5666667+00:00

Hi!

I am testing access to Azure AI resources behind a v-net for learning purposes.

I am trying to access resources (i.e. Azure AI Hub and later on Project) which are behind a v-net that I created on Azure, namely test-network.

My first approach was to deploy a VM to test-network, access it via Bastion and then access the Hub. This worked well and was quite simple to set up.

However, I wanted to try to set up a VPN Gateway to access the resources from my machine, i.e. not via a jumpbox VM + Bastion. The VPN Gateway is up and running but it seems like I have missed some kind of connection, since I cannot access the Hub.

I have made sure that:

  • The VPN Gateway is connected to the test-network: under settings for test-network -> network -> I created a Gateway Subnet. I can also see the AzureBastionSubnet here

My conclusion is that since it is working with Bastion + VM, there is some configuration step for the VPN Gateway missing. I have a knowledge gap here and cannot seem to find the issue. I am getting the following error when I try to open the Hub using VPN Gateway:

Error loading Azure AI hub. You are attempting to access a restricted resource from an unauthorized network location. Please contact your administrator or follow the troubleshooting instructions here.

I followed the steps mentioned under "Azure DNS troubleshoot" on the previous link and made sure the private links for my Hub: privatelink.api.azureml.ms & privatelink.notebooks.azure.net indeed are linked to test-network.

I still get the same error and the following details:

DNS resolution

Code: ARecordNotFound

Message: You do not have the following required DNS records to access your workspace. ARecords 'aaaaa-bbbb-ccccc-dddd.workspace.swedencentral -> xx.y.x.z,aaaaa-bbbb-ccccc-dddd.workspace.swedencentral.cert -> xx.y.x.z,.aaaaa-bbbb-ccccc-dddd.inference.swedencentral -> xx.y.x.z,.aaaaa-bbbb-ccccc-dddd.models.swedencentral -> xx.y.x.z' are missing in private Dns zone /subscriptions/aaaaa-bbbb-ccccc-dddd/resourceGroups/DefaultResourceGroup-CCAN/providers/Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms.You need to configure your private dns zone and/or DNS server to resolve workspace FQDNs with the private IP of your private endpoint. See https://docs.microsoft.com/azure/machine-learning/how-to-custom-dns.

So, DNS records problem. I feel confused on this topic and I appreciate any help. Especially why it works with the Bastion VM but not my computer. All the best!

Azure VPN Gateway

1 answer

  1. ChaitanyaNaykodi-MSFT 26,936 Reputation points Microsoft Employee
    2024-12-10T14:55:28.19+00:00

    @Aksel Uhr

    Thank you for reaching out. I went through your question above and the error faced.

    Based on the error I think you might need to update the local machine's hosts file to point your resources' host names to the private IPs in your virtual network. The hosts file is located at C:\Windows\System32\drivers\etc for Windows, and at /etc/hosts on Linux.

    This is currently documented here

    Based on your question above

    Especially why it works with the Bastion VM but not my computer

    When you connect via Bastion, you log in to a machine which is already in the Azure network, where DNS resolution will work based on the configuration you have already done.

    When you connect via VPN, you basically need to configure your local machine to use the private IP of the resources for DNS resolution.

    Additional reference:
    https://techcommunity.microsoft.com/blog/azurearchitectureblog/azure-openai-private-endpoints-connecting-across-vnet%e2%80%99s/3913325

    Hope this helps! Please let us know if the issue still persists. Thank you!

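Added example, not part of the original answer and not Microsoft code: a Python sketch that turns the `ARecordNotFound` message from the question into hosts-file lines for the VPN client and reports which names still resolve to something other than the private endpoint. Assumptions: the function names are hypothetical, the 10.0.0.x addresses are constructed (the page masks the real ones), the client-facing FQDN is taken to be the record name plus the zone name without its `privatelink.` label, and records that start with `.` or `*` are treated as wildcard-style entries that a hosts file cannot express.

```python
import ipaddress
import re
import socket

# Constructed sample in the shape of the ARecordNotFound message quoted in the
# question; the 10.0.0.x addresses are made up (the page masks the real ones).
SAMPLE = (
    "ARecords 'aaaaa-bbbb-ccccc-dddd.workspace.swedencentral -> 10.0.0.5,"
    "aaaaa-bbbb-ccccc-dddd.workspace.swedencentral.cert -> 10.0.0.5,"
    ".aaaaa-bbbb-ccccc-dddd.inference.swedencentral -> 10.0.0.6' are missing in "
    "private Dns zone /subscriptions/aaaaa-bbbb-ccccc-dddd/resourceGroups/rg/providers/"
    "Microsoft.Network/privateDnsZones/privatelink.api.azureml.ms.You need to configure"
)

def hosts_entries(message):
    """Return (entries, skipped): (ip, fqdn) pairs for a hosts file, plus
    record names a hosts file cannot express."""
    # Lower-case-only match, so the fused ".You need" is not read as part of the zone.
    zone = re.search(r"privateDnsZones/(privatelink\.[a-z0-9.-]*[a-z0-9])", message).group(1)
    # Assumption: clients query the name without the "privatelink." label.
    suffix = zone[len("privatelink."):]
    entries, skipped = [], []
    for item in re.search(r"ARecords '([^']*)'", message).group(1).split(","):
        name, ip = (part.strip() for part in item.split("->"))
        if name.startswith((".", "*")):
            skipped.append(name)  # wildcard-style record: needs real DNS, not hosts
            continue
        # Refuse to pin a workspace name to anything but a private address.
        if not ipaddress.ip_address(ip).is_private:
            raise ValueError(f"{name}: {ip} is not a private address")
        entries.append((ip, f"{name}.{suffix}"))
    return entries, skipped

def unresolved(entries, resolve=socket.gethostbyname):
    """Return FQDNs that do not currently resolve to the expected private IP."""
    bad = []
    for ip, fqdn in entries:
        try:
            if resolve(fqdn) != ip:
                bad.append(fqdn)
        except OSError:  # includes socket.gaierror (name not found)
            bad.append(fqdn)
    return bad

if __name__ == "__main__":
    entries, skipped = hosts_entries(SAMPLE)
    for ip, fqdn in entries:
        print(f"{ip}\t{fqdn}")
    for name in skipped:
        print(f"# not expressible in a hosts file: {name}")
```

Running `unresolved(entries)` on the VPN-connected machine before and after editing the hosts file shows whether the workspace names now reach the private endpoint; the skipped names need a DNS server that can answer for the private zone.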
