Azure AI Search
An Azure search service with built-in artificial intelligence capabilities that enrich information to help identify and explore relevant content at scale.
1,077 questions
Services Unable to Communicate with Private Endpoints Enabled
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 68%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sourav Gupta
10
Reputation points
We have deployed a solution using various Azure services, including a Web App, Storage Account, Azure OpenAI, Azure AI Search, Content Safety, Multi-Service Account, and SQL Server. When these services communicate over the public network, they connect without issues. However, once we enable private endpoints for Azure OpenAI, AI Search, Content Safety, SQL Server, and Multi-Service Account, and configure VNet integration for the Function App and Web App, the services can no longer communicate, resulting in errors.
We need a solution to ensure seamless communication between these services with public access disabled and private endpoints enabled, allowing secure and private interactions across all resources.
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 74%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
AshokPeddakotla-MSFT 35,091 Reputation points2024-11-04T05:22:17.8133333+00:00 Sourav Gupta Greetings!
However, once we enable private endpoints for Azure OpenAI, AI Search, Content Safety, SQL Server, and Multi-Service Account, and configure VNet integration for the Function App and Web App, the services can no longer communicate, resulting in errors.
Could you share the error details? How exactly are you connecting these services? Are you following any documentation?
Did you check Securely use Azure OpenAI On Your Data and Create a private endpoint for a secure connection to Azure AI Search already?
-
Sourav Gupta 10 Reputation points
2024-11-04T05:40:38.2066667+00:00 Hi @AshokPeddakotla-MSFT Yes, I've already reviewed both documentation links you shared and configured my services as instructed. However, I'm still encountering the following errors:
"
"One or more errors occurred. (Service request failed.\r\nStatus: 400 (Bad Request)\r\n\r\nContent:\r\n{\"error\": {\"requestid\": \"22902db0-eb15-476c-8e01-962888ec6287\", \"code\": 400, \"message\": \"Invalid AzureCognitiveSearch configuration detected: Call to get Azure Search index failed. Check if you are using the correct Azure Search endpoint and index name. If you are using key based authentication, check if the admin key is correct. If you are using access token authentication or managed identity of Azure OpenAI, check if the Azure Search has enabled RBAC based authentication and if the user identity or Azure OpenAI managed identity has required role assignments to access Azure Search resource [https://aka.ms/aoaioydauthentication]. If the Azure Search resource has no public network access, make sure enable trusted service of Azure Search.\\nAzure Search Error: 403, message='Server responded with status 403. Error message: ', url='https://xxxxxxxxxx.search.windows.net//indexes/xxxxx-test?api-version=2024-03-01-preview'\\nServer responded with status 403. Error message: \"}}\r\n\r\nConnection: keep-alive\r\nskip-error-remapping: REDACTED\r\nx-envoy-upstream-service-time: REDACTED\r\napim-request-id: REDACTED\r\nx-ms-client-request-id: 311bd335-ac5c-4891-97ee-a88fd2e7a7e3\r\nStrict-Transport-Security: REDACTED\r\nX-Content-Type-Options: REDACTED\r\nx-ms-region: REDACTED\r\nx-ratelimit-remaining-requests: REDACTED\r\nx-ratelimit-remaining-tokens: REDACTED\r\nContent-Type: application/json; charset=utf-8\r\nContent-Length: 988\r\n)"
-
AshokPeddakotla-MSFT 35,091 Reputation points
2024-11-05T16:37:17.42+00:00 Sourav Gupta please share more details on when are you seeing this error and in particular which service?
-
Sourav Gupta 10 Reputation points
2024-11-06T06:00:35.9366667+00:00 @AshokPeddakotla-MSFT I've set up private endpoints for several services, including Azure AI Search, OpenAI, Storage Account, Multi-Service Account, Content Safety, and SQL Server, and have configured VNet integration with my App Service. The process involves uploading a document from the App Service, storing it in a Storage Account, and indexing it in Azure AI Search. I created a data source and skillset, linking the Storage Account to the data source. However, when running the indexer, I encounter the error: 'Unexpected error validating provided resource. {"error":{"code":"403","message": "Public access is disabled. Please configure private endpoint."}}'.
Screenshot 2024-11-06 112811.pngI am using the Standard 2-tier for AI Search." -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 67%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
HOLMES Simon 20 Reputation points2024-11-06T17:17:04.8966667+00:00 Hello, I'm so glad to see this question as I was about to post the same. This is a recurrent and very frustrating situation, in which resources are provisioned with private endpoints but cannot communicate with each other. Please support and share the solution - thank you
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 57.00000000000001%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
Daniel FANG 885 Reputation points2024-11-14T11:22:04.0866667+00:00 Hi Sourav
[Answer Part I]
If we have a close look at this error message you shared, there are 4 things to check.
Invalid AzureCognitiveSearch configuration detected: Call to get Azure Search index failed.
1- Check if you are using the correct Azure Search endpoint and index name.
2- If you are using key based authentication, check if the admin key is correct.
3- If you are using access token authentication or managed identity of Azure OpenAI,
3a- check if the Azure Search has enabled RBAC based authentication and
3b- if the user identity or Azure OpenAI managed identity has required role assignments to access Azure Search resource [https://aka.ms/aoaioydauthentication].
4- If the Azure Search resource has no public network access, make sure enable trusted service of Azure Search.Probably 1 is correct as you mentioned the public access worked.
Guess you are using managed identity? if public access worked, the RABC should work.
Wonder if theallow trusted serviceis turned on in AI Search?[Answer Part 2]
for the private endpoint bit, the tricky part is that your
App Servicemust need to resolve the AI search endpoint as a private ip address via private dns zone as described in the private endpoint article.To test it out, try to do a nslook in the kudo console of your app service, the lookup should return similar resolve as below. If so, the traffic from the
App servicewill go via private ip (i.e. does not go out to public internet) and be trusted by AI Search. If not, yourApp servicewould still get a public ip for ai search and thus still going out to public internet (will be blocked by AI search). There are a few steps required to allow yourapp serviceutilizeprivate dns zoneprivatelink.search.windows.netServer: UnKnown Address: 168.63.129.16 Non-authoritative answer: Name: [search service name].privatelink.search.windows.net Address: 10.0.0.5 Aliases: [search service name].search.windows.net
Sign in to comment
Sign in to answer