Share via

WebSocket Authentication Error (401) When Using Private Endpoint for Azure Speech Services

Yaraslav Kireyev 0 Reputation points
2025-02-05T07:47:48.99+00:00

Hello,

I am experiencing an authentication issue when attempting to use Azure Cognitive Services Speech-to-Text with a Private Endpoint from an Azure App Service. Below are the details of my configuration and the error message I am receiving.

Issue Description:

My Azure App Service connects to Azure Cognitive Services Speech-to-Text.

Current Behavior (With "Selected Networks and Private Endpoints" Enabled)

  • When I restrict access to "Selected Networks and Private Endpoints", the application fails with a 401 error: 
      CANCELED: ErrorDetails=WebSocket upgrade failed: Authentication error (401).  Please check subscription information and region name.
  • The application uses Managed Identity for authentication. The configuration code is: 
      var config = SpeechConfig.FromAuthorizationToken(authorizationToken, region);
    • This issue only occurs when the Private Endpoint is enabled.

Current Network Configuration

  1. Virtual Network and Subnets
  • VNet Name: my-vnet
  • Subnet for Private Endpoint: cognitive-private-endpoint-subnet
  • Outbound Subnet for App Service: appservice-outbound (10.0.1.240/29)
  1. Private Endpoint Configuration
  • Private Endpoint Name: my-private-endpoint
  • Linked Service: my-speech-service
  • Private IP Assigned: 10.0.0.4
  • DNS Resolution (From App Service): 
      nslookup my-speech-service.privatelink.cognitiveservices.azure.com
    Returns: 
      Name:    my-speech-service.privatelink.cognitiveservices.azure.com
  1. Custom Route Table for App Service Outbound Traffic
  • Route Name: private-speech-route
  • Address Prefix: 10.0.0.4/32
  • Next Hop Type: Virtual Network
  1. IAM Role Assignments (For Managed Identity Authentication)

The App Service has the following IAM role assignments:

  • Cognitive Services Speech Contributor
  • Cognitive Services Speech User
  • Assigned at the resource level for my-speech-service.

Troubleshooting Steps Taken

Verified Private Endpoint DNS Resolution:✅ Successful (nslookup returns private IP)

Checked IAM Role Assignments: ✅ Proper roles assigned

Checked Route Table Configuration: ✅ Custom route configured for private IP

Tested Authentication via Managed Identity: ✅ Works when access is unrestricted

Fails when network access is set to "Selected Networks and Private Endpoints"

Questions to community:

  1. Why does authentication fail with a 401 error when using a Private Endpoint, despite the correct IAM roles being assigned?
  2. Are there any additional permissions required for Managed Identity authentication over a Private Endpoint?
  3. Is there an additional step required for WebSocket-based connections through Private Endpoints?
  4. Are there known limitations for Private Endpoint usage with Speech-to-Text services?

Thank you for your assistance.

Azure AI Speech
Azure AI Speech
An Azure service that integrates speech processing into apps and services.
1,904 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Manas Mohanty 295 Reputation points Microsoft Vendor
    2025-02-06T04:57:58.0333333+00:00

    Hi Yaraslav Kireyev !

    Welcome to Azure AI Q and A forum. Thank you for posting your query here.

    401 are authentication issues mostly due to private endpoint/ authentication used in code itself.

    I would suggest you check below steps.

    1. Changing authentication at speech config to endpoint/key instead. Here endpoint refers to private link/custom domain mentioned endpoint

      For example "wss://my-private-link-speech.cognitiveservices.azure.com/stt/speech/recognition/conversation/cognitiveservices/v1?language=en-US"

      Modifying applications using Speech resource with private endpoint Construct endpoint url 
         #endpoint = 
   var config = SpeechConfig.FromEndpoint(endPoint, speechKey);
      Reference on C# SDK Reference on Speech with Private endpoint
    2. You have opted custom domain for Speech service.
    3. You have created Microsoft.CognitiveServices service endpoint for your speech resource.
    4. Check DNS resolution for App Service
    5. Please make sure you have provided outbound connectivity to Microsoft. App service service tag too.

    speech-resource-with-a-custom-domain-name-and-a-private-endpoint-usage-with-the-speech-sdk

    Reference threads

    1

    If the pointers solve your issue, please upvote for this answer.

    Thank you.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.