Can't connect to Azure OpenAI service via Private Endpoints

Sally 20 Reputation points
2025-02-05T17:34:14.21+00:00

We have followed best practices to use Private endpoints to access Azure OpenAI service in an Azure Foundry project. In the UI all connections work, so we grabbed the sample code to test the connection in Visual Studio so we can use the code to automate the training processes. When we added the private endpoints via key-based auth, we got the error:

raise mapped_exc(message) from exc httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for '[XXX.privatelink.openai.azure.com]'. (_ssl.c:1007).

For this error, I have checked our Private link configuration (the correct URL is shown in the error message) and it is correctly configured. DNS resolves the URL successfully. I don't know where to look for the "mismatch" and where the cert is. One of the similar posts has an answer that said we shouldn't use the Private link URL because Azure will handle that by default. Is this true? Any suggestions?

When we try to use Entra auth, this is another error:

raise self._make_status_error_from_response(err.response) from None openai.AuthenticationError: Error code: 401 - {'error': {'code': 'PermissionDenied', 'message': 'Principal does not have access to API/Operation.'}}

Does this mean we need to provision an App and use Managed Identity with role assigned to access OpenAI API?

I only found high level instructions and best practices of how to set up Azure OpenAI service with Private Endpoints so not sure where to validate my configuration nor troubleshoot the errors. Any information/suggestions the community can provide would be greatly appreciated! Thanks in advance.

Sally

Azure OpenAI Service
An Azure service that provides access to OpenAI’s GPT-3 models with enterprise capabilities.

3 answers

  1. hossein jalilian 9,930 Reputation points
    2025-02-05T17:45:30.7166667+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    These issues are common and can be resolved with a few adjustments.

    The error message you're receiving indicates a mismatch between the hostname in the SSL certificate and the private link URL. This error occurs because the SSL certificate is still associated with the public endpoint, not the private one. To resolve this:

    • Use the public endpoint URL in your code, not the private link URL
    • Azure will automatically route the traffic through the private endpoint if it's configured correctly

    The error message you're seeing with Entra ID authentication suggests a permissions issue:

    • You need to provision an App Registration and use Managed Identity with the appropriate role assigned to access the OpenAI API
    • Ensure that the managed identity has the Cognitive Services OpenAI User role assigned to it for the Azure OpenAI resource

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

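The two conditions the answer above relies on (the URL host must match a name in the certificate, and the public name must resolve to a private IP) can be checked with the sketch below. It is an added example, not code from the thread or from Microsoft; the resource name `contoso-aoai`, the IP addresses and the `*.openai.azure.com` SAN are constructed assumptions, and `live_inputs` reads the real values when run inside the network.

```python
import ipaddress
import socket
import ssl

def san_matches(hostname, san):
    """RFC 6125-style match: '*' is only the left-most label and covers exactly one label."""
    h = hostname.lower().rstrip(".").split(".")
    s = san.lower().rstrip(".").split(".")
    if len(h) != len(s):
        return False
    return h[1:] == s[1:] if s[0] == "*" else h == s

def diagnose(url_host, resolved_ips, cert_sans):
    """Findings for the host used as the client endpoint; empty list means both checks pass."""
    findings = []
    if not any(san_matches(url_host, s) for s in cert_sans):
        findings.append("hostname-mismatch")      # the CERTIFICATE_VERIFY_FAILED case
    if not all(ipaddress.ip_address(ip).is_private for ip in resolved_ips):
        findings.append("resolves-to-public-ip")  # DNS is not sending traffic to the private endpoint
    return findings

def live_inputs(host, port=443):
    """Collect real resolved IPs and certificate DNS SANs (needs network access)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    ips = sorted({ai[4][0] for ai in infos})
    ctx = ssl.create_default_context()
    # Diagnostic only: the chain is still verified, names are compared by diagnose().
    # Never disable hostname checking in the application client.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
    return ips, sans

# Constructed sample values, not taken from the thread.
SAMPLE_SANS = ["*.openai.azure.com"]   # assumed SAN list
PUBLIC_NAME = "contoso-aoai.openai.azure.com"
PRIVATELINK_NAME = "contoso-aoai.privatelink.openai.azure.com"

if __name__ == "__main__":
    for host in (PRIVATELINK_NAME, PUBLIC_NAME):
        print(host, diagnose(host, ["10.0.1.5"], SAMPLE_SANS))
```

A single-label wildcard cannot cover the extra `privatelink` label, which is why the privatelink name fails verification even when DNS and the private endpoint are configured correctly.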

  2. Sally 20 Reputation points
    2025-02-06T02:43:06.3433333+00:00

    Hi hossein jalilian,

    Thank you for answering my inquiry. We did try to use the public endpoint URL without any luck. Thank you for addressing my inquiry. We attempted using the public endpoint URL but, unfortunately, had no success. We also double-checked the private endpoint and confirmed that the DNS resolves correctly, yet the issue persists, and we're still unsure of the cause.

    Regarding Entra ID authentication, that explanation makes complete sense. Thank you for confirming it.

    If you have any additional suggestions for troubleshooting this issue, please feel free to share them.

    Regards,

    Sally


  3. C Lee 0 Reputation points
    2025-02-12T02:58:45.45+00:00

    Hi Manas Mohanty (Quadrant Resource LLC),

    Thanks for the follow-up post and for providing the Entra Auth information. We are still troubleshooting the connection/PEP issue, but the provided information does help us work in the right direction. Really appreciate all the help!

    Sally
