Azure AI Search
An Azure search service with built-in artificial intelligence capabilities that enrich information to help identify and explore relevant content at scale.
1,222 questions
Unable to create Azure Search Service in Private network using ARM template API version 2023-11-01
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 26%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Rajkumar Dasari
0
Reputation points
We have tried deploying Azure AI Search resource using ARM templates with API version 2023-11-01, ARM configurations having private network enabled for Azure AI Search, but when deployed resource, it is getting deployed in the public network.
Screenshot after deployment.png
ARM template
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"searchServiceName": {
"metadata": {
"description": "Enter name for the Search Service Name e.g. in-aks-dev-ss"
},
"type": "String"
},
"searchServiceRegion": {
"metadata": {
"description": "Enter region name for the Search Service Name e.g. eastus,westus. Note: this should be other than resource group region."
},
"type": "String"
},
"searchServiceSku": {
"defaultValue": "standard",
"allowedValues": [
"basic",
"standard"
],
"metadata": {
"description": "Select the search service SKU based on requirement, default value is standard"
},
"type": "String"
},
"searchServiceReplicaCount": {
"metadata": {
"description": "provide replica count, range for basic is 1 to 3, range for standard SKU is 1 to 12"
},
"type": "int",
"defaultValue": 1
},
"searchServicePartitionCount": {
"metadata": {
"description": "Provide partition count, max value for basic SKU is 1, range for standard SKU is 1 to 12"
},
"type": "int",
"defaultValue": 1
},
"storageAccountName": {
"metadata": {
"description": "Enter name for the Storage Account e.g. inaksenvdevsa"
},
"type": "String"
},
"vnetName": {
"type": "string",
"metadata": {
"description": "Name of the virtual network"
}
},
"vnetID": {
"type": "string",
"metadata": {
"description": "Enter the virtual nertwork resource ID"
}
},
"vnetSubnetID": {
"type": "string",
"defaultValue": ""
},
"resourceTags": {
"type": "object",
"defaultValue": "",
"metadata": {
"description": "It is a optional parameter, if tags are required provide the value."
}
}
},
"variables": {
"location": "[resourceGroup().location]",
"privateEndpointSStoVnetName": "ss_vnet_pe",
"SearchservicePENicName": "[concat(variables('privateEndpointSStoVnetName'),'_nic')]",
"privateDnsZoneName": "[concat(parameters('searchServiceName'),'.privatelink.search.windows.net')]",
"privateDnsZoneGroupName": "[format('{0}/dnsgroupname', variables('privateEndpointSStoVnetName'))]",
},
"resources": [
{
"condition": "[not(equals(parameters('searchServiceName'), ''))]",
"type": "Microsoft.Search/searchServices",
"apiVersion": "2023-11-01",
"name": "[parameters('searchServiceName')]",
"location": "[parameters('searchServiceRegion')]",
"tags": "[parameters('resourceTags')]",
"sku": {
"name": "[parameters('searchServiceSku')]"
},
"identity": {
"type": "None"
},
"properties": {
"hostingMode": "Default",
"publicNetworkAccess": "disabled",
"partitionCount": "[parameters('searchServicePartitionCount')]",
"replicaCount": "[parameters('searchServiceReplicaCount')]"
}
},
{
"condition": "[not(equals(parameters('searchServiceName'), ''))]",
"type": "Microsoft.Search/searchServices/sharedPrivateLinkResources", // shared private acess from SS to SA
"apiVersion": "2023-11-01",
"name": "[concat(parameters('searchServiceName'), '/pe_ss_sa2')]",
"dependsOn": [
"[resourceId('Microsoft.Search/searchServices', parameters('searchServiceName'))]"
],
"properties": {
"privateLinkResourceId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
"groupId": "blob",
"requestMessage": "request for private connection between SS and SA"
}
},
{
"condition": "[not(equals(parameters('searchServiceName'), ''))]",
"type": "Microsoft.Network/privateDnsZones",
"apiVersion": "2024-06-01",
"name": "[variables('privateDnsZoneName')]",
"tags": "[parameters('resourceTags')]",
"location": "global",
"properties": {}
},
{
"condition": "[not(equals(parameters('searchServiceName'), ''))]",
"type": "Microsoft.Network/privateEndpoints",
"apiVersion": "2024-05-01",
"name": "[variables('privateEndpointSStoVnetName')]",
"tags": "[parameters('resourceTags')]",
"location": "[variables('location')]",
"dependsOn": [
"[resourceId('Microsoft.Search/searchServices', parameters('searchServiceName'))]"
],
"properties": {
"subnet": {
"id": "[parameters('vnetSubnetID')]"
},
"privateLinkServiceConnections": [
{
"name": "[variables('privateEndpointSStoVnetName')]",
"properties": {
"privateLinkServiceId": "[resourceId('Microsoft.Search/searchServices', parameters('searchServiceName'))]",
"groupIds": [
"searchService"
]
}
}
]
}
},
{
"condition": "[not(equals(parameters('searchServiceName'), ''))]",
"type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
"apiVersion": "2024-06-01",
"name": "[format('{0}/{1}', variables('privateDnsZoneName'), format('{0}-link', parameters('vnetName')))]",
"location": "global",
"tags": "[parameters('resourceTags')]",
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]"
],
"properties": {
"registrationEnabled": false,
"virtualNetwork": {
"id": "[parameters('vnetID')]"
}
}
},
{
"condition": "[not(equals(parameters('searchServiceName'), ''))]",
"type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
"apiVersion": "2024-05-01",
"name": "[variables('privateDnsZoneGroupName')]",
"dependsOn": [
"[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]",
"[resourceId('Microsoft.Network/privateEndpoints', variables('privateEndpointSStoVnetName'))]"
],
"properties": {
"privateDnsZoneConfigs": [
{
"name": "config1",
"properties": {
"privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', variables('privateDnsZoneName'))]"
}
}
]
}
}
],
"outputs": {
}
}
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 36%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Shree Hima Bindu Maganti 3,600 Reputation points Microsoft External Staff2025-03-12T09:53:18.1133333+00:00 Hi @Rajkumar Dasari ,
When deploying Azure AI Search with private networking using ARM templates, you may notice that the service still appears on the public network despite setting"publicNetworkAccess": "disabled". To resolve this, first, ensure that the Private Endpoint is successfully created and linked to the Azure AI Search service. You can verify this by runningaz network private-endpoint-connection list --resource-group <your-resource-group>in Azure CLI. Next, check if the Private DNS Zone (privatelink.search.windows.net) correctly resolves to the private IP usingnslookup <your-search-service>.search.windows.net. Also, confirm that your Virtual Network and Subnet (vnetSubnetID) allow private endpoint connections and that there are no restrictive NSG or firewall rules. Additionally, review the Networking settings in the Azure Portal to make sure Public Network Access is disabled. If the issue persists, examine your ARM template deployment logs for misconfigurations, ensuring that all dependencies such asMicrosoft.Network/privateEndpointsandMicrosoft.Network/privateDnsZonesare correctly defined and deployed in the right order. For further troubleshooting, refer to Manage Azure AI Search with PowerShell, Azure Private Endpoint Troubleshooting, and Manage Azure AI Search with Azure CLI.
Let me know if you need any further assistance! -
Rajkumar Dasari 0 Reputation points
2025-03-12T12:48:38.0466667+00:00 We have verified all the configurations that mentioned in the ARM templates, there is no issue with these templates. I tested nslookup for the above created Azure AI Search please refer below attachment. As per our knowledge we are experiencing this issue recently with latest API version 2023-11-01, not with another version 2022-09-01. So please make us to understand this behavior, review our ARM template.
Sign in to comment
Sign in to answer