![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 37%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,572 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 75%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Hi,
Thanks for reaching out to Microsoft Q&A.
There are two mechanisms for restricting access to the public endpoint:
- Inbound rules listing the IP addresses, ranges, or subnets from which requests are admitted
- Exceptions to network rules, where requests are admitted with no checks, as long as the request originates from a trusted service
Network rules aren't required, but it's a security best practice to add them if you use Azure AI Search for surfacing private or internal corporate content.
Network rules are scoped to data plane operations against the search service's public endpoint. Data plane operations include creating or querying indexes, and all other actions described by the Search REST APIs. Control plane operations target service administration. Those operations specify resource provider endpoints, which are subject to the network protections supported by Azure Resource Manager.
Limitations
There are a few drawbacks to locking down the public endpoint.
- It takes time to fully identify IP ranges and set up firewalls, and if you're in early stages of proof-of-concept testing and investigation and using sample data, you might want to defer network access controls until you actually need them.
- Some workflows require access to a public endpoint. Specifically, the import wizards in the Azure portal connect to built-in (hosted) sample data and embedding models over the public endpoint. You can switch to code or script to complete the same tasks when firewall rules in place, but if you want to run the wizards, the public endpoint must be available. For more information, see Secure connections in the import wizards.There are two mechanisms for restricting access to the public endpoint:
- Inbound rules listing the IP addresses, ranges, or subnets from which requests are admitted
- Exceptions to network rules, where requests are admitted with no checks, as long as the request originates from a trusted service
- It takes time to fully identify IP ranges and set up firewalls, and if you're in early stages of proof-of-concept testing and investigation and using sample data, you might want to defer network access controls until you actually need them.
- Some workflows require access to a public endpoint. Specifically, the import wizards in the Azure portal connect to built-in (hosted) sample data and embedding models over the public endpoint. You can switch to code or script to complete the same tasks when firewall rules in place, but if you want to run the wizards, the public endpoint must be available. For more information, see Secure connections in the import wizards.
Please follow this document for step by step guidance: https://learn.microsoft.com/en-us/azure/search/service-configure-firewall
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.