How to set up a managed network for Azure AI Foundry hubs

Note

You must use a hub-based project for this feature. An Azure AI Foundry project isn't supported. See How do I know which type of project I have? and Create a hub-based project.

Network isolation for a hub-based project has two parts: accessing an Azure AI Foundry hub, and isolating the computing resources in your hub and project (like compute instances, serverless, and managed online endpoints). This article covers the latter, which the following diagram highlights. Use the hub's built-in network isolation to protect your computing resources.

Diagram that shows Azure AI Foundry hub network isolation for outbound traffic and managed network configuration.

Set up the following network isolation settings:

  • Choose a network isolation mode: allow internet outbound or allow only approved outbound.
  • If you use Visual Studio Code integration in allow only approved outbound mode, create FQDN outbound rules as described in the use Visual Studio Code section.
  • If you use Hugging Face models in allow only approved outbound mode, create FQDN outbound rules as described in the use Hugging Face models section.
  • If you use one of the open source models in allow only approved outbound mode, create FQDN outbound rules as described in the Models sold directly by Azure section.

Network isolation architecture and isolation modes

When you enable managed virtual network isolation, a managed virtual network is created for the hub. Managed compute resources you create for the hub automatically use this managed virtual network. The managed virtual network can use private endpoints for Azure resources your hub uses, like Azure Storage, Azure Key Vault, and Azure Container Registry.

Choose one of three outbound modes for the managed virtual network:

Outbound mode | Description | Scenarios
--- | --- | ---
Allow internet outbound | Allow all internet outbound traffic from the managed virtual network. | You want unrestricted access to machine learning resources on the internet, such as Python packages or pretrained models. [1]
Allow only approved outbound | Use service tags to allow outbound traffic. | You want to minimize the risk of data exfiltration, but you need to prepare all required machine learning artifacts in your private environment. Or: you want to configure outbound access to an approved list of services, service tags, or fully qualified domain names (FQDNs).
Disabled | Inbound and outbound traffic isn't restricted. | You want public inbound and outbound from the hub.

[1] You can use outbound rules with the allow only approved outbound mode to achieve the same result as using allow internet outbound. The differences are:

  • Always use private endpoints to access Azure resources.
  • You must add rules for each outbound connection you need to allow.
  • Adding fully qualified domain name (FQDN) outbound rules increases your costs because this rule type uses Azure Firewall. If you use FQDN outbound rules, charges for Azure Firewall are included in your billing. For more information, see Pricing.
  • The default rules for allow only approved outbound are designed to minimize the risk of data exfiltration. Any outbound rules you add might increase your risk.

The managed virtual network is preconfigured with required default rules. The hub also configures private endpoint connections to your hub, the hub's default storage account, container registry, and key vault when those resources are set to private or when the isolation mode is set to allow only approved outbound. After you choose an isolation mode, add any other outbound rules you need.

The following diagram shows a managed virtual network configured to allow internet outbound:

Diagram that shows a managed virtual network configured to allow internet outbound traffic.

The following diagram shows a managed virtual network configured to allow only approved outbound:

Note

In this configuration, the storage, key vault, and container registry that the hub uses are set to private. Because they're private, the hub uses private endpoints to reach them.

Diagram that shows a managed virtual network configured to allow only approved outbound traffic.

Note

To access a private storage account from a public AI Foundry hub, use AI Foundry from within your storage account's virtual network. Accessing AI Foundry from within the virtual network ensures that you can perform actions such as uploading files to the private storage account. The private storage account is independent of your AI Foundry hub's networking settings. See Configure Azure Storage firewalls and virtual networks.

Prerequisites

Before you start, make sure you have these prerequisites:

  • An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.

  • Register the Microsoft.Network resource provider for your Azure subscription. The hub uses this provider to create private endpoints for the managed virtual network.

    For information on registering resource providers, see Resolve errors for resource provider registration.

  • Use an Azure identity with the following Azure role-based access control (Azure RBAC) actions to create private endpoints for the managed virtual network:

    • Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/read
    • Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/write

Limitations

  • Azure AI Foundry supports managed virtual network isolation for compute resources. Azure AI Foundry doesn't support bringing your own virtual network for compute isolation. This scenario differs from the Azure Virtual Network required to access Azure AI Foundry from an on-premises network.
  • After you enable managed virtual network isolation, you can't disable it.
  • The managed virtual network uses a private endpoint to connect to private resources. You can't use a private endpoint and a service endpoint on the same Azure resource, like a storage account. Use private endpoints for all scenarios.
  • When you delete Azure AI Foundry, the service deletes the managed virtual network.
  • With allow only approved outbound, Azure AI Foundry enables data exfiltration protection automatically. If you add other outbound rules, like FQDNs, Microsoft can't guarantee protection against data exfiltration to those destinations.
  • FQDN outbound rules increase managed virtual network cost because they use Azure Firewall. For more information, see Pricing.
  • FQDN outbound rules support only ports 80 and 443.
  • To disable a compute instance's public IP address, add a private endpoint to a hub.
  • For a compute instance in a managed network, run az ml compute connect-ssh to connect over SSH.
  • If your managed network is configured to allow only approved outbound, you can't use an FQDN rule to access Azure Storage accounts. Use a private endpoint instead.

Configure a managed virtual network to allow internet outbound

Tip

Azure AI Foundry defers creating the managed virtual network until a compute resource is created or you start provisioning manually. With automatic creation, it can take about 30 minutes to create the first compute resource because it also provisions the network.

  • Create a new hub:

    1. Sign in to the Azure portal, and select Azure AI Foundry from the Create a resource menu.

    2. Select + New Azure AI.

    3. Enter the required information on the Basics tab.

    4. From the Networking tab, select Private with Internet Outbound.

    5. To add an outbound rule, select Add user-defined outbound rules from the Networking tab. From the Outbound rules sidebar, enter the following information:

      • Rule name: A name for the rule. The name must be unique for this hub.
      • Destination type: Private Endpoint is the only option when network isolation is Private with Internet Outbound. A hub-managed virtual network doesn't support creating private endpoints for all Azure resource types. For a list of supported resources, see the Private endpoints section.
      • Subscription: The subscription that contains the Azure resource you want to add a private endpoint for.
      • Resource group: The resource group that contains the Azure resource you want to add a private endpoint for.
      • Resource type: The type of the Azure resource.
      • Resource name: The name of the Azure resource.
      • Sub Resource: The subresource of the Azure resource type.

      Select Save. To add more rules, select Add user-defined outbound rules.

    6. Continue creating the hub.

  • Update an existing hub:

    1. Sign in to the Azure portal, and select the hub to enable managed virtual network isolation.

    2. Select Networking > Private with Internet Outbound.

      • To add an outbound rule, select Add user-defined outbound rules from the Networking tab. From the Outbound rules sidebar, provide the same information as used when creating a hub in the 'Create a new hub' section.

      • To delete an outbound rule, select delete for the rule.

    3. Select Save at the top of the page to apply the changes to the managed virtual network.

Configure a managed virtual network to allow only approved outbound

Tip

Azure sets up the managed VNet automatically when you create a compute resource. If you allow automatic creation, the first compute resource can take about 30 minutes to create because the network also needs to set up. If you configure FQDN outbound rules, the first FQDN rule adds about 10 minutes to the setup time.

  • Create a new hub:

    1. Sign in to the Azure portal, and choose Azure AI Foundry from Create a resource menu.

    2. Select + New Azure AI.

    3. Provide the required information on the Basics tab.

    4. From the Networking tab, select Private with Approved Outbound.

    5. To add an outbound rule, select Add user-defined outbound rules from the Networking tab. From the Outbound rules sidebar, provide the following information:

      • Rule name: A name for the rule. The name must be unique for this hub.
      • Destination type: Private Endpoint, Service Tag, or FQDN. Service Tag and FQDN are only available when the network isolation is private with approved outbound.

      If the destination type is Private Endpoint, enter the following information:

      • Subscription: The subscription that contains the Azure resource you want to add a private endpoint for.
      • Resource group: The resource group that contains the Azure resource you want to add a private endpoint for.
      • Resource type: The type of the Azure resource.
      • Resource name: The name of the Azure resource.
      • Sub Resource: The subresource of the Azure resource type.

      Tip

      The hub's managed VNet doesn't support private endpoints for all Azure resource types. For a list of supported resources, see the Private endpoints section.

      If the destination type is Service Tag, enter the following information:

      • Service tag: The service tag to add to the approved outbound rules.
      • Protocol: The protocol to allow for the service tag.
      • Port ranges: The port ranges to allow for the service tag.

      If the destination type is FQDN, enter the following information:

      • FQDN destination: The fully qualified domain name to add to the approved outbound rules.

      Select Save to save the rule. To add more rules, select Add user-defined outbound rules again.

    6. Continue creating the hub as usual.

  • Update an existing hub:

    1. Sign in to the Azure portal, and select the hub that you want to enable managed virtual network isolation for.

    2. Select Networking > Private with Approved Outbound.

      • To add an outbound rule, select Add user-defined outbound rules from the Networking tab. From the Outbound rules sidebar, enter the same information as when creating a hub in the previous 'Create a new hub' section.

      • To delete an outbound rule, select delete for the rule.

    3. Select Save at the top of the page to save the changes to the managed virtual network.

Manually provision a managed VNet

The managed virtual network is automatically provisioned when you create a compute instance. When you rely on automatic provisioning, it can take around 30 minutes to create the first compute instance as it is also provisioning the network. If you configured FQDN outbound rules (only available with allow only approved mode), the first FQDN rule adds around 10 minutes to the provisioning time. If you have a large set of outbound rules to be provisioned in the managed network, it can take longer for provisioning to complete. The increased provisioning time can cause your first compute instance creation to time out.

To reduce wait time and avoid timeouts, manually set up the managed network. Wait for provisioning to complete before you create a compute instance.

Alternatively, use the provision_network_now flag to set up the managed network during hub creation.

Note

To deploy a model to managed compute, you must manually provision the managed network, or create a compute instance first. Creating a compute instance automatically provisions it.

During workspace creation, select Provision managed network proactively at creation to set up the managed network. Billing starts for network resources, like private endpoints, after the virtual network is set up. This option is available only during workspace creation.
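The portal steps above set the isolation mode and outbound rules by hand; the same settings can be expressed as a declarative hub spec for the Azure ML CLI v2 (`az ml workspace create --kind hub --file hub.json -g <resource-group>`), which is also where the provision_network_now flag mentioned above lives. The following is an added example written for this article, not Microsoft's code. It assumes the Azure ML workspace YAML schema keys `managed_network`, `isolation_mode`, `outbound_rules` and `provision_network_now`, and the mode spellings `allow_internet_outbound`, `allow_only_approved_outbound` and `disabled`; the resource IDs are placeholders. The validator enforces the constraints this article states: Private Endpoint is the only destination type in internet-outbound mode, Service Tag and FQDN are available only in approved-outbound mode, and rule names must be unique per hub.

```python
"""Build and validate an Azure AI Foundry hub spec with a managed virtual network.

Added example, not from the article. Keys follow the Azure ML CLI v2 workspace
YAML schema as assumed here (managed_network / isolation_mode / outbound_rules /
provision_network_now); check them against the current schema before use.
JSON is a subset of YAML, so the emitted file can be passed to --file as-is.
"""
import json

# Isolation modes from the article, spelled as the schema spells them (assumed).
INTERNET = "allow_internet_outbound"
APPROVED = "allow_only_approved_outbound"
DISABLED = "disabled"

# Destination types the portal offers per mode (stated in the article):
# Private Endpoint only for internet outbound; all three for approved outbound.
ALLOWED_RULE_TYPES = {
    INTERNET: {"private_endpoint"},
    APPROVED: {"private_endpoint", "service_tag", "fqdn"},
    DISABLED: set(),
}

# Fields each destination type needs (mirrors the portal's required inputs).
REQUIRED_FIELDS = {
    "private_endpoint": {"service_resource_id", "subresource_target"},
    "service_tag": {"service_tag", "protocol", "port_ranges"},
}


def private_endpoint_rule(name, resource_id, subresource):
    """Outbound rule that reaches one Azure resource over a private endpoint."""
    return {"name": name, "type": "private_endpoint",
            "destination": {"service_resource_id": resource_id,
                            "subresource_target": subresource,
                            "spark_enabled": False}}


def service_tag_rule(name, tag, protocol="TCP", port_ranges="443"):
    """Outbound rule that allows a whole Azure service tag on given ports."""
    return {"name": name, "type": "service_tag",
            "destination": {"service_tag": tag, "protocol": protocol,
                            "port_ranges": port_ranges}}


def fqdn_rule(name, host):
    """Outbound rule for one host name (enforced by Azure Firewall, ports 80/443)."""
    return {"name": name, "type": "fqdn", "destination": host}


def validate_rules(mode, rules):
    """Return a list of problems; an empty list means the rules fit the mode."""
    problems, seen = [], set()
    for r in rules:
        if r["name"] in seen:
            problems.append(f"duplicate rule name {r['name']!r}")
        seen.add(r["name"])
        if r["type"] not in ALLOWED_RULE_TYPES[mode]:
            problems.append(f"rule {r['name']!r}: type {r['type']!r} not allowed in mode {mode!r}")
        needed = REQUIRED_FIELDS.get(r["type"], set())
        dest = r.get("destination")
        missing = needed - set(dest) if isinstance(dest, dict) else needed
        if missing:
            problems.append(f"rule {r['name']!r}: missing {sorted(missing)}")
    return problems


def build_hub_spec(name, location, mode, rules, provision_now=False):
    """Assemble the hub spec, refusing rule sets the chosen mode cannot accept."""
    errors = validate_rules(mode, rules)
    if errors:
        raise ValueError("; ".join(errors))
    spec = {
        "$schema": "https://azuremlschemas.azureedge.net/latest/workspace.schema.json",
        "name": name,
        "location": location,
        "managed_network": {"isolation_mode": mode, "outbound_rules": rules},
    }
    if provision_now:
        # Provision the managed network at creation instead of on first compute.
        spec["provision_network_now"] = True
    return spec


if __name__ == "__main__":
    # Placeholder resource IDs; replace with your own before use.
    rules = [
        private_endpoint_rule(
            "pe-datalake",
            "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
            "Microsoft.Storage/storageAccounts/<account>", "blob"),
        service_tag_rule("st-datafactory", "DataFactory", "TCP", "80, 443"),
        fqdn_rule("fqdn-pypi", "pypi.org"),
    ]
    print(json.dumps(build_hub_spec("my-hub", "eastus", APPROVED, rules,
                                    provision_now=True), indent=2))
```

Keeping the rule set in a reviewed file makes the outbound surface of the hub visible at change time: a rule that widens egress (a new FQDN or service tag) shows up as a diff rather than a portal click, and the validator rejects combinations the portal would silently hide.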

Manage outbound rules

  1. Sign in to the Azure portal, and select the hub that you want to enable managed virtual network isolation for.

  2. Select Networking. The Azure AI Outbound access section lets you manage outbound rules.

     • To add an outbound rule, select Add user-defined outbound rules from the Networking tab. From the Azure AI outbound rules sidebar, enter the required values.

     • To enable or disable a rule, use the toggle in the Active column.

     • To delete an outbound rule, select delete for the rule.

List of required rules

Tip

These rules are automatically added to the managed virtual network (VNet).

Private endpoints:

  • When the isolation mode for the managed virtual network is Allow internet outbound, Azure AI Foundry automatically creates required private endpoint outbound rules from the managed virtual network for the hub and associated resources with public network access disabled (Azure Key Vault, storage account, Azure Container Registry, and hub).
  • When the isolation mode for the managed virtual network is Allow only approved outbound, Azure AI Foundry automatically creates required private endpoint outbound rules from the managed virtual network for the hub and associated resources regardless of the public network access setting for those resources (Azure Key Vault, storage account, Azure Container Registry, and hub).

Azure AI Foundry requires a set of service tags for private networking. Don't replace the required service tags. The following table describes each required service tag and its purpose within Azure AI Foundry.

Service tag rule | Inbound or outbound | Purpose
--- | --- | ---
AzureMachineLearning | Inbound | Create, update, and delete Azure AI Foundry compute instances and clusters.
AzureMachineLearning | Outbound | Using Azure Machine Learning services. Python IntelliSense in notebooks uses port 18881. Creating, updating, and deleting an Azure Machine Learning compute instance uses port 5831.
AzureActiveDirectory | Outbound | Authentication using Microsoft Entra ID.
BatchNodeManagement.region | Outbound | Communication with the Azure Batch back end for Azure AI Foundry compute instances and clusters.
AzureResourceManager | Outbound | Create Azure resources by using Azure AI Foundry, Azure CLI, and the Azure AI Foundry SDK.
AzureFrontDoor.FirstParty | Outbound | Access Docker images provided by Microsoft.
MicrosoftContainerRegistry | Outbound | Access Docker images provided by Microsoft. Set up the Azure AI Foundry router for Azure Kubernetes Service.
AzureMonitor | Outbound | Send logs and metrics to Azure Monitor. Only needed if you haven't secured Azure Monitor for the workspace. This outbound rule also logs information for support incidents.
VirtualNetwork | Outbound | Required when private endpoints are present in the virtual network or peered virtual networks.
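A practical check on the required rules above, and on the user-added rules that widen the outbound surface, is to audit the hub's managed-network definition after every change. The following is an added example written for this article, not Microsoft's code. It assumes a document shaped like the Azure ML CLI v2 workspace YAML schema (`managed_network.isolation_mode` and `managed_network.outbound_rules`, each rule with `name`, `type`, `destination` and a `category` of `required` or `user_defined`); the sample document embedded in it is constructed, not real output. The audit applies three points from this article: required service tags must not be replaced, FQDN rules incur Azure Firewall cost and fall outside the exfiltration protection, and in allow-only-approved-outbound mode Azure Storage must be reached through a private endpoint rather than an FQDN rule.

```python
"""Audit a hub's managed-network outbound rules against the article's guidance.

Added example, not from the article. The input shape mirrors the Azure ML CLI v2
workspace YAML schema as assumed here; SAMPLE_WORKSPACE is constructed data.
"""
import re

APPROVED = "allow_only_approved_outbound"

# Required outbound service tags from the article's table. BatchNodeManagement
# carries a region suffix, so it is matched by its prefix.
REQUIRED_OUTBOUND_TAGS = {
    "AzureMachineLearning", "AzureActiveDirectory", "BatchNodeManagement",
    "AzureResourceManager", "AzureFrontDoor.FirstParty",
    "MicrosoftContainerRegistry", "AzureMonitor", "VirtualNetwork",
}

# Azure Storage endpoint suffixes: the article says these must use a private
# endpoint, not an FQDN rule, when the mode is allow only approved outbound.
STORAGE_SUFFIX = re.compile(
    r"\.(blob|file|queue|table|dfs|web)\.core\.windows\.net$", re.IGNORECASE)


def _tag_key(tag):
    """Normalize a service tag so regional BatchNodeManagement.<region> matches."""
    return "BatchNodeManagement" if tag.startswith("BatchNodeManagement") else tag


def audit_managed_network(ws):
    """Return (severity, message) findings for a workspace/hub document."""
    net = ws.get("managed_network") or {}
    mode = net.get("isolation_mode")
    rules = net.get("outbound_rules") or []
    findings = []

    if mode != APPROVED:
        findings.append(("warn", f"isolation_mode is {mode!r}: automatic data "
                                 f"exfiltration protection applies only to {APPROVED!r}"))

    # Every required tag must still be present as an outbound service_tag rule.
    present = {_tag_key((r.get("destination") or {}).get("service_tag", ""))
               for r in rules if r.get("type") == "service_tag"}
    for tag in sorted(REQUIRED_OUTBOUND_TAGS - present):
        findings.append(("error", f"required outbound service tag {tag} is missing; "
                                  "do not replace the required service tags"))

    # Only user-added rules widen the outbound surface beyond the defaults.
    for r in rules:
        if r.get("category", "user_defined") != "user_defined":
            continue
        name, kind = r.get("name"), r.get("type")
        if kind == "fqdn":
            host = r["destination"]
            if STORAGE_SUFFIX.search(host):
                findings.append(("error", f"rule {name}: FQDN {host} targets Azure Storage; "
                                          "use a private endpoint outbound rule instead"))
            else:
                findings.append(("info", f"rule {name}: FQDN {host} deploys Azure Firewall "
                                         "(billed) and is not covered by exfiltration "
                                         "protection; only ports 80 and 443 are supported"))
        elif kind == "service_tag":
            d = r["destination"]
            findings.append(("info", f"rule {name}: service tag {d.get('service_tag')} "
                                     f"{d.get('protocol')} {d.get('port_ranges')} allows "
                                     "a whole service, not a single resource"))
    return findings


def _required_rule(tag):
    """Constructed stand-in for a platform-added required rule."""
    return {"name": f"required-{tag}", "category": "required", "type": "service_tag",
            "destination": {"service_tag": tag, "protocol": "TCP", "port_ranges": "443"}}


# Constructed sample: all required tags except VirtualNetwork, plus three
# user-defined rules (one of which wrongly reaches storage over an FQDN).
SAMPLE_WORKSPACE = {
    "name": "my-hub",
    "managed_network": {
        "isolation_mode": APPROVED,
        "outbound_rules": [_required_rule(t) for t in (
            "AzureMachineLearning", "AzureActiveDirectory", "BatchNodeManagement.eastus",
            "AzureResourceManager", "AzureFrontDoor.FirstParty",
            "MicrosoftContainerRegistry", "AzureMonitor")] + [
            {"name": "pypi", "category": "user_defined", "type": "fqdn",
             "destination": "pypi.org"},
            {"name": "legacy-blob", "category": "user_defined", "type": "fqdn",
             "destination": "mydata.blob.core.windows.net"},
            {"name": "pe-keyvault", "category": "user_defined", "type": "private_endpoint",
             "destination": {"service_resource_id": "/subscriptions/<sub-id>/resourceGroups/"
                             "<rg>/providers/Microsoft.KeyVault/vaults/<vault>",
                             "subresource_target": "vault"}},
        ],
    },
}

if __name__ == "__main__":
    for severity, message in audit_managed_network(SAMPLE_WORKSPACE):
        print(f"[{severity}] {message}")
```

Run against the JSON you export for a hub, the audit turns the article's prose rules into a repeatable gate: a missing required tag or a storage host behind an FQDN rule is reported as an error, while every FQDN and service tag rule that widens egress is listed so a reviewer can confirm each one is intended.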

List of scenario-specific outbound rules

Scenario: Access public machine learning packages

To install Python packages for training and deployment, add outbound FQDN rules to allow traffic to the following host names:

Note

This list covers common hosts for Python resources on the internet. If you need access to a GitHub repository or another host, identify and add the hosts required for your scenario.

Host name | Purpose
--- | ---
anaconda.com, *.anaconda.com | Used to install default packages.
*.anaconda.org | Used to get repo data.
pypi.org | Lists dependencies from the default index if user settings don't overwrite it. If you overwrite the index, also allow *.pythonhosted.org.
pytorch.org, *.pytorch.org | Used by some examples based on PyTorch.
*.tensorflow.org | Used by some examples based on TensorFlow.

Scenario: Use Visual Studio Code

Visual Studio Code relies on specific hosts and ports to establish a remote connection.

Hosts

Use these hosts to install Visual Studio Code packages and establish a remote connection to your project's compute instances.

Note

This isn't a complete list of the hosts required for all Visual Studio Code resources on the internet, only the most commonly used. For example, if you need access to a GitHub repository or other host, you must identify and add the required hosts for that scenario. For a complete list of host names, see Network Connections in Visual Studio Code.

Host name | Purpose
--- | ---
*.vscode.dev, *.vscode-unpkg.net, *.vscode-cdn.net, *.vscodeexperiments.azureedge.net, default.exp-tas.com | Required to access VS Code for the Web (vscode.dev).
code.visualstudio.com | Required to download and install VS Code desktop. This host isn't required for VS Code Web.
update.code.visualstudio.com, *.vo.msecnd.net | Downloads VS Code Server components to the compute instance during setup scripts.
marketplace.visualstudio.com, vscode.blob.core.windows.net, *.gallerycdn.vsassets.io | Required to download and install VS Code extensions. These hosts enable the remote connection to compute instances. Learn more in Get started with Azure AI Foundry projects in VS Code.
vscode.download.prss.microsoft.com | Serves as the Visual Studio Code download CDN.

Ports

Allow network traffic to ports 8704 to 8710. The VS Code Server selects the first available port in this range.

Scenario: Use Hugging Face models

To use Hugging Face models with the hub, add outbound FQDN rules to allow traffic to the following hosts:

  • docker.io
  • *.docker.io
  • *.docker.com
  • production.cloudflare.docker.com
  • cdn.auth0.com
  • cdn-lfs.huggingface.co

Scenario: Models sold directly by Azure

These models install dependencies at runtime and require outbound FQDN rules to allow traffic to the following hosts:

  • *.anaconda.org
  • *.anaconda.com
  • anaconda.com
  • pypi.org
  • *.pythonhosted.org
  • *.pytorch.org
  • pytorch.org

Private endpoints

Private endpoints are currently supported for the following Azure services:

  • Azure AI Foundry hub
  • Azure AI Search
  • Azure AI services
  • Azure API Management
    • Supports only the Classic tier without VNet injection and the Standard V2 tier with virtual network integration. For more on API Management virtual networks, see Virtual Network Concepts.
  • Azure Container Registry
  • Azure Cosmos DB (all subresource types)
  • Azure Data Factory
  • Azure Database for MariaDB
  • Azure Database for MySQL
  • Azure Database for PostgreSQL Single Server
  • Azure Database for PostgreSQL Flexible Server
  • Azure Databricks
  • Azure Event Hubs
  • Azure Key Vault
  • Azure Machine Learning
  • Azure Machine Learning registries
  • Azure Cache for Redis
  • Azure SQL Server
  • Azure Storage (all subresource types)
  • Application Insights (through PrivateLinkScopes)

When you create a private endpoint, you provide the resource type and subresource that the endpoint connects to. Some resources have multiple types and subresources. For more information, see what is a private endpoint.

When you create a private endpoint for hub dependency resources, such as Azure Storage, Azure Container Registry, and Azure Key Vault, the resource can be in a different Azure subscription. However, the resource must be in the same tenant as the hub.

The service automatically creates a private endpoint for a connection if the target resource is one of the Azure resources listed earlier. Provide a valid target ID for the private endpoint. For a connection, the target ID can be the Azure Resource Manager ID of a parent resource. Include the target ID in the connection's target or in metadata.resourceid. For more on connections, see How to add a new connection in Azure AI Foundry portal.

Approval of private endpoints

To establish private endpoint connections in managed virtual networks by using Azure AI Foundry, the workspace managed identity (system-assigned or user-assigned) and the user identity that creates the private endpoint must have permission to approve the private endpoint connections on the target resources. Previously, the Azure AI Foundry service granted this through automatic role assignments. Because of security concerns with automatic role assignments, starting April 30, 2025, the service discontinues this automatic permission grant logic. Assign the Azure AI Enterprise Network Connection Approver role or a custom role with the necessary private endpoint connection permissions on the target resource types, and grant this role to the Foundry hub's managed identity to let Azure AI Foundry approve private endpoint connections to the target Azure resources.

Here's the list of private endpoint target resource types covered by the Azure AI Enterprise Network Connection Approver role:

  • Azure Application Gateway
  • Azure Monitor
  • Azure AI Search
  • Azure Event Hubs
  • Azure SQL Database
  • Azure Storage
  • Azure Machine Learning workspace
  • Azure Machine Learning registry
  • Azure AI Foundry
  • Azure Key Vault
  • Azure Cosmos DB
  • Azure Database for MySQL
  • Azure Database for PostgreSQL
  • Azure AI services
  • Azure Cache for Redis
  • Azure Container Registry
  • Azure API Management

To create private endpoint outbound rules for target resource types not covered by the Azure AI Enterprise Network Connection Approver role, such as Azure Data Factory, Azure Databricks, and Azure Function Apps, use a custom, scoped-down role defined only by the actions necessary to approve private endpoint connections on the target resource types.

To create private endpoint outbound rules for default workspace resources, workspace creation grants the required permissions through role assignments, so you don't need to take any additional action.

Select an Azure Firewall version for allow only approved outbound

Azure Firewall deploys when you add an outbound FQDN rule in the allow only approved outbound mode. Azure Firewall charges are added to your bill. By default, a Standard version of Azure Firewall is created; you can select the Basic version instead, and you can change the firewall version at any time. To learn which version fits your needs, go to Choose the right Azure Firewall version.

Important

Azure Firewall isn't created until you add an outbound FQDN rule. For pricing details, see Azure Firewall pricing and view prices for the Standard version.

In the Azure portal, after you select the allow only approved outbound mode, the option to select the Azure Firewall version (SKU) appears. Select Standard or Basic, and then select Save.

Pricing

The hub managed virtual network feature is free, but you're charged for the following resources the managed virtual network uses:

  • Azure Private Link—Private endpoints that secure communication between the managed virtual network and Azure resources use Azure Private Link. For pricing, see Azure Private Link pricing.

  • FQDN outbound rules—Azure Firewall enforces these rules. If you use outbound FQDN rules, Azure Firewall charges appear on your bill. The Standard version of Azure Firewall is used by default. To select the Basic version, see Select an Azure Firewall version. Azure Firewall is provisioned per hub.

    Important

    Azure Firewall isn't created until you add an outbound FQDN rule. If you don't use FQDN rules, you won't be charged for Azure Firewall. For pricing, see Azure Firewall pricing.