Note
The information in this article is specific to a hub-based project and doesn't apply to an Azure AI Foundry project. See How do I know which type of project I have? and Create a hub-based project.
When you create a project in Azure AI Foundry, secure it with a private endpoint. A private endpoint lets you connect to the project over a private network and protects your data and resources. If you're having trouble connecting to a project that uses a private endpoint, this article lists steps to help you fix the issue.
When you connect to an Azure AI Foundry project that's set up with a private endpoint, you might see an HTTP 403 error or a message that says access is forbidden. Use this article to check for common configuration issues that cause this error.
Error loading Azure AI Foundry hub or project
If you get an error when loading your Azure AI Foundry hub or project, the cause is usually one of these two public network access settings:
- Your hub has public network access set to Disabled.
- Your hub has public network access set to Enable from selected IPs.
Depending on the public network access setting for your Azure AI Foundry hub or project, take the matching action:
| Public network access setting | Action |
|---|---|
| Disabled | Create and approve an inbound private endpoint from your virtual network to your Azure AI Foundry hub. Connect securely to your hub or project using Azure VPN, ExpressRoute, or Azure Bastion. |
| Enable from selected IPs | Make sure your IP address is listed in the Firewall IP ranges allowed to access Azure AI Foundry. If you can't add your IP address, contact your IT admin. |
Securely connect to your hub or project
To connect to a hub or project secured by a virtual network, use one of these methods:
Azure VPN Gateway: Connect on-premises networks to the virtual network over a private connection that's made over the public internet. Choose from two VPN gateway types:
- Point-to-site: Each client computer uses a VPN client to connect to the virtual network.
- Site-to-site: A VPN device connects the virtual network to your on-premises network.
ExpressRoute: Connect on-premises networks to Azure over a private connection through a connectivity provider.
Azure Bastion: Create an Azure virtual machine (a jump box) in the virtual network, then connect to it through Azure Bastion using RDP or SSH from your browser. Use the VM as your development environment. Because it's in the virtual network, it can access the workspace directly.
DNS configuration
Troubleshooting steps differ based on whether you use Azure DNS or a custom DNS. Follow these steps to see which one you're using:
In the Azure portal, select the private endpoint resource for your Azure AI Foundry. If you don't remember the name, select your Azure AI Foundry resource, Networking, Private endpoint connections, and then select the Private endpoint link.
From the Overview page, select the Network Interface link.
Under Settings, select IP Configurations and then select the Virtual network link.
In Settings, select DNS servers.
- If this value is Default (Azure-provided), then the virtual network is using Azure DNS. Skip to the Azure DNS troubleshooting section.
- If there's a different IP address listed, then the virtual network is using a custom DNS solution. Skip to the Custom DNS troubleshooting section.
Custom DNS troubleshooting
Follow these steps to check whether your custom DNS solution resolves names to IP addresses:
On a VM, laptop, desktop, or other compute resource that connects to the private endpoint, open a web browser. In the browser, go to the URL for your Azure region:
| Azure region | URL |
|---|---|
| Azure Government | https://portal.azure.us/?feature.privateendpointmanagedns=false |
| Microsoft Azure operated by 21Vianet | https://portal.azure.cn/?feature.privateendpointmanagedns=false |
| All other regions | https://portal.azure.com/?feature.privateendpointmanagedns=false |
In the portal, select the private endpoint for the project. From the DNS configuration section, list the FQDNs for the private endpoint.
Open a command prompt, PowerShell, or other command line and run the following command for each FQDN returned from the previous step. Each time you run the command, verify that the IP address returned matches the IP address listed in the portal for the FQDN:
In the following command, replace the placeholder text <fqdn> with an FQDN from your list:

```
nslookup <fqdn>
```

For example:

```
nslookup df33e049-7c88-4953-8939-aae374adbef9.workspace.eastus2.api.azureml.ms
```

Example output:

```
Server: yourdnsserver
Address: yourdnsserver-IP-address

Name: df33e049-7c88-4953-8939-aae374adbef9.workspace.eastus2.api.azureml.ms
Address: 10.0.0.4
```

- If the nslookup command returns an error or a different IP address than the portal shows, your custom DNS solution isn't configured correctly.
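The comparison described above, as an added script that is not part of the original article: it reads a file of FQDN and expected-IP pairs copied from the private endpoint's DNS configuration blade (a constructed input format), resolves each FQDN with nslookup through whatever DNS server the machine actually uses, and distinguishes a missing answer from a stale private record and from a public address, which is the signature of the private DNS zone not being consulted at all.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn page): verify that each private
# endpoint FQDN resolves, through the DNS server this machine actually uses,
# to the private IP the portal lists. Input file (constructed format): one
# "<fqdn> <expected-ip>" pair per line, copied from the DNS configuration blade.

# 0 if RFC 1918 (10/8, 172.16/12, 192.168/16). A private endpoint NIC always
# has a VNet address, so a public answer means public DNS answered instead
# of the private zone.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the answer address from nslookup output on stdin. The first
# Server:/Address: pair is the resolver itself, so only accept an Address
# line that follows the Name: line.
parse_nslookup() {
  awk '/^Name:/ {seen=1} seen && /^Address/ {print $NF; exit}'
}

# Verdict for one FQDN: 0 = matches the portal, 1 = no answer or wrong
# private address, 2 = resolved to a public address.
classify_result() {
  fqdn=$1 expected=$2 actual=$3
  if [ -z "$actual" ]; then
    echo "FAIL  $fqdn: no answer (DNS server or private zone link missing)"
    return 1
  elif [ "$actual" = "$expected" ]; then
    echo "OK    $fqdn -> $actual"
    return 0
  elif is_private_ip "$actual"; then
    echo "FAIL  $fqdn -> $actual but portal shows $expected (stale record?)"
    return 1
  fi
  echo "FAIL  $fqdn -> $actual is public; private DNS zone not in use"
  return 2
}

# Check every pair in the file; exit non-zero if any FQDN fails.
check_all() {
  rc=0
  while read -r fqdn expected; do
    case "$fqdn" in ''|'#'*) continue ;; esac
    classify_result "$fqdn" "$expected" "$(nslookup "$fqdn" 2>/dev/null | parse_nslookup)" || rc=1
  done < "$1"
  return "$rc"
}

# Usage: sh check_pe_dns.sh fqdn-list.txt
if [ -n "${1:-}" ]; then check_all "$1"; fi
```

Run it from the same VM or laptop you use to reach the private endpoint, since the result depends on that machine's DNS server, not on the portal.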
Azure DNS troubleshooting
When you use Azure DNS for name resolution, follow these steps to check that Private DNS integration is configured correctly:
On the private endpoint, select DNS configuration.
If there's a Private DNS zone entry, but no DNS zone group entry, delete and recreate the Private Endpoint. When recreating the private endpoint, enable Private DNS zone integration.
If DNS zone group isn't empty, select the link for the Private DNS zone entry.
From the Private DNS zone, select Virtual network links. There should be a link to the virtual network. If there isn't one, then delete and recreate the private endpoint. When recreating it, select a Private DNS zone linked to the virtual network, or create a new one and link it.
Repeat the previous steps for the rest of the Private DNS zone entries.
Browser configuration (DNS over HTTPS)
Check if DNS over HTTPS is enabled in your web browser. DNS over HTTPS can prevent Azure DNS from responding with the IP address of the private endpoint.
- Mozilla Firefox: See Disable DNS over HTTPS in Firefox.
- Microsoft Edge:
Proxy configuration
If you're using a proxy, it might block access to a secured project. To test, try one of these options:
- Temporarily disable the proxy setting, and then try to connect.
- Create a Proxy auto-config (PAC) file that allows direct access to the fully qualified domain names (FQDNs) listed on the private endpoint, and to the FQDN for any compute instances.
- Set up your proxy server to forward DNS requests to Azure DNS.
- Make sure the proxy allows connections to Azure Machine Learning (AML) APIs, such as *.<region>.api.azureml.ms and *.instances.azureml.ms.
Troubleshoot storage connection issues
When you create a project, several connections to Azure Storage are created for data upload and artifact storage, including prompt flow. If your hub's associated Azure Storage account has public network access set to Disabled, these storage connections can take longer to create.
Try these steps to troubleshoot:
- In the Azure portal, check the network settings of the storage account that's associated with your hub.
- If public network access is set to Enabled from selected virtual networks and IP addresses, make sure the correct IP address ranges are added to allow access to your storage account.
- If public network access is set to Disabled, make sure a private endpoint from your Azure virtual network to your storage account is configured with Target sub-resource set to blob. Also, grant the Reader role for the storage account private endpoint to the managed identity.
- In the Azure portal, go to your Azure AI Foundry hub. Make sure the managed virtual network is provisioned and the outbound private endpoint to blob storage is Active. Learn more in How to configure a managed network for Azure AI Foundry hubs.
- Go to Azure AI Foundry > your project > project settings.
- Refresh the page. Several connections appear, including workspaceblobstore.