diff --git a/infra/core/networking/private-endpoint.bicep b/infra/core/networking/private-endpoint.bicep
index 07178d6675..8bce328aa2 100644
--- a/infra/core/networking/private-endpoint.bicep
+++ b/infra/core/networking/private-endpoint.bicep
@@ -47,7 +47,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-02-01' = {
     properties: {
       privateDnsZoneConfigs: !empty(dnsZoneId) ? [
         {
-          name: 'config1'
+          name: 'config-${name}-${dnsZoneId}'
           properties: {
             privateDnsZoneId: dnsZoneId
           }
diff --git a/infra/main.bicep b/infra/main.bicep
index 146ba32ff4..91af1d8420 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -1212,8 +1212,9 @@ var cognitiveServicesPrivateEndpointConnection = (usePrivateEndpoint && (!useLoc
       {
         groupId: 'account'
         dnsZoneName: 'privatelink.cognitiveservices.azure.com'
+        // Only include generic Cognitive Services-based resources (Form Recognizer / Vision / Content Understanding)
+        // Azure OpenAI uses its own privatelink.openai.azure.com zone and already has a separate private endpoint above.
         resourceIds: concat(
-          [openAi.outputs.resourceId],
           !useLocalPdfParser ? [documentIntelligence.outputs.resourceId] : [],
           useMultimodal ? [vision.outputs.resourceId] : [],
           useMediaDescriberAzureCU ? [contentUnderstanding.outputs.resourceId] : []
diff --git a/infra/private-endpoints.bicep b/infra/private-endpoints.bicep
index 9037fcd274..16289e4a5e 100644
--- a/infra/private-endpoints.bicep
+++ b/infra/private-endpoints.bicep
@@ -52,8 +52,9 @@ var privateEndpointInfo = [
     resourceId: resourceId
   })
 ]
-module privateEndpoints './core/networking/private-endpoint.bicep' = [for privateEndpointInfo in flatten(privateEndpointInfo): {
-  name: '${privateEndpointInfo.name}-privateendpoint'
+
+module privateEndpoints './core/networking/private-endpoint.bicep' = [for (privateEndpointInfo, i) in flatten(privateEndpointInfo): {
+  name: '${privateEndpointInfo.name}-${i}-privateendpoint'
   params: {
     location: location
     name: '${privateEndpointInfo.name}${abbrs.privateEndpoint}${resourceToken}'
@@ -82,6 +83,7 @@ module monitorDnsZones './core/networking/private-dns-zones.bicep' = [for monito
     virtualNetworkName: vnetName
   }
 }]
+
 // Get blob DNS zone index for monitor private link
 var blobEndpointInfo = filter(flatten(privateEndpointInfo), info => info.groupId == 'blob')
 // Assert that blob endpoints exist (required for this application)