feat: Disable private networking for OpenAI with integrated vectorization support

Author: Pavan-Microsoft

infra/main.bicep

@@ -842,6 +842,8 @@ var openAiDeployments = concat(
     : []
 )
 
+// Keep private networking disabled for OpenAI when using integrated vectorization in Azure Cognitive Search, as indexer requires it.
+var enablePrivateNetworkingForOpenAI = enablePrivateNetworking && azureSearchUseIntegratedVectorization == false
 module openai 'modules/core/ai/cognitiveservices.bicep' = {
   name: azureOpenAIResourceName
   scope: resourceGroup()
@@ -858,13 +860,13 @@ module openai 'modules/core/ai/cognitiveservices.bicep' = {
       '${storageAccountName}.blob.${environment().suffixes.storage}'
       '${storageAccountName}.queue.${environment().suffixes.storage}'
     ]
-    enablePrivateNetworking: enablePrivateNetworking
-    subnetResourceId: enablePrivateNetworking ? network!.outputs.subnetPrivateEndpointsResourceId : null
+    enablePrivateNetworking: enablePrivateNetworkingForOpenAI
+    subnetResourceId: enablePrivateNetworkingForOpenAI ? network!.outputs.subnetPrivateEndpointsResourceId : null
 
     logAnalyticsWorkspaceId: enableMonitoring ? monitoring!.outputs.logAnalyticsWorkspaceId : null
 
     // align with AVM conventions
-    privateDnsZoneResourceId: enablePrivateNetworking ? avmPrivateDnsZones[dnsZoneIndex.openAI]!.outputs.resourceId : ''
+    privateDnsZoneResourceId: enablePrivateNetworkingForOpenAI ? avmPrivateDnsZones[dnsZoneIndex.openAI]!.outputs.resourceId : ''
     roleAssignments: concat([
       {
         roleDefinitionIdOrName: 'a97b65f3-24c7-4388-baec-2e87135dc908' //Cognitive Services User
@@ -890,7 +892,7 @@ module openai 'modules/core/ai/cognitiveservices.bicep' = {
       }
     ] : [])
   }
-  dependsOn: enablePrivateNetworking ? avmPrivateDnsZones : []
+  dependsOn: enablePrivateNetworkingForOpenAI ? avmPrivateDnsZones : []
 }
 
 module computerVision 'modules/core/ai/cognitiveservices.bicep' = if (useAdvancedImageProcessing) {

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.37.4.10188",
-      "templateHash": "16084976593064189931"
+      "templateHash": "3641818015648077245"
     }
   },
   "parameters": {
@@ -699,6 +699,7 @@
       }
     ],
     "openAiDeployments": "[concat(variables('defaultOpenAiDeployments'), if(parameters('useAdvancedImageProcessing'), createArray(createObject('name', parameters('azureOpenAIVisionModel'), 'model', createObject('format', 'OpenAI', 'name', parameters('azureOpenAIVisionModelName'), 'version', parameters('azureOpenAIVisionModelVersion')), 'sku', createObject('name', 'GlobalStandard', 'capacity', parameters('azureOpenAIVisionModelCapacity')))), createArray()))]",
+    "enablePrivateNetworkingForOpenAI": "[and(parameters('enablePrivateNetworking'), equals(parameters('azureSearchUseIntegratedVectorization'), false()))]",
     "webServerFarmResourceName": "[variables('hostingPlanName')]",
     "azureOpenAIModelInfo": "[string(createObject('model', parameters('azureOpenAIModel'), 'model_name', parameters('azureOpenAIModelName'), 'model_version', parameters('azureOpenAIModelVersion')))]",
     "azureOpenAIEmbeddingModelInfo": "[string(createObject('model', parameters('azureOpenAIEmbeddingModel'), 'model_name', parameters('azureOpenAIEmbeddingModelName'), 'model_version', parameters('azureOpenAIEmbeddingModelVersion')))]",
@@ -14292,11 +14293,11 @@
             ]
           },
           "enablePrivateNetworking": {
-            "value": "[parameters('enablePrivateNetworking')]"
+            "value": "[variables('enablePrivateNetworkingForOpenAI')]"
           },
-          "subnetResourceId": "[if(parameters('enablePrivateNetworking'), createObject('value', reference('network').outputs.subnetPrivateEndpointsResourceId.value), createObject('value', null()))]",
+          "subnetResourceId": "[if(variables('enablePrivateNetworkingForOpenAI'), createObject('value', reference('network').outputs.subnetPrivateEndpointsResourceId.value), createObject('value', null()))]",
           "logAnalyticsWorkspaceId": "[if(parameters('enableMonitoring'), createObject('value', reference('monitoring').outputs.logAnalyticsWorkspaceId.value), createObject('value', null()))]",
-          "privateDnsZoneResourceId": "[if(parameters('enablePrivateNetworking'), createObject('value', reference(format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)).outputs.resourceId.value), createObject('value', ''))]",
+          "privateDnsZoneResourceId": "[if(variables('enablePrivateNetworkingForOpenAI'), createObject('value', reference(format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)).outputs.resourceId.value), createObject('value', ''))]",
           "roleAssignments": {
             "value": "[concat(createArray(createObject('roleDefinitionIdOrName', 'a97b65f3-24c7-4388-baec-2e87135dc908', 'principalId', reference('managedIdentityModule').outputs.principalId.value, 'principalType', 'ServicePrincipal'), createObject('roleDefinitionIdOrName', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd', 'principalId', reference('managedIdentityModule').outputs.principalId.value, 'principalType', 'ServicePrincipal')), if(not(empty(parameters('principalId'))), createArray(createObject('roleDefinitionIdOrName', 'a97b65f3-24c7-4388-baec-2e87135dc908', 'principalId', parameters('principalId'), 'principalType', 'User'), createObject('roleDefinitionIdOrName', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd', 'principalId', parameters('principalId'), 'principalType', 'User')), createArray()))]"
           }
@@ -48286,9 +48287,9 @@
         }
       },
       "dependsOn": [
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageFile)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
         "managedIdentityModule",
         "network"
       ]