Commit 3625916

Merge pull request #17 from Blackmist/245675-data-aoai-sec
secure playground chat
2 parents be9e217 + f0b4c13 commit 3625916

15 files changed

+227
-18
lines changed

articles/ai-studio/how-to/configure-managed-network.md

Lines changed: 1 addition & 18 deletions
@@ -24,7 +24,6 @@ We have two network isolation aspects. One is the network isolation to access an
2424
You need to configure following network isolation configurations.
2525

2626
- Choose network isolation mode. You have two options: allow internet outbound mode or allow only approved outbound mode.
27-
- Create private endpoint outbound rules to your private Azure resources. Private Azure AI Search isn't supported yet.
2827
- If you use Visual Studio Code integration with allow only approved outbound mode, create FQDN outbound rules described in the [use Visual Studio Code](#scenario-use-visual-studio-code) section.
2928
- If you use HuggingFace models in Models with allow only approved outbound mode, create FQDN outbound rules described in the [use HuggingFace models](#scenario-use-huggingface-models) section.
3029
- If you use one of the open-source models with allow only approved outbound mode, create FQDN outbound rules described in the [curated by Azure AI](#scenario-curated-by-azure-ai) section.
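Review bot: the deletion at old line 27 drops the whole step, not only the outdated caveat. "Create private endpoint outbound rules to your private Azure resources." still reads as a configuration step the reader needs (the footnote list further down keeps "Always use private endpoints to access Azure resources"), so I would keep that first sentence and remove only "Private Azure AI Search isn't supported yet."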
@@ -44,10 +43,6 @@ There are three different configuration modes for outbound traffic from the mana
4443
<sup>1</sup> You can use outbound rules with _allow only approved outbound_ mode to achieve the same result as using allow internet outbound. The differences are:
4544

4645
* Always use private endpoints to access Azure resources.
47-
48-
> [!IMPORTANT]
49-
> While you can create a private endpoint for Azure AI Search, the connected services must allow public networking. For more information, see [Connectivity to other services](#connectivity-to-other-services).
50-
5146
* You must add rules for each outbound connection you need to allow.
5247
* Adding FQDN outbound rules __increase your costs__ as this rule type uses Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
5348
* The default rules for _allow only approved outbound_ are designed to minimize the risk of data exfiltration. Any outbound rules you add might increase your risk.
@@ -151,15 +146,6 @@ Before following the steps in this article, make sure you have the following pre
151146
* FQDN outbound rules only support ports 80 and 443.
152147
* When using a compute instance with a managed network, use the `az ml compute connect-ssh` command to connect to the compute using SSH.
153148

154-
### Connectivity to other services
155-
156-
* Azure AI Search should be public with your provisioned private Azure AI Studio hub.
157-
* The "Add your data" feature in the Azure AI Studio playground doesn't support using a virtual network or private endpoint on the following resources:
158-
* Azure AI Search
159-
* Azure OpenAI
160-
* Storage resource
161-
162-
163149
## Configure a managed virtual network to allow internet outbound
164150

165151
> [!TIP]
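Review bot: removing the "### Connectivity to other services" heading at old line 154 also removes the `#connectivity-to-other-services` anchor. The two links to it that are visible in this diff (old lines 49 and 847) go away in the same commit, but please search the rest of this file and the other changed articles for remaining references. This section was also where readers learned that "Add your data" did not work with a private Azure AI Search, Azure OpenAI, or Storage resource, so consider leaving a one-line pointer here to the new secure-data-playground.md article instead of deleting it without a replacement.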
@@ -808,7 +794,7 @@ If you plan to use __HuggingFace models__ with the hub, add outbound _FQDN_ rule
808794

809795
### Scenario: Curated by Azure AI
810796

811-
These models involve dynamic installation of dependencies at runtime, and reequire outbound _FQDN_ rules to allow traffic to the following hosts:
797+
These models involve dynamic installation of dependencies at runtime, and require outbound _FQDN_ rules to allow traffic to the following hosts:
812798

813799
*.anaconda.org
814800
*.anaconda.com
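Review bot: the sentence at new line 797 introduces wildcard hosts (`*.anaconda.org`, `*.anaconda.com`) without repeating the caveat from line 53 of this file that any outbound rule you add might increase the risk of data exfiltration. A short cross-reference to that caveat in this scenario would help readers weigh it before allowing these hosts. Minor style point: the comma before "and require" can be dropped.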
@@ -843,9 +829,6 @@ Private endpoints are currently supported for the following Azure services:
843829
* Azure Storage (all sub resource types)
844830

845831

846-
> [!IMPORTANT]
847-
> While you can create a private endpoint for Azure AI services and Azure AI Search, the connected services must allow public networking. For more information, see [Connectivity to other services](#connectivity-to-other-services).
848-
849832
When you create a private endpoint, you provide the _resource type_ and _subresource_ that the endpoint connects to. Some resources have multiple types and subresources. For more information, see [what is a private endpoint](/azure/private-link/private-endpoint-overview).
850833

851834
When you create a private endpoint for hub dependency resources, such as Azure Storage, Azure Container Registry, and Azure Key Vault, the resource can be in a different Azure subscription. However, the resource must be in the same tenant as the hub.
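Review bot: the note removed at old lines 846-847 covered Azure AI services as well as Azure AI Search, while the other removals in this file mention only Azure AI Search, Azure OpenAI, and Storage. Please confirm the public-networking requirement is lifted for Azure AI services too. If it is, stating that positively in this section would serve readers better than dropping the caveat with no replacement text.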

articles/ai-studio/how-to/secure-data-playground.md

Lines changed: 224 additions & 0 deletions
Large diffs are not rendered by default.