Merge pull request #4431 from MicrosoftDocs/main

4/30/2025 AM Publish

Author: Taojunshen

articles/ai-foundry/how-to/configure-private-link.md

@@ -6,7 +6,7 @@ manager: scottpolly
 ms.service: azure-ai-foundry
 ms.custom: ignite-2023, devx-track-azurecli, build-2024, ignite-2024
 ms.topic: how-to
-ms.date: 01/15/2025
+ms.date: 04/30/2025
 ms.reviewer: meerakurup
 ms.author: larryfr
 author: Blackmist
@@ -252,8 +252,85 @@ az extension add --name ml
 
 :::zone-end
 
+## Enable Public Access only from internet IP ranges (preview)
+
+You can use IP network rules to allow access to your secured hub from specific public internet IP address ranges by creating IP network rules. Each Azure AI Foundry hub supports up to 200 rules. These rules grant access to specific internet-based services and on-premises networks and block general internet traffic. This feature is currently in preview.
+
+> [!WARNING]
+> * Enable your endpoint's public network access flag if you want to allow access to your endpoint from specific public internet IP address ranges.
+> * You can only use IPv4 addresses.
+> * If the workspace goes from __Enable from selected IPs__ to __Disabled__ or __Enabled__, the IP ranges will be reset.
+
+# [Portal](#tab/azure-portal)
+
+1. From the [Azure portal](https://portal.azure.com), select your Azure Machine AI Foundry hub.
+1. From the left side of the page, select __Networking__ and then select the __Public access__ tab.
+1. Select __Enabled from selected IP addresses__, input address ranges and then select __Save__.
+
+<!-- :::image type="content" source="./media/how-to-configure-private-link/workspace-public-access-ip-ranges.png" alt-text="Screenshot of the UI to enable access from internet IP ranges."::: -->
+
+# [Azure CLI](#tab/cli)
+
+Use the `az ml workspace update` Azure CLI command to manage public access from an IP address or address range:
+
+> [!TIP]
+> The configurations for the selected IP addresses are stored in the hub's properties, under `network_acls`:
+> ```yml
+> name: sample_hub
+> location: centraluseuap
+> display_name: sample hub
+> description: desc
+> public_network_access: enabled
+> network_acls:
+>     ip_rules:
+>         value: "X.X.X.X/X"
+>         value: "X.X.X.X"
+>     default_action: Deny
+> ```
+ 
+1. Disabled:
+`az ml workspace update -n test-ws -g test-rg --public-network-access Disabled`
+1. Enabled from selected IP addresses: 
+`az ml workspace update -n test-ws -g test-rg --public-network-access Enabled --network-acls "167.220.238.199/32,167.220.238.194/32" `
+1. Enabled from all networks: 
+`az ml workspace update -n test-ws -g test-rg --public-network-access Enabled --network-acls none`
+
 ---
 
+You can also use the [Workspace](/python/api/azure-ai-ml/azure.ai.ml.entities.workspace) class from the Azure Machine Learning [Python SDK](/python/api/azure-ai-ml/azure.ai.ml.entities.networkacls) to define which IP addresses are allowed inbound access:
+
+```python
+class Workspace(Resource):
+    """Azure ML workspace.
+    :param public_network_access: Whether to allow public endpoint connectivity
+        when a workspace is private link enabled.
+    :type public_network_access: str
+    :param network_acls: The network access control list (ACL) settings of the workspace.
+    :type network_acls: ~azure.ai.ml.entities.NetworkAcls
+ 
+    def __init__(
+        self,
+        *,
+        public_network_access: Optional[str] = None,
+        network_acls: Optional[NetworkAcls] = None,
+```
+
+### Restrictions for IP network rules
+
+The following restrictions apply to IP address ranges:
+
+- IP network rules are allowed only for _public internet_ IP addresses.
+
+  [Reserved IP address ranges](https://en.wikipedia.org/wiki/Reserved_IP_addresses) aren't allowed in IP rules such as private addresses that start with 10, 172.16 to 172.31, and 192.168.
+
+- You must provide allowed internet address ranges by using [CIDR notation](https://tools.ietf.org/html/rfc4632) in the form 16.17.18.0/24 or as individual IP addresses like 16.17.18.19.
+
+- Only IPv4 addresses are supported for configuration of storage firewall rules.
+
+- When this feature is enabled, you can test public endpoints using any client tool such as Curl, but the Endpoint Test tool in the portal isn't supported.
+
+- You can only set the IP addresses for the AI Foundry hub after the hub has been created.
+
 ## Private storage configuration
 
 If your storage account is private (uses a private endpoint to communicate with your project), you perform the following steps:

articles/ai-foundry/how-to/troubleshoot-secure-connection-project.md

@@ -7,7 +7,7 @@ ms.service: azure-ai-foundry
 ms.custom:
   - build-2024
 ms.topic: how-to
-ms.date: 02/21/2025
+ms.date: 04/30/2025
 ms.reviewer: meerakurup
 ms.author: larryfr
 author: Blackmist
@@ -17,9 +17,23 @@ author: Blackmist
 
 When connecting to an [Azure AI Foundry](https://ai.azure.com) project configured with a private endpoint, you might encounter a 403 or a messaging saying that access is forbidden. Use the information in this article to check for common configuration problems that can cause this error.
 
-## Securely connect to your project
+## Error loading Azure AI Hub or Project
 
-To connect to a project secured behind a virtual network, use one of the following methods:
+If you recieved an error loading your Azure AI hub or project, there may be one of two causes. 
+
+1) You set public network access to __Disabled__ on your hub.
+2) You set public network access to __Enable from selected IPs__ on your hub.
+
+Depending on which setting you have selected for Public access to your Azure AI hub and projects, ensure the following: 
+
+| Public Network Access Setting | Action |
+| ----- | ----- |
+| Disabled | Ensure an inbound private endpoint is created and approved from your virtual network to your Azure AI Foundry hub. Ensure you are securely connection to your hub or project using an Azure VPN, ExpressRoute, or Azure Bastion. |
+| Enable from selected IPs | Ensure your IP address is listed in the Firewall IP ranges allowed access Azure AI Foundry. If you cannot add your IP address, talk to your IT admin. |
+
+## Securely connect to your hub or project
+
+To connect to a hub or project secured behind a virtual network, use one of the following methods:
 
 * [Azure VPN gateway](/azure/vpn-gateway/vpn-gateway-about-vpngateways) - Connects on-premises networks to the virtual network over a private connection. Connection is made over the public internet. There are two types of VPN gateways that you might use:
 

articles/ai-services/agents/overview.md

@@ -81,10 +81,10 @@ At Microsoft, we're committed to the advancement of AI driven by principles that
 
 ## Get started with Azure AI Agent Service
 
-To get started with Azure AI Agent Service, you need to create an Azure AI Foundry hub and an Agent project in your Azure subscription. 
+To get started with Azure AI Agent Service, you need to create an Azure AI Foundry project in your Azure subscription. 
 
 Start with the [quickstart](./quickstart.md) guide if it's your first time using the service.
-1. You can create a AI hub and project with the required resources. 
+1. You can create a project with the required resources. 
 1. After you create a project, you can deploy a compatible model such as GPT-4o.
 1. When you have a deployed model, you can also start making API calls to the service using the SDKs.
 

articles/ai-services/computer-vision/quickstarts-sdk/client-library.md

@@ -36,7 +36,7 @@ Get started with the Azure AI Vision Read REST API or client libraries. The Read
 
 ::: zone pivot="programming-language-javascript"
 
-[!INCLUDE [NodeJS SDK quickstart](../includes/quickstarts-sdk/node-sdk.md)]
+[!INCLUDE [Node.js SDK quickstart](../includes/quickstarts-sdk/node-sdk.md)]
 
 ::: zone-end
 

articles/ai-services/computer-vision/quickstarts-sdk/image-analysis-client-library.md

@@ -40,7 +40,7 @@ This article explains how to set up a basic image tagging script by using the Im
 
 ::: zone pivot="programming-language-javascript"
 
-[!INCLUDE [NodeJS SDK quickstart](../includes/quickstarts-sdk/image-analysis-node-sdk.md)]
+[!INCLUDE [Node.js SDK quickstart](../includes/quickstarts-sdk/image-analysis-node-sdk.md)]
 
 ::: zone-end
 

articles/ai-services/content-understanding/media/quickstarts/foundry-architecture.png

@@ -22,21 +22,17 @@ To get started, make sure you have the following resources and permissions:
 
 * An Azure subscription. If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
 
-* An Azure AI Foundry hub is required to manage the resources provisioned in your Content Understanding project, and it must be created in one of the following supported regions: westus, swedencentral, or australiaeast. If you're creating a hub for the first time, *see* [How to create and manage an Azure AI Foundry hub](../../../ai-foundry/how-to/create-azure-ai-resource.md?tabs=portal) to learn more. It's important to note you need the proper permissions to create a hub, or your admin may create one for you.
-
-  * If your role is **Contributor** or **Owner**, you can proceed with creating your own hub.
-
-  * If your role is **Azure AI Developer**, the hub must already be created before you can complete this quickstart. Your user role must be **Azure AI Developer**, **Contributor**, or **Owner** on the hub. For more information, see [hubs](../../../ai-foundry/concepts/ai-resources.md) and [Azure AI roles](../../../ai-foundry/concepts/rbac-azure-ai-foundry.md).
+* An Azure AI Foundry project created in one of the following supported regions: westus, swedencentral, or australiaeast. If you're creating a project for the first time, *see* [How to create an Azure AI Foundry project](../../../ai-foundry/how-to/create-projects.md) to learn more. It's important to note you need the proper permissions to create a project, or your admin may create one for you.
 
 > [!IMPORTANT]
-> If your organization requires you to customize the security of storage resources, the AI Foundry doesn't currently expose all the features that can be configured. Refer to [Azure AI services API access keys](../../../ai-foundry/concepts/encryption-keys-portal.md) to create resources that meet your organizations requirements through the Azure portal. Policy enforced in Azure on the hub scope applies to all projects managed under it. To learn how to utilize customer managed keys, refer to [(Preview) Service-side storage of encrypted data when using customer-managed keys](../../../ai-foundry/concepts/encryption-keys-portal.md#preview-service-side-storage-of-encrypted-data-when-using-customer-managed-keys). Return here when you have resources created.
+> If your organization requires you to customize the security of storage resources, refer to [Azure AI services API access keys](../../../ai-foundry/concepts/encryption-keys-portal.md) to create resources that meet your organizations requirements through the Azure portal. To learn how to utilize customer managed keys, refer to [(Preview) Service-side storage of encrypted data when using customer-managed keys](../../../ai-foundry/concepts/encryption-keys-portal.md#preview-service-side-storage-of-encrypted-data-when-using-customer-managed-keys). 
 
-## Create your first Content Understanding project in the AI Foundry
+## Create your first Content Understanding project in the AI Foundry portal
 
 > [!NOTE]
-> The Content Understanding project type is separate from the Generative AI project type, also available in the AI Foundry.
+> The Content Understanding project type is separate from the Generative AI project type, also available in the AI Foundry portal.
 
-In order to try out [the Content Understanding service in the AI Foundry](https://aka.ms/cu-landing), you have to create a Content Understanding project. You can access Content Understanding from:
+In order to try out [the Content Understanding service in the AI Foundry portal](https://aka.ms/cu-landing), you have to create a Content Understanding project. You can access Content Understanding from:
 
 * The [AI Foundry home page](https://ai.azure.com/)
 
@@ -51,13 +47,9 @@ Once on the Content Understanding page, select `Create a new Content Understandi
 
    :::image type="content" source="../media/quickstarts/cu-landing-page.png" lightbox="../media/quickstarts/cu-landing-page.png" alt-text="Screenshot of Content Understanding page.":::
 
- Follow the steps in the project creation wizard, and start by selecting the hub that you already created. When the hub was created, it should provision an AI Services resource and a blob storage container which are selected by default. You can alternatively create one using the wizard, or the [Azure portal](../how-to/create-multi-service-resource.md). The following diagram illustrates the role of hubs, resources, and projects in the AI Foundry.
-
-   :::image type="content" source="../media/quickstarts/foundry-architecture.png" alt-text="Diagram of hub, project, and resource architecture.":::
-
- Once you complete the setup steps, select `Create project`.
+Follow the steps in the project creation wizard. Once you complete the setup steps, select `Create project`.
 
- ## Sharing your content understanding project
+## Sharing your content understanding project
 
 In order to share and manage access to the Content Understanding project you created, navigate to the Management Center, found at the bottom of the navigation for your project:
 

articles/ai-services/content-understanding/quickstart/use-ai-foundry.md

@@ -94,12 +94,12 @@ Choose from the following Document Intelligence models and analyze and extract d
 ::: zone pivot="programming-language-javascript"
 
 ::: moniker range="doc-intel-4.0.0"
-[!INCLUDE [NodeJS SDK quickstart](includes/v4-0/javascript-sdk.md)]
+[!INCLUDE [Node.js SDK quickstart](includes/v4-0/javascript-sdk.md)]
 ::: moniker-end
 
 ::: moniker range="doc-intel-3.1.0 || doc-intel-3.0.0"
 
-[!INCLUDE [NodeJS SDK quickstart](includes/v3-0/javascript-sdk.md)]
+[!INCLUDE [Node.js SDK quickstart](includes/v3-0/javascript-sdk.md)]
 ::: moniker-end
 
 ::: zone-end
@@ -176,7 +176,7 @@ You use the following APIs to extract structured data from forms and documents:
 ::: zone pivot="programming-language-javascript"
 
 ::: moniker range="doc-intel-2.1.0"
-[!INCLUDE [NodeJS SDK quickstart](includes/v2-1/javascript-sdk.md)]
+[!INCLUDE [Node.js SDK quickstart](includes/v2-1/javascript-sdk.md)]
 ::: moniker-end
 
 ::: zone-end

articles/ai-services/document-intelligence/how-to-guides/use-sdk-rest-api.md

@@ -76,7 +76,7 @@ To learn more about the API features and development options, visit our [Overvie
 ::: zone pivot="programming-language-javascript"
 
 ::: moniker range="doc-intel-4.0.0 || doc-intel-3.1.0 || doc-intel-3.0.0"
-[!INCLUDE [NodeJS SDK](includes/javascript-sdk.md)]
+[!INCLUDE [Node.js SDK](includes/javascript-sdk.md)]
 ::: moniker-end
 
 ::: zone-end
@@ -150,7 +150,7 @@ To learn more about Document Intelligence features and development options, visi
 ::: zone pivot="programming-language-javascript"
 
 ::: moniker range="doc-intel-2.1.0"
-[!INCLUDE [NodeJS SDK](includes/v2-1/javascript.md)]
+[!INCLUDE [Node.js SDK](includes/v2-1/javascript.md)]
 ::: moniker-end
 
 ::: zone-end

articles/ai-services/document-intelligence/quickstarts/get-started-sdks-rest-api.md

@@ -27,7 +27,7 @@ In this tutorial, you learn how to:
 
 * An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/ai-services).
 * A single Immersive Reader resource configured for Microsoft Entra authentication. Follow [these instructions](how-to-create-immersive-reader.md) to get set up.
-* A [NodeJS web app](quickstarts/client-libraries.md?pivots=programming-language-nodejs) that launches Immersive Reader.
+* A [Node.js web app](quickstarts/client-libraries.md?pivots=programming-language-nodejs) that launches Immersive Reader.
 
 ## Create multiple resources