You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/search/search-security-overview.md
+5-11Lines changed: 5 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -31,17 +31,17 @@ Azure AI Search has three basic network traffic patterns:
31
31
32
32
Inbound requests that target a search service endpoint include:
33
33
34
-
+ Create or manage objects on the search service (indexes, indexers, data sources, skillsets, synonym maps)
35
-
+ Trigger indexer or skillset execution
36
-
+ Load an index
34
+
+ Create, read, update or delete objects on the search service
35
+
+ Load an index with search documents
37
36
+ Query an index
37
+
+ Trigger indexer or skillset execution
38
38
39
-
You can review the [REST APIs](/rest/api/searchservice/)to understand the full range of inbound requests that are handled by a search service.
39
+
The [REST APIs](/rest/api/searchservice/)describe the full range of inbound requests that are handled by a search service.
40
40
41
41
At a minimum, all inbound requests must be authenticated using either of these options:
42
42
43
43
+ Key-based authentication (default). Inbound requests provide a valid API key.
44
-
+ Role-based access control. Microsoft Entra identities and role assignments authorize access.
44
+
+ Role-based access control. Microsoft Entra identities and role assignments on your Azure AI Search service authorize access.
45
45
46
46
Additionally, you can add [network security features](#service-access-and-authentication) to further restrict access to the endpoint. You can create either inbound rules in an IP firewall, or create private endpoints that fully shield your search service from the public internet.
47
47
@@ -59,12 +59,6 @@ The following list is a full enumeration of the outbound requests that can be ma
59
59
| Indexers and [integrated vectorization](vector-search-integrated-vectorization.md)| Connect to Azure OpenAI and a deployed embedding model, or it goes through a custom skill to connect to an embedding model that you provide. The search service sends text to embedding models for vectorization during indexing or query execution. |
60
60
| Search service | Connect to Azure Key Vault for customer-managed keys, used to encrypt and decrypt sensitive data. |
61
61
62
-
<!-- + Indexers connect to external data sources. For more information, see [Indexer access to content protected by Azure network security](search-indexer-securing-resources.md).
63
-
+ Indexers write to Azure Storage when creating knowledge stores, persisting cached enrichments, and persisting debug sessions.
64
-
+ Custom skills connect to an external Azure function or app to run external code that's hosted off-service. The request for external processing is sent during skillset execution.
65
-
+ During [integrated vectorization](vector-search-integrated-vectorization.md), the search service connects to Azure OpenAI and a deployed embedding model, or it goes through a custom skill to connect to an embedding model that you provide. The search service sends text to embedding models for vectorization during indexing or query execution.
66
-
+ Search services connect to Azure Key Vault for customer-managed keys, used to encrypt and decrypt sensitive data. -->
67
-
68
62
Outbound connections can be made using a resource's full access connection string that includes a key or a database login, or [a managed identity](search-howto-managed-identities-data-sources.md) if you're using Microsoft Entra ID and role-based access.
69
63
70
64
For Azure resources behind a firewall, [create inbound rules that admit search service requests](search-indexer-howto-access-ip-restricted.md).
0 commit comments