Merge pull request #268523 from Blackmist/201294-secure-project

201294 secure project

Author: Stacyrch140

articles/ai-studio/concepts/architecture.md

@@ -110,5 +110,5 @@ For more information on price and quota, use the following articles:
 Create an AI hub using one of the following methods:
 
 - [Azure AI Studio](../how-to/create-azure-ai-resource.md#create-an-azure-ai-hub-resource-in-ai-studio): Create an AI hub for getting started.
-- [Azure portal](../how-to/create-azure-ai-resource.md#create-a-secure-azure-ai-hub-resource-in-the-azure-portal): Create an AI hub with your own networking, encryption, identity and access management, dependent resources, and resource tag settings.
+- [Azure portal](../how-to/create-secure-ai-hub.md): Create an AI hub with your own networking.
 - [Bicep template](../how-to/create-azure-ai-hub-template.md).

articles/ai-studio/how-to/create-azure-ai-resource.md

@@ -19,7 +19,7 @@ author: Blackmist
 
 As an administrator, you can create and manage Azure AI hub resources. Azure AI hub resources provide a hosting environment for the projects of a team, and help you as an IT admin centrally set up security settings and govern usage and spend. You can create and manage an Azure AI hub resource from the Azure portal or from the Azure AI Studio. 
 
-In this article, you learn how to create and manage an Azure AI hub resource in Azure AI Studio (for getting started) and from the Azure portal (for advanced security setup).
+In this article, you learn how to create and manage an Azure AI hub resource in Azure AI Studio (for getting started).
 
 ## Create an Azure AI hub resource in AI Studio
 
@@ -62,7 +62,7 @@ If your organization is using [Azure Policy](../../governance/policy/overview.md
 
     :::image type="content" source="../media/how-to/resource-create-resources.png" alt-text="Screenshot of the Create an Azure AI hub resource with the option to set resource information." lightbox="../media/how-to/resource-create-resources.png"::: 
 
-1. Set up Network isolation. Read more on [network isolation](configure-managed-network.md).
+1. Set up Network isolation. Read more on [network isolation](configure-managed-network.md). For a walkthrough of creating a secure Azure AI hub resource, see [Create a secure Azure AI hub resource](create-secure-ai-hub.md).
 
     :::image type="content" source="../media/how-to/resource-create-networking.png" alt-text="Screenshot of the Create an Azure AI hub resource with the option to set network isolation information." lightbox="../media/how-to/resource-create-networking.png":::  
 
@@ -82,7 +82,6 @@ If your organization is using [Azure Policy](../../governance/policy/overview.md
 
 1. Select **Review + create**
 
-
 ## Manage your Azure AI hub resource from the Azure portal
 
 ### Azure AI hub resource keys
@@ -111,11 +110,11 @@ To add grant users permissions:
 ### Networking
 Azure AI hub resource networking settings can be set during resource creation or changed in the **Networking** tab in the Azure portal view. Creating a new Azure AI hub resource invokes a Managed Virtual Network. This streamlines and automates your network isolation configuration with a built-in Managed Virtual Network. The Managed Virtual Network settings are applied to all projects created within an Azure AI hub resource. 
 
-At Azure AI hub resource creation, select between the networking isolation modes: **Public**, **Private with Internet Outbound**, and **Private with Approved Outbound**. To secure your resource, select either **Private with Internet Outbound** or Private with Approved Outbound for your networking needs. For the private isolation modes, a private endpoint should be created for inbound access. Read more information on Network Isolation and Managed Virtual Network Isolation [here](../../machine-learning/how-to-managed-network.md). To create a secure Azure AI hub resource, follow the tutorial [here](../../machine-learning/tutorial-create-secure-workspace.md). 
+At Azure AI hub resource creation, select between the networking isolation modes: **Public**, **Private with Internet Outbound**, and **Private with Approved Outbound**. To secure your resource, select either **Private with Internet Outbound** or Private with Approved Outbound for your networking needs. For the private isolation modes, a private endpoint should be created for inbound access. For more information on network isolation, see [Managed virtual network isolation](configure-managed-network.md). To create a secure Azure AI hub resource, see [Create a secure Azure AI hub resource](create-secure-ai-hub.md). 
 
 At Azure AI hub resource creation in the Azure portal, creation of associated Azure AI services, Storage account, Key vault, Application insights, and Container registry is given. These resources are found on the Resources tab during creation. 
 
-To connect to Azure AI services (Azure OpenAI, Azure AI Search, and Azure AI Content Safety) or storage accounts in Azure AI Studio, create a private endpoint in your virtual network. Ensure the PNA (Public Network Access) flag is disabled when creating the private endpoint connection. For more about Azure AI services connections, follow documentation [here](../../ai-services/cognitive-services-virtual-networks.md). You can optionally bring your own (BYO) search, but this requires a private endpoint connection from your virtual network.
+To connect to Azure AI services (Azure OpenAI, Azure AI Search, and Azure AI Content Safety) or storage accounts in Azure AI Studio, create a private endpoint in your virtual network. Ensure the public network access (PNA) flag is disabled when creating the private endpoint connection. For more about Azure AI services connections, follow documentation [here](../../ai-services/cognitive-services-virtual-networks.md). You can optionally bring your own (BYO) search, but this requires a private endpoint connection from your virtual network.
 
 ### Encryption
 Projects that use the same Azure AI hub resource, share their encryption configuration. Encryption mode can be set only at the time of Azure AI hub resource creation between Microsoft-managed keys and Customer-managed keys. 

articles/ai-studio/how-to/create-secure-ai-hub.md

@@ -0,0 +1,73 @@
+---
+title: Create a secure AI hub
+titleSuffix: Azure AI Studio
+description: Create an Azure AI hub inside a managed virtual network. The managed virtual network secures access to managed resources such as computes.
+ms.service: azure-ai-studio
+ms.reviewer: jhirono
+ms.author: larryfr
+author: Blackmist
+ms.date: 03/22/2024
+ms.topic: how-to
+# Customer intent: As an administrator, I want to create a secure AI hub and project with a managed virtual network so that I can secure access to the AI hub and project resources.
+---
+
+# How to create a secure AI hub and project with a managed virtual network
+
+[!INCLUDE [Azure AI Studio preview](../includes/preview-ai-studio.md)]
+
+You can secure your AI hub, AI projects, and managed resources in a managed virtual network. With a managed virtual network, inbound access is only allowed through a private endpoint for your AI hub resource. Outbound access can be configured to allow either all outbound access, or only allowed outbound that you specify. For more information, see [Managed virtual network](configure-managed-network.md).
+
+> [!IMPORTANT]
+> The managed virtual network doesn't provide inbound connectivity for your clients. For more information, see the [Connect to the AI hub](#connect-to-the-ai-hub) section. 
+
+## Prerequisites
+
+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free) before you begin.
+- An Azure Virtual Network that you use to securely connect to Azure services. For example, you might use [Azure Bastion](/azure/bastion/bastion-overview), [VPN Gateway](/azure/vpn-gateway/vpn-gateway-about-vpngateways) or [ExpressRoute](/azure/expressroute/expressroute-introduction) to connect to the Azure Virtual Network from your on-premises network. If you don't have an Azure Virtual Network, you can create one by following the instructions in [Create a virtual network](/azure/virtual-network/quick-create-portal).
+
+## Create an AI hub
+
+1. From the Azure portal, search for `Azure AI Studio` and create a new resource by selecting **+ New Azure AI**.
+1. Enter your AI hub name, subscription, resource group, and location details.
+
+    :::image type="content" source="../media/how-to/network/ai-hub-basics.png" alt-text="Screenshot of the option to set Azure AI hub resource basic information." lightbox="../media/how-to/network/ai-hub-basics.png":::
+
+1. Select **Next: Resources** to specify resources. Select an existing **Azure AI services** resource or create a new one. New Azure AI services include multiple API endpoints for Speech, Content Safety, and Azure OpenAI. You can also bring an existing Azure OpenAI resource. Optionally, choose an existing **Storage account**, **Key vault**, **Container Registry**, and **Application insights** to host artifacts generated when you use AI Studio.
+
+    :::image type="content" source="../media/how-to/network/ai-hub-resources.png" alt-text="Screenshot of the Create an Azure AI hub resource with the option to set resource information." lightbox="../media/how-to/network/ai-hub-resources.png"::: 
+
+1. Select **Next: Networking** to configure the managed virtual network that AI Studio uses to secure its AI hub and AI project resources.
+    
+    1. Select **Private with Internet Outbound**, which allows compute resources to access the public internet for resources such as Python packages.
+
+        :::image type="content" source="../media/how-to/network/ai-hub-networking.png" alt-text="Screenshot of the Create an Azure AI hub resource with the option to set network isolation information." lightbox="../media/how-to/network/ai-hub-networking.png":::
+
+    1. To allow your clients to connect through your Azure Virtual Network to the AI hub, use the following steps to add a private endpoint.
+    
+        1. Select **+ Add** from the **Workspace inbound access** section of the **Networking** tab. The **Create private endpoint** form is displayed.
+        
+            :::image type="content" source="../media/how-to/network/workspace-inbound-access.png" alt-text="Screenshot of the workspace inbound access section." lightbox="../media/how-to/network/workspace-inbound-access.png":::
+
+        1. Enter a unique value in the **Name** field. Select the **Virtual network** (Azure Virtual Network) that your clients connect to. Select the **Subnet** that the private endpoint connects to.
+        
+            :::image type="content" source="../media/how-to/network/ai-hub-create-private-endpoint.png" alt-text="Screenshot of the create private endpoint form." lightbox="../media/how-to/network/ai-hub-create-private-endpoint.png":::
+
+        1. Select **Ok** to save the endpoint configuration.
+
+1. Select **Review + create**, then **Create** to create the AI hub. Once the AI hub has been created, any AI projects or compute instances created from the AI hub inherit the network configuration.
+
+## Connect to the AI hub
+
+The managed virtual network doesn't directly provide access to your clients. Instead, your clients connect to an Azure Virtual Network that *you* manage. There are multiple methods that you might use to connect clients to the Azure Virtual Network. The following table lists the common ways that clients connect to an Azure Virtual Network:
+
+| Method | Description |
+| ----- | ----- |
+| [Azure VPN gateway](/azure/vpn-gateway/vpn-gateway-about-vpngateways) | Connects on-premises networks to an Azure Virtual Network over a private connection. Connection is made over the public internet. |
+| [ExpressRoute](https://azure.microsoft.com/services/expressroute/) | Connects on-premises networks into the cloud over a private connection. Connection is made using a connectivity provider. |
+| [Azure Bastion](/azure/bastion/bastion-overview) | Connects to a virtual machine inside the Azure Virtual Network using your web browser. |
+
+## Next steps
+
+- [Create a project](create-projects.md)
+- [Learn more about Azure AI Studio](../what-is-ai-studio.md)
+- [Learn more about Azure AI hub resources](../concepts/ai-resources.md)