Merge pull request #275979 from HeidiSteen/heidist-quik

prmerger-automator[bot] · web-flow · commit 7b3e9dfc0afa · 2024-05-22T01:56:43.000Z
[azure search] Updates to shared private link and vectorization
diff --git a/articles/search/search-indexer-howto-access-private.md b/articles/search/search-indexer-howto-access-private.md
@@ -7,15 +7,13 @@ manager: nitinme
 author: mrcarter8
 ms.author: mcarter
 ms.service: cognitive-search
-ms.custom:
-  - ignite-2023
 ms.topic: how-to
-ms.date: 04/03/2024
+ms.date: 05/21/2024
 ---
 
 # Make outbound connections through a shared private link
 
-This article explains how to configure private, outbound calls from Azure AI Search to an Azure PaaS resource that runs within a virtual network.
+This article explains how to configure private, outbound calls from Azure AI Search to an Azure PaaS resource that runs within an Azure virtual network.
 
 Setting up a private connection allows a search service to connect to a virtual network IP address instead of a port that's open to the internet. The object created for the connection is called a *shared private link*. On the connection, the search service uses the shared private link internally to reach an Azure PaaS resource inside the network boundary.
 
@@ -28,8 +26,8 @@ Shared private link is a premium feature that's billed by usage. When you set up
 
 Azure AI Search makes outbound calls to other Azure PaaS resources in the following scenarios:
 
-+ Indexer or search engine connects to Azure OpenAI for text-to-vector embeddings
-+ Indexer connects to supported data sources
++ Indexer or search engine connections to Azure OpenAI for text-to-vector embeddings
++ Indexer connections to supported data sources
 + Indexer (skillset) connections to Azure Storage for caching enrichments, debug session sate, or writing to a knowledge store
 + Encryption key requests to Azure Key Vault
 + Custom skill requests to Azure Functions or similar resource
@@ -56,7 +54,7 @@ There are two scenarios for using [Azure Private Link](../private-link/private-l
 
 Scenario one is covered in this article.
 
-While both scenarios have a dependency on Azure Private Link, they are independent. You can create a shared private link without having to configure your own search service for a private endpoint.
+While both scenarios have a dependency on Azure Private Link, they're independent. You can create a shared private link without having to configure your own search service for a private endpoint.
 
 ### Limitations
 
@@ -72,15 +70,15 @@ When evaluating shared private links for your scenario, remember these constrain
 
 + An Azure PaaS resource from the following list of [supported resource types](#supported-resource-types), configured to run in a virtual network.
 
-
 + Permissions on both Azure AI Search and the data source:
 
   + On the Azure PaaS resource, you must have the permission to approve private endpoint connections. For instance, if you're using an Azure Storage account as your data source (such as Blob container, Azure Files share, Azure table), you need `Microsoft.Storage/storageAccounts/privateEndpointConnectionsApproval/action`.
 
-  + On the search service, you must have read and write permissions on shared private link resources and read operation statuses: 
-     + `Microsoft.Search/searchServices/sharedPrivateLinkResources/write`
-     + `Microsoft.Search/searchServices/sharedPrivateLinkResources/read`
-     + `Microsoft.Search/searchServices/sharedPrivateLinkResources/operationStatuses/read`
+  + On the search service, you must have read and write permissions on shared private link resources and read operation statuses:
+
+    + `Microsoft.Search/searchServices/sharedPrivateLinkResources/write`
+    + `Microsoft.Search/searchServices/sharedPrivateLinkResources/read`
+    + `Microsoft.Search/searchServices/sharedPrivateLinkResources/operationStatuses/read`
 
 <a name="group-ids"></a>
 
@@ -107,7 +105,7 @@ You can create a shared private link for the following resources.
 
 <sup>4</sup> See [Create a shared private link for a SQL Managed Instance](search-indexer-how-to-access-private-sql.md) for instructions.
 
-<sup>5</sup> The `Microsoft.CognitiveServices/accounts` resource type is used for indexer connections to Azure OpenAI when implementing [integrated Vectorization](vector-search-integrated-vectorization.md).
+<sup>5</sup> The `Microsoft.CognitiveServices/accounts` resource type is used for vectorizer and indexer connections to Azure OpenAI when implementing [integrated Vectorization](vector-search-integrated-vectorization.md). There's currently no support for shared private link to embedding models in the Azure AI Studio model catalog or to the Azure AI Vision multimodal API.
 
 ## 1 - Create a shared private link
 
diff --git a/articles/search/vector-search-integrated-vectorization.md b/articles/search/vector-search-integrated-vectorization.md
@@ -102,8 +102,18 @@ Optionally, [create secondary indexes](index-projections-concept-intro.md) for a
 
 > [!TIP]
 > [Try the new **Import and vectorize data** wizard](search-get-started-portal-import-vectors.md) in the Azure portal to explore integrated vectorization before writing any code.
->
-> Or, configure a Jupyter notebook to run the same workflow, cell by cell, to see how each step works.
+
+### Secure connections to vectorizers and models
+
+If your architecture requires private connections that bypass the internet, you can create a [shared private link connection](search-indexer-howto-access-private.md) to the embedding models used by skills during indexing and vectorizers at query time. 
+
+Shared private links only work for Azure-to-Azure connections. If you're connecting to OpenAI or another external model, the connection must be over the public internet.
+
+For vectorization scenarios, you would use:
+
++ `openai_account` for embedding models hosted on an Azure OpenAI resource.
+
++ `sites` for embedding models accessed as a [custom skill](cognitive-search-custom-skill-interface.md) or [custom vectorizer](vector-search-vectorizer-custom-web-api.md). The `sites` group ID is for App services and Azure functions, which you could use to host an embedding model that isn't one of the Azure OpenAI embedding models.
 
 ## Limitations
 
@@ -113,8 +123,6 @@ Azure OpenAI token-per-minute limits are per model, per subscription. Keep this
 
 On Azure AI Search, remember there are [service limits](search-limits-quotas-capacity.md) by tier and workloads. 
 
-If you need a [shared private link connection](search-indexer-howto-access-private.md) from a vectorizer, you must review the supportability of your setup and follow the respective instructions.
-
 Finally, the following features aren't currently supported: 
 
 + [Customer-managed encryption keys](search-security-manage-encryption-keys.md)
