Commit 7e41683

Merge pull request #273978 from Blackmist/vnet-clarification
highlighting some limitations
2 parents c6f5657 + 355deb8 commit 7e41683

File tree

1 file changed

+22
-12
lines changed

articles/ai-studio/how-to/configure-managed-network.md

Lines changed: 22 additions & 12 deletions
@@ -43,6 +43,10 @@ There are three different configuration modes for outbound traffic from the mana
4343
<sup>1</sup> You can use outbound rules with _allow only approved outbound_ mode to achieve the same result as using allow internet outbound. The differences are:
4444

4545
* Always use private endpoints to access Azure resources.
46+
47+
> [!IMPORTANT]
48+
> While you can create a private endpoint for Azure AI services and Azure AI Search, the connected services must allow public networking. For more information, see [Connectivity to other services](#connectivity-to-other-services).
49+
4650
* You must add rules for each outbound connection you need to allow.
4751
* Adding FQDN outbound rules __increase your costs__ as this rule type uses Azure Firewall.
4852
* The default rules for _allow only approved outbound_ are designed to minimize the risk of data exfiltration. Any outbound rules you add might increase your risk.
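Review bot: The new `> [!IMPORTANT]` callout at 47-49 is placed between two list items without indentation, which splits the bullet list ("Always use private endpoints..." / "You must add rules...") into two separate lists when rendered. Indent the callout by four spaces so it stays attached to the "Always use private endpoints to access Azure resources." item, or move it after the final bullet at line 52. Either way, the callout also qualifies the bullet it follows, since the line "While you can create a private endpoint for Azure AI services and Azure AI Search, the connected services must allow public networking" is a direct exception to "Always use private endpoints", and the bullet should say so ("except Azure AI services and Azure AI Search; see the note below") rather than leaving the two statements side by side.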
@@ -60,6 +64,21 @@ The following diagram shows a managed VNet configured to __allow only approved o
6064
6165
:::image type="content" source="../media/how-to/network/only-approved-outbound.svg" alt-text="Diagram of managed VNet isolation configured for allow only approved outbound." lightbox="../media/how-to/network/only-approved-outbound.png":::
6266

67+
## Limitations
68+
69+
* Azure AI Studio currently doesn't support bring your own virtual network, it only supports managed VNet isolation.
70+
* Once you enable managed VNet isolation of your Azure AI, you can't disable it.
71+
* Managed VNet uses private endpoint connection to access your private resources. You can't have a private endpoint and a service endpoint at the same time for your Azure resources, such as a storage account. We recommend using private endpoints in all scenarios.
72+
* The managed VNet is deleted when the Azure AI is deleted.
73+
* Data exfiltration protection is automatically enabled for the only approved outbound mode. If you add other outbound rules, such as to FQDNs, Microsoft can't guarantee that you're protected from data exfiltration to those outbound destinations.
74+
* Using FQDN outbound rules increases the cost of the managed VNet because FQDN rules use Azure Firewall. For more information, see [Pricing](#pricing).
75+
* When using a compute instance with a managed network, you can't connect to the compute instance using SSH.
76+
77+
### Connectivity to other services
78+
79+
* Azure AI services provisioned with Azure AI hub and Azure AI Search attached with Azure AI hub should be public.
80+
* The "Add your data" feature in the Azure AI Studio playground doesn't support private storage account.
81+
6382
## Configure a managed virtual network to allow internet outbound
6483

6584
> [!TIP]
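Review bot: The bullet at line 79, "Azure AI services provisioned with Azure AI hub and Azure AI Search attached with Azure AI hub should be public", reads as a recommendation, but the callout that links here (line 48) states it as a hard requirement ("the connected services must allow public networking"). Since this subsection is the target of that link, use the same wording here: "... must allow public network access." Two smaller points in the same hunk: line 69 says "of your Azure AI" and line 72 says "when the Azure AI is deleted", while the rest of the file (lines 64, 332, 343) uses "Azure AI hub"; and line 80 should read "private storage accounts".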
@@ -306,6 +325,9 @@ Private endpoints are currently supported for the following Azure services:
306325
* Azure Database for MySQL
307326
* Azure SQL Managed Instance
308327

328+
> [!IMPORTANT]
329+
> While you can create a private endpoint for Azure AI services and Azure AI Search, the connected services must allow public networking. For more information, see [Connectivity to other services](#connectivity-to-other-services).
330+
309331
When you create a private endpoint, you provide the _resource type_ and _subresource_ that the endpoint connects to. Some resources have multiple types and subresources. For more information, see [what is a private endpoint](/azure/private-link/private-endpoint-overview).
310332

311333
When you create a private endpoint for Azure AI hub dependency resources, such as Azure Storage, Azure Container Registry, and Azure Key Vault, the resource can be in a different Azure subscription. However, the resource must be in the same tenant as the Azure AI hub.
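Review bot: The callout added at 328-330 is a verbatim copy of the one added at 47-49 in the earlier hunk. Two copies of the same requirement will drift the next time one is edited; keep the full statement in the "Connectivity to other services" subsection it already links to, and reduce this one to a single pointer sentence, for example "> Azure AI services and Azure AI Search must allow public networking even when a private endpoint exists. See [Connectivity to other services](#connectivity-to-other-services)." It is also worth checking that neither Azure AI services nor Azure AI Search appears in the "Private endpoints are currently supported for the following Azure services" list above without this caveat, since that list is what a reader uses to decide whether a private endpoint is sufficient.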
@@ -321,15 +343,3 @@ The Azure AI hub managed VNet feature is free. However, you're charged for the f
321343

322344
> [!IMPORTANT]
323345
> The firewall isn't created until you add an outbound FQDN rule. If you don't use FQDN rules, you will not be charged for Azure Firewall. For more information on pricing, see [Azure Firewall pricing](https://azure.microsoft.com/pricing/details/azure-firewall/).
324-
325-
## Limitations
326-
327-
* Azure AI Studio currently doesn't support bring your own virtual network, it only supports managed VNet isolation.
328-
* Azure AI services provisioned with Azure AI hub and Azure AI Search attached with Azure AI hub should be public.
329-
* The "Add your data" feature in the Azure AI Studio playground doesn't support private storage account.
330-
* Once you enable managed VNet isolation of your Azure AI, you can't disable it.
331-
* Managed VNet uses private endpoint connection to access your private resources. You can't have a private endpoint and a service endpoint at the same time for your Azure resources, such as a storage account. We recommend using private endpoints in all scenarios.
332-
* The managed VNet is deleted when the Azure AI is deleted.
333-
* Data exfiltration protection is automatically enabled for the only approved outbound mode. If you add other outbound rules, such as to FQDNs, Microsoft can't guarantee that you're protected from data exfiltration to those outbound destinations.
334-
* Using FQDN outbound rules increases the cost of the managed VNet because FQDN rules use Azure Firewall. For more information, see [Pricing](#pricing).
335-
* When using a compute instance with a managed network, you can't connect to the compute instance using SSH.
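Review bot: The removed lines 325-335 match the block added at 67-81 bullet for bullet, with the two connectivity bullets (old 328 and 329) split out under the new "Connectivity to other services" heading, so this is a relocation of the Limitations section from after Pricing to before the configuration steps rather than new content. The commit message "highlighting some limitations" does not mention the move; note it in the PR description so that anyone with a bookmark or link to the old position of the section knows why it moved, and confirm the file still ends with a newline after line 345 now that the trailing blank lines 324-325 are gone.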
