## Simultaneous use of private endpoints and VNet service endpoints
11
+
12
+
[Private endpoints](../speech-services-private-link.md) and [VNet service endpoints](../speech-service-vnet-service-endpoint.md) can be used to access to the same Speech resource simultaneously. However, to enable private endpoint(s) and VNet service endpoint(s) simultaneously you need to use the **Selected Networks and Private Endpoints** option in the networking settings of the Speech resource in the Azure portal. All other options are not supported for this scenario.
Azure offers private endpoints and VNet service endpoints for traffic tunneling using the [private Azure backbone network](https://azure.microsoft.com/global-infrastructure/global-network/). These endpoint types are similar in the purpose, and the technologies they are based on. However there are differences between the two technologies, and we recommend learning more about the pros and cons of each before designing your network.
13
+
14
+
These are a few things that you should consider when making a choice:
15
+
- Both technologies ensure the traffic between the VNet and the Speech resource is *not* going through the public internet.
16
+
- A private endpoint provides a dedicated private IP address for your Speech resource. This IP address is accessible only within a specific VNet and subnet. You have full control of the access to this IP address within your network infrastructure.
17
+
- VNet service endpoints do *not* provide a dedicated private IP address for the Speech resource, but instead encapsulate all packets sent to the Speech resource and deliver them directly through the Azure backbone network.
18
+
- Both technologies support on-premises scenarios. By default, when using VNet service endpoints Azure service resources secured to virtual networks aren't reachable from on-premises networks, but this [can be set up](../../../virtual-network/virtual-network-service-endpoints-overview.md#secure-azure-service-access-from-on-premises).
19
+
- VNet service points are often used when you want to restrict the access for your Speech resource based on the VNet(s) where the traffic originates from.
20
+
- In case of Cognitive Services, enabling the VNet service endpoint forces the traffic for **all** Cognitive Services resources to go through the private backbone network. That requires explicit network access configuration (see details [here](../speech-service-vnet-service-endpoint.md#configure-vnets-and-the-speech-resource-networking-settings)). Private endpoints do not have this limitation and provide more flexibility for your network configuration - you can access one resource through the private backbone and another through the public internet using the same subnet of the same VNet.
21
+
- Private endpoints incur [extra costs](https://azure.microsoft.com/pricing/details/private-link). VNet service endpoints are free.
22
+
- Private endpoints require [extra DNS configuration](../speech-services-private-link.md#turn-on-private-endpoints).
23
+
- One Speech resource may simultaneously work with both private endpoints and VNet service endpoints.
24
+
25
+
We recommend that you try both endpoint types before deciding on your production design.
26
+
27
+
-[Private Link and private endpoint documentation](../../../private-link/private-link-overview.md)
28
+
-[VNet service endpoint documentation](../../../virtual-network/virtual-network-service-endpoints-overview.md)
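Review bot: In the bullet list, the item beginning "VNet service points are often used" calls the feature "service points", while every other line in this file says "VNet service endpoints"; change it to "VNet service endpoints are often used when you want to restrict access to your Speech resource based on the VNet(s) the traffic originates from". In the paragraph directly under the heading, "can be used to access to the same Speech resource" has a stray "to". The last bullet ("One Speech resource may simultaneously work with both private endpoints and VNet service endpoints") repeats the section above without its constraint that only **Selected Networks and Private Endpoints** is supported for that combination; either drop the bullet or link it to that section so readers do not miss the required networking option.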
title: How to use VNet service endpoints with Speech service
3
+
titleSuffix: Azure Cognitive Services
4
+
description: Learn how to use Speech service with Virtual Network service endpoints
5
+
services: cognitive-services
6
+
author: alexeyo26
7
+
manager: nitinme
8
+
ms.service: cognitive-services
9
+
ms.subservice: speech-service
10
+
ms.topic: conceptual
11
+
ms.date: 03/19/2021
12
+
ms.author: alexeyo
13
+
---
14
+
15
+
# Use Speech service through a Virtual Network service endpoint
16
+
17
+
[Virtual Network](../../virtual-network/virtual-networks-overview.md) (VNet) [service endpoint](../../virtual-network/virtual-network-service-endpoints-overview.md) provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
18
+
19
+
This article explains how to set up and use VNet service endpoints with Speech service in Azure Cognitive Services.
20
+
21
+
> [!NOTE]
22
+
> Before you proceed, review [how to use virtual networks with Cognitive Services](../cognitive-services-virtual-networks.md).
23
+
24
+
This article also describes [how to remove VNet service endpoints later, but still use the Speech resource](#use-a-speech-resource-with-a-custom-domain-name-and-without-allowed-vnets).
25
+
26
+
Setting up a Speech resource for the VNet service endpoint scenarios requires performing the following tasks:
1.[Configure VNet(s) and the Speech resource networking settings](#configure-vnets-and-the-speech-resource-networking-settings)
29
+
1.[Adjust existing applications and solutions](#adjust-existing-applications-and-solutions)
30
+
31
+
> [!NOTE]
32
+
> Setting up and using VNet service endpoints for Speech service is very similar to setting up and using the private endpoints. In this article we reference the correspondent sections of the [article on using private endpoints](speech-services-private-link.md), when the content is equivalent.
This article describes the usage of the VNet service endpoints with Speech service. Usage of the private endpoints is described [here](speech-services-private-link.md).
37
+
38
+
## Create a custom domain name
39
+
40
+
VNet service endpoints require a [custom subdomain name for Cognitive Services](../cognitive-services-custom-subdomains.md). Create a custom domain referring to [this section](speech-services-private-link.md#create-a-custom-domain-name) of the private endpoint article. Note, that all warnings in the section are also applicable to the VNet service endpoint scenario.
41
+
42
+
## Configure VNet(s) and the Speech resource networking settings
43
+
44
+
You need to add all Virtual networks that are allowed access via the service endpoint to the Speech resource networking properties.
45
+
46
+
> [!NOTE]
47
+
> To access a Speech resource via the VNet service endpoint you need to enable `Microsoft.CognitiveServices` service endpoint type for the required subnet(s) of your VNet. This in effect will route **all** subnet Cognitive Services related traffic via the private backbone network. If you intend to access any other Cognitive Services resources from the same subnet, make sure these resources are configured to allow your VNet. See next Note for the details.
48
+
49
+
> [!NOTE]
50
+
> If a VNet is not added as allowed to the Speech resource networking properties, it will **not** have access to this Speech resource via the service endpoint, even if the `Microsoft.CognitiveServices` service endpoint is enabled for the VNet. Moreover, if the service endpoint is enabled, but the VNet is not allowed, the Speech resource will be unaccessible for this VNet through a public IP address as well, no matter what the Speech resource other network security settings are. The reason is that enabling `Microsoft.CognitiveServices` endpoint routes **all** Cognitive Services related traffic through the private backbone network, and in this case the VNet should be explicitly allowed to access the resource. This is true not only for Speech but for all other Cognitive Services resources (see the previous Note).
51
+
52
+
1. Go to the [Azure portal](https://portal.azure.com/) and sign in to your Azure account.
53
+
1. Select the required Speech resource.
54
+
1. In the **Resource Management** group on the left pane, select **Networking**.
55
+
1. On the **Firewalls and virtual networks** tab, select **Selected Networks and Private Endpoints**.
56
+
57
+
> [!NOTE]
58
+
> To use VNet service endpoints you need to select **Selected Networks and Private Endpoints** network security option. No other options are supported. If your scenario requires **All networks** option, consider using the [private endpoints](speech-services-private-link.md), which support all three network security options.
59
+
60
+
5. Select **Add existing virtual network** or **Add new virtual network**, fill in the required parameters, and select **Add** for the existing or **Create** for the new virtual network. Note, that if you add an existing virtual network then the `Microsoft.CognitiveServices` service endpoint will be automatically enabled for the selected subnet(s). This operation can take up to 15 minutes. Also do not forget to consider the Notes in the beginning of this section.
61
+
62
+
### Enabling service endpoint for an existing VNet
63
+
64
+
As described in the previous section when you add a VNet as allowed for the speech resource the `Microsoft.CognitiveServices` service endpoint is automatically enabled. However, if later you disable it for whatever reason, you need to re-enable it manually to restore the service endpoint access to the Speech resource (as well as other Cognitive Services resources):
65
+
66
+
1. Go to the [Azure portal](https://portal.azure.com/) and sign in to your Azure account.
67
+
1. Select the required VNet.
68
+
1. In the **Settings** group on the left pane, select **Subnets**.
69
+
1. Select the required subnet.
70
+
1. A new right panel appears. In this panel in the **Service Endpoints** section select `Microsoft.CognitiveServices` from the **Services** drop-down list.
71
+
1. Select **Save**.
72
+
73
+
## Adjust existing applications and solutions
74
+
75
+
A Speech resource with a custom domain enabled uses a different way to interact with Speech Services. This is true for a custom-domain-enabled Speech resource both with and without service endpoints configured. Information in this section applies to both scenarios.
76
+
77
+
### Use a Speech resource with a custom domain name and allowed VNet(s) configured
78
+
79
+
This is the case when **Selected Networks and Private Endpoints** option is selected in networking settings of the Speech resource **AND** at least one VNet is allowed. The usage is equivalent to [using a Speech resource with a custom domain name and a private endpoint enabled](speech-services-private-link.md#adjust-an-application-to-use-a-speech-resource-with-a-private-endpoint).
80
+
81
+
82
+
### Use a Speech resource with a custom domain name and without allowed VNet(s)
83
+
84
+
This is the case when private endpoints are **not** enabled, and any of the following is true:
85
+
86
+
-**Selected Networks and Private Endpoints** option is selected in networking settings of the Speech resource, but **no** allowed VNet(s) are configured
87
+
-**All networks** option is selected in networking settings of the Speech resource
88
+
89
+
The usage is equivalent to [using a Speech resource with a custom domain name and without private endpoints](speech-services-private-link.md#adjust-an-application-to-use-a-speech-resource-without-private-endpoints).
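Review bot: The two consecutive `[!NOTE]` blocks under "Configure VNet(s) and the Speech resource networking settings" refer to each other by position ("See next Note for the details", "see the previous Note"), and the second one describes a loss of access rather than a side remark: with `Microsoft.CognitiveServices` enabled on a subnet and the VNet not allowed, the resource cannot be reached even through a public IP address. Merge them into one block and raise it to `[!WARNING]`, the alert type the private endpoint article already uses for its custom domain caveat, which also removes the positional cross-references. In that block "unaccessible" should be "inaccessible". Under "Adjust existing applications and solutions" the text still says "interact with Speech Services", while this commit renames the product to "Speech service" in the private endpoint article.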
articles/cognitive-services/Speech-Service/speech-services-private-link.md (23 additions & 11 deletions)
@@ -1,18 +1,18 @@
1
1
---
2
-
title: How to use private endpoints with Speech Services
2
+
title: How to use private endpoints with Speech service
3
3
titleSuffix: Azure Cognitive Services
4
-
description: Learn how to use Speech Services with private endpoints provided by Azure Private Link
4
+
description: Learn how to use Speech service with private endpoints provided by Azure Private Link
5
5
services: cognitive-services
6
6
author: alexeyo26
7
7
manager: nitinme
8
8
ms.service: cognitive-services
9
9
ms.subservice: speech-service
10
10
ms.topic: conceptual
11
-
ms.date: 02/04/2021
11
+
ms.date: 04/07/2021
12
12
ms.author: alexeyo
13
13
---
14
14
15
-
# Use Speech Services through a private endpoint
15
+
# Use Speech service through a private endpoint
16
16
17
17
[Azure Private Link](../../private-link/private-link-overview.md) lets you connect to services in Azure by using a [private endpoint](../../private-link/private-endpoint-overview.md). A private endpoint is a private IP address that's accessible only within a specific [virtual network](../../virtual-network/virtual-networks-overview.md) and subnet.
18
18
@@ -24,14 +24,22 @@ This article then describes how to remove private endpoints later, but still use
24
24
25
25
26
26
27
+
Setting up a Speech resource for the private endpoint scenarios requires performing the following tasks:
28
+
1.[Create a custom domain name](#create-a-custom-domain-name)
29
+
1.[Turn on private endpoints](#turn-on-private-endpoints)
30
+
1.[Adjust existing applications and solutions](#adjust-an-application-to-use-a-speech-resource-with-a-private-endpoint)
This article describes the usage of the private endpoints with Speech service. Usage of the VNet service endpoints is described [here](speech-service-vnet-service-endpoint.md).
35
+
36
+
27
37
## Create a custom domain name
28
38
29
39
Private endpoints require a [custom subdomain name for Cognitive Services](../cognitive-services-custom-subdomains.md). Use the following instructions to create one for your Speech resource.
30
40
31
41
> [!WARNING]
32
-
> A Speech resource that uses a custom domain name interacts with Speech Services in a different way.
33
-
> You might have to adjust your application code to use a Speech resource with a private endpoint, and also to use a Speech resource with _no_ private endpoint.
34
-
> Both scenarios may be needed because the switch to custom domain name is _not_ reversible.
42
+
> A Speech resource with a custom domain name enabled uses a different way to interact with Speech service. You might have to adjust your application code for both of these scenarios: [with private endpoint](#adjust-an-application-to-use-a-speech-resource-with-a-private-endpoint) and [*without* private endpoint](#adjust-an-application-to-use-a-speech-resource-without-private-endpoints).
35
43
>
36
44
> When you turn on a custom domain name, the operation is [not reversible](../cognitive-services-custom-subdomains.md#can-i-change-a-custom-domain-name). The only way to go back to the [regional name](../cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints) is to create a new Speech resource.
37
45
>
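Review bot: The third task in the new list is labelled "Adjust existing applications and solutions" but links to `#adjust-an-application-to-use-a-speech-resource-with-a-private-endpoint`, and no heading with that label appears in the visible parts of this file; the label looks carried over from the VNet service endpoint article. Use the target heading's own text as the link label, and since the rewritten warning says code may need adjusting for both scenarios, consider listing `#adjust-an-application-to-use-a-speech-resource-without-private-endpoints` as well. In the rewritten `[!WARNING]`, "uses a different way to interact with Speech service" reads less clearly than the removed line; "interacts with Speech service in a different way" keeps the earlier wording with the new product name.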
@@ -294,7 +302,7 @@ A Speech resource with a custom domain name and a private endpoint turned on use
294
302
295
303
We'll use `my-private-link-speech.cognitiveservices.azure.com` as a sample Speech resource DNS name (custom domain) for this section.
296
304
297
-
Speech Services has REST APIs for [Speech-to-text](rest-speech-to-text.md) and [Text-to-speech](rest-text-to-speech.md). Consider the following information for the private-endpoint-enabled scenario.
305
+
Speech service has REST APIs for [Speech-to-text](rest-speech-to-text.md) and [Text-to-speech](rest-text-to-speech.md). Consider the following information for the private-endpoint-enabled scenario.
298
306
299
307
Speech-to-text has two REST APIs. Each API serves a different purpose, uses different endpoints, and requires a different approach when you're using it in the private-endpoint-enabled scenario.
300
308
@@ -390,7 +398,7 @@ An example DNS name is:
390
398
391
399
`westeurope.stt.speech.microsoft.com`
392
400
393
-
All possible values for the region (first element of the DNS name) are listed in [Speech service supported regions](regions.md). (See [this article](sovereign-clouds.md) for Azure Government and Azure China endpoints.) The following table presents the possible values for the Speech Services offering (second element of the DNS name):
401
+
All possible values for the region (first element of the DNS name) are listed in [Speech service supported regions](regions.md). (See [this article](sovereign-clouds.md) for Azure Government and Azure China endpoints.) The following table presents the possible values for the Speech service offering (second element of the DNS name):
@@ -403,7 +411,7 @@ All possible values for the region (first element of the DNS name) are listed in
403
411
404
412
So the earlier example (`westeurope.stt.speech.microsoft.com`) stands for a Speech-to-text endpoint in West Europe.
405
413
406
-
Private-endpoint-enabled endpoints communicate with Speech Services via a special proxy. Because of that, *you must change the endpoint connection URLs*.
414
+
Private-endpoint-enabled endpoints communicate with Speech service via a special proxy. Because of that, *you must change the endpoint connection URLs*.
407
415
408
416
A "standard" endpoint URL looks like: <p/>`{region}.{speech service offering}.speech.microsoft.com/{URL path}`
409
417
@@ -504,7 +512,7 @@ After this modification, your application should work with the private-endpoint-
504
512
505
513
## Adjust an application to use a Speech resource without private endpoints
506
514
507
-
Inthisarticle, we've pointed out several times that enabling a custom domain for a Speech resource is *irreversible*. Such a resource will use a different way of communicating with Speech Services, compared to the ones that are using [regional endpoint names](../cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints).
515
+
Inthisarticle, we've pointed out several times that enabling a custom domain for a Speech resource is *irreversible*. Such a resource will use a different way of communicating with Speech service, compared to the ones that are using [regional endpoint names](../cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints).