microsoft · Vemarthula-Microsoft · Dec 3, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -282,6 +282,7 @@ module cognitiveServices 'modules/cognitive-services/cognitiveServices.bicep' =
     name: name
     resourceToken: resourceToken
     location: aiDeploymentsLocation
+    virtualNetworkLocation: location
     networkIsolation: networkIsolation
     networkAcls: networkAcls
     virtualNetworkResourceId: networkIsolation ? network.outputs.resourceId : ''

@@ -8,6 +8,8 @@ param resourceToken string
 
 @description('Specifies the location for all the Azure resources. Defaults to the location of the resource group.')
 param location string
+@description('Location of the virtual network (must match VNet region for private endpoints).')
+param virtualNetworkLocation string
 
 @description('Specifies whether network isolation is enabled. When true, Foundry and related components will be deployed, network access parameters will be set to Disabled.')
 param networkIsolation bool
@@ -116,14 +118,15 @@ module aiServices 'service.bicep' = {
   params: {
     name: 'cog${name}${resourceToken}'
     location: location
+    virtualNetworkLocation: virtualNetworkLocation
     kind: 'AIServices'
     category: 'AIServices'
     networkIsolation: networkIsolation
     networkAcls: networkAcls
     virtualNetworkSubnetResourceId: networkIsolation ? virtualNetworkSubnetResourceId : ''
     privateDnsZonesResourceIds: networkIsolation ? [ 
-      cognitiveServicesPrivateDnsZone.outputs.resourceId
-      openAiPrivateDnsZone.outputs.resourceId
+      cognitiveServicesPrivateDnsZone.outputs.?resourceId
+      openAiPrivateDnsZone.outputs.?resourceId
     ] : []
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
 
@@ -140,12 +143,13 @@ module contentSafety 'service.bicep' = if (contentSafetyEnabled) {
   params: {
     name: 'safety${name}${resourceToken}'
     location: location
+    virtualNetworkLocation: virtualNetworkLocation
     kind: 'ContentSafety'
     networkIsolation: networkIsolation
     networkAcls: networkAcls
     virtualNetworkSubnetResourceId: networkIsolation ? virtualNetworkSubnetResourceId : ''
     privateDnsZonesResourceIds: networkIsolation ? [ 
-      cognitiveServicesPrivateDnsZone.outputs.resourceId
+      cognitiveServicesPrivateDnsZone.outputs.?resourceId
     ]: []
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
     roleAssignments: allRoleAssignments
@@ -160,13 +164,14 @@ module vision 'service.bicep' = if (visionEnabled) {
   params: {
     name: 'vision${name}${resourceToken}'
     location: location
+    virtualNetworkLocation: virtualNetworkLocation
     kind: 'ComputerVision'
     sku: 'S1'
     networkIsolation: networkIsolation
     networkAcls: networkAcls
     virtualNetworkSubnetResourceId: networkIsolation ? virtualNetworkSubnetResourceId : ''
     privateDnsZonesResourceIds: networkIsolation ? [ 
-      cognitiveServicesPrivateDnsZone.outputs.resourceId
+      cognitiveServicesPrivateDnsZone.outputs.?resourceId
     ] : []
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
     roleAssignments: allRoleAssignments
@@ -181,13 +186,14 @@ module language 'service.bicep' = if (languageEnabled) {
   params: {
     name: 'lang${name}${resourceToken}'
     location: location
+    virtualNetworkLocation: virtualNetworkLocation
     kind: 'TextAnalytics'
     sku: 'S'
     networkIsolation: networkIsolation
     networkAcls: networkAcls
     virtualNetworkSubnetResourceId: networkIsolation ? virtualNetworkSubnetResourceId : ''
     privateDnsZonesResourceIds: networkIsolation ? [ 
-      cognitiveServicesPrivateDnsZone.outputs.resourceId
+      cognitiveServicesPrivateDnsZone.outputs.?resourceId
     ] : []
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
     roleAssignments: allRoleAssignments
@@ -202,12 +208,13 @@ module speech 'service.bicep' = if (speechEnabled) {
   params: {
     name: 'speech${name}${resourceToken}'
     location: location
+    virtualNetworkLocation: virtualNetworkLocation
     kind: 'SpeechServices'
     networkIsolation: networkIsolation
     networkAcls: networkAcls
     virtualNetworkSubnetResourceId: networkIsolation ? virtualNetworkSubnetResourceId : ''
     privateDnsZonesResourceIds: networkIsolation ? [ 
-      cognitiveServicesPrivateDnsZone.outputs.resourceId
+      cognitiveServicesPrivateDnsZone.outputs.?resourceId
     ] : []
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
     roleAssignments: allRoleAssignments
@@ -222,13 +229,14 @@ module translator 'service.bicep' = if (translatorEnabled) {
   params: {
     name: 'translator${name}${resourceToken}'
     location: location
+    virtualNetworkLocation: virtualNetworkLocation
     kind: 'TextTranslation'
     sku: 'S1'
     networkIsolation: networkIsolation
     networkAcls: networkAcls
     virtualNetworkSubnetResourceId: networkIsolation ? virtualNetworkSubnetResourceId : ''
     privateDnsZonesResourceIds: networkIsolation ? [ 
-      cognitiveServicesPrivateDnsZone.outputs.resourceId
+      cognitiveServicesPrivateDnsZone.outputs.?resourceId
     ] : []
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
     roleAssignments: allRoleAssignments
@@ -243,6 +251,7 @@ module documentIntelligence 'service.bicep' = if (documentIntelligenceEnabled) {
   params: {
     name: 'docintel${name}${resourceToken}'
     location: location
+    virtualNetworkLocation: virtualNetworkLocation
     kind: 'FormRecognizer'
     networkIsolation: networkIsolation
     virtualNetworkSubnetResourceId: networkIsolation ? virtualNetworkSubnetResourceId : ''
@@ -265,9 +274,9 @@ output aiServicesSystemAssignedMIPrincipalId string = aiServices.outputs.?system
 
 output connections array = union(
   [aiServices.outputs.foundryConnection], 
-  contentSafetyEnabled ? [contentSafety.outputs.foundryConnection] : [],
-  visionEnabled ? [vision.outputs.foundryConnection] : [],
-  languageEnabled ? [language.outputs.foundryConnection] : [],
-  speechEnabled ? [speech.outputs.foundryConnection] : [],
-  translatorEnabled ? [translator.outputs.foundryConnection] : [],
-  documentIntelligenceEnabled ? [documentIntelligence.outputs.foundryConnection] : [])
+  contentSafetyEnabled ? [contentSafety.outputs.?foundryConnection] : [],
+  visionEnabled ? [vision.outputs.?foundryConnection] : [],
+  languageEnabled ? [language.outputs.?foundryConnection] : [],
+  speechEnabled ? [speech.outputs.?foundryConnection] : [],
+  translatorEnabled ? [translator.outputs.?foundryConnection] : [],
+  documentIntelligenceEnabled ? [documentIntelligence.outputs.?foundryConnection] : [])
@@ -1,8 +1,7 @@
 @description('Name of the Cognitive Services resource. Must be unique in the resource group.')
 param name string
 
-@description('The location of the Cognitive Services resource.')
-param location string
+// Location is derived from the current resource group's region; no explicit param needed.
 
 @description('Required. Kind of the Cognitive Services account. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.')
 @allowed([
@@ -59,6 +58,8 @@ param privateDnsZonesResourceIds string[] = []
 
 @description('Resource ID of the subnet for the private endpoint.')
 param virtualNetworkSubnetResourceId string
+@description('Location of the virtual network hosting the private endpoint subnet. Must match the subnet region for private endpoint creation.')
+param virtualNetworkLocation string = resourceGroup().location
 
 @description('The resource ID of the Log Analytics workspace to use for diagnostic settings.')
 param logAnalyticsWorkspaceResourceId string
@@ -85,7 +86,7 @@ module cognitiveService 'br/public:avm/res/cognitive-services/account:0.11.0' =
   name: take('cog-${kind}-${name}-deployment', 64)
   params: {
     name: nameFormatted
-    location: location
+    location: resourceGroup().location
     tags: tags
     sku: sku
     kind: kind
@@ -114,7 +115,8 @@ module cognitiveServicePrivateEndpoint 'br/public:avm/res/network/private-endpoi
   name: take('pep-${name}-deployment', 64)
   params: {
     name: 'pep-${nameFormatted}-cognitiveservices'
-    location: location
+    // Private endpoint must be in same region as the target subnet/VNet
+    location: virtualNetworkLocation
     tags: tags
     privateLinkServiceConnections: [
       {