Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License
1.69k stars 958 forks

Bug Report: Policy initiative for private endpoints registers Azure OpenAI resources in wrong zone #1489

Closed juanandmsft closed 9 months ago

juanandmsft commented 9 months ago

Describe the bug

The ALZ policy initiative definition at [modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json] leverages the built-in policy "Configure Cognitive Services accounts to use private DNS zones" (c4bc6f10-cb41-49eb-b000-d5ab82e2a091) and registers it in "privatelink.cognitiveservices.azure.com". However, when creating an Azure OpenAI resource, it should go under the zone "privatelink.openai.azure.com".

The policy itself only has one zone parameter, so it cannot specify both "privatelink.openai.azure.com" and "privatelink.cognitiveservices.azure.com", and an Azure OpenAI resource matches the privateLinkServiceId criterion "Microsoft.CognitiveServices/accounts", as do most Azure AI services.

The Azure OpenAI resource has a "kind" property that flags the "Microsoft.CognitiveServices/accounts" resource as OpenAI, but the private endpoint resource does not have any similar property usable in policy to distinguish it from private endpoints for regular Cognitive Services accounts.

Steps to reproduce

  1. Create an Azure OpenAI resource with private endpoint without DNS integration.
  2. The built-in policy runs over it and registers it in the wrong zone.

Screenshots: [image]

Opened a bug for the built-in policy definition here.
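The report above describes a mis-registration that the policy engine cannot see (the private endpoint carries no property that says "OpenAI"), but the target account's "kind" does. The following audit script, added here as an example and not code from the Enterprise-Scale repo or the issue author, walks a set of private endpoints, looks up each linked Cognitive Services account, derives the zone its kind requires, and flags endpoints whose DNS zone group does not point at that zone. Resource dictionaries follow the ARM JSON shape of Microsoft.Network/privateEndpoints and Microsoft.CognitiveServices/accounts; the sample resources, subscription and resource-group names are constructed, and `KIND_ZONE_OVERRIDES` is an assumed mapping holding only the OpenAI case from this issue.

```python
"""Offline audit of Private DNS zone registration for Cognitive Services and
Azure OpenAI private endpoints.

Hypothetical example (not part of the Enterprise-Scale repo). Resource dicts
follow the ARM JSON shape of Microsoft.Network/privateEndpoints and
Microsoft.CognitiveServices/accounts; all sample resources are constructed.
"""
from typing import Dict, List

COGNITIVE_TYPE = "microsoft.cognitiveservices/accounts"
DEFAULT_ZONE = "privatelink.cognitiveservices.azure.com"
# Account kinds that need a dedicated zone instead of the generic one
# (assumed mapping; only the case from this issue is listed).
KIND_ZONE_OVERRIDES = {"openai": "privatelink.openai.azure.com"}


def expected_zone(account: Dict) -> str:
    """Zone the endpoint for this account should be registered in, by 'kind'."""
    return KIND_ZONE_OVERRIDES.get(account.get("kind", "").lower(), DEFAULT_ZONE)


def zone_name(zone_resource_id: str) -> str:
    """'.../privateDnsZones/<name>' -> '<name>', lower-cased."""
    return zone_resource_id.rstrip("/").rsplit("/", 1)[-1].lower()


def registered_zones(endpoint: Dict) -> List[str]:
    """All zones the endpoint's DNS zone groups currently point at."""
    zones = []
    for group in endpoint["properties"].get("privateDnsZoneGroups", []):
        for cfg in group["properties"].get("privateDnsZoneConfigs", []):
            zones.append(zone_name(cfg["properties"]["privateDnsZoneId"]))
    return zones


def audit(endpoints: List[Dict], accounts: List[Dict]) -> List[Dict]:
    """One finding per endpoint whose target Cognitive Services account is not
    registered in the zone its kind requires. Endpoints that point at other
    resource types are skipped; the decision is made on the account's 'kind',
    since the endpoint itself carries nothing that identifies OpenAI."""
    by_id = {a["id"].lower(): a for a in accounts}
    findings = []
    for ep in endpoints:
        for conn in ep["properties"].get("privateLinkServiceConnections", []):
            target = conn["properties"]["privateLinkServiceId"]
            account = by_id.get(target.lower())
            if account is None or account["type"].lower() != COGNITIVE_TYPE:
                continue
            want = expected_zone(account)
            have = registered_zones(ep)
            if want not in have:
                findings.append({
                    "endpoint": ep["name"],
                    "account": account["name"],
                    "kind": account.get("kind"),
                    "expected_zone": want,
                    "registered_zones": have,
                })
    return findings


# --- constructed sample resources (made-up subscription / resource groups) ---
def _account(name: str, kind: str) -> Dict:
    return {
        "id": f"/subscriptions/sub-1/resourceGroups/rg-ai/providers/"
              f"Microsoft.CognitiveServices/accounts/{name}",
        "name": name, "type": "Microsoft.CognitiveServices/accounts", "kind": kind,
    }


def _endpoint(name: str, target_id: str, zones: List[str]) -> Dict:
    zone_prefix = "/subscriptions/sub-1/resourceGroups/rg-dns/providers/Microsoft.Network/privateDnsZones/"
    return {
        "name": name,
        "properties": {
            "privateLinkServiceConnections": [
                {"properties": {"privateLinkServiceId": target_id}}
            ],
            "privateDnsZoneGroups": [{"properties": {"privateDnsZoneConfigs": [
                {"properties": {"privateDnsZoneId": zone_prefix + z}} for z in zones
            ]}}],
        },
    }


SAMPLE_ACCOUNTS = [_account("aoai-prod", "OpenAI"), _account("lang-prod", "TextAnalytics")]
SAMPLE_ENDPOINTS = [
    # Azure OpenAI endpoint that the built-in policy put in the generic zone: wrong.
    _endpoint("pe-aoai-prod", SAMPLE_ACCOUNTS[0]["id"], [DEFAULT_ZONE]),
    # Regular Cognitive Services account: the generic zone is correct.
    _endpoint("pe-lang-prod", SAMPLE_ACCOUNTS[1]["id"], [DEFAULT_ZONE]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ENDPOINTS, SAMPLE_ACCOUNTS):
        print(f"{f['endpoint']}: kind={f['kind']} expected {f['expected_zone']}, "
              f"registered {f['registered_zones']}")
```

Run against real data by feeding `audit()` the JSON of your private endpoints and Cognitive Services accounts; the check deliberately keys on the account's `kind` rather than on anything in the endpoint, which is the gap the built-in policy falls into.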

Springstone commented 9 months ago

Hi @juanandmsft, thanks for raising this issue. May I kindly ask that you open an Azure support ticket for this issue so that it can be prioritized by engineering based on customer impact. This will be far more effective than our team tracking down owners and asking for them to address this (which we will do anyway).

Springstone commented 9 months ago

Hi @juanandmsft! We've reached out to PG to address this issue and are tracking it in the backlog. As this is a built-in policy, there isn't much the ALZ team can do to resolve the issue. I highly recommend asking customers impacted by this to open support tickets to increase visibility and help PG validate impact - which will help them prioritize. I'll be closing the issue here, but feel free to re-open or create a new issue should you need to.

Springstone commented 9 months ago

@juanandmsft PG have acknowledged the issue and have suggested the following workaround: https://github.com/microsoft/industry/issues/380