Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Built-in policy "Configure Cognitive Services accounts to use private DNS zones" registers Azure OpenAI resources in the wrong zone #1248

Open juanandmsft opened 7 months ago

juanandmsft commented 7 months ago

Details of the scenario you tried and the problem that is occurring

When creating an Azure OpenAI resource with the Azure Portal and a private endpoint, it registers in the zone "privatelink.openai.azure.com".

However, the built-in policy "Configure Cognitive Services accounts to use private DNS zones" (c4bc6f10-cb41-49eb-b000-d5ab82e2a091) registers it in "privatelink.cognitiveservices.azure.com".

The policy itself only has one zone parameter, so it cannot specify both "privatelink.openai.azure.com" and "privatelink.cognitiveservices.azure.com", and the Azure OpenAI resource matches the privateLinkServiceId criteria "Microsoft.CognitiveServices/accounts" like most Azure AI services.

The Azure OpenAI resource has a "kind" property that flags the "Microsoft.CognitiveServices/accounts" as OpenAI, but the private endpoint resource does not have any similar property usable in policy to distinguish it from private endpoints for regular cognitive services accounts.

Verbose logs showing the problem

[screenshot attached in the original issue; not reproduced here]

Suggested solution to the issue

Make Azure OpenAI private endpoints distinguishable from regular "Microsoft.CognitiveServices/accounts" and adjust built-in policies to treat them differently, registering each in the correct zone.

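As an added defender-side check (not code from the issue or from the azure-policy repo): because the private endpoint carries no `kind`, this script resolves each Cognitive Services endpoint back to its account through `privateLinkServiceId` and compares the zone in its private DNS zone group with the zone the account's kind calls for, flagging OpenAI accounts the policy placed in the cognitiveservices zone. It assumes endpoint records with their `privateDnsZoneGroups` child resources attached inline, and runs on constructed sample data; the Resource Graph query that would produce such records is not shown.

```python
from typing import Dict, List

# Zone names are the two named in the issue; the type is the policy's privateLinkServiceId target.
OPENAI_ZONE = "privatelink.openai.azure.com"
COGNITIVE_ZONE = "privatelink.cognitiveservices.azure.com"
ACCOUNT_TYPE = "microsoft.cognitiveservices/accounts"

def expected_zone(account: dict) -> str:
    """The endpoint has no 'kind', so decide by the parent account's kind."""
    return OPENAI_ZONE if account.get("kind", "").lower() == "openai" else COGNITIVE_ZONE

def zone_name(zone_id: str) -> str:
    """Last segment of a privateDnsZoneId: .../privateDnsZones/<name>."""
    return zone_id.rstrip("/").rsplit("/", 1)[-1].lower()

def audit(endpoints: List[dict], accounts: Dict[str, dict]) -> List[dict]:
    """One finding per Cognitive Services endpoint registered in the wrong zone.
    accounts: lower-cased account resource ID -> account resource (with 'kind').
    Each endpoint carries its privateDnsZoneGroups child resources inline (assumption)."""
    findings = []
    for ep in endpoints:
        configured = {zone_name(cfg["properties"]["privateDnsZoneId"])
                      for grp in ep.get("privateDnsZoneGroups", [])
                      for cfg in grp["properties"].get("privateDnsZoneConfigs", [])}
        for conn in ep["properties"].get("privateLinkServiceConnections", []):
            account = accounts.get(conn["properties"]["privateLinkServiceId"].lower())
            if account is None or account.get("type", "").lower() != ACCOUNT_TYPE:
                continue  # target is not a Cognitive Services account: out of scope
            want = expected_zone(account)
            if want not in configured:
                findings.append({"endpoint": ep["name"], "account": account["name"],
                                 "kind": account.get("kind"), "expected": want,
                                 "configured": sorted(configured)})
    return findings

# Constructed sample data (not from the issue): one OpenAI account and one
# Language account, both registered by the policy in the cognitiveservices zone.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
def _account(name, kind):
    rid = f"{SUB}/providers/Microsoft.CognitiveServices/accounts/{name}"
    return rid.lower(), {"id": rid, "name": name, "type": "Microsoft.CognitiveServices/accounts", "kind": kind}
def _endpoint(name, account, zone):
    return {"name": name, "properties": {"privateLinkServiceConnections": [{"properties": {
        "privateLinkServiceId": f"{SUB}/providers/Microsoft.CognitiveServices/accounts/{account}",
        "groupIds": ["account"]}}]}, "privateDnsZoneGroups": [{"properties": {"privateDnsZoneConfigs": [
        {"properties": {"privateDnsZoneId": f"{SUB}/providers/Microsoft.Network/privateDnsZones/{zone}"}}]}}]}
SAMPLE_ACCOUNTS = dict([_account("oai-demo", "OpenAI"), _account("lang-demo", "TextAnalytics")])
SAMPLE_ENDPOINTS = [_endpoint("pe-oai-demo", "oai-demo", COGNITIVE_ZONE),
                    _endpoint("pe-lang-demo", "lang-demo", COGNITIVE_ZONE)]
if __name__ == "__main__":
    print(audit(SAMPLE_ENDPOINTS, SAMPLE_ACCOUNTS))  # only pe-oai-demo is reported
```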

juanandmsft commented 6 months ago

Workaround here