Based on the following JIRA support ticket (Private DNS zone needed for Azure OpenAI service), it was discovered that even though we have an existing Private DNS Zone for OpenAI, the Configure Azure PaaS services to use private DNS zones policy initiative does not contain a policy to create the DNS A-Record.
Therefore, we will need to create a custom Azure Policy for creating the DNS A-Record for OpenAI services (similar to the work done for SQL Databases).
As an immediate workaround to unblock the user, we can manually create a DNS A-Record in the privatelink.openai.azure.com Private DNS Zone. But this will only resolve the issue for this one user and this one resource. A new Azure Policy will address this issue for all users going forward.
High-Level Steps
1. Create a branch in the azure-lz-terraform-modules repo and duplicate the policy_assignment_private_dns_sql_server.json file, located under /caf_cccs_medium/modules/core/lib/policy_assignments/, making the applicable changes (i.e. names, values, parameters).
2. Update the archetype_extension_es_root.tmpl.json file as required.
3. Test the changes in FORGE by creating a branch in the azure-lz-core-forge repo and updating the forge module source, located under /caf/main.tf, to use the branch in the azure-lz-terraform-modules repo that contains the new policy.
4. Create a Pull Request in the azure-lz-core-forge repo and review the terraform plan results.
5. If there are no errors in the terraform plan, merge the PR and review the terraform apply results.
6. After the new policy has been deployed and assigned in FORGE, create an Azure OpenAI resource with a Private Endpoint and confirm that a DNS A-Record is automatically created in the appropriate Private DNS Zone.
7. After successful testing in FORGE, merge the changes made in the azure-lz-terraform-modules repo and create a new Release.
8. After the new Release has been created, make the same changes in the LIVE repo (azure-lz-core-live).