英文:
"Public access is disabled. Please configure private endpoint." even though private endpoint configured for Azure OpenAI Service
问题
我正在使用Terraform部署Azure OpenAI服务,想要为其设置一个私有端点。文档和这篇文章建议,除了私有端点之外,我还需要一个包含私有端点A记录的私有DNS区域。
但似乎这还不够,因为当我测试我的GPT-35-turbo模型时,在Azure AI Studio中我收到错误消息“禁用了公共访问。请配置私有端点。”
以下是我的Terraform代码:
main.tf
resource "azurerm_resource_group" "rg" {
location = "westeurope"
name = "test-rg"
}
resource "azurerm_cognitive_account" "openai" {
name = "REDACTED"
location = "westeurope"
resource_group_name = azurerm_resource_group.rg.name
kind = "OpenAI"
sku_name = "S0"
custom_subdomain_name = "REDACTED"
public_network_access_enabled = false
}
resource "azurerm_virtual_network" "vnet" {
name = "test-network"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
address_space = ["10.1.0.0/16"]
}
resource "azurerm_subnet" "private_subnet" {
name = "test-private-subnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.1.1.0/24"]
private_endpoint_network_policies_enabled = true
}
resource "azurerm_private_endpoint" "private_endpoint" {
name = "test-openai-private-endpoint"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
subnet_id = azurerm_subnet.private_subnet.id
private_service_connection {
name = "test-openai-privconn"
private_connection_resource_id = azurerm_cognitive_account.openai.id
subresource_names = ["account"]
is_manual_connection = false
}
}
resource "azurerm_private_dns_zone" "openai" {
name = "privatelink.openai.azure.com"
resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_private_dns_a_record" "openai" {
name = "test-openai-private-endpoint"
zone_name = "privatelink.openai.azure.com"
resource_group_name = azurerm_resource_group.rg.name
ttl = 300
records = [azurerm_private_endpoint.private_endpoint.private_service_connection[0].private_ip_address]
}
resource "azurerm_private_dns_zone_virtual_network_link" "link" {
name = "test-vnet-link"
resource_group_name = azurerm_resource_group.rg.name
private_dns_zone_name = azurerm_private_dns_zone.openai.name
virtual_network_id = azurerm_virtual_network.vnet.id
}
resource "azurerm_cognitive_deployment" "model_gpt_35_turbo" {
name = "test-gpt-35-turbo-model"
cognitive_account_id = azurerm_cognitive_account.openai.id
model {
format = "OpenAI"
name = "gpt-35-turbo"
version = "0301"
}
scale {
type = "Standard"
}
}
providers.tf
terraform {
required_version = ">=0.12"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.64.0"
}
}
}
provider "azurerm" {
features {}
subscription_id = "REDACTED"
}
附加信息:我没有任何DNS服务器(虚拟网络使用Azure的默认DNS服务器)。
英文:
I'm deploying Azure OpenAI Service via Terraform, and I want to set up a private endpoint for it. The docs and this article suggest that, besides a private endpoint, I need a private DNS zone containing an A record for the private endpoint.
It looks like this is not enough because I get the error "Public access is disabled. Please configure private endpoint." in Azure AI Studio when I test my GPT-35-turbo model.
Here's my Terraform code:
main.tf
resource "azurerm_resource_group" "rg" {
location = "westeurope"
name = "test-rg"
}
resource "azurerm_cognitive_account" "openai" {
name = "REDACTED"
location = "westeurope"
resource_group_name = azurerm_resource_group.rg.name
kind = "OpenAI"
sku_name = "S0"
custom_subdomain_name = "REDACTED"
public_network_access_enabled = false
}
resource "azurerm_virtual_network" "vnet" {
name = "test-network"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
address_space = ["10.1.0.0/16"]
}
resource "azurerm_subnet" "private_subnet" {
name = "test-private-subnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.1.1.0/24"]
private_endpoint_network_policies_enabled = true
}
resource "azurerm_private_endpoint" "private_endpoint" {
name = "test-openai-private-endpoint"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
subnet_id = azurerm_subnet.private_subnet.id
private_service_connection {
name = "test-openai-privconn"
private_connection_resource_id = azurerm_cognitive_account.openai.id
subresource_names = ["account"]
is_manual_connection = false
}
}
resource "azurerm_private_dns_zone" "openai" {
name = "privatelink.openai.azure.com"
resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_private_dns_a_record" "openai" {
name = "test-openai-private-endpoint"
zone_name = "privatelink.openai.azure.com"
resource_group_name = azurerm_resource_group.rg.name
ttl = 300
records = [azurerm_private_endpoint.private_endpoint.private_service_connection[0].private_ip_address]
}
resource "azurerm_private_dns_zone_virtual_network_link" "link" {
name = "test-vnet-link"
resource_group_name = azurerm_resource_group.rg.name
private_dns_zone_name = azurerm_private_dns_zone.openai.name
virtual_network_id = azurerm_virtual_network.vnet.id
}
resource "azurerm_cognitive_deployment" "model_gpt_35_turbo" {
name = "test-gpt-35-turbo-model"
cognitive_account_id = azurerm_cognitive_account.openai.id
model {
format = "OpenAI"
name = "gpt-35-turbo"
version = "0301"
}
scale {
type = "Standard"
}
}
providers.tf
terraform {
required_version = ">=0.12"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.64.0"
}
}
}
provider "azurerm" {
features {}
subscription_id = "REDACTED"
}
Additional info: I don't have any DNS server (the virtual network uses the default DNS server by Azure).
答案1
得分: 2
> "Public access is disabled. Please configure private endpoint." 即使为 Azure OpenAI 服务配置了私有端点,仍然显示此消息。
我在我的环境中尝试了相同的情况,并且得到了与您相同的结果,即使我在OpenAI Studio中创建了私有端点。
禁用了所有网络并启用了私有端点。
当我尝试从另一个网络打开OpenAI Studio中的Chat Service时,我也收到相同的消息。
即使在Firewall and Virtual Network设置下禁用了所有网络并在OpenAI Studio中创建了私有端点,仍然会遇到上述错误。这证实了该问题与配置无关。
为了测试连接,我在相同的VNet中创建了一个虚拟机并测试了Chat Service。它按预期工作。
要为OpenAI Studio创建私有端点,您需要根据Microsoft的建议将私有端点集成到Private DNS Zone中。
参考:DNS配置
英文:
> "Public access is disabled. Please configure private endpoint." even though private endpoint configured for Azure OpenAI Service.
I tried the same scenario in my environment and got the same result as you, even though I created the private endpoint in OpenAI Studio.
Disabled all networks and enabled Private Endpoint.
When I try to open the Chat Service in OpenAI Studio from another network, I also receive the same message.
You will encounter the above error even if you disable all networks under the Firewall and Virtual Network settings and create a private endpoint in OpenAI Studio.This confirms that the issue is not related to the configurations.
To test the connection, I created a virtual machine within the same VNet and tested the Chat Service. It is working as expected.
To create a private endpoint for OpenAI Studio, you need to integrate the private endpoint with a Private DNS Zone, as per microsoft's suggestion.
Reference: DNS configuration
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论