Secure Open AI model and connect via Azure VPN only

Sreeni Chozhankandath 0 Reputation points
2025-11-14T08:53:41.73+00:00

I have an issue securely connecting to an Azure OpenAI model from the Azure VPN Client. The model should not be accessible from all networks. I created the infra for this but am not able to connect securely through Azure VPN, as I always get a public IP during validation.

  • Configured a VPN Gateway and set up a P2S connection
  • Created DNS private Resolver for the VNet
  • Created a Private Endpoint and private link (private DNS Zone)
  • Set the DNS configuration for Private Endpoint
  • Configured the Inbound Endpoint for the DNS private resolver within a separate subnet under the VNet. Though VPNClientConfiguration is there for the VPN Gateway, I don't find a vpnClientDnsServers or customDnsServers configuration, and I'm not able to set it manually either.

When I try to reach the OpenAI resource by nslookup, I always get the public IP of my ISP, which is not expected.

Please suggest and guide if anyone has had this scenario before or can help with a solution or workaround for this issue.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

2 answers

  1. Q&A Assist
    2025-11-14T08:54:06.1733333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To securely connect to your Azure OpenAI model via Azure VPN and ensure it is not accessible from all networks, follow these steps:

    1. VPN Gateway Configuration: Ensure your VPN Gateway is correctly set up for Point-to-Site (P2S) connections. You should have the VPN Client configuration ready.
    2. Private Endpoint: You've already created a Private Endpoint and linked it to a Private DNS Zone. This is essential for ensuring that the Azure OpenAI resource is only accessible through the private network.
    3. DNS Configuration: Make sure that your DNS settings are correctly configured. The DNS private resolver should be able to resolve the private endpoint's DNS name to its private IP address. You mentioned that when you perform an nslookup, you receive the public IP instead of the private IP. This indicates that the DNS resolution is not correctly pointing to the private endpoint.
    4. Custom DNS Servers: If you are unable to set vpnClientDnsServers or customDnsServers configurations manually, ensure that your VPN Gateway is configured to use the DNS servers of your virtual network. You may need to check the settings in the Azure portal under your VPN Gateway's configuration.
    5. Hosts File Configuration: As a workaround, you can manually configure the hosts file on your local machine to point the Azure OpenAI resource's hostname to its private IP address. This can help in bypassing the DNS resolution issue temporarily.
    6. Testing Connectivity: After making these changes, test the connection again using nslookup to ensure it resolves to the private IP. If it still resolves to the public IP, double-check the DNS settings and the private endpoint configuration.

    If the problem persists, consider reviewing the Azure documentation or reaching out to Azure support for more tailored assistance regarding your specific setup and configurations.


  2. Praveen Bandaru 9,245 Reputation points Microsoft External Staff Moderator
    2025-11-14T10:03:28.5666667+00:00

    Hello Sreeni Chozhankandath

    I see that you're attempting to establish a secure connection to the Azure OpenAI model but are experiencing difficulties.

    First, test the nslookup on the source machine to see if it resolves privately. If it doesn't, check if the Private Endpoint VNET and DNS resolver VNET are linked to the private DNS zone. And also, please test it from inside an Azure VM and see whether it is working or not. Share the nslookup results with us.

    If you're using custom DNS in the private endpoint VNET, set a forwarder in the custom DNS server to point to the Azure DNS IP (168.63.129.16). Also, verify if the custom DNS and private endpoint are in the same VNET or different VNETs. If they are in different VNETs, you need to link both VNETs in the private DNS zone.

    Additionally, test psping on the source machine to check if connectivity is working.

    Command: [ psping privateIp:portno ]

    Refer to the following public document for Psping

    Check the below document for more understanding:

    https://github.com/msrini-MSFT/Troubleshooting-Private-Link-DNS-Scenarios?tab=readme-ov-file#scenario-1--source-machine-deployed-in-azure

    Also, please delete the P2S VPN gateway client file from your source machine, reinstall it, and then try configuring a record in the client file. Make sure to add the Private DNS resolver inbound IP to the VPN gateway client file and test it.

    Please try to check the below reference documents:
    https://learn.microsoft.com/en-us/answers/questions/2259152/how-can-i-test-connection-to-azure-ai-foundry-priv

    https://learn.microsoft.com/en-us/answers/questions/2245617/cannot-connect-to-the-private-endpoint-of-an-azure


    Hope the above answer helps!

    Please let us know if you have any further queries. Please do not forget to “up-vote” wherever the information provided helps you, as this can be beneficial to other community members.
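The nslookup and psping checks that both answers above ask for, written out as an added example that is not part of the thread and not from Microsoft or either poster: a POSIX shell script that queries the endpoint hostname through a given resolver, classifies the answer as a private-endpoint address (RFC 1918) or a public one, and on a private answer probes TCP/443 with nc in place of psping. The hostname myaoai.openai.azure.com, the resolver inbound IP 10.0.1.4 and the three embedded nslookup transcripts are all constructed placeholders, and the parser assumes the Unix nslookup output layout.

```shell
#!/bin/sh
# Added example (not from the thread): does the Azure OpenAI hostname resolve to the
# private endpoint when asked through the DNS Private Resolver inbound IP, and is
# TCP/443 to that address reachable over the P2S tunnel (the psping step)?
# AOAI_HOST and RESOLVER_IP are placeholders; override them from the environment.
AOAI_HOST="${AOAI_HOST:-myaoai.openai.azure.com}"   # placeholder resource hostname
RESOLVER_IP="${RESOLVER_IP:-10.0.1.4}"              # placeholder resolver inbound endpoint IP

# Return 0 when the IPv4 address is in an RFC 1918 range, which is what a private
# endpoint NIC gets; any other address means the public record was answered.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the answer addresses from Unix-style nslookup output: the "Address:" lines
# after the blank line that ends the Server/Address header (a "#53" suffix is dropped).
answer_addresses() {
  printf '%s\n' "$1" | awk '
    /^$/ { in_answer = 1; next }
    in_answer && /^Address:/ { sub(/#.*/, "", $2); print $2 }
  '
}

# Summarise nslookup output as "PRIVATE <ip>", "PUBLIC <ip>" (first public answer
# wins, since any public record means the client is not using the private zone),
# or "NONE" when there is no answer address (NXDOMAIN, timeout).
classify_nslookup() {
  addrs=$(answer_addresses "$1")
  if [ -z "$addrs" ]; then
    echo "NONE"
    return 0
  fi
  for ip in $addrs; do
    if ! is_private_ipv4 "$ip"; then
      echo "PUBLIC $ip"
      return 0
    fi
  done
  echo "PRIVATE $(printf '%s\n' "$addrs" | head -n 1)"
}

# Live check against the real resolver; only runs with LIVE=1 so the script also
# works offline. nc -z stands in for psping's TCP probe.
live_check() {
  out=$(nslookup "$AOAI_HOST" "$RESOLVER_IP" 2>&1)
  verdict=$(classify_nslookup "$out")
  echo "$AOAI_HOST via $RESOLVER_IP -> $verdict"
  case "$verdict" in
    PRIVATE*)
      ip=${verdict#PRIVATE }
      if nc -z -w 5 "$ip" 443 2>/dev/null; then
        echo "TCP/443 to $ip reachable through the tunnel"
      else
        echo "TCP/443 to $ip blocked: check NSG rules and the P2S address-space routes"
      fi ;;
    PUBLIC*)
      echo "public answer: the client did not use $RESOLVER_IP; check the VPN client profile DNS settings" ;;
    *)
      echo "no answer: check that the private DNS zone is linked to the resolver's VNet" ;;
  esac
}

# Constructed nslookup transcripts (not captured from a real system) for the three outcomes.
SAMPLE_PRIVATE=$(printf 'Server:\t\t10.0.1.4\nAddress:\t10.0.1.4#53\n\nNon-authoritative answer:\n%s\tcanonical name = myaoai.privatelink.openai.azure.com.\nName:\tmyaoai.privatelink.openai.azure.com\nAddress: 10.0.2.5\n' "$AOAI_HOST")
SAMPLE_PUBLIC=$(printf 'Server:\t\t192.168.1.1\nAddress:\t192.168.1.1#53\n\nNon-authoritative answer:\nName:\t%s\nAddress: 203.0.113.10\n' "$AOAI_HOST")
SAMPLE_NXDOMAIN=$(printf 'Server:\t\t10.0.1.4\nAddress:\t10.0.1.4#53\n\n** server cannot find %s: NXDOMAIN\n' "$AOAI_HOST")

echo "sample private : $(classify_nslookup "$SAMPLE_PRIVATE")"    # PRIVATE 10.0.2.5
echo "sample public  : $(classify_nslookup "$SAMPLE_PUBLIC")"     # PUBLIC 203.0.113.10
echo "sample nxdomain: $(classify_nslookup "$SAMPLE_NXDOMAIN")"   # NONE
if [ "${LIVE:-0}" = "1" ]; then
  live_check
fi
```

Run it with `LIVE=1 AOAI_HOST=<your-resource>.openai.azure.com RESOLVER_IP=<inbound endpoint IP> sh check.sh` from the machine on the P2S tunnel. The second sample mirrors the asker's symptom: the query is answered by the home router (192.168.1.1) rather than the resolver, so the public record comes back even though the private zone is correct inside Azure; a PRIVATE verdict followed by a blocked TCP/443 probe instead points at NSG rules or tunnel routes rather than DNS.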

