...
Finally, we have to configure network routing when we use Azure Private Endpoints: Network routing preference - Azure Storage | Microsoft Learn
For traffic flowing to private endpoints, you can add a rule to route that traffic through your Network Virtual Appliance (NVA). You can reuse that rule across all your spokes, Virtual Private Network (VPN) gateways, and Azure ExpressRoute gateways: Azure Private Link in a hub-and-spoke network - Azure Architecture Center | Microsoft Learn
We may need to inspect or block traffic from clients to the services exposed via private endpoints: Azure Firewall scenarios to inspect traffic destined to a private endpoint - Azure Private Link | Microsoft Learn
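An offline check for the routing rule described above, added here as an example (it is not code from the page or from Microsoft). Azure installs a /32 system route for every private endpoint in the virtual network, so the spoke route table needs a matching /32 user-defined route with the NVA as next hop; the check assumes that convention and treats a broader route (such as a 0.0.0.0/0 default) as not taking effect for that destination, which is an assumption to revisit if private endpoint network policies are enabled on the endpoint subnet. Input objects are constructed and follow the ARM shape of Microsoft.Network/routeTables; all addresses and names are placeholders.

```python
"""Offline check that a spoke route table forces private endpoint traffic
through the hub NVA. Added example; constructed inputs, placeholder addresses."""
import ipaddress

NVA_IP = "10.0.1.4"  # constructed: hub firewall / NVA private address

# Constructed: private endpoint NIC addresses in the spoke (name -> IP).
PRIVATE_ENDPOINTS = {"pe-storage": "10.1.2.10", "pe-search": "10.1.2.11"}


def route(name, prefix, next_hop_ip=None, hop_type="VirtualAppliance"):
    """Build a route entry in the ARM shape used by Microsoft.Network/routeTables."""
    props = {"addressPrefix": prefix, "nextHopType": hop_type}
    if next_hop_ip:
        props["nextHopIpAddress"] = next_hop_ip
    return {"name": name, "properties": props}


# Only pe-storage has a /32; pe-search is "covered" by the default route, but
# the platform's /32 system route for it is more specific and wins (assumption
# stated in the lead-in).
INCOMPLETE_TABLE = {"properties": {"routes": [
    route("to-pe-storage", "10.1.2.10/32", NVA_IP),
    route("default", "0.0.0.0/0", NVA_IP),
]}}

COMPLETE_TABLE = {"properties": {"routes": [
    route("to-pe-storage", "10.1.2.10/32", NVA_IP),
    route("to-pe-search", "10.1.2.11/32", NVA_IP),
    route("default", "0.0.0.0/0", NVA_IP),
]}}


def most_specific_route(route_table, ip):
    """Longest-prefix match over the user-defined routes for a destination IP.

    Returns (prefix length, route) or None when no UDR covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in route_table["properties"]["routes"]:
        net = ipaddress.ip_network(r["properties"]["addressPrefix"], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best


def check_pe_routing(route_table, endpoints, nva_ip):
    """Return one finding per private endpoint that is not forced through the NVA."""
    findings = []
    for name, ip in endpoints.items():
        match = most_specific_route(route_table, ip)
        if match is None:
            findings.append(f"{name} ({ip}): no UDR; the system /32 route delivers traffic directly")
            continue
        prefixlen, r = match
        props = r["properties"]
        if prefixlen != 32:
            findings.append(f"{name} ({ip}): UDR {props['addressPrefix']} is broader than the /32 system route and will not apply")
        elif props["nextHopType"] != "VirtualAppliance" or props.get("nextHopIpAddress") != nva_ip:
            findings.append(f"{name} ({ip}): /32 route exists but its next hop is not the NVA {nva_ip}")
    return findings


if __name__ == "__main__":
    print(check_pe_routing(INCOMPLETE_TABLE, PRIVATE_ENDPOINTS, NVA_IP))
    print(check_pe_routing(COMPLETE_TABLE, PRIVATE_ENDPOINTS, NVA_IP))
```

Feed it the route table exported from the spoke and the private IPs of the endpoint NICs; every endpoint without its own /32 to the NVA is reported, which is exactly the traffic that would bypass the inspection point.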
Azure AI Search
- Azure security baseline for Azure Cognitive Search | Microsoft Learn
Inbound connection - IP Firewall or Private endpoint (for Azure AI search - Create a Private Endpoint for a secure connection - Azure AI Search | Microsoft Learn)
Outbound connection - Connect through Firewall (for Azure AI Search - Configure an IP firewall - Azure AI Search | Microsoft Learn)
Configure Azure Storage Firewall (Configure Azure Storage firewalls and virtual networks | Microsoft Learn)
Azure Web Apps:
- Private endpoint: Connect privately to an App Service apps using private endpoint - Azure App Service | Microsoft Learn
- NAT Gateway: Azure NAT Gateway integration - Azure App Service - Azure App Service | Microsoft Learn
- Control outbound traffic: App Service outbound traffic control with Azure Firewall - Azure App Service | Microsoft Learn
- VNet integration: Integrate your app with an Azure virtual network - Azure App Service | Microsoft Learn
- Access restrictions: App Service Access restrictions - Azure App Service | Microsoft Learn
- Static IP restrictions: Azure App Service access restrictions - Azure App Service | Microsoft Learn
- Control outbound traffic with NSG: App Service outbound traffic control with Azure Firewall - Azure App Service | Microsoft Learn, if our app is integrated into a VNet. This can also be done centrally across Azure subscriptions (Azure Firewall Standard features | Microsoft Learn)
...
The network segmentation boundaries will be established by deploying Azure AI Search in a private Virtual Network (VNet), and therefore in a dedicated subnet: Configure Virtual Networks for Azure AI services - Azure AI services | Microsoft Learn
Configuration of firewalls and virtual networks:
No direct connectivity between Azure AI Search and the on-premises server will be needed. The only direct connectivity will be implemented between Azure AI Search and Azure App Service.
The inbound connection should be established through a private endpoint, because of the network isolation we want; no Internet traffic will be allowed: Security overview - Azure AI Search | Microsoft Learn
The outbound connection should be established as follows:
Connection as a trusted service for the Storage Account: Connect as trusted service - Azure AI Search | Microsoft Learn
We need to create an outbound connection through a firewall. Here are the steps to follow: Connect through firewalls - Azure AI Search | Microsoft Learn
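The inbound and outbound rules above (private endpoint only for the search service; storage reached as a trusted service or through a resource instance rule in the storage firewall, as also listed in the storage firewall item earlier) can be verified offline against exported resource JSON. The audit below is an added example, not code from the page or from Microsoft. Property names follow the ARM resource schema (properties.publicNetworkAccess, properties.networkAcls with defaultAction, bypass and resourceAccessRules, properties.privateEndpointConnections); confirm the exact field names against your own exported templates. The two sample configurations and the resource ID are constructed placeholders.

```python
"""Offline audit of an Azure AI Search service and its storage account against
the hardening described above. Added example; constructed sample inputs."""
import json

# Constructed placeholder: the search service's ARM resource ID, as it would
# appear in a storage resource instance rule.
SEARCH_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-demo/providers/Microsoft.Search/searchServices/srch-demo")

# Constructed: public endpoint open, storage firewall wide open, no trusted access.
WEAK = {
    "search": {"properties": {"publicNetworkAccess": "Enabled",
                              "privateEndpointConnections": []}},
    "storage": {"properties": {"publicNetworkAccess": "Enabled",
                               "networkAcls": {"defaultAction": "Allow",
                                               "bypass": "None",
                                               "resourceAccessRules": []}}},
}

# Constructed: public endpoint disabled, approved private endpoint, storage
# firewall set to Deny with trusted-service bypass and a resource instance rule.
HARDENED = {
    "search": {"properties": {"publicNetworkAccess": "Disabled",
                              "privateEndpointConnections": [
                                  {"properties": {"privateLinkServiceConnectionState":
                                                  {"status": "Approved"}}}]}},
    "storage": {"properties": {"publicNetworkAccess": "Enabled",
                               "networkAcls": {"defaultAction": "Deny",
                                               "bypass": "AzureServices",
                                               "resourceAccessRules": [
                                                   {"tenantId": "00000000-0000-0000-0000-000000000000",
                                                    "resourceId": SEARCH_ID}]}}},
}


def audit_search(search):
    """Inbound: the public endpoint must be off and a private endpoint approved."""
    props = search["properties"]
    findings = []
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("search: public endpoint still enabled; inbound should be private endpoint only")
    conns = props.get("privateEndpointConnections", [])
    approved = [c for c in conns
                if c["properties"]["privateLinkServiceConnectionState"]["status"] == "Approved"]
    if not approved:
        findings.append("search: no approved private endpoint connection")
    return findings


def audit_storage(storage, search_resource_id):
    """Outbound: storage firewall closed by default, with a trusted-service path for search."""
    props = storage["properties"]
    acls = props.get("networkAcls", {})
    findings = []
    # Public access with defaultAction Allow means the firewall is not in effect at all.
    if (props.get("publicNetworkAccess", "Enabled") == "Enabled"
            and acls.get("defaultAction", "Allow") == "Allow"):
        findings.append("storage: firewall default action is Allow with public access enabled")
    # Either the trusted-services bypass or a resource instance rule for the
    # search service is needed for the trusted-service connection to work.
    bypass = {b.strip() for b in acls.get("bypass", "None").split(",")}
    rules = acls.get("resourceAccessRules", [])
    has_instance_rule = any(r.get("resourceId", "").lower() == search_resource_id.lower()
                            for r in rules)
    if "AzureServices" not in bypass and not has_instance_rule:
        findings.append("storage: search cannot reach storage as a trusted service "
                        "(no AzureServices bypass and no resource instance rule)")
    return findings


def audit(cfg, search_resource_id=SEARCH_ID):
    """Combine both checks; an empty list means the configuration matches the design."""
    return audit_search(cfg["search"]) + audit_storage(cfg["storage"], search_resource_id)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, json.dumps(audit(cfg), indent=2))
```

Run it against the exported JSON of the real search service and storage account; a non-empty list names each point where the deployment drifts from the private-endpoint-only inbound and trusted-service outbound design.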
Note: Private Endpoints for Azure AI Search allow a client on a virtual network to securely access data in a search index over a Private Link. The private endpoint uses an IP address from the virtual network address space for your search service. Network traffic between the client and the search service traverses the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet.
Private endpoints for your search service enable you to:
- Block all connections on the public endpoint for your search service.
- Increase security for the virtual network, by enabling you to block exfiltration of data from the virtual network.
- Securely connect to your search service from on-premises networks that connect to the virtual network using VPN or ExpressRoute with private peering.