Azure Policy to block public access to AI Foundry
Corrected policy
The original logic had two issues. First, ipRangeContains cannot be used as a policy condition operator; it is a template function and has to be evaluated inside a value expression (here, the "value" of the count's where clause). Second, the IP rule item being examined by the count must be referenced with current(...) rather than field(...), because field(...) would not resolve to the individual array element being iterated.
This is also an important security control in real environments. An API key alone is not a strong enough protection boundary for AI services: a leaked or over-shared key can be used from anywhere on the internet as long as the endpoint itself is publicly reachable. Network restriction adds a second, independent control layer and reduces exposure even when a key is compromised.
Allowing only known corporate public IP ranges is also practical. If you already know the company's outbound IP ranges, you can keep access available for internal users without immediately forcing every scenario through a more complex connectivity pattern such as private endpoints. That usually preserves the user experience while still significantly reducing the public attack surface.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.CognitiveServices/accounts"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction",
              "notEquals": "Deny"
            },
            {
              "count": {
                "field": "Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]",
                "where": {
                  "value": "[ipRangeContains(parameters('allowedIpRange'), current('Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*].value'))]",
                  "equals": false
                }
              },
              "greater": 0
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "allowedIpRange": {
      "type": "String",
      "metadata": {
        "displayName": "Allowed IP Range",
        "description": "The corporate authorized network range in CIDR format (for example 78.131.0.0/16)."
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Set to Deny to block non-compliant deployments."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  }
}
This version reports non-compliance when networkAcls.defaultAction is not set to Deny, or when the networkAcls.ipRules array contains at least one IP address or CIDR range that is not fully contained in the approved corporate range. Note what it does not cover: the rule inspects only networkAcls.defaultAction and the ipRules entries, so virtualNetworkRules and the account's publicNetworkAccess setting are not evaluated by this definition and need their own controls if you rely on them.
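To check that the two conditions behave as intended before assigning the definition, it helps to mirror the rule's logic offline. The following is an added example written for this page, not code from the original post or from any Azure SDK: it re-implements the policy's "if" block with the standard-library ipaddress module and runs it over constructed sample resource documents shaped like the properties of a Microsoft.CognitiveServices/accounts resource. The ip_range_contains helper assumes the same input formats the Azure Policy ipRangeContains function accepts (single IP, CIDR, or first-last range); the sample resources and the 78.131.0.0/16 range are constructed from the parameter description above.

```python
"""Offline evaluator mirroring the Azure Policy rule above.

Added example, not part of the original post and not an Azure API. It
re-creates the two conditions (defaultAction must be Deny; every
networkAcls.ipRules entry must sit inside allowedIpRange) so the rule can
be exercised against constructed resource documents before assignment.
"""
import ipaddress


def _bounds(spec: str):
    """Return the (first, last) addresses covered by a single IP ("78.131.1.5"),
    a CIDR ("78.131.0.0/16") or a first-last range ("78.131.1.1-78.131.1.9").
    Assumption: these are the formats Azure's ipRangeContains accepts."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        net = ipaddress.ip_network(spec, strict=False)
        first, last = net.network_address, net.broadcast_address
    if first.version != last.version or first > last:
        raise ValueError(f"malformed IP range: {spec!r}")
    return first, last


def ip_range_contains(allowed_range: str, target: str) -> bool:
    """Approximation of ipRangeContains(range, targetRange): True only if the
    whole target (every address in it) lies inside allowed_range."""
    a_first, a_last = _bounds(allowed_range)
    t_first, t_last = _bounds(target)
    if a_first.version != t_first.version:      # an IPv6 rule is never inside an IPv4 range
        return False
    return a_first <= t_first and t_last <= a_last


def evaluate(properties: dict, allowed_range: str) -> list:
    """Mirror the policy's 'if' block. Returns the reasons the resource matches
    the rule (i.e. would be audited or denied); an empty list means compliant."""
    acls = properties.get("networkAcls") or {}
    reasons = []

    # Condition 1: networkAcls.defaultAction notEquals "Deny".
    # A missing networkAcls block is treated as non-compliant here, since its
    # defaultAction is then not "Deny" either.
    default_action = acls.get("defaultAction")
    if default_action != "Deny":
        reasons.append(f"networkAcls.defaultAction is {default_action!r}, not 'Deny'")

    # Condition 2: count(ipRules[*] where ipRangeContains(...) == false) > 0.
    # A missing or empty ipRules array yields a count of 0, so it passes.
    outside = [
        rule["value"]
        for rule in acls.get("ipRules", [])
        if not ip_range_contains(allowed_range, rule["value"])
    ]
    if outside:
        reasons.append(f"ipRules outside {allowed_range}: {outside}")

    return reasons


# Constructed samples (not real resources), shaped like the 'properties' of a
# Microsoft.CognitiveServices/accounts resource.
CORPORATE_RANGE = "78.131.0.0/16"

COMPLIANT = {"networkAcls": {"defaultAction": "Deny",
                             "ipRules": [{"value": "78.131.10.0/24"},
                                         {"value": "78.131.200.15"}]}}
OPEN_DEFAULT = {"networkAcls": {"defaultAction": "Allow", "ipRules": []}}
STRAY_RULE = {"networkAcls": {"defaultAction": "Deny",
                              "ipRules": [{"value": "78.131.10.0/24"},
                                          {"value": "203.0.113.0/24"}]}}
NO_ACLS = {}


if __name__ == "__main__":
    for name, props in [("compliant", COMPLIANT), ("open default", OPEN_DEFAULT),
                        ("stray rule", STRAY_RULE), ("no networkAcls", NO_ACLS)]:
        reasons = evaluate(props, CORPORATE_RANGE)
        print(f"{name:15} -> {'compliant' if not reasons else reasons}")
```

Two details are worth noticing when running this. A rule such as 78.130.0.0/15 is rejected even though it overlaps the corporate range, because containment is evaluated on the whole target, which is the behaviour you want for an allow-list. And a resource with no networkAcls block at all is flagged on the first condition, so the policy catches accounts that were created without any network restriction rather than only those explicitly set to Allow.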
