Tutorial part 5: Add network isolation
In this tutorial, you lock down the solution with private endpoints, VNet integration, and Private DNS Zones so no data traverses the public internet.
Prerequisites: Tutorial part 4 completed, Azure subscription with permissions to create VNets and private endpoints
Skills
Run these skills in Copilot Chat:
| Skill | What it does |
|---|---|
| `/miq-5a-enable-network-isolation` | Deploy private endpoints and VNet integration |
| `/miq-5b-verify-endpoints` | Validate that public access is blocked and private traffic flows |
What's happening in this module
- Enable network isolation -- Private endpoints assign private IPs to Microsoft Foundry, AI Search, and Key Vault. VNet integration routes App Service outbound traffic through a subnet. Private DNS Zones handle name resolution automatically.
- Verify endpoints -- Confirms that public access is blocked and that all traffic flows over the Microsoft backbone through private links.
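
A manual check of the name-resolution part of this module, as an added example that is not part of the tutorial's skills: it resolves each service hostname and reports whether every returned address falls inside the VNet address space. The hostnames, the `10.0.0.0/16` range, and the function names are assumptions; substitute your own resource names and VNet CIDR.

```python
import ipaddress
import socket

# Assumed placeholder values: replace with your resource names and VNet CIDR.
VNET_CIDR = "10.0.0.0/16"
ENDPOINTS = {
    "Microsoft Foundry": "example-foundry.cognitiveservices.azure.com",
    "AI Search": "example-search.search.windows.net",
    "Key Vault": "example-kv.vault.azure.net",
}


def system_resolver(hostname):
    """Return the set of IP addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_endpoints(endpoints, vnet_cidr, resolver=system_resolver):
    """Classify each endpoint by where its name resolves.

    Returns {service: (status, sorted_addresses)} where status is
    "private" (every address is inside the VNet), "public" (at least one
    address is outside it) or "unresolved" (lookup failed or was empty).
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    results = {}
    for service, hostname in endpoints.items():
        try:
            addresses = sorted(resolver(hostname))
        except OSError:  # socket.gaierror is a subclass of OSError
            addresses = []
        if not addresses:
            status = "unresolved"
        elif all(ipaddress.ip_address(a) in vnet for a in addresses):
            status = "private"
        else:
            status = "public"
        results[service] = (status, addresses)
    return results


if __name__ == "__main__":
    report = check_endpoints(ENDPOINTS, VNET_CIDR)
    for service, (status, addresses) in report.items():
        print(f"{service:18} {status:10} {', '.join(addresses) or '-'}")
```

Run it from a host inside the VNet, such as the App Service console. A "private" result shows the Private DNS Zone is linked and answering; it does not by itself prove that public network access is disabled on the resource.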
Supporting documentation
- Azure Private Link overview
- Private endpoints
- VNet integration for App Service
- Azure Private DNS Zones
- Network security for AI Services
Next steps
You have completed the tutorial series. Review the Architecture reference for a full diagram of every component.