
I developed a chat bot using Microsoft Bot Framework, and my client wants to keep all services inside a VNet, but we are not able to access Cognitive Services after assigning them inside the VNet.

Can someone help me here to achieve it and make my client happy?

Thanks,

Upendra
  • What's the error? Code? Anything you've tried? We need more information about what's happening – Mohamad Mousheimish Feb 05 '21 at 08:07
  • Hi @MohamadMousheimish, thanks for replying. The error I am getting is IP blocking; there is no error code. Yes, I tried multiple options; one of them is the URL mentioned below. https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks?tabs=portal – Upendra Feb 05 '21 at 13:45

2 Answers


I am not familiar with cognitive services. If you have configured Azure Cognitive Services virtual networks, this blocks incoming requests for data by default.

In order to allow requests through, one of the following conditions needs to be met:

  • The request should originate from a service operating within an Azure Virtual Network (VNet) on the allowed subnet list of the target Cognitive Services account. The endpoint in requests originated from VNet needs to be set as the custom subdomain of your Cognitive Services account.
  • Or the request should originate from an allowed list of IP addresses.

In this case, you need to place your clients in the allowed VNet or add the clients' internet-facing IP addresses to the firewall of Cognitive Services.

Nancy
  • Hi @Nancy Xiong, I followed the same documents, but the cognitive service is not responding from the VNet; it is blocking the request – Upendra Feb 05 '21 at 13:43
  • Hi, have you added your client IP to the firewall of your Cognitive Services? You can find it with the website https://www.whatsmyip.org/ on the client. – Nancy Feb 08 '21 at 02:38
  • Yes, I did, and I also added an NSG with inbound and outbound rules, but I am still getting a 403 Forbidden error when accessing LUIS and the Bot Web App service in the VNet – Upendra Feb 08 '21 at 09:42
  • Where is your client? Why do you add an NSG? Do you configure your app service with VNet integration like [this](https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#enable-vnet-integration)? Could you describe the workflow process from your client to your server? – Nancy Feb 08 '21 at 09:55
  • Yes, that is the same thing we need to implement, and we also followed the same document; the only thing is that we get a forbidden error while accessing Cognitive Services from the VM. We have created one VNet and assigned all services inside the same VNet, plus one virtual machine. The client IP is added in the cognitive services, i.e. LUIS and QnA Maker. Also, as suggested by the MS Cognitive and Bot team, we have added an NSG (inbound and outbound rules), but it is not working and we are getting a 403 Forbidden error. I hope you can help me here. – Upendra Feb 09 '21 at 07:17
  • If the error occurs while accessing Cognitive Services from the VM, have you added the subnet where the VM is located to the Cognitive Services virtual networks? What's the configuration of the NSG rules? – Nancy Feb 09 '21 at 08:00
  • Yes, I have added the subnet, and below are the inbound rules which I used for cognitive services. If you're using LUIS, the CognitiveServicesManagement tag only enables you to use the service using the SDK or REST API. To access and use the LUIS portal from a virtual network, you will need to use the following tags: AzureActiveDirectory, AzureFrontDoor.Frontend, AzureResourceManager, CognitiveServicesManagement – Upendra Feb 09 '21 at 08:33
  • and outbound for the bot service from the URL below: https://learn.microsoft.com/en-us/azure/bot-service/bot-service-channel-directline-extension-vnet?view=azure-bot-service-4.0#configure-the-vnet-network-security-groups-nsg – Upendra Feb 09 '21 at 08:33
  • Do you have app services hosted in an ASE? I guess the traffic flow is like Azure VM in subnet1 ---> app service ---> integrated subnet2 ---> Cognitive Services, am I right? If you don't configure the firewall in Cognitive Services (allow from any network), can you access Cognitive Services from your Azure VM? – Nancy Feb 09 '21 at 08:43
  • ASE --> No. The traffic flow is the same as you defined. Yes, if I disable it from the VNet, it is accessible from the VM. – Upendra Feb 09 '21 at 10:44
  • Did you add the app setting `WEBSITE_VNET_ROUTE_ALL` with the value `1` on the app service side? Have you added the app's integrated subnet to the allowed VNet of Cognitive Services? From the document: "The endpoint in requests originated from VNet needs to be set as the custom subdomain of your Cognitive Services account." What endpoint do you request from your client? Have you tried the [troubleshooting methods](https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#troubleshooting)? Are the app service and Cognitive Services in the same region? – Nancy Feb 10 '21 at 04:37
  • Thanks @Nancy for helping me. The issue we are facing is related to the custom endpoint: we need to write a new property, customEndpoint, in the configuration. All the rest of your suggestions are good and helpful – Upendra Feb 10 '21 at 13:34

I have faced the same issue and was able to resolve it. You can add the customendpoint setting in the cognitivemodel.json file.

    "languageModels": [
        {
            "id": "",
            "appid": "",
            "customendpoint": "",
            "region": ""
        }
    ]

In customendpoint you can use your LUIS endpoint URL:
https://"luis-service-name".cognitiveservices.azure.com

Follow this document for more info: https://github.com/microsoft/botbuilder-dotnet/pull/3754/files

zhisme
Gary
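
The custom-endpoint fix from this thread can be checked before deployment. The following is an added example, not code from the answers or from Bot Framework: a Python lint that walks a cognitivemodel.json-style document and flags any `languageModels` entry whose `customendpoint` is missing or is not an HTTPS `<name>.cognitiveservices.azure.com` host. The sample document, its ids and the `my-luis` name are constructed, and matching keys case-insensitively is an assumption made because the thread spells the property both `customendpoint` and `customEndpoint`.

```python
import json
from urllib.parse import urlparse

SUFFIX = ".cognitiveservices.azure.com"  # custom-subdomain form from the answer

# Constructed sample (names and placeholder ids are made up): "Dispatch" has no
# custom endpoint and "Skill" points at a regional host, not a custom subdomain.
SAMPLE = """{"languageModels": [
  {"id": "General", "appid": "<app-id>", "region": "westus",
   "customendpoint": "https://my-luis.cognitiveservices.azure.com"},
  {"id": "Dispatch", "appid": "<app-id>", "region": "westus"},
  {"id": "Skill", "appid": "<app-id>", "region": "westus",
   "customendpoint": "https://westus.api.cognitive.microsoft.com"}
]}"""

def find_models(node):
    """Yield every entry of any "languageModels" list, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "languagemodels" and isinstance(value, list):
                yield from (m for m in value if isinstance(m, dict))
            else:
                yield from find_models(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_models(item)

def check_model(model):
    """Return a problem description, or None when the endpoint looks right."""
    fields = {k.lower(): v for k, v in model.items()}  # key case is an assumption
    url = urlparse(fields.get("customendpoint") or "")
    host = (url.hostname or "").lower()
    if not host:
        return "customendpoint missing or not a URL"
    if url.scheme != "https":
        return "endpoint is not https"
    # Exact suffix match on the parsed host rejects look-alike domains.
    label = host[:-len(SUFFIX)] if host.endswith(SUFFIX) else ""
    if not label or "." in label:
        return "host is not <name>" + SUFFIX
    return None

def lint(text):
    """Map model id -> problem for every entry that fails the check."""
    found = ((m.get("id", "?"), check_model(m)) for m in find_models(json.loads(text)))
    return {model_id: problem for model_id, problem in found if problem}

if __name__ == "__main__":
    for model_id, problem in lint(SAMPLE).items():
        print(f"{model_id}: {problem}")
```
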