Recommended settings for network isolation

Follow the steps below to restrict public access to QnA Maker resources. Protect a Cognitive Services resource from public access by configuring the virtual network.

Restrict access to App Service (QnA runtime)

You can use the service tag CognitiveServicesManagement to restrict inbound access in the inbound rules of the App Service or ASE (App Service Environment) network security group. For more information about service tags, see the virtual network service tags article.

Regular App Service

  1. Open the Cloud Shell (PowerShell) from the Azure portal.
  2. Run the following command in the PowerShell window at the bottom of the page:
     Add-AzWebAppAccessRestrictionRule -ResourceGroupName "<resource group name>" -WebAppName "<app service name>" -Name "cognitive services Tag" -Priority 100 -Action Allow -ServiceTag "CognitiveServicesManagement"
  3. Verify the added access rule is present in the Access Restrictions section of the Networking tab.

  4. To access the Test pane on the https://qnamaker.ai portal, add the Public IP address of the machine from where you want to access the portal. From the Access Restrictions page select Add Rule, and allow access to your client IP.
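
Steps 2 to 4 as a single Cloud Shell script that also reads the rules back and checks them. This is an added example, not part of the original article. The rule name "portal test client", its priority 110 and the `<client public IP>` placeholder are assumptions.

```powershell
# Added example. Replace the angle-bracket placeholders before running.
$rg       = "<resource group name>"
$app      = "<app service name>"
$clientIp = "<client public IP>/32"   # placeholder; a single address in CIDR form

# Step 2: allow the QnA Maker authoring backend through its service tag.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
    -Name "cognitive services Tag" -Priority 100 -Action Allow `
    -ServiceTag "CognitiveServicesManagement"

# Step 4: allow the machine that will use the portal Test pane.
# Rule name and priority are assumptions chosen for this example.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
    -Name "portal test client" -Priority 110 -Action Allow -IpAddress $clientIp

# Step 3: read the main-site rules back instead of relying on the portal view.
$config = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app
$rules  = $config.MainSiteAccessRestrictions | Sort-Object Priority
$rules | Format-Table RuleName, Priority, Action, IpAddress -AutoSize

# Fail loudly if the service tag rule is missing or is not an Allow rule.
$tagRule = $rules | Where-Object {
    $_.RuleName -eq "cognitive services Tag" -and $_.Action -eq "Allow"
}
if (-not $tagRule) {
    throw "Service tag rule 'cognitive services Tag' was not found on $app."
}

# Any other Allow rule (for example a leftover allow-all entry) widens access
# beyond what the steps above intend, so list it for review.
$expected   = @("cognitive services Tag", "portal test client")
$unexpected = $rules | Where-Object {
    $_.Action -eq "Allow" -and $_.RuleName -notin $expected
}
if ($unexpected) {
    Write-Warning ("Unexpected Allow rules: " + ($unexpected.RuleName -join ", "))
}
```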

Configure App Service Environment to host QnA Maker App Service

The App Service Environment (ASE) can be used to host the QnA Maker App Service instance. Follow the steps below:

  1. Create a new Azure Cognitive Search Resource.

  2. Create an external ASE with App Service.

    • Follow this App Service quickstart for instructions. This process can take up to 1-2 hours.
    • Finally, you will have an App Service endpoint that will appear similar to: https://<app service name>.<ASE name>.p.azurewebsite.net.
    • Example: https://mywebsite.myase.p.azurewebsite.net
  3. Add the following App service configurations:

    Name                        Value
    PrimaryEndpointKey          <app service name>-PrimaryEndpointKey
    AzureSearchName             <Azure Cognitive Search Resource Name from step #1>
    AzureSearchAdminKey         <Azure Cognitive Search Resource admin Key from step #1>
    QNAMAKER_EXTENSION_VERSION  latest
    DefaultAnswer               no answer found
  4. Add CORS origin "*" on the App Service to allow access to https://qnamaker.ai portal Test pane. CORS is located under the API header in the App Service pane.

  5. Create a QnA Maker Cognitive Services instance (Microsoft.CognitiveServices/accounts) using Azure Resource Manager. The QnA Maker endpoint should be set to the App Service Endpoint created above (https://mywebsite.myase.p.azurewebsite.net). Here is a sample Azure Resource Manager template you can use for reference.

Can QnA Maker be deployed to an internal ASE?

The main reason for using an external ASE is so the QnA Maker service backend (authoring APIs) can reach the App Service via the Internet. However, you can still protect it by adding an inbound access restriction that allows only connections from addresses associated with the CognitiveServicesManagement service tag.

If you still want to use an internal ASE, you need to expose that specific QnA Maker app in the ASE on a public domain via the app gateway, with DNS and a TLS/SSL certificate. For more information, see this article on Enterprise deployment of App Services.

Restrict access to Cognitive Search resource

The Cognitive Search instance can be isolated via a private endpoint after the QnA Maker resources have been created. Use the following steps to lock down access:

  1. Create a new virtual network (VNet) or use the existing VNet of the ASE (App Service Environment).

  2. Open the VNet resource, then under the Subnets tab create two subnets: one for the App Service (appservicesubnet) and another (searchservicesubnet) for the Cognitive Search resource without delegation.

  3. In the Networking tab of the Cognitive Search service instance, switch the endpoint connectivity from public to private. This is a long-running operation and can take up to 30 minutes to complete.

  4. Once the Search resource is switched to private, select add private endpoint.

    • Basics tab: make sure you are creating your endpoint in the same region as the search resource.
    • Resource tab: select the required search resource of type Microsoft.Search/searchServices.
    • Configuration tab: use the VNet and subnet (searchservicesubnet) created in step 2. After that, in the Private DNS integration section, select the corresponding subscription and create a new private DNS zone called privatelink.search.windows.net.
  5. Enable VNet integration for the regular App Service. You can skip this step for ASE, as that already has access to the VNet.

    • Go to the App Service Networking section, and open VNet Integration.
    • Link to the dedicated App Service VNet and subnet (appservicevnet) created in step 2.