Azure AI Search
An Azure search service with built-in artificial intelligence capabilities that enrich information to help identify and explore relevant content at scale.
cannot access azure ai search after putting it in a private endpoint
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 20%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM7%3C/text%3E%3C/svg%3E)
MarwanSamrout-7915
65
Reputation points
after putting azure ai search in a private endpoint and disabling the public address , my azure app service cannot access ai search anymore , i have azure ai search and app service in the same vnet but different subnets , this is what im getting when calling azure ai search from the app service
"Request is denied as the source is not allowed by applicable rules. The service is set 'publicNetworkAccess: Disabled'. Please review all service's network security settings to ensure the client is allowed."
what can be the issue ?
also this ai search service is related to azure custom qna , do i need to to put it in the same vnet or this option is enough "allow azure services on the trusted services list to access this search service " ?
Azure AI Search
{count} votes
-
Jerald Felix 10,390 Reputation points2026-01-26T08:48:03.9333333+00:00 Hello MarwanSamrout-7915,
Thanks for raising this question in Q&A forum.
Classic private endpoint issue - 3 fixes needed when
publicNetworkAccess: Disabled:- App Service VNet Integration
text App Service → Networking → VNet integration → Add: - VNet: Same as AI Search PE - Subnet: App Service subnet (delegated) - Route All: EnabledVerify: SSH →
nslookup yoursearch.search.windows.net→ Private IP- Private DNS Zone
text Private DNS Zones → + Create: - Name: `privatelink.search.windows.net` - Link to VNet (both App Service + AI Search subnets)A/CNAME record auto-created by PE
- AI Search Networking
text AI Search → Networking: - ✅ Allow trusted Microsoft services (for Custom QnA) - ❌ Public network: Disabled (correct)NSG Check (App Service subnet):
text Allow outbound: Port 443 → search.windows.net (Service Tag)Test: App Service → Kudu/SSH →
curl https://yoursearch.search.windows.net→ Works.Custom QnA: Trusted services = enough (no VNet needed for QnA service itself).
Most likely: Missing VNet integration or DNS zone. Add both → Works in 10 mins. If it helps kindly accept the answer.
Cheers,
Jerald Felix
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 85%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGV%3C/text%3E%3C/svg%3E)
Golla Venkata Pavani 1,415 Reputation points Microsoft External Staff Moderator2026-01-26T09:28:36.04+00:00 Hi @MarwanSamrout-7915,
Thank you for reaching us regarding the issue of accessing Azure AI Search after configuring it with a private endpoint and disabling public access.
When publicNetworkAccess is Disabled, Azure AI Search rejects all traffic sent to its public endpoint, including traffic originating from Azure services.
In this scenario, one or more of the following is true:
- The App Service is not properly VNet‑integrated
- App Service does not live inside the VNet by default.
- Without Regional VNet Integration, outbound traffic goes over the public internet.
- Private DNS is missing or not linked
- Azure AI Search private endpoints require private DNS resolution.
- The service FQDN
https://<search-name>.search.windows.netmust resolve to a private IP, not a Microsoft public IP. - Without correct DNS, the App Service unknowingly calls the public endpoint → request is denied.
- “Allow trusted Azure services” does not apply
- This setting only works when public network access is enabled.
- When
publicNetworkAccess = Disabled, only private endpoint traffic is allowed. - App Service is not exempt.
Recommended actions:
- Create a private endpoint for Azure AI Search.
- Create Private DNS Zone : privatelink.search.windows.net
- DNS zone linked to the same VNet used by the App Service
- DNS record for the search service resolves to a private IP.
- App Service
- Regional VNet Integration enabled.
- Integrated with a subnet in the same VNet as the private endpoint.
- Subnet is delegated to
Microsoft.Web/serverFarms
- Networking
- NSGs allow outbound traffic to the private endpoint subnet
- No UDR forces traffic to the internet or firewall without private routing
Reference:
https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint
https://learn.microsoft.com/en-us/azure/search/service-configure-firewall
https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-vnet-integration-apps
Kindly let us know if the above helps or you need further assistance on this issue.Please "upvote" if the information helped you. This will help us and others in the community as well.
- The App Service is not properly VNet‑integrated
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 51%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Aditya N 1,950 Reputation points Microsoft External Staff Moderator2026-01-26T11:25:22.0233333+00:00 Hello @MarwanSamrout-7915
Thank you for reaching out Microsoft Q&A. Please could you let us know from where you're trying to access Azure AI search.
-
MarwanSamrout-7915 65 Reputation points
2026-01-26T11:26:51.1866667+00:00 im trying to access it from azure app service using ai search rest api
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 4%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Sina Salam 27,706 Reputation points Volunteer Moderator2026-01-27T15:32:16.8733333+00:00 Hello MarwanSamrout-7915,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you cannot access azure ai search after putting it in a private endpoint.
Since @Jerald Felix checklist is largely answering the issue and maps to Azure’s documented best practices conditionally. For more unresolved issues, follow the steps below:
- Ensure Private Endpoint on AI Search is “Approved” and note its private IP. - https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint
- Make sure from App Service > VNet Integration
- Integrate with the same VNet (different, dedicated subnet).
- Route all outbound (Application routing; optionally
outboundVnetRouting.allTrafficfor full coverage, or legacyWEBSITE_VNET_ROUTE_ALL=1) - https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-routing and https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/app-service/configure-vnet-integration-routing.md gives you more insight.
- On private DNS:
- Create
privatelink.search.windows.net. - Link it to the App Service VNet.
- Verify the A‑record for your Search service exists and points to the PE private IP. -https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
- In your AI Search > Networking, ensure Public network access = Disabled. Enable Trusted Services (needed for Azure OpenAI/Custom ). - https://learn.microsoft.com/en-us/azure/search/service-configure-firewall and https://stackoverflow.com/questions/77861840/how-do-i-make-a-secure-connection-from-azure-openai-to-an-azure-search-instance gives more insight.
- Also, validate from Kudu
- Linux:
nslookup <name>.search.windows.net→ private IP +privatelinkalias. - Windows:
nameresolver.exe <name>.search.windows.netandtcpping.exe <name>.search.windows.net 443. - If not private, fix Step 3; if TCP fails, review NSG/UDR/firewall on the App Service integration subnet. - https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-vnet-integration-apps - and - https://blog.zuehlke.cloud/2022/10/app-services-with-private-endpoint-and-outbound-routing/ is more detailed.
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
-
Golla Venkata Pavani 1,415 Reputation points Microsoft External Staff Moderator
2026-01-28T12:30:09.7966667+00:00 Hi @MarwanSamrout-7915,
I'm just reaching out to see if your issue has been resolved or if you've had a chance to review my previous comment?
-
MarwanSamrout-7915 65 Reputation points
2026-02-04T07:21:44.8066667+00:00 i still get this "Request is denied as the source is not allowed by applicable rules. The service is set 'publicNetworkAccess: Disabled'. Please review all service's network security settings to ensure the client is allowed." in the app service , in terminal when i run nslookup i get the private ip address 10.x.x.x
but i think it's wrong because the dns ip address for azure ai search is different than the one is returning from the nslookup command.note : i have custom dns in my VNET
-
Golla Venkata Pavani 1,415 Reputation points Microsoft External Staff Moderator
2026-02-04T20:23:22.6166667+00:00 Hi @MarwanSamrout-7915,
Thanks for the update and details that's really useful.
The fact that nslookup in the terminal is returning a private IP (10.x.x.x) is a good sign, but since you mentioned it's different from what you expect and the error still points to the public endpoint being blocked ("publicNetworkAccess: Disabled"), it tells us the App Service runtime is likely resolving <your-search-name>.search.windows.net to the public IP (or an incorrect private one) at runtime.
This is a classic symptom with custom DNS on the VNet: the App Service uses your VNet's DNS servers for name resolution after Regional VNet Integration, so it doesn't automatically pick up the linked private DNS zone override. nslookup in Kudu can sometimes behave differently from the actual app resolver (especially on Windows plans), which is why we're seeing the mismatch.
The "Allow trusted Azure services" option won't help here either, when publicNetworkAccess is fully Disabled, only private endpoint traffic is allowed, full stop.
Resolution Path:
The key is to make sure your custom DNS servers forward queries for the public zone to Azure DNS so it can apply the private override.
- Confirm the target private IP In the portal: Private Link center > Private endpoints > your AI Search endpoint > Network interface (NIC) > IP configurations. Copy the private IP, this is what we want resolution to return.
- Check the private DNS zone Private DNS zones > privatelink.search.windows.net (ensure it's linked to your VNet). Verify the A record for your search service name points to the IP from step 1.
- Test resolution the way your app sees it (critical step)
App Service > Development Tools > Advanced Tools > Go (Kudu). Open Debug console > CMD (Windows) or Bash (Linux).- Windows: nameresolver.exe <your-search-name>.search.windows.net
- Linux: nslookup <your-search-name>.search.windows.net or just curl -v https://<your-search-name>.search.windows.net (look at the IP in the output).
If it returns a public IP (or wrong private IP) > DNS forwarding is the culprit.
- Set up conditional forwarding on your custom DNS servers Add a conditional forwarder:
- Forward zone: search.windows.net
- Forwarder IP: 168.63.129.16 (Azure DNS)
This sends queries for search.windows.net to Azure DNS, which sees the query from your VNet and returns the private IP via the linked privatelink zone. After the change, flush DNS on your servers (ipconfig /flushdns or equivalent), then re-test in Kudu.
5. Other things to double-check
- Private endpoint connection state is "Approved".
- NSGs on both subnets allow outbound TCP 443 to the private endpoint IP/subnet.
- No user-defined routes (UDRs) forcing traffic elsewhere.
Once nameresolver (or equivalent) returns the correct private IP, restart your app or wait a few minutes for any caching, and the requests should succeed privately.
References that cover this:
- Create a private endpoint for Azure AI Search (DNS setup): https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint
- Private endpoint DNS zone values (privatelink.search.windows.net): https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
- DNS integration scenarios & forwarding: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration
- App Service VNet integration (DNS behavior): https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
- VNet integration troubleshooting (includes nameresolver): https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-vnet-integration-apps
Kindly let us know if the above helps or you need further assistance on this issue.
Please "upvote" if the information helped you. This will help us and others in the community as well.
Sign in to comment
Sign in to answer