Source from repo

Microsoft Foundry Skill

Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.6 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/end-to-end-test.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown118 linesFree

resource/private-network/references/end-to-end-test.md

1# End-to-End Test (VNet Access Required)
2 
3Continues from [post-deployment-validation.md](post-deployment-validation.md). Steps 1–3 there must be complete first.
4 
5## 4. VNet Access Setup
6 
7> ⚠️ The remaining tests require connectivity to the VNet.
8 
9Use `AskUserQuestion`: **"Steps 1-3 are done. The remaining tests need VNet access. How do you want to proceed?"**
10Options:
11- `I have a Bastion VM / jump box`
12- `Set up a point-to-site VPN for me` — read [vpn-dns-setup.md](vpn-dns-setup.md)
13- `I have VPN / ExpressRoute already`
14- `Skip testing for now`
15 
16**Bastion VM:** User has direct access to all private endpoints from the VM. Setup is complete — do NOT proceed to Step 5.
17 
18---
19 
20## 5. End-to-End Test (VPN users only)
21 
22Three phases:
231. **Network** — DNS resolution + port 443 reachability
242. **Agent Lifecycle** — Create agent, thread, run, verify, cleanup
253. **Isolation Proof** — Repeat with VPN off — expect 403
26 
27> ⚠️ Chromium browsers may bypass VPN DNS via Secure DNS (DoH). If portal shows "Error loading agents" but CLI works, disable Secure DNS.
28 
29### Requirements
30 
31```bash
32pip install azure-ai-projects azure-identity azure-ai-agents
33```
34 
35### Phase 1: Network Validation
36 
37Resolve DNS and test port 443 for all private endpoints. Substitute actual resource names from the deployment.
38 
39PowerShell:
40 
41```powershell
42$endpoints = @(
43  '<ai-account>.services.ai.azure.com',
44  '<ai-account>.openai.azure.com',
45  '<ai-account>.cognitiveservices.azure.com',
46  '<cosmos-account>.documents.azure.com',
47  '<storage-account>.blob.core.windows.net',
48  '<search-service>.search.windows.net'
49)
50foreach ($h in $endpoints) {
51  $ip = (Resolve-DnsName $h | Where-Object {$_.IPAddress}).IPAddress
52  $reach = Test-NetConnection $h -Port 443 -WarningAction SilentlyContinue
53  Write-Host "$h -> $ip (reachable: $($reach.TcpTestSucceeded))"
54}
55```
56 
57Bash:
58 
59```bash
60endpoints=(
61  '<ai-account>.services.ai.azure.com'
62  '<ai-account>.openai.azure.com'
63  '<ai-account>.cognitiveservices.azure.com'
64  '<cosmos-account>.documents.azure.com'
65  '<storage-account>.blob.core.windows.net'
66  '<search-service>.search.windows.net'
67)
68for h in "${endpoints[@]}"; do
69  ip=$(dig +short "$h" | tail -n1)
70  nc -z -w 3 "$h" 443 >/dev/null 2>&1 && reach=yes || reach=no
71  echo "$h -> $ip (reachable: $reach)"
72done
73```
74 
75All should resolve to private IPs and be reachable.
76 
77Report results to the user (✅/❌ per endpoint) before proceeding to Phase 2.
78 
79### Phase 2: Agent Lifecycle Test
80 
81Create agent, thread, send message, verify response, cleanup. This exercises all 4 PEs (AI Services, Cosmos DB, Storage, AI Search).
82 
83```python
84from azure.identity import DefaultAzureCredential
85from azure.ai.projects import AIProjectClient
86 
87endpoint = "https://<ai-account>.services.ai.azure.com/api/projects/<project-name>"
88client = AIProjectClient(endpoint=endpoint, credential=DefaultAzureCredential())
89agents = client.agents
90 
91agent = agents.create_agent(model="<deployment-name>", name="vnet-test", instructions="Reply with 'OK'")
92thread = agents.threads.create()
93agents.messages.create(thread_id=thread.id, role="user", content="test")
94run = agents.runs.create_and_process(thread_id=thread.id, agent_id=agent.id)
95msgs = agents.messages.list(thread_id=thread.id)
96print(f"Response: {msgs.data[0].content[0].text.value}")
97agents.threads.delete(thread.id)
98agents.delete_agent(agent.id)
99```
100 
101Report results to the user (which PEs passed, any failures) before proceeding to Phase 3.
102 
103Ask user to disconnect VPN. Repeat Phase 2 — it should fail with 403. Report whether isolation is confirmed before proceeding to cross-check.
104 
105### Requirements Cross-Check
106 
107After testing, compare each requirement gathered in [intake.md](intake.md) against the deployed state. Flag any mismatches with remediation steps.
108 
109### Cleanup (VPN users only)
110 
111Ask if user wants to delete VPN Gateway (~$140/month) and DNS Resolver (~$180/month), or keep for ongoing access.
112 
113```bash
114az network vnet-gateway delete --resource-group <rg> --name vpn-gateway-<suffix> --no-wait
115az network dns-resolver delete --resource-group <rg> --name dns-resolver-<suffix> --yes
116az network public-ip delete --resource-group <rg> --name vpn-gateway-pip-<suffix>
117```
118

Loading source

Preparing the source view

Pulling the file list, source metadata, and syntax-aware rendering for this listing.

Marketplace

Source from repo

Microsoft Foundry Skill

Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.6 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/end-to-end-test.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown118 linesFree

resource/private-network/references/end-to-end-test.md

1# End-to-End Test (VNet Access Required)
2 
3Continues from [post-deployment-validation.md](post-deployment-validation.md). Steps 1–3 there must be complete first.
4 
5## 4. VNet Access Setup
6 
7> ⚠️ The remaining tests require connectivity to the VNet.
8 
9Use `AskUserQuestion`: **"Steps 1-3 are done. The remaining tests need VNet access. How do you want to proceed?"**
10Options:
11- `I have a Bastion VM / jump box`
12- `Set up a point-to-site VPN for me` — read [vpn-dns-setup.md](vpn-dns-setup.md)
13- `I have VPN / ExpressRoute already`
14- `Skip testing for now`
15 
16**Bastion VM:** User has direct access to all private endpoints from the VM. Setup is complete — do NOT proceed to Step 5.
17 
18---
19 
20## 5. End-to-End Test (VPN users only)
21 
22Three phases:
231. **Network** — DNS resolution + port 443 reachability
242. **Agent Lifecycle** — Create agent, thread, run, verify, cleanup
253. **Isolation Proof** — Repeat with VPN off — expect 403
26 
27> ⚠️ Chromium browsers may bypass VPN DNS via Secure DNS (DoH). If portal shows "Error loading agents" but CLI works, disable Secure DNS.
28 
29### Requirements
30 
31```bash
32pip install azure-ai-projects azure-identity azure-ai-agents
33```
34 
35### Phase 1: Network Validation
36 
37Resolve DNS and test port 443 for all private endpoints. Substitute actual resource names from the deployment.
38 
39PowerShell:
40 
41```powershell
42$endpoints = @(
43  '<ai-account>.services.ai.azure.com',
44  '<ai-account>.openai.azure.com',
45  '<ai-account>.cognitiveservices.azure.com',
46  '<cosmos-account>.documents.azure.com',
47  '<storage-account>.blob.core.windows.net',
48  '<search-service>.search.windows.net'
49)
50foreach ($h in $endpoints) {
51  $ip = (Resolve-DnsName $h | Where-Object {$_.IPAddress}).IPAddress
52  $reach = Test-NetConnection $h -Port 443 -WarningAction SilentlyContinue
53  Write-Host "$h -> $ip (reachable: $($reach.TcpTestSucceeded))"
54}
55```
56 
57Bash:
58 
59```bash
60endpoints=(
61  '<ai-account>.services.ai.azure.com'
62  '<ai-account>.openai.azure.com'
63  '<ai-account>.cognitiveservices.azure.com'
64  '<cosmos-account>.documents.azure.com'
65  '<storage-account>.blob.core.windows.net'
66  '<search-service>.search.windows.net'
67)
68for h in "${endpoints[@]}"; do
69  ip=$(dig +short "$h" | tail -n1)
70  nc -z -w 3 "$h" 443 >/dev/null 2>&1 && reach=yes || reach=no
71  echo "$h -> $ip (reachable: $reach)"
72done
73```
74 
75All should resolve to private IPs and be reachable.
76 
77Report results to the user (✅/❌ per endpoint) before proceeding to Phase 2.
78 
79### Phase 2: Agent Lifecycle Test
80 
81Create agent, thread, send message, verify response, cleanup. This exercises all 4 PEs (AI Services, Cosmos DB, Storage, AI Search).
82 
83```python
84from azure.identity import DefaultAzureCredential
85from azure.ai.projects import AIProjectClient
86 
87endpoint = "https://<ai-account>.services.ai.azure.com/api/projects/<project-name>"
88client = AIProjectClient(endpoint=endpoint, credential=DefaultAzureCredential())
89agents = client.agents
90 
91agent = agents.create_agent(model="<deployment-name>", name="vnet-test", instructions="Reply with 'OK'")
92thread = agents.threads.create()
93agents.messages.create(thread_id=thread.id, role="user", content="test")
94run = agents.runs.create_and_process(thread_id=thread.id, agent_id=agent.id)
95msgs = agents.messages.list(thread_id=thread.id)
96print(f"Response: {msgs.data[0].content[0].text.value}")
97agents.threads.delete(thread.id)
98agents.delete_agent(agent.id)
99```
100 
101Report results to the user (which PEs passed, any failures) before proceeding to Phase 3.
102 
103Ask user to disconnect VPN. Repeat Phase 2 — it should fail with 403. Report whether isolation is confirmed before proceeding to cross-check.
104 
105### Requirements Cross-Check
106 
107After testing, compare each requirement gathered in [intake.md](intake.md) against the deployed state. Flag any mismatches with remediation steps.
108 
109### Cleanup (VPN users only)
110 
111Ask if user wants to delete VPN Gateway (~$140/month) and DNS Resolver (~$180/month), or keep for ongoing access.
112 
113```bash
114az network vnet-gateway delete --resource-group <rg> --name vpn-gateway-<suffix> --no-wait
115az network dns-resolver delete --resource-group <rg> --name dns-resolver-<suffix> --yes
116az network public-ip delete --resource-group <rg> --name vpn-gateway-pip-<suffix>
117```
118