Source from repo

Microsoft Foundry Skill

Build and deploy AI applications on Azure AI Foundry using Microsoft's model catalog and AI services

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.7 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/end-to-end-test.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown118 linesFree

resource/private-network/references/end-to-end-test.md

1# End-to-End Test (VNet Access Required)
2 
3Continues from [post-deployment-validation.md](post-deployment-validation.md). Steps 1–3 there must be complete first.
4 
5## 4. VNet Access Setup
6 
7> ⚠️ The remaining tests require connectivity to the VNet.
8 
9Use `AskUserQuestion`: **"Steps 1-3 are done. The remaining tests need VNet access. How do you want to proceed?"**
10Options:
11- `I have a Bastion VM / jump box`
12- `Set up a point-to-site VPN for me` — read [vpn-dns-setup.md](vpn-dns-setup.md)
13- `I have VPN / ExpressRoute already`
14- `Skip testing for now`
15 
16**Bastion VM:** User has direct access to all private endpoints from the VM. Setup is complete — do NOT proceed to Step 5.
17 
18---
19 
20## 5. End-to-End Test (VPN users only)
21 
22Three phases:
231. **Network** — DNS resolution + port 443 reachability
242. **Agent Lifecycle** — Create agent, thread, run, verify, cleanup
253. **Isolation Proof** — Repeat with VPN off — expect 403
26 
27> ⚠️ Chromium browsers may bypass VPN DNS via Secure DNS (DoH). If portal shows "Error loading agents" but CLI works, disable Secure DNS.
28 
29### Requirements
30 
31```bash
32pip install azure-ai-projects azure-identity azure-ai-agents
33```
34 
35### Phase 1: Network Validation
36 
37Resolve DNS and test port 443 for all private endpoints. Substitute actual resource names from the deployment.
38 
39PowerShell:
40 
41```powershell
42$endpoints = @(
43  '<ai-account>.services.ai.azure.com',
44  '<ai-account>.openai.azure.com',
45  '<ai-account>.cognitiveservices.azure.com',
46  '<cosmos-account>.documents.azure.com',
47  '<storage-account>.blob.core.windows.net',
48  '<search-service>.search.windows.net'
49)
50foreach ($h in $endpoints) {
51  $ip = (Resolve-DnsName $h | Where-Object {$_.IPAddress}).IPAddress
52  $reach = Test-NetConnection $h -Port 443 -WarningAction SilentlyContinue
53  Write-Host "$h -> $ip (reachable: $($reach.TcpTestSucceeded))"
54}
55```
56 
57Bash:
58 
59```bash
60endpoints=(
61  '<ai-account>.services.ai.azure.com'
62  '<ai-account>.openai.azure.com'
63  '<ai-account>.cognitiveservices.azure.com'
64  '<cosmos-account>.documents.azure.com'
65  '<storage-account>.blob.core.windows.net'
66  '<search-service>.search.windows.net'
67)
68for h in "${endpoints[@]}"; do
69  ip=$(dig +short "$h" | tail -n1)
70  nc -z -w 3 "$h" 443 >/dev/null 2>&1 && reach=yes || reach=no
71  echo "$h -> $ip (reachable: $reach)"
72done
73```
74 
75All should resolve to private IPs and be reachable.
76 
77Report results to the user (✅/❌ per endpoint) before proceeding to Phase 2.
78 
79### Phase 2: Agent Lifecycle Test
80 
81Create agent, thread, send message, verify response, cleanup. This exercises all 4 PEs (AI Services, Cosmos DB, Storage, AI Search).
82 
83```python
84from azure.identity import DefaultAzureCredential
85from azure.ai.projects import AIProjectClient
86 
87endpoint = "https://<ai-account>.services.ai.azure.com/api/projects/<project-name>"
88client = AIProjectClient(endpoint=endpoint, credential=DefaultAzureCredential())
89agents = client.agents
90 
91agent = agents.create_agent(model="<deployment-name>", name="vnet-test", instructions="Reply with 'OK'")
92thread = agents.threads.create()
93agents.messages.create(thread_id=thread.id, role="user", content="test")
94run = agents.runs.create_and_process(thread_id=thread.id, agent_id=agent.id)
95msgs = agents.messages.list(thread_id=thread.id)
96print(f"Response: {msgs.data[0].content[0].text.value}")
97agents.threads.delete(thread.id)
98agents.delete_agent(agent.id)
99```
100 
101Report results to the user (which PEs passed, any failures) before proceeding to Phase 3.
102 
103Ask user to disconnect VPN. Repeat Phase 2 — it should fail with 403. Report whether isolation is confirmed before proceeding to cross-check.
104 
105### Requirements Cross-Check
106 
107After testing, compare each requirement gathered in [intake.md](intake.md) against the deployed state. Flag any mismatches with remediation steps.
108 
109### Cleanup (VPN users only)
110 
111Ask if user wants to delete VPN Gateway (~$140/month) and DNS Resolver (~$180/month), or keep for ongoing access.
112 
113```bash
114az network vnet-gateway delete --resource-group <rg> --name vpn-gateway-<suffix> --no-wait
115az network dns-resolver delete --resource-group <rg> --name dns-resolver-<suffix> --yes
116az network public-ip delete --resource-group <rg> --name vpn-gateway-pip-<suffix>
117```
118

Loading source

Preparing the source view

Pulling the file list, source metadata, and syntax-aware rendering for this listing.

Marketplace

Source from repo

Microsoft Foundry Skill

Build and deploy AI applications on Azure AI Foundry using Microsoft's model catalog and AI services

microsoftGitHub microsoftOfficialSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

546.7 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

resource/private-network/references/end-to-end-test.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown118 linesFree

resource/private-network/references/end-to-end-test.md

1# End-to-End Test (VNet Access Required)
2 
3Continues from [post-deployment-validation.md](post-deployment-validation.md). Steps 1–3 there must be complete first.
4 
5## 4. VNet Access Setup
6 
7> ⚠️ The remaining tests require connectivity to the VNet.
8 
9Use `AskUserQuestion`: **"Steps 1-3 are done. The remaining tests need VNet access. How do you want to proceed?"**
10Options:
11- `I have a Bastion VM / jump box`
12- `Set up a point-to-site VPN for me` — read [vpn-dns-setup.md](vpn-dns-setup.md)
13- `I have VPN / ExpressRoute already`
14- `Skip testing for now`
15 
16**Bastion VM:** User has direct access to all private endpoints from the VM. Setup is complete — do NOT proceed to Step 5.
17 
18---
19 
20## 5. End-to-End Test (VPN users only)
21 
22Three phases:
231. **Network** — DNS resolution + port 443 reachability
242. **Agent Lifecycle** — Create agent, thread, run, verify, cleanup
253. **Isolation Proof** — Repeat with VPN off — expect 403
26 
27> ⚠️ Chromium browsers may bypass VPN DNS via Secure DNS (DoH). If portal shows "Error loading agents" but CLI works, disable Secure DNS.
28 
29### Requirements
30 
31```bash
32pip install azure-ai-projects azure-identity azure-ai-agents
33```
34 
35### Phase 1: Network Validation
36 
37Resolve DNS and test port 443 for all private endpoints. Substitute actual resource names from the deployment.
38 
39PowerShell:
40 
41```powershell
42$endpoints = @(
43  '<ai-account>.services.ai.azure.com',
44  '<ai-account>.openai.azure.com',
45  '<ai-account>.cognitiveservices.azure.com',
46  '<cosmos-account>.documents.azure.com',
47  '<storage-account>.blob.core.windows.net',
48  '<search-service>.search.windows.net'
49)
50foreach ($h in $endpoints) {
51  $ip = (Resolve-DnsName $h | Where-Object {$_.IPAddress}).IPAddress
52  $reach = Test-NetConnection $h -Port 443 -WarningAction SilentlyContinue
53  Write-Host "$h -> $ip (reachable: $($reach.TcpTestSucceeded))"
54}
55```
56 
57Bash:
58 
59```bash
60endpoints=(
61  '<ai-account>.services.ai.azure.com'
62  '<ai-account>.openai.azure.com'
63  '<ai-account>.cognitiveservices.azure.com'
64  '<cosmos-account>.documents.azure.com'
65  '<storage-account>.blob.core.windows.net'
66  '<search-service>.search.windows.net'
67)
68for h in "${endpoints[@]}"; do
69  ip=$(dig +short "$h" | tail -n1)
70  nc -z -w 3 "$h" 443 >/dev/null 2>&1 && reach=yes || reach=no
71  echo "$h -> $ip (reachable: $reach)"
72done
73```
74 
75All should resolve to private IPs and be reachable.
76 
77Report results to the user (✅/❌ per endpoint) before proceeding to Phase 2.
78 
79### Phase 2: Agent Lifecycle Test
80 
81Create agent, thread, send message, verify response, cleanup. This exercises all 4 PEs (AI Services, Cosmos DB, Storage, AI Search).
82 
83```python
84from azure.identity import DefaultAzureCredential
85from azure.ai.projects import AIProjectClient
86 
87endpoint = "https://<ai-account>.services.ai.azure.com/api/projects/<project-name>"
88client = AIProjectClient(endpoint=endpoint, credential=DefaultAzureCredential())
89agents = client.agents
90 
91agent = agents.create_agent(model="<deployment-name>", name="vnet-test", instructions="Reply with 'OK'")
92thread = agents.threads.create()
93agents.messages.create(thread_id=thread.id, role="user", content="test")
94run = agents.runs.create_and_process(thread_id=thread.id, agent_id=agent.id)
95msgs = agents.messages.list(thread_id=thread.id)
96print(f"Response: {msgs.data[0].content[0].text.value}")
97agents.threads.delete(thread.id)
98agents.delete_agent(agent.id)
99```
100 
101Report results to the user (which PEs passed, any failures) before proceeding to Phase 3.
102 
103Ask user to disconnect VPN. Repeat Phase 2 — it should fail with 403. Report whether isolation is confirmed before proceeding to cross-check.
104 
105### Requirements Cross-Check
106 
107After testing, compare each requirement gathered in [intake.md](intake.md) against the deployed state. Flag any mismatches with remediation steps.
108 
109### Cleanup (VPN users only)
110 
111Ask if user wants to delete VPN Gateway (~$140/month) and DNS Resolver (~$180/month), or keep for ongoing access.
112 
113```bash
114az network vnet-gateway delete --resource-group <rg> --name vpn-gateway-<suffix> --no-wait
115az network dns-resolver delete --resource-group <rg> --name dns-resolver-<suffix> --yes
116az network public-ip delete --resource-group <rg> --name vpn-gateway-pip-<suffix>
117```
118