Loading source
Pulling the file list, source metadata, and syntax-aware rendering for this listing.
Source from repo
Build and deploy AI applications on Azure AI Foundry using Microsoft's model catalog and AI services
Files
Skill
Size
Entrypoint
Format
Open file
Syntax-highlighted preview of this file as included in the skill package.
resource/private-network/references/post-deployment-validation.md
1# Post-Deployment Validation2Run after deployment succeeds. Steps 1-3 can run from anywhere (management plane). Steps 4-5 require VNet access.4## 1. Infrastructure Verification6### 1.1 Resource State8Verify all resources are in `Succeeded` state:10```bash12az deployment operation group list \13--resource-group <rg> --name <deployment-name> \14--query "[].{resource:properties.targetResource.resourceType,state:properties.provisioningState}" -o table15```16### 1.2 Private Endpoint Connections18Verify all PE connections are `Approved`:20```bash22az network private-endpoint list \23--resource-group <rg> \24--query "[].{name:name,status:privateLinkServiceConnections[0].privateLinkServiceConnectionState.status,resource:privateLinkServiceConnections[0].groupIds[0]}" -o table25```26### 1.3 Public Network Access Audit28Verify all resources have public access disabled:30```bash32az cognitiveservices account show --name <ai-account> --resource-group <rg> \33--query "properties.publicNetworkAccess" -o tsv34az cosmosdb show --name <cosmos-account> --resource-group <rg> \36--query "publicNetworkAccess" -o tsv37az storage account show --name <storage-account> --resource-group <rg> \39--query "publicNetworkAccess" -o tsv40az search service show --name <search-service> --resource-group <rg> \42--query "publicNetworkAccess" -o tsv43```44All should return `Disabled`.46> **T10 (Private Basic):** Steps 2-5 below do not apply — T10 has no agents, no capability host, and no BYO resources. Setup is complete after Step 1.48## 2. RBAC Role Assignment (no VNet required)50The template does not assign data-plane roles automatically.52Assign `Azure AI Developer` at the **account** scope (management-plane):54```bash56az role assignment create \57--role "Azure AI Developer" \58--assignee <your-object-id-or-email> \59--scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<ai-account-name>60```61Assign `Azure AI User` at the **project** scope (data-plane — required for `agents/read`, `agents/write`):63```bash65az role assignment create \66--role "Azure AI User" \67--assignee <your-object-id-or-email> \68--scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<ai-account-name>/projects/<project-name>69```70> ⚠️ RBAC propagation can take 1–5 minutes.72## 3. Deploy a Model (no VNet required)74```bash76az cognitiveservices account deployment create \77--resource-group <rg> \78--name <ai-account-name> \79--deployment-name <deployment-name> \80--model-name <modelName> \81--model-version <modelVersion> \82--model-format <format> \83--sku-name GlobalStandard \84--sku-capacity 5085```86Fall back to `Standard` SKU if `GlobalStandard` quota is exhausted.88---90## 4. VNet Access & End-to-End Test92For the remaining steps (VNet access setup, DNS resolution, agent lifecycle test, isolation proof, cleanup), read [end-to-end-test.md](end-to-end-test.md).94