Connection Timeout Error in Azure OpenAI Studio without public access on search service

Dennis BC 11 Reputation points
2024-06-19T11:02:18.3733333+00:00

We are encountering an error in Azure OpenAI Studio when trying to "Add your data" in the chat playground.

The "crack, chunk and embed data" step finishes without issue, but the "Update ACS index" fails with this error:

[2024-06-18 14:40:30] INFO     azureml.rag.update_acs - Ensuring search index dblist-novector exists (update_acs.py:132)
[2024-06-18 14:49:16] ERROR    azureml.rag.update_acs.update_acs - ActivityCompleted: Activity=update_acs, HowEnded=Failure, Duration=525571.12 [ms], Exception=ServiceRequestError (activity.py:127)
[2024-06-18 14:49:17] ERROR    azureml.rag.update_acs - Failed to update ACS index (update_acs.py:457)
[2024-06-18 14:49:17] ERROR    azureml.rag.update_acs.update_acs - ServiceError: intepreted error = Rag system error, original error = <urllib3.connection.HTTPSConnection object at 0x14a1f76a3de0>: Failed to establish a new connection: [Errno 110] Connection timed out (exceptions.py:124)

It looks like it is unable to access an index object that it just created itself.
This issue occurs as soon as we disable public access for the AI search service, despite enabling "Allow Azure services on the trusted services list to access this search service." All other services have public access enabled.

Azure AI Search
An Azure search service with built-in artificial intelligence capabilities that enrich information to help identify and explore relevant content at scale.
Azure OpenAI Service
An Azure service that provides access to OpenAI’s GPT-3 models with enterprise capabilities.

2 answers

  1. Amira Bedhiafi 35,926 Reputation points Volunteer Moderator
    2025-07-05T18:37:56.69+00:00

    Hello Dennis!

    Thank you for posting on Microsoft Learn.

    When public access is disabled on your Azure Cognitive Search (ACS) resource, only explicitly allowed networks or trusted Azure services can access it.

    However, Azure OpenAI Studio (the web interface) is not considered a trusted service under “Allow trusted Azure services” for ACS. So:

    • The index creation step (run server-side by Azure OpenAI) might still succeed, depending on timing or caching.
    • But the index update step fails because the backend service running that operation cannot reach ACS if public access is blocked.

    So you need to allow public access just while uploading and indexing data in Azure OpenAI Studio.

    But if you want secure access without public exposure, you need to enable private endpoint on your Azure AI Search resource and verify that your Azure OpenAI resource (or a managed identity used by your backend) is in the same Virtual Network or has access to it.

    Then, update your search index via code, Azure Function, or Azure ML pipeline, not via OpenAI Studio, which lacks VNet support.

    Or, simply use the Azure OpenAI REST API or Azure ML pipeline to upload data and update the ACS index from within your VNet.


  2. Vishvani Jilukara 5 Reputation points Microsoft External Staff Moderator
    2025-08-12T09:50:14.8733333+00:00

    Hi Dennis BC,
    To securely manage this without exposing your ACS to the public internet, you should use a private endpoint for Azure Cognitive Search, ensuring that only trusted services or resources within your Virtual Network (VNet) can access it.

    You’ll need to ensure that the Azure OpenAI Studio or any Azure service interacting with ACS has network access to the ACS resource. However, Azure OpenAI Studio itself does not support private endpoint connections directly, so this solution will require you to handle the indexing via code or other Azure services like Azure Functions or Azure ML pipelines.

    Steps:

    1. Enable Private Endpoint on the Azure Cognitive Search (ACS) resource. This ensures that your ACS can only be accessed by resources inside your VNet.
       Reference: https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint

    2. Set up a Managed Identity or Azure Function/Azure ML Pipeline within the same VNet to interact with the ACS.
       Reference: https://learn.microsoft.com/en-us/azure/search/search-how-to-managed-identities?tabs=portal-sys%2Cportal-user

    3. Use an Azure Function or Azure REST API to handle the embedding and index update tasks instead of relying on Azure OpenAI Studio.

    Azure AD Authentication can be used to secure access between services (Azure Function -> ACS).

    This approach avoids public exposure and ensures that your search service remains securely behind a VNet.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Vishvani

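A preflight check for the approach both answers describe, added here as an example and not part of the thread: run from the Function or ML compute that will update the index, it reports whether the search hostname resolves to a private address and whether TCP 443 connects, which separates the `[Errno 110] Connection timed out` in the question from an authentication failure. The function name, verdict strings and advice text are assumptions of this example.

```python
import errno
import ipaddress
import socket


def check_search_endpoint(host, port=443, timeout=5.0,
                          resolve=socket.getaddrinfo,
                          connect=socket.create_connection):
    """Classify how a search endpoint looks from the machine running this.

    resolve/connect are injectable so the logic can be exercised offline.
    Returns (verdict, addresses).
    """
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure", []
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        return "dns-failure", []
    # Heuristic: a private endpoint hands out an address from the VNet range.
    is_private = all(ipaddress.ip_address(a).is_private for a in addrs)
    scope = "private" if is_private else "public"
    try:
        connect((addrs[0], port), timeout=timeout).close()
    except OSError as exc:
        timed_out = (isinstance(exc, (socket.timeout, TimeoutError))
                     or exc.errno == errno.ETIMEDOUT)
        return f"{scope}-{'timeout' if timed_out else 'error'}", addrs
    return f"{scope}-reachable", addrs


# Next step per verdict (wording is this example's, not Microsoft's).
ADVICE = {
    "dns-failure": "Hostname does not resolve; check DNS for this network.",
    "public-timeout": "Resolves to a public address and the connection times "
                      "out, as in the question; run the update from a network "
                      "that resolves the private endpoint.",
    "public-reachable": "Traffic is using the public address, not the private "
                        "endpoint; the service firewall decides at HTTP level.",
    "private-timeout": "Private address but no route; check NSG rules and "
                       "peering between this subnet and the private endpoint.",
    "private-reachable": "Network path works; any remaining failure is "
                         "authentication or role assignment.",
}
```

Call `check_search_endpoint("<your-service>.search.windows.net")` and look the verdict up in `ADVICE`.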
