![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 67%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Azure AI Document Intelligence
An Azure service that turns documents into usable data. Previously known as Azure Form Recognizer.
Hi ,
Thanks for reaching out to Microsoft Q&A
Suggestions that you can try:
create hybrid connectivity from on-prem to the azure vnet that contains the private endpoint site-to-site vpn (azure vpn gateway) or expressroute with private peering. This ensures your on-prem vm can route to the private endpoint ip.
ensure dns resolution of the document intelligence fqdn to the private endpoint ip from on-prem
you must resolve the resource host name to the private ip. Use an azure private dns zone linked to the vnet and then enable hybrid DNS resolution by either:
- using an azure dns private resolver inbound endpoint and add that inbound ip as a conditional forwarder on your on-prem dns servers, or
- run a DNS forwarder vm in Azure and point your on-prem conditional forwarder to it.
check routing and nsg/udr
ensure your on-prem > azure VPN/ER route includes the private endpoint subnet and no udr/nsg blocks that traffic. Use the private endpoint ip to validate connectivity (ping/tcping if allowed) and nslookup to validate name resolution.
remove client ip from the document intelligence resource access controls
once on-prem resolves and routes to private ip, the request will come from the private network path and the public IP check is not required.
Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.
