
Getting the following when trying to access - Knowledge Base in Foundry

Admin Donald Fortini 0 Reputation points
2026-04-30T21:33:27.5233333+00:00

"Error loading knowledge bases An error occurred while processing your request." We are using a private network.

Azure Private Link

An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.


2 answers

  1. Karnam Venkata Rajeswari 2,390 Reputation points Microsoft External Staff Moderator
    2026-04-30T22:47:19.64+00:00

    Hello @Admin Donald Fortini

    Welcome to Microsoft Q&A. Thank you for reaching out to us.

    The encountered error generally indicates that the Foundry Knowledge Base layer is unable to retrieve data from its backend services. In Azure AI Foundry, Knowledge Bases rely primarily on Azure AI Search, along with supporting services such as Azure Storage. When communication with these services is disrupted, the portal may return this generic error.

    In a Private Link (private network) setup, such disruptions are most commonly associated with DNS resolution issues, network access restrictions, or service reachability gaps, even when configurations appear correct.

    Please consider the following key areas to validate and troubleshoot:

    1. Private Endpoint Configuration
      Begin by confirming that all dependent services are correctly integrated through Private Endpoints:
      • Ensure Private Endpoint status is Approved and Succeeded
      • Critical services include:
        • Azure AI Search (primary Knowledge Base dependency)
        • Azure Storage
        • Additional services used by the project
      • All endpoints should be deployed within the same virtual network used by the Foundry project.
    2. DNS Resolution for Private Link
      From a machine inside the same virtual network:
         nslookup <service-fqdn>

      Expected outcome:
      • Each service should resolve to a private IP address
      • If a public IP is returned:
        • Verify required Private DNS zones exist and are linked correctly:
          • privatelink.search.windows.net
          • privatelink.blob.core.windows.net
        • For custom DNS environments, confirm conditional forwarding to 168.63.129.16
    3. Network Security and Connectivity
      Ensure that required communication paths are not blocked:
      • Outbound HTTPS (TCP 443) must be allowed
      • Network Security Groups should permit traffic to private endpoint IPs
      • Confirm no firewall or perimeter restrictions
      Connectivity can be validated using:
         Test-NetConnection <fqdn> -Port 443

    4. Routing and Hybrid Connectivity (if applicable)
      For environments using VPN or ExpressRoute:
      • Ensure routing tables include virtual network address ranges
      • Confirm connectivity to private endpoint IP space
    5. Azure AI Search Validation
      Since Knowledge Bases depend directly on Azure AI Search:
      • Confirm that:
        • Search indexes exist and contain data
        • Queries execute successfully via API or portal tools
        • Azure AI Search is reachable through the configured Private Endpoint
    6. Permissions and Access Control
      Ensure appropriate access is configured:
      • Azure AI Search > Search Index Data Reader / Contributor
      • Storage > Storage Blob Data Reader
      • Foundry project > appropriate project-level roles
      Missing permissions may prevent Knowledge Base enumeration even if connectivity is correct.

    Important Consideration for Private‑Only Networking - Even when all configurations (Private Endpoints, DNS, and permissions) are correctly set:

    • Requests may successfully reach backend services
    • Yet access may still fail during internal validation

    This behavior can occur due to current service constraints in fully private-only networking scenarios, where certain access paths are restricted.

    To differentiate between configuration issues and network constraints:

    • Temporarily enable public network access on the Azure AI Search resource
    • Retry loading the Knowledge Base

    Result interpretation:

    • If successful - indicates a Private Link access limitation or restriction
    • If still failing - indicates a configuration or permission-related issue

    A hybrid setup (Private Endpoints with controlled public access) is often observed to provide more consistent behavior.

    The following references might be helpful, please check them out

    Thank you


  2. Q&A Assist
    2026-04-30T21:33:45.0833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error likely stems from private networking or DNS issues preventing Foundry from reaching the knowledge base resources over Private Link.

    Use the following checks for a Foundry project on a private network:

    1. Verify private endpoints for all required services
      Ensure private endpoints exist and are in a Succeeded state for the services backing Foundry IQ/knowledge bases (for example, Azure Cosmos DB, storage, search, etc.) in the same virtual network used by the project and Agent.
    2. Check private endpoint DNS resolution
      From a VM or machine inside the same VNet:
      • Run nslookup <your-foundry-endpoint-hostname> and nslookup <resource-fqdn> for each dependent service.
      • Confirm that each name resolves to a private IP, not a public IP.
      • If DNS returns a public IP, verify that:
        • A private DNS zone exists for the privatelink subdomain.
        • The private DNS zone is linked to the VNet.
        • If using a custom DNS server, conditional forwarders for the privatelink subdomain point to Azure DNS at 168.63.129.16.
    3. Validate NSG and firewall rules
      • Confirm that network security groups allow outbound traffic from the Foundry Agent subnet to the private endpoint IPs on port 443.
      • Ensure no on-premises or perimeter firewall is blocking HTTPS (443) to those private IPs.
    4. Confirm VNet routing and connectivity
      • If accessing from on-premises via VPN/ExpressRoute, verify that routes include the VNet address space and that connectivity to the private endpoint IPs works (for example, ping where allowed, or Test-NetConnection -Port 443).
    5. Check Agent Service in network-isolated projects
      • Ensure the project uses Standard Agent deployment (not Basic) for network-injected scenarios.
      • Confirm the delegated Agent subnet has available IP addresses.
      • If agents or evaluations are used with knowledge bases, verify that all required DNS zones are configured and that the evaluation/agent compute can reach both Foundry and model endpoints via private links.
    6. Validate permissions to the knowledge base
      • If the error only appears when loading knowledge bases (and not the project itself), confirm that the identity used to access Foundry has the required RBAC permissions on the Foundry project and on the backing data sources (for example, search index, storage, or Cosmos DB) so that Foundry IQ can enumerate and query them.

    If, after these checks, private endpoint DNS resolution still fails, explicitly follow the “Private endpoint DNS resolution fails” troubleshooting guidance: verify each private DNS zone is linked to the VNet, confirm conditional forwarders to 168.63.129.16, and re-run nslookup to ensure private IP resolution.


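The DNS and port 443 checks that both answers describe can be run for every dependent service in one pass from a machine inside the VNet. The script below is an added example, not part of either answer or of any Microsoft tooling; its function names and verdict strings are made up for illustration, and it assumes the VNet uses RFC 1918 address space, so any other resolved address is treated as public.

```python
import ipaddress
import socket

# RFC 1918 ranges. Assumption: the VNet, and so its private endpoints, uses them.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def system_resolver(fqdn):
    """Resolve through the machine's configured DNS, like nslookup <fqdn>."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tcp_probe(addr, port=443, timeout=3.0):
    """TCP connect test, the same check as Test-NetConnection -Port 443."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoint(fqdn, resolver=system_resolver, probe=tcp_probe):
    """Return (verdict, addresses) for one dependent service FQDN."""
    try:
        addrs = resolver(fqdn)
    except OSError:
        return "dns-failure", []
    if not addrs:
        return "dns-failure", []
    if not all(is_rfc1918(a) for a in addrs):
        # Private DNS zone missing, not linked, or forwarder not in place.
        return "public-ip", addrs
    if not all(probe(a) for a in addrs):
        # Name is private but 443 is closed: NSG, firewall or routing.
        return "blocked-443", addrs
    return "ok", addrs


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:   # pass each <service-fqdn> as an argument
        print(name, *check_endpoint(name))
```

A `public-ip` verdict points at the private DNS zone and forwarder checks, while `blocked-443` points at the NSG, firewall and routing checks.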