# Connecting to Azure-managed services

This page describes how to establish private connectivity between your dedicated instance and Azure-managed services. For self-hosted applications, see [Connecting to customer-managed services on Azure](/business/azure/azure-privatelink/connect-to-customer-managed-services).

## Azure managed services

This section covers Azure-managed services that have service-specific private connectivity requirements.

The tables below use **Order** to indicate the general sequence of the information exchange — items with the same Order value can usually be provided at the same stage. Values like `<UNSTRUCTURED_SP_ID>` and `<DI_AZURE_SUBSCRIPTION_ID>` are placeholders; contact your Unstructured account team or open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) to get the actual values for your dedicated instance.

<Note>
  Each Azure service you connect to via Private Link must be in the same Azure region as your dedicated instance — cross-region Private Link is not supported. The example region codes in the tables below are illustrative; use the region your dedicated instance is deployed in. See [Known limitations](/business/dedicated-instances/requirements#known-limitations).
</Note>

### Azure Blob Storage

This applies to Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2).

| Order | Information Required              | Description                                             | Example                                                                            | Owner        |
| ----- | --------------------------------- | ------------------------------------------------------- | ---------------------------------------------------------------------------------- | ------------ |
| 1     | Storage Account Name              | Name of the Azure Storage Account                       | `customerstorageacct`                                                              | Customer     |
| 1     | Storage Account Resource ID       | Full Azure Resource ID of the storage account           | `/subscriptions/…/providers/Microsoft.Storage/storageAccounts/customerstorageacct` | Customer     |
| 1     | Container Name(s)                 | Containers Unstructured needs to access                 | `documents, processed-data`                                                        | Customer     |
| 1     | Storage Account Region            | Region where storage account is located                 | `eastus`                                                                           | Customer     |
| 1     | Sub-resource Type                 | `blob`, `dfs` (for ADLS Gen2), `file`, `table`, `queue` | `blob`, `dfs`                                                                      | Customer     |
| 2     | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment           | `<UNSTRUCTURED_SP_ID>`                                                             | Unstructured |
| 2     | Unstructured Subscription ID      | Subscription ID for private endpoint approval           | `<DI_AZURE_SUBSCRIPTION_ID>`                                                       | Unstructured |

For ADLS Gen2, use sub-resource type `dfs` for hierarchical namespace operations. You must approve the private endpoint connection request. To do so, navigate to **Storage Account > Networking > Private endpoint connections**.

**Example: Azure role assignment**

The following Azure CLI command assigns the **Storage Blob Data Reader** role to Unstructured’s service principal so the platform can read blobs in your storage account.

```bash
az role assignment create \
  --assignee "<UNSTRUCTURED_SP_ID>" \
  --role "Storage Blob Data Reader" \
  --scope "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT>"
```

For **read/write** access, use the **Storage Blob Data Contributor** role instead of **Storage Blob Data Reader**.

Replace:

* `<UNSTRUCTURED_SP_ID>` — Service principal ID for Unstructured (provided during onboarding)
* `<SUBSCRIPTION_ID>` — Your Azure subscription ID
* `<RESOURCE_GROUP>` — Resource group that contains the storage account
* `<STORAGE_ACCOUNT>` — Storage account name

***

### Azure OpenAI

Azure OpenAI supports private endpoint access. Unstructured creates a private endpoint in our VNet to access your Azure OpenAI resource privately.

| Order | Information Required              | Description                                   | Example                                                                           | Owner        |
| ----- | --------------------------------- | --------------------------------------------- | --------------------------------------------------------------------------------- | ------------ |
| 1     | Azure OpenAI Resource Name        | Name of the Azure OpenAI resource             | `customer-openai`                                                                 | Customer     |
| 1     | Azure OpenAI Resource ID          | Full Azure Resource ID                        | `/subscriptions/…/providers/Microsoft.CognitiveServices/accounts/customer-openai` | Customer     |
| 1     | Azure OpenAI Region               | Region where the resource is deployed         | `eastus`                                                                          | Customer     |
| 1     | Deployment Name(s)                | Model deployment names to access              | `gpt-4-deployment, embedding-deployment`                                          | Customer     |
| 1     | Sub-resource Type                 | Always `account` for Azure OpenAI             | `account`                                                                         | Customer     |
| 2     | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment | `<UNSTRUCTURED_SP_ID>`                                                            | Unstructured |
| 2     | Unstructured Subscription ID      | Subscription ID for private endpoint approval | `<DI_AZURE_SUBSCRIPTION_ID>`                                                      | Unstructured |

**Example: Azure role assignment for OpenAI**

Use Azure CLI to assign the **Cognitive Services OpenAI User** role to Unstructured’s service principal for your Azure OpenAI resource:

```bash
az role assignment create \
  --assignee "<UNSTRUCTURED_SP_ID>" \
  --role "Cognitive Services OpenAI User" \
  --scope "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.CognitiveServices/accounts/<OPENAI_RESOURCE>"
```

Replace:

* `<UNSTRUCTURED_SP_ID>` — Service principal ID for Unstructured (provided during onboarding)
* `<SUBSCRIPTION_ID>` — Your Azure subscription ID
* `<RESOURCE_GROUP>` — Resource group that contains the Azure OpenAI resource
* `<OPENAI_RESOURCE>` — Name of your Azure OpenAI resource

After the role assignment:

1. **Firewall:** On the Azure OpenAI resource, configure networking so **public access is disabled** and traffic is allowed only as required for your private endpoint design.
2. **Approve the connection:** In the Azure portal, go to the OpenAI resource > **Networking** > **Private endpoint connections**, then approve the pending private endpoint connection from Unstructured.

***

### Azure Databricks

Azure Databricks supports Private Link for both front-end (user-to-workspace) and back-end (compute-to-control plane) connectivity. You must have Private Link enabled on your workspace.

| Order | Information Required             | Description                                   | Example                                                                         | Owner        |
| ----- | -------------------------------- | --------------------------------------------- | ------------------------------------------------------------------------------- | ------------ |
| 1     | Databricks Workspace URL         | The workspace URL                             | `adb-1234567890123456.12.azuredatabricks.net`                                   | Customer     |
| 1     | Databricks Workspace Resource ID | Full Azure Resource ID of the workspace       | `/subscriptions/…/providers/Microsoft.Databricks/workspaces/customer-workspace` | Customer     |
| 1     | Databricks Workspace Region      | Azure region where workspace is deployed      | `eastus`                                                                        | Customer     |
| 1     | Sub-resource Type                | `databricks_ui_api` for workspace access      | `databricks_ui_api`                                                             | Customer     |
| 2     | Unstructured Subscription ID     | Subscription ID for private endpoint approval | `<DI_AZURE_SUBSCRIPTION_ID>`                                                    | Unstructured |
| 3     | Private endpoint DNS             | The private endpoint DNS for the workspace    | `adb-1234567890123456.12.privatelink.azuredatabricks.net`                       | Customer     |

**Example: Approve the Databricks private endpoint connection**

After Unstructured creates the private endpoint toward your workspace, approve the pending connection using Azure CLI:

```bash
az network private-endpoint-connection approve \
  --resource-group "<RESOURCE_GROUP>" \
  --resource-name "<WORKSPACE_NAME>" \
  --name "<PRIVATE_ENDPOINT_NAME>" \
  --type Microsoft.Databricks/workspaces
```

You can also approve the same request in the **Azure portal**: open the Databricks workspace resource > **Networking** > **Private endpoint connections**, then approve the pending connection from Unstructured.

Replace:

* `<RESOURCE_GROUP>` — Resource group that contains the Databricks workspace
* `<WORKSPACE_NAME>` — Name of the Databricks workspace resource
* `<PRIVATE_ENDPOINT_NAME>` — Name of the private endpoint connection (shown in the portal or provided by Unstructured)
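
The approval steps for Storage, Azure OpenAI and Databricks all assume the pending request really comes from Unstructured. The following added example (not part of Unstructured's documentation or tooling) filters connection rows so that only pending requests whose private endpoint sits in `<DI_AZURE_SUBSCRIPTION_ID>` are offered for approval. The function names, the tab-separated row format, and the `--query` shown in the comment are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not Unstructured's code): pick out the private endpoint
# connections that are safe to approve. Rows on stdin are tab-separated:
#   <connection-id> <private-endpoint-id> <status>
# Assumed way to produce them from the target resource:
#   az network private-endpoint-connection list --id "<RESOURCE_ID>" -o tsv --query \
#     "[].[id, properties.privateEndpoint.id, properties.privateLinkServiceConnectionState.status]"

# Print the subscription segment of an Azure resource ID, lowercased
# (resource IDs are case-insensitive). Fails if the ID has no such segment.
subscription_of() {
  local id rest
  id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$id" in
    /subscriptions/?*) rest=${id#/subscriptions/}; printf '%s\n' "${rest%%/*}" ;;
    *) return 1 ;;
  esac
}

# $1 = subscription ID supplied by Unstructured (<DI_AZURE_SUBSCRIPTION_ID>).
# Prints only connections that are Pending AND whose private endpoint lives
# in that subscription; everything else is reported on stderr and left alone.
approvable_connections() {
  local expected conn pe status sub
  expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while IFS="$(printf '\t')" read -r conn pe status; do
    [ -n "$conn" ] || continue
    sub=$(subscription_of "$pe") || sub="unparseable"
    if [ "$status" != "Pending" ]; then
      echo "skip, status is '$status': $conn" >&2
    elif [ "$sub" != "$expected" ]; then
      echo "DO NOT APPROVE, endpoint is in subscription $sub: $conn" >&2
    else
      printf '%s\n' "$conn"
    fi
  done
}

# Constructed sample rows; the GUIDs and names are placeholders, not real values.
demo_rows() {
  local pe='resourceGroups/rg/providers/Microsoft.Network/privateEndpoints'
  printf '%s\t%s\t%s\n' \
    'conn-expected' "/subscriptions/11111111-1111-1111-1111-111111111111/$pe/pe-a" 'Pending' \
    'conn-foreign'  "/subscriptions/22222222-2222-2222-2222-222222222222/$pe/pe-b" 'Pending' \
    'conn-done'     "/Subscriptions/11111111-1111-1111-1111-111111111111/$pe/pe-c" 'Approved'
}

demo_rows | approvable_connections '11111111-1111-1111-1111-111111111111'   # prints conn-expected
```

Approve only the connections it prints, using the command above or the portal; a pending request from any other subscription should be left unapproved and raised with your Unstructured account team.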

***

## Azure Managed Services with private endpoint access

This section applies to Azure Managed Services that support private endpoint access, including: **Azure AI Search, Azure SQL Database, Azure SQL Managed Instance, Azure Cosmos DB, Azure Database for PostgreSQL, Azure Database for MySQL,** and **Azure Synapse Analytics**.

<Note>
  The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage.
</Note>

| Order | Information Required              | Description                                              | Example                                                                | Owner        |
| ----- | --------------------------------- | -------------------------------------------------------- | ---------------------------------------------------------------------- | ------------ |
| 1     | Service Type                      | The Azure managed service being accessed                 | `Azure AI Search`, `Azure SQL`                                         | Customer     |
| 1     | Resource Name                     | Name of the Azure resource                               | `my-search-service`                                                    | Customer     |
| 1     | Resource ID                       | Full Azure Resource ID                                   | `/subscriptions/…/providers/Microsoft.Search/searchServices/my-search` | Customer     |
| 1     | Service Region                    | Region where the service is hosted                       | `eastus`                                                               | Customer     |
| 1     | Sub-Resource Type                 | The sub-resource type for Private Link (see table below) | `searchService`, `sqlServer`                                           | Customer     |
| 1     | Service Port                      | Port the service listens on                              | `443` (AI Search), `1433` (SQL)                                        | Customer     |
| 2     | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment            | `<UNSTRUCTURED_SP_ID>`                                                 | Unstructured |
| 2     | Unstructured Subscription ID      | Subscription ID to approve for private endpoint          | `<DI_AZURE_SUBSCRIPTION_ID>`                                           | Unstructured |

**Sub-resource types by service:**

| Service                       | Sub-Resource Type           |
| ----------------------------- | --------------------------- |
| AI Search                     | `searchService`             |
| Azure SQL Database            | `sqlServer`                 |
| Azure SQL Managed Instance    | `managedInstance`           |
| Azure Cosmos DB (SQL API)     | `Sql`                       |
| Azure Cosmos DB (MongoDB API) | `MongoDB`                   |
| Azure Database for PostgreSQL | `postgresqlServer`          |
| Azure Database for MySQL      | `mysqlServer`               |
| Azure Synapse Analytics       | `Sql`, `SqlOnDemand`, `Dev` |
