How to Create an Azure AI Foundry Hub

Set up a centralized hub for managing AI projects, resources, and governance across your organization. This guide shows you how to create and configure a hub that serves as the foundation for your AI development efforts.

Prerequisites

  • An active Azure subscription with Contributor or Owner permissions
  • Basic understanding of Azure resource management
  • Decision on the governance model for your organization

Choose your hub configuration

Before creating your hub, determine the right setup for your needs:

Development/Learning Hub:
  • Single region deployment
  • Standard compute configurations
  • Basic networking (public endpoints)
  • Minimal governance policies
Enterprise Production Hub:
  • Multi-region capability
  • Premium compute with dedicated resources
  • Private networking with VPN/ExpressRoute
  • Comprehensive governance and compliance

Create hub via Azure portal

Step 1: Navigate to Azure AI Foundry

  1. Sign in to the Azure portal
  2. Search for “Azure AI Foundry” in the top search bar
  3. Select Azure AI Foundry from the results
  4. Click “Create”, then “New hub”

Step 2: Configure basic settings

Basic Configuration:
  Subscription: your-subscription-name
  Resource Group: 
    - Use existing: rg-ai-foundry-prod
    - Or create new: rg-ai-foundry-[environment]
  Name: hub-[organization]-[environment]
  Region: East US 2  # Choose based on your location and compliance needs
Naming conventions:
  • Hub name: hub-contoso-prod, hub-fabrikam-dev
  • Resource group: rg-ai-foundry-prod, rg-ai-foundry-staging

Step 3: Configure compute resources

Choose compute configurations based on your workload requirements:

For development and testing:
Compute Configuration:
  Instance Types:
    - Standard_DS3_v2 (CPU workloads)
    - Standard_NC6s_v3 (Light GPU workloads)
  Auto-scaling:
    Min nodes: 0
    Max nodes: 5
  Idle shutdown: 30 minutes
For production workloads:
Compute Configuration:
  Instance Types:
    - Standard_NC24ads_A100_v4 (Heavy AI workloads)
    - Standard_HB120rs_v3 (HPC requirements)
  Auto-scaling:
    Min nodes: 2
    Max nodes: 20
  Idle shutdown: 120 minutes

Step 4: Configure networking

Public network access (simpler setup):
Networking:
  Access: Public
  Allowed IP ranges: 
    - Your office IP range: 203.0.113.0/24
    - Development team IPs: specific addresses
  Firewall rules: Azure AI Foundry default
Private network access (enterprise security):
Networking:
  Access: Private
  Virtual Network: 
    - Use existing: vnet-ai-foundry-prod
    - Or create new with appropriate subnets
  Private endpoints: 
    - Azure AI Foundry: Enabled
    - Storage: Enabled
    - Key Vault: Enabled
  DNS resolution: Azure Private DNS zones

Step 5: Configure security and governance

Security Settings:
  Identity:
    System managed identity: Enabled
    User assigned identities: Configure as needed
  
  Key Management:
    Encryption: Microsoft managed keys (or customer managed)
    Key Vault: kv-ai-foundry-[environment]
  
  Access Control:
    Azure RBAC: Enabled
    Local authentication: Disabled (recommended)
  
  Compliance:
    Diagnostic logging: Enabled
    Audit logging: Enabled
    Data residency: Enforce regional boundaries

Step 6: Review and create

  1. Click “Review + create”
  2. Verify all settings match your requirements
  3. Check the estimated cost
  4. Click “Create”
The deployment typically takes 10-15 minutes.

Create hub via Azure CLI

For automation and infrastructure-as-code scenarios:
# Set variables
SUBSCRIPTION_ID="your-subscription-id"
RESOURCE_GROUP="rg-ai-foundry-prod"
HUB_NAME="hub-contoso-prod"
LOCATION="eastus2"

# Create resource group
az group create \
  --name $RESOURCE_GROUP \
  --location $LOCATION

# Create the hub
az ml workspace create \
  --resource-group $RESOURCE_GROUP \
  --name $HUB_NAME \
  --location $LOCATION \
  --kind "hub" \
  --display-name "Contoso AI Production Hub" \
  --description "Central hub for Contoso AI initiatives" \
  --public-network-access Enabled \
  --managed-network disabled
For private networking:
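# Create with private networking.
# --managed-network takes the isolation mode directly:
#   allow_internet_outbound      - managed network, compute can reach any internet destination
#   allow_only_approved_outbound - managed network, egress limited to approved outbound rules
az ml workspace create \
  --resource-group $RESOURCE_GROUP \
  --name $HUB_NAME \
  --location $LOCATION \
  --kind "hub" \
  --public-network-access Disabled \
  --managed-network allow_internet_outbound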

Configure hub settings post-creation

Set up role-based access control

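# Grant a user the AzureML Data Scientist role at hub scope
# (a working role for data scientists; it is not a hub administrator role)
az role assignment create \
  --assignee user@contoso.com \
  --role "AzureML Data Scientist" \
  --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$HUB_NAME"

# Grant the connection secrets reader role at resource-group scope
# (lets the assignee read connection secrets in every workspace in the group;
#  it does not grant permission to create projects)
az role assignment create \
  --assignee developers@contoso.com \
  --role "AzureML Workspace Connection Secrets Reader" \
  --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"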

Configure compute resources

# Create a CPU compute cluster
az ml compute create \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $HUB_NAME \
  --name "cpu-cluster-general" \
  --type AmlCompute \
  --min-instances 0 \
  --max-instances 10 \
  --size Standard_DS3_v2 \
  --idle-time-before-scale-down 1800

# Create a GPU compute cluster for AI workloads
az ml compute create \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $HUB_NAME \
  --name "gpu-cluster-ai" \
  --type AmlCompute \
  --min-instances 0 \
  --max-instances 5 \
  --size Standard_NC24ads_A100_v4 \
  --idle-time-before-scale-down 3600

Set up connections to external services

# Create connection to Azure OpenAI
az ml connection create \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $HUB_NAME \
  --file connection-openai.yaml

# Create connection to Azure Cognitive Search
az ml connection create \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $HUB_NAME \
  --file connection-search.yaml
Example connection-openai.yaml:
name: azure-openai-connection
type: azure_open_ai
target: https://your-openai-service.openai.azure.com/
auth_type: api_key
credentials:
  key: your-api-key

Configure governance policies

Set up Azure Policy for compliance

{
  "properties": {
    "displayName": "AI Foundry Governance Policy",
    "policyType": "Custom",
    "mode": "All",
    "description": "Enforce governance standards for AI Foundry resources",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.MachineLearningServices/workspaces"
          },
          {
            "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Configure cost management

# Set up budget alerts
az consumption budget create \
  --resource-group $RESOURCE_GROUP \
  --budget-name "ai-foundry-monthly-budget" \
  --amount 1000 \
  --time-grain Monthly \
  --time-period start-date="2024-01-01" \
  --category Cost \
  --contact-emails admin@contoso.com

Organize with tags and metadata

Apply consistent tagging for governance:
# Apply tags to the hub
az resource tag \
  --resource-group $RESOURCE_GROUP \
  --name $HUB_NAME \
  --resource-type "Microsoft.MachineLearningServices/workspaces" \
  --tags \
    Environment=Production \
    Owner=AITeam \
    CostCenter=IT \
    Project=EnterpriseAI \
    Compliance=Required

Validate your hub setup

Test connectivity and access

# Test CLI access
az ml workspace show \
  --resource-group $RESOURCE_GROUP \
  --name $HUB_NAME

# Test compute access
az ml compute list \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $HUB_NAME

Verify security configuration

# Check private endpoint status
az network private-endpoint list \
  --resource-group $RESOURCE_GROUP

# Verify RBAC assignments
az role assignment list \
  --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$HUB_NAME"
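
The list command above shows only assignments made at the hub scope unless `--include-inherited` is added, so the resource-group assignment created earlier would not appear. The following added example (not part of the original guide) audits the JSON from `az role assignment list --scope <hub> --include-inherited -o json`; the sample data, the placeholder subscription ID and the three finding labels are constructed for illustration.

```python
import json

# Constructed sample shaped like `az role assignment list --include-inherited -o json`
# output; the subscription ID and principals are placeholders, not real data.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-ai-foundry-prod"
HUB = RG + "/providers/Microsoft.MachineLearningServices/workspaces/hub-contoso-prod"
SAMPLE = json.dumps([
    {"principalName": "user@contoso.com", "principalType": "User",
     "roleDefinitionName": "AzureML Data Scientist", "scope": HUB},
    {"principalName": "developers@contoso.com", "principalType": "Group",
     "roleDefinitionName": "AzureML Workspace Connection Secrets Reader", "scope": RG},
    {"principalName": "admin@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ops@contoso.com", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-other"},
])

PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
# Role name exactly as this guide writes it in its role assignment command.
SECRET_READERS = {"AzureML Workspace Connection Secrets Reader"}


def applies_to(scope, target):
    """True if an assignment at `scope` is effective on `target` (same or parent scope)."""
    scope, target = scope.lower().rstrip("/"), target.lower().rstrip("/")
    return target == scope or target.startswith(scope + "/")


def audit(assignments_json, hub_scope):
    """Return (principal, role, finding) tuples for assignments that reach the hub."""
    findings = []
    for a in json.loads(assignments_json):
        if not applies_to(a["scope"], hub_scope):
            continue  # assignment belongs to an unrelated scope
        who = a.get("principalName") or a.get("principalId", "?")
        role = a["roleDefinitionName"]
        inherited = a["scope"].lower().rstrip("/") != hub_scope.lower().rstrip("/")
        if role in PRIVILEGED:
            findings.append((who, role, "privileged"))
        if role in SECRET_READERS and inherited:
            findings.append((who, role, "secrets-above-hub"))
        if a.get("principalType") == "User":
            findings.append((who, role, "direct-user"))
    return findings


if __name__ == "__main__":
    for who, role, finding in audit(SAMPLE, HUB):
        print(f"{finding:18} {role:45} {who}")
```
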

Set up monitoring and alerts

Configure diagnostic logs

# Enable diagnostic logging
az monitor diagnostic-settings create \
  --resource "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$HUB_NAME" \
  --name "hub-diagnostics" \
  --storage-account "storageaccountname" \
  --logs '[
    {
      "category": "AmlComputeClusterEvent",
      "enabled": true
    },
    {
      "category": "AmlComputeJobEvent", 
      "enabled": true
    }
  ]'

Set up performance alerts

# Create alert for high compute usage
az monitor metrics alert create \
  --name "high-compute-usage" \
  --resource-group $RESOURCE_GROUP \
  --scopes "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.MachineLearningServices/workspaces/$HUB_NAME" \
  --condition "avg ActiveCores > 80" \
  --description "Alert when the average number of active cores exceeds 80"

Troubleshoot common issues

Hub creation fails with permissions error

# Check required permissions
az role assignment list --assignee $(az account show --query user.name -o tsv)

# Required roles for hub creation:
# - Contributor or Owner on subscription/resource group
# - User Access Administrator (for RBAC setup)

Private endpoint connectivity issues

# Check private endpoint configuration
az network private-endpoint show \
  --resource-group $RESOURCE_GROUP \
  --name "pe-aifoundry"

# Verify DNS resolution
nslookup your-hub-name.api.azureml.ms
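
A private endpoint whose connection is still pending or was rejected exists in the resource group but carries no traffic. The following added example (not part of the original guide) reads the JSON from `az network private-endpoint list -o json` and reports which of the services listed in Step 4 lack an approved endpoint; the sample data is constructed, and it assumes the resource group holds only this hub's endpoints.

```python
import json

# Constructed sample shaped like `az network private-endpoint list -o json` output;
# endpoint names are placeholders, not real data.
SAMPLE = json.dumps([
    {"name": "pe-aifoundry",
     "privateLinkServiceConnections": [{
         "groupIds": ["amlworkspace"],
         "privateLinkServiceConnectionState": {"status": "Approved"}}]},
    {"name": "pe-storage-blob",
     "manualPrivateLinkServiceConnections": [{
         "groupIds": ["blob"],
         "privateLinkServiceConnectionState": {"status": "Pending"}}]},
])

# Private link group IDs for the services Step 4 lists under "Private endpoints".
REQUIRED = {"amlworkspace": "Azure AI Foundry hub", "blob": "Storage", "vault": "Key Vault"}


def endpoint_gaps(endpoints_json, required=REQUIRED):
    """Map each required service without an Approved endpoint to its best observed state."""
    best = {}
    for pe in json.loads(endpoints_json):
        # Auto-approved and manually approved connections are stored in separate lists.
        conns = (pe.get("privateLinkServiceConnections") or []) + \
                (pe.get("manualPrivateLinkServiceConnections") or [])
        for conn in conns:
            state = conn.get("privateLinkServiceConnectionState") or {}
            status = state.get("status", "Unknown")
            for group_id in conn.get("groupIds") or []:
                if best.get(group_id) != "Approved":
                    best[group_id] = status
    gaps = {}
    for group_id, label in required.items():
        status = best.get(group_id, "Missing")
        if status != "Approved":
            gaps[label] = status
    return gaps


if __name__ == "__main__":
    for service, status in endpoint_gaps(SAMPLE).items():
        print(f"{service}: {status}")
```
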

Compute provisioning failures

# Check quota limits
az vm list-usage --location $LOCATION

# Request quota increase if needed
az support tickets create \
  --ticket-name "GPU quota increase" \
  --severity "minimal" \
  --issue-type "quota"

Next steps

With your hub created and configured:
  1. Create your first project: How to Create Projects
  2. Set up compute resources: Configure Compute
  3. Establish connections: Configure Connections
  4. Implement security: Configure Security

Hub management best practices

  • Regular reviews: Quarterly access reviews and permission audits
  • Cost optimization: Monitor compute usage and implement auto-scaling
  • Security updates: Keep up with Azure security recommendations
  • Backup strategy: Implement data and configuration backup procedures
  • Disaster recovery: Plan for regional outages and failover scenarios