Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
You can deploy Foundry Local on Azure Local in disconnected environments by using a deployment model that largely matches connected scenarios. However, several key differences exist when internet connectivity isn't available.
This article explains how disconnected deployments of Foundry Local on Azure Local differ from connected deployments, so you can plan secure, offline model operations.
Important
- Foundry Local is available in preview. Preview releases provide early access to features that are in active deployment.
- Features, approaches, and processes can change or have limited capabilities before general availability (GA).
What changes in disconnected deployments
In disconnected environments, extension availability, certificate management, model artifact sourcing, telemetry behavior, identity, and access flows differ from connected deployments.
Extension availability: Before you can install the Foundry Local Azure Arc extension, you must download and import the Foundry Local expansion pack into the disconnected environment.
Model catalog source: Foundry Local pulls model artifacts from the local
edgeartifactscontainer registry. Model expansion packs populate this registry.Certificate management: The
azure-cert-managerextension isn't available in disconnected environments. Instead, you must install:cert-managertrust-managerThese Helm charts and container images are included in the Foundry Local expansion pack.
Telemetry: Telemetry isn't transmitted to Microsoft. To collect diagnostics for support, use the
az k8s-extension troubleshootcommand.Authentication: Authentication doesn't use public Microsoft Entra ID endpoints. Instead, Foundry Local integrates with the Active Directory infrastructure configured in the disconnected Azure Local environment.
Authorization: Authorization uses standard Azure RBAC roles on the Foundry extension resource:
Readeris for read-only operations, such as listing and getting model catalog entries.Contributoris required for control plane write operations (for examplePOST,PUT,PATCH,DELETEfor models and deployments) and for data plane inference operations such aspredictandchat/completions.
This authorization model differs from connected deployments, which typically use roles such as Cognitive Services OpenAI User to grant access to inference endpoints.