[Cognitive Services] Add: az cognitiveservices account managed-network and outbound-rule commands

src/azure-cli/azure/cli/command_modules/cognitiveservices/_client_factory.py

@@ -93,6 +93,22 @@ def cf_account_connections(cli_ctx, *_):
     return get_cognitiveservices_management_client(cli_ctx).account_connections
 
 
+def cf_managed_network_settings(cli_ctx, *_):
+    return get_cognitiveservices_management_client(cli_ctx).managed_network_settings
+
+
+def cf_managed_network_provisions(cli_ctx, *_):
+    return get_cognitiveservices_management_client(cli_ctx).managed_network_provisions
+
+
+def cf_outbound_rule(cli_ctx, *_):
+    return get_cognitiveservices_management_client(cli_ctx).outbound_rule
+
+
+def cf_outbound_rules(cli_ctx, *_):
+    return get_cognitiveservices_management_client(cli_ctx).outbound_rules
+
+
 def cf_account_capability_hosts(cli_ctx, *_):
     return get_cognitiveservices_management_client(cli_ctx).account_capability_hosts
 

src/azure-cli/azure/cli/command_modules/cognitiveservices/_help.py

@@ -719,6 +719,166 @@
     text: az cognitiveservices agent update --account-name myAccount --project-name myProject --name myAgent --agent-version 1 --min-replicas 1 --max-replicas 2
 """
 
+helps['cognitiveservices account managed-network'] = """
+    type: group
+    short-summary: Manage the managed network settings for an Azure Cognitive Services account.
+    long-summary: >
+        Managed network settings control the network isolation mode and firewall configuration
+        for AI Foundry accounts.
+"""
+
+helps['cognitiveservices account managed-network create'] = """
+    type: command
+    short-summary: Create a managed network for an Azure Cognitive Services account.
+    examples:
+    - name: Create a managed network with internet outbound access.
+      text: >
+        az cognitiveservices account managed-network create
+        --name my-account
+        --resource-group my-resource-group
+        --managed-network allow_internet_outbound
+    - name: Create a managed network with approved outbound only and a standard firewall.
+      text: >
+        az cognitiveservices account managed-network create
+        --name my-account
+        --resource-group my-resource-group
+        --managed-network allow_only_approved_outbound
+        --firewall-sku Standard
+"""
+
+helps['cognitiveservices account managed-network update'] = """
+    type: command
+    short-summary: Update managed network settings for an Azure Cognitive Services account.
+    examples:
+    - name: Update the firewall SKU.
+      text: >
+        az cognitiveservices account managed-network update
+        --name my-account
+        --resource-group my-resource-group
+        --firewall-sku Standard
+    - name: Change the isolation mode.
+      text: >
+        az cognitiveservices account managed-network update
+        --name my-account
+        --resource-group my-resource-group
+        --managed-network allow_only_approved_outbound
+"""
+
+helps['cognitiveservices account managed-network show'] = """
+    type: command
+    short-summary: Show the managed network settings for an Azure Cognitive Services account.
+    examples:
+    - name: Show managed network settings.
+      text: >
+        az cognitiveservices account managed-network show
+        --name my-account
+        --resource-group my-resource-group
+"""
+
+helps['cognitiveservices account managed-network provision-network'] = """
+    type: command
+    short-summary: Provision the managed network for an Azure Cognitive Services account.
+    long-summary: >
+        Triggers provisioning of the managed network. This is a long-running operation.
+    examples:
+    - name: Provision the managed network.
+      text: >
+        az cognitiveservices account managed-network provision-network
+        --name my-account
+        --resource-group my-resource-group
+"""
+
+helps['cognitiveservices account managed-network outbound-rule'] = """
+    type: group
+    short-summary: Manage outbound rules for the managed network of an Azure Cognitive Services account.
+    long-summary: >
+        Outbound rules control egress traffic from the managed network. Rules can be
+        of type FQDN, PrivateEndpoint, or ServiceTag.
+"""
+
+helps['cognitiveservices account managed-network outbound-rule list'] = """
+    type: command
+    short-summary: List all outbound rules for the managed network.
+    examples:
+    - name: List all outbound rules.
+      text: >
+        az cognitiveservices account managed-network outbound-rule list
+        --name my-account
+        --resource-group my-resource-group
+"""
+
+helps['cognitiveservices account managed-network outbound-rule show'] = """
+    type: command
+    short-summary: Show details of an outbound rule.
+    examples:
+    - name: Show an outbound rule.
+      text: >
+        az cognitiveservices account managed-network outbound-rule show
+        --name my-account
+        --resource-group my-resource-group
+        --rule my-rule
+"""
+
+helps['cognitiveservices account managed-network outbound-rule remove'] = """
+    type: command
+    short-summary: Remove an outbound rule from the managed network.
+    examples:
+    - name: Remove an outbound rule.
+      text: >
+        az cognitiveservices account managed-network outbound-rule remove
+        --name my-account
+        --resource-group my-resource-group
+        --rule my-rule
+"""
+
+helps['cognitiveservices account managed-network outbound-rule set'] = """
+    type: command
+    short-summary: Create or update a single outbound rule for the managed network.
+    long-summary: >
+        Creates or updates an outbound rule of the specified type (FQDN, PrivateEndpoint, or ServiceTag).
+    examples:
+    - name: Create an FQDN outbound rule.
+      text: >
+        az cognitiveservices account managed-network outbound-rule set
+        --name my-account
+        --resource-group my-resource-group
+        --rule my-fqdn-rule
+        --type fqdn
+        --destination "*.example.com"
+    - name: Create a ServiceTag outbound rule.
+      text: >
+        az cognitiveservices account managed-network outbound-rule set
+        --name my-account
+        --resource-group my-resource-group
+        --rule my-servicetag-rule
+        --type servicetag
+        --category UserDefined
+        --destination '{"serviceTag": "Storage", "protocol": "TCP", "portRanges": "443"}'
+    - name: Create a PrivateEndpoint outbound rule.
+      text: >
+        az cognitiveservices account managed-network outbound-rule set
+        --name my-account
+        --resource-group my-resource-group
+        --rule my-pe-rule
+        --type privateendpoint
+        --destination /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount
+        --subresource-target blob
+"""
+
+helps['cognitiveservices account managed-network outbound-rule bulk-set'] = """
+    type: command
+    short-summary: Bulk create or update outbound rules from a YAML or JSON file.
+    long-summary: >
+        Reads outbound rules from a YAML or JSON file and creates or updates them in bulk.
+    examples:
+    - name: Bulk set outbound rules from a YAML file.
+      text: >
+        az cognitiveservices account managed-network outbound-rule bulk-set
+        --name my-account
+        --resource-group my-resource-group
+        --file rules.yaml
+"""
+
 helps['cognitiveservices account connection'] = """
     type: group
     short-summary: Manage Azure Cognitive Services connection and its more specific derivatives.

src/azure-cli/azure/cli/command_modules/cognitiveservices/_params.py

@@ -688,6 +688,71 @@ def load_arguments(self, _):
         c.argument('next_count', help='Cognitive Services account commitment plan next commitment period count.')
         c.argument('next_tier', help='Cognitive Services account commitment plan next commitment period tier.')
 
+    with self.argument_context('cognitiveservices account managed-network') as c:
+        c.argument('managed_network_name',
+                   options_list=['--managed-network-name'],
+                   help='Name of the managed network. Only "default" is supported.',
+                   default='default')
+
+    with self.argument_context('cognitiveservices account managed-network create') as c:
+        c.argument('managed_network',
+                   options_list=['--managed-network'],
+                   arg_type=get_enum_type(['allow_internet_outbound', 'allow_only_approved_outbound']),
+                   help='Isolation mode for the managed network.',
+                   required=True)
+        c.argument('firewall_sku',
+                   options_list=['--firewall-sku'],
+                   arg_type=get_enum_type(['Basic', 'Standard']),
+                   help='Firewall SKU for the managed network.')
+
+    with self.argument_context('cognitiveservices account managed-network update') as c:
+        c.argument('managed_network_name', default=None)
+        c.argument('managed_network',
+                   options_list=['--managed-network'],
+                   arg_type=get_enum_type(['allow_internet_outbound', 'allow_only_approved_outbound']),
+                   help='Isolation mode for the managed network.')
+        c.argument('firewall_sku',
+                   options_list=['--firewall-sku'],
+                   arg_type=get_enum_type(['Basic', 'Standard']),
+                   help='Firewall SKU for the managed network.')
+
+    with self.argument_context('cognitiveservices account managed-network outbound-rule') as c:
+        c.argument('managed_network_name',
+                   options_list=['--managed-network-name'],
+                   help='Name of the managed network. Only "default" is supported.',
+                   default='default',
+                   required=False)
+        c.argument('rule_name',
+                   options_list=['--rule'],
+                   help='Name of the outbound rule.')
+
+    with self.argument_context('cognitiveservices account managed-network outbound-rule set') as c:
+        c.argument('rule_type',
+                   options_list=['--type'],
+                   arg_type=get_enum_type(['fqdn', 'privateendpoint', 'servicetag']),
+                   help='Type of the outbound rule.',
+                   required=True)
+        c.argument('category',
+                   options_list=['--category'],
+                   arg_type=get_enum_type(['Required', 'Recommended', 'UserDefined', 'Dependency']),
+                   help='Category of the outbound rule.')
+        c.argument('destination',
+                   options_list=['--destination'],
+                   help='Destination for the outbound rule. '
+                        'For FQDN rules, this is the FQDN string. '
+                        'For PrivateEndpoint rules, this is the service resource ID. '
+                        'For ServiceTag rules, provide a JSON string or @file path.')
+        c.argument('subresource_target',
+                   options_list=['--subresource-target'],
+                   help='Subresource target for PrivateEndpoint outbound rules '
+                        '(e.g. blob, table, queue, file, web, dfs).')
+
+    with self.argument_context('cognitiveservices account managed-network outbound-rule bulk-set') as c:
+        c.argument('file',
+                   options_list=['--file'],
+                   help='Path to a YAML or JSON file containing outbound rules definition.',
+                   required=True)
+
     with self.argument_context('cognitiveservices account project') as c:
         c.argument('project_name', help='Cognitive Services account project name')
         c.argument('location', arg_type=get_location_type(self.cli_ctx),

src/azure-cli/azure/cli/command_modules/cognitiveservices/commands.py

@@ -6,7 +6,8 @@
 from azure.cli.core.commands import CliCommandType
 from azure.cli.command_modules.cognitiveservices._client_factory import cf_accounts, cf_resource_skus, \
     cf_deleted_accounts, cf_deployments, cf_commitment_plans, cf_commitment_tiers, cf_models, cf_usages, \
-    cf_ai_projects, cf_account_connections, cf_projects, cf_project_connections
+    cf_ai_projects, cf_account_connections, cf_projects, cf_project_connections, \
+    cf_managed_network_settings, cf_managed_network_provisions, cf_outbound_rule
 
 
 def load_command_table(self, _):
@@ -134,6 +135,34 @@ def load_command_table(self, _):
     with self.command_group('cognitiveservices agent logs', client_factory=cf_ai_projects, is_preview=True) as g:
         g.custom_show_command('show', 'agent_logs_show')
 
+    managed_network_settings_type = CliCommandType(
+        operations_tmpl='azure.mgmt.cognitiveservices.operations#ManagedNetworkSettingsOperations.{}',
+        client_factory=cf_managed_network_settings
+    )
+
+    outbound_rule_type = CliCommandType(
+        operations_tmpl='azure.mgmt.cognitiveservices.operations#OutboundRuleOperations.{}',
+        client_factory=cf_outbound_rule
+    )
+
+    with self.command_group(
+            'cognitiveservices account managed-network', managed_network_settings_type,
+            client_factory=cf_managed_network_settings, is_preview=True) as g:
+        g.custom_command('create', 'managed_network_create')
+        g.custom_command('update', 'managed_network_update')
+        g.custom_show_command('show', 'managed_network_show')
+        g.custom_command('provision-network', 'managed_network_provision',
+                         client_factory=cf_managed_network_provisions)
+
+    with self.command_group(
+            'cognitiveservices account managed-network outbound-rule', outbound_rule_type,
+            client_factory=cf_outbound_rule, is_preview=True) as g:
+        g.command('list', 'list')
+        g.show_command('show', 'get')
+        g.custom_command('remove', 'outbound_rule_remove', confirmation=True)
+        g.custom_command('set', 'outbound_rule_set')
+        g.custom_command('bulk-set', 'outbound_rule_bulk_set')
+
     with self.command_group(
             'cognitiveservices account project', projects_type,
             client_factory=cf_projects) as g: