How can we help?

Articles in this section

See more

Choosing the runner AI provider (Foundry or OpenAI)

ServiceAI Orion
  • Updated

A CloudRadial AutomationAI runner calls an AI provider for its AI activities. By default that is the bundled private Azure AI Foundry, but you can point it at the OpenAI public API instead. This article explains both options and how to switch by editing the runner's Key Vault secrets and restarting the Function Apps. It is for the technician operating a runner.

  • Foundry, the Default
  • OpenAI
  • The AI-Provider Key Vault Secrets
  • Switching an Existing Runner

Foundry, the Default

By default the runners call the bundled private Azure AI Foundry account, authenticated by the runner's managed identity. The Foundry account is reachable only through a private endpoint, so all AI traffic stays inside the runner's virtual network with no internet egress, and there is no API key to manage. This is the recommended posture for most installs.

OpenAI

You can instead route the runners at the OpenAI public API. In this mode the runners call api.openai.com (or an endpoint override you supply) rather than the private Foundry endpoint, so if your runner egress is locked down you must allow api.openai.com before switching. There are two ways to select OpenAI:

  • After install — edit the runner's Key Vault secrets and restart the Function Apps. This needs no redeploy
  • From a fresh install — run the underlying runner-sample/Deploy-Runner.ps1 directly with -AiProvider openai, which exposes the OpenAI parameters the installer does not

The AI-Provider Key Vault Secrets

All of the AI-provider configuration lives as plain secrets in the shared runner Key Vault. The Function Apps read them as Key Vault references at startup, so changing a secret value and restarting is all it takes to rotate the key, swap the model, or flip providers:

SecretPurpose
ai-providerThe runtime switch: foundry (default) or openai
openai-api-keyThe OpenAI API key, read only when ai-provider is openai
openai-modelThe OpenAI model id, read only when ai-provider is openai
openai-endpointAn optional base-URL override; empty defaults to https://api.openai.com/v1

The OpenAI configuration lives in its own secrets and never reuses the Foundry endpoint or credentials. To edit these secrets you need the Key Vault Secrets Officer role on the vault and network access to its private endpoint. Because the vault is private, the installer can offer to allow your machine's IP on the vault firewall at the end of a deploy; otherwise edit the secrets from a host on the runner virtual network or a peered network.

Switching an Existing Runner

To switch an already-deployed runner set:

  1. When switching to OpenAI, seed the openai-api-key and openai-model secrets first, so the runners do not restart with openai selected and no key
  2. Set the ai-provider secret to openai or back to foundry
  3. Restart every runner Function App in the resource group so they pick up the new values

No redeploy is needed. The runner's README.md includes the exact PowerShell commands for setting each secret and restarting the apps.

Comments

0 comments

Please sign in to leave a comment.