Optional deployment of Private Networks, Private Endpoints plus optional configuration of an ACL rule for all backend services #864

Merged: mattgotteiner merged 71 commits into Azure-Samples:main from tonybaloney:private_endpoint on May 15, 2024
71 commits

b28f7a2 Add resources based on GitHub thread (tonybaloney)
491b1e1 Make the private endpoints an optional feature (tonybaloney)
df2fe2b Use descriptive names (tonybaloney)
1125665 Fix provisioning of app service when use PE not enabled (tonybaloney)
a818b8a Fix the bicep/ARM resolver order when not using PEs (tonybaloney)
6e3ecba Update the instructions (tonybaloney)
afa94bb App Service should go in subnet 2 (tonybaloney)
afbbad4 Propagate tags and set default values for the PE DNS resources (tonybaloney)
0c05529 Propagate tags in the VNET (tonybaloney)
38a26d4 Work on a refactor closer to the RAG sample (tonybaloney)
015c094 Propagate network isolation flag to cog services (tonybaloney)
f7a2efb Merge remote-tracking branch 'origin/main' into private_endpoint (tonybaloney)
9b882c2 clean up redundant args (tonybaloney)
f09b354 Merge branch 'main' into private_endpoint (tonybaloney)
852014f Merge remote-tracking branch 'origin/main' into private_endpoint (tonybaloney)
a3e6ec5 Add an allowed hosts parameter and enable public network access when … (tonybaloney)
234d1a6 Update app service as well to have an allowlist setup (tonybaloney)
456640f Add some explanation (tonybaloney)
63e5402 Merge branch 'main' into private_endpoint (tonybaloney)
16aa92e Add link to other section (tonybaloney)
22ef2fe Add an explanation about combining the two settings (tonybaloney)
e3a9708 Update README.md (tonybaloney)
e7551ac Update README.md (tonybaloney)
f0e973f Update README.md (tonybaloney)
644624d Update README.md (tonybaloney)
3920b5e Update names (tonybaloney)
5c3264f Merge branch 'private_endpoint' of github.com:tonybaloney/azure-searc… (tonybaloney)
114adc7 Rename allow host to allow IP addresses (tonybaloney)
a152b76 Update links in README (tonybaloney)
fa00b27 Add the DNS zone and PE for CogServices/Form Recognizer (tonybaloney)
8f6a9ff Readme tweaks (add to TOC, colocate) (pamelafox)
0bf85a6 Move config to the right location (pamelafox)
9b4f73b Bicep formatting changes (pamelafox)
a4f44d2 Address Jon's comments and change readme to only have vnet option (pamelafox)
87cbcea Merge branch 'main' into private_endpoint (pamelafox)
3a06ec2 Check for CIDR for app service IP, alphabetize (pamelafox)
575f154 Merge branch 'private_endpoint' of https://github.com/tonybaloney/azu… (pamelafox)
180e289 Use lower case for search (tonybaloney)
d5ff641 Refactor vnet to make the subnets a parameter (tonybaloney)
fb19ef6 Merge branch 'main' into private_endpoint (pamelafox)
5326f84 Resolve some PR feedback (tonybaloney)
06ed516 Address outstanding PR feedback, (tonybaloney)
eca29f3 merge?
414350c merge?
cb7c05b update (mattgotteiner)
22a2d9c Merge remote-tracking branch 'upstream/main' into matt/private_endpoint (mattgotteiner)
9f38f53 merge + fixes (mattgotteiner)
0db69f3 WIP (mattgotteiner)
78ac5ea Merge remote-tracking branch 'upstream/main' into matt/private_endpoint (mattgotteiner)
7af5cc6 WIP (mattgotteiner)
e876449 still working on template (mattgotteiner)
3cf7551 remove unused comment; add param (mattgotteiner)
fdcd72e fix error on no pe (mattgotteiner)
c6e9ff6 Merge remote-tracking branch 'origin/main' into private_endpoint (mattgotteiner)
8fb9ddd working (mattgotteiner)
0822baa update (mattgotteiner)
bd22012 refactoring (mattgotteiner)
bdeea06 adding docs (mattgotteiner)
d0d78e5 Conditional fixes (pamelafox)
8d01b58 Don't run prepdocs without network access (pamelafox)
72b5214 Apply suggestions from code review (pamelafox)
a464824 Update docs/deploy_private.md (pamelafox)
1f2f6e6 Update docs/deploy_private.md (pamelafox)
d397a20 addressing feedback (mattgotteiner)
cd09eb9 Merge branch 'private_endpoint' of https://github.com/tonybaloney/azu… (mattgotteiner)
7831e20 bicep lint; add os offer / publisher as params (mattgotteiner)
253ebb9 merge (mattgotteiner)
9e55db0 update docs (mattgotteiner)
93bb7a0 fixing bicep deployment (mattgotteiner)
b2394e3 remove locale (mattgotteiner)
ab63607 remove slow link (mattgotteiner)
@@ -0,0 +1,48 @@
# Deploying with private access

If you want to disable public access when deploying the Chat App, you can do so by setting `azd` environment values.

## Before you begin

Deploying with public access disabled adds additional cost to your deployment. Please see pricing for the following products:

1. [Private Endpoints](https://azure.microsoft.com/pricing/details/private-link/)
1. The exact number of private endpoints created depends on the [optional features](./deploy_features.md) used.
1. [Private DNS Zones](https://azure.microsoft.com/pricing/details/dns/)
1. (Optional, but recommended)[Azure Virtual Machines](https://azure.microsoft.com/pricing/details/virtual-machines/windows/)
1. (Optional, but recommended)[Azure Bastion](https://azure.microsoft.com/pricing/details/azure-bastion/)

## Environment variables controlling private access

1. `AZURE_PUBLIC_NETWORK_ACCESS`: Controls the value of public network access on supported Azure resources. Valid values are 'Enabled' or 'Disabled'.
1. When public network access is 'Enabled', Azure resources are open to the internet.
1. When public network access is 'Disabled', Azure resources are only accessible over a virtual network.
1. `AZURE_USE_PRIVATE_ENDPOINT`: Controls deployment of [private endpoints](https://learn.microsoft.com/azure/private-link/private-endpoint-overview) which connect Azure resources to the virtual network.
1. When set to 'true', ensures private endpoints are deployed for connectivity even when `AZURE_PUBLIC_NETWORK_ACCESS` is 'Disabled'.
1. Note that private endpoints do not make the chat app accessible from the internet. Connections must be initiated from inside the virtual network.
1. `AZURE_PROVISION_VM`: Controls deployment of a [virtual machine](https://learn.microsoft.com/azure/virtual-machines/overview) and [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview). Azure Bastion allows you to securely connect to the virtual machine, without being connected virtual network. Since the virtual machine is connected to the virtual network, you are able to access the chat app.
1. You must set `AZURE_VM_USERNAME` and `AZURE_VM_PASSWORD` to provision the built-in administrator account with the virtual machine so you can log in through Azure Bastion.
1. By default, a server version of Windows is used for the VM. If you need to [enroll your device in Microsoft Intune](https://learn.microsoft.com/mem/intune/user-help/enroll-windows-10-device), you should use a desktop version of Windows by setting the following environment variables:
* `azd env set AZURE_VM_OS_PUBLISHER MicrosoftWindowsDesktop`
* `azd env set AZURE_VM_OS_OFFER Windows-11`
* `azd env set AZURE_VM_OS_VERSION win11-23h2-pro`

## Recommended deployment strategy for private access

1. Deploy the app with private endpoints enabled and public access enabled.
```
azd env set AZURE_USE_PRIVATE_ENDPOINT true
azd env set AZURE_PUBLIC_NETWORK_ACCESS Enabled
azd up
```
2. Validate that you can connect to the chat app and it's working as expected from the internet.
3. Re-provision the app with public access disabled.
```
azd env set AZURE_PUBLIC_NETWORK_ACCESS Disabled
azd env set AZURE_PROVISION_VM true # Optional but recommended
azd env set AZURE_VM_USERNAME myadminusername # https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-username-requirements-when-creating-a-vm-
azd env set AZURE_VM_PASSWORD mypassword # https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-
azd provision
```
4. Log into your new VM using [Azure Bastion](https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal#connect). Validate the chat app is accessible from the virtual machine using a web browser.
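Review bot: step 3 of the recommended strategy has the reader run `azd env set AZURE_VM_PASSWORD mypassword`, which stores the VM's built-in administrator password in clear text in the azd environment's .env file (and leaves it in shell history); the doc should say so and advise a throwaway value that is rotated after first login, or point to a secret-backed way of supplying it. The variable list also never states that setting `AZURE_PUBLIC_NETWORK_ACCESS` to 'Disabled' with `AZURE_USE_PRIVATE_ENDPOINT` unset leaves every service unreachable: the strategy section only works because step 1 already created the private endpoints, so the required combination should be spelled out under `AZURE_USE_PRIVATE_ENDPOINT`. Two typos: "recommended)[Azure Virtual Machines]" is missing a space, and "without being connected virtual network" should read "without being connected to the virtual network".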
@@ -0,0 +1,68 @@
```bicep
param name string
param location string
param vmSize string = 'Standard_DS1_v2'
param adminUsername string
@secure()
param adminPassword string
param osVersion string = '2022-datacenter-azure-edition'
param osPublisher string = 'MicrosoftWindowsServer'
param osOffer string = 'WindowsServer'
param nicId string
param securityType string = 'TrustedLaunch'

var securityProfileJson = {
  uefiSettings: {
    secureBootEnabled: true
    vTpmEnabled: true
  }
  securityType: securityType
}

resource vm 'Microsoft.Compute/virtualMachines@2022-03-01' = {
  name: name
  location: location
  properties: {
    hardwareProfile: {
      vmSize: vmSize
    }
    osProfile: {
      computerName: name
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    storageProfile: {
      imageReference: {
        publisher: osPublisher
        offer: osOffer
        sku: osVersion
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'StandardSSD_LRS'
        }
      }
      dataDisks: [
        {
          diskSizeGB: 1023
          lun: 0
          createOption: 'Empty'
        }
      ]
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nicId
        }
      ]
    }
    diagnosticsProfile: {
      bootDiagnostics: {
        enabled: true
      }
    }
    securityProfile: ((securityType == 'TrustedLaunch') ? securityProfileJson : null)
  }
}
```
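Review bot: `securityType` is an unconstrained string, so any value other than the exact spelling 'TrustedLaunch' (for example 'trustedlaunch') makes the ternary at the bottom set `securityProfile` to null and the VM is silently created without Secure Boot or vTPM; add `@allowed(['Standard', 'TrustedLaunch'])` to the parameter (or replace it with a bool) so a mistyped value fails validation instead. The `dataDisks` block also attaches an empty 1023 GB disk to what the accompanying doc describes as a browser jump box behind Bastion; that is cost with no stated purpose, so drop it or make the size a parameter defaulting to none. Minor: `version: 'latest'` makes the image non-reproducible across provisions, and the admin account is password-only, so the doc should at least state that the password exists solely for Bastion login.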
Conversations

Does this have to be uppercase? Is it case sensitive? (I was surprised to see the capitalization, but I'm guessing it's because you're matching to an ARM value)

It is case sensitive: https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-bicep
What we can do is accept a lower-cased "enabled" and fix it later (toUpper first letter and strcat it back?)

I'm not positive we should do this, since there's an advantage of matching the Bicep expectations, but we'll see if developers mess this up frequently.
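The thread above weighs normalising a lower-cased "enabled" against keeping the exact ARM spelling. As an added example, not code from this PR or the project, the following Bicep shows the strict option: an `@allowed` decorator restricts the parameter to the two values ARM accepts, so a wrong-case value is rejected when the deployment is validated (`az deployment group validate`, or `bicep build` with a .bicepparam file) rather than failing, or being silently ignored, at the resource provider. The parameter names, the storage account name and the `networkAcls` default are assumptions for illustration.

```bicep
// Added example (not part of the PR). The ARM value is case-sensitive, so the
// parameter is locked to the exact strings instead of being fixed up later.
@allowed([
  'Enabled'
  'Disabled'
])
param publicNetworkAccess string = 'Disabled'

param storageAccountName string
param location string = resourceGroup().location

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    // Passed through unchanged; @allowed above guarantees the casing is right.
    publicNetworkAccess: publicNetworkAccess
    // Assumption: when public access is off, also default the account firewall
    // to Deny so an accidental flip back to 'Enabled' does not reopen it wide.
    networkAcls: {
      defaultAction: publicNetworkAccess == 'Disabled' ? 'Deny' : 'Allow'
      bypass: 'AzureServices'
    }
  }
}
```

Passing `-p publicNetworkAccess=enabled` to this template is refused with an allowed-values error before any resource is touched, which is the failure mode the first comment was asking about.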