azure-search-openai-demo
Optional deployment of Private Networks, Private Endpoints plus optional configuration of an ACL rule for all backend services
There are two changes in this PR:
- Introduction of an ALLOWED_IP parameter. If set, this will set an ACL rule for all backend services, those are:
- Azure Storage
- Web Apps
- Form Recognizer
- Azure Open AI
- Cognitive Search
- Introduction of an AZURE_USE_PRIVATE_ENDPOINT environment variable, which when set to true will configure VNETs, Domains and Private Endpoints for the backend services.
These settings can also be combined, if AZURE_USE_PRIVATE_ENDPOINT is true and ALLOWED_IP is true, it will configure all of the private network infrastructure but allow the backend services to be connected to from a public network (but only to the address specified).
I tested this for the ENABLE_ALLOWED_IP option without the VNet option. It did deploy and run prepdocs locally successfully. However:
- On the deployed app, it is unable to communicate with OpenAI. I believe that's because the app only allows the user IP, and not the app service IP. I don't see any option in Cognitive Service to allow all Azure services, like we have for PostgreSQL, it seems to only be compatible with VNets, unless I missed something.
- I didn't see a firewall rule for the App Service itself. I do see it in appservice.bicep but in the deployed app, it only shows the rule with priority 2147483647. I'm not sure if it ignored the one with priority 100 or what.
I wonder if we can only use the ENABLE_ALLOWED_IP in conjunction with the VNet option
I pushed some README tweaks - adding these sections to TOC and making sure auth/ACLs were colocated.
I have now tried to deploy this with the private endpoint option in GitHub Codespaces, determining the IP address with hostname -I | awk '{print $1}'.
So I did:
azd auth login
azd env set AZURE_USE_PRIVATE_ENDPOINT true
azd env set ALLOWED_IP 172.16.5.4
azd up
That failed to provision due to:
(✓) Done: Resource group: rg-privend
(✓) Done: App Service plan: plan-2cb5fvo6nwqac
(x) Failed: Search service: gptkb-2cb5fvo6nwqac
(x) Failed: Storage account: st2cb5fvo6nwqac
(✓) Done: Form recognizer: cog-fr-2cb5fvo6nwqac
(✓) Done: Azure OpenAI: cog-2cb5fvo6nwqac
ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: deploying to subscription:
Deployment Error Details:
BadRequest: The following IP address is not allowed because it is in private space, IP addresses for special uses, loopback addresses or link-local addresses: 172.16.5.4.
InvalidValuesForRequestParameters: Values for request parameters are invalid: networkAcls.ipRule[*].value. For more information, see - https://aka.ms/storagenetworkruleset
TraceID: 1138e3395adfb8f85ec3baffaff7560c
Not sure if there's a non-172 IP address for my Codespace, or if this just won't work. I'll try it locally.
@pamelafox - if I run curl http://ifconfig.me/ip from my Codespaces, I get a 20...* address.
@charris-msft Oo that does give me a different address. So yeah I'm not so good at getting IP addresses, that's why we should link to docs. :) Trying the new address now.
@tonybaloney I discovered ipSecurityRestrictions was being configured at the wrong level, inside properties instead of properties/siteConfig. Also, it requires "/32" (CIDR notation) when specifying a single IP address. I concatenated it for now but there should be logic that only does that if no slash is in the address.
Now when I provision I can see the expected rules:
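The two rule-shape problems raised in the thread (a bare ALLOWED_IP needs "/32" for App Service ipSecurityRestrictions, and Storage rejects private, loopback, link-local and special-use addresses) are easy to get wrong in a string concatenation. The following is an added Python example, not code from this PR or from the project, showing how the value could be validated and normalised before it reaches Bicep: the "/32" is appended only when no prefix is present, non-public IPv4 ranges are rejected up front with the same class of reason the Storage deployment gave, and the rule objects are emitted in the property shapes App Service (ipAddress/action/priority/name under siteConfig) and Storage (networkAcls.ipRules value/action) accept. Storage documents that /31 and /32 ranges must be given as individual IP rules, so those are expanded. The function and rule names are this example's own, not the project's.

```python
import ipaddress
from typing import Dict, List, Tuple


def normalize_allowed_ip(addr: str) -> ipaddress.IPv4Network:
    """Parse an ALLOWED_IP value into an IPv4 network.

    A bare address becomes a single-host /32; an explicit prefix such as
    "20.1.2.0/24" is kept as written. Non-public ranges are rejected because
    Azure Storage network rules only accept public internet addresses.
    """
    text = addr.strip()
    net = ipaddress.ip_network(text if "/" in text else f"{text}/32", strict=False)
    if net.version != 4:
        raise ValueError(f"{addr!r}: only IPv4 is supported by these IP rules")
    # is_global is False for RFC 1918 space (10/8, 172.16/12, 192.168/16),
    # loopback (127/8), link-local (169.254/16), shared address space and
    # other special-use ranges, which is exactly what Storage refuses.
    if not net.is_global:
        raise ValueError(
            f"{addr!r} is a private, loopback, link-local or special-use address; "
            "use the public egress address (e.g. from a 'what is my IP' service)"
        )
    return net


def check_allowed_ip(addr: str) -> Tuple[bool, str]:
    """Return (ok, normalised CIDR or error message) for an ALLOWED_IP value."""
    try:
        return True, str(normalize_allowed_ip(addr))
    except ValueError as exc:
        return False, str(exc)


def app_service_rule(net: ipaddress.IPv4Network, priority: int = 100) -> Dict[str, object]:
    """One entry for properties.siteConfig.ipSecurityRestrictions (CIDR required)."""
    return {
        "ipAddress": str(net),  # always CIDR, e.g. 20.1.2.3/32
        "action": "Allow",
        "priority": priority,
        "name": "allowed-ip",
    }


def storage_ip_rules(net: ipaddress.IPv4Network) -> List[Dict[str, str]]:
    """Entries for networkAcls.ipRules on a Storage account.

    Storage does not accept /31 or /32 prefixes; single hosts (and the two
    addresses of a /31) must be listed as individual bare-address rules.
    """
    if net.prefixlen >= 31:
        return [{"value": str(ip), "action": "Allow"} for ip in net]
    return [{"value": str(net), "action": "Allow"}]


if __name__ == "__main__":
    # Constructed sample inputs: the private Codespaces address from the
    # thread, a public single host, a public range and a loopback address.
    for sample in ("172.16.5.4", "20.1.2.3", "20.1.2.0/24", "127.0.0.1"):
        ok, detail = check_allowed_ip(sample)
        print(f"{sample:>14}: {'ok ' if ok else 'REJECT '}{detail}")
        if ok:
            net = normalize_allowed_ip(sample)
            print("   app service:", app_service_rule(net))
            print("   storage    :", storage_ip_rules(net))
```

Running this with the 172.16.5.4 value from the failed provision rejects it locally, before azd spends minutes on a deployment that the Storage resource provider will refuse anyway.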
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed.
I'm bumping this PR, hopefully this can be integrated. This would probably solve my ticket #1361.
We are still doing additional testing of this PR, sorry for the delay - it's important that we get this right, given this impacts security.
I understand the importance of testing in this case. In the mean time however, could you perhaps write some documentation on how to manually set everything up to use private endpoints instead of public access? It seems like it should be fairly straightforward, but for someone new to the Azure platform like me, it proved to be much more challenging than I thought. I'm closer to a working solution every day, but time is running out for our hackathon. I tried to fall back on the simpler Azure AI Studio solution, but I'm still bogged down by all the security restrictions that are present in our tenant.
@DuboisABB It's challenging for us as well, which is why we're trying to get the changes in the Bicep. The Azure docs does have some documentation, like:
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
https://learn.microsoft.com/en-us/azure/dns/private-dns-overview
We're consulting the docs as we make this change. Sorry it was frustrating! It's not just you- it's not straightforward to set up for most folks.
This similar project integrates an optional "zero trust" deployment: https://github.com/Azure/GPT-RAG Perhaps it might be useful to look at their bicep files.
Check Country Locale in URLs
We have automatically detected added country locale to URLs in your files. Review and remove country-specific locale from URLs to resolve this issue.
Check the file paths and associated URLs inside them. For more details, check our Contributing Guide.
| File Full Path | Issues |
|---|---|
| ./docs/deploy_private.md | 1. https://azure.microsoft.com/en-in/pricing/details/dns/ 2. https://learn.microsoft.com/en-us/azure/bastion/bastion-overview |
Check Country Locale in URLs
We have automatically detected added country locale to URLs in your files. Review and remove country-specific locale from URLs to resolve this issue.
Check the file paths and associated URLs inside them. For more details, check our Contributing Guide.
| File Full Path | Issues |
|---|---|
| ./docs/deploy_private.md | 1. https://learn.microsoft.com/en-us/azure/bastion/bastion-overview |
Check Country Locale in URLs
We have automatically detected added country locale to URLs in your files. Review and remove country-specific locale from URLs to resolve this issue.
Check the file paths and associated URLs inside them. For more details, check our Contributing Guide.
| File Full Path | Issues |
|---|---|
| ./docs/deploy_private.md | 1. https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device |
Check Broken URLs
We have automatically detected the following broken URLs in your files. Review and fix the paths to resolve this issue.
Check the file paths and associated broken URLs inside them. For more details, check our Contributing Guide.
| File Full Path | Issues |
|---|---|
| ./docs/login_and_acl.md | 1. https://learn.microsoft.com/rest/api/searchservice/documents/?view=rest-searchservice-2023-11-01&tabs=HTTP |