Azure-Samples
diff --git a/Diff for: ‎README.md
+4 b/Diff for: ‎README.md
+4
diff --git a/Diff for: ‎azure.yaml
+2-2 b/Diff for: ‎azure.yaml
+2-2
diff --git a/Diff for: ‎docs/enhance-security.md
+28 b/Diff for: ‎docs/enhance-security.md
+28
diff --git a/Diff for: ‎infra/abbreviations.json
+135-134 b/Diff for: ‎infra/abbreviations.json
+135-134
diff --git a/Diff for: ‎infra/app/api.bicep
+67 b/Diff for: ‎infra/app/api.bicep
+67
@@ -136,6 +136,10 @@ The deployment process will take a few minutes. Once it's done, you'll see the U
 
 You can now open the web app in your browser and start chatting with the bot.
 
+##### Enhance security
+
+When deploying the sample in an enterprise context, you may want to enforce tighter security restrictions to protect your data and resources. See the [enhance security](./docs/enhance-security.md) guide for more information.
+
 #### Clean up
 
 To clean up all the Azure resources created by this sample:
 
@@ -35,7 +35,7 @@ hooks:
   postup:
     windows:
       shell: pwsh
-      run: node scripts/upload-documents.js "$env:API_URL"
+      run: node scripts/upload-documents.js "$env:UPLOAD_URL"
     posix:
       shell: sh
-      run: node scripts/upload-documents.js "$API_URL"
+      run: node scripts/upload-documents.js "$UPLOAD_URL"
@@ -0,0 +1,28 @@
+# Enhance security
+
+To achieve enterprise grade security we've ensured you can leverage the features below through an opt-in flag:
+
+- **Deploy in a [virtual network](https://learn.microsoft.com/azure/virtual-network/virtual-networks-overview)**, to restrict access to the resources including the Azure Functions API and the Azure Storage where the documents are stored.
+
+- **Leverage [Azure Entra managed identity](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)** to disable all local authentication methods (ie API keys) and rely [Role-based Access Control (RBAC)](https://learn.microsoft.com/azure/role-based-access-control/overview).
+
+You can enable these features when deploying this sample by following these steps:
+
+1. Create a new environment for your deployment (you cannot update an existing one):
+   ```bash
+   azd env create my-secure-env
+   ```
+2. Enable the virtual network feature and disable local authentication:
+   ```bash
+   azd env set USE_VNET true
+   ```
+3. Deploy the sample to the new environment:
+   ```bash
+   azd up
+   ```
+
+Note that enabling virtual network will induce additional costs, as it requires the deployment of extra resources and needs to switch to paid plans for the Azure Functions and Azure Static Web App.
+
+> [!IMPORTANT]
+> When VNET is enabled, you will lose the ability to run the sample locally while connected to Azure resources.
+> You can always fall back to using a local AI model and database for development purposes, by deleting the `api/.env` file
@@ -1,136 +1,137 @@
 {
-  "analysisServicesServers": "as",
-  "apiManagementService": "apim-",
-  "appConfigurationConfigurationStores": "appcs-",
-  "appManagedEnvironments": "cae-",
-  "appContainerApps": "ca-",
-  "authorizationPolicyDefinitions": "policy-",
-  "automationAutomationAccounts": "aa-",
-  "blueprintBlueprints": "bp-",
-  "blueprintBlueprintsArtifacts": "bpa-",
-  "cacheRedis": "redis-",
-  "cdnProfiles": "cdnp-",
-  "cdnProfilesEndpoints": "cdne-",
-  "cognitiveServicesAccounts": "cog-",
-  "cognitiveServicesFormRecognizer": "cog-fr-",
-  "cognitiveServicesTextAnalytics": "cog-ta-",
-  "computeAvailabilitySets": "avail-",
-  "computeCloudServices": "cld-",
-  "computeDiskEncryptionSets": "des",
-  "computeDisks": "disk",
-  "computeDisksOs": "osdisk",
-  "computeGalleries": "gal",
-  "computeSnapshots": "snap-",
-  "computeVirtualMachines": "vm",
-  "computeVirtualMachineScaleSets": "vmss-",
-  "containerInstanceContainerGroups": "ci",
-  "containerRegistryRegistries": "cr",
-  "containerServiceManagedClusters": "aks-",
-  "databricksWorkspaces": "dbw-",
-  "dataFactoryFactories": "adf-",
-  "dataLakeAnalyticsAccounts": "dla",
-  "dataLakeStoreAccounts": "dls",
-  "dataMigrationServices": "dms-",
-  "dBforMySQLServers": "mysql-",
-  "dBforPostgreSQLServers": "psql-",
-  "devicesIotHubs": "iot-",
-  "devicesProvisioningServices": "provs-",
-  "devicesProvisioningServicesCertificates": "pcert-",
-  "documentDBDatabaseAccounts": "cosmos-",
-  "eventGridDomains": "evgd-",
-  "eventGridDomainsTopics": "evgt-",
-  "eventGridEventSubscriptions": "evgs-",
-  "eventHubNamespaces": "evhns-",
-  "eventHubNamespacesEventHubs": "evh-",
-  "hdInsightClustersHadoop": "hadoop-",
-  "hdInsightClustersHbase": "hbase-",
-  "hdInsightClustersKafka": "kafka-",
-  "hdInsightClustersMl": "mls-",
-  "hdInsightClustersSpark": "spark-",
-  "hdInsightClustersStorm": "storm-",
-  "hybridComputeMachines": "arcs-",
-  "insightsActionGroups": "ag-",
-  "insightsComponents": "appi-",
-  "keyVaultVaults": "kv-",
-  "kubernetesConnectedClusters": "arck",
-  "kustoClusters": "dec",
-  "kustoClustersDatabases": "dedb",
-  "loadTesting": "lt-",
-  "logicIntegrationAccounts": "ia-",
-  "logicWorkflows": "logic-",
-  "machineLearningServicesWorkspaces": "mlw-",
-  "managedIdentityUserAssignedIdentities": "id-",
-  "managementManagementGroups": "mg-",
-  "migrateAssessmentProjects": "migr-",
-  "networkApplicationGateways": "agw-",
-  "networkApplicationSecurityGroups": "asg-",
-  "networkAzureFirewalls": "afw-",
-  "networkBastionHosts": "bas-",
-  "networkConnections": "con-",
-  "networkDnsZones": "dnsz-",
-  "networkExpressRouteCircuits": "erc-",
-  "networkFirewallPolicies": "afwp-",
-  "networkFirewallPoliciesWebApplication": "waf",
-  "networkFirewallPoliciesRuleGroups": "wafrg",
-  "networkFrontDoors": "fd-",
-  "networkFrontdoorWebApplicationFirewallPolicies": "fdfp-",
-  "networkLoadBalancersExternal": "lbe-",
-  "networkLoadBalancersInternal": "lbi-",
-  "networkLoadBalancersInboundNatRules": "rule-",
-  "networkLocalNetworkGateways": "lgw-",
-  "networkNatGateways": "ng-",
-  "networkNetworkInterfaces": "nic-",
-  "networkNetworkSecurityGroups": "nsg-",
-  "networkNetworkSecurityGroupsSecurityRules": "nsgsr-",
-  "networkNetworkWatchers": "nw-",
-  "networkPrivateDnsZones": "pdnsz-",
-  "networkPrivateLinkServices": "pl-",
-  "networkPublicIPAddresses": "pip-",
-  "networkPublicIPPrefixes": "ippre-",
-  "networkRouteFilters": "rf-",
-  "networkRouteTables": "rt-",
-  "networkRouteTablesRoutes": "udr-",
-  "networkTrafficManagerProfiles": "traf-",
-  "networkVirtualNetworkGateways": "vgw-",
-  "networkVirtualNetworks": "vnet-",
-  "networkVirtualNetworksSubnets": "snet-",
-  "networkVirtualNetworksVirtualNetworkPeerings": "peer-",
-  "networkVirtualWans": "vwan-",
-  "networkVpnGateways": "vpng-",
-  "networkVpnGatewaysVpnConnections": "vcn-",
-  "networkVpnGatewaysVpnSites": "vst-",
-  "notificationHubsNamespaces": "ntfns-",
-  "notificationHubsNamespacesNotificationHubs": "ntf-",
-  "operationalInsightsWorkspaces": "log-",
-  "portalDashboards": "dash-",
-  "powerBIDedicatedCapacities": "pbi-",
-  "purviewAccounts": "pview-",
-  "recoveryServicesVaults": "rsv-",
-  "resourcesResourceGroups": "rg-",
-  "searchSearchServices": "srch-",
-  "serviceBusNamespaces": "sb-",
-  "serviceBusNamespacesQueues": "sbq-",
-  "serviceBusNamespacesTopics": "sbt-",
-  "serviceEndPointPolicies": "se-",
-  "serviceFabricClusters": "sf-",
-  "signalRServiceSignalR": "sigr",
-  "sqlManagedInstances": "sqlmi-",
-  "sqlServers": "sql-",
-  "sqlServersDataWarehouse": "sqldw-",
-  "sqlServersDatabases": "sqldb-",
-  "sqlServersDatabasesStretch": "sqlstrdb-",
-  "storageStorageAccounts": "st",
-  "storageStorageAccountsVm": "stvm",
-  "storSimpleManagers": "ssimp",
-  "streamAnalyticsCluster": "asa-",
-  "synapseWorkspaces": "syn",
-  "synapseWorkspacesAnalyticsWorkspaces": "synw",
-  "synapseWorkspacesSqlPoolsDedicated": "syndp",
-  "synapseWorkspacesSqlPoolsSpark": "synsp",
-  "timeSeriesInsightsEnvironments": "tsi-",
-  "webServerFarms": "plan-",
-  "webSitesAppService": "app-",
-  "webSitesAppServiceEnvironment": "ase-",
-  "webSitesFunctions": "func-",
-  "webStaticSites": "stapp-"
+    "analysisServicesServers": "as",
+    "apiManagementService": "apim-",
+    "appConfigurationStores": "appcs-",
+    "appManagedEnvironments": "cae-",
+    "appContainerApps": "ca-",
+    "authorizationPolicyDefinitions": "policy-",
+    "automationAutomationAccounts": "aa-",
+    "blueprintBlueprints": "bp-",
+    "blueprintBlueprintsArtifacts": "bpa-",
+    "cacheRedis": "redis-",
+    "cdnProfiles": "cdnp-",
+    "cdnProfilesEndpoints": "cdne-",
+    "cognitiveServicesAccounts": "cog-",
+    "cognitiveServicesFormRecognizer": "cog-fr-",
+    "cognitiveServicesTextAnalytics": "cog-ta-",
+    "cognitiveServicesSpeech": "cog-sp-",
+    "computeAvailabilitySets": "avail-",
+    "computeCloudServices": "cld-",
+    "computeDiskEncryptionSets": "des",
+    "computeDisks": "disk",
+    "computeDisksOs": "osdisk",
+    "computeGalleries": "gal",
+    "computeSnapshots": "snap-",
+    "computeVirtualMachines": "vm",
+    "computeVirtualMachineScaleSets": "vmss-",
+    "containerInstanceContainerGroups": "ci",
+    "containerRegistryRegistries": "cr",
+    "containerServiceManagedClusters": "aks-",
+    "databricksWorkspaces": "dbw-",
+    "dataFactoryFactories": "adf-",
+    "dataLakeAnalyticsAccounts": "dla",
+    "dataLakeStoreAccounts": "dls",
+    "dataMigrationServices": "dms-",
+    "dBforMySQLServers": "mysql-",
+    "dBforPostgreSQLServers": "psql-",
+    "devicesIotHubs": "iot-",
+    "devicesProvisioningServices": "provs-",
+    "devicesProvisioningServicesCertificates": "pcert-",
+    "documentDBDatabaseAccounts": "cosmos-",
+    "eventGridDomains": "evgd-",
+    "eventGridDomainsTopics": "evgt-",
+    "eventGridEventSubscriptions": "evgs-",
+    "eventHubNamespaces": "evhns-",
+    "eventHubNamespacesEventHubs": "evh-",
+    "hdInsightClustersHadoop": "hadoop-",
+    "hdInsightClustersHbase": "hbase-",
+    "hdInsightClustersKafka": "kafka-",
+    "hdInsightClustersMl": "mls-",
+    "hdInsightClustersSpark": "spark-",
+    "hdInsightClustersStorm": "storm-",
+    "hybridComputeMachines": "arcs-",
+    "insightsActionGroups": "ag-",
+    "insightsComponents": "appi-",
+    "keyVaultVaults": "kv-",
+    "kubernetesConnectedClusters": "arck",
+    "kustoClusters": "dec",
+    "kustoClustersDatabases": "dedb",
+    "loadTesting": "lt-",
+    "logicIntegrationAccounts": "ia-",
+    "logicWorkflows": "logic-",
+    "machineLearningServicesWorkspaces": "mlw-",
+    "managedIdentityUserAssignedIdentities": "id-",
+    "managementManagementGroups": "mg-",
+    "migrateAssessmentProjects": "migr-",
+    "networkApplicationGateways": "agw-",
+    "networkApplicationSecurityGroups": "asg-",
+    "networkAzureFirewalls": "afw-",
+    "networkBastionHosts": "bas-",
+    "networkConnections": "con-",
+    "networkDnsZones": "dnsz-",
+    "networkExpressRouteCircuits": "erc-",
+    "networkFirewallPolicies": "afwp-",
+    "networkFirewallPoliciesWebApplication": "waf",
+    "networkFirewallPoliciesRuleGroups": "wafrg",
+    "networkFrontDoors": "fd-",
+    "networkFrontdoorWebApplicationFirewallPolicies": "fdfp-",
+    "networkLoadBalancersExternal": "lbe-",
+    "networkLoadBalancersInternal": "lbi-",
+    "networkLoadBalancersInboundNatRules": "rule-",
+    "networkLocalNetworkGateways": "lgw-",
+    "networkNatGateways": "ng-",
+    "networkNetworkInterfaces": "nic-",
+    "networkNetworkSecurityGroups": "nsg-",
+    "networkNetworkSecurityGroupsSecurityRules": "nsgsr-",
+    "networkNetworkWatchers": "nw-",
+    "networkPrivateDnsZones": "pdnsz-",
+    "networkPrivateLinkServices": "pl-",
+    "networkPublicIPAddresses": "pip-",
+    "networkPublicIPPrefixes": "ippre-",
+    "networkRouteFilters": "rf-",
+    "networkRouteTables": "rt-",
+    "networkRouteTablesRoutes": "udr-",
+    "networkTrafficManagerProfiles": "traf-",
+    "networkVirtualNetworkGateways": "vgw-",
+    "networkVirtualNetworks": "vnet-",
+    "networkVirtualNetworksSubnets": "snet-",
+    "networkVirtualNetworksVirtualNetworkPeerings": "peer-",
+    "networkVirtualWans": "vwan-",
+    "networkVpnGateways": "vpng-",
+    "networkVpnGatewaysVpnConnections": "vcn-",
+    "networkVpnGatewaysVpnSites": "vst-",
+    "notificationHubsNamespaces": "ntfns-",
+    "notificationHubsNamespacesNotificationHubs": "ntf-",
+    "operationalInsightsWorkspaces": "log-",
+    "portalDashboards": "dash-",
+    "powerBIDedicatedCapacities": "pbi-",
+    "purviewAccounts": "pview-",
+    "recoveryServicesVaults": "rsv-",
+    "resourcesResourceGroups": "rg-",
+    "searchSearchServices": "srch-",
+    "serviceBusNamespaces": "sb-",
+    "serviceBusNamespacesQueues": "sbq-",
+    "serviceBusNamespacesTopics": "sbt-",
+    "serviceEndPointPolicies": "se-",
+    "serviceFabricClusters": "sf-",
+    "signalRServiceSignalR": "sigr",
+    "sqlManagedInstances": "sqlmi-",
+    "sqlServers": "sql-",
+    "sqlServersDataWarehouse": "sqldw-",
+    "sqlServersDatabases": "sqldb-",
+    "sqlServersDatabasesStretch": "sqlstrdb-",
+    "storageStorageAccounts": "st",
+    "storageStorageAccountsVm": "stvm",
+    "storSimpleManagers": "ssimp",
+    "streamAnalyticsCluster": "asa-",
+    "synapseWorkspaces": "syn",
+    "synapseWorkspacesAnalyticsWorkspaces": "synw",
+    "synapseWorkspacesSqlPoolsDedicated": "syndp",
+    "synapseWorkspacesSqlPoolsSpark": "synsp",
+    "timeSeriesInsightsEnvironments": "tsi-",
+    "webServerFarms": "plan-",
+    "webSitesAppService": "app-",
+    "webSitesAppServiceEnvironment": "ase-",
+    "webSitesFunctions": "func-",
+    "webStaticSites": "stapp-"
 }
@@ -0,0 +1,67 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param appServicePlanId string
+param storageAccountName string
+param virtualNetworkSubnetId string
+param applicationInsightsName string
+param allowedOrigins array
+param appSettings object
+param staticWebAppName string = ''
+
+var useVnet = !empty(virtualNetworkSubnetId)
+var finalApi = useVnet ? apiFlex : api
+
+module apiFlex '../core/host/functions-flex.bicep' = if (useVnet) {
+  name: 'api-flex'
+  scope: resourceGroup()
+  params: {
+    name: name
+    location: location
+    tags: tags
+    allowedOrigins: allowedOrigins
+    alwaysOn: false
+    runtimeName: 'node'
+    runtimeVersion: '20'
+    appServicePlanId: appServicePlanId
+    storageAccountName: storageAccountName
+    applicationInsightsName: applicationInsightsName
+    virtualNetworkSubnetId: virtualNetworkSubnetId
+    appSettings: appSettings
+  }
+}
+
+module api '../core/host/functions.bicep' = if (!useVnet) {
+  name: 'api'
+  scope: resourceGroup()
+  params: {
+    name: name
+    location: location
+    tags: tags
+    allowedOrigins: allowedOrigins
+    alwaysOn: false
+    runtimeName: 'node'
+    runtimeVersion: '20'
+    appServicePlanId: appServicePlanId
+    storageAccountName: storageAccountName
+    applicationInsightsName: applicationInsightsName
+    managedIdentity: true
+    appSettings: appSettings
+  }
+}
+
+// Link the Function App to the Static Web App
+module linkedBackend './linked-backend.bicep' = if (useVnet) {
+  name: 'linkedbackend'
+  scope: resourceGroup()
+  params: {
+    staticWebAppName: staticWebAppName
+    backendResourceId: finalApi.outputs.id
+    backendLocation: location
+  }
+}
+
+output identityPrincipalId string = finalApi.outputs.identityPrincipalId
+output name string = finalApi.outputs.name
+output uri string = finalApi.outputs.uri