Network Isolation

Network Isolation

Author: cherchyk

infra/main.bicep

@@ -2,10 +2,13 @@ param managedIdentityPrincipalId string
 
 param suffix string = uniqueString(resourceGroup().id)
 
+@description('The tags to be assigned to the created resources.')
+param tags object
+
 @description('Service name must only contain lowercase letters, digits or dashes, cannot use dash as the first two or last one characters, cannot contain consecutive dashes, and is limited between 2 and 60 characters in length.')
 @minLength(2)
 @maxLength(60)
-param name string
+param name string = 'km-search-${suffix}'
 
 @allowed([
   'free'
@@ -45,22 +48,87 @@ param hostingMode string = 'default'
 @description('Location for all resources.')
 param location string = resourceGroup().location
 
+param vnetId string
+param privateEndpointSubnetId string
+
 resource search 'Microsoft.Search/searchServices@2023-11-01' = {
   name: name
   location: location
+  tags: tags
   sku: {
     name: sku
   }
   properties: {
     replicaCount: replicaCount
     partitionCount: partitionCount
     hostingMode: hostingMode
+
+    // bohdan Check `disableLocalAuth: true`
     authOptions: {
       aadOrApiKey: {}
     }
+
+    publicNetworkAccess: 'disabled'
+  }
+}
+
+////////////////////////// Private endpoint
+
+// resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-01-01' = {
+//   name: 'km-search-pe-${suffix}'
+//   location: location
+//   tags: tags
+//   properties: {
+//     subnet: {
+//       id: privateEndpointSubnetId
+//     }
+//     privateLinkServiceConnections: [
+//       {
+//         name: 'private-endpoint-connection'
+//         properties: {
+//           privateLinkServiceId: search.id
+//           groupIds: ['searchService']
+//         }
+//       }
+//     ]
+//   }
+// }
+
+// resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-01-01' = {
+//   name: 'km-search-pe-zg-${suffix}'
+//   parent: privateEndpoint
+//   properties: {
+//     privateDnsZoneConfigs: [
+//       {
+//         name: 'km-search-pe-zg-Config-${suffix}'
+//         properties: {
+//           privateDnsZoneId: privateDnsZoneId
+//         }
+//       }
+//     ]
+//   }
+// }
+
+module module_search_pe '../network/private-endpoint.bicep' = {
+  name: 'module_search_pe_${suffix}'
+  params: {
+    suffix: suffix
+    location: location
+    tags: tags
+
+    serviceName_Used_for_PE: name
+
+    DNSZoneName: 'privatelink.search.windows.net' // https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
+    vnetId: vnetId
+    privateEndpointSubnetId: privateEndpointSubnetId
+
+    privateLinkServiceId: search.id
+    privateLinkServiceConnections_GroupIds: ['searchService'] // https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
   }
 }
 
+////////////////////////// RBAC
+
 // Search Index Data Contributor
 resource roleAssignment1 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid('Search Index Data Contributor-${suffix}')
@@ -89,4 +157,9 @@ resource roleAssignment2 'Microsoft.Authorization/roleAssignments@2022-04-01' =
   }
 }
 
+////////////////////////// Output
+
 output searchName string = search.name
+
+// output searchObj object = search
+// output searchPrivateEndpointObj object = privateEndpoint

infra/main.json

@@ -1,11 +1,18 @@
 param suffix string = uniqueString(resourceGroup().id)
+
+param vnetId string
+param privateEndpointSubnetId string
+
 param managedIdentityPrincipalId string
 
 metadata description = 'Creates an Azure Document Intelligence (form recognizer) instance.'
 
 param name string
 param location string = resourceGroup().location
 
+@description('The tags to be assigned to the created resources.')
+param tags object
+
 @description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.')
 param customSubDomainName string = name
 param kind string = 'FormRecognizer'
@@ -30,6 +37,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   name: name
   location: location
   kind: kind
+  tags: tags
   properties: {
     customSubDomainName: customSubDomainName
     publicNetworkAccess: publicNetworkAccess
@@ -39,6 +47,28 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   sku: sku
 }
 
+////////////////////////// Private endpoint
+
+module module_DocIntel_pe '../network/private-endpoint.bicep' = {
+  name: 'module_DocIntel_pe${suffix}'
+  params: {
+    suffix: suffix
+    location: location
+    tags: tags
+
+    serviceName_Used_for_PE: name
+
+    DNSZoneName: 'privatelink.cognitiveservices.azure.com' // https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
+    vnetId: vnetId
+    privateEndpointSubnetId: privateEndpointSubnetId
+
+    privateLinkServiceId: account.id
+    privateLinkServiceConnections_GroupIds: ['account'] // https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
+  }
+}
+
+////////////////////////// RBAC
+
 // Cognitive Services User
 resource roleAssignment1 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid('Cognitive Services User-${suffix}')
@@ -53,4 +83,6 @@ resource roleAssignment1 'Microsoft.Authorization/roleAssignments@2022-04-01' =
   }
 }
 
+////////////////////////// Output
+
 output endpoint string = account.properties.endpoint

infra/modules/ai-search.bicep renamed to infra/modules/cognitive/ai-search.bicep

@@ -1,10 +1,12 @@
 param suffix string = uniqueString(resourceGroup().id)
-param managedIdentityPrincipalId string
 
 metadata description = 'Creates an Azure Cognitive Services instance.'
 param name string
 param location string = resourceGroup().location
-param tags object = {}
+
+@description('The tags to be assigned to the created resources.')
+param tags object
+
 @description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.')
 param customSubDomainName string = name
 param deployments array = []
@@ -17,6 +19,12 @@ param sku object = {
 }
 
 param allowedIpRules array = []
+
+param vnetId string
+param privateEndpointSubnetId string
+
+param managedIdentityPrincipalId string
+
 param networkAcls object = empty(allowedIpRules)
   ? {
       defaultAction: 'Allow'
@@ -47,17 +55,37 @@ resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01
     name: deployment.name
     properties: {
       model: deployment.model
-      raiPolicyName: contains(deployment, 'raiPolicyName') ? deployment.raiPolicyName : null
+      raiPolicyName: deployment.?raiPolicyName ?? null
+    }
+    sku: deployment.?sku ?? {
+      name: 'Standard'
+      capacity: 1
     }
-    sku: contains(deployment, 'sku')
-      ? deployment.sku
-      : {
-          name: 'Standard'
-          capacity: 1
-        }
   }
 ]
 
+////////////////////////// Private endpoint
+
+module module_openai_pe '../network/private-endpoint.bicep' = {
+  name: 'module_openai_pe_${suffix}'
+  params: {
+    suffix: suffix
+    location: location
+    tags: tags
+
+    serviceName_Used_for_PE: name
+
+    DNSZoneName: 'privatelink.openai.azure.com' // https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
+    vnetId: vnetId
+    privateEndpointSubnetId: privateEndpointSubnetId
+
+    privateLinkServiceId: account.id
+    privateLinkServiceConnections_GroupIds: ['account'] // https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
+  }
+}
+
+////////////////////////// RBAC
+
 // Cognitive Services OpenAI Contributor
 resource roleAssignment1 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid('Cognitive Services OpenAI Contributor-${suffix}')
@@ -86,6 +114,8 @@ resource roleAssignment2 'Microsoft.Authorization/roleAssignments@2022-04-01' =
   }
 }
 
+////////////////////////// Output
+
 output endpoint string = account.properties.endpoint
 output id string = account.id
 output name string = account.name

infra/modules/cognitive-services-docIntel.bicep renamed to infra/modules/cognitive/docIntel.bicep

@@ -0,0 +1,64 @@
+targetScope = 'resourceGroup'
+
+param suffix string = uniqueString(resourceGroup().id)
+
+@description('The location where the resources will be created.')
+param location string = resourceGroup().location
+
+@description('The tags to be assigned to the created resources.')
+param tags object
+
+@description('The name of the container apps environment. If set, it overrides the name generated by the template.')
+param containerAppsEnvironmentName string = 'km-cae-${suffix}'
+
+@description('The name of the log analytics workspace resource create in another module.')
+param logAnalyticsWorkspaceName string
+
+@description('The name of the application insights resource create in another module.')
+param applicationInsightsName string
+
+@description('The subnet id of the subnet where the container apps environment will be deployed.')
+param acaSubnetId string
+
+//////// Previously created resources
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
+  name: logAnalyticsWorkspaceName
+}
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = {
+  name: applicationInsightsName
+}
+
+////////
+
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = {
+  name: containerAppsEnvironmentName
+  location: location
+  tags: tags
+  // sku: {
+  //   name: 'Consumption'
+  // }
+  properties: {
+    daprAIInstrumentationKey: applicationInsights.properties.InstrumentationKey
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: logAnalyticsWorkspace.properties.customerId
+        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
+      }
+    }
+
+    // network
+    zoneRedundant: true
+    vnetConfiguration: {
+      infrastructureSubnetId: acaSubnetId
+      internal: true
+    }
+  }
+}
+
+output containerAppsEnvironmentName string = containerAppsEnvironment.name
+output containerAppsEnvironmentId string = containerAppsEnvironment.id
+output containerAppsEnvironmentDomain string = containerAppsEnvironment.properties.defaultDomain
+output containerAppsEnvironmentStaticIp string = containerAppsEnvironment.properties.staticIp

infra/modules/cognitive-services-openAI.bicep renamed to infra/modules/cognitive/openAI.bicep

@@ -4,14 +4,18 @@ param suffix string = uniqueString(resourceGroup().id)
 
 param location string = resourceGroup().location
 
+@description('The tags to be assigned to the created resources.')
+param tags object
+
 param managedIdentityId string
 param managedIdentityClientId string
+param KernelMemoryImageTag string = 'latest'
 
 param kmServiceName string = 'km-service-${suffix}'
 
 param containerAppsEnvironmentId string
-param appInsightsInstrumentationKey string
-param applicationInsightsConnectionString string
+@description('The name of the application insights resource create in another module.')
+param applicationInsightsName string
 
 param AzureBlobs_Account string
 param AzureQueues_Account string
@@ -26,16 +30,25 @@ param AzureAIDocIntel_Endpoint string
 param KernelMemory__ServiceAuthorization__AccessKey1 string
 param KernelMemory__ServiceAuthorization__AccessKey2 string
 
+//////// Previously created resources
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = {
+  name: applicationInsightsName
+}
+
+////////
+
 resource kmService 'Microsoft.App/containerApps@2023-05-01' = {
   name: kmServiceName
   location: location
+  tags: tags
   properties: {
     environmentId: containerAppsEnvironmentId
     configuration: {
       secrets: [
         {
           name: 'appinsights-key'
-          value: appInsightsInstrumentationKey
+          value: applicationInsights.properties.InstrumentationKey
         }
       ]
       registries: []
@@ -56,7 +69,7 @@ resource kmService 'Microsoft.App/containerApps@2023-05-01' = {
       containers: [
         {
           name: 'kernelmemory-service'
-          image: 'docker.io/kernelmemory/service:latest'
+          image: 'docker.io/kernelmemory/service:${KernelMemoryImageTag}'
           command: []
           resources: {
             cpu: json('0.25')
@@ -69,7 +82,7 @@ resource kmService 'Microsoft.App/containerApps@2023-05-01' = {
             }
             {
               name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
-              value: applicationInsightsConnectionString
+              value: applicationInsights.properties.ConnectionString
             }
 
             {