If you want to disable public access when deploying the Chat App, you can do so by setting azd environment values.
📺 Watch a video overview of the VM provisioning process
Deploying with public access disabled adds cost to your deployment. Please see pricing for the following products:
- Private Endpoints
  - The exact number of private endpoints created depends on the optional features used.
- Private DNS Zones
- (Optional, but recommended) Azure Virtual Machines
- (Optional, but recommended) Azure Bastion

The following azd environment variables control private access:

- AZURE_PUBLIC_NETWORK_ACCESS: Controls the value of public network access on supported Azure resources. Valid values are 'Enabled' or 'Disabled'.
  - When public network access is 'Enabled', Azure resources are open to the internet.
  - When public network access is 'Disabled', Azure resources are only accessible over a virtual network.
- AZURE_USE_PRIVATE_ENDPOINT: Controls deployment of private endpoints which connect Azure resources to the virtual network.
  - When set to 'true', ensures private endpoints are deployed for connectivity even when AZURE_PUBLIC_NETWORK_ACCESS is 'Disabled'.
  - Note that private endpoints do not make the chat app accessible from the internet. Connections must be initiated from inside the virtual network.
- AZURE_PROVISION_VM: Controls deployment of a virtual machine and Azure Bastion. Azure Bastion allows you to securely connect to the virtual machine without being connected to the virtual network. Since the virtual machine is connected to the virtual network, you are able to access the chat app.
  - You must set AZURE_VM_USERNAME and AZURE_VM_PASSWORD to provision the built-in administrator account with the virtual machine so you can log in through Azure Bastion.
  - By default, a server version of Windows is used for the VM. If you need to enroll your device in Microsoft Intune, you should use a desktop version of Windows by setting the following environment variables:

        azd env set AZURE_VM_OS_PUBLISHER MicrosoftWindowsDesktop
        azd env set AZURE_VM_OS_OFFER Windows-11
        azd env set AZURE_VM_OS_VERSION win11-23h2-pro

To deploy with private access:

- Deploy the app with private endpoints enabled and public access enabled.

      azd env set AZURE_USE_PRIVATE_ENDPOINT true
      azd env set AZURE_PUBLIC_NETWORK_ACCESS Enabled
      azd up

- Validate that you can connect to the chat app and it's working as expected from the internet.
- Re-provision the app with public access disabled.

      azd env set AZURE_PUBLIC_NETWORK_ACCESS Disabled
      azd env set AZURE_PROVISION_VM true # Optional but recommended
      azd env set AZURE_VM_USERNAME myadminusername # https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-username-requirements-when-creating-a-vm-
      azd env set AZURE_VM_PASSWORD mypassword # https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-
      azd provision

- Log into your new VM using Azure Bastion. Validate the chat app is accessible from the virtual machine using a web browser.
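
A preflight check for the variable combinations described above, written as an added example (it is not part of the project or of azd). The function names `get_val` and `check_private_env` are hypothetical, the sample input is constructed, and the input format is assumed to be the `KEY="value"` lines printed by `azd env get-values`.

```shell
#!/usr/bin/env bash
# Added example (not from the project): preflight check for the azd values on this page.
# Input on stdin: KEY="value" lines, the format printed by `azd env get-values`.

# Print the value of key $1 from $ENV_LINES (empty if unset; last assignment wins).
get_val() {
  printf '%s\n' "$ENV_LINES" |
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | tail -n 1
}

# Hypothetical helper: returns 0 if the combination is deployable, 1 otherwise.
check_private_env() {
  ENV_LINES=$(cat)
  rc=0
  pna=$(get_val AZURE_PUBLIC_NETWORK_ACCESS)
  pe=$(get_val AZURE_USE_PRIVATE_ENDPOINT)
  vm=$(get_val AZURE_PROVISION_VM)

  case "$pna" in
    Disabled) ;;
    Enabled) echo "WARN: public network access Enabled; resources are open to the internet" ;;
    "") echo "WARN: AZURE_PUBLIC_NETWORK_ACCESS is not set; the template default applies" ;;
    *) echo "ERROR: AZURE_PUBLIC_NETWORK_ACCESS must be Enabled or Disabled, got '$pna'"; rc=1 ;;
  esac
  if [ "$pna" = "Disabled" ] && [ "$pe" != "true" ]; then
    echo "ERROR: access Disabled without AZURE_USE_PRIVATE_ENDPOINT=true: no private path to the resources"
    rc=1
  fi
  if [ "$pna" = "Disabled" ] && [ "$vm" != "true" ]; then
    echo "WARN: no VM/Bastion requested; you need another way into the virtual network"
  fi
  if [ "$vm" = "true" ]; then
    for key in AZURE_VM_USERNAME AZURE_VM_PASSWORD; do
      [ -n "$(get_val "$key")" ] || { echo "ERROR: $key must be set when AZURE_PROVISION_VM is true"; rc=1; }
    done
  fi
  return "$rc"
}

# Constructed sample: public access disabled, VM requested, password forgotten.
check_private_env <<'EOF' || echo "Fix the errors above before running azd provision."
AZURE_PUBLIC_NETWORK_ACCESS="Disabled"
AZURE_USE_PRIVATE_ENDPOINT="true"
AZURE_PROVISION_VM="true"
AZURE_VM_USERNAME="myadminusername"
EOF
```

Against a real environment, run it as `azd env get-values | check_private_env` before `azd provision`. The values it reads, including AZURE_VM_PASSWORD, are stored in plain text in the environment's .env file under .azure/.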