Final changes to 15-network-secured set-up

Final changes to 15-network-secured set-up

Author: meerakurup

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/CheckCapabilityHostReadiness.ps1

@@ -18,7 +18,7 @@ if ($provisioningState -eq "Succeeded") {
  }
 
 if ($provisioningState -eq "Failed" -or $provisioningState -eq "Canceled") {
- Write-Output "Provisioning State: $provisioningState, project provisionig will not work."
+ Write-Output "Provisioning State: $provisioningState, project provisioning will not work."
  break;
  }
 

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/CheckCapbilityHostReadiness.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+subscriptionId="$1"
+resourcegroup="$2"
+accountName="$3"
+
+if [[ -z "$subscriptionId" || -z "$resourcegroup" || -z "$accountName" ]]; then
+    echo "Usage: $0 <subscriptionId> <resourcegroup> <accountName>"
+    exit 1
+fi
+
+while true; do
+    token=$(az account get-access-token --subscription "$subscriptionId" --query accessToken -o tsv)
+    uri="https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourcegroup/providers/Microsoft.CognitiveServices/accounts/$accountName/capabilityHosts/?api-version=2025-04-01-preview"
+    content=$(az rest --method get --uri "$uri" --headers "Authorization=Bearer $token")
+    provisioningState=$(echo "$content" | jq -r '.value[0].properties.provisioningState')
+
+    echo "Provisioning State: $provisioningState"
+
+    if [[ "$provisioningState" == "Succeeded" ]]; then
+        echo "Provisioning State: $provisioningState, Please proceed with project creation template."
+        break
+    fi
+
+    if [[ "$provisioningState" == "Failed" || "$provisioningState" == "Canceled" ]]; then
+        echo "Provisioning State: $provisioningState, project provisioning will not work."
+        break
+    fi
+
+    sleep 30
+done

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/README.md

@@ -4,13 +4,15 @@
 * PNA disabled resources
 * PE's to all resources
 * Network injection enabled for Agents
+* Virtual Network Address speace support for Class B or Class C e.g. 172.16.0.0/16 or 192.168.0.0/16
+
 
 ## Steps 
 
 1. Create new (or use existing) resource group:
 
 ```bash
-    az group create --name <new-rg-name> --location eastus
+    az group create --name <new-rg-name> --location <your-rg-region>
 ```
 
 2. Deploy the main-create.bicep
@@ -24,10 +26,27 @@
     .\CheckCapabilityHostReadiness.ps1 -subscriptionId "<your-sub-id>" -resourcegroup "<new-rg-name>" -accountname "<your-aiservices-name>"
 ```
 
+If you do not want to run the Powershell script, you can run a bash script instead, from the file CheckCapabilityHostReadiness.sh. Run the following two commands:
+
+```bash
+    chmod +x CheckCapabilityHostReadiness.sh
+    ./CheckCapabilityHostReadiness.sh "<your-sub-id>" "<new-rg-name>" "<your-aiservices-name>"
+```
+
 4. Deploy the main-project-caphost-create.bicep
 
 ```bash
-    az deployment group create --resource-group <new-rg-name> --template-file main-project-caphost-create.bicep.bicep
+    az deployment group create --resource-group <new-rg-name> --template-file main-project-caphost-create.bicep
+```
+
+After running this script, you are required to input the following values:
+
+```
+    Please provide string value for 'accountName' (? for help): <your-account-name>
+    Please provide string value for 'projectName' (? for help): <your-project-name>
+    Please provide string value for 'aiSearchName' (? for help): <your-search-name>
+    Please provide string value for 'azureStorageName' (? for help): <your-storage-name>
+    Please provide string value for 'cosmosDBName' (? for help): <your-cosmosdb-name>
 ```
 
 **NOTE:** To access your Foundry resource securely, please using either a VM, VPN, or ExpressRoute.

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/main-create.bicep

@@ -102,7 +102,7 @@ module aiAccount 'modules-network-secured/ai-account-identity.bicep' = {
     // modelVersion: modelVersion
     // modelSkuName: modelSkuName
     // modelCapacity: modelCapacity
-    subnetId: vnet.outputs.subnetId
+    agentSubnetId: vnet.outputs.agentSubnetId
   }
 }
 /*
@@ -198,7 +198,6 @@ module storageAccountRoleAssignment 'modules-network-secured/azure-storage-accou
   name: 'storage-${azureStorageName}-${uniqueSuffix}-deployment'
   scope: resourceGroup(azureStorageSubscriptionId, azureStorageResourceGroupName)
   params: { 
-    accountPrincipalId: aiAccount.outputs.accountPrincipalId
     azureStorageName: aiDependencies.outputs.azureStorageName
     projectPrincipalId: aiProject.outputs.projectPrincipalId
   }

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/modules-network-secured/ai-account-identity.bicep

@@ -5,7 +5,7 @@ param location string
 // param modelVersion string 
 // param modelSkuName string 
 // param modelCapacity int
-param subnetId string
+param agentSubnetId string
 param networkInjection string = 'true'
 
 resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = {
@@ -30,7 +30,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2025-04-01-preview' = {
     networkInjections:((networkInjection == 'true') ? [
       {
         scenario: 'agent'
-        subnetArmId: subnetId
+        subnetArmId: agentSubnetId
         useMicrosoftManagedNetwork: false
       }
       ] : null )

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/modules-network-secured/azure-storage-account-role-assignment.bicep

@@ -1,4 +1,3 @@
-param accountPrincipalId string 
 param azureStorageName string
 param projectPrincipalId string
 
@@ -14,15 +13,6 @@ resource storageBlobDataContributor 'Microsoft.Authorization/roleDefinitions@202
   scope: resourceGroup()
 }
 
-// resource storageBlobDataContributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-//   scope: storageAccount
-//   name: guid(accountPrincipalId, storageBlobDataContributor.id, storageAccount.id)
-//   properties: {
-//     principalId: accountPrincipalId
-//     roleDefinitionId: storageBlobDataContributor.id
-//     principalType: 'ServicePrincipal'
-//   }
-// }
 resource storageBlobDataContributorRoleAssignmentProject 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   scope: storageAccount
   name: guid(projectPrincipalId, storageBlobDataContributor.id, storageAccount.id)

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/modules-network-secured/blob-storage-container-role-assignments.bicep

@@ -20,7 +20,6 @@ resource storageBlobDataOwner 'Microsoft.Authorization/roleDefinitions@2022-04-0
   scope: resourceGroup()
 }
 
-
 var conditionStr= '((!(ActionMatches{\'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read\'})  AND  !(ActionMatches{\'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action\'}) AND  !(ActionMatches{\'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write\'}) ) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringStartsWithIgnoreCase \'${workspaceId}\' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringLikeIgnoreCase \'*-azureml-agent\'))'
 
 // Assign Storage Blob Data Owner role

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/modules-network-secured/standard-dependent-resources.bicep

@@ -90,6 +90,10 @@ resource aiSearch 'Microsoft.Search/searchServices@2024-06-01-preview' = if(!aiS
     publicNetworkAccess: 'disabled'
     replicaCount: 1
     semanticSearch: 'disabled'
+    networkRuleSet: {
+      bypass: 'None'
+      ipRules: []
+    }
   }
   sku: {
     name: 'standard'

samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup/modules-network-secured/vnet.bicep

@@ -3,14 +3,14 @@ Virtual Network Module
 This module deploys the core network infrastructure with security controls:
 
 1. Address Space:
-   - VNet CIDR: 172.16.0.0/16
-   - Hub Subnet: 172.16.0.0/24 (private endpoints)
-   - Agents Subnet: 172.16.101.0/24 (container apps)
+   - VNet CIDR: 172.16.0.0/16 OR 192.168.0.0/16
+   - Agents Subnet: 172.16.0.0/24 OR 192.168.0.0/24
+   - Private Endpoint Subnet: 172.16.101.0/24 OR 192.168.1.0/24
 
 2. Security Features:
-   - Service endpoints
    - Network isolation
    - Subnet delegation
+   - Private endpoint subnet 
 */
 
 @description('Azure region for the deployment')
@@ -62,5 +62,5 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-05-01' = {
 // Output variables
 output peSubnetName string = peSubnetName
 output agentSubnetName string = agentSubnetName
-output subnetId string = '${virtualNetwork.id}/subnets/${agentSubnetName}'
+output agentSubnetId string = '${virtualNetwork.id}/subnets/${agentSubnetName}'
 output virtualNetworkName string = virtualNetwork.name