Merge pull request #2 from nourshaker-msft/main

pablocast · web-flow · commit dda7cbae42d2 · 2025-12-22T13:19:08.000-03:00
Changes to ensure inter-oprability with WSL and missing items from the VM Start up
diff --git a/labs/ai-foundry-private-mcp/agent/load_env_from_kv.py b/labs/ai-foundry-private-mcp/agent/load_env_from_kv.py
@@ -21,5 +21,6 @@ def load_secrets_from_keyvault(vault_url: str):
             env_var_name = secret_name.replace("-", "_")
             os.environ[env_var_name] = secret.value
         except Exception as e:
+            print(f"Error loading secret {secret_name}: {e}")
     
     print("Environment variables loaded successfully!")
diff --git a/labs/ai-foundry-private-mcp/clean-up-resources.ipynb b/labs/ai-foundry-private-mcp/clean-up-resources.ipynb
@@ -20,13 +20,15 @@
     "import utils\n",
     "\n",
     "deployment_name = os.path.basename(os.path.dirname(globals()['__vsc_ipynb_file__']))\n",
-    "utils.cleanup_resources(deployment_name)"
+    "resource_group = f\"lab-{deployment_name}\"\n",
+    "\n",
+    "utils.cleanup_resources(deployment_name, resource_group_name=resource_group)"
    ]
   }
  ],
  "metadata": {
   "kernelspec": {
-   "display_name": ".venv",
+   "display_name": "base",
    "language": "python",
    "name": "python3"
   },
@@ -40,7 +42,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.11.0rc2"
+   "version": "3.12.2"
   }
  },
  "nbformat": 4,
diff --git a/labs/ai-foundry-private-mcp/foundry-private-mcp.ipynb b/labs/ai-foundry-private-mcp/foundry-private-mcp.ipynb
@@ -9,7 +9,7 @@
     "## Microsoft Foundry Private connectivity lab\n",
     "![flow](./architecture.png)\n",
     "\n",
-    "Playground to show how to create a private network for consuming REST API managed as MCPs using `Foundry Agents V1`. This lab demonstrates how to create a private network for consuming MCPs from `Foundry Agents V1` using `Private Link Services`, `Azure API Management (APIM)`, and `Azure Front Door`.\n",
+    "Playground to show how to create a private network for consuming REST API managed as MCPs using `Foundry Agents Classic`. This lab demonstrates how to create a private network for consuming MCPs from `Foundry Agents Classic` using `Private Link Services`, `Azure API Management (APIM)`, and `Azure Front Door`.\n",
     "\n",
     "Notes:\n",
     "- `Foundry Agents` are only accessible through `Private Endpoints`. Public network access is disabled.\n",
@@ -19,6 +19,7 @@
     "- **`Azure Front Door` is the only publicly-accessible service.**\n",
     "\n",
     "### Prerequisites\n",
+    "- **important** Admin access to be able to deploy and configure Enterprise Applications in Entra ID\n",
     "- [Python 3.12 or later version](https://www.python.org/) installed\n",
     "- [Pandas Library](https://pandas.pydata.org/) and matplotlib installed\n",
     "- [VS Code](https://code.visualstudio.com/) installed with the [Jupyter notebook extension](https://marketplace.visualstudio.com/items?itemName=ms-toolsai.jupyter) enabled\n",
@@ -160,10 +161,10 @@
     "if output.success and output.json_data:\n",
     "    apim_resource_id = utils.get_deployment_output(output, 'apimResourceId', 'apimResourceId')\n",
     "\n",
-    "    outputPls = utils.run(f\"az network private-endpoint-connection list --id {apim_resource_id} --query [?properties.privateLinkServiceConnectionState.status=='Pending'].id --output tsv\")\n",
+    "    outputPls = utils.run(f\"az network private-endpoint-connection list --id {apim_resource_id} --query \\\"[?properties.privateLinkServiceConnectionState.status=='Pending'].id\\\" --output tsv\")\n",
     "\n",
     "    if outputPls.success:\n",
-    "        pls_connection_id = outputPls.text\n",
+    "        pls_connection_id = outputPls.text.strip()\n",
     "        print(pls_connection_id)\n",
     "        utils.run(f\"az network private-endpoint-connection approve --id {pls_connection_id} --description 'Approved'\", f\"Private Link Connection approved.\", f\"Failed to approve Private Link Connection: {pls_connection_id}\")"
    ]
@@ -219,7 +220,9 @@
     "    apim_resource_gateway_url = utils.get_deployment_output(output, 'apimResourceGatewayURL', 'APIM API Gateway URL')\n",
     "    apim_subscription_key = utils.get_deployment_output(output, 'apimSubscriptionKey', 'APIM Subscription Key (masked)', True)\n",
     "    ai_foundry_project_endpoint = utils.get_deployment_output(output, 'ai_project_endpoint', 'AI Foundry Project Endpoint')\n",
-    "    ai_deployment_name = utils.get_deployment_output(output, 'ai_model_deployment_name', 'AI Model Deployment Name')"
+    "    ai_deployment_name = utils.get_deployment_output(output, 'ai_model_deployment_name', 'AI Model Deployment Name')\n",
+    "    vm_resource_id = utils.get_deployment_output(output, 'vmResourceId', 'VM Resource ID')\n",
+    "    key_vault_url = utils.get_deployment_output(output, 'keyVaultUrl', 'Key Vault URL')"
    ]
   },
   {
@@ -229,7 +232,9 @@
     "<a id='6'></a>\n",
     "### 6️⃣ 🧪 Test the API using a direct HTTP call through Frontdoor\n",
     "\n",
-    "Requests is an elegant and simple HTTP library for Python that will be used here to make raw API requests and inspect the responses. "
+    "Requests is an elegant and simple HTTP library for Python that will be used here to make raw API requests and inspect the responses.\n",
+    "\n",
+    "**After a successful deployment it may take up to 45 mins for this cell to run correctly**"
    ]
   },
   {
@@ -245,10 +250,11 @@
     "    request = {\"method\":\"tools/call\",\"params\":{\"name\":\"PlaceOrder-invoke\",\"arguments\":{\"request-PlaceOrder\":{\"sku\":\"sku-123\",\"quantity\":5}}},\"jsonrpc\":\"2.0\",\"id\":1}\n",
     "    print(f\"Calling MCP endpoint at URL: {url}\")\n",
     "    utils.print_info(\"Calling MCP endpoint WITH authorization...\")\n",
-    "    output = utils.run(\"az account get-access-token --resource \\\"https://azure-api.net/authorization-manager\\\"\")\n",
+    "    output = utils.run('az account get-access-token --resource \"https://azure-api.net/authorization-manager\"')\n",
     "\n",
     "    access_token = output.json_data['accessToken']\n",
     "    response = requests.post(url, stream=True, headers={\"Content-Type\": \"application/json\", \"agent-id\": \"Agent1\", \"Authorization\": \"Bearer \" + str(access_token)}, json=request)\n",
+    "    print(response.status_code)\n",
     "\n",
     "    print(f\"Response status code: {response.status_code}\")\n",
     "\n",
@@ -265,7 +271,11 @@
     "                    data = json.loads(line.strip()[5:])\n",
     "                    print(json.dumps(json.loads(data[\"result\"][\"content\"][0][\"text\"]), indent=4))\n",
     "    else:\n",
-    "        utils.print_error(f\"Unexpected status code: {response.status_code}. Response text: {response.text}\")\n",
+    "        try:\n",
+    "            error_text = response.text\n",
+    "        except Exception:\n",
+    "            error_text = \"[Unable to read response body]\"\n",
+    "        utils.print_error(f\"Unexpected status code: {response.status_code}.\")\n",
     "\n",
     "call_mcp_api(f\"https://{frontdoor_endpoint}\")"
    ]
@@ -304,12 +314,28 @@
     "\n"
    ]
   },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "utils.print_info(f\"\"\"Run the following command to connect to the VM via Bastion: \n",
+    "az network bastion ssh \\\n",
+    "--name bastion-host \\\n",
+    "--resource-group {resource_group_name} \\\n",
+    "--target-resource-id {vm_resource_id} \\\n",
+    "--auth-type password \\\n",
+    "--username azureuser\n",
+    "\"\"\")"
+   ]
+  },
   {
    "cell_type": "markdown",
    "metadata": {},
    "source": [
     "##### 1. Connect to Jumpbox\n",
-    "Use Azure Bastion to connect to the VM:\n",
+    "Use Azure Bastion to connect to the VM (full command is the output from previos cell):\n",
     "\n",
     "```bash\n",
     "az network bastion ssh \\\n",
@@ -320,35 +346,28 @@
     "  --username azureuser\n",
     "```\n",
     "\n",
+    "***Password:***\n",
+    "```bash\n",
+    "@Aa123456789\n",
+    "```\n",
+    "\n",
     "Or connect via the Azure Portal: Navigate to the VM → Connect → Bastion\n",
     "\n",
     "Once connected to the jumpbox, create the required scripts:\n",
     "\n",
-    "##### 2. Create `scripts/load_env_from_kv.py`\n",
+    "##### 2. Download needed files\n",
     "```bash \n",
-    "cat > ~/scripts/load_env_from_kv.py << 'EOF'\n",
-    "# Paste content of agent/load_env_from_kv.py here\n",
-    "EOF\n",
+    "wget https://raw.githubusercontent.com/pablocast/AI-Gateway/refs/heads/main/labs/ai-foundry-private-mcp/agent/load_env_from_kv.py\n",
+    "wget https://raw.githubusercontent.com/pablocast/AI-Gateway/refs/heads/main/labs/ai-foundry-private-mcp/agent/sample_agents_mcp.py\n",
     "```\n",
     "\n",
-    "\n",
-    "##### 3. Create `scripts/sample_agents_mcp.py`\n",
-    "```bash \n",
-    "cat > ~/scripts/sample_agents_mcp.py << 'EOF'\n",
-    "# Paste content of agent/sample_agents_mcp.py here\n",
-    "EOF\n",
-    "```\n",
-    "\n",
-    "##### 4. Run the agent\n",
+    "##### 3. Run the agent\n",
     "```bash\n",
-    "# Activate virtual environment\n",
-    "source ~/venv/bin/activate\n",
-    "\n",
     "# Get Key Vault URL from deployment outputs\n",
-    "KEY_VAULT_URL=\"https://kv-xxxxx.vault.azure.net/\"\n",
+    "KEY_VAULT_URL=\"<KEY-VAULT-URL>\"\n",
     "\n",
     "# Run the MCP agent\n",
-    "python3 ~/scripts/sample_agents_mcp.py $KEY_VAULT_URL\n",
+    "python3 ~/sample_agents_mcp.py $KEY_VAULT_URL\n",
     "```\n",
     "\n"
    ]
@@ -367,7 +386,7 @@
  ],
  "metadata": {
   "kernelspec": {
-   "display_name": ".venv",
+   "display_name": "base",
    "language": "python",
    "name": "python3"
   },
@@ -381,7 +400,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.12.10"
+   "version": "3.12.2"
   }
  },
  "nbformat": 4,
diff --git a/labs/ai-foundry-private-mcp/main.bicep b/labs/ai-foundry-private-mcp/main.bicep
@@ -81,6 +81,29 @@ resource nsgApim 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
   location: resourceGroup().location
 }
 
+// NSG for VM Subnet
+resource nsgVm 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+  name: 'nsg-vm'
+  location: resourceGroup().location
+  properties: {
+    securityRules: [
+      {
+        name: 'AllowSSH'
+        properties: {
+          priority: 100
+          direction: 'Inbound'
+          access: 'Allow'
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          destinationPortRange: '22'
+          sourceAddressPrefix: '*'
+          destinationAddressPrefix: '*'
+        }
+      }
+    ]
+  }
+}
+
 // VNET and Subnets
 resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-11-01' = {
   name: virtualNetworkName
@@ -117,6 +140,9 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-11-01' = {
         name: subnetVmName
         properties: {
           addressPrefix: '10.0.2.0/24'
+          networkSecurityGroup: {
+            id: nsgVm.id
+          }
         }
       }
       {
@@ -710,15 +736,19 @@ resource vmExtension 'Microsoft.Compute/virtualMachines/extensions@2023-09-01' =
         apt-get update
         
         # Install Python and venv
-        apt-get install -y python3 python3-pip python3-venv python3-full
+        apt-get install -y python3 python3-pip python3-venv python3-full vim wget
         
         # Create a virtual environment for the azureuser
         mkdir -p /home/azureuser/scripts
         python3 -m venv /home/azureuser/venv
+
+        wget -O /home/azureuser/requirements.txt https://raw.githubusercontent.com/Azure-Samples/AI-Gateway/refs/heads/main/requirements.txt
         
         # Install packages in the virtual environment
         /home/azureuser/venv/bin/pip install --upgrade pip
-        /home/azureuser/venv/bin/pip install requests azure-identity azure-ai-projects azure-ai-agents==1.2.0b6 requests jsonref python-dotenv azure-keyvault-secrets
+        /home/azureuser/venv/bin/pip install -r /home/azureuser/requirements.txt
+
+        echo "source /home/azureuser/venv/bin/activate" >> /home/azureuser/.bashrc
 
         # Set ownership
         chown -R azureuser:azureuser /home/azureuser/venv
@@ -846,7 +876,7 @@ module keyVaultModule './modules/keyvault.bicep' = {
     privateEndpointSubnetId: subnetPe.id
     virtualNetworkId: virtualNetwork.id
     secrets: {
-      'MCP-SERVER-URL': 'https://${frontDoorEndpoint.properties.hostName}/order-mcp/mcp'
+      'MCP-SERVER-URL': '${frontDoorEndpoint.properties.hostName}/order-mcp/mcp'
       'MCP-SERVER-LABEL': 'order_mcp'
       'AZURE-AI-PROJECT-ENDPOINT': foundryAccountModule.outputs.aiFoundryProjectEndpoint
       'AZURE-AI-MODEL-DEPLOYMENT-NAME': modelsConfig[0].name
@@ -870,3 +900,4 @@ output frontDoorEndpointHostName string = frontDoorEndpoint.properties.hostName
 output ai_project_endpoint string = foundryAccountModule.outputs.aiFoundryProjectEndpoint
 output ai_model_deployment_name string = modelsConfig[0].name
 output keyVaultUrl string = keyVaultModule.outputs.keyVaultUrl
+output vmResourceId string = vm.id
