Move infrastructure & sample overviews to dedicated README files

simonkurtz-MSFT · simonkurtz-MSFT · commit 58cbf2edaa17 · 2025-06-05T22:58:12.000-04:00
diff --git a/README.md b/README.md
@@ -49,11 +49,11 @@ The first time you run a Jupyter notebook, you'll be asked to install the Jupyte
 
 | Sample Name                                                     | Description                                                                                                         | Supported Infrastructure(s)   |
 |:----------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------|:------------------------------|
-| [AuthX](./samples/authx/create.ipynb)                           | Authentication and role-based authorization in a mock HR API.                                                       | All infrastructures           |
-| [AuthX Pro](./samples/authx-pro/create.ipynb)                   | Authentication and role-based authorization in a mock product with multiple APIs and policy fragments.              | All infrastructures           |
-| [General](./samples/general/create.ipynb)                       | Basic demo of APIM sample setup and policy usage.                                                                   | All infrastructures           |
-| [Load Balancing](./samples/load-balancing/create.ipynb)         | Priority and weighted load balancing across backends.                                                               | apim-aca, afd-apim (with ACA) |
-| [Secure Blob Access](./samples/secure-blob-access/create.ipynb) | Secure blob access via the [valet key pattern](https://learn.microsoft.com/azure/architecture/patterns/valet-key).  | All infrastructures           |
+| [AuthX](./samples/authx/README.md)                           | Authentication and role-based authorization in a mock HR API.                                                       | All infrastructures           |
+| [AuthX Pro](./samples/authx-pro/README.md)                   | Authentication and role-based authorization in a mock product with multiple APIs and policy fragments.              | All infrastructures           |
+| [General](./samples/general/README.md)                       | Basic demo of APIM sample setup and policy usage.                                                                   | All infrastructures           |
+| [Load Balancing](./samples/load-balancing/README.md)         | Priority and weighted load balancing across backends.                                                               | apim-aca, afd-apim (with ACA) |
+| [Secure Blob Access](./samples/secure-blob-access/README.md) | Secure blob access via the [valet key pattern](https://learn.microsoft.com/azure/architecture/patterns/valet-key).  | All infrastructures           |
 
 ### ▶️ Running a Sample
 
diff --git a/infrastructure/afd-apim/README.md b/infrastructure/afd-apim/README.md
@@ -1,6 +1,6 @@
 # Front Door & API Management & Container Apps Infrastructure
 
-Secure architecture that takes all traffic off the public Internet once Azure Front Door is traversed. This is due to Front Door's use of a private link to Azure API Management.
+Secure architecture that takes all traffic off the public Internet once Azure Front Door is traversed. Traffic behind the Front Door is subsequently inaccessible to the public. This is due to Front Door's use of a private link to Azure API Management.
 
 <img src="./Azure Front Door, API Management & Container Apps Architecture.svg" alt="Diagram showing Azure Front Door, API Management, and Container Apps architecture. Azure Front Door routes traffic to API Management, which then routes to Container Apps. Telemetry is sent to Azure Monitor." title="Azure Front Door, API Management & Container Apps Architecture" width="1000" />
 
@@ -17,4 +17,6 @@ Adjust the `user-defined parameters` in this lab's Jupyter Notebook's [Initializ
 
 ## ▶️ Execution
 
-1. Execute this lab's [Jupyter Notebook](./create.ipynb) step-by-step or via _Run All_.
+👟 **Expected *Run All* runtime: ~13 minutes**
+
+1. Execute this lab's [Jupyter Notebook](./create.ipynb) step-by-step or via _Run All_.
diff --git a/infrastructure/afd-apim/create.ipynb b/infrastructure/afd-apim/create.ipynb
@@ -1,16 +1,5 @@
 {
  "cells": [
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "# Infrastructure: Azure Front Door to API Management via Private Link\n",
-    "\n",
-    "Sets up the infrastructure for an Azure Front Door Premium instance to connect to API Management via a private link. API Management is not accessible publicly at all and can only be reached via the private link.\n",
-    "\n",
-    "⌚ **Expected *Run All* runtime: ~13 minutes**"
-   ]
-  },
   {
    "cell_type": "markdown",
    "metadata": {},
diff --git a/infrastructure/apim-aca/README.md b/infrastructure/apim-aca/README.md
@@ -16,4 +16,6 @@ Adjust the `user-defined parameters` in this lab's Jupyter Notebook's [Initializ
 
 ## ▶️ Execution
 
-1. Execute this lab's [Jupyter Notebook](./create.ipynb) step-by-step or via _Run All_.
+👟 **Expected *Run All* runtime: ~5 minutes**
+
+1. Execute this lab's [Jupyter Notebook](./create.ipynb) step-by-step or via _Run All_.
diff --git a/infrastructure/apim-aca/create.ipynb b/infrastructure/apim-aca/create.ipynb
@@ -1,18 +1,5 @@
 {
  "cells": [
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "# Infrastructure: API Management using Azure Container Apps as its API backends\n",
-    "\n",
-    "Sets up the infrastructure for API Management to connect to backend APIs hosted in Azure Container Apps. \n",
-    "\n",
-    "This simplified setup uses public endpoints on the container apps. It _may_ eventually switch to using VNet or private link. \n",
-    "\n",
-    "⌚ **Expected *Run All* runtime: ~5 minutes**"
-   ]
-  },
   {
    "cell_type": "markdown",
    "metadata": {},
diff --git a/infrastructure/simple-apim/README.md b/infrastructure/simple-apim/README.md
@@ -15,4 +15,6 @@ Adjust the `user-defined parameters` in this lab's Jupyter Notebook's [Initializ
 
 ## ▶️ Execution
 
-1. Execute this lab's [Jupyter Notebook](./create.ipynb) step-by-step or via _Run All_.
+👟 **Expected *Run All* runtime: ~3 minutes**
+
+1. Execute this lab's [Jupyter Notebook](./create.ipynb) step-by-step or via _Run All_.
diff --git a/infrastructure/simple-apim/create.ipynb b/infrastructure/simple-apim/create.ipynb
@@ -1,16 +1,5 @@
 {
  "cells": [
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "# Infrastructure: Simple API Management\n",
-    "\n",
-    "Sets up the infrastructure for a simple API Management setup with a publicly-accessible APIM instance.\n",
-    "\n",
-    "⌚ **Expected *Run All* runtime: ~3 minutes**"
-   ]
-  },
   {
    "cell_type": "markdown",
    "metadata": {},
diff --git a/samples/_TEMPLATE/README.md b/samples/_TEMPLATE/README.md
@@ -0,0 +1,27 @@
+# Samples: [TEMPLATE NAME]
+
+[BRIEF SAMPLE DESCRIPTION]
+
+⚙️ **Supported infrastructures**: [Comma-separated names of the supported infrastructures or "All infrastructures"]
+
+👟 **Expected *Run All* runtime (excl. infrastructure prerequisite): ~[NOTEBOOK RUNTIME] minute**
+
+## 🎯 Objectives
+
+1. [LEARNING / EXPERIMENTATION OBJECTIVE 1]
+1. [LEARNING / EXPERIMENTATION OBJECTIVE 2]
+1. ...
+
+## 📝 Scenario
+
+[IF THE SAMPLE IS DEMONSTRATED THROUGH A USE CASE OR SCENARIO, PLEASE DETAIL IT HERE. OTHERWISE, DELETE THIS SECTION]
+
+## 🛩️ Lab Components
+
+[DESCRIBE IN MORE DETAIL WHAT THIS LAB SETS UP AND HOW THIS BENEFITS THE LEARNER/USER.]
+
+## ⚙️ Configuration
+
+1. Decide which of the [Infrastructure Architectures](../../README.md#infrastructure-architectures) you wish to use.
+    1. If the infrastructure _does not_ yet exist, navigate to the desired [infrastructure](../../infrastructure/) folder and follow its README.md.
+    1. If the infrastructure _does_ exist, adjust the `user-defined parameters` in the _Initialize notebook variables_ below. Please ensure that all parameters match your infrastructure.
diff --git a/samples/_TEMPLATE/create.ipynb b/samples/_TEMPLATE/create.ipynb
@@ -1,38 +1,5 @@
 {
  "cells": [
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "# Samples: [TEMPLATE NAME]\n",
-    "\n",
-    "[BRIEF SAMPLE DESCRIPTION]\n",
-    "\n",
-    "⚙️ **Supported infrastructures**: [Comma-separated names of the supported infrastructures or \"All infrastructures\"]\n",
-    "\n",
-    "⌚ **Expected *Run All* runtime (excl. infrastructure prerequisite): ~[NOTEBOOK RUNTIME] minute**\n",
-    "\n",
-    "## 🎯 Objectives\n",
-    "\n",
-    "1. [LEARNING / EXPERIMENTATION OBJECTIVE 1]\n",
-    "1. [LEARNING / EXPERIMENTATION OBJECTIVE 2]\n",
-    "1. ...\n",
-    "\n",
-    "## 📝 Scenario\n",
-    "\n",
-    "[IF THE SAMPLE IS DEMONSTRATED THROUGH A USE CASE OR SCENARIO, PLEASE DETAIL IT HERE. OTHERWISE, DELETE THIS SECTION]\n",
-    "\n",
-    "## 🧩 Lab Components\n",
-    "\n",
-    "[DESCRIBE IN MORE DETAIL WHAT THIS LAB SETS UP AND HOW THIS BENEFITS THE LEARNER/USER.]\n",
-    "\n",
-    "## ⚙️ Configuration\n",
-    "\n",
-    "1. Decide which of the [Infrastructure Architectures](../../README.md#infrastructure-architectures) you wish to use.\n",
-    "    1. If the infrastructure _does not_ yet exist, navigate to the desired [infrastructure](../../infrastructure/) folder and follow its README.md.\n",
-    "    1. If the infrastructure _does_ exist, adjust the `user-defined parameters` in the _Initialize notebook variables_ below. Please ensure that all parameters match your infrastructure."
-   ]
-  },
   {
    "cell_type": "markdown",
    "metadata": {},
diff --git a/samples/authX-pro/README.md b/samples/authX-pro/README.md
@@ -0,0 +1,31 @@
+# Samples: AuthX Pro - Authentication & Authorization
+
+Sets up a more sophisticate authentication (authN) and authorization (authZ) combination for role-based access control (RBAC) to a mock API and its operations.  
+
+⚙️ **Supported infrastructures**: All infrastructures
+
+👟 **Expected *Run All* runtime (excl. infrastructure prerequisite): ~2-3 minutes**
+
+## 🎯 Objectives
+
+1. Understand how API Management supports OAuth 2.0 authentication (authN) with JSON Web Tokens (JWT).
+1. Learn how authorization (authZ) can be accomplished based on JWT claims.
+1. Configure authN and authZ at various levels in the API Management hierarchy - product, API, and API operations
+1. Use external secrets in policies.
+1. Experience how API Management policy fragments simplify shared logic.
+
+## 📝 Scenario
+This sample, compared to the simpler _AuthX_, introduces use of API Management Product and policy fragments to simplify and consolidate shared logic. When considering scaling, consider this as your starting point.
+
+The same two personas from _AuthX_ are at play:
+
+- `HR Administrator` - holds broad rights to the API
+- `HR Associate` - has read-only permissions
+
+The API hierarchy is as follows:
+
+1. All APIs / global
+    This is a great place to do authentication, but we refrain from doing it in the sample as to not affect other samples. 
+1. HR Product
+    Perform authentication and authorization for HR_Member in the JWT claims. Continue on success; otherwise, return 401.
+1. HR Employee & Benefits APIs
diff --git a/samples/authX-pro/create.ipynb b/samples/authX-pro/create.ipynb
@@ -1,70 +1,5 @@
 {
  "cells": [
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "# Samples: AuthX Pro - Authentication & Authorization\n",
-    "\n",
-    "Sets up a more sophisticate authentication (authN) and authorization (authZ) combination for role-based access control (RBAC) to a mock API and its operations.  \n",
-    "\n",
-    "⚙️ **Supported infrastructures**: All infrastructures\n",
-    "\n",
-    "⌚ **Expected *Run All* runtime (excl. infrastructure prerequisite): ~2-3 minutes**\n",
-    "\n",
-    "## 🎯 Objectives\n",
-    "\n",
-    "1. Understand how API Management supports OAuth 2.0 authentication (authN) with JSON Web Tokens (JWT).\n",
-    "1. Learn how authorization (authZ) can be accomplished based on JWT claims.\n",
-    "1. Configure authN and authZ at various levels in the API Management hierarchy - product, API, and API operations\n",
-    "1. Use external secrets in policies.\n",
-    "1. Experience how API Management policy fragments simplify shared logic.\n",
-    "\n",
-    "## 📝 Scenario\n",
-    "This sample, compared to the simpler _AuthX_, introduces use of API Management Product and policy fragments to simplify and consolidate shared logic. When considering scaling, consider this as your starting point.\n",
-    "\n",
-    "The same two personas from _AuthX_ are at play:\n",
-    "\n",
-    "- `HR Administrator` - holds broad rights to the API\n",
-    "- `HR Associate` - has read-only permissions\n",
-    "\n",
-    "The API hierarchy is as follows:\n",
-    "\n",
-    "1. All APIs / global\n",
-    "    This is a great place to do authentication, but we refrain from doing it in the sample as to not affect other samples. \n",
-    "1. HR Product\n",
-    "    Perform authentication and authorization for HR_Member in the JWT claims. Continue on success; otherwise, return 401.\n",
-    "1. HR Employee & Benefits APIs\n",
-    "    Both APIs are associated with the HR Product. The API must be called in a product context.\n",
-    "1. API Operations\n",
-    "    GET authorization must either satisfy an HR Administrator or HR Associate role\n",
-    "    POST authorization must satisfy an HR Administrator role..\n",
-    "\n",
-    "Both personas are part of an HR_Members group and may access the HR API Management Product. Subsequent access to the APIs and their operations must be granular.\n",
-    "\n",
-    "### 💡 Notes\n",
-    "\n",
-    "Many organizations require 100% authentication for their APIs. While that is prudent and typically done at the global _All APIs_ level, we refrain from doing so here as to not impact other samples. Instead, we focus on authentication at the API Management API and API operation levels.\n",
-    "\n",
-    "## 🧩 Lab Components\n",
-    "\n",
-    "While OAuth 2.0 includes an identity provider (IDP), for sake of the sample, we can remove the complexity of including real identities. It is sufficient to use mock JWTs that we can \"authenticate\" by way of a signing key. This is a valid, albeit not the default method for authentication. \n",
-    "\n",
-    "We do not need real APIs and can rely on mock returns.\n",
-    "\n",
-    "Furthermore, secrets would ideally be kept in a secret store such as Azure Key Vault and be accessed via API Management's managed identity. Adding a Key Vault to our architecture is a stretch goal that provides value but is not immediately necessary to showcase the authX sample.\n",
-    "\n",
-    "JSON Web Tokens (JWTs) are defined in RFC 7519. Several tools exist to explore JWTs:\n",
-    "\n",
-    "🔗 [RFC 7519 - JWT](https://www.rfc-editor.org/rfc/rfc7519) | [jwt.io](https://jwt.io/) | [jwt.ms](https://jwt.ms/)\n",
-    "\n",
-    "## ⚙️ Configuration\n",
-    "\n",
-    "1. Decide which of the [Infrastructure Architectures](../../README.md#infrastructure-architectures) you wish to use.\n",
-    "    1. If the infrastructure _does not_ yet exist, navigate to the desired [infrastructure](../../infrastructure/) folder and follow its README.md.\n",
-    "    1. If the infrastructure _does_ exist, adjust the `user-defined parameters` in the _Initialize notebook variables_ below. Please ensure that all parameters match your infrastructure."
-   ]
-  },
   {
    "cell_type": "markdown",
    "metadata": {},
diff --git a/samples/authX/README.md b/samples/authX/README.md
@@ -0,0 +1,29 @@
+# Samples: AuthX - Authentication & Authorization
+
+Sets up a simple authentication (authN) and authorization (authZ) combination for role-based access control (RBAC) to a mock _Employees_ API and its operations.
+
+⚙️ **Supported infrastructures**: All infrastructures
+
+👟 **Expected *Run All* runtime (excl. infrastructure prerequisite): ~2-3 minutes**
+
+## 🎯 Objectives
+
+1. Understand how API Management supports OAuth 2.0 authentication (authN) with JSON Web Tokens (JWT).
+1. Learn how authorization (authZ) can be accomplished based on JWT claims.
+1. Configure authN and authZ at various levels in the API Management hierarchy.
+1. Use external secrets in policies.
+
+## 📝 Scenario
+
+This sample combines _authentication (authN)_ and _authorization (authZ)_ into _authX_. This scenario focuses on a Human Resources API that requires privileged role-based access to GET and to POST data. This is simplistic but shows the combination of authN and authZ.
+
+There are two personas at play:
+
+- `HR Administrator` - holds broad rights to the API
+- `HR Associate` - has read-only permissions
+
+Both personas are part of an HR_Members group and may access the HR Employees API, but its operations permissions are more granular.
+
+### 💡 Notes
+
+Many organizations require 100% authentication for their APIs. While that is prudent and typically done at the global _All APIs_ level, we refrain from doing so here as to not impact other samples. Instead, we focus on authentication at the API Management API and API operation levels.
diff --git a/samples/authX/create.ipynb b/samples/authX/create.ipynb
@@ -1,58 +1,5 @@
 {
  "cells": [
-  {
-   "cell_type": "markdown",
-   "metadata": {},
-   "source": [
-    "# Samples: AuthX - Authentication & Authorization\n",
-    "\n",
-    "Sets up a simple authentication (authN) and authorization (authZ) combination for role-based access control (RBAC) to a mock _Employees_ API and its operations.\n",
-    "\n",
-    "⚙️ **Supported infrastructures**: All infrastructures\n",
-    "\n",
-    "⌚ **Expected *Run All* runtime (excl. infrastructure prerequisite): ~2-3 minutes**\n",
-    "\n",
-    "## 🎯 Objectives\n",
-    "\n",
-    "1. Understand how API Management supports OAuth 2.0 authentication (authN) with JSON Web Tokens (JWT).\n",
-    "1. Learn how authorization (authZ) can be accomplished based on JWT claims.\n",
-    "1. Configure authN and authZ at various levels in the API Management hierarchy.\n",
-    "1. Use external secrets in policies.\n",
-    "\n",
-    "## 📝 Scenario\n",
-    "\n",
-    "This sample combines _authentication (authN)_ and _authorization (authZ)_ into _authX_. This scenario focuses on a Human Resources API that requires privileged role-based access to GET and to POST data. This is simplistic but shows the combination of authN and authZ.\n",
-    "\n",
-    "There are two personas at play:\n",
-    "\n",
-    "- `HR Administrator` - holds broad rights to the API\n",
-    "- `HR Associate` - has read-only permissions\n",
-    "\n",
-    "Both personas are part of an HR_Members group and may access the HR Employees API, but its operations permissions are more granular.\n",
-    "\n",
-    "### 💡 Notes\n",
-    "\n",
-    "Many organizations require 100% authentication for their APIs. While that is prudent and typically done at the global _All APIs_ level, we refrain from doing so here as to not impact other samples. Instead, we focus on authentication at the API Management API and API operation levels.\n",
-    "\n",
-    "## 🧩 Lab Components\n",
-    "\n",
-    "While OAuth 2.0 includes an identity provider (IDP), for sake of the sample, we can remove the complexity of including real identities. It is sufficient to use mock JWTs that we can \"authenticate\" by way of a signing key. This is a valid, albeit not the default method for authentication. \n",
-    "\n",
-    "We do not need real APIs and can rely on mock returns.\n",
-    "\n",
-    "Furthermore, secrets would ideally be kept in a secret store such as Azure Key Vault and be accessed via API Management's managed identity. Adding a Key Vault to our architecture is a stretch goal that provides value but is not immediately necessary to showcase the authX sample.\n",
-    "\n",
-    "JSON Web Tokens (JWTs) are defined in RFC 7519. Several tools exist to explore JWTs:\n",
-    "\n",
-    "🔗 [RFC 7519 - JWT](https://www.rfc-editor.org/rfc/rfc7519) | [jwt.io](https://jwt.io/) | [jwt.ms](https://jwt.ms/)\n",
-    "\n",
-    "## ⚙️ Configuration\n",
-    "\n",
-    "1. Decide which of the [Infrastructure Architectures](../../README.md#infrastructure-architectures) you wish to use.\n",
-    "    1. If the infrastructure _does not_ yet exist, navigate to the desired [infrastructure](../../infrastructure/) folder and follow its README.md.\n",
-    "    1. If the infrastructure _does_ exist, adjust the `user-defined parameters` in the _Initialize notebook variables_ below. Please ensure that all parameters match your infrastructure."
-   ]
-  },
   {
    "cell_type": "markdown",
    "metadata": {},
diff --git a/samples/general/README.md b/samples/general/README.md
diff --git a/samples/general/create.ipynb b/samples/general/create.ipynb
diff --git a/samples/load-balancing/README.md b/samples/load-balancing/README.md
diff --git a/samples/load-balancing/create.ipynb b/samples/load-balancing/create.ipynb
diff --git a/samples/secure-blob-access/README.md b/samples/secure-blob-access/README.md
diff --git a/samples/secure-blob-access/create.ipynb b/samples/secure-blob-access/create.ipynb
