Remove VM (#1852)

Author: pamelafox

docs/deploy_private.md

@@ -3,17 +3,13 @@
 
 If you want to disable public access when deploying the Chat App, you can do so by setting `azd` environment values.
 
-[📺 Watch a video overview of the VM provisioning process](https://www.youtube.com/watch?v=RbITd0a5who)
-
 ## Before you begin
 
 Deploying with public access disabled adds additional cost to your deployment. Please see pricing for the following products:
 
 1. [Private Endpoints](https://azure.microsoft.com/pricing/details/private-link/)
     1. The exact number of private endpoints created depends on the [optional features](./deploy_features.md) used.
 1. [Private DNS Zones](https://azure.microsoft.com/pricing/details/dns/)
-1. (Optional, but recommended)[Azure Virtual Machines](https://azure.microsoft.com/pricing/details/virtual-machines/windows/)
-1. (Optional, but recommended)[Azure Bastion](https://azure.microsoft.com/pricing/details/azure-bastion/)
 
 ## Environment variables controlling private access
 
@@ -23,13 +19,6 @@ Deploying with public access disabled adds additional cost to your deployment. P
 1. `AZURE_USE_PRIVATE_ENDPOINT`: Controls deployment of [private endpoints](https://learn.microsoft.com/azure/private-link/private-endpoint-overview) which connect Azure resources to the virtual network.
     1. When set to 'true', ensures private endpoints are deployed for connectivity even when `AZURE_PUBLIC_NETWORK_ACCESS` is 'Disabled'.
     1. Note that private endpoints do not make the chat app accessible from the internet. Connections must be initiated from inside the virtual network.
-1. `AZURE_PROVISION_VM`: Controls deployment of a [virtual machine](https://learn.microsoft.com/azure/virtual-machines/overview) and [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview). Azure Bastion allows you to securely connect to the virtual machine, without being connected virtual network. Since the virtual machine is connected to the virtual network, you are able to access the chat app.
-    1. You must set `AZURE_VM_USERNAME` and `AZURE_VM_PASSWORD` to provision the built-in administrator account with the virtual machine so you can log in through Azure Bastion.
-    1. By default, a server version of Windows is used for the VM. If you need to [enroll your device in Microsoft Intune](https://learn.microsoft.com/mem/intune/user-help/enroll-windows-10-device), you should use a desktop version of Windows by setting the following environment variables:
-
-      * `azd env set AZURE_VM_OS_PUBLISHER MicrosoftWindowsDesktop`
-      * `azd env set AZURE_VM_OS_OFFER Windows-11`
-      * `azd env set AZURE_VM_OS_VERSION win11-23h2-pro`
 
 ## Recommended deployment strategy for private access
 
@@ -46,10 +35,7 @@ Deploying with public access disabled adds additional cost to your deployment. P
 
   ```shell
   azd env set AZURE_PUBLIC_NETWORK_ACCESS Disabled
-  azd env set AZURE_PROVISION_VM true # Optional but recommended
-  azd env set AZURE_VM_USERNAME myadminusername # https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-username-requirements-when-creating-a-vm-
-  azd env set AZURE_VM_PASSWORD mypassword # https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-
   azd provision
   ```
 
-1. Log into your new VM using [Azure Bastion](https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal#connect). Validate the chat app is accessible from the virtual machine using a web browser.
+1. Log into your network using a tool like [Azure VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) and validate that you can connect to the chat app from inside the network.

infra/core/host/vm.bicep

@@ -151,17 +151,6 @@ param publicNetworkAccess string = 'Enabled'
 @description('Add a private endpoints for network connectivity')
 param usePrivateEndpoint bool = false
 
-@description('Provision a VM to use for private endpoint connectivity')
-param provisionVm bool = false
-param vmUserName string = ''
-@secure()
-param vmPassword string = ''
-param vmOsVersion string = ''
-param vmOsPublisher string = ''
-param vmOsOffer string = ''
-@description('Size of the virtual machine.')
-param vmSize string = 'Standard_DS1_v2'
-
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
 
@@ -716,10 +705,8 @@ module isolation 'network-isolation.bicep' = {
   params: {
     location: location
     tags: tags
-    resourceToken: resourceToken
     vnetName: '${abbrs.virtualNetworks}${resourceToken}'
     appServicePlanName: appServicePlan.outputs.name
-    provisionVm: provisionVm
     usePrivateEndpoint: usePrivateEndpoint
   }
 }
@@ -774,22 +761,6 @@ module privateEndpoints 'private-endpoints.bicep' = if (usePrivateEndpoint) {
   }
 }
 
-module vm 'core/host/vm.bicep' = if (provisionVm && usePrivateEndpoint) {
-  name: 'vm'
-  scope: resourceGroup
-  params: {
-    name: '${abbrs.computeVirtualMachines}${resourceToken}'
-    location: location
-    adminUsername: vmUserName
-    adminPassword: vmPassword
-    nicId: isolation.outputs.nicId
-    osVersion: vmOsVersion
-    osPublisher: vmOsPublisher
-    osOffer: vmOsOffer
-    vmSize: vmSize
-  }
-}
-
 // Used to read index definitions (required when using authentication)
 // https://learn.microsoft.com/azure/search/search-security-rbac
 module searchReaderRoleBackend 'core/security/role.bicep' = if (useAuthentication) {

infra/core/networking/bastion.bicep

@@ -215,24 +215,6 @@
     "bypass": {
       "value": "${AZURE_NETWORK_BYPASS=AzureServices}"
     },
-    "provisionVm": {
-      "value": "${AZURE_PROVISION_VM=false}"
-    },
-    "vmUserName": {
-      "value": "${AZURE_VM_USERNAME}"
-    },
-    "vmPassword": {
-      "value": "${AZURE_VM_PASSWORD}"
-    },
-    "vmOsVersion": {
-      "value": "${AZURE_VM_OS_VERSION=2022-datacenter-azure-edition}"
-    },
-    "vmOsPublisher": {
-      "value": "${AZURE_VM_OS_PUBLISHER=MicrosoftWindowsServer}"
-    },
-    "vmOsOffer": {
-      "value": "${AZURE_VM_OS_OFFER=WindowsServer}"
-    },
     "useIntegratedVectorization": {
       "value": "${USE_FEATURE_INT_VECTORIZATION}"
     },

infra/core/networking/ip.bicep

@@ -12,15 +12,8 @@ param tags object = {}
 @description('The name of an existing App Service Plan to connect to the VNet')
 param appServicePlanName string
 
-@description('A unique token to append to the end of all resource names')
-param resourceToken string
-
-param provisionVm bool = false
-
 param usePrivateEndpoint bool = false
 
-var abbrs = loadJsonContent('abbreviations.json')
-
 resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' existing = {
   name: appServicePlanName
 }
@@ -75,34 +68,7 @@ module vnet './core/networking/vnet.bicep' = if (usePrivateEndpoint) {
   }
 }
 
-module nic 'core/networking/nic.bicep' = if (usePrivateEndpoint && provisionVm) {
-  name: 'nic'
-  params: {
-    name: '${abbrs.networkNetworkInterfaces}${resourceToken}'
-    location: location
-    subnetId: usePrivateEndpoint ? vnet.outputs.vnetSubnets[3].id : ''
-  }
-}
-
-module publicIp 'core/networking/ip.bicep' = if (usePrivateEndpoint && provisionVm) {
-  name: 'ip'
-  params: {
-    name: '${abbrs.networkPublicIPAddresses}${resourceToken}'
-    location: location
-  }
-}
-
-module bastion 'core/networking/bastion.bicep' = if (usePrivateEndpoint && provisionVm) {
-  name: 'bastion'
-  params: {
-    name: '${abbrs.networkBastionHosts}${resourceToken}'
-    location: location
-    subnetId: usePrivateEndpoint ? vnet.outputs.vnetSubnets[1].id : ''
-    publicIPId: provisionVm ? publicIp.outputs.id : ''
-  }
-}
 
 output appSubnetId string = usePrivateEndpoint ? vnet.outputs.vnetSubnets[2].id : ''
 output backendSubnetId string = usePrivateEndpoint ? vnet.outputs.vnetSubnets[0].id : ''
 output vnetName string = usePrivateEndpoint ? vnet.outputs.name : ''
-output nicId string = provisionVm && usePrivateEndpoint ? nic.outputs.id : ''