Add App Service private endpoint for deployment

pamelafox · pamelafox · commit 5a92db1c1a1d · 2025-07-30T11:22:48.000-07:00
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -1206,6 +1206,16 @@ var containerAppsPrivateEndpointConnection = (usePrivateEndpoint && deploymentTa
       }
     ]
   : []
+
+var appServicePrivateEndpointConnection = (usePrivateEndpoint && deploymentTarget == 'appservice')
+  ? [
+      {
+        groupId: 'sites'
+        dnsZoneName: 'privatelink.azurewebsites.net'
+        resourceIds: [backend.outputs.id]
+      }
+    ]
+  : []
 var otherPrivateEndpointConnections = (usePrivateEndpoint)
   ? [
       {
@@ -1226,7 +1236,7 @@ var otherPrivateEndpointConnections = (usePrivateEndpoint)
     ]
   : []
 
-var privateEndpointConnections = concat(otherPrivateEndpointConnections, openAiPrivateEndpointConnection, cognitiveServicesPrivateEndpointConnection, containerAppsPrivateEndpointConnection)
+var privateEndpointConnections = concat(otherPrivateEndpointConnections, openAiPrivateEndpointConnection, cognitiveServicesPrivateEndpointConnection, containerAppsPrivateEndpointConnection, appServicePrivateEndpointConnection)
 
 module privateEndpoints 'private-endpoints.bicep' = if (usePrivateEndpoint) {
   name: 'privateEndpoints'
diff --git a/infra/network-isolation.bicep b/infra/network-isolation.bicep
@@ -214,17 +214,16 @@ module vnet 'br/public:avm/res/network/virtual-network:0.6.1' = {
       deploymentTarget == 'appservice'
         ? [
             {
-              name: 'app-int-subnet'
-              addressPrefix: '10.0.3.0/24'
+              name: 'app-service-subnet'
+              addressPrefix: '10.0.9.0/24'
               privateEndpointNetworkPolicies: 'Enabled'
               privateLinkServiceNetworkPolicies: 'Enabled'
-              // TODO: Are we sure we don't need App Service Plan/ID? Test this.
               delegation: 'Microsoft.Web/serverFarms'
             }
           ]
         : [
             {
-              name: 'app-int-subnet'
+              name: 'container-apps-subnet'
               addressPrefix: '10.0.0.0/21'
               networkSecurityGroupResourceId: containerAppsNSG.outputs.resourceId
               delegation: 'Microsoft.App/environments'
diff --git a/todo.txt b/todo.txt

Original file line number	Diff line number	Diff line change
`@@ -1206,6 +1206,16 @@ var containerAppsPrivateEndpointConnection = (usePrivateEndpoint && deploymentTa`
`1206`	`1206`	`}`
`1207`	`1207`	`]`
`1208`	`1208`	`: []`
	`1209`	`+`
	`1210`	`+var appServicePrivateEndpointConnection = (usePrivateEndpoint && deploymentTarget == 'appservice')`
	`1211`	`+ ? [`
	`1212`	`+ {`
	`1213`	`+ groupId: 'sites'`
	`1214`	`+ dnsZoneName: 'privatelink.azurewebsites.net'`
	`1215`	`+ resourceIds: [backend.outputs.id]`
	`1216`	`+ }`
	`1217`	`+ ]`
	`1218`	`+ : []`
`1209`	`1219`	`var otherPrivateEndpointConnections = (usePrivateEndpoint)`
`1210`	`1220`	`? [`
`1211`	`1221`	`{`
`@@ -1226,7 +1236,7 @@ var otherPrivateEndpointConnections = (usePrivateEndpoint)`
`1226`	`1236`	`]`
`1227`	`1237`	`: []`
`1228`	`1238`
`1229`		`-var privateEndpointConnections = concat(otherPrivateEndpointConnections, openAiPrivateEndpointConnection, cognitiveServicesPrivateEndpointConnection, containerAppsPrivateEndpointConnection)`
	`1239`	`+var privateEndpointConnections = concat(otherPrivateEndpointConnections, openAiPrivateEndpointConnection, cognitiveServicesPrivateEndpointConnection, containerAppsPrivateEndpointConnection, appServicePrivateEndpointConnection)`
`1230`	`1240`
`1231`	`1241`	`module privateEndpoints 'private-endpoints.bicep' = if (usePrivateEndpoint) {`
`1232`	`1242`	`name: 'privateEndpoints'`
Original file line number	Diff line number	Diff line change
`@@ -214,17 +214,16 @@ module vnet 'br/public:avm/res/network/virtual-network:0.6.1' = {`
`214`	`214`	`deploymentTarget == 'appservice'`
`215`	`215`	`? [`
`216`	`216`	`{`
`217`		`- name: 'app-int-subnet'`
`218`		`- addressPrefix: '10.0.3.0/24'`
	`217`	`+ name: 'app-service-subnet'`
	`218`	`+ addressPrefix: '10.0.9.0/24'`
`219`	`219`	`privateEndpointNetworkPolicies: 'Enabled'`
`220`	`220`	`privateLinkServiceNetworkPolicies: 'Enabled'`
`221`		`- // TODO: Are we sure we don't need App Service Plan/ID? Test this.`
`222`	`221`	`delegation: 'Microsoft.Web/serverFarms'`
`223`	`222`	`}`
`224`	`223`	`]`
`225`	`224`	`: [`
`226`	`225`	`{`
`227`		`- name: 'app-int-subnet'`
	`226`	`+ name: 'container-apps-subnet'`
`228`	`227`	`addressPrefix: '10.0.0.0/21'`
`229`	`228`	`networkSecurityGroupResourceId: containerAppsNSG.outputs.resourceId`
`230`	`229`	`delegation: 'Microsoft.App/environments'`