Private endpoints draft

Author: pamelafox

infra/main.bicep

@@ -431,7 +431,7 @@ module backend 'core/host/appservice.bicep' = if (deploymentTarget == 'appservic
     appCommandLine: 'python3 -m gunicorn main:app'
     scmDoBuildDuringDeployment: true
     managedIdentity: true
-    virtualNetworkSubnetId: isolation.outputs.appSubnetId
+    virtualNetworkSubnetId: usePrivateEndpoint ? isolation.outputs.appSubnetId : ''
     publicNetworkAccess: publicNetworkAccess
     allowedOrigins: allowedOrigins
     clientAppId: clientAppId
@@ -472,6 +472,7 @@ module containerApps 'core/host/container-apps.bicep' = if (deploymentTarget ==
     containerAppsEnvironmentName: acaManagedEnvironmentName
     containerRegistryName: '${containerRegistryName}${resourceToken}'
     logAnalyticsWorkspaceResourceId: useApplicationInsights ? monitoring.outputs.logAnalyticsWorkspaceId : ''
+    virtualNetworkSubnetId: usePrivateEndpoint ? isolation.outputs.appSubnetId : ''
   }
 }
 
@@ -1047,17 +1048,15 @@ module cosmosDbRoleBackend 'core/security/documentdb-sql-role.bicep' = if (useAu
   }
 }
 
-module isolation 'network-isolation.bicep' = {
+module isolation 'network-isolation.bicep' = if (usePrivateEndpoint) {
   name: 'networks'
   scope: resourceGroup
   params: {
-    deploymentTarget: deploymentTarget
     location: location
     tags: tags
     vnetName: '${abbrs.virtualNetworks}${resourceToken}'
-    // Need to check deploymentTarget due to https://github.com/Azure/bicep/issues/3990
-    appServicePlanName: deploymentTarget == 'appservice' ? appServicePlan.outputs.name : ''
     usePrivateEndpoint: usePrivateEndpoint
+    containerAppsEnvName: acaManagedEnvironmentName
   }
 }
 
@@ -1103,7 +1102,7 @@ var otherPrivateEndpointConnections = (usePrivateEndpoint && deploymentTarget ==
 
 var privateEndpointConnections = concat(otherPrivateEndpointConnections, openAiPrivateEndpointConnection)
 
-module privateEndpoints 'private-endpoints.bicep' = if (usePrivateEndpoint && deploymentTarget == 'appservice') {
+module privateEndpoints 'private-endpoints.bicep' = if (usePrivateEndpoint) {
   name: 'privateEndpoints'
   scope: resourceGroup
   params: {

infra/network-isolation.bicep

@@ -9,18 +9,15 @@ param location string = resourceGroup().location
 @description('The tags to apply to all resources')
 param tags object = {}
 
-@description('The name of an existing App Service Plan to connect to the VNet')
-param appServicePlanName string
-
 param usePrivateEndpoint bool = false
 
-@allowed(['appservice', 'containerapps'])
-param deploymentTarget string
+param containerAppsEnvName string
 
-resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' existing = if (deploymentTarget == 'appservice') {
-  name: appServicePlanName
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
+  name: containerAppsEnvName
 }
 
+
 module vnet './core/networking/vnet.bicep' = if (usePrivateEndpoint) {
   name: 'vnet'
   params: {
@@ -36,42 +33,28 @@ module vnet './core/networking/vnet.bicep' = if (usePrivateEndpoint) {
           privateLinkServiceNetworkPolicies: 'Enabled'
         }
       }
-      {
-        name: 'AzureBastionSubnet'
-        properties: {
-          addressPrefix: '10.0.2.0/24'
-          privateEndpointNetworkPolicies: 'Enabled'
-          privateLinkServiceNetworkPolicies: 'Enabled'
-        }
-      }
-      {
+      { // App Service / Container Apps specific subnet
         name: 'app-int-subnet'
         properties: {
-          addressPrefix: '10.0.3.0/24'
+          addressPrefix: '10.0.4.0/23'
           privateEndpointNetworkPolicies: 'Enabled'
           privateLinkServiceNetworkPolicies: 'Enabled'
           delegations: [
             {
-              id: appServicePlan.id
-              name: appServicePlan.name
+              id: containerAppsEnvironment.id
+              name: containerAppsEnvironment.name
               properties: {
-                serviceName: 'Microsoft.Web/serverFarms'
+                serviceName: 'Microsoft.App/environments'
               }
             }
           ]
         }
       }
-      {
-        name: 'vm-subnet'
-        properties: {
-          addressPrefix: '10.0.4.0/24'
-        }
-      }
     ]
   }
 }
 
 
-output appSubnetId string = usePrivateEndpoint ? vnet.outputs.vnetSubnets[2].id : ''
+output appSubnetId string = usePrivateEndpoint ? vnet.outputs.vnetSubnets[1].id : ''
 output backendSubnetId string = usePrivateEndpoint ? vnet.outputs.vnetSubnets[0].id : ''
 output vnetName string = usePrivateEndpoint ? vnet.outputs.name : ''

infra/private-endpoints.bicep

@@ -81,7 +81,8 @@ module monitorDnsZones './core/networking/private-dns-zones.bicep' = [for monito
   }
 }]
 // Get blob DNS zone index for monitor private link
-var dnsZoneBlobIndex = filter(flatten(privateEndpointInfo), info => info.groupId == 'blob')[0].dnsZoneIndex
+var blobEndpointInfo = filter(flatten(privateEndpointInfo), info => info.groupId == 'blob')
+var dnsZoneBlobIndex = empty(blobEndpointInfo) ? 0 : blobEndpointInfo[0].dnsZoneIndex
 
 // Azure Monitor Private Link Scope
 // https://learn.microsoft.com/azure/azure-monitor/logs/private-link-security
@@ -150,9 +151,9 @@ module monitorPrivateEndpoint './core/networking/private-endpoint.bicep' = {
         }
       }
       {
-        name: dnsZones[dnsZoneBlobIndex].name
+        name: 'blob-dnszone' // dnsZones[dnsZoneBlobIndex].name
         properties: {
-          privateDnsZoneId: dnsZones[dnsZoneBlobIndex].outputs.id
+          privateDnsZoneId: '/subscriptions/77d8a3d0-8b18-47e9-b773-08bee327bb4a/resourceGroups/rg-pf-ragprivate/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net' // dnsZones[dnsZoneBlobIndex].outputs.id
         }
       }
     ]