Azure-Samples
diff --git a/‎app/backend/prepdocs.py‎
Lines changed: 1 addition & 1 deletion b/‎app/backend/prepdocs.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/deploy_private.md‎
Lines changed: 44 additions & 13 deletions b/‎docs/deploy_private.md‎
Lines changed: 44 additions & 13 deletions
diff --git a/‎infra/core/host/container-app-upsert.bicep‎
Lines changed: 35 additions & 71 deletions b/‎infra/core/host/container-app-upsert.bicep‎
Lines changed: 35 additions & 71 deletions
@@ -323,7 +323,7 @@ async def main(strategy: Strategy, setup_index: bool = True):
 
     load_azd_env()
 
-    if os.getenv("AZURE_PUBLIC_NETWORK_ACCESS") == "Disabled":
+    if os.getenv("AZURE_PUBLIC_NETWORK_ACCESS") == "Disabled" and os.getenv("AZURE_USE_VPN_GATEWAY") != "true":
         logger.error("AZURE_PUBLIC_NETWORK_ACCESS is set to Disabled. Exiting.")
         exit(0)
 
 
@@ -46,20 +46,51 @@ Deploying with public access disabled adds additional cost to your deployment. P
 
 ## Recommended deployment strategy for private access
 
-1. Deploy the app with private endpoints enabled and public access enabled.
+1. Deploy the app with private endpoints enabled, public network access disabled, and a VPN gateway configured. This will allow you to connect to the chat app from inside the virtual network.
 
-  ```shell
-  azd env set AZURE_USE_PRIVATE_ENDPOINT true
-  azd env set AZURE_PUBLIC_NETWORK_ACCESS Enabled
-  azd up
-  ```
+    ```shell
+    azd env set AZURE_USE_PRIVATE_ENDPOINT true
+    azd env set AZURE_USE_VPN_GATEWAY true
+    azd env set AZURE_PUBLIC_NETWORK_ACCESS Enabled
+    azd up
+    ```
 
-1. Validate that you can connect to the chat app and it's working as expected from the internet.
-1. Re-provision the app with public access disabled.
+2. First provision all the resources:
 
-  ```shell
-  azd env set AZURE_PUBLIC_NETWORK_ACCESS Disabled
-  azd provision
-  ```
+    ```bash
+    azd provision
+    ```
 
-1. Log into your network using a tool like [Azure VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) and validate that you can connect to the chat app from inside the network.
+3. Once provisioning is complete, run this command to get the VPN configuration download link:
+
+    ```bash
+    azd env get-value AZURE_VPN_CONFIG_DOWNLOAD_LINK
+    ```
+
+    Select "Download VPN client" to download a ZIP file containing the VPN configuration.
+
+4. Open `AzureVPN/azurevpnconfig.xml`, and replace the `<clientconfig>` empty tag with the following:
+
+    ```xml
+      <clientconfig>
+        <dnsservers>
+          <dnsserver>10.0.11.4</dnsserver>
+        </dnsservers>
+      </clientconfig>
+    ```
+
+5. Open the "Azure VPN" client and select "Import" button. Select the `azurevpnconfig.xml` file you just downloaded and modified.
+
+6. Select "Connect" and the new VPN connection. You will be prompted to select your Microsoft account and login.
+
+7. Once you're successfully connected to VPN, you can run the data ingestion script:
+
+    ```bash
+    azd hooks run postprovision
+    ```
+
+8. Finally, you can deploy the app:
+
+    ```bash
+    azd deploy
+    ```
@@ -1,89 +1,57 @@
-metadata description = 'Creates or updates an existing Azure Container App.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
 
-
-@description('The number of CPU cores allocated to a single container instance, e.g., 0.5')
-param containerCpuCoreCount string = '0.5'
-
-@description('The maximum number of replicas to run. Must be at least 1.')
-@minValue(1)
-param containerMaxReplicas int = 10
-
-@description('The amount of memory allocated to a single container instance, e.g., 1Gi')
-param containerMemory string = '1.0Gi'
-
-@description('The minimum number of replicas to run. Must be at least 1 for non-consumption workloads.')
-param containerMinReplicas int = 0
-
-@description('The name of the container')
+param containerAppsEnvironmentName string
 param containerName string = 'main'
-
-@description('The environment name for the container apps')
-param containerAppsEnvironmentName string = '${containerName}env'
-
-@description('The name of the container registry')
 param containerRegistryName string
 
-@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
-param containerRegistryHostSuffix string = 'azurecr.io'
-
-@allowed(['http', 'grpc'])
-@description('The protocol used by Dapr to connect to the app, e.g., HTTP or gRPC')
-param daprAppProtocol string = 'http'
-
-@description('Enable or disable Dapr for the container app')
-param daprEnabled bool = false
-
-@description('The Dapr app ID')
-param daprAppId string = containerName
-
-@description('Specifies if the resource already exists')
-param exists bool = false
-
-@description('Specifies if Ingress is enabled for the container app')
-param ingressEnabled bool = true
-
-@description('The type of identity for the resource')
-@allowed(['None', 'SystemAssigned', 'UserAssigned'])
-param identityType string = 'None'
-
-@description('The name of the user-assigned identity')
-param identityName string = ''
-
-@description('The name of the container image')
-param imageName string = ''
+@description('Minimum number of replicas to run')
+@minValue(1)
+param containerMinReplicas int = 1
+@description('Maximum number of replicas to run')
+@minValue(1)
+param containerMaxReplicas int = 10
 
 @description('The secrets required for the container')
 @secure()
 param secrets object = {}
 
-@description('The keyvault identities required for the container')
-@secure()
-param keyvaultIdentities object = {}
-
 @description('The environment variables for the container in key value pairs')
 param env object = {}
 
 @description('The environment variables with secret references')
 param envSecrets array = []
 
-@description('Specifies if the resource ingress is exposed externally')
 param external bool = true
+param targetPort int = 80
+param exists bool
 
-@description('The service binds associated with the container')
-param serviceBinds array = []
+@description('User assigned identity name')
+param identityName string
 
-@description('The target port for the container')
-param targetPort int = 80
+@description('Enabled Ingress for container app')
+param ingressEnabled bool = true
+
+// Dapr Options
+@description('Enable Dapr')
+param daprEnabled bool = false
+@description('Dapr app ID')
+param daprAppId string = containerName
+@allowed([ 'http', 'grpc' ])
+@description('Protocol used by Dapr to connect to the app, e.g. http or grpc')
+param daprAppProtocol string = 'http'
 
-@allowed(['Consumption', 'D4', 'D8', 'D16', 'D32', 'E4', 'E8', 'E16', 'E32', 'NC24-A100', 'NC48-A100', 'NC96-A100'])
-param workloadProfile string = 'Consumption'
+@description('CPU cores allocated to a single container instance, e.g. 0.5')
+param containerCpuCoreCount string = '0.5'
+
+@description('Memory allocated to a single container instance, e.g. 1Gi')
+param containerMemory string = '1.0Gi'
 
-param allowedOrigins array = []
+@description('Workload profile name to use for the container app when using private ingress')
+param workloadProfileName string = 'Warm'
 
-resource existingApp 'Microsoft.App/containerApps@2023-05-02-preview' existing = if (exists) {
+resource existingApp 'Microsoft.App/containerApps@2022-03-01' existing = if (exists) {
   name: name
 }
 
@@ -98,16 +66,13 @@ module app 'container-app.bicep' = {
   name: '${deployment().name}-update'
   params: {
     name: name
-    workloadProfile: workloadProfile
     location: location
     tags: tags
-    identityType: identityType
     identityName: identityName
     ingressEnabled: ingressEnabled
     containerName: containerName
     containerAppsEnvironmentName: containerAppsEnvironmentName
     containerRegistryName: containerRegistryName
-    containerRegistryHostSuffix: containerRegistryHostSuffix
     containerCpuCoreCount: containerCpuCoreCount
     containerMemory: containerMemory
     containerMinReplicas: containerMinReplicas
@@ -116,20 +81,19 @@ module app 'container-app.bicep' = {
     daprAppId: daprAppId
     daprAppProtocol: daprAppProtocol
     secrets: secrets
-    keyvaultIdentities: keyvaultIdentities
-    allowedOrigins: allowedOrigins
     external: external
     env: concat(envAsArray, envSecrets)
-    imageName: !empty(imageName) ? imageName : exists ? existingApp.properties.template.containers[0].image : ''
+    imageName: exists ? existingApp.properties.template.containers[0].image : ''
     targetPort: targetPort
-    serviceBinds: serviceBinds
+    // Pass workload profile name parameter
+    workloadProfileName: workloadProfileName
   }
 }
 
 output defaultDomain string = app.outputs.defaultDomain
 output imageName string = app.outputs.imageName
 output name string = app.outputs.name
+output hostName string = app.outputs.hostName
 output uri string = app.outputs.uri
-output id string = app.outputs.id
-output identityPrincipalId string = app.outputs.identityPrincipalId
 output identityResourceId string = app.outputs.identityResourceId
+output identityPrincipalId string = app.outputs.identityPrincipalId