1. The exact number of private endpoints created depends on the [optional features](./deploy_features.md) used.
36
-
1.[Private DNS Zones](https://azure.microsoft.com/pricing/details/dns/)
34
+
*[Azure Container Registry](https://azure.microsoft.com/pricing/details/container-registry/): Premium tier is used when virtual network is added (required for private links), which incurs additional costs.
35
+
*[Azure Container Apps](https://azure.microsoft.com/pricing/details/container-apps/): Workload profiles environment is used when virtual network is added (required for private links), which incurs additional costs. Additionally, min replica count is set to 1, so you will be charged for at least one instance. If you need to customize the environment configuration further, edit the container-apps-environment.bicep file.
36
+
*[VPN Gateway](https://azure.microsoft.com/pricing/details/vpn-gateway/): VpnGw2 SKU. Pricing includes a base monthly cost plus an hourly cost based on the number of connections.
37
+
*[Virtual Network](https://azure.microsoft.com/pricing/details/virtual-network/): Pay-as-you-go tier. Costs based on data processed.
The pricing for the following features depends on the [optional features](./deploy_features.md) used. Most deployments will have at least 5 private endpoints (Azure OpenAI, Azure Cognitive Services, Azure AI Search, Azure Blob Storage, and either Azure App Service or Azure Container Apps).
39
40
40
-
1.`AZURE_PUBLIC_NETWORK_ACCESS`: Controls the value of public network access on supported Azure resources. Valid values are 'Enabled' or 'Disabled'.
41
-
1. When public network access is 'Enabled', Azure resources are open to the internet.
42
-
1. When public network access is 'Disabled', Azure resources are only accessible over a virtual network.
43
-
1.`AZURE_USE_PRIVATE_ENDPOINT`: Controls deployment of [private endpoints](https://learn.microsoft.com/azure/private-link/private-endpoint-overview) which connect Azure resources to the virtual network.
44
-
1. When set to 'true', ensures private endpoints are deployed for connectivity even when `AZURE_PUBLIC_NETWORK_ACCESS` is 'Disabled'.
45
-
1. Note that private endpoints do not make the chat app accessible from the internet. Connections must be initiated from inside the virtual network.
41
+
*[Azure Private Endpoints](https://azure.microsoft.com/pricing/details/private-link/): Pricing is per hour per endpoint.
42
+
*[Private DNS Zones](https://azure.microsoft.com/pricing/details/dns/): Pricing is per month and zones.
43
+
*[Azure Private DNS Resolver](https://azure.microsoft.com/pricing/details/dns/): Pricing is per month and zones.
44
+
45
+
⚠️ To avoid unnecessary costs, remember to take down your app if it's no longer in use,
46
+
either by deleting the resource group in the Portal or running `azd down`.
47
+
You might also decide to delete the VPN Gateway when not in use.
46
48
47
49
## Recommended deployment strategy for private access
48
50
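Review bot: The added Azure Private DNS Resolver bullet repeats the Private DNS Zones wording ("Pricing is per month and zones") and points at the same pricing link, so a reader estimating cost cannot tell the two line items apart. Please check the resolver's billing unit against the linked pricing page and reword that bullet accordingly. The new tip "You might also decide to delete the VPN Gateway when not in use" would also benefit from a pointer to how to do that, since the two takedown options listed just above it (deleting the resource group, `azd down`) remove the whole app.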
@@ -79,7 +81,7 @@ Deploying with public access disabled adds additional cost to your deployment. P
79
81
</clientconfig>
80
82
```
81
83
82
-
> **Note:** The IP address `10.0.11.4` is the first available IP in the `dns-resolver-subnet`(10.0.11.0/28), as Azure reserves the first four IP addresses in each subnet. Adding this DNS server allows your VPN client to resolve private DNS names for Azure services accessed through private endpoints. See the network configuration in [network-isolation.bicep](../infra/network-isolation.bicep) for details.
84
+
> **Note:** We use the IP address `10.0.11.4` since it is the first available IP in the `dns-resolver-subnet`(10.0.11.0/28) from the provisioned virtual network, as Azure reserves the first four IP addresses in each subnet. Adding this DNS server allows your VPN client to resolve private DNS names for Azure services accessed through private endpoints. See the network configuration in [network-isolation.bicep](../infra/network-isolation.bicep) for details.
83
85
84
86
5. Install the [Azure VPN Client](https://learn.microsoft.com/azure/vpn-gateway/azure-vpn-client-versions).
85
87
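Review bot: In the reworded note, `10.0.11.4` is still a literal the reader copies into the VPN client config, and the stated reason ("the first available IP in the `dns-resolver-subnet`") only holds while that subnet remains 10.0.11.0/28 and the DNS server actually receives the first free address. Suggest telling readers how to confirm the address in their own deployment, or stating explicitly that network-isolation.bicep fixes it, because a wrong DNS server here leaves the VPN client unable to resolve the private endpoint names. Minor: add a space between `dns-resolver-subnet` and `(10.0.11.0/28)`.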
@@ -99,6 +101,16 @@ Deploying with public access disabled adds additional cost to your deployment. P
1. `AZURE_PUBLIC_NETWORK_ACCESS`: Controls the value of public network access on supported Azure resources. Valid values are 'Enabled' or 'Disabled'.
107
+
1. When public network access is 'Enabled', Azure resources are open to the internet.
108
+
1. When public network access is 'Disabled', Azure resources are only accessible over a virtual network.
109
+
1. `AZURE_USE_PRIVATE_ENDPOINT`: Controls deployment of [private endpoints](https://learn.microsoft.com/azure/private-link/private-endpoint-overview) which connect Azure resources to the virtual network.
110
+
1. When set to 'true', ensures private endpoints are deployed for connectivity even when `AZURE_PUBLIC_NETWORK_ACCESS` is 'Disabled'.
111
+
1. Note that private endpoints do not make the chat app accessible from the internet. Connections must be initiated from inside the virtual network.
112
+
1. `AZURE_USE_VPN_GATEWAY`: Controls deployment of a VPN gateway for the virtual network. If you do not use this and public access is disabled, you will need a different way to connect to the virtual network.
113
+
102
114
## Compatibility with other features
103
115
104
116
***GitHub Actions / Azure DevOps**: The private access deployment is not compatible with the built-in CI/CD pipelines, as it requires a VPN connection to deploy the app. You could modify the pipeline to only do provisioning, and set up a different deployment strategy for the app.
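Review bot: The new `AZURE_USE_VPN_GATEWAY` entry does not say which value enables it, while `AZURE_PUBLIC_NETWORK_ACCESS` lists 'Enabled' or 'Disabled' and `AZURE_USE_PRIVATE_ENDPOINT` says "When set to 'true'"; state the accepted value in the same way. In the `AZURE_USE_PRIVATE_ENDPOINT` sub-item, "even when `AZURE_PUBLIC_NETWORK_ACCESS` is 'Disabled'" reads as though private endpoints were an exception rather than the intended path once public access is off. Consider rewording it and adding one sentence on the combination where public access is 'Disabled' but private endpoints are not deployed, so readers do not end up with resources they cannot reach.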