Agents/setup/remove service endpoint (#212)

* Remove service endpoints
* Update network ACLs
* Update Subnet delegation

Author: dharakumarmsft

scenarios/Agents/setup/network-secured-agent/azuredeploy.json

@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.33.93.31351",
-      "templateHash": "127170888874315892"
+      "templateHash": "14632217224620265892"
     }
   },
   "parameters": {
@@ -341,7 +341,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.33.93.31351",
-              "templateHash": "9007602006679851007"
+              "templateHash": "11931798975158233939"
             }
           },
           "parameters": {
@@ -409,27 +409,7 @@
                   {
                     "name": "[parameters('hubSubnetName')]",
                     "properties": {
-                      "addressPrefix": "172.16.0.0/24",
-                      "serviceEndpoints": [
-                        {
-                          "service": "Microsoft.KeyVault",
-                          "locations": [
-                            "[parameters('location')]"
-                          ]
-                        },
-                        {
-                          "service": "Microsoft.Storage",
-                          "locations": [
-                            "[parameters('location')]"
-                          ]
-                        },
-                        {
-                          "service": "Microsoft.CognitiveServices",
-                          "locations": [
-                            "[parameters('modelLocation')]"
-                          ]
-                        }
-                      ]
+                      "addressPrefix": "172.16.0.0/24"
                     }
                   },
                   {
@@ -440,7 +420,7 @@
                         {
                           "name": "Microsoft.app/environments",
                           "properties": {
-                            "serviceName": "Microsoft.app/environments"
+                            "serviceName": "Microsoft.App/environments"
                           }
                         }
                       ]
@@ -542,9 +522,6 @@
           },
           "userAssignedIdentityName": {
             "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-{1}--identity', parameters('name'), parameters('uniqueSuffix'))), '2022-09-01').outputs.uaiName.value]"
-          },
-          "vnetName": {
-            "value": "[reference(resourceId('Microsoft.Resources/deployments', format('{0}-{1}--vnet', parameters('name'), parameters('uniqueSuffix'))), '2022-09-01').outputs.virtualNetworkName.value]"
           }
         },
         "template": {
@@ -554,7 +531,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.33.93.31351",
-              "templateHash": "93381250633572287"
+              "templateHash": "12473094046332996300"
             }
           },
           "parameters": {
@@ -660,15 +637,12 @@
                 "description": "The Kind of AI Service, can be \"OpenAI\" or \"AIService\""
               }
             },
-            "vnetName": {
+            "userAssignedIdentityName": {
               "type": "string",
               "metadata": {
-                "description": "The name of the virtual network"
+                "description": "User-assigned managed identity name"
               }
             },
-            "userAssignedIdentityName": {
-              "type": "string"
-            },
             "noZRSRegions": {
               "type": "array",
               "defaultValue": [
@@ -727,12 +701,7 @@
                 ],
                 "networkAcls": {
                   "bypass": "AzureServices",
-                  "defaultAction": "Deny",
-                  "virtualNetworkRules": [
-                    {
-                      "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName')), '2024-05-01').subnets[0].id]"
-                    }
-                  ]
+                  "defaultAction": "Deny"
                 },
                 "sku": {
                   "family": "A",
@@ -765,12 +734,7 @@
                 },
                 "networkAcls": {
                   "bypass": "AzureServices",
-                  "defaultAction": "Deny",
-                  "virtualNetworkRules": [
-                    {
-                      "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName')), '2024-05-01').subnets[0].id]"
-                    }
-                  ]
+                  "defaultAction": "Deny"
                 },
                 "publicNetworkAccess": "Disabled"
               }
@@ -820,9 +784,13 @@
                 },
                 "hostingMode": "default",
                 "partitionCount": 1,
-                "publicNetworkAccess": "Disabled",
+                "publicNetworkAccess": "disabled",
                 "replicaCount": 1,
-                "semanticSearch": "disabled"
+                "semanticSearch": "disabled",
+                "networkRuleSet": {
+                  "bypass": "None",
+                  "ipRules": []
+                }
               },
               "sku": {
                 "name": "standard"
@@ -845,12 +813,7 @@
                 "publicNetworkAccess": "Disabled",
                 "networkAcls": {
                   "bypass": "AzureServices",
-                  "defaultAction": "Deny",
-                  "virtualNetworkRules": [
-                    {
-                      "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName')), '2024-05-01').subnets[0].id]"
-                    }
-                  ]
+                  "defaultAction": "Deny"
                 },
                 "allowSharedKeyAccess": false
               }
@@ -1092,8 +1055,7 @@
         }
       },
       "dependsOn": [
-        "[resourceId('Microsoft.Resources/deployments', format('{0}-{1}--identity', parameters('name'), parameters('uniqueSuffix')))]",
-        "[resourceId('Microsoft.Resources/deployments', format('{0}-{1}--vnet', parameters('name'), parameters('uniqueSuffix')))]"
+        "[resourceId('Microsoft.Resources/deployments', format('{0}-{1}--identity', parameters('name'), parameters('uniqueSuffix')))]"
       ]
     },
     {

scenarios/Agents/setup/network-secured-agent/main.bicep

@@ -197,11 +197,8 @@ module aiDependencies 'modules-network-secured/network-secured-dependent-resourc
      modelSkuName: modelSkuName
      modelCapacity: modelCapacity
      modelLocation: modelLocation
-
+     // User-assigned managed identity
      userAssignedIdentityName: identity.outputs.uaiName
-
-    // VNet
-    vnetName: vnet.outputs.virtualNetworkName
     }
 }
 

scenarios/Agents/setup/network-secured-agent/modules-network-secured/network-secured-dependent-resources.bicep

@@ -66,11 +66,7 @@ param modelLocation string
 @description('The Kind of AI Service, can be "OpenAI" or "AIService"')
 param aisKind string
 
-// Network Resource Names
-@description('The name of the virtual network')
-param vnetName string
-
-
+@description('User-assigned managed identity name')
 param userAssignedIdentityName string
 
 // Subnet reference variables for network rules
@@ -83,12 +79,6 @@ resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-previe
   name: userAssignedIdentityName
 }
 
-/* -------------------------------------------- Virtual Network Resources -------------------------------------------- */
-
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
-  name: vnetName
-}
-
 /* -------------------------------------------- Existing Resource References -------------------------------------------- */
 
 resource existingStorage 'Microsoft.Storage/storageAccounts@2022-05-01' existing = if(storageExists) {
@@ -137,11 +127,6 @@ resource defaultKeyVault 'Microsoft.KeyVault/vaults@2022-07-01' = if(!keyvaultEx
     networkAcls: {
       bypass: 'AzureServices'              // Allow trusted Azure services
       defaultAction: 'Deny'                // Deny all other traffic
-      virtualNetworkRules:[                // Allow access from customer hub subnet
-        {
-          id: virtualNetwork.properties.subnets[0].id
-        }
-      ]
     }
     sku: {
       family: 'A'
@@ -171,11 +156,6 @@ resource defaultAiServices 'Microsoft.CognitiveServices/accounts@2024-06-01-prev
     networkAcls: {
       bypass: 'AzureServices'              // Allow trusted Azure services
       defaultAction: 'Deny'                // Deny all other traffic
-      virtualNetworkRules:[                // Allow access from customer hub subnet
-        {
-          id: virtualNetwork.properties.subnets[0].id
-        }
-      ]
     }
     publicNetworkAccess: 'Disabled'        // Block public access
   }
@@ -217,9 +197,13 @@ resource defaultAiSearch 'Microsoft.Search/searchServices@2024-06-01-preview' =
     }
     hostingMode: 'default'
     partitionCount: 1
-    publicNetworkAccess: 'Disabled'        // Block public access
+    publicNetworkAccess: 'disabled'        // Block public access, use lowercase
     replicaCount: 1
-    semanticSearch: 'disabled'
+    semanticSearch: 'disabled' // use lowercase
+    networkRuleSet: {
+      bypass: 'None'
+      ipRules: []
+      }
   }
   sku: {
     name: 'standard'
@@ -243,11 +227,6 @@ resource defaultStorage 'Microsoft.Storage/storageAccounts@2022-05-01' = if(!sto
     networkAcls: {
       bypass: 'AzureServices'              // Allow trusted Azure services
       defaultAction: 'Deny'                // Deny all other traffic
-      virtualNetworkRules: [               // Allow access from customer hub subnet
-        {
-          id: virtualNetwork.properties.subnets[0].id
-        }
-      ]
     }
     allowSharedKeyAccess: false           // Enforce Azure AD authentication
   }

scenarios/Agents/setup/network-secured-agent/modules-network-secured/networking/vnet.bicep

@@ -51,26 +51,6 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-05-01' = {
         name: hubSubnetName
         properties: {
           addressPrefix: '172.16.0.0/24'
-          serviceEndpoints: [
-            {
-              service: 'Microsoft.KeyVault'
-              locations: [
-                location
-              ]
-            }
-            {
-              service: 'Microsoft.Storage'
-              locations: [
-                location
-              ]
-            }
-            {
-              service: 'Microsoft.CognitiveServices'
-              locations: [
-                modelLocation
-              ]
-            }
-          ]
         }
       }
       {
@@ -81,7 +61,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-05-01' = {
             {
               name: 'Microsoft.app/environments'
               properties: {
-                serviceName: 'Microsoft.app/environments'
+                serviceName: 'Microsoft.App/environments'
               }
             }
           ]

scenarios/Agents/setup/utils/deleteCaphost.sh

@@ -56,28 +56,35 @@ echo -e "\nCapability host deletion request initiated."
 echo "Monitoring operation: ${operation_url}"
 
 # Poll the operation URL until the operation completes
-status="InProgress"
-while [ "${status}" = "InProgress" ]; do
+status="Creating"
+while [ "${status}" = "Creating" ]; do
     echo "Checking operation status..."
-    
+    access_token=$(az account get-access-token --query accessToken -o tsv)
     # Get the operation status
     operation_response=$(curl -s \
         -H "Authorization: Bearer ${access_token}" \
         -H "Content-Type: application/json" \
         "${operation_url}")
-    
-    # Extract the status from the response
-    status=$(echo "${operation_response}" | grep -o '"status":"[^"]*"' | cut -d'"' -f4)
-    
+
+    # Check for transient errors
+    error_code=$(echo "${operation_response}" | jq -r '.error.code // empty')
+    if [ "${error_code}" = "TransientError" ]; then
+        echo "Transient error encountered. Continuing to poll..."
+        sleep 10
+        continue
+    fi
+    # Extract the status from the response using jq
+    status=$(echo "${operation_response}" | jq -r '.status')
+
     if [ -z "${status}" ]; then
         echo "Error: Could not determine operation status."
         echo "Response: ${operation_response}"
         exit 1
     fi
-    
+
     echo "Current status: ${status}"
-    
-    if [ "${status}" = "InProgress" ]; then
+
+    if [ "${status}" = "Creating" ]; then
         echo "Operation still in progress. Waiting 10 seconds before checking again..."
         sleep 10
     fi
@@ -90,4 +97,4 @@ else
     echo -e "\nCapability host deletion failed with status: ${status}"
     echo "Response: ${operation_response}"
     exit 1
-fi
+fi