Azure-Samples · pamelafox · Dec 4, 2025 · Dec 3, 2025 · Dec 4, 2025 · Dec 4, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,15 @@
+.azure
+.venv
+.logfire
+.devcontainer
+infra
+
+# Common Python and development files to exclude
+__pycache__
+*.pyc
+*.pyo
+*.egg-info
+.pytest_cache
+.ruff_cache
+.env
+.git
diff --git a/agents/Dockerfile b/agents/Dockerfile
@@ -0,0 +1,38 @@
+# ------------------- Stage 1: Build Stage ------------------------------
+# We use Alpine for smaller image size (~329MB vs ~431MB for Debian slim).
+# Trade-off: We must install build tools to compile native extensions (cryptography, etc.)
+# since pre-built musl wheels aren't available. Debian -slim would skip compilation
+# but produces a larger final image due to glibc wheel sizes.
+FROM python:3.13-alpine AS build
+
+# Install build dependencies for packages with native extensions (cryptography, etc.)
+# https://cryptography.io/en/latest/installation/#building-cryptography-on-linux
+RUN apk add --no-cache gcc g++ musl-dev python3-dev libffi-dev openssl-dev cargo pkgconfig
+
+COPY --from=ghcr.io/astral-sh/uv:0.9.14 /uv /uvx /bin/
+
+WORKDIR /code
+
+# Copy dependency files and install dependencies (for layer caching)
+# Note: We can't use --mount=type=cache since Azure Container Apps remote build doesn't support BuildKit:
+# https://github.com/Azure/acr/issues/721
+COPY uv.lock pyproject.toml ./
+RUN uv sync --locked --no-install-project
+
+# Copy the project and sync
+COPY . .
+RUN uv sync --locked
+
+# ------------------- Stage 2: Final Stage ------------------------------
+FROM python:3.13-alpine AS final
+
+RUN addgroup -S app && adduser -S app -G app
+
+COPY --from=build --chown=app:app /code /code
+
+WORKDIR /code/agents
+USER app
+
+ENV PATH="/code/.venv/bin:$PATH"
+
+ENTRYPOINT ["python", "agentframework_http.py"]
diff --git a/azure.yaml b/azure.yaml
@@ -3,15 +3,24 @@
 name: python-mcp-demo
 metadata:
   template: [email protected]
+
 services:
-  # Not using remoteBuild due to private endpoint usage
-  aca:
+  server:
     project: .
     language: docker
     host: containerapp
     docker:
+      remoteBuild: true
       path: ./servers/Dockerfile
       context: .
+  agent:
+    project: .
+    language: docker
+    host: containerapp
+    docker:
+      remoteBuild: true
+      path: ./agents/Dockerfile
+      context: .
 hooks:
   postprovision:
     posix:
@@ -21,4 +30,4 @@ hooks:
     windows:
       shell: pwsh
       run: ./infra/write_env.ps1
-      continueOnError: true
+      continueOnError: true
diff --git a/infra/aca.bicep → infra/agent.bicep b/infra/aca.bicep → infra/agent.bicep
@@ -5,16 +5,14 @@ param tags object = {}
 param identityName string
 param containerAppsEnvironmentName string
 param containerRegistryName string
-param serviceName string = 'aca'
+param serviceName string = 'agent'
 param exists bool
 param openAiDeploymentName string
 param openAiEndpoint string
-param cosmosDbAccount string
-param cosmosDbDatabase string
-param cosmosDbContainer string
+param mcpServerUrl string
 param applicationInsightsConnectionString string = ''
 
-resource acaIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+resource agentIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: identityName
   location: location
 }
@@ -25,11 +23,11 @@ module app 'core/host/container-app-upsert.bicep' = {
     name: name
     location: location
     tags: union(tags, { 'azd-service-name': serviceName })
-    identityName: acaIdentity.name
+    identityName: agentIdentity.name
     exists: exists
     containerAppsEnvironmentName: containerAppsEnvironmentName
     containerRegistryName: containerRegistryName
-    ingressEnabled: true
+    ingressEnabled: false
     env: [
       {
         name: 'AZURE_OPENAI_CHAT_DEPLOYMENT'
@@ -40,36 +38,31 @@ module app 'core/host/container-app-upsert.bicep' = {
         value: openAiEndpoint
       }
       {
-        name: 'RUNNING_IN_PRODUCTION'
-        value: 'true'
+        name: 'API_HOST'
+        value: 'azure'
       }
       {
         name: 'AZURE_CLIENT_ID'
-        value: acaIdentity.properties.clientId
-      }
-      {
-        name: 'AZURE_COSMOSDB_ACCOUNT'
-        value: cosmosDbAccount
+        value: agentIdentity.properties.clientId
       }
       {
-        name: 'AZURE_COSMOSDB_DATABASE'
-        value: cosmosDbDatabase
+        name: 'MCP_SERVER_URL'
+        value: mcpServerUrl
       }
       {
-        name: 'AZURE_COSMOSDB_CONTAINER'
-        value: cosmosDbContainer
+        name: 'RUNNING_IN_PRODUCTION'
+        value: 'true'
       }
       // We typically store sensitive values in secrets, but App Insights connection strings are not considered highly sensitive
       {
         name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
         value: applicationInsightsConnectionString
       }
     ]
-    targetPort: 8000
   }
 }
 
-output identityPrincipalId string = acaIdentity.properties.principalId
+output identityPrincipalId string = agentIdentity.properties.principalId
 output name string = app.outputs.name
 output hostName string = app.outputs.hostName
 output uri string = app.outputs.uri

diff --git a/infra/core/host/container-app-upsert.bicep b/infra/core/host/container-app-upsert.bicep
@@ -40,6 +40,9 @@ param containerCpuCoreCount string = '0.5'
 @description('Memory allocated to a single container instance, e.g. 1Gi')
 param containerMemory string = '1.0Gi'
 
+@description('Health probes for the container')
+param probes array = []
+
 resource existingApp 'Microsoft.App/containerApps@2025-01-01' existing = if (exists) {
   name: name
 }
@@ -67,6 +70,7 @@ module app 'container-app.bicep' = {
     env: env
     imageName: exists ? existingApp.properties.template.containers[0].image : ''
     targetPort: targetPort
+    probes: probes
   }
 }
 

diff --git a/infra/core/host/container-app.bicep b/infra/core/host/container-app.bicep
@@ -40,6 +40,9 @@ param containerCpuCoreCount string = '0.5'
 @description('Memory allocated to a single container instance, e.g. 1Gi')
 param containerMemory string = '1.0Gi'
 
+@description('Health probes for the container')
+param probes array = []
+
 resource userIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
   name: identityName
 }
@@ -102,6 +105,7 @@ resource app 'Microsoft.App/containerApps@2025-01-01' = {
             cpu: json(containerCpuCoreCount)
             memory: containerMemory
           }
+          probes: probes
         }
       ]
       scale: {
@@ -124,5 +128,5 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-pr
 output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
 output imageName string = imageName
 output name string = app.name
-output hostName string = app.properties.configuration.ingress.fqdn
+output hostName string = ingressEnabled ? app.properties.configuration.ingress.fqdn : ''
 output uri string = ingressEnabled ? 'https://${app.properties.configuration.ingress.fqdn}' : ''
diff --git a/infra/core/host/container-apps-environment.bicep b/infra/core/host/container-apps-environment.bicep
@@ -26,7 +26,21 @@ module containerAppsEnvironment 'br/public:avm/res/app/managed-environment:0.11.
     location: location
     tags: tags
     zoneRedundant: false
-    publicNetworkAccess: 'Enabled'
+    publicNetworkAccess: usePrivateIngress ? 'Disabled' : 'Enabled'
+    workloadProfiles: usePrivateIngress
+      ? [
+          {
+            name: 'Consumption'
+            workloadProfileType: 'Consumption'
+          }
+          {
+            name: 'Warm'
+            workloadProfileType: 'D4'
+            minimumCount: 1
+            maximumCount: 3
+          }
+        ]
+      : []
     appLogsConfiguration: useLogging
       ? {
           destination: 'log-analytics'

diff --git a/infra/core/host/container-apps.bicep b/infra/core/host/container-apps.bicep
@@ -15,6 +15,8 @@ param subnetResourceId string = ''
 
 param usePrivateIngress bool = true
 
+param usePrivateAcr bool = false
+
 module containerAppsEnvironment 'container-apps-environment.bicep' = {
   name: '${name}-container-apps-environment'
   params: {
@@ -36,6 +38,7 @@ module containerRegistry 'container-registry.bicep' = {
     location: location
     tags: tags
     useVnet: !empty(vnetName)
+    usePrivateAcr: usePrivateAcr
   }
 }
 

diff --git a/infra/core/host/container-registry.bicep b/infra/core/host/container-registry.bicep
@@ -10,8 +10,8 @@ param encryption object = {
   status: 'disabled'
 }
 param networkRuleBypassOptions string = 'AzureServices'
-param publicNetworkAccess string = useVnet ? 'Disabled' : 'Enabled' // Public network access is disabled if VNet integration is enabled
 param useVnet bool = false // Determines if VNet integration is enabled
+param usePrivateAcr bool = false // Determines if public network access should be disabled
 param sku object = {
   name: useVnet ? 'Premium' : 'Standard' // Use Premium if VNet is required, otherwise Standard
 }
@@ -32,7 +32,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-pr
     dataEndpointEnabled: dataEndpointEnabled
     encryption: encryption
     networkRuleBypassOptions: networkRuleBypassOptions
-    publicNetworkAccess: publicNetworkAccess
+    publicNetworkAccess: usePrivateAcr ? 'Disabled' : 'Enabled'
     zoneRedundancy: zoneRedundancy
   }
 }