Revert template 15 to upstream and add template 19 (hybrid private resources)

- Reverted 15-private-network-standard-agent-setup to match upstream/main exactly
- Added 19-hybrid-private-resources-agent-setup: hybrid architecture with public
  AI Services endpoint and private backend resources (AI Search, Cosmos DB, Storage)
- Template 19 enables portal-based agent testing while keeping data resources private
- Includes TESTING-GUIDE.md, test scripts, and architecture diagrams in template 19

Author: djetchev

infrastructure/infrastructure-setup-bicep/15-private-network-standard-agent-setup/TESTING-GUIDE.md

@@ -5,13 +5,13 @@
     "_generator": {
       "name": "bicep",
       "version": "0.39.26.7824",
-      "templateHash": "3024624923779287280"
+      "templateHash": "16616047834738415823"
     }
   },
   "parameters": {
     "location": {
       "type": "string",
-      "defaultValue": "eastus2",
+      "defaultValue": "eastus",
       "allowedValues": [
         "westus",
         "eastus",
@@ -50,7 +50,7 @@
     },
     "modelName": {
       "type": "string",
-      "defaultValue": "gpt-4o",
+      "defaultValue": "gpt-4.1",
       "metadata": {
         "description": "The name of the model you want to deploy"
       }
@@ -64,7 +64,7 @@
     },
     "modelVersion": {
       "type": "string",
-      "defaultValue": "2024-11-20",
+      "defaultValue": "2025-04-14",
       "metadata": {
         "description": "The version of your model"
       }

infrastructure/infrastructure-setup-bicep/15-private-network-standard-agent-setup/azuredeploy.json

@@ -30,18 +30,18 @@ Standard Setup Network Secured Steps for main.bicep
   'switzerlandnorth'
   'norwayeast'
 ])
-param location string = 'eastus2'
+param location string = 'eastus'
 
 @description('Name for your AI Services resource.')
 param aiServices string = 'aiservices'
 
 // Model deployment parameters
 @description('The name of the model you want to deploy')
-param modelName string = 'gpt-4o'
+param modelName string = 'gpt-4.1'
 @description('The provider of your model')
 param modelFormat string = 'OpenAI'
 @description('The version of your model')
-param modelVersion string = '2024-11-20'
+param modelVersion string = '2025-04-14'
 @description('The sku of your model deployment')
 param modelSkuName string = 'GlobalStandard'
 @description('The tokens per minute (TPM) of your model deployment')
@@ -71,9 +71,6 @@ param agentSubnetName string = 'agent-subnet'
 @description('The name of Private Endpoint subnet to create new or existing subnet for private endpoints')
 param peSubnetName string = 'pe-subnet'
 
-@description('The name of MCP subnet for user-deployed Container Apps (e.g., MCP servers)')
-param mcpSubnetName string = 'mcp-subnet'
-
 //Existing standard Agent required resources
 @description('Existing Virtual Network name Resource ID')
 param existingVnetResourceId string = ''
@@ -87,19 +84,13 @@ param agentSubnetPrefix string = ''
 @description('Address prefix for the private endpoint subnet')
 param peSubnetPrefix string = ''
 
-@description('Address prefix for the MCP subnet. The default value is 192.168.2.0/24.')
-param mcpSubnetPrefix string = ''
-
 @description('The AI Search Service full ARM Resource ID. This is an optional field, and if not provided, the resource will be created.')
 param aiSearchResourceId string = ''
 @description('The AI Storage Account full ARM Resource ID. This is an optional field, and if not provided, the resource will be created.')
 param azureStorageAccountResourceId string = ''
 @description('The Cosmos DB Account full ARM Resource ID. This is an optional field, and if not provided, the resource will be created.')
 param azureCosmosDBAccountResourceId string = ''
 
-@description('The Microsoft Fabric Workspace full ARM Resource ID. This is an optional field for Fabric private link connectivity.')
-param fabricWorkspaceResourceId string = ''
-
 //New Param for resource group of Private DNS zones
 //@description('Optional: Resource group containing existing private DNS zones. If specified, DNS zones will not be created.')
 //param existingDnsZonesResourceGroup string = ''
@@ -108,11 +99,10 @@ param fabricWorkspaceResourceId string = ''
 param existingDnsZones object = {
   'privatelink.services.ai.azure.com': ''
   'privatelink.openai.azure.com': ''
-  'privatelink.cognitiveservices.azure.com': ''
-  'privatelink.search.windows.net': ''
-  'privatelink.blob.core.windows.net': ''
-  'privatelink.documents.azure.com': ''
-  'privatelink.analysis.windows.net': ''
+  'privatelink.cognitiveservices.azure.com': ''               
+  'privatelink.search.windows.net': ''           
+  'privatelink.blob.core.windows.net': ''                            
+  'privatelink.documents.azure.com': ''                       
 }
 
 @description('Zone Names for Validation of existing Private Dns Zones')
@@ -123,9 +113,9 @@ param dnsZoneNames array = [
   'privatelink.search.windows.net'
   'privatelink.blob.core.windows.net'
   'privatelink.documents.azure.com'
-  'privatelink.analysis.windows.net'
 ]
 
+
 var projectName = toLower('${firstProjectName}${uniqueSuffix}')
 var cosmosDBName = toLower('${aiServices}${uniqueSuffix}cosmosdb')
 var aiSearchName = toLower('${aiServices}${uniqueSuffix}search')
@@ -137,6 +127,7 @@ var searchPassedIn = aiSearchResourceId != ''
 var cosmosPassedIn = azureCosmosDBAccountResourceId != ''
 var existingVnetPassedIn = existingVnetResourceId != ''
 
+
 var acsParts = split(aiSearchResourceId, '/')
 var aiSearchServiceSubscriptionId = searchPassedIn ? acsParts[2] : subscription().subscriptionId
 var aiSearchServiceResourceGroupName = searchPassedIn ? acsParts[4] : resourceGroup().name
@@ -168,11 +159,9 @@ module vnet 'modules-network-secured/network-agent-vnet.bicep' = {
     existingVnetResourceGroupName: vnetResourceGroupName
     agentSubnetName: agentSubnetName
     peSubnetName: peSubnetName
-    mcpSubnetName: mcpSubnetName
     vnetAddressPrefix: vnetAddressPrefix
     agentSubnetPrefix: agentSubnetPrefix
     peSubnetPrefix: peSubnetPrefix
-    mcpSubnetPrefix: mcpSubnetPrefix
     existingVnetSubscriptionId: vnetSubscriptionId
   }
 }
@@ -231,20 +220,18 @@ module aiDependencies 'modules-network-secured/standard-dependent-resources.bice
     // Cosmos DB Account
     cosmosDBResourceId: azureCosmosDBAccountResourceId
     cosmosDBExists: validateExistingResources.outputs.cosmosDBExists
-  }
+    }
 }
 
 resource storage 'Microsoft.Storage/storageAccounts@2022-05-01' existing = {
   name: aiDependencies.outputs.azureStorageName
   scope: resourceGroup(azureStorageSubscriptionId, azureStorageResourceGroupName)
 }
 
+
 resource aiSearch 'Microsoft.Search/searchServices@2023-11-01' existing = {
   name: aiDependencies.outputs.aiSearchName
-  scope: resourceGroup(
-    aiDependencies.outputs.aiSearchServiceSubscriptionId,
-    aiDependencies.outputs.aiSearchServiceResourceGroupName
-  )
+  scope: resourceGroup(aiDependencies.outputs.aiSearchServiceSubscriptionId, aiDependencies.outputs.aiSearchServiceResourceGroupName)
 }
 
 resource cosmosDB 'Microsoft.DocumentDB/databaseAccounts@2024-11-15' existing = {
@@ -259,32 +246,31 @@ resource cosmosDB 'Microsoft.DocumentDB/databaseAccounts@2024-11-15' existing =
 // 3. Links private DNS zones to the VNet for name resolution
 // 4. Configures network policies to restrict access to private endpoints only
 module privateEndpointAndDNS 'modules-network-secured/private-endpoint-and-dns.bicep' = {
-  name: '${uniqueSuffix}-private-endpoint'
-  params: {
-    aiAccountName: aiAccount.outputs.accountName // AI Services to secure
-    aiSearchName: aiDependencies.outputs.aiSearchName // AI Search to secure
-    storageName: aiDependencies.outputs.azureStorageName // Storage to secure
-    cosmosDBName: aiDependencies.outputs.cosmosDBName
-    fabricWorkspaceResourceId: fabricWorkspaceResourceId // Microsoft Fabric workspace (optional)
-    vnetName: vnet.outputs.virtualNetworkName // VNet containing subnets
-    peSubnetName: vnet.outputs.peSubnetName // Subnet for private endpoints
-    suffix: uniqueSuffix // Unique identifier
-    vnetResourceGroupName: vnet.outputs.virtualNetworkResourceGroup
-    vnetSubscriptionId: vnet.outputs.virtualNetworkSubscriptionId // Subscription ID for the VNet
-    cosmosDBSubscriptionId: cosmosDBSubscriptionId // Subscription ID for Cosmos DB
-    cosmosDBResourceGroupName: cosmosDBResourceGroupName // Resource Group for Cosmos DB
-    aiSearchSubscriptionId: aiSearchServiceSubscriptionId // Subscription ID for AI Search Service
-    aiSearchResourceGroupName: aiSearchServiceResourceGroupName // Resource Group for AI Search Service
-    storageAccountResourceGroupName: azureStorageResourceGroupName // Resource Group for Storage Account
-    storageAccountSubscriptionId: azureStorageSubscriptionId // Subscription ID for Storage Account
-    existingDnsZones: existingDnsZones
-  }
-  dependsOn: [
-    aiSearch // Ensure AI Search exists
-    storage // Ensure Storage exists
-    cosmosDB // Ensure Cosmos DB exists
+    name: '${uniqueSuffix}-private-endpoint'
+    params: {
+      aiAccountName: aiAccount.outputs.accountName    // AI Services to secure
+      aiSearchName: aiDependencies.outputs.aiSearchName       // AI Search to secure
+      storageName: aiDependencies.outputs.azureStorageName        // Storage to secure
+      cosmosDBName:aiDependencies.outputs.cosmosDBName
+      vnetName: vnet.outputs.virtualNetworkName    // VNet containing subnets
+      peSubnetName: vnet.outputs.peSubnetName        // Subnet for private endpoints
+      suffix: uniqueSuffix                                    // Unique identifier
+      vnetResourceGroupName: vnet.outputs.virtualNetworkResourceGroup
+      vnetSubscriptionId: vnet.outputs.virtualNetworkSubscriptionId // Subscription ID for the VNet
+      cosmosDBSubscriptionId: cosmosDBSubscriptionId // Subscription ID for Cosmos DB
+      cosmosDBResourceGroupName: cosmosDBResourceGroupName // Resource Group for Cosmos DB
+      aiSearchSubscriptionId: aiSearchServiceSubscriptionId // Subscription ID for AI Search Service
+      aiSearchResourceGroupName: aiSearchServiceResourceGroupName // Resource Group for AI Search Service
+      storageAccountResourceGroupName: azureStorageResourceGroupName // Resource Group for Storage Account
+      storageAccountSubscriptionId: azureStorageSubscriptionId // Subscription ID for Storage Account
+      existingDnsZones: existingDnsZones
+    }
+    dependsOn: [
+    aiSearch      // Ensure AI Search exists
+    storage       // Ensure Storage exists
+    cosmosDB      // Ensure Cosmos DB exists
   ]
-}
+  }
 
 /*
   Creates a new project (sub-resource of the AI Services account)
@@ -313,10 +299,10 @@ module aiProject 'modules-network-secured/ai-project-identity.bicep' = {
     accountName: aiAccount.outputs.accountName
   }
   dependsOn: [
-    privateEndpointAndDNS
-    cosmosDB
-    aiSearch
-    storage
+     privateEndpointAndDNS
+     cosmosDB
+     aiSearch
+     storage
   ]
 }
 
@@ -338,8 +324,8 @@ module storageAccountRoleAssignment 'modules-network-secured/azure-storage-accou
     projectPrincipalId: aiProject.outputs.projectPrincipalId
   }
   dependsOn: [
-    storage
-    privateEndpointAndDNS
+   storage
+   privateEndpointAndDNS
   ]
 }
 
@@ -383,13 +369,13 @@ module addProjectCapabilityHost 'modules-network-secured/add-project-capability-
     projectCapHost: projectCapHost
   }
   dependsOn: [
-    aiSearch // Ensure AI Search exists
-    storage // Ensure Storage exists
-    cosmosDB
-    privateEndpointAndDNS
-    cosmosAccountRoleAssignments
-    storageAccountRoleAssignment
-    aiSearchRoleAssignments
+     aiSearch      // Ensure AI Search exists
+     storage       // Ensure Storage exists
+     cosmosDB
+     privateEndpointAndDNS
+     cosmosAccountRoleAssignments
+     storageAccountRoleAssignment
+     aiSearchRoleAssignments
   ]
 }
 
@@ -415,9 +401,10 @@ module cosmosContainerRoleAssignments 'modules-network-secured/cosmos-container-
     cosmosAccountName: aiDependencies.outputs.cosmosDBName
     projectWorkspaceId: formatProjectWorkspaceId.outputs.projectWorkspaceIdGuid
     projectPrincipalId: aiProject.outputs.projectPrincipalId
+
   }
-  dependsOn: [
-    addProjectCapabilityHost
-    storageContainersRoleAssignment
+dependsOn: [
+  addProjectCapabilityHost
+  storageContainersRoleAssignment
   ]
 }

infrastructure/infrastructure-setup-bicep/15-private-network-standard-agent-setup/main.bicep

@@ -1,12 +1,12 @@
 using './main.bicep'
 
-param location = 'norwayeast'
-param aiServices = 'djetchev'
+param location = 'eastus2'
+param aiServices = 'aiservices'
 param modelName = 'gpt-4o'
 param modelFormat = 'OpenAI'
 param modelVersion = '2024-11-20'
-param modelSkuName = 'Standard'
-param modelCapacity = 1
+param modelSkuName = 'GlobalStandard'
+param modelCapacity = 30
 param firstProjectName = 'project'
 param projectDescription = 'A project for the AI Foundry account with network secured deployed Agent'
 param displayName = 'project'
@@ -25,10 +25,10 @@ param azureCosmosDBAccountResourceId = ''
 param existingDnsZones = {
   'privatelink.services.ai.azure.com': ''
   'privatelink.openai.azure.com': ''
-  'privatelink.cognitiveservices.azure.com': ''
-  'privatelink.search.windows.net': ''
-  'privatelink.blob.core.windows.net': ''
-  'privatelink.documents.azure.com': ''
+  'privatelink.cognitiveservices.azure.com': ''               
+  'privatelink.search.windows.net': ''           
+  'privatelink.blob.core.windows.net': ''                            
+  'privatelink.documents.azure.com': ''                       
 }
 
 //DNSZones names for validating if they exist
@@ -41,6 +41,7 @@ param dnsZoneNames = [
   'privatelink.documents.azure.com'
 ]
 
+
 // Network configuration (behavior depends on `existingVnetResourceId`)
 //
 // - NEW VNet (existingVnetResourceId is empty):
@@ -64,3 +65,4 @@ param dnsZoneNames = [
 param vnetAddressPrefix = ''
 param agentSubnetPrefix = ''
 param peSubnetPrefix = ''
+

infrastructure/infrastructure-setup-bicep/15-private-network-standard-agent-setup/main.bicepparam

@@ -19,7 +19,7 @@ var roleDefinitionId = resourceId(
   '00000000-0000-0000-0000-000000000002'
 )
 
-var accountScope = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}'
+var accountScope = '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosAccountName}/dbs/enterprise_memory'
 
 resource containerRoleAssignmentUserContainer 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = {
   parent: cosmosAccount

infrastructure/infrastructure-setup-bicep/15-private-network-standard-agent-setup/modules-network-secured/cosmos-container-role-assignments.bicep

@@ -13,6 +13,7 @@ This module works with existing virtual networks and required subnets.
    - Private endpoint subnet for secure connectivity
 */
 
+
 @description('The name of the existing virtual network')
 param vnetName string
 
@@ -28,24 +29,17 @@ param agentSubnetName string = 'agent-subnet'
 @description('The name of Private Endpoint subnet')
 param peSubnetName string = 'pe-subnet'
 
-@description('The name of MCP subnet for user-deployed Container Apps')
-param mcpSubnetName string = 'mcp-subnet'
-
 @description('Address prefix for the agent subnet (only needed if creating new subnet)')
 param agentSubnetPrefix string = ''
 
 @description('Address prefix for the private endpoint subnet (only needed if creating new subnet)')
 param peSubnetPrefix string = ''
 
-@description('Address prefix for the MCP subnet (only needed if creating new subnet)')
-param mcpSubnetPrefix string = ''
-
 // Get the address space (array of CIDR strings)
 var vnetAddressSpace = existingVNet.properties.addressSpace.addressPrefixes[0]
 
 var agentSubnetSpaces = empty(agentSubnetPrefix) ? cidrSubnet(vnetAddressSpace, 24, 0) : agentSubnetPrefix
 var peSubnetSpaces = empty(peSubnetPrefix) ? cidrSubnet(vnetAddressSpace, 24, 1) : peSubnetPrefix
-var mcpSubnetSpaces = empty(mcpSubnetPrefix) ? cidrSubnet(vnetAddressSpace, 24, 2) : mcpSubnetPrefix
 
 // Reference the existing virtual network
 resource existingVNet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
@@ -84,32 +78,11 @@ module peSubnet 'subnet.bicep' = {
   }
 }
 
-// Create the MCP subnet for user-deployed Container Apps
-module mcpSubnet 'subnet.bicep' = {
-  name: 'mcp-subnet-${uniqueString(deployment().name, mcpSubnetName)}'
-  scope: resourceGroup(vnetResourceGroupName)
-  params: {
-    vnetName: vnetName
-    subnetName: mcpSubnetName
-    addressPrefix: mcpSubnetSpaces
-    delegations: [
-      {
-        name: 'Microsoft.App/environments'
-        properties: {
-          serviceName: 'Microsoft.App/environments'
-        }
-      }
-    ]
-  }
-}
-
 // Output variables
 output peSubnetName string = peSubnetName
 output agentSubnetName string = agentSubnetName
-output mcpSubnetName string = mcpSubnetName
 output agentSubnetId string = '${existingVNet.id}/subnets/${agentSubnetName}'
 output peSubnetId string = '${existingVNet.id}/subnets/${peSubnetName}'
-output mcpSubnetId string = '${existingVNet.id}/subnets/${mcpSubnetName}'
 output virtualNetworkName string = existingVNet.name
 output virtualNetworkId string = existingVNet.id
 output virtualNetworkResourceGroup string = vnetResourceGroupName