microsoft · Prajwal-Microsoft · Sep 18, 2025 · Jul 25, 2025 · Jul 25, 2025 · Jul 28, 2025
@@ -127,10 +127,10 @@ jobs:
         id: determine_tag
         run: |
           BRANCH=${{ github.ref_name }}
-          if [[ "$BRANCH" == "main" ]]; then TAG="latest"
+          if [[ "$BRANCH" == "main" ]]; then TAG="latest_waf"
           elif [[ "$BRANCH" == "dev" ]]; then TAG="dev"
           elif [[ "$BRANCH" == "demo" ]]; then TAG="demo"
-          else TAG="latest"; fi
+          else TAG="latest_waf"; fi
           echo "IMAGE_TAG=$TAG" >> $GITHUB_ENV
           echo "Image Tag: $TAG"
       - name: Deploy and extract values from deployment output
@@ -144,7 +144,7 @@ jobs:
           DEPLOY_OUTPUT=$(az deployment group create \
             --resource-group ${{ env.RESOURCE_GROUP_NAME }} \
             --template-file infra/main.bicep \
-            --parameters aiDeploymentsLocation=${{ env.AZURE_LOCATION }} solutionName=${{ env.SOLUTION_PREFIX }} cosmosLocation=westus gptDeploymentCapacity=${{ env.GPT_MIN_CAPACITY }} embeddingDeploymentCapacity=${{ env.TEXT_EMBEDDING_MIN_CAPACITY }} imageTag=${{ env.IMAGE_TAG }} createdBy="Pipeline" \
+            --parameters location=${{ env.AZURE_LOCATION }} azureAiServiceLocation=${{ env.AZURE_LOCATION }} solutionName=${{ env.SOLUTION_PREFIX }} cosmosLocation=westus gptModelCapacity=${{ env.GPT_MIN_CAPACITY }} embeddingDeploymentCapacity=${{ env.TEXT_EMBEDDING_MIN_CAPACITY }} containerImageTag=${{ env.IMAGE_TAG }} createdBy="Pipeline" \
             --query "properties.outputs" -o json)
 
           echo "Deployment output: $DEPLOY_OUTPUT"

@@ -52,7 +52,7 @@ jobs:
       id: determine_tag
       run: |
         if [[ "${{ github.ref_name }}" == "main" ]]; then
-          echo "tagname=latest" >> $GITHUB_OUTPUT
+          echo "tagname=latest_waf" >> $GITHUB_OUTPUT
         elif [[ "${{ github.ref_name }}" == "dev" ]]; then
           echo "tagname=dev" >> $GITHUB_OUTPUT
         elif [[ "${{ github.ref_name }}" == "demo" ]]; then

@@ -17,7 +17,7 @@ By default this template will use the environment name as the prefix to prevent
 | `AZURE_ENV_MODEL_CAPACITY`     | integer | `30`               | Set the model capacity for GPT deployment. Choose based on your Azure quota and usage needs.         |
 | `AZURE_ENV_EMBEDDING_MODEL_NAME`            | string  | `text-embedding-ada-002`  | Set the model name used for embeddings.                                                              |
 | `AZURE_ENV_EMBEDDING_MODEL_CAPACITY` | integer | `80`              | Set the capacity for embedding model deployment.                                                     |
-| `AZURE_ENV_IMAGETAG`                  | string  | `latest`            | Set the image tag (allowed values: `latest`, `dev`, `hotfix`).                                             |
+| `AZURE_ENV_IMAGETAG`                  | string  | `latest_waf`            | Set the image tag (allowed values: `latest_waf`, `dev`, `hotfix`).                                             |
 | `AZURE_LOCATION`            | string  | `<User selects during deployment>`         | Sets the Azure region for resource deployment.  |
 | `AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID`            | string  | Guide to get your [Existing Workspace ID](/docs/re-use-log-analytics.md)        | Reuses an existing Log Analytics Workspace instead of provisioning a new one.   |
 | `AZURE_EXISTING_AI_PROJECT_RESOURCE_ID`            | string  | `<Existing AI Foundry Project Resource Id>`         | Reuses an existing AI Foundry Project Resource Id instead of provisioning a new one.   |

@@ -14,19 +14,53 @@ Check the [Azure Products by Region](https://azure.microsoft.com/en-us/explore/g
 
 Here are some example regions where the services are available: East US, East US2, Australia East, UK South, France Central.
 
-
-### **Important: Check Azure OpenAI Quota Availability**
-
-⚠️ To ensure sufficient quota is available in your subscription, please follow [quota check instructions guide](./QuotaCheck.md) before you deploy the solution.
-
-
 ### [Optional] Quota Recommendations  
 By default, the **Gpt-4o-mini model capacity** in deployment is set to **30k tokens**, so we recommend updating the following:
 
 > **For Global Standard | GPT-4o-mini - increase the capacity to at least 150k tokens post-deployment for optimal performance.**
 
 Depending on your subscription quota and capacity, you can [adjust quota settings](AzureGPTQuotaSettings.md) to better meet your specific needs. You can also [adjust the deployment parameters](CustomizingAzdParameters.md) for additional optimization.
 
+## Deployment Options
+
+### Sandbox or WAF Aligned Deployment Options
+
+The [`infra`](../infra) folder of the Build-your-own-copilot-Solution-Accelerator contains the [`main.bicep`](../infra/main.bicep) Bicep script, which defines all Azure infrastructure components for this solution.
+
+By default, the `azd up` command uses the [`main.parameters.json`](../infra/main.parameters.json) file to deploy the solution. This file is pre-configured for a **sandbox environment** — ideal for development and proof-of-concept scenarios, with minimal security and cost controls for rapid iteration.
+
+For **production deployments**, the repository also provides [`main.waf.parameters.json`](../infra/main.waf.parameters.json), which applies a [Well-Architected Framework (WAF) aligned](https://learn.microsoft.com/en-us/azure/well-architected/) configuration. This option enables additional Azure best practices for reliability, security, cost optimization, operational excellence, and performance efficiency, such as:
+
+  - Enhanced network security (e.g., Network protection with private endpoints)
+  - Stricter access controls and managed identities
+  - Logging, monitoring, and diagnostics enabled by default
+  - Resource tagging and cost management recommendations
+
+**How to choose your deployment configuration:**
+
+* Use the default `main.parameters.json` file for a **sandbox/dev environment**
+* For a **WAF-aligned, production-ready deployment**, copy the contents of `main.waf.parameters.json` into `main.parameters.json` before running `azd up`
+
+---
+
+### VM Credentials Configuration
+
+By default, the solution sets the VM administrator username and password from environment variables.
+
+To set your own VM credentials before deployment, use:
+
+```sh
+azd env set AZURE_ENV_VM_ADMIN_USERNAME <your-username>
+azd env set AZURE_ENV_VM_ADMIN_PASSWORD <your-password>
+```
+
+> [!TIP]
+> Always review and adjust parameter values (such as region, capacity, security settings and log analytics workspace configuration) to match your organization’s requirements before deploying. For production, ensure you have sufficient quota and follow the principle of least privilege for all identities and role assignments.
+
+
+> [!IMPORTANT]
+> The WAF-aligned configuration is under active development. More Azure Well-Architected recommendations will be added in future updates.
+
 ## Deployment Options & Steps
 
 Pick from the options below to see step-by-step instructions for GitHub Codespaces, VS Code Dev Containers, and Local Environments.
@@ -114,7 +148,7 @@ When you start the deployment, most parameters will have **default values**, but
 | **GPT Model Deployment Capacity**    | Configure capacity for **GPT models**. Choose based on Azure OpenAI quota.                         | `30`                     |
 | **Embedding Model**                  | OpenAI embedding model used for vector similarity.                                                 | `text-embedding-ada-002` |
 | **Embedding Model Capacity**         | Set the capacity for **embedding models**. Choose based on usage and quota.                        | `80`                     |
-| **Image Tag**                        | The version of the Docker image to use (e.g., `latest`, `dev`, `hotfix`).                          | `latest`                 |
+| **Image Tag**                        | The version of the Docker image to use (e.g., `latest_waf`, `dev`, `hotfix`).                          | `latest_waf`                 |
 | **Azure OpenAI API Version**         | Set the API version for OpenAI model deployments.                                                  | `2025-04-01-preview`     |
 | **AZURE_LOCATION**                  | Sets the Azure region for resource deployment. | `<User selects during deployment>`              |
 | **Existing Log Analytics Workspace** | To reuse an existing Log Analytics Workspace ID instead of creating a new one.                     | *(empty)*                |