diff --git a/docs/CustomizingAzdParameters.md b/docs/CustomizingAzdParameters.md index 79830249a..d573e3240 100644 --- a/docs/CustomizingAzdParameters.md +++ b/docs/CustomizingAzdParameters.md @@ -13,7 +13,7 @@ By default this template will use the environment name as the prefix to prevent | `AZURE_ENV_OPENAI_LOCATION` | string | `` | Specifies the region for OpenAI resource deployment. | | `AZURE_ENV_MODEL_DEPLOYMENT_TYPE` | string | `GlobalStandard` | Defines the deployment type for the AI model (e.g., Standard, GlobalStandard). | | `AZURE_ENV_MODEL_NAME` | string | `gpt-4o` | Specifies the name of the GPT model to be deployed. | -| `AZURE_ENV_FOUNDRY_PROJECT_ID` | string | `` | Set this if you want to reuse an AI Foundry Project instead of creating a new one. | +| `AZURE_EXISTING_AI_PROJECT_RESOURCE_ID` | string | `` | Set this if you want to reuse an AI Foundry Project instead of creating a new one. | | `AZURE_ENV_MODEL_VERSION` | string | `2024-08-06` | Version of the GPT model to be used for deployment. | | `AZURE_ENV_MODEL_CAPACITY` | int | `150` | Sets the GPT model capacity. | | `AZURE_ENV_IMAGETAG` | string | `latest` | Docker image tag used for container deployments. | diff --git a/docs/DeploymentGuide.md b/docs/DeploymentGuide.md index ce9e88f08..9c8de2184 100644 --- a/docs/DeploymentGuide.md +++ b/docs/DeploymentGuide.md @@ -61,6 +61,23 @@ By default, the `azd up` command uses the [`main.parameters.json`](../infra/main For **production deployments**, the repository also provides [`main.waf.parameters.json`](../infra/main.waf.parameters.json), which applies a [Well-Architected Framework (WAF) aligned](https://learn.microsoft.com/en-us/azure/well-architected/) configuration. This option enables additional Azure best practices for reliability, security, cost optimization, operational excellence, and performance efficiency, such as: + **Prerequisite** — Enable the Microsoft.Compute/EncryptionAtHost feature for every subscription (and region, if required) where you plan to deploy VMs or VM scale sets with `encryptionAtHost: true`. Repeat the registration steps below for each target subscription (and for each region when applicable). This step is required for **WAF-aligned** (production) deployments. + + Steps to enable the feature: + 1. Set the target subscription: + Run: az account set --subscription "<YourSubscriptionId>" + 2. Register the feature (one time per subscription): + Run: az feature register --name EncryptionAtHost --namespace Microsoft.Compute + 3. Wait until registration completes and shows "Registered": + Run: az feature show --name EncryptionAtHost --namespace Microsoft.Compute --query properties.state -o tsv + 4. Refresh the provider (if required): + Run: az provider register --namespace Microsoft.Compute + 5. Re-run the deployment after registration is complete. + + Note: Feature registration can take several minutes. Ensure the feature is registered before attempting deployments that require encryptionAtHost. + + Reference: Azure Host Encryption — https://learn.microsoft.com/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli + - Enhanced network security (e.g., Network protection with private endpoints) - Stricter access controls and managed identities - Logging, monitoring, and diagnostics enabled by default diff --git a/docs/re-use-foundry-project.md b/docs/re-use-foundry-project.md index c29ac5d8a..7d33dfb98 100644 --- a/docs/re-use-foundry-project.md +++ b/docs/re-use-foundry-project.md @@ -36,7 +36,7 @@ In the left-hand menu of the project blade: ### 6. Set the Foundry Project Resource ID in Your Environment Run the following command in your terminal ```bash -azd env set AZURE_ENV_FOUNDRY_PROJECT_ID '' +azd env set AZURE_EXISTING_AI_PROJECT_RESOURCE_ID '' ``` Replace `` with the value obtained from Step 5. diff --git a/infra/main.bicep b/infra/main.bicep index 790f0b09b..dd7a907aa 100644 --- a/infra/main.bicep +++ b/infra/main.bicep @@ -232,7 +232,7 @@ module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0 features: { enableLogAccessUsingOnlyResourcePermissions: true } diagnosticSettings: [{ useThisWorkspace: true }] // WAF aligned configuration for Redundancy - dailyQuotaGb: enableRedundancy ? 10 : null //WAF recommendation: 10 GB per day is a good starting point for most workloads + dailyQuotaGb: enableRedundancy ? 150 : null //WAF recommendation: 150 GB per day is a good starting point for most workloads replication: enableRedundancy ? { enabled: true @@ -799,6 +799,26 @@ module windowsVmDataCollectionRules 'br/public:avm/res/insights/data-collection- name: 'perfCounterDataSource60' } ] + windowsEventLogs: [ + { + name: 'SecurityAuditEvents' + streams: [ + 'Microsoft-WindowsEvent' + ] + eventLogName: 'Security' + eventTypes: [ + { + eventType: 'Audit Success' + } + { + eventType: 'Audit Failure' + } + ] + xPathQueries: [ + 'Security!*[System[(EventID=4624 or EventID=4625)]]' + ] + } + ] } destinations: { logAnalytics: [ @@ -856,7 +876,7 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:0.17.0' = if (e bypassPlatformSafetyChecksOnUserSchedule: true maintenanceConfigurationResourceId: maintenanceConfiguration!.outputs.resourceId enableAutomaticUpdates: true - encryptionAtHost: false + encryptionAtHost: true availabilityZone: virtualMachineAvailabilityZone proximityPlacementGroupResourceId: proximityPlacementGroup!.outputs.resourceId imageReference: { @@ -1498,6 +1518,7 @@ module webSite 'modules/web-sites.bicep' = { vnetImagePullEnabled: enablePrivateNetworking ? true : false virtualNetworkSubnetId: enablePrivateNetworking ? virtualNetwork!.outputs.subnetResourceIds[4] : null publicNetworkAccess: 'Enabled' // Always enabling the public network access for Web App + e2eEncryptionEnabled: true } } diff --git a/infra/main.parameters.json b/infra/main.parameters.json index 14965085a..0fc46a65b 100644 --- a/infra/main.parameters.json +++ b/infra/main.parameters.json @@ -36,7 +36,7 @@ "value": "${AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID}" }, "existingAiFoundryAiProjectResourceId": { - "value": "${AZURE_ENV_FOUNDRY_PROJECT_ID}" + "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}" } } } \ No newline at end of file diff --git a/infra/main.waf.parameters.json b/infra/main.waf.parameters.json index c6fd16c49..67a9916c4 100644 --- a/infra/main.waf.parameters.json +++ b/infra/main.waf.parameters.json @@ -51,7 +51,26 @@ "value": "${AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID}" }, "existingAiFoundryAiProjectResourceId": { - "value": "${AZURE_ENV_FOUNDRY_PROJECT_ID}" + "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}" + }, + "allowedFqdnList": { + "value": [ + "mcr.microsoft.com", + "openai.azure.com", + "cognitiveservices.azure.com", + "login.microsoftonline.com", + "management.azure.com", + "aiinfra.azure.com", + "aiinfra.azure.net", + "aiinfra.azureedge.net", + "blob.core.windows.net", + "database.windows.net", + "vault.azure.net", + "monitoring.azure.com", + "dc.services.visualstudio.com", + "azconfig.io", + "azconfig.azure.net" + ] } } } \ No newline at end of file diff --git a/infra/modules/web-sites.bicep b/infra/modules/web-sites.bicep index 520f33669..022e82b15 100644 --- a/infra/modules/web-sites.bicep +++ b/infra/modules/web-sites.bicep @@ -207,6 +207,7 @@ resource app 'Microsoft.Web/sites@2024-04-01' = { vnetImagePullEnabled: vnetImagePullEnabled vnetRouteAllEnabled: vnetRouteAllEnabled scmSiteAlsoStopped: scmSiteAlsoStopped + // Always enforce end to end encryption endToEndEncryptionEnabled: e2eEncryptionEnabled dnsConfiguration: dnsConfiguration autoGeneratedDomainNameLabelScope: autoGeneratedDomainNameLabelScope diff --git a/infra/old/08-2025/main.parameters.json b/infra/old/08-2025/main.parameters.json index 16b465617..efab1db7f 100644 --- a/infra/old/08-2025/main.parameters.json +++ b/infra/old/08-2025/main.parameters.json @@ -40,7 +40,7 @@ "value": "${AZURE_ENV_MODEL_CAPACITY}" }, "existingFoundryProjectResourceId": { - "value": "${AZURE_ENV_FOUNDRY_PROJECT_ID}" + "value": "${AZURE_EXISTING_AI_PROJECT_RESOURCE_ID}" }, "imageTag": { "value": "${AZURE_ENV_IMAGE_TAG}"