Roopan-Microsoft
Collaborator

Purpose

  • This pull request introduces several important updates to the deployment documentation and infrastructure templates, primarily focused on improving security, compliance with best practices, and parameter consistency across the codebase. Key changes include enforcing encryption and logging standards, updating environment variable names for clarity, and enhancing network configuration for production deployments.

Security and Compliance Improvements:

  • Enabled host-based encryption for virtual machines by setting encryptionAtHost: true in infra/main.bicep, and updated the documentation to require Microsoft.Compute/EncryptionAtHost feature registration for WAF-aligned deployments. [1] [2]
  • Increased the default daily quota for Log Analytics workspace to 150 GB for WAF-aligned redundancy, supporting larger workloads and compliance.
  • Added collection of Windows Security Audit Events (success/failure for Event IDs 4624 and 4625) to data collection rules for improved monitoring.
  • Enforced end-to-end encryption for web applications by setting e2eEncryptionEnabled: true in infra/main.bicep and wiring it to the web app resource. [1] [2]

Parameter and Documentation Consistency:

  • Standardized the environment variable for referencing an existing AI Foundry project from AZURE_ENV_FOUNDRY_PROJECT_ID to AZURE_EXISTING_AI_PROJECT_RESOURCE_ID across documentation and parameter files, improving clarity and reducing confusion. [1] [2] [3] [4]

Production Network Configuration:

  • Added an explicit list of allowed FQDNs (allowedFqdnList) to the WAF-aligned deployment parameters for stricter outbound network control in production environments.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

NirajC-Microsoft and others added 30 commits September 8, 2025 16:58
Removed duplicate lines explaining the DeploymentNotFound issue and its avoidance.
Added guidance for resolving BadRequest errors related to failed provisioning of Azure Cosmos DB accounts.
Updated the summary of troubleshooting steps to include 'SpecialFeatureOrQuotaIdRequired'.
@Roopan-Microsoft Roopan-Microsoft marked this pull request as ready for review September 22, 2025 05:20
@Roopan-Microsoft Roopan-Microsoft changed the title Dev chore: merging dev changes to main branch Sep 22, 2025
@Roopan-Microsoft Roopan-Microsoft merged commit 71d7c60 into main Sep 22, 2025
15 of 16 checks passed

🎉 This PR is included in version 2.2.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
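
A check for the security settings listed in the pull request description, as an added example that is not part of the pull request or the project's code. It assumes a flat, compiled ARM template (the JSON `bicep build` emits) and the resource-provider property names `securityProfile.encryptionAtHost`, `endToEndEncryptionEnabled` and `windowsEventLogs[].xPathQueries`; the mapping from the description's `e2eEncryptionEnabled` parameter to `endToEndEncryptionEnabled` is an assumption, and the sample template is constructed.

```python
import re

# Constructed sample template; not taken from infra/main.bicep.
SAMPLE = {"resources": [
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-jumpbox",
     "properties": {"securityProfile": {"encryptionAtHost": True}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-legacy",
     "properties": {}},
    {"type": "Microsoft.Web/sites", "name": "app-web",
     "properties": {"endToEndEncryptionEnabled": False}},
    {"type": "Microsoft.Insights/dataCollectionRules", "name": "dcr-vm",
     "properties": {"dataSources": {"windowsEventLogs": [
         {"name": "security", "streams": ["Microsoft-Event"],
          "xPathQueries": ["Security!*[System[(EventID=4624)]]"]}]}}},
]}

REQUIRED_EVENT_IDS = ("4624", "4625")  # logon success / logon failure

def audit(template):
    """Return (resource name, finding) pairs for controls that are missing."""
    res = template.get("resources", [])
    # Symbolic-name templates store resources as an object, not an array.
    resources = list(res.values()) if isinstance(res, dict) else res
    findings = []
    for r in resources:
        rtype = r.get("type", "").lower()
        props = r.get("properties", {})
        name = r.get("name", "<unnamed>")
        if rtype == "microsoft.compute/virtualmachines":
            # Only a literal true passes; template expressions need manual review.
            if props.get("securityProfile", {}).get("encryptionAtHost") is not True:
                findings.append((name, "encryptionAtHost is not true"))
        elif rtype == "microsoft.web/sites":
            if props.get("endToEndEncryptionEnabled") is not True:
                findings.append((name, "endToEndEncryptionEnabled is not true"))
        elif rtype == "microsoft.insights/datacollectionrules":
            logs = props.get("dataSources", {}).get("windowsEventLogs", [])
            queries = [q for src in logs for q in src.get("xPathQueries", [])
                       if q.startswith("Security!")]
            for eid in REQUIRED_EVENT_IDS:
                if not any(re.search(rf"EventID\s*=\s*{eid}\b", q) for q in queries):
                    findings.append((name, f"Security event {eid} not collected"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Resources deployed through nested module deployments are not visited by this check; it inspects only the top-level `resources` of the template it is given.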
