microsoft
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/docker-build-and-push.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docker-build-and-push.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/CustomizingAzdParameters.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/CustomizingAzdParameters.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/DeploymentGuide.md‎
Lines changed: 39 additions & 1 deletion b/‎docs/DeploymentGuide.md‎
Lines changed: 39 additions & 1 deletion
@@ -126,13 +126,13 @@ jobs:
           set -e
           # set image tag based on branch
           if [[ "${{ env.BRANCH_NAME }}" == "main" ]]; then
-            IMAGE_TAG="latest"
+            IMAGE_TAG="latest_waf"
           elif [[ "${{ env.BRANCH_NAME }}" == "dev" ]]; then
             IMAGE_TAG="dev"
           elif [[ "${{ env.BRANCH_NAME }}" == "demo" ]]; then
             IMAGE_TAG="demo"
           else
-            IMAGE_TAG="latest"
+            IMAGE_TAG="latest_waf"
           fi
 
           az deployment group create \
@@ -148,7 +148,7 @@ jobs:
                 gptDeploymentCapacity=${{ env.GPT_MIN_CAPACITY }} \
                 embeddingModel="text-embedding-ada-002" \
                 embeddingDeploymentCapacity=${{ env.TEXT_EMBEDDING_MIN_CAPACITY }} \
-                aiDeploymentsLocation=${{ env.AZURE_LOCATION }} \
+                azureAiServiceLocation=${{ env.AZURE_LOCATION }} \
                 imageTag="${IMAGE_TAG}"\
                 createdBy="Pipeline"
 
 
@@ -58,7 +58,7 @@ jobs:
         id: determine_tag
         run: |
           if [[ "${{ github.ref_name }}" == "main" ]]; then
-            echo "tagname=latest" >> $GITHUB_OUTPUT
+            echo "tagname=latest_waf" >> $GITHUB_OUTPUT
           elif [[ "${{ github.ref_name }}" == "dev" ]]; then
             echo "tagname=dev" >> $GITHUB_OUTPUT
           elif [[ "${{ github.ref_name }}" == "demo" ]]; then
 
@@ -18,7 +18,7 @@ By default this template will use the environment name as the prefix to prevent
 | `AZURE_ENV_OPENAI_API_VERSION`                 | string  | `2025-01-01-preview`                   | Specifies the API version for Azure OpenAI.                    |
 | `AZURE_ENV_MODEL_CAPACITY`             | integer | `30`                         | Sets the GPT model capacity (based on what's available in your subscription). |
 | `AZURE_ENV_EMBEDDING_MODEL_NAME`       | string  | `text-embedding-ada-002`   | Sets the name of the embedding model to use.                                  |
-| `AZURE_ENV_IMAGETAG`       | string  | `latest`   | Set the Image tag Like (allowed values: latest, dev, hotfix)                                   |
+| `AZURE_ENV_IMAGETAG`       | string  | `latest_waf`   | Set the Image tag Like (allowed values: latest_waf, dev, hotfix)                                   |
 | `AZURE_ENV_EMBEDDING_MODEL_CAPACITY`   | integer | `80`                         | Sets the capacity for the embedding model deployment.                         |
 | `AZURE_ENV_LOG_ANALYTICS_WORKSPACE_ID` | string  | Guide to get your [Existing Workspace ID](/docs/re-use-log-analytics.md)  | Reuses an existing Log Analytics Workspace instead of creating a new one.     |
 | `AZURE_EXISTING_AI_PROJECT_RESOURCE_ID`    | string  | Guid to get your existing AI Foundry Project resource ID           | Reuses an existing AIFoundry and AIFoundryProject instead of creating a new one.  |
 
@@ -22,7 +22,45 @@ Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
 
 This will allow the scripts to run for the current session without permanently changing your system's policy.
 
+## Deployment Options & Steps
+
+### Sandbox or WAF Aligned Deployment Options
+
+The [`infra`](../infra) folder of the Multi Agent Solution Accelerator contains the [`main.bicep`](../infra/main.bicep) Bicep script, which defines all Azure infrastructure components for this solution.
+
+By default, the `azd up` command uses the [`main.parameters.json`](../infra/main.parameters.json) file to deploy the solution. This file is pre-configured for a **sandbox environment** — ideal for development and proof-of-concept scenarios, with minimal security and cost controls for rapid iteration.
+
+For **production deployments**, the repository also provides [`main.waf.parameters.json`](../infra/main.waf.parameters.json), which applies a [Well-Architected Framework (WAF) aligned](https://learn.microsoft.com/en-us/azure/well-architected/) configuration. This option enables additional Azure best practices for reliability, security, cost optimization, operational excellence, and performance efficiency, such as:
+
+  - Enhanced network security (e.g., Network protection with private endpoints)
+  - Stricter access controls and managed identities
+  - Logging, monitoring, and diagnostics enabled by default
+  - Resource tagging and cost management recommendations
+
+**How to choose your deployment configuration:**
+
+* Use the default `main.parameters.json` file for a **sandbox/dev environment**
+* For a **WAF-aligned, production-ready deployment**, copy the contents of `main.waf.parameters.json` into `main.parameters.json` before running `azd up`
+
+---
+
+### VM Credentials Configuration
+
+By default, the solution sets the VM administrator username and password from environment variables.
+
+To set your own VM credentials before deployment, use:
+
+```sh
+azd env set AZURE_ENV_VM_ADMIN_USERNAME <your-username>
+azd env set AZURE_ENV_VM_ADMIN_PASSWORD <your-password>
+```
+
+> [!TIP]
+> Always review and adjust parameter values (such as region, capacity, security settings and log analytics workspace configuration) to match your organization’s requirements before deploying. For production, ensure you have sufficient quota and follow the principle of least privilege for all identities and role assignments.
+
 
+> [!IMPORTANT]
+> The WAF-aligned configuration is under active development. More Azure Well-Architected recommendations will be added in future updates.
 
 ## Deployment Options & Steps
 
@@ -111,7 +149,7 @@ When you start the deployment, most parameters will have **default values**, but
 | **GPT Model Deployment Capacity**    | Configure the capacity for **GPT model deployments** (in thousands).                          | `30k`                    |
 | **Embedding Model**                  | The embedding model used by the app.                                                          | `text-embedding-ada-002` |
 | **Embedding Model Capacity**         | Configure the capacity for **embedding model deployments** (in thousands).                    | `80k`                    |
-| **Image Tag**                        | Image version for deployment (allowed: `latest`, `dev`, `hotfix`).                            | `latest`                 |
+| **Image Tag**                        | Image version for deployment (allowed: `latest_waf`, `dev`, `hotfix`).                            | `latest_waf`                 |
 | **Existing Log Analytics Workspace** | If reusing a Log Analytics Workspace, specify the ID.                                         | *(none)*                 |