added dns for exisiting project

Author: AjitPadhi-Microsoft

infra/main.bicep

@@ -479,6 +479,46 @@ module existingAiFoundryAiServicesDeployments 'modules/ai-services-deployments.b
   }
 }
 
+// ========== Private Endpoint for Existing AI Services ========== //
+// Always create private endpoint when using existing AI Services with private networking enabled
+var shouldCreatePrivateEndpoint = useExistingAiFoundryAiProject && enablePrivateNetworking
+
+// Use existing DNS zones if provided, otherwise use newly created ones
+var privateDnsZoneIds = {
+      cognitiveServices: avmPrivateDnsZones[dnsZoneIndex.cognitiveServices]!.outputs.resourceId
+      openAI: avmPrivateDnsZones[dnsZoneIndex.openAI]!.outputs.resourceId
+      aiServices: avmPrivateDnsZones[dnsZoneIndex.aiServices]!.outputs.resourceId
+    }
+
+module existingAiServicesPrivateEndpoint 'modules/private-endpoint.bicep' = if (shouldCreatePrivateEndpoint) {
+  name: take('module.private-endpoint.${existingAiFoundryAiServices.name}', 64)
+  scope: resourceGroup()
+  params: {
+    name: 'pep-${existingAiFoundryAiServices.name}'
+    location: location
+    subnetResourceId: network!.outputs.subnetPrivateEndpointsResourceId
+    targetResourceId: existingAiFoundryAiServices.id
+    groupIds: ['account']
+    customNetworkInterfaceName: 'nic-${existingAiFoundryAiServices.name}'
+    tags: tags
+    privateDnsZoneGroupConfigs: [
+      {
+        name: 'ai-services-dns-zone-cognitiveservices'
+        privateDnsZoneResourceId: privateDnsZoneIds.cognitiveServices
+      }
+      {
+        name: 'ai-services-dns-zone-openai'
+        privateDnsZoneResourceId: privateDnsZoneIds.openAI
+      }
+      {
+        name: 'ai-services-dns-zone-aiservices'
+        privateDnsZoneResourceId: privateDnsZoneIds.aiServices
+      }
+    ]
+  }
+}
+
+
 module aiFoundryAiServices 'br:mcr.microsoft.com/bicep/avm/res/cognitive-services/account:0.13.2' = if (!useExistingAiFoundryAiProject) {
   name: take('avm.res.cognitive-services.account.${aiFoundryAiServicesResourceName}', 64)
   params: {
@@ -584,7 +624,7 @@ module aiFoundryAiServicesProject 'modules/ai-project.bicep' = if (!useExistingA
 }
 
 var aiFoundryAiProjectEndpoint = useExistingAiFoundryAiProject
-  ? existingAiFoundryAiServicesProject!.properties.endpoints['AI Foundry API']
+  ? 'https://${aiFoundryAiServicesResourceName}.services.ai.azure.com/api/projects/${aiFoundryAiProjectResourceName}'
   : aiFoundryAiServicesProject!.outputs.apiEndpoint
 
 // ========== Search Service to AI Services Role Assignment ========== //

infra/modules/private-endpoint.bicep

@@ -0,0 +1,75 @@
+// ========== Private Endpoint Module ========== //
+@description('Name of the private endpoint')
+param name string
+
+@description('Location for the private endpoint')
+param location string = resourceGroup().location
+
+@description('Subnet resource ID where the private endpoint will be created')
+param subnetResourceId string
+
+@description('Resource ID of the target resource for the private endpoint')
+param targetResourceId string
+
+@description('Group IDs for the private endpoint connection')
+param groupIds array = ['account']
+
+@description('Custom network interface name for the private endpoint')
+param customNetworkInterfaceName string = ''
+
+@description('Private DNS zone group configurations')
+param privateDnsZoneGroupConfigs array = []
+
+@description('Tags to apply to the private endpoint')
+param tags object = {}
+
+// ========== Private Endpoint Resource ========== //
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-05-01' = {
+  name: name
+  location: location
+  tags: tags
+  properties: {
+    subnet: {
+      id: subnetResourceId
+    }
+    privateLinkServiceConnections: [
+      {
+        name: name
+        properties: {
+          privateLinkServiceId: targetResourceId
+          groupIds: groupIds
+        }
+      }
+    ]
+    customNetworkInterfaceName: !empty(customNetworkInterfaceName) ? customNetworkInterfaceName : null
+  }
+}
+
+// ========== Private DNS Zone Group ========== //
+resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-05-01' = if (!empty(privateDnsZoneGroupConfigs)) {
+  name: 'default'
+  parent: privateEndpoint
+  properties: {
+    privateDnsZoneConfigs: [
+      for config in privateDnsZoneGroupConfigs: {
+        name: config.name
+        properties: {
+          privateDnsZoneId: config.privateDnsZoneResourceId
+        }
+      }
+    ]
+  }
+}
+
+// ========== Outputs ========== //
+@description('Resource ID of the private endpoint')
+output resourceId string = privateEndpoint.id
+
+@description('Name of the private endpoint')
+output name string = privateEndpoint.name
+
+@description('Location of the private endpoint')
+output location string = privateEndpoint.location
+
+@description('Network interface resource IDs associated with the private endpoint')
+output networkInterfaceResourceIds array = privateEndpoint.properties.networkInterfaces

infra/scripts/process_sample_data.sh

@@ -12,34 +12,30 @@ aif_resource_id="${8}"
 
 # Global variables to track original network access states
 original_storage_public_access=""
-original_storage_default_action=""
 original_keyvault_public_access=""
 original_foundry_public_access=""
 aif_resource_group=""
 aif_account_resource_id=""
+aif_subscription_id=""
 
 # Function to enable public network access temporarily
 enable_public_access() {
     echo "=== Temporarily enabling public network access for services ==="
 
     # Enable public access for Storage Account
-    echo "Enabling public access for Storage Account: $storageAccount"
     original_storage_public_access=$(az storage account show \
         --name "$storageAccount" \
         --resource-group "$resourceGroupName" \
         --query "publicNetworkAccess" \
         -o tsv)
-    original_storage_default_action=$(az storage account show \
-        --name "$storageAccount" \
-        --resource-group "$resourceGroupName" \
-        --query "networkRuleSet.defaultAction" \
-        -o tsv)
 
     if [ "$original_storage_public_access" != "Enabled" ]; then
+        echo "Enabling public access for Storage Account: $storageAccount"
         az storage account update \
             --name "$storageAccount" \
             --resource-group "$resourceGroupName" \
             --public-network-access Enabled \
+            --default-action Allow \
             --output none
         if [ $? -eq 0 ]; then
             echo "✓ Storage Account public access enabled"
@@ -50,46 +46,28 @@ enable_public_access() {
     else
         echo "✓ Storage Account public access already enabled"
     fi
-    
-    # Also ensure the default network action allows access
-    if [ "$original_storage_default_action" != "Allow" ]; then
-        echo "Setting Storage Account network default action to Allow"
-        az storage account update \
-            --name "$storageAccount" \
-            --resource-group "$resourceGroupName" \
-            --default-action Allow \
-            --output none
-        if [ $? -eq 0 ]; then
-            echo "✓ Storage Account network default action set to Allow"
-        else
-            echo "✗ Failed to set Storage Account network default action"
-            return 1
-        fi
-    else
-        echo "✓ Storage Account network default action already set to Allow"
-    fi
 
     # Enable public access for AI Foundry
-    # Extract the account resource ID (remove /projects/... part if present)
     aif_account_resource_id=$(echo "$aif_resource_id" | sed 's|/projects/.*||')
-    aif_resource_name=$(basename "$aif_account_resource_id")
-    # Extract resource group from the AI Foundry account resource ID
     aif_resource_group=$(echo "$aif_account_resource_id" | sed -n 's|.*/resourceGroups/\([^/]*\)/.*|\1|p')
-    
-    original_foundry_public_access=$(az cognitiveservices account show \
-        --name "$aif_resource_name" \
-        --resource-group "$aif_resource_group" \
+    # Extract subscription ID from AI Foundry resource ID
+    aif_subscription_id=$(echo "$aif_account_resource_id" | sed -n 's|.*/subscriptions/\([^/]*\)/.*|\1|p')
+
+    original_foundry_public_access=$(MSYS_NO_PATHCONV=1 az resource show \
+        --ids "$aif_account_resource_id" \
+        --subscription "$aif_subscription_id" \
+        --api-version 2024-10-01 \
         --query "properties.publicNetworkAccess" \
         --output tsv)
     if [ -z "$original_foundry_public_access" ] || [ "$original_foundry_public_access" = "null" ]; then
         echo "⚠ Info: Could not retrieve AI Foundry network access status."
         echo "  AI Foundry network access might be managed differently."
     elif [ "$original_foundry_public_access" != "Enabled" ]; then
-        echo "Current AI Foundry public access: $original_foundry_public_access"
-        echo "Enabling public access for AI Foundry resource: $aif_resource_name (Resource Group: $aif_resource_group)"
+        echo "Enabling public access for AI Foundry: $aif_resource_group"
         if MSYS_NO_PATHCONV=1 az resource update \
             --ids "$aif_account_resource_id" \
             --api-version 2024-10-01 \
+            --subscription "$aif_subscription_id" \
             --set properties.publicNetworkAccess=Enabled \
             --set properties.apiProperties.qnaAzureSearchEndpointKey="" \
             --output none; then
@@ -100,24 +78,21 @@ enable_public_access() {
     else
         echo "✓ AI Foundry public access already enabled"
     fi
-
-    # Wait a bit for changes to take effect
-    echo "Waiting for network access changes to propagate..."
-    sleep 10
 
     # Enable public access for Key Vault
-    echo "Enabling public access for Key Vault: $keyvaultName"
     original_keyvault_public_access=$(az keyvault show \
         --name "$keyvaultName" \
         --resource-group "$resourceGroupName" \
         --query "properties.publicNetworkAccess" \
         -o tsv)
 
     if [ "$original_keyvault_public_access" != "Enabled" ]; then
+        echo "Enabling public access for Key Vault: $keyvaultName"
         az keyvault update \
             --name "$keyvaultName" \
             --resource-group "$resourceGroupName" \
             --public-network-access Enabled \
+            --default-action Allow \
             --output none
         if [ $? -eq 0 ]; then
             echo "✓ Key Vault public access enabled"
@@ -131,7 +106,6 @@ enable_public_access() {
 
     # Additional wait for all changes to propagate fully
     echo "Allowing additional time for all network access changes to propagate..."
-    echo "Note: Changes may take up to 5 minutes to fully appear in Azure Portal"
     sleep 30
     echo "=== Public network access configuration completed ==="
     return 0
@@ -154,6 +128,7 @@ restore_network_access() {
             --name "$storageAccount" \
             --resource-group "$resourceGroupName" \
             --public-network-access "$restore_value" \
+            --default-action Deny \
             --output none
         if [ $? -eq 0 ]; then
             echo "✓ Storage Account access restored"
@@ -164,23 +139,6 @@ restore_network_access() {
         echo "Storage Account access unchanged (already at desired state)"
     fi
 
-    # Restore Storage Account network default action
-    if [ -n "$original_storage_default_action" ] && [ "$original_storage_default_action" != "Allow" ]; then
-        echo "Restoring Storage Account network default action to: $original_storage_default_action"
-        az storage account update \
-            --name "$storageAccount" \
-            --resource-group "$resourceGroupName" \
-            --default-action "$original_storage_default_action" \
-            --output none
-        if [ $? -eq 0 ]; then
-            echo "✓ Storage Account network default action restored"
-        else
-            echo "✗ Failed to restore Storage Account network default action"
-        fi
-    else
-        echo "Storage Account network default action unchanged (already at desired state)"
-    fi
-    
     # Restore Key Vault access
     if [ -n "$original_keyvault_public_access" ] && [ "$original_keyvault_public_access" != "Enabled" ]; then
         echo "Restoring Key Vault public access to: $original_keyvault_public_access"
@@ -194,6 +152,7 @@ restore_network_access() {
             --name "$keyvaultName" \
             --resource-group "$resourceGroupName" \
             --public-network-access "$restore_value" \
+            --default-action Deny \
             --output none
         if [ $? -eq 0 ]; then
             echo "✓ Key Vault access restored"
@@ -211,6 +170,7 @@ restore_network_access() {
         if MSYS_NO_PATHCONV=1 az resource update \
             --ids "$aif_account_resource_id" \
             --api-version 2024-10-01 \
+            --subscription "$aif_subscription_id" \
             --set properties.publicNetworkAccess="$original_foundry_public_access" \
             --set properties.apiProperties.qnaAzureSearchEndpointKey="" \
             --set properties.networkAcls.bypass="AzureServices" \
@@ -272,7 +232,6 @@ if [ -z "$aif_resource_id" ]; then
 fi
 
 # Get subscription id from azd env or from environment variable
-
 azSubscriptionId=$(azd env get-value AZURE_SUBSCRIPTION_ID) || azSubscriptionId="$AZURE_SUBSCRIPTION_ID"
 
 # Check if all required arguments are provided