Private Endpoint for App Service (Azure#144)

Author: hudua

azresources/compute/web/appservice-linux-container.bicep

@@ -28,6 +28,16 @@ param aiIKey string
 @description('Virtual Network Integration Subnet Resource Id.')
 param vnetIntegrationSubnetId string
 
+@description('Whether to deploy private endpoint for inbound traffic')
+param enablePrivateEndpoint bool
+
+@description('Private DNS Zone Resource Id.')
+param privateZoneId string
+
+@description('Private endpoint subnet ID')
+param privateEndpointSubnetId string
+
+
 // Linux Web App with Virtual Network Integration
 resource app 'Microsoft.Web/sites@2021-02-01' = {
   name: name
@@ -74,3 +84,39 @@ resource app 'Microsoft.Web/sites@2021-02-01' = {
     }
   }
 }
+
+
+resource appservice_linuxcontainer_pe 'Microsoft.Network/privateEndpoints@2020-06-01' = if (enablePrivateEndpoint) {
+  location: resourceGroup().location
+  name: '${app.name}-endpoint'
+  properties: {
+    subnet: {
+      id: privateEndpointSubnetId
+    }
+    privateLinkServiceConnections: [
+      {
+        name: '${app.name}-endpoint'
+        properties: {
+          privateLinkServiceId: app.id
+          groupIds: [
+            'sites'
+          ]
+        }
+      }
+    ]
+  }
+
+  resource appservice_pe_dns_reg 'privateDnsZoneGroups@2020-06-01' = {
+    name: 'default'
+    properties: {
+      privateDnsZoneConfigs: [
+        {
+          name: 'privatelink_azure_websites_net'
+          properties: {
+            privateDnsZoneId: privateZoneId
+          }
+        }
+      ]
+    }
+  }
+}

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/8c6e48a4-4c73-4a1f-9f95-9447804f2c98_machinelearning_canadacentral.json

@@ -96,7 +96,8 @@
       "value": {
         "enabled": true,
         "skuName": "P1V2",
-        "skuTier": "Premium"
+        "skuTier": "Premium",
+        "enablePrivateEndpoint": true
       }
     },
     "sqldb": {

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/ec6c5689-db04-4f1e-b76d-834a51dd0e27_machinelearning_canadacentral.json

@@ -103,7 +103,8 @@
       "value": {
         "enabled": true,
         "skuName": "P1V2",
-        "skuTier": "Premium"
+        "skuTier": "Premium",
+        "enablePrivateEndpoint": true
       }
     },
     "sqldb": {

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f08c3057-1713-4a6f-b7e6-0df355b60c30_machinelearning_canadacentral.json

@@ -103,7 +103,8 @@
       "value": {
         "enabled": true,
         "skuName": "P1V2",
-        "skuTier": "Premium"
+        "skuTier": "Premium",
+        "enablePrivateEndpoint": true
       }
     },
     "sqldb": {

config/subscriptions/CanadaESLZ-main/pubsec/LandingZones/DevTest/f459218a-e8bb-49c9-b768-ee6828a144aa_machinelearning_canadacentral.json

@@ -103,7 +103,8 @@
       "value": {
         "enabled": true,
         "skuName": "P1V2",
-        "skuTier": "Premium"
+        "skuTier": "Premium",
+        "enablePrivateEndpoint": true
       }
     },
     "sqldb": {

docs/archetypes/machinelearning.md

@@ -89,8 +89,6 @@ Subscription can be moved to a target Management Group through Azure ARM Templat
 | Monitoring | Application Insights - Application performance and monitoring cloud service | - | [Azure Docs](https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview)
 
 
-> For App Service, for using the SKU tier `Premium` to support private endpoints, it may require a quota increase.
-
 The intended cloud service workflows and data movements for this archetype include:
 
 1. Data can be ingested from various sources using Data Factory, which uses managed virtual network for its Azure hosted integration runtime.
@@ -131,10 +129,12 @@ Once the machine learning archetype is deployed and available to use, access con
 | Azure Storage Account for Azure ML | Network ACL deny | Private endpoint on `blob`, `file` + DNS registration to either hub or spoke | `privateEndpoints`|
 | Azure Data Factory | Public network access disabled, Azure integration runtime with managed virtual network | Private endpoint on `dataFactory` + DNS registration to either hub or spoke | `privateEndpoints`|
 | Azure Kubernetes Service | Private cluster, network profile set with either kubenet or Azure CNI | N/A | `aks`|
-| Azure App Service | Virtual Network integration | N/A | `appService` | 
+| Azure App Service | Virtual Network integration. Public network access can be disabled, using private endpoint instead | Private endpoint on `azureWebsites` + DNS registration to either hub or spoke | `appService`, `privateEndpoints` | 
 | Azure Container Registry | Network ACL deny, public network access disabled | Private endpoint on `registry` + DNS registration to either hub or spoke | `privateEndpoints`|f
 | Azure Application Insights | N/A | N/A | N/A |
 
+> For App Service, private endpoint requires the SKU tier `Premium`: https://docs.microsoft.com/azure/app-service/networking/private-endpoint so this may require a quota increase.
+
 This archetype also has the following security features as options for deployment:
 
 * Customer managed keys for encryption at rest, including Azure ML, storage, Container Registry, Data Factory, SQL Database / Managed Instance, and Kubernetes Service.
@@ -272,7 +272,7 @@ Reference implementation uses parameter files with `object` parameters to consol
 | Deployment with AKS using Network Plugin: Azure CNI + Network Policy: Calico | [tests/schemas/lz-machinelearning/AKS-AzureCNI-Calico.json](../../tests/schemas/lz-machinelearning/AKS-AzureCNI-Calico.json) | `parameters.aks.value.networkPlugin`  equals ***azure***, `parameters.aks.value.networkPlugin`  equals ***calico***, `parameters.aks.value.podCidr` is ***empty***, `parameters.aks.value.serviceCidr` is filled, `parameters.aks.value.dnsServiceIP` is filled and `parameters.aks.value.dockerBridgeCidr`  is filled |
 | Deployment with AKS using Network Plugin: Azure CNI + Network Policy: Azure | [tests/schemas/lz-machinelearning/AKS-AzureCNI-AzureNP.json](../../tests/schemas/lz-machinelearning/AKS-AzureCNI-AzureNP.json) | `parameters.aks.value.networkPlugin`  equals ***azure***, `parameters.aks.value.networkPlugin`  equals ***azure***, `parameters.aks.value.podCidr` is ***empty***, `parameters.aks.value.serviceCidr` is filled, `parameters.aks.value.dnsServiceIP` is filled and `parameters.aks.value.dockerBridgeCidr`  is filled |
 | Deployment without Azure App Service for Linux Containers | [tests/schemas/lz-machinelearning/AppServiceLinuxContainerIsFalse.json](../../tests/schemas/lz-machinelearning/AppServiceLinuxContainerIsFalse.json) | `parameters.appServiceLinuxContainer.value.enabled` is false. |
-
+| Deployment with Azure App Service for Linux Containers without Private Endpoint| [tests/schemas/lz-machinelearning/AppServiceLinuxContainerPrivateEndpointIsFalse.json](../../tests/schemas/lz-machinelearning/AppServiceLinuxContainerPrivateEndpointIsFalse.json) | `parameters.appServiceLinuxContainer.value.enabled` is true, `parameters.appServiceLinuxContainer.value.sku{Name,Tier}` are filled, and `parameters.appServiceLinuxContainer.value.enablePrivateEndpoint` is false. |
 ### Example Deployment Parameters
 
 This example configures:
@@ -418,7 +418,8 @@ This example configures:
       "value": {
         "enabled": true,
         "skuName": "P1V2",
-        "skuTier": "Premium"
+        "skuTier": "Premium",
+        "enablePrivateEndpoint": true
       }
     },
     "aml": {

docs/media/architecture/archetype-machinelearning-networking.jpg

@@ -414,7 +414,10 @@ module appServiceLC '../../azresources/compute/web/appservice-linux-container.bi
     storageId: dataLakeMetaData.outputs.storageId
 
     vnetIntegrationSubnetId: networking.outputs.appServiceSubnetId
-    
+    enablePrivateEndpoint: appServiceLinuxContainer.enablePrivateEndpoint
+    privateEndpointSubnetId: networking.outputs.privateEndpointSubnetId
+    privateZoneId: networking.outputs.asPrivateDnsZoneId
+
     tags: resourceTags
   }
 }

landingzones/lz-machinelearning/lz.bicep

@@ -584,6 +584,21 @@ module privatezone_acr '../../azresources/network/private-dns-zone.bicep' = {
   }
 }
 
+module privatezone_as '../../azresources/network/private-dns-zone.bicep' = {
+  name: 'deploy-privatezone-as'
+  scope: resourceGroup()
+  params: {
+    zone: 'privatelink.azurewebsites.net'
+    vnetId: vnet.id
+
+    dnsCreateNewZone: !hubNetwork.privateDnsManagedByHub
+    dnsLinkToVirtualNetwork: !hubNetwork.privateDnsManagedByHub || (hubNetwork.privateDnsManagedByHub && !usingCustomDNSServers)
+    dnsExistingZoneSubscriptionId: hubNetwork.privateDnsManagedByHubSubscriptionId
+    dnsExistingZoneResourceGroupName: hubNetwork.privateDnsManagedByHubResourceGroupName
+    registrationEnabled: false
+  }
+}
+
 module privatezone_datalake_blob '../../azresources/network/private-dns-zone.bicep' = {
   name: 'deploy-privatezone-blob'
   scope: resourceGroup()
@@ -698,5 +713,6 @@ output sqlDBPrivateDnsZoneId string = privatezone_sqldb.outputs.privateDnsZoneId
 output amlApiPrivateDnsZoneId string = privatezone_azureml_api.outputs.privateDnsZoneId
 output amlNotebooksPrivateDnsZoneId string = privatezone_azureml_notebook.outputs.privateDnsZoneId
 output aksPrivateDnsZoneId string = privatezone_aks.outputs.privateDnsZoneId
+output asPrivateDnsZoneId string = privatezone_as.outputs.privateDnsZoneId
 
 output aksUdrNAme string = udrAKS.name

landingzones/lz-machinelearning/networking.bicep

@@ -22,12 +22,20 @@
                 },
                 "skuTier": {
                   "type": "string"
+                },
+                "enablePrivateEndpoint": {
+                  "type": "boolean",
+                  "enum": [
+                    true,
+                    false
+                  ]
                 }
               },
               "required": [
                 "enabled",
                 "skuName",
-                "skuTier"
+                "skuTier",
+                "enablePrivateEndpoint"
               ]
             },
             {