feat: Restrict backend Container App to private access in WAF deployment #904

Open
Prajwal-Microsoft wants to merge 11 commits into dev-v4 from feature/39249-waf-api-private-access

@Prajwal-Microsoft
Contributor

Purpose

When enablePrivateNetworking (WAF mode) is active, the backend Container App was still publicly accessible via external ingress. This PR restricts the backend to internal-only access while keeping the frontend Web App publicly reachable.

Changes

Infrastructure (infra/main.bicep & infra/main_custom.bicep):

  • Container App Environment: Set internal: true and publicNetworkAccess: 'Disabled' in WAF mode
  • Container App ingress: Set ingressExternal: false in WAF mode (internal-only)
  • Frontend App Service: Added PROXY_API_REQUESTS env var to enable server-side proxying

Frontend (src/frontend/):

  • frontend_server.py: Added httpx-based reverse proxy for /api/* routes in WAF mode. /config endpoint returns same-origin /api URL so browser calls frontend instead of backend directly
  • requirements.txt: Added httpx dependency

Architecture (WAF mode)

Browser -> Frontend App (public) -> FastAPI /api/* proxy -> VNet -> Container App (internal ingress)

Non-WAF deployments are unchanged.

Resolves AB#39249

Does this introduce a breaking change?

  • Yes
  • No

How to Test

# Copy WAF params and deploy
cp infra/main.waf.parameters.json infra/main.parameters.json
azd up

Verify:

  • Backend Container App FQDN is not reachable from public internet
  • Frontend App https://app-{suffix}.azurewebsites.net -> 200 OK
  • /config endpoint returns /api (same-origin) in WAF mode

What to Check

  • Backend Container App is not publicly accessible in WAF deployment
  • Frontend Web App is publicly accessible
  • Multi-agent automation features work end-to-end
  • Non-WAF deployment still works as before

Other Information

Related PRs: microsoft/customer-chatbot-solution-accelerator#173
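
Added example (not code from this PR or its repository): two checks a server-side /api/* proxy like the one described above needs before forwarding into the VNet, namely pinning the upstream origin and path, and dropping hop-by-hop headers. `BACKEND_BASE`, the host name and both function names are assumptions, as is forwarding the `/api` prefix unchanged.

```python
import posixpath
from urllib.parse import quote, unquote, urlsplit

# Constructed value; in the deployment this would be the internal Container App URL.
BACKEND_BASE = "https://backend.internal.example"

# Headers a proxy must not forward as-is, plus Host and Content-Length, which
# the outgoing HTTP client sets for the upstream request.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade", "host", "content-length",
}


def build_upstream_url(request_path: str, query: str = "", base: str = BACKEND_BASE) -> str:
    """Map a browser path under /api to the fixed backend origin, or raise ValueError."""
    origin = urlsplit(base)
    if origin.scheme not in ("http", "https") or not origin.netloc:
        raise ValueError("backend base must be an absolute http(s) URL")
    decoded = unquote(request_path)
    if "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        raise ValueError("backslash or control character in path")
    # Resolve "." and ".." before the prefix check so /api/../x cannot escape.
    normalized = posixpath.normpath(decoded)
    if normalized != "/api" and not normalized.startswith("/api/"):
        raise ValueError("path is outside /api")
    # Scheme and host always come from configuration, never from the request.
    url = f"{origin.scheme}://{origin.netloc}{quote(normalized)}"
    return f"{url}?{query}" if query else url


def filter_request_headers(headers: dict) -> dict:
    """Drop hop-by-hop headers and any header named in the Connection header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    named = {t.strip().lower() for t in lowered.get("connection", "").split(",") if t.strip()}
    drop = HOP_BY_HOP | named
    return {k: v for k, v in headers.items() if k.lower() not in drop}


if __name__ == "__main__":
    print(build_upstream_url("/api/v4/tasks", "page=2"))
    print(filter_request_headers({"Host": "app.example", "Accept": "application/json"}))
```

The returned URL and header dict are what would be handed to the HTTP client call; response headers need the same hop-by-hop filtering on the way back to the browser.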

Vamshi-Microsoft and others added 11 commits March 18, 2026 13:34
ci: refactor notification email templates
ci: update email subjects to include status icons
test: updated the testcases to the latest agent framework. Dev v4 to main
fix: Dev v4 to main merge
When enablePrivateNetworking (WAF mode) is active:
- Set Container App Environment to internal with public access disabled
- Set Container App ingress to internal (not externally accessible)
- Frontend Python server proxies /api/* requests to backend over VNet
- /config endpoint returns same-origin /api URL in WAF mode
- Non-WAF deployments remain unchanged (direct public API access)

Resolves AB#39249

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
5 participants