diff --git a/.gitignore b/.gitignore index 99b7b6f9c4..1ece5e3b1b 100644 --- a/.gitignore +++ b/.gitignore @@ -374,3 +374,7 @@ log *.csproj.user *.pyproj.user +.DS_Store +**/certbot/* +**/certbot.ini +**/Deployment-Manifest.json \ No newline at end of file diff --git a/docs/deployment/app-configuration-values.md b/docs/deployment/app-configuration-values.md index 83f3df1ad2..ffc59c3d2d 100644 --- a/docs/deployment/app-configuration-values.md +++ b/docs/deployment/app-configuration-values.md 
@@ -4,170 +4,170 @@ FoundationaLLM uses Azure App Configuration to store configuration values, Key V ## Configuration values -| Key | Default Value | Description | -| --- | ------------- | ----------- | -| `FoundationaLLM:AgentHub:AgentMetadata:StorageContainer` | agents | | -| `FoundationaLLM:AgentHub:StorageManager:BlobStorage:ConnectionString` | Key Vault secret name: `foundationallm-agenthub-storagemanager-blobstorage-connectionstring` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:AgentFactoryAPI:APIKey` | Key Vault secret name: `foundationallm-apis-agentfactoryapi-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:AgentFactoryAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:AgentFactoryAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:AgentFactoryAPI:ForceHttpsRedirection` | true | By default, the Agent Factory API forces HTTPS redirection. To override this behavior and allow it to handle HTTP requests, set this value to false. | -| `FoundationaLLM:APIs:AgentHubAPI:APIKey` | Key Vault secret name: `foundationallm-apis-agenthubapi-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:AgentHubAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:AgentHubAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:CoreAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:CoreAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:CoreAPI:BypassGatekeeper` | false | By default, the Core API does not bypass the Gatekeeper API. To override this behavior and allow it to bypass the Gatekeeper API, set this value to true. 
Beware that bypassing the Gatekeeper means that you bypass content protection and filtering in favor of improved performance. Make sure you understand the risks before setting this value to true. | -| `FoundationaLLM:APIs:DataSourceHubAPI:APIKey` | Key Vault secret name: `foundationallm-apis-datasourcehubapi-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:DataSourceHubAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:DataSourceHubAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:GatekeeperAPI:APIKey` | Key Vault secret name: `foundationallm-apis-gatekeeperapi-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:GatekeeperAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:GatekeeperAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:GatekeeperAPI:Configuration:EnableAzureContentSafety` | true | By default, the Gatekeeper API has Azure Content Safety integration enabled. To disable this feature, set this value to false. | -| `FoundationaLLM:APIs:GatekeeperAPI:Configuration:EnableMicrosoftPresidio` | true | By default, the Gatekeeper API has Microsoft Presidio integration enabled. To disable this feature, set this value to false. | -| `FoundationaLLM:APIs:GatekeeperAPI:ForceHttpsRedirection` | true | By default, the Gatekeeper API forces HTTPS redirection. To override this behavior and allow it to handle HTTP requests, set this value to false. | -| `FoundationaLLM:APIs:GatekeeperIntegrationAPI:APIKey` | Key Vault secret name: `foundationallm-apis-gatekeeperintegrationapi-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:GatekeeperIntegrationAPI:APIUrl` | Enter the URL to the service. 
| | -| `FoundationaLLM:APIs:LangChainAPI:APIKey` | Key Vault secret name: `foundationallm-apis-langchainapi-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:LangChainAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:LangChainAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:ManagementAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:ManagementAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:PromptHubAPI:APIKey` | Key Vault secret name: `foundationallm-apis-prompthubapi-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:PromptHubAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:PromptHubAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:SemanticKernelAPI:APIKey` | Key Vault secret name: `foundationallm-apis-semantickernelapi-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:APIs:SemanticKernelAPI:APIUrl` | Enter the URL to the service. | | -| `FoundationaLLM:APIs:SemanticKernelAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:AzureContentSafety:APIKey` | Key Vault secret name: `foundationallm-azurecontentsafety-apikey` | This is a Key Vault reference. | -| `FoundationaLLM:AzureContentSafety:APIUrl` | Enter the URL to the service. 
| | -| `FoundationaLLM:AzureContentSafety:HateSeverity` | 2 | | -| `FoundationaLLM:AzureContentSafety:SelfHarmSeverity` | 2 | | -| `FoundationaLLM:AzureContentSafety:SexualSeverity` | 2 | | -| `FoundationaLLM:AzureContentSafety:ViolenceSeverity` | 2 | | -| `FoundationaLLM:AzureOpenAI:API:Completions:DeploymentName` | completions | | -| `FoundationaLLM:AzureOpenAI:API:Completions:MaxTokens` | 8096 | | -| `FoundationaLLM:AzureOpenAI:API:Completions:ModelName` | gpt-35-turbo | | -| `FoundationaLLM:AzureOpenAI:API:Completions:ModelVersion` | 0301 | | -| `FoundationaLLM:AzureOpenAI:API:Completions:Temperature` | 0 | | -| `FoundationaLLM:AzureOpenAI:API:Embeddings:DeploymentName` | embeddings | | -| `FoundationaLLM:AzureOpenAI:API:Embeddings:MaxTokens` | 8191 | | -| `FoundationaLLM:AzureOpenAI:API:Embeddings:ModelName` | text-embedding-ada-002 | | -| `FoundationaLLM:AzureOpenAI:API:Embeddings:Temperature` | 0 | | -| `FoundationaLLM:AzureOpenAI:API:Endpoint` | Enter the URL to the service. | | -| `FoundationaLLM:AzureOpenAI:API:Key` | Key Vault secret name: `foundationallm-azureopenai-api-key` | This is a Key Vault reference. | -| `FoundationaLLM:AzureOpenAI:API:Version` | 2023-05-15 | | -| `FoundationaLLM:BlobStorageMemorySource:BlobStorageConnection` | Key Vault secret name: `foundationallm-blobstoragememorysource-blobstorageconnection` | This is a Key Vault reference. | -| `FoundationaLLM:BlobStorageMemorySource:BlobStorageContainer` | memory-source | | -| `FoundationaLLM:BlobStorageMemorySource:ConfigFilePath` | BlobMemorySourceConfig.json | | -| `FoundationaLLM:Branding:AccentColor` | #fff | | -| `FoundationaLLM:Branding:AccentTextColor` | #131833 | | -| `FoundationaLLM:Branding:AllowAgentSelection` | default, SDZWA | These are merely sample agent names. Define one or more agents configured for your environment. **Note:** This value corresponds with the `FoundationaLLM-AllowAgentHint` feature flag. 
If the feature flag is `true`, then the User Portal UI uses these values to provide agent hints to the Agent Hub in completions-based requests. Otherwise, these values are ignored. | -| `FoundationaLLM:Branding:BackgroundColor` | #fff | | -| `FoundationaLLM:Branding:CompanyName` | FoundationaLLM | | -| `FoundationaLLM:Branding:FavIconUrl` | favicon.ico | | -| `FoundationaLLM:Branding:KioskMode` | false | | -| `FoundationaLLM:Branding:LogoText` | | | -| `FoundationaLLM:Branding:LogoUrl` | foundationallm-logo-white.svg | | -| `FoundationaLLM:Branding:PageTitle` | FoundationaLLM Chat Copilot | | -| `FoundationaLLM:Branding:PrimaryColor` | #131833 | | -| `FoundationaLLM:Branding:PrimaryTextColor` | #fff | | -| `FoundationaLLM:Branding:SecondaryColor` | #334581 | | -| `FoundationaLLM:Branding:SecondaryTextColor` | #fff | | -| `FoundationaLLM:Branding:PrimaryButtonBackgroundColor` | #5472d4 | | -| `FoundationaLLM:Branding:PrimaryButtonTextColor` | #fff | | -| `FoundationaLLM:Branding:SecondaryButtonBackgroundColor` | #70829a | | -| `FoundationaLLM:Branding:SecondaryButtonTextColor` | #fff | | -| `FoundationaLLM:Chat:Entra:CallbackPath` | /signin-oidc | | -| `FoundationaLLM:Chat:Entra:ClientId` | | | -| `FoundationaLLM:Chat:Entra:ClientSecret` | Key Vault secret name: `foundationallm-chat-entra-clientsecret` | This is a Key Vault reference. | -| `FoundationaLLM:Chat:Entra:Instance` | Enter the URL to the service. | | -| `FoundationaLLM:Chat:Entra:Scopes` | api://FoundationaLLM-Auth/Data.Read | | -| `FoundationaLLM:Chat:Entra:TenantId` | | | -| `FoundationaLLM:CognitiveSearch:EndPoint` | Enter the URL to the service. | | -| `FoundationaLLM:CognitiveSearch:IndexName` | vector-index | | -| `FoundationaLLM:CognitiveSearch:Key` | Key Vault secret name: `foundationallm-cognitivesearch-key` | This is a Key Vault reference. 
| -| `FoundationaLLM:CognitiveSearch:MaxVectorSearchResults` | 10 | | -| `FoundationaLLM:CognitiveSearchMemorySource:BlobStorageConnection` | Key Vault secret name: `foundationallm-cognitivesearchmemorysource-blobstorageconnection` | This is a Key Vault reference. | -| `FoundationaLLM:CognitiveSearchMemorySource:BlobStorageContainer` | memory-source | | -| `FoundationaLLM:CognitiveSearchMemorySource:ConfigFilePath` | ACSMemorySourceConfig.json | | -| `FoundationaLLM:CognitiveSearchMemorySource:EndPoint` | Enter the URL to the service. | | -| `FoundationaLLM:CognitiveSearchMemorySource:IndexName` | vector-index | | -| `FoundationaLLM:CognitiveSearchMemorySource:Key` | Key Vault secret name: `foundationallm-cognitivesearchmemorysource-key` | This is a Key Vault reference. | -| `FoundationaLLM:CoreAPI:Entra:CallbackPath` | /signin-oidc | | -| `FoundationaLLM:CoreAPI:Entra:ClientId` | | | -| `FoundationaLLM:CoreAPI:Entra:ClientSecret` | Key Vault secret name: `foundationallm-coreapi-entra-clientsecret` | This is a Key Vault reference. | -| `FoundationaLLM:CoreAPI:Entra:Instance` | Enter the URL to the service. | | -| `FoundationaLLM:CoreAPI:Entra:Scopes` | Data.Read | | -| `FoundationaLLM:CoreAPI:Entra:TenantId` | | | -| `FoundationaLLM:CoreWorker:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | -| `FoundationaLLM:CosmosDB:ChangeFeedLeaseContainer` | leases | | -| `FoundationaLLM:CosmosDB:Containers` | Sessions, UserSessions | | -| `FoundationaLLM:CosmosDB:Database` | database | | -| `FoundationaLLM:CosmosDB:Endpoint` | Enter the URL to the service. | | -| `FoundationaLLM:CosmosDB:Key` | Key Vault secret name: `foundationallm-cosmosdb-key` | This is a Key Vault reference. 
| -| `FoundationaLLM:CosmosDB:MonitoredContainers` | Sessions | | -| `FoundationaLLM:DataSourceHub:DataSourceMetadata:StorageContainer` | data-sources | | -| `FoundationaLLM:DataSourceHub:StorageManager:BlobStorage:ConnectionString` | Key Vault secret name: `foundationallm-datasourcehub-storagemanager-blobstorage-connectionstring` | This is a Key Vault reference. | -| `FoundationaLLM:DataSources:AboutFoundationaLLM:BlobStorage:ConnectionString` | Key Vault secret name: `foundationallm-datasourcehub-storagemanager-blobstorage-connectionstring` | This is a Key Vault reference. | -| `FoundationaLLM:DurableSystemPrompt:BlobStorageConnection` | Key Vault secret name: `foundationallm-durablesystemprompt-blobstorageconnection` | This is a Key Vault reference. | -| `FoundationaLLM:DurableSystemPrompt:BlobStorageContainer` | system-prompt | | -| `FoundationaLLM:LangChain:CSVFile:URL` | Key Vault secret name: `foundationallm-langchain-csvfile-url` | This is a Key Vault reference. | -| `FoundationaLLM:LangChain:SQLDatabase:TestDB:Password` | Key Vault secret name: `foundationallm-langchain-sqldatabase-testdb-password` | This is a Key Vault reference. | -| `FoundationaLLM:LangChain:Summary:MaxTokens` | 4097 | | -| `FoundationaLLM:LangChain:Summary:ModelName` | gpt-35-turbo | | -| `FoundationaLLM:LangChainAPI:Key` | Key Vault secret name: `foundationallm-langchainapi-key` | This is a Key Vault reference. | -| `FoundationaLLM:Management:Entra:CallbackPath` | /signin-oidc | | -| `FoundationaLLM:Management:Entra:ClientId` | | | -| `FoundationaLLM:Management:Entra:ClientSecret` | Key Vault secret name: `foundationallm-management-entra-clientsecret` | This is a Key Vault reference. | -| `FoundationaLLM:Management:Entra:Instance` | Enter the URL to the service. 
| | -| `FoundationaLLM:Management:Entra:Scopes` | api://FoundationaLLM-Management-Auth/Data.Manage | | -| `FoundationaLLM:Management:Entra:TenantId` | | | -| `FoundationaLLM:ManagementAPI:Entra:ClientId` | | | -| `FoundationaLLM:ManagementAPI:Entra:ClientSecret` | Key Vault secret name: `foundationallm-managementapi-entra-clientsecret` | This is a Key Vault reference. | -| `FoundationaLLM:ManagementAPI:Entra:Instance` | Enter the URL to the service. | | -| `FoundationaLLM:ManagementAPI:Entra:Scopes` | Data.Manage | | -| `FoundationaLLM:ManagementAPI:Entra:TenantId` | | | -| `FoundationaLLM:OpenAI:API:Endpoint` | Enter the URL to the service. | | -| `FoundationaLLM:OpenAI:API:Key` | Key Vault secret name: `foundationallm-openai-api-key` | This is a Key Vault reference. | -| `FoundationaLLM:OpenAI:API:Temperature` | 0 | | -| `FoundationaLLM:PromptHub:PromptMetadata:StorageContainer` | system-prompt | | -| `FoundationaLLM:PromptHub:StorageManager:BlobStorage:ConnectionString` | Key Vault secret name: `foundationallm-prompthub-storagemanager-blobstorage-connectionstring` | This is a Key Vault reference. | -| `FoundationaLLM:Refinement` | | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI:Key` | Key Vault secret name: `foundationallm-semantickernelapi-openai-key` | This is a Key Vault reference. | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.ChatCompletionPromptName` | RetailAssistant.Default | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.CompletionsDeployment` | completions | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.CompletionsDeploymentMaxTokens` | 8096 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.EmbeddingsDeployment` | embeddings | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.EmbeddingsDeploymentMaxTokens` | 8191 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.Endpoint` | Enter the URL to the service. 
| | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.CompletionsMaxTokens` | 300 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.CompletionsMinTokens` | 50 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.MemoryMaxTokens` | 3000 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.MemoryMinTokens` | 1500 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.MessagesMaxTokens` | 3000 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.MessagesMinTokens` | 100 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.SystemMaxTokens` | 1500 | | -| `FoundationaLLM:SemanticKernelAPI:OpenAI.ShortSummaryPromptName` | Summarizer.TwoWords | | -| `FoundationaLLM:APIs:VectorizationAPI:APIUrl` | | The URL of the vectorization API. | -| `FoundationaLLM:APIs:VectorizationAPI:APIKey` | Key Vault secret name: `foundationallm-apis-vectorizationapi-apikey` | The API key of the vectorization API. | -| `FoundationaLLM:APIs:VectorizationAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | The connection string to the Application Insights instance used by the vectorization API. | -| `FoundationaLLM:APIs:VectorizationWorker:APIUrl` | | The URL of the vectorization worker API. | -| `FoundationaLLM:APIs:VectorizationWorker:APIKey` | Key Vault secret name: `foundationallm-apis-vectorizationworker-apikey` | The API key of the vectorization worker API. | -| `FoundationaLLM:APIs:VectorizationWorker:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | The connection string to the Application Insights instance used by the vectorization worker API. | -| `FoundationaLLM:Vectorization:VectorizationWorker` | | The settings used by each instance of the vectorization worker service. 
For more details, see [default vectorization worker settings](../setup-guides/vectorization/vectorization-worker.md#default-vectorization-worker-settings) | -| `FoundationaLLM:Vectorization:Queues:Embed:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-queues-connectionstring` | The connection string to the Azure Storage account used for the embed vectorization queue. | -| `FoundationaLLM:Vectorization:Queues:Extract:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-queues-connectionstring` | The connection string to the Azure Storage account used for the extract vectorization queue. | -| `FoundationaLLM:Vectorization:Queues:Index:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-queues-connectionstring` | The connection string to the Azure Storage account used for the index vectorization queue. | -| `FoundationaLLM:Vectorization:Queues:Partition:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-queues-connectionstring` | The connection string to the Azure Storage account used for the partition vectorization queue. | -| `FoundationaLLM:Vectorization:StateService:Storage:AuthenticationType` | | The authentication type used to connect to the underlying storage. Can be one of `AzureIdentity`, `AccountKey`, or `ConnectionString`. | -| `FoundationaLLM:Vectorization:StateService:Storage:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-state-connectionstring` | The connection string to the Azure Storage account used for the vectorization state service. | -| `FoundationaLLM:Vectorization:ResourceProviderService:Storage:AuthenticationType` | | The authentication type used to connect to the underlying storage. Can be one of `AzureIdentity`, `AccountKey`, or `ConnectionString`. 
| -| `FoundationaLLM:Vectorization:ResourceProviderService:Storage:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-resourceprovider-storage-connectionstring` | The connection string to the Azure Storage account used for the vectorization state service. | +| Key | Default Value | Description | +| --------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `FoundationaLLM:AgentHub:AgentMetadata:StorageContainer` | agents | | +| `FoundationaLLM:AgentHub:StorageManager:BlobStorage:ConnectionString` | Key Vault secret name: `foundationallm-agenthub-storagemanager-blobstorage-connectionstring` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:AgentFactoryAPI:APIKey` | Key Vault secret name: `foundationallm-apis-agentfactoryapi-apikey` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:AgentFactoryAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:AgentFactoryAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:AgentFactoryAPI:ForceHttpsRedirection` | true | By default, the Agent Factory API forces HTTPS redirection. To override this behavior and allow it to handle HTTP requests, set this value to false. | +| `FoundationaLLM:APIs:AgentHubAPI:APIKey` | Key Vault secret name: `foundationallm-apis-agenthubapi-apikey` | This is a Key Vault reference. 
| +| `FoundationaLLM:APIs:AgentHubAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:AgentHubAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:CoreAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:CoreAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:CoreAPI:BypassGatekeeper` | false | By default, the Core API does not bypass the Gatekeeper API. To override this behavior and allow it to bypass the Gatekeeper API, set this value to true. Beware that bypassing the Gatekeeper means that you bypass content protection and filtering in favor of improved performance. Make sure you understand the risks before setting this value to true. | +| `FoundationaLLM:APIs:DataSourceHubAPI:APIKey` | Key Vault secret name: `foundationallm-apis-datasourcehubapi-apikey` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:DataSourceHubAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:DataSourceHubAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:GatekeeperAPI:APIKey` | Key Vault secret name: `foundationallm-apis-gatekeeperapi-apikey` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:GatekeeperAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:GatekeeperAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:GatekeeperAPI:Configuration:EnableAzureContentSafety` | true | By default, the Gatekeeper API has Azure Content Safety integration enabled. To disable this feature, set this value to false. 
| +| `FoundationaLLM:APIs:GatekeeperAPI:Configuration:EnableMicrosoftPresidio` | true | By default, the Gatekeeper API has Microsoft Presidio integration enabled. To disable this feature, set this value to false. | +| `FoundationaLLM:APIs:GatekeeperAPI:ForceHttpsRedirection` | true | By default, the Gatekeeper API forces HTTPS redirection. To override this behavior and allow it to handle HTTP requests, set this value to false. | +| `FoundationaLLM:APIs:GatekeeperIntegrationAPI:APIKey` | Key Vault secret name: `foundationallm-apis-gatekeeperintegrationapi-apikey` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:GatekeeperIntegrationAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:LangChainAPI:APIKey` | Key Vault secret name: `foundationallm-apis-langchainapi-apikey` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:LangChainAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:LangChainAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:ManagementAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:ManagementAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:PromptHubAPI:APIKey` | Key Vault secret name: `foundationallm-apis-prompthubapi-apikey` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:PromptHubAPI:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:APIs:PromptHubAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:SemanticKernelAPI:APIKey` | Key Vault secret name: `foundationallm-apis-semantickernelapi-apikey` | This is a Key Vault reference. | +| `FoundationaLLM:APIs:SemanticKernelAPI:APIUrl` | Enter the URL to the service. 
| | +| `FoundationaLLM:APIs:SemanticKernelAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. | +| `FoundationaLLM:AzureContentSafety:APIKey` | Key Vault secret name: `foundationallm-azurecontentsafety-apikey` | This is a Key Vault reference. | +| `FoundationaLLM:AzureContentSafety:APIUrl` | Enter the URL to the service. | | +| `FoundationaLLM:AzureContentSafety:HateSeverity` | 2 | | +| `FoundationaLLM:AzureContentSafety:SelfHarmSeverity` | 2 | | +| `FoundationaLLM:AzureContentSafety:SexualSeverity` | 2 | | +| `FoundationaLLM:AzureContentSafety:ViolenceSeverity` | 2 | | +| `FoundationaLLM:AzureOpenAI:API:Completions:DeploymentName` | completions | | +| `FoundationaLLM:AzureOpenAI:API:Completions:MaxTokens` | 8096 | | +| `FoundationaLLM:AzureOpenAI:API:Completions:ModelName` | gpt-35-turbo | | +| `FoundationaLLM:AzureOpenAI:API:Completions:ModelVersion` | 0301 | | +| `FoundationaLLM:AzureOpenAI:API:Completions:Temperature` | 0 | | +| `FoundationaLLM:AzureOpenAI:API:Embeddings:DeploymentName` | embeddings | | +| `FoundationaLLM:AzureOpenAI:API:Embeddings:MaxTokens` | 8191 | | +| `FoundationaLLM:AzureOpenAI:API:Embeddings:ModelName` | text-embedding-ada-002 | | +| `FoundationaLLM:AzureOpenAI:API:Embeddings:Temperature` | 0 | | +| `FoundationaLLM:AzureOpenAI:API:Endpoint` | Enter the URL to the service. | | +| `FoundationaLLM:AzureOpenAI:API:Key` | Key Vault secret name: `foundationallm-azureopenai-api-key` | This is a Key Vault reference. | +| `FoundationaLLM:AzureOpenAI:API:Version` | 2023-05-15 | | +| `FoundationaLLM:BlobStorageMemorySource:BlobStorageConnection` | Key Vault secret name: `foundationallm-blobstoragememorysource-blobstorageconnection` | This is a Key Vault reference. 
| +| `FoundationaLLM:BlobStorageMemorySource:BlobStorageContainer` | memory-source | | +| `FoundationaLLM:BlobStorageMemorySource:ConfigFilePath` | BlobMemorySourceConfig.json | | +| `FoundationaLLM:Branding:AccentColor` | #fff | | +| `FoundationaLLM:Branding:AccentTextColor` | #131833 | | +| `FoundationaLLM:Branding:AllowAgentSelection` | default, SDZWA | These are merely sample agent names. Define one or more agents configured for your environment. **Note:** This value corresponds with the `FoundationaLLM-AllowAgentHint` feature flag. If the feature flag is `true`, then the User Portal UI uses these values to provide agent hints to the Agent Hub in completions-based requests. Otherwise, these values are ignored. | +| `FoundationaLLM:Branding:BackgroundColor` | #fff | | +| `FoundationaLLM:Branding:CompanyName` | FoundationaLLM | | +| `FoundationaLLM:Branding:FavIconUrl` | favicon.ico | | +| `FoundationaLLM:Branding:KioskMode` | false | | +| `FoundationaLLM:Branding:LogoText` | | | +| `FoundationaLLM:Branding:LogoUrl` | foundationallm-logo-white.svg | | +| `FoundationaLLM:Branding:PageTitle` | FoundationaLLM Chat Copilot | | +| `FoundationaLLM:Branding:PrimaryColor` | #131833 | | +| `FoundationaLLM:Branding:PrimaryTextColor` | #fff | | +| `FoundationaLLM:Branding:SecondaryColor` | #334581 | | +| `FoundationaLLM:Branding:SecondaryTextColor` | #fff | | +| `FoundationaLLM:Branding:PrimaryButtonBackgroundColor` | #5472d4 | | +| `FoundationaLLM:Branding:PrimaryButtonTextColor` | #fff | | +| `FoundationaLLM:Branding:SecondaryButtonBackgroundColor` | #70829a | | +| `FoundationaLLM:Branding:SecondaryButtonTextColor` | #fff | | +| `FoundationaLLM:Chat:Entra:CallbackPath` | /signin-oidc | | +| `FoundationaLLM:Chat:Entra:ClientId` | | | +| `FoundationaLLM:Chat:Entra:ClientSecret` | Key Vault secret name: `foundationallm-chat-entra-clientsecret` | This is a Key Vault reference. | +| `FoundationaLLM:Chat:Entra:Instance` | Enter the URL to the service. 
| | +| `FoundationaLLM:Chat:Entra:Scopes` | api://FoundationaLLM-Auth/Data.Read | | +| `FoundationaLLM:Chat:Entra:TenantId` | | | +| `FoundationaLLM:CognitiveSearch:EndPoint` | Enter the URL to the service. | | +| `FoundationaLLM:CognitiveSearch:IndexName` | vector-index | | +| `FoundationaLLM:CognitiveSearch:Key` | Key Vault secret name: `foundationallm-cognitivesearch-key` | This is a Key Vault reference. | +| `FoundationaLLM:CognitiveSearch:MaxVectorSearchResults` | 10 | | +| `FoundationaLLM:CognitiveSearchMemorySource:BlobStorageConnection` | Key Vault secret name: `foundationallm-cognitivesearchmemorysource-blobstorageconnection` | This is a Key Vault reference. | +| `FoundationaLLM:CognitiveSearchMemorySource:BlobStorageContainer` | memory-source | | +| `FoundationaLLM:CognitiveSearchMemorySource:ConfigFilePath` | ACSMemorySourceConfig.json | | +| `FoundationaLLM:CognitiveSearchMemorySource:EndPoint` | Enter the URL to the service. | | +| `FoundationaLLM:CognitiveSearchMemorySource:IndexName` | vector-index | | +| `FoundationaLLM:CognitiveSearchMemorySource:Key` | Key Vault secret name: `foundationallm-cognitivesearchmemorysource-key` | This is a Key Vault reference. | +| `FoundationaLLM:CoreAPI:Entra:CallbackPath` | /signin-oidc | | +| `FoundationaLLM:CoreAPI:Entra:ClientId` | | | +| `FoundationaLLM:CoreAPI:Entra:ClientSecret` | Key Vault secret name: `foundationallm-coreapi-entra-clientsecret` | This is a Key Vault reference. | +| `FoundationaLLM:CoreAPI:Entra:Instance` | Enter the URL to the service. | | +| `FoundationaLLM:CoreAPI:Entra:Scopes` | Data.Read | | +| `FoundationaLLM:CoreAPI:Entra:TenantId` | | | +| `FoundationaLLM:CoreWorker:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | This is a Key Vault reference. 
| +| `FoundationaLLM:CosmosDB:ChangeFeedLeaseContainer` | leases | | +| `FoundationaLLM:CosmosDB:Containers` | Sessions, UserSessions | | +| `FoundationaLLM:CosmosDB:Database` | database | | +| `FoundationaLLM:CosmosDB:Endpoint` | Enter the URL to the service. | | +| `FoundationaLLM:CosmosDB:Key` | Key Vault secret name: `foundationallm-cosmosdb-key` | This is a Key Vault reference. | +| `FoundationaLLM:CosmosDB:MonitoredContainers` | Sessions | | +| `FoundationaLLM:DataSourceHub:DataSourceMetadata:StorageContainer` | data-sources | | +| `FoundationaLLM:DataSourceHub:StorageManager:BlobStorage:ConnectionString` | Key Vault secret name: `foundationallm-datasourcehub-storagemanager-blobstorage-connectionstring` | This is a Key Vault reference. | +| `FoundationaLLM:DataSources:AboutFoundationaLLM:BlobStorage:ConnectionString` | Key Vault secret name: `foundationallm-datasourcehub-storagemanager-blobstorage-connectionstring` | This is a Key Vault reference. | +| `FoundationaLLM:DurableSystemPrompt:BlobStorageConnection` | Key Vault secret name: `foundationallm-durablesystemprompt-blobstorageconnection` | This is a Key Vault reference. | +| `FoundationaLLM:DurableSystemPrompt:BlobStorageContainer` | system-prompt | | +| `FoundationaLLM:LangChain:CSVFile:URL` | Key Vault secret name: `foundationallm-langchain-csvfile-url` | This is a Key Vault reference. | +| `FoundationaLLM:LangChain:SQLDatabase:TestDB:Password` | Key Vault secret name: `foundationallm-langchain-sqldatabase-testdb-password` | This is a Key Vault reference. | +| `FoundationaLLM:LangChain:Summary:MaxTokens` | 4097 | | +| `FoundationaLLM:LangChain:Summary:ModelName` | gpt-35-turbo | | +| `FoundationaLLM:LangChainAPI:Key` | Key Vault secret name: `foundationallm-langchainapi-key` | This is a Key Vault reference. 
| +| `FoundationaLLM:Management:Entra:CallbackPath` | /signin-oidc | | +| `FoundationaLLM:Management:Entra:ClientId` | | | +| `FoundationaLLM:Management:Entra:ClientSecret` | Key Vault secret name: `foundationallm-management-entra-clientsecret` | This is a Key Vault reference. | +| `FoundationaLLM:Management:Entra:Instance` | Enter the URL to the service. | | +| `FoundationaLLM:Management:Entra:Scopes` | api://FoundationaLLM-Management-Auth/Data.Manage | | +| `FoundationaLLM:Management:Entra:TenantId` | | | +| `FoundationaLLM:ManagementAPI:Entra:ClientId` | | | +| `FoundationaLLM:ManagementAPI:Entra:ClientSecret` | Key Vault secret name: `foundationallm-managementapi-entra-clientsecret` | This is a Key Vault reference. | +| `FoundationaLLM:ManagementAPI:Entra:Instance` | Enter the URL to the service. | | +| `FoundationaLLM:ManagementAPI:Entra:Scopes` | Data.Manage | | +| `FoundationaLLM:ManagementAPI:Entra:TenantId` | | | +| `FoundationaLLM:OpenAI:API:Endpoint` | Enter the URL to the service. | | +| `FoundationaLLM:OpenAI:API:Key` | Key Vault secret name: `foundationallm-openai-api-key` | This is a Key Vault reference. | +| `FoundationaLLM:OpenAI:API:Temperature` | 0 | | +| `FoundationaLLM:PromptHub:PromptMetadata:StorageContainer` | system-prompt | | +| `FoundationaLLM:PromptHub:StorageManager:BlobStorage:ConnectionString` | Key Vault secret name: `foundationallm-prompthub-storagemanager-blobstorage-connectionstring` | This is a Key Vault reference. | +| `FoundationaLLM:Refinement` | | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI:Key` | Key Vault secret name: `foundationallm-semantickernelapi-openai-key` | This is a Key Vault reference. 
| +| `FoundationaLLM:SemanticKernelAPI:OpenAI.ChatCompletionPromptName` | RetailAssistant.Default | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.CompletionsDeployment` | completions | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.CompletionsDeploymentMaxTokens` | 8096 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.EmbeddingsDeployment` | embeddings | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.EmbeddingsDeploymentMaxTokens` | 8191 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.Endpoint` | Enter the URL to the service. | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.CompletionsMaxTokens` | 300 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.CompletionsMinTokens` | 50 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.MemoryMaxTokens` | 3000 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.MemoryMinTokens` | 1500 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.MessagesMaxTokens` | 3000 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.MessagesMinTokens` | 100 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.PromptOptimization.SystemMaxTokens` | 1500 | | +| `FoundationaLLM:SemanticKernelAPI:OpenAI.ShortSummaryPromptName` | Summarizer.TwoWords | | +| `FoundationaLLM:APIs:VectorizationAPI:APIUrl` | | The URL of the vectorization API. | +| `FoundationaLLM:APIs:VectorizationAPI:APIKey` | Key Vault secret name: `foundationallm-apis-vectorizationapi-apikey` | The API key of the vectorization API. | +| `FoundationaLLM:APIs:VectorizationAPI:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | The connection string to the Application Insights instance used by the vectorization API. | +| `FoundationaLLM:APIs:VectorizationWorker:APIUrl` | | The URL of the vectorization worker API. 
| +| `FoundationaLLM:APIs:VectorizationWorker:APIKey` | Key Vault secret name: `foundationallm-apis-vectorizationworker-apikey` | The API key of the vectorization worker API. | +| `FoundationaLLM:APIs:VectorizationWorker:AppInsightsConnectionString` | Key Vault secret name: `foundationallm-app-insights-connection-string` | The connection string to the Application Insights instance used by the vectorization worker API. | +| `FoundationaLLM:Vectorization:VectorizationWorker` | | The settings used by each instance of the vectorization worker service. For more details, see [default vectorization worker settings](../setup-guides/vectorization/vectorization-worker.md#default-vectorization-worker-settings) | +| `FoundationaLLM:Vectorization:Queues:Embed:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-queues-connectionstring` | The connection string to the Azure Storage account used for the embed vectorization queue. | +| `FoundationaLLM:Vectorization:Queues:Extract:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-queues-connectionstring` | The connection string to the Azure Storage account used for the extract vectorization queue. | +| `FoundationaLLM:Vectorization:Queues:Index:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-queues-connectionstring` | The connection string to the Azure Storage account used for the index vectorization queue. | +| `FoundationaLLM:Vectorization:Queues:Partition:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-queues-connectionstring` | The connection string to the Azure Storage account used for the partition vectorization queue. | +| `FoundationaLLM:Vectorization:StateService:Storage:AuthenticationType` | | The authentication type used to connect to the underlying storage. Can be one of `AzureIdentity`, `AccountKey`, or `ConnectionString`. 
| +| `FoundationaLLM:Vectorization:StateService:Storage:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-state-connectionstring` | The connection string to the Azure Storage account used for the vectorization state service. | +| `FoundationaLLM:Vectorization:ResourceProviderService:Storage:AuthenticationType` | | The authentication type used to connect to the underlying storage. Can be one of `AzureIdentity`, `AccountKey`, or `ConnectionString`. | +| `FoundationaLLM:Vectorization:ResourceProviderService:Storage:ConnectionString` | Key Vault secret name: `foundationallm-vectorization-resourceprovider-storage-connectionstring` | The connection string to the Azure Storage account used for the vectorization state service. | ## Feature flags -| Key | Default Value | Description | -| --- | ------------- | ----------- | -| `FoundationaLLM-AllowAgentHint` | `false` | Used for demo purposes. If the feature is enabled, the User Portal UI displays an agent hint selector for a chat session and sends an `X-AGENT-HINT` header with the selected agent name (if applicable) to all HTTP requests to the Core API. This header flows downstream to the Agent Hub, forcing the resolver to use the specified agent. The Agent Hub only uses this header value if this feature flag is enabled, as an added protective measure. | +| Key | Default Value | Description | +| ------------------------------- | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `FoundationaLLM-AllowAgentHint` | `false` | Used for demo purposes. 
If the feature is enabled, the User Portal UI displays an agent hint selector for a chat session and sends an `X-AGENT-HINT` header with the selected agent name (if applicable) to all HTTP requests to the Core API. This header flows downstream to the Agent Hub, forcing the resolver to use the specified agent. The Agent Hub only uses this header value if this feature flag is enabled, as an added protective measure. | diff --git a/docs/operations/network-security-groups.md b/docs/operations/network-security-groups.md new file mode 100644 index 0000000000..5de17da303 --- /dev/null +++ b/docs/operations/network-security-groups.md 
@@ -0,0 +1,19 @@ +# Network Security Group Configurations + +FoundationaLLM uses Azure Virtual Networks for network segmentation. The Standard Deployment uses Network Security Groups (NSGs) to control inbound and outbound traffic. The following table lists the NSGs used in the Standard Deployment and the ports that are open by default. + +## NSG Rules + +### Application Gateway + +| Rule Name | Access | DestinationAddressPrefix | DestinationPortRange | Direction | Priority | Protocol | ProvisioningState | SourceAddressPrefix | SourcePortRange | Notes | +| ---------------------------- | ------ | ------------------------ | -------------------- | --------- | -------- | -------- | ----------------- | ------------------- | --------------- | ----------------------------------------------------------- | +| allow-internet-http-inbound | Allow | VirtualNetwork | 80 | Inbound | 128 | Tcp | Succeeded | Internet | * | Customers may restrict inbound connectivity as desired. | +| allow-internet-https-inbound | Allow | VirtualNetwork | 443 | Inbound | 132 | Tcp | Succeeded | Internet | * | Customers may restrict inbound connectivity as desired. | +| allow-gatewaymanager-inbound | Allow | * | 65200-65535 | Inbound | 148 | Tcp | Succeeded | GatewayManager | * | This rule is required by Azure and cannot be changed.[1][1] | +| allow-loadbalancer-inbound | Allow | * | * | Inbound | 164 | * | Succeeded | AzureLoadBalancer | * | This rule is required by Azure and cannot be changed.[1][1] | +| deny-all-inbound | Deny | * | * | Inbound | 4096 | * | Succeeded | * | * | Customers may modify this rule if needed (not reccomended) | + +1: For further information regarding required NSG rules for Application Gateway, please see [this article][1]. + +[1]: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#network-security-groups \ No newline at end of file 
diff --git a/docs/operations/security.md b/docs/operations/security.md index c8957601be..539b445af7 100644 --- a/docs/operations/security.md +++ b/docs/operations/security.md @@ -11,6 +11,7 @@ Maintaining the security of the Azure platform is crucial for protecting sensiti - The standard deployment: - Uses Azure Virtual Networks for network segmentation. - Implements Network Security Groups (NSGs) to control inbound and outbound traffic. + - [Network Security Rule Details](./network-security-groups.md) 3. **Data Encryption** - Wherever possible the Standard Deployment uses encryption at rest with system-managed keys.
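Review bot: in docs/deployment/app-configuration-values.md, the description for `FoundationaLLM:Vectorization:ResourceProviderService:Storage:ConnectionString` says "used for the vectorization state service", which looks copied from the `StateService:Storage:ConnectionString` row and should name the resource provider service instead. Both `AuthenticationType` rows have an empty default and do not say which of `AzureIdentity`, `AccountKey` or `ConnectionString` applies when the value is unset, or whether the matching `ConnectionString` secret is still required when `AzureIdentity` is selected; stating both would help operators who want to avoid storing a storage secret. The new `FoundationaLLM:APIs:VectorizationAPI:*` and `FoundationaLLM:APIs:VectorizationWorker:*` rows are appended after the SemanticKernelAPI rows rather than placed with the other `FoundationaLLM:APIs:` keys, which makes them easy to miss.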
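Review bot: in the new docs/operations/network-security-groups.md, the introduction promises "the NSGs used in the Standard Deployment" and control of "inbound and outbound traffic", but the only table is Application Gateway and every row has Direction `Inbound`. Either add the remaining NSGs and the outbound rules, or narrow the introduction to what the page documents. For `allow-internet-http-inbound`, the Notes cell should say whether port 80 serves plain HTTP or exists only to redirect to HTTPS, so operators can decide whether to remove it. The `ProvisioningState` column records deployment state rather than rule configuration and could be dropped. Smaller fixes: "reccomended" should be "recommended", and the file has no trailing newline.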
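Review bot: in docs/operations/security.md, the added bullet is a bare link sitting among bullets that are full sentences, and its text "Network Security Rule Details" does not match the target page's title, "Network Security Group Configurations". Consider folding the link into the preceding NSG bullet, for example "Implements Network Security Groups (NSGs) to control inbound and outbound traffic (see [Network Security Group Configurations](./network-security-groups.md))", so the reference reads as part of the statement it supports.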