From b54c7e573db3e7dd3c6c8c36be46d9a06135956a Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Fri, 26 Jul 2024 17:55:17 -0500
Subject: [PATCH 1/8] Defining a larger VNET and AKS subnets while allowing for IP space to expand

---
 deploy/standard/infra/networking-rg.bicep | 48 +++++++----------------
 1 file changed, 15 insertions(+), 33 deletions(-)

diff --git a/deploy/standard/infra/networking-rg.bicep b/deploy/standard/infra/networking-rg.bicep
index c1e6448135..690c2b9feb 100644
--- a/deploy/standard/infra/networking-rg.bicep
+++ b/deploy/standard/infra/networking-rg.bicep
@@ -1,5 +1,6 @@
 // Inputs
-param cidrVnet string = '10.220.128.0/21'
+param cidrVnet string = '10.220.128.0/18'
+param createVpnGateway bool = false
 param environmentName string
 param hubResourceGroup string
 param hubSubscriptionId string = subscription().subscriptionId
@@ -11,38 +12,19 @@ param timestamp string = utcNow()
 param allowedExternalCidr string
 
 // Locals
-@description('Private DNS Zones to link.')
-var privateDnsZone = {
- agentsvc: 'privatelink.agentsvc.azure-automation.net'
- aks: 'privatelink.${location}.azmk8s.io'
- blob: 'privatelink.blob.${environment().suffixes.storage}'
- cognitiveservices: 'privatelink.cognitiveservices.azure.com'
- configuration_stores: 'privatelink.azconfig.io'
- cosmosdb: 'privatelink.documents.azure.com'
- cr: 'privatelink.azurecr.io'
- cr_region: '${location}.privatelink.azurecr.io'
- dfs: 'privatelink.dfs.${environment().suffixes.storage}'
- eventgrid: 'privatelink.eventgrid.azure.net'
- file: 'privatelink.file.${environment().suffixes.storage}'
- monitor: 'privatelink.monitor.azure.com'
- ods: 'privatelink.ods.opinsights.azure.com'
- oms: 'privatelink.oms.opinsights.azure.com'
- openai: 'privatelink.openai.azure.com'
- queue: 'privatelink.queue.${environment().suffixes.storage}'
- search: 'privatelink.search.windows.net'
- sites: 'privatelink.azurewebsites.net'
- sql_server: 'privatelink${environment().suffixes.sqlServerHostname}'
- table: 'privatelink.table.${environment().suffixes.storage}'
- vault: 'privatelink.vaultcore.azure.net'
-}
-
-var cidrFllmAuth = cidrSubnet(cidrVnet, 26, 17) // 10.220.132.64/26
-var cidrFllmBackend = cidrSubnet(cidrVnet, 24, 1) // 10.220.129.0/24
-var cidrFllmFrontend = cidrSubnet(cidrVnet, 24, 2) // 10.220.130.0/24
-var cidrFllmOpenAi = cidrSubnet(cidrVnet, 26, 12) // 10.220.131.0/26
-var cidrFllmOps = cidrSubnet(cidrVnet, 26, 15) // 10.220.131.192/26
-var cidrFllmVec = cidrSubnet(cidrVnet, 26, 16) // 10.220.132.0/26
-var cidrNetSvc = cidrSubnet(cidrVnet, 24, 6) // 10.220.134.0/24
+var cidrFllmBackend = cidrSubnet(cidrVnet, 20, 0) // 10.220.128.0/20
+var cidrFllmFrontend = cidrSubnet(cidrVnet, 20, 1) // 10.220.144.0/20
+// var reserved20 = cidrSubnet(cidrVnet, 20, 2) // 10.220.160.0/20
+var cidrNetSvc = cidrSubnet(cidrVnet, 24, 48) // 10.220.176.0/24
+// var reserved24_0 = cidrSubnet(cidrVnet, 24, 49) // 10.220.177.0/24
+// var reserved24_1 = cidrSubnet(cidrVnet, 24, 50) // 10.220.178.0/24
+// var reserved24_2 = cidrSubnet(cidrVnet, 24, 51) // 10.220.179.0/24
+var cidrFllmAuth = cidrSubnet(cidrVnet, 26, 208) // 10.220.180.0/26
+var cidrFllmOpenAi = cidrSubnet(cidrVnet, 26, 209) // 10.220.180.64/26
+var cidrFllmOps = cidrSubnet(cidrVnet, 26, 210) // 10.220.180.128/26
+var cidrFllmVec = cidrSubnet(cidrVnet, 26, 211) // 10.220.180.192/26
+var cidrVpnGateway = cidrSubnet(cidrVnet, 26, 212) // 10.220.181.0/26
+// var reserved26 = cidrSubnet(cidrVnet, 26, 213) // 10.220.181.64/26
 
 // TODO: Use Namer FUnction from main.bicep
 var name = networkName == '' ? 'vnet-${environmentName}-${location}-net' : networkName

From b3be156f722fe7c55dcb8210f4c346dc331ee27d Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Mon, 5 Aug 2024 10:12:24 -0500
Subject: [PATCH 2/8] Expanded CIDR ranges and updated references to subnets

---
 .../azd-hooks/utility/Generate-Config.ps1 | 4 +-
 deploy/standard/infra/app-rg.bicep | 14 +--
 deploy/standard/infra/auth-rg.bicep | 4 +-
 deploy/standard/infra/networking-rg.bicep | 103 +++++++++++-------
 deploy/standard/infra/openai-rg.bicep | 4 +-
 deploy/standard/infra/storage-rg.bicep | 4 +-
 .../scripts/deploy/Generate-Config.ps1 | 4 +-
 7 files changed, 79 insertions(+), 58 deletions(-)

diff --git a/deploy/standard/azd-hooks/utility/Generate-Config.ps1 b/deploy/standard/azd-hooks/utility/Generate-Config.ps1
index 3951a549d6..c9d1e99684 100644
--- a/deploy/standard/azd-hooks/utility/Generate-Config.ps1
+++ b/deploy/standard/azd-hooks/utility/Generate-Config.ps1
@@ -377,7 +377,7 @@ $vnetName = Invoke-AndRequireSuccess "Get VNet Name" {
 
 $subnetBackend = Invoke-AndRequireSuccess "Get Backend Subnet CIDR" {
 az network vnet subnet show `
- --name "FLLMBackend" `
+ --name "aks-backend" `
 --query addressPrefix `
 --resource-group $resourceGroups.net `
 --vnet-name $vnetName `
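Review bot: This commit deletes the `privateDnsZone` variable together with its `@description`, while whatever links those zones presumably still lives further down the file, outside the hunk; if it is referenced there, this commit does not compile on its own, and 2/8 in this series re-adds the block verbatim, so the deletion should be dropped here or the two commits squashed to keep the history buildable. `createVpnGateway` (hunk at the top of the file) and `cidrVpnGateway` are introduced with no consumer visible in either hunk; if they are placeholders for a later gateway module, a `// TODO: consumed by <gateway module> once added` on each would say so, otherwise the compiler will flag the unused parameter. The literal addresses in the trailing comments only hold for the default `cidrVnet`, which is a parameter, so a maintainer sizing hub routes from them for a non-default deployment would be misled.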
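Review bot: The subnet names passed to `--name` are bare string literals that must track `networking-rg.bicep`, and the identical two-line edit is applied to a second copy of Generate-Config.ps1 (`scripts/deploy`, last hunks of this patch); this series itself shows how easily the two sides drift, since the bicep side previously declared `FLLMFrontEnd` while both scripts queried `FLLMFrontend`. Consider resolving the subnet names from the networking module's outputs, or at least defining them once in a shared variable the two scripts dot-source, so the next rename is a single edit. The `Invoke-AndRequireSuccess` script block continues outside the hunk.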
@@ -387,7 +387,7 @@ $tokens.privateIpIngressBackend = Get-CIDRHost -baseCidr $subnetBackend -hostNum
 
 $subnetFrontend = Invoke-AndRequireSuccess "Get Frontend Subnet CIDR" {
 az network vnet subnet show `
- --name "FLLMFrontend" `
+ --name "aks-frontend" `
 --query addressPrefix `
 --resource-group $resourceGroups.net `
 --vnet-name $vnetName `
diff --git a/deploy/standard/infra/app-rg.bicep b/deploy/standard/infra/app-rg.bicep
index 706a737260..324047224e 100644
--- a/deploy/standard/infra/app-rg.bicep
+++ b/deploy/standard/infra/app-rg.bicep
@@ -106,9 +106,9 @@ module network 'modules/utility/virtualNetworkData.bicep' = {
 params: {
 vnetName: vnetName
 subnetNames: [
- 'FLLMBackend'
- 'FLLMFrontend'
- 'FLLMServices'
+ 'aks-backend'
+ 'aks-frontend'
+ 'services'
 ]
 }
 }
@@ -141,8 +141,8 @@ module aksBackend 'modules/aks.bicep' = {
 opsResourceGroupName: opsResourceGroupName
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => contains([ 'aks' ], zone.key))
 resourceSuffix: '${resourceSuffix}-backend'
- subnetId: subnets.FLLMBackend.id
- subnetIdPrivateEndpoint: subnets.FLLMServices.id
+ subnetId: subnets.aks-backend.id
+ subnetIdPrivateEndpoint: subnets.services.id
 tags: tags
 }
 }
@@ -161,8 +161,8 @@ module aksFrontend 'modules/aks.bicep' = {
 opsResourceGroupName: opsResourceGroupName
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => contains([ 'aks' ], zone.key))
 resourceSuffix: '${resourceSuffix}-frontend'
- subnetId: subnets.FLLMFrontend.id
- subnetIdPrivateEndpoint: subnets.FLLMServices.id
+ subnetId: subnets.aks-frontend.id
+ subnetIdPrivateEndpoint: subnets.services.id
 tags: tags
 }
 }
diff --git a/deploy/standard/infra/auth-rg.bicep b/deploy/standard/infra/auth-rg.bicep
index dd62c63421..697053c4a0 100644
--- a/deploy/standard/infra/auth-rg.bicep
+++ b/deploy/standard/infra/auth-rg.bicep
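Review bot: `subnets.aks-backend.id` in the `aksBackend` hunk and `subnets.aks-frontend.id` in the `aksFrontend` hunk are not valid Bicep property accesses: identifiers cannot contain `-`, so the expression parses as a subtraction `subnets.aks - backend.id` and the template fails to compile. The index form is needed for hyphenated keys, `subnetId: subnets['aks-backend'].id` and `subnetId: subnets['aks-frontend'].id`; 4/8 in this series makes exactly that correction, so the two commits should be squashed to keep every commit deployable. `subnets.services.id`, whose key has no hyphen, is fine as written; the `module` bodies start outside the hunks.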
@@ -113,7 +113,7 @@ module authStore 'modules/storageAccount.bicep' = {
 logAnalyticWorkspaceId: logAnalyticsWorkspaceId
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => contains(['blob', 'dfs'], zone.key))
 resourceSuffix: resourceToken
- subnetId: '${vnetId}/subnets/FLLMAuth'
+ subnetId: '${vnetId}/subnets/auth'
 tags: tags
 containers: [
 'role-assignments'
@@ -132,7 +132,7 @@ module authKeyvault 'modules/keyVault.bicep' = {
 logAnalyticWorkspaceId: logAnalyticsWorkspaceId
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => zone.key == 'vault')
 resourceSuffix: resourceSuffix
- subnetId: '${vnetId}/subnets/FLLMAuth'
+ subnetId: '${vnetId}/subnets/auth'
 tags: tags
 }
 }
diff --git a/deploy/standard/infra/networking-rg.bicep b/deploy/standard/infra/networking-rg.bicep
index 690c2b9feb..9fabc84e7f 100644
--- a/deploy/standard/infra/networking-rg.bicep
+++ b/deploy/standard/infra/networking-rg.bicep
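Review bot: The subnet reference is rebuilt by string concatenation, `'${vnetId}/subnets/auth'`, so the subnet name is a bare literal that appears twice here and again in the `openai-rg.bicep`, `storage-rg.bicep` and (3/8) `vec-rg.bicep` hunks; nothing ties these literals to the names declared in `networking-rg.bicep`, and a mismatch only surfaces at deployment time as a private-endpoint failure rather than at compile time. `app-rg.bicep` already resolves its subnets through `modules/utility/virtualNetworkData.bicep`; using the same lookup here, or exposing the subnet ids as outputs of the networking module, would make the next rename a single edit. The enclosing `authStore` and `authKeyvault` module bodies start outside the hunks.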
@@ -12,26 +12,47 @@ param timestamp string = utcNow()
 param allowedExternalCidr string
 
 // Locals
-var cidrFllmBackend = cidrSubnet(cidrVnet, 20, 0) // 10.220.128.0/20
-var cidrFllmFrontend = cidrSubnet(cidrVnet, 20, 1) // 10.220.144.0/20
-// var reserved20 = cidrSubnet(cidrVnet, 20, 2) // 10.220.160.0/20
-var cidrNetSvc = cidrSubnet(cidrVnet, 24, 48) // 10.220.176.0/24
-// var reserved24_0 = cidrSubnet(cidrVnet, 24, 49) // 10.220.177.0/24
-// var reserved24_1 = cidrSubnet(cidrVnet, 24, 50) // 10.220.178.0/24
-// var reserved24_2 = cidrSubnet(cidrVnet, 24, 51) // 10.220.179.0/24
-var cidrFllmAuth = cidrSubnet(cidrVnet, 26, 208) // 10.220.180.0/26
-var cidrFllmOpenAi = cidrSubnet(cidrVnet, 26, 209) // 10.220.180.64/26
-var cidrFllmOps = cidrSubnet(cidrVnet, 26, 210) // 10.220.180.128/26
-var cidrFllmVec = cidrSubnet(cidrVnet, 26, 211) // 10.220.180.192/26
-var cidrVpnGateway = cidrSubnet(cidrVnet, 26, 212) // 10.220.181.0/26
-// var reserved26 = cidrSubnet(cidrVnet, 26, 213) // 10.220.181.64/26
+@description('Private DNS Zones to link.')
+var privateDnsZone = {
+ agentsvc: 'privatelink.agentsvc.azure-automation.net'
+ aks: 'privatelink.${location}.azmk8s.io'
+ blob: 'privatelink.blob.${environment().suffixes.storage}'
+ cognitiveservices: 'privatelink.cognitiveservices.azure.com'
+ configuration_stores: 'privatelink.azconfig.io'
+ cosmosdb: 'privatelink.documents.azure.com'
+ cr: 'privatelink.azurecr.io'
+ cr_region: '${location}.privatelink.azurecr.io'
+ dfs: 'privatelink.dfs.${environment().suffixes.storage}'
+ eventgrid: 'privatelink.eventgrid.azure.net'
+ file: 'privatelink.file.${environment().suffixes.storage}'
+ monitor: 'privatelink.monitor.azure.com'
+ ods: 'privatelink.ods.opinsights.azure.com'
+ oms: 'privatelink.oms.opinsights.azure.com'
+ openai: 'privatelink.openai.azure.com'
+ queue: 'privatelink.queue.${environment().suffixes.storage}'
+ search: 'privatelink.search.windows.net'
+ sites: 'privatelink.azurewebsites.net'
+ sql_server: 'privatelink${environment().suffixes.sqlServerHostname}'
+ table: 'privatelink.table.${environment().suffixes.storage}'
+ vault: 'privatelink.vaultcore.azure.net'
+}
+
+var dnsResolverSubnetCidr = cidrSubnet(cidrVnet, 28, 0) // 10.220.134.0/28
+var opsSubnetCidr = cidrSubnet(cidrVnet, 26, 1) // 10.220.128.64/26
+var servicesSubnetCidr = cidrSubnet(cidrVnet, 26, 2) // 10.220.128.128/26
+var authSubnetCidr = cidrSubnet(cidrVnet, 26, 3) // 10.220.128.192/26
+var openAiSubnetCidr = cidrSubnet(cidrVnet, 26, 4) // 10.220.129.0/26
+var storageSubnetCidr = cidrSubnet(cidrVnet, 26, 5) // 10.220.129.64/26
+var vectorizationSubnetCidr = cidrSubnet(cidrVnet, 26, 6) // 10.220.129.128/26
+var backendAksSubnetCidr = cidrSubnet(cidrVnet, 22, 1) // 10.220.132.0/22
+var frontendAksSubnetCidr = cidrSubnet(cidrVnet, 22, 4) // 10.220.140.0/22
 
 // TODO: Use Namer FUnction from main.bicep
 var name = networkName == '' ? 'vnet-${environmentName}-${location}-net' : networkName
 var subnets = [
 {
- name: 'FLLMBackend'
- addressPrefix: cidrFllmBackend
+ name: 'aks-backend'
+ addressPrefix: backendAksSubnetCidr
 inbound: [
 {
 access: 'Allow'
@@ -52,8 +73,8 @@ var subnets = [
 ]
 }
 {
- name: 'FLLMFrontEnd'
- addressPrefix: cidrFllmFrontend
+ name: 'aks-frontend'
+ addressPrefix: frontendAksSubnetCidr
 inbound: [
 {
 access: 'Allow'
@@ -74,8 +95,8 @@ var subnets = [
 ]
 }
 {
- name: 'FLLMNetSvc'
- addressPrefix: cidrNetSvc
+ name: 'dns-resolver'
+ addressPrefix: dnsResolverSubnetCidr
 rules: {
 inbound: [
 {
@@ -100,8 +121,8 @@ var subnets = [
 ]
 }
 {
- name: 'FLLMOpenAI'
- addressPrefix: cidrFllmOpenAi
+ name: 'openai'
+ addressPrefix: openAiSubnetCidr
 rules: {
 inbound: [
 {
@@ -133,7 +154,7 @@ var subnets = [
 protocol: '*'
 sourcePortRange: '*'
 sourceAddressPrefixes: [
- cidrFllmBackend
+ backendAksSubnetCidr
 ]
 }
 {
@@ -218,8 +239,8 @@ var subnets = [
 ]
 }
 {
- name: 'FLLMServices'
- addressPrefix: cidrSubnet(cidrVnet, 26, 13)
+ name: 'services'
+ addressPrefix: servicesSubnetCidr
 rules: {
 inbound: [
 {
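Review bot: Two of the address comments on the new subnet variables do not match what `cidrSubnet` yields for the `10.220.128.0/18` VNet declared in 1/8: `cidrSubnet(cidrVnet, 28, 0)` is `10.220.128.0/28`, not `10.220.134.0/28`, and `cidrSubnet(cidrVnet, 22, 4)` is `10.220.144.0/22`, not `10.220.140.0/22` (index 3 would be 140.0). The prefixes that are actually deployed still do not overlap, so this is a documentation defect, but a maintainer deriving NSG rules or hub routes from these comments would get the wrong ranges. Either correct the two comments, e.g. `var frontendAksSubnetCidr = cidrSubnet(cidrVnet, 22, 4) // 10.220.144.0/22 for the default cidrVnet`, or drop the literal addresses and keep only the index and prefix length, since `cidrVnet` is a parameter and the literals hold only for its default. The `var subnets` array that starts in this hunk continues through the rest of the file.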
@@ -230,7 +251,7 @@ var subnets = [
 priority: 256
 protocol: '*'
 sourcePortRange: '*'
- sourceAddressPrefixes: [cidrFllmBackend]
+ sourceAddressPrefixes: [backendAksSubnetCidr]
 }
 {
 access: 'Allow'
@@ -262,8 +283,8 @@ var subnets = [
 ]
 }
 {
- name: 'FLLMStorage'
- addressPrefix: cidrSubnet(cidrVnet, 26, 14)
+ name: 'storage'
+ addressPrefix: storageSubnetCidr
 rules: {
 inbound: [
 {
@@ -274,7 +295,7 @@ var subnets = [
 priority: 128
 protocol: '*'
 sourcePortRange: '*'
- sourceAddressPrefixes: [cidrFllmOps]
+ sourceAddressPrefixes: [opsSubnetCidr]
 }
 {
 access: 'Allow'
@@ -294,7 +315,7 @@ var subnets = [
 name: 'allow-aks-inbound'
 priority: 256
 protocol: '*'
- sourceAddressPrefixes: [cidrFllmBackend]
+ sourceAddressPrefixes: [backendAksSubnetCidr]
 sourcePortRange: '*'
 }
 {
@@ -329,8 +350,8 @@ var subnets = [
 ]
 }
 {
- name: 'ops' // TODO: PLEs. Maybe put these in FLLMServices?
- addressPrefix: cidrFllmOps
+ name: 'ops' // TODO: PLEs. Maybe put these in services?
+ addressPrefix: opsSubnetCidr
 rules: {
 inbound: [
 {
@@ -341,7 +362,7 @@ var subnets = [
 priority: 128
 protocol: '*'
 sourcePortRange: '*'
- sourceAddressPrefixes: [cidrFllmOps]
+ sourceAddressPrefixes: [opsSubnetCidr]
 }
 {
 access: 'Allow'
@@ -362,8 +383,8 @@ var subnets = [
 protocol: '*'
 sourcePortRange: '*'
 sourceAddressPrefixes: [
- cidrFllmFrontend
- cidrFllmBackend
+ frontendAksSubnetCidr
+ backendAksSubnetCidr
 ]
 }
 {
@@ -386,8 +407,8 @@ var subnets = [
 ]
 }
 {
- name: 'Vectorization'
- addressPrefix: cidrFllmVec
+ name: 'vectorization'
+ addressPrefix: vectorizationSubnetCidr
 rules: {
 inbound: [
 {
@@ -407,7 +428,7 @@ var subnets = [
 name: 'allow-aks-inbound'
 priority: 256
 protocol: '*'
- sourceAddressPrefixes: [cidrFllmBackend]
+ sourceAddressPrefixes: [backendAksSubnetCidr]
 sourcePortRange: '*'
 }
 {
@@ -443,8 +464,8 @@ var subnets = [
 ]
 }
 {
- name: 'FLLMAuth'
- addressPrefix: cidrFllmAuth
+ name: 'auth'
+ addressPrefix: authSubnetCidr
 rules: {
 inbound: [
 {
@@ -455,7 +476,7 @@ var subnets = [
 priority: 128
 protocol: '*'
 sourcePortRange: '*'
- sourceAddressPrefixes: [cidrFllmOps]
+ sourceAddressPrefixes: [opsSubnetCidr]
 }
 {
 access: 'Allow'
@@ -475,7 +496,7 @@ var subnets = [
 name: 'allow-aks-inbound'
 priority: 256
 protocol: '*'
- sourceAddressPrefixes: [cidrFllmBackend]
+ sourceAddressPrefixes: [backendAksSubnetCidr]
 sourcePortRange: '*'
 }
 {
diff --git a/deploy/standard/infra/openai-rg.bicep b/deploy/standard/infra/openai-rg.bicep
index 4b659ef31e..05e71f2e88 100644
--- a/deploy/standard/infra/openai-rg.bicep
+++ b/deploy/standard/infra/openai-rg.bicep
@@ -61,7 +61,7 @@ module contentSafety 'modules/contentSaftey.bicep' = {
 opsResourceGroupName: opsResourceGroupName
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => zone.key == 'cognitiveservices')
 resourceSuffix: resourceSuffix
- subnetId: '${vnetId}/subnets/FLLMOpenAI'
+ subnetId: '${vnetId}/subnets/openai'
 tags: tags
 }
 }
@@ -76,7 +76,7 @@ module openai './modules/openai.bicep' = if (deployOpenAi) {
 logAnalyticWorkspaceId: logAnalyticsWorkspaceId
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => zone.key == 'openai')
 resourceSuffix: resourceSuffix
- subnetId: '${vnetId}/subnets/FLLMOpenAI'
+ subnetId: '${vnetId}/subnets/openai'
 tags: tags
 }
 }
diff --git a/deploy/standard/infra/storage-rg.bicep b/deploy/standard/infra/storage-rg.bicep
index 5b059b36ad..9898d6eddb 100644
--- a/deploy/standard/infra/storage-rg.bicep
+++ b/deploy/standard/infra/storage-rg.bicep
@@ -57,7 +57,7 @@ module cosmosdb 'modules/cosmosdb.bicep' = {
 logAnalyticWorkspaceId: logAnalyticsWorkspaceId
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => zone.key == 'cosmosdb')
 resourceSuffix: resourceSuffix
- subnetId: '${vnetId}/subnets/FLLMStorage'
+ subnetId: '${vnetId}/subnets/storage'
 tags: tags
 }
 }
@@ -73,7 +73,7 @@ module storage 'modules/storageAccount.bicep' = {
 logAnalyticWorkspaceId: logAnalyticsWorkspaceId
 privateDnsZones: dnsZones.outputs.idsStorage
 resourceSuffix: resourceSuffix
- subnetId: '${vnetId}/subnets/FLLMStorage'
+ subnetId: '${vnetId}/subnets/storage'
 tags: tags
 containers: [
 'resource-provider'
diff --git a/deploy/standard/scripts/deploy/Generate-Config.ps1 b/deploy/standard/scripts/deploy/Generate-Config.ps1
index 87a0e75d21..0c66d7ff43 100644
--- a/deploy/standard/scripts/deploy/Generate-Config.ps1
+++ b/deploy/standard/scripts/deploy/Generate-Config.ps1
@@ -397,7 +397,7 @@ $vnetName = Invoke-AndRequireSuccess "Get VNet Name" {
 
 $subnetBackend = Invoke-AndRequireSuccess "Get Backend Subnet CIDR" {
 az network vnet subnet show `
- --name "FLLMBackend" `
+ --name "aks-backend" `
 --query addressPrefix `
 --resource-group $resourceGroups.net `
 --vnet-name $vnetName `
@@ -407,7 +407,7 @@ $tokens.privateIpIngressBackend = Get-CIDRHost -baseCidr $subnetBackend -hostNum
 
 $subnetFrontend = Invoke-AndRequireSuccess "Get Frontend Subnet CIDR" {
 az network vnet subnet show `
- --name "FLLMFrontend" `
+ --name "aks-frontend" `
 --query addressPrefix `
 --resource-group $resourceGroups.net `
 --vnet-name $vnetName `

From 879f60a1a4d28b91f85fad59ab511c9ce3c0f32d Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Mon, 5 Aug 2024 10:16:41 -0500
Subject: [PATCH 3/8] Expanded CIDR ranges and updated references to subnets

---
 deploy/standard/infra/vec-rg.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/standard/infra/vec-rg.bicep b/deploy/standard/infra/vec-rg.bicep
index 56c5fea0d2..de70c4d15c 100644
--- a/deploy/standard/infra/vec-rg.bicep
+++ b/deploy/standard/infra/vec-rg.bicep
@@ -56,7 +56,7 @@ module search 'modules/search.bicep' = {
 logAnalyticsWorkspaceId: logAnalyticsWorkspaceId
 resourceSuffix: resourceSuffix
 tags: tags
- subnetId: '${vnetId}/subnets/Vectorization'
+ subnetId: '${vnetId}/subnets/vectorization'
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => zone.key == 'search')
 }
 }

From 6192b5e5270266b088861a6b7642073ae24c9256 Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Tue, 6 Aug 2024 07:39:03 -0500
Subject: [PATCH 4/8] Updating CIDR range to remove resolver subnet

---
 deploy/standard/infra/app-rg.bicep | 4 +-
 .../standard/infra/modules/vnet-peering.bicep | 2 +-
 deploy/standard/infra/networking-rg.bicep | 44 ++++---------------
 3 files changed, 11 insertions(+), 39 deletions(-)

diff --git a/deploy/standard/infra/app-rg.bicep b/deploy/standard/infra/app-rg.bicep
index 324047224e..5e28b45075 100644
--- a/deploy/standard/infra/app-rg.bicep
+++ b/deploy/standard/infra/app-rg.bicep
@@ -141,7 +141,7 @@ module aksBackend 'modules/aks.bicep' = {
 opsResourceGroupName: opsResourceGroupName
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => contains([ 'aks' ], zone.key))
 resourceSuffix: '${resourceSuffix}-backend'
- subnetId: subnets.aks-backend.id
+ subnetId: subnets['aks-backend'].id
 subnetIdPrivateEndpoint: subnets.services.id
 tags: tags
 }
@@ -161,7 +161,7 @@ module aksFrontend 'modules/aks.bicep' = {
 opsResourceGroupName: opsResourceGroupName
 privateDnsZones: filter(dnsZones.outputs.ids, (zone) => contains([ 'aks' ], zone.key))
 resourceSuffix: '${resourceSuffix}-frontend'
- subnetId: subnets.aks-frontend.id
+ subnetId: subnets['aks-frontend'].id
 subnetIdPrivateEndpoint: subnets.services.id
 tags: tags
 }
diff --git a/deploy/standard/infra/modules/vnet-peering.bicep b/deploy/standard/infra/modules/vnet-peering.bicep
index e645596272..2b761b831d 100644
--- a/deploy/standard/infra/modules/vnet-peering.bicep
+++ b/deploy/standard/infra/modules/vnet-peering.bicep
@@ -10,7 +10,7 @@ resource main 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {
 }
 
 resource destinationToSourcePeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2024-01-01' = {
- name: 'hub-to-vnet'
+ name: vnetName
 parent: main
 properties: {
 allowVirtualNetworkAccess: allowVirtualNetworkAccess
diff --git a/deploy/standard/infra/networking-rg.bicep b/deploy/standard/infra/networking-rg.bicep
index 9fabc84e7f..0b7483403b 100644
--- a/deploy/standard/infra/networking-rg.bicep
+++ b/deploy/standard/infra/networking-rg.bicep
@@ -1,6 +1,5 @@
 // Inputs
-param cidrVnet string = '10.220.128.0/18'
-param createVpnGateway bool = false
+param cidrVnet string = '10.220.128.0/20'
 param environmentName string
 param hubResourceGroup string
 param hubSubscriptionId string = subscription().subscriptionId
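Review bot: Renaming the hub-side peering from the fixed `'hub-to-vnet'` to `vnetName` changes the resource's identity, so an environment that was already deployed keeps its old `hub-to-vnet` peering in the hub (an incremental deployment does not remove it), and the hub will most likely reject a second peering to the same remote VNet until the stale one is deleted by hand; that upgrade step is not mentioned in the commit. A one-line comment on the rename would record the intent and the migration cost, e.g. `// named after the spoke so several spokes can peer to one hub; pre-existing 'hub-to-vnet' peerings must be removed manually`. The declaration of `vnetName` and the remainder of the `properties` block are outside the hunk, so whether the name is validated against the peered VNet cannot be checked here.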
@@ -37,15 +36,14 @@ var privateDnsZone = {
 vault: 'privatelink.vaultcore.azure.net'
 }
 
-var dnsResolverSubnetCidr = cidrSubnet(cidrVnet, 28, 0) // 10.220.134.0/28
-var opsSubnetCidr = cidrSubnet(cidrVnet, 26, 1) // 10.220.128.64/26
-var servicesSubnetCidr = cidrSubnet(cidrVnet, 26, 2) // 10.220.128.128/26
-var authSubnetCidr = cidrSubnet(cidrVnet, 26, 3) // 10.220.128.192/26
-var openAiSubnetCidr = cidrSubnet(cidrVnet, 26, 4) // 10.220.129.0/26
-var storageSubnetCidr = cidrSubnet(cidrVnet, 26, 5) // 10.220.129.64/26
-var vectorizationSubnetCidr = cidrSubnet(cidrVnet, 26, 6) // 10.220.129.128/26
+var opsSubnetCidr = cidrSubnet(cidrVnet, 26, 0) // 10.220.128.0/26
+var servicesSubnetCidr = cidrSubnet(cidrVnet, 26, 1) // 10.220.128.64/26
+var authSubnetCidr = cidrSubnet(cidrVnet, 26, 2) // 10.220.128.128/26
+var openAiSubnetCidr = cidrSubnet(cidrVnet, 26, 3) // 10.220.128.192/26
+var storageSubnetCidr = cidrSubnet(cidrVnet, 26, 4) // 10.220.129.0/26
+var vectorizationSubnetCidr = cidrSubnet(cidrVnet, 26, 5) // 10.220.129.64/26
 var backendAksSubnetCidr = cidrSubnet(cidrVnet, 22, 1) // 10.220.132.0/22
-var frontendAksSubnetCidr = cidrSubnet(cidrVnet, 22, 4) // 10.220.140.0/22
+var frontendAksSubnetCidr = cidrSubnet(cidrVnet, 22, 2) // 10.220.140.0/22
 
 // TODO: Use Namer FUnction from main.bicep
 var name = networkName == '' ? 'vnet-${environmentName}-${location}-net' : networkName
@@ -94,32 +92,6 @@ var subnets = [
 }
 ]
 }
- {
- name: 'dns-resolver'
- addressPrefix: dnsResolverSubnetCidr
- rules: {
- inbound: [
- {
- access: 'Allow'
- destinationAddressPrefix: 'VirtualNetwork'
- destinationPortRange: '*'
- name: 'allow-vpn'
- priority: 256
- protocol: '*'
- sourcePortRange: '*'
- sourceAddressPrefixes: [allowedExternalCidr]
- }
- ]
- }
- delegations: [
- {
- name: 'Microsoft.Network/dnsResolvers'
- properties: {
- serviceName: 'Microsoft.Network/dnsResolvers'
- }
- }
- ]
- }
 {
 name: 'openai'
 addressPrefix: openAiSubnetCidr

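Review bot: The comment on `frontendAksSubnetCidr` is stale: with the VNet now `10.220.128.0/20`, `cidrSubnet(cidrVnet, 22, 2)` evaluates to `10.220.136.0/22`, not `10.220.140.0/22` (index 3 would be 140.0), so the line should read `var frontendAksSubnetCidr = cidrSubnet(cidrVnet, 22, 2) // 10.220.136.0/22`. The deployed ranges still do not overlap the /26 block at index 0 or the backend /22, so this is documentation only, but the literals are only true for the default `cidrVnet` and are easy to read as the configured values. With the `dns-resolver` subnet removed in the second hunk, the `allow-vpn` rule was the only visible consumer of `allowedExternalCidr`; if no other rule in the rest of the file uses it, the still-required `param allowedExternalCidr string` has become dead input and should be removed or given a default rather than left as an inbound-allow-list parameter that no longer allows anything.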
From ec04462e0f40bcac6d5117d51b84381e910c59ba Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Tue, 6 Aug 2024 07:55:14 -0500
Subject: [PATCH 5/8] Correcting secret name

---
 deploy/standard/config/appconfig.template.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deploy/standard/config/appconfig.template.json b/deploy/standard/config/appconfig.template.json
index 9acd5dd35a..b28cf4e246 100644
--- a/deploy/standard/config/appconfig.template.json
+++ b/deploy/standard/config/appconfig.template.json
@@ -289,7 +289,7 @@
 },
 {
 "key": "FoundationaLLM:APIEndpoints:GatekeeperIntegrationAPI:Essentials:APIKey",
- "value": "{\"uri\":\"{{keyvaultUri}}secrets/foundationallm-apiendpoints-gatekeeperintergrationapi-apikey\"}",
+ "value": "{\"uri\":\"{{keyvaultUri}}secrets/foundationallm-apiendpoints-gatekeeperintegrationapi-apikey\"}",
 "label": null,
 "content_type": "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8",
 "tags": {}
@@ -464,7 +464,7 @@
 },
 {
 "key": "FoundationaLLM:APIEndpoints:StateAPI:Essentials:APIKey",
- "value": "{\"uri\":\"{{keyvaultUri}}secrets/foundationallm-apinedpoints-stateapi-apikey\"}",
+ "value": "{\"uri\":\"{{keyvaultUri}}secrets/foundationallm-apiendpoints-stateapi-apikey\"}",
 "label": null,
 "content_type": "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8",
 "tags": {}

From 91acea82e62d25a3db36f50379dc68f99aa0a027 Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Tue, 6 Aug 2024 14:30:25 -0500
Subject: [PATCH 6/8] Updating Agent definition

---
 .../FoundationaLLM.template.json | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/deploy/standard/data/resource-provider/FoundationaLLM.Agent/FoundationaLLM.template.json b/deploy/standard/data/resource-provider/FoundationaLLM.Agent/FoundationaLLM.template.json
index 7f90e64779..760af4b62e 100644
--- a/deploy/standard/data/resource-provider/FoundationaLLM.Agent/FoundationaLLM.template.json
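Review bot: The two corrected Key Vault reference URIs (`foundationallm-apiendpoints-gatekeeperintegrationapi-apikey` and `foundationallm-apiendpoints-stateapi-apikey`) only work if the deployment writes the secrets into the vault under exactly these names, and that side is not part of this commit, so it should be confirmed against the secret-population step. An environment provisioned before this fix has the secrets stored under the misspelled names, so after the App Configuration template is re-applied the references will resolve to a missing secret and the two APIs will fail API-key validation at runtime rather than at deployment time; an upgrade note, or a one-off step that copies the secrets to the corrected names, would avoid that. The same template is touched again in 8/8, so the two could reasonably ship together.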
+++ b/deploy/standard/data/resource-provider/FoundationaLLM.Agent/FoundationaLLM.template.json
@@ -15,17 +15,8 @@
 },
 "orchestration_settings": {
 "orchestrator": "LangChain",
- "agent_parameters": null,
- "endpoint_configuration": {
- "auth_type": "token",
- "provider": "microsoft",
- "endpoint": "{{openAiEndpointUri}}",
- "api_version": "2024-02-01"
- },
- "model_parameters": {
- "temperature": 0,
- "deployment_name": "completions"
- }
+ "agent_parameters": null
 },
+ "ai_model_object_id": "/instances/{{instanceId}}/providers/FoundationaLLM.AIModel/aiModels/DefaultCompletionAIModel",
 "prompt_object_id": "/instances/{{instanceId}}/providers/FoundationaLLM.Prompt/prompts/FoundationaLLM"
 }
\ No newline at end of file

From c907dcac53af4733b6f69173ada926c4362f86cb Mon Sep 17 00:00:00 2001
From: Matthew Alan Gray
Date: Tue, 6 Aug 2024 14:53:18 -0500
Subject: [PATCH 7/8] Updating output variable name

---
 deploy/standard/infra/main.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/standard/infra/main.bicep b/deploy/standard/infra/main.bicep
index 705ba4d2d3..f88b01bbb0 100644
--- a/deploy/standard/infra/main.bicep
+++ b/deploy/standard/infra/main.bicep
@@ -247,7 +247,7 @@ output FLLM_MGMT_API_HOSTNAME string = managementApiHostname
 
 output FOUNDATIONALLM_VNET_NAME string = networking.outputs.vnetName
 output FOUNDATIONALLM_VNET_ID string = networking.outputs.vnetId
-output FOUNDATIONALLM_HUB_VNET_NAME string = networking.outputs.hubVnetId
+output FOUNDATIONALLM_HUB_VNET_ID string = networking.outputs.hubVnetId
 
 output SERVICE_GATEKEEPER_API_ENDPOINT_URL string = 'http://gatekeeper-api/gatekeeper/'
 output SERVICE_GATEKEEPER_INTEGRATION_API_ENDPOINT_URL string = 'http://gatekeeper-integration-api/gatekeeperintegration'

From 90a4c744b5efabbf1613fe8278cc12f9eefa4359 Mon Sep 17 00:00:00 2001
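Review bot: Dropping `endpoint_configuration` and `model_parameters` (the `temperature: 0` and `deployment_name: "completions"` settings) moves the agent's entire model binding onto the referenced `DefaultCompletionAIModel` resource, which this commit neither adds nor shows; if that AIModel template does not carry the same temperature and deployment name, the agent's behaviour changes silently with nothing in this diff to flag it. Worth confirming that the `FoundationaLLM.AIModel` resource-provider template exists in the same deployment data set and is applied before the agent definition, and naming it in the commit message. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.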
From: Matthew Alan Gray
Date: Tue, 6 Aug 2024 17:02:11 -0500
Subject: [PATCH 8/8] Resolving issue with State API endpoint URL

---
 deploy/standard/config/appconfig.template.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/standard/config/appconfig.template.json b/deploy/standard/config/appconfig.template.json
index b28cf4e246..45d176e055 100644
--- a/deploy/standard/config/appconfig.template.json
+++ b/deploy/standard/config/appconfig.template.json
@@ -457,7 +457,7 @@
 },
 {
 "key": "FoundationaLLM:APIEndpoints:StateAPI:Essentials:APIUrl",
- "value": "http://state-api/state",
+ "value": "http://state-api",
 "label": null,
 "content_type": "",
 "tags": {}