14 changes: 14 additions & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -54,3 +54,17 @@
/samples/typescript/quickstart/create-agent/src/quickstart-create-agent.ts @microsoft-foundry/AI-Platform-Docs
/samples/typescript/quickstart/responses/src/quickstart-responses.ts @microsoft-foundry/AI-Platform-Docs

#### Additional ownership entries (added via issue triage) ##############################################
# Routing for sample paths that were uncovered during issue triage.
# Owners chosen from CODEOWNERS pattern of peer directories and from git log of top contributors.

# TS quickstart agent-service — peer of chat-with-agent / create-agent / responses
/samples/typescript/quickstart/agent-service/ @microsoft-foundry/AI-Platform-Docs

# Infrastructure (bicep) — networked agent setup templates
/infrastructure/infrastructure-setup-bicep/01-connections/apim/ @meerakurup
/infrastructure/infrastructure-setup-bicep/15-private-network-standard-agent-setup/ @haflidif
/infrastructure/infrastructure-setup-bicep/16-private-network-standard-agent-apim-setup/ @meerakurup

# Infrastructure (terraform) — BYO-VNet variant
/infrastructure/infrastructure-setup-terraform/15b-private-network-standard-agent-setup-byovnet/ @deeikele
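Review bot: the three new infrastructure entries route review to individual accounts (`@meerakurup`, `@haflidif`, `@deeikele`) while every other pattern in this file uses the team alias `@microsoft-foundry/AI-Platform-Docs`; for templates that ship behind a public Deploy-to-Azure button a single human owner means reviews stall when that person is out and the required-review protection silently lapses if they leave the org, so prefer a team alias, or list the team alongside the person. The terraform entry also covers only `15b-private-network-standard-agent-setup-byovnet/`; confirm that the new basic-agent Terraform template added in this PR falls under a covered path, otherwise add an entry for it in this block.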
Original file line number Diff line number Diff line change
@@ -40,6 +40,7 @@ This template combines:
| **AI Foundry Project** | Project with system-assigned managed identity |
| **Capability Host** | Basic agent capability host (platform-managed storage) |
| **Model Deployment** | gpt-4.1 (configurable) |
| **Azure Container Registry** *(optional)* | Premium SKU ACR with private endpoint, DNS zone (`privatelink.azurecr.io`), and AcrPull role for the project identity |


[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure-ai-foundry%2Ffoundry-samples%2Frefs%2Fheads%2Fmain%2Finfrastructure%2Finfrastructure-setup-bicep%2F11-private-network-basic-vnet%2Fmain.json)
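Review bot: the row is labelled *(optional)* but the matching `enableContainerRegistry` parameter defaults to `true`, so every default deployment of this template now provisions a Premium SKU registry plus a private endpoint and DNS zone. Either state the default in the row (for example `*(optional, enabled by default)*`) or default the parameter to `false` so opting in is explicit; Premium is the only ACR SKU that supports private endpoints, so the cost cannot be reduced by picking a smaller SKU here.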
@@ -166,6 +167,8 @@ Before deleting an **Account** resource, it is essential to first delete the ass
| `dnsZonesSubscriptionId` | Subscription ID for existing DNS zones | `''` (current sub) | No |
| `existingDnsZones` | Map of DNS zone names to resource groups | All empty (creates new) | No |
| `projectCapHost` | Name of the project capability host | `caphostproj` | No |
| `enableContainerRegistry` | When `true`, creates an Azure Container Registry (Premium SKU) with a private endpoint in the PE subnet, a `privatelink.azurecr.io` DNS zone, and an AcrPull role assignment for the project managed identity. | `true` | No |
| `developerIpCidr` | Developer IP CIDR to allowlist for ACR push access (e.g., `203.0.113.0/26`). When set, enables public network access with a deny-all default + an IP allowlist rule so developers can push images. When empty, public access remains fully disabled. | `''` | No |

#### BYO Virtual Network Details

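Review bot: the `developerIpCidr` row says the allowlist exists "so developers can push images", but the only role assignment this hunk documents is AcrPull for the project identity; a developer IP that passes the network rule still needs `AcrPush` (or a broader role) on the registry, so the row should say that RBAC for the pushing principal is out of scope, or a parameter for it should be added. It should also state plainly that a non-empty value turns the registry's public network access on (restricted to that CIDR) in a template whose purpose is private networking, so readers do not leave it set in production after onboarding.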
Original file line number Diff line number Diff line change
@@ -140,6 +140,7 @@ Note: If not provided, the following resources will be created automatically for
- Azure Cosmos DB for NoSQL
- Azure AI Search
- Azure Storage
- Azure Container Registry (Premium SKU) with private endpoint *(when `enableContainerRegistry=true`)*

#### Parameters

@@ -169,6 +170,8 @@ Note: If not provided, the following resources will be created automatically for
| `createAccountCapabilityHost` | When `true`, the template explicitly creates the account-level capability host. Leave `false` for fresh deployments — the platform auto-creates it via `networkInjections.scenario='agent'`. Set `true` only for a BYO account with no capability host, or to recreate after running `deleteCapHost.sh`. Only one capability host per account is allowed. | `false` | No |
| `dnsZonesSubscriptionId` | Subscription ID for existing DNS zones. Accepts either a bare GUID (`<subscription-id>`) or a full ARM subscription path (`/subscriptions/<subscription-id>`); the template normalizes the value internally. | `''` (current sub) | No |
| `existingDnsZones` | Map of DNS zone names to resource groups | All empty (creates new) | No |
| `enableContainerRegistry` | When `true`, creates an Azure Container Registry (Premium SKU) with a private endpoint in the PE subnet, a `privatelink.azurecr.io` DNS zone, and an AcrPull role assignment for the project managed identity. | `true` | No |
| `developerIpCidr` | Developer IP CIDR to allowlist for ACR push access (e.g., `203.0.113.0/26`). When set, enables public network access with a deny-all default + an IP allowlist rule so developers can push images. When empty, public access remains fully disabled. | `''` | No |

#### BYO Resource Details

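Review bot: the `existingDnsZones` row still reads "Map of DNS zone names to resource groups", but with `enableContainerRegistry=true` the template now also needs a `privatelink.azurecr.io` zone; say whether that zone name is an accepted key in the map. Otherwise BYO-DNS deployments (the `dnsZonesSubscriptionId` path documented two rows above) get a new `privatelink.azurecr.io` zone created in the template's resource group instead of reusing theirs, which is exactly the situation the parameter exists to avoid.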
Original file line number Diff line number Diff line change
@@ -132,6 +132,7 @@ Use the table below to choose the right infrastructure template for your scenari
Note: If not provided, the following resources will be created automatically for you:
- VNet and two subnets
- Azure Storage
- Azure Container Registry (Premium SKU) with private endpoint *(when `enableContainerRegistry=true`)*

#### Parameters

@@ -155,6 +156,8 @@ Note: If not provided, the following resources will be created automatically for
| `azureStorageAccountResourceId` | ARM Resource ID of existing Storage account | `''` (creates new) | No |
| `dnsZonesSubscriptionId` | Subscription ID for existing DNS zones | `''` (current sub) | No |
| `existingDnsZones` | Map of DNS zone names to resource groups | All empty (creates new) | No |
| `enableContainerRegistry` | When `true`, creates an Azure Container Registry (Premium SKU) with a private endpoint in the PE subnet, a `privatelink.azurecr.io` DNS zone, and an AcrPull role assignment for the project managed identity. | `true` | No |
| `developerIpCidr` | Developer IP CIDR to allowlist for ACR push access (e.g., `203.0.113.0/26`). When set, enables public network access with a deny-all default + an IP allowlist rule so developers can push images. When empty, public access remains fully disabled. | `''` | No |

#### BYO Resource Details

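Review bot: "deny-all default + an IP allowlist rule" does not name the properties being set, so a reviewer cannot audit the compiled template against the description; spell out the resulting registry configuration (`publicNetworkAccess: Enabled`, `networkRuleSet.defaultAction: Deny`, one `networkRuleSet.ipRules` entry carrying the CIDR) and state that with the parameter empty `publicNetworkAccess` stays `Disabled`. Those are the standard `Microsoft.ContainerRegistry/registries` properties, so naming them also lets users verify the deployed resource with a single `az acr show`.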
Original file line number Diff line number Diff line change
@@ -136,6 +136,7 @@ Note: If not provided, the following resources will be created automatically for
- Azure Cosmos DB for NoSQL
- Azure AI Search
- Azure Storage
- Azure Container Registry (Premium SKU) with private endpoint *(when `enableContainerRegistry=true`)*

**Private APIM Integration (Optional):** This template supports connecting an **existing Azure API Management service** behind a private endpoint. APIM is not created by this template — you must provide the ARM Resource ID of an existing APIM instance via the `apiManagementResourceId` parameter. When provided, a private endpoint and DNS zone for APIM (`privatelink.azure-api.net`) are created within your VNet.

@@ -164,6 +165,8 @@ Note: If not provided, the following resources will be created automatically for
| `apiManagementResourceId` | ARM Resource ID of existing API Management service | `''` (no APIM) | No |
| `dnsZonesSubscriptionId` | Subscription ID for existing DNS zones | `''` (current sub) | No |
| `existingDnsZones` | Map of DNS zone names to resource groups | All empty (creates new) | No |
| `enableContainerRegistry` | When `true`, creates an Azure Container Registry (Premium SKU) with a private endpoint in the PE subnet, a `privatelink.azurecr.io` DNS zone, and an AcrPull role assignment for the project managed identity. | `true` | No |
| `developerIpCidr` | Developer IP CIDR to allowlist for ACR push access (e.g., `203.0.113.0/26`). When set, enables public network access with a deny-all default + an IP allowlist rule so developers can push images. When empty, public access remains fully disabled. | `''` | No |

#### BYO Resource Details

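Review bot: `developerIpCidr` is singular and the example is a single `/26`; say whether it accepts exactly one CIDR. Teams with several egress ranges will otherwise widen the prefix until it fits, which defeats the allowlist. If one value is the intended design, document the alternative that needs no public rule at all: push from a build agent inside the VNet over the private endpoint this same template creates.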
Original file line number Diff line number Diff line change
@@ -135,6 +135,7 @@ Note: If not provided, the following resources will be created automatically for
- Azure Cosmos DB for NoSQL
- Azure AI Search
- Azure Storage
- Azure Container Registry (Premium SKU) with private endpoint *(when `enableContainerRegistry=true`)*

#### Parameters

@@ -160,6 +161,8 @@ Note: If not provided, the following resources will be created automatically for
| `azureCosmosDBAccountResourceId` | ARM Resource ID of existing Cosmos DB | `''` (creates new) | No |
| `dnsZonesSubscriptionId` | Subscription ID for existing DNS zones | `''` (current sub) | No |
| `existingDnsZones` | Map of DNS zone names to resource groups | All empty (creates new) | No |
| `enableContainerRegistry` | When `true`, creates an Azure Container Registry (Premium SKU) with a private endpoint in the PE subnet, a `privatelink.azurecr.io` DNS zone, and an AcrPull role assignment for the project managed identity (user-assigned identity in this template). | `true` | No |
| `developerIpCidr` | Developer IP CIDR to allowlist for ACR push access (e.g., `203.0.113.0/26`). When set, enables public network access with a deny-all default + an IP allowlist rule so developers can push images. When empty, public access remains fully disabled. | `''` | No |

#### BYO Resource Details

Original file line number Diff line number Diff line change
@@ -177,6 +177,7 @@ Note: If not provided, the following resources will be created automatically for
- Azure Cosmos DB for NoSQL
- Azure AI Search
- Azure Storage
- Azure Container Registry (Premium SKU) with private endpoint *(when `enableContainerRegistry=true`)*

#### Parameters

@@ -226,6 +227,8 @@ Note: If not provided, the following resources will be created automatically for
| `existingAzureCosmosDBAccountResourceId` | ARM Resource ID of existing Cosmos DB | `''` (creates new) | No |
| `existingFabricWorkspaceResourceId` | ARM Resource ID of existing Fabric workspace | `''` | No |
| `existingDnsZones` | Map of `'<zoneFqdn>': { subscriptionId, resourceGroup }` — see [Use existing Private DNS zones](#5-use-existing-private-dns-zones-cross-rg--cross-subscription) | All `{ subscriptionId: '', resourceGroup: '' }` (creates new) | No |
| `enableContainerRegistry` | When `true`, creates an Azure Container Registry (Premium SKU) with a private endpoint in the PE subnet, a `privatelink.azurecr.io` DNS zone, and an AcrPull role assignment for the project managed identity. | `true` | No |
| `developerIpCidr` | Developer IP CIDR to allowlist for ACR push access (e.g., `203.0.113.0/26`). When set, enables public network access with a deny-all default + an IP allowlist rule so developers can push images. When empty, public access remains fully disabled. | `''` | No |

> **Naming change (May 2026):** `aiSearchResourceId`, `azureStorageAccountResourceId`, `azureCosmosDBAccountResourceId`, and `fabricWorkspaceResourceId` were renamed to `existingAiSearchResourceId`, `existingAzureStorageAccountResourceId`, `existingAzureCosmosDBAccountResourceId`, and `existingFabricWorkspaceResourceId` for consistency with the `existing*ResourceId` pattern used by VNet and subnet params. Update existing parameter files accordingly.

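Review bot: every other dependent resource in this table has an `existing*ResourceId` parameter (the naming-change callout in this hunk makes that the stated pattern), but ACR can only be created, never brought; with `enableContainerRegistry` defaulting to `true`, users who already run a registry get a second Premium registry and must turn the flag off and wire their own AcrPull assignment by hand. Add an `existingContainerRegistryResourceId` parameter following the same pattern, or document the BYO gap explicitly next to the flag.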
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
# Deploy AI Foundry with Basic Agent Setup and VNet Injection

This Terraform template deploys an AI Foundry resource with a basic agent configuration using VNet injection for network isolation. This is a "basic" agent setup — it does **not** create or connect BYO resources (Azure AI Search, Storage Account, Cosmos DB). Platform-managed resources are used instead.

## Description

- Creates a virtual network with an agent subnet (delegated to `Microsoft.App/environments`) and a private endpoint subnet
- Creates an AI Foundry account with VNet injection (network injection for agents)
- Creates a private endpoint and private DNS zones for the AI Services account
- Creates an AI Foundry project with system-assigned managed identity
- Creates a capability host for the project (basic agent, no BYO resources)
- Deploys a GPT-4o model
- Optionally creates an Azure Container Registry with a private endpoint

## Architecture

```
┌─────────────────────────────────────────────────────────┐
│ Virtual Network │
│ ┌─────────────────────────┐ ┌──────────────────────┐ │
│ │ Agent Subnet │ │ PE Subnet │ │
│ │ (Microsoft.App/envs) │ │ ┌─────────────────┐ │ │
│ │ │ │ │ Private Endpoint│ │ │
│ │ │ │ │ (AI Services) │ │ │
│ │ │ │ └─────────────────┘ │ │
│ │ │ │ ┌─────────────────┐ │ │
│ │ │ │ │ Private Endpoint│ │ │
│ │ │ │ │ (ACR, optional) │ │ │
│ │ │ │ └─────────────────┘ │ │
│ └─────────────────────────┘ └──────────────────────┘ │
└─────────────────────────────────────────────────────────┘
│ │
▼ ▼
┌─────────────────────┐ ┌─────────────────────────┐
│ AI Foundry Account │ │ Private DNS Zones │
│ - GPT-4o model │ │ - cognitiveservices │
│ - Project │ │ - services.ai │
│ - Capability Host │ │ - openai │
│ (Basic Agent) │ │ - azurecr.io (optional) │
└─────────────────────┘ └─────────────────────────┘
```

## Prerequisites

- Azure CLI and Terraform installed
- Appropriate Azure permissions (Contributor + User Access Administrator, or Owner)
- Access to the VNet (VM, VPN, or ExpressRoute) to use the private Foundry resource

## Deployment

1. Navigate to the code directory:

```bash
cd code
```

2. Initialize Terraform:

```bash
terraform init
```

3. Copy and customize variables:

```bash
cp example.tfvars terraform.tfvars
# Edit terraform.tfvars with your values
```

4. Deploy:

```bash
terraform plan -var-file=terraform.tfvars
terraform apply -var-file=terraform.tfvars
```

## Important Notes

- To access your Foundry resource securely, use a VM, VPN, or ExpressRoute connected to the VNet
- Public network access is completely disabled
- The agent subnet must use RFC1918 Class B or Class C address space
- The agent subnet is delegated to `Microsoft.App/environments` for VNet injection
- This is a **basic** agent setup — for standard agent setup with BYO resources, see template `15a`

## Resources Created

- Resource Group
- Virtual Network with two subnets (agent + private endpoint)
- AI Foundry account (with public network access disabled and VNet injection)
- Private Endpoint for AI Foundry
- Private DNS Zones (cognitiveservices, services.ai, openai)
- AI Foundry Project
- Capability Host (basic agent)
- Model Deployment (GPT-4o)
- Azure Container Registry with Private Endpoint (optional)

## Documentation

- [Configure private link for AI Foundry](https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/configure-private-link)
- [Network isolation for agents](https://learn.microsoft.com/en-us/azure/ai-services/agents/concepts/networking)
- [AzAPI Provider](https://registry.terraform.io/providers/azure/azapi/latest/docs)

`Tags: Microsoft.CognitiveServices/accounts, Microsoft.Network/virtualNetworks, Microsoft.Network/privateEndpoints, Microsoft.ContainerRegistry/registries`
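Review bot: "Public network access is completely disabled" under Important Notes stops being true as soon as `developer_ip_cidr` (shown in example.tfvars) is set, because that option enables public access to the registry for that CIDR; qualify the statement. The README also has no variables section: `enable_container_registry` and `developer_ip_cidr` appear only in the tfvars, so document both here with their defaults and the network-exposure effect of the second. "RFC1918 Class B or Class C" would be clearer as the concrete ranges (`172.16.0.0/12`, `192.168.0.0/16`), and note that the model here is GPT-4o while the bicep templates in this PR list gpt-4.1 as the configurable default.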
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
location = "eastus"

# Optional
virtual_network_address_space = "192.168.0.0/16"
agent_subnet_address_prefix = "192.168.0.0/24"
private_endpoint_subnet_address_prefix = "192.168.1.0/24"

# Set to true to create an Azure Container Registry with a private endpoint
enable_container_registry = false

# Optional: Developer IP CIDR for ACR push access (only used if enable_container_registry = true)
# developer_ip_cidr = "203.0.113.0/26"
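Review bot: `enable_container_registry = false` here while the bicep counterparts in this PR default `enableContainerRegistry` to `true`; pick one default across both toolchains or call out the difference in the README, since users moving between them will otherwise get a Premium registry they did not ask for, or miss one they expected. The `developer_ip_cidr` comment should also warn that uncommenting it re-enables public network access on the registry for that CIDR, and the configuration should reject a non-empty value when `enable_container_registry = false` (a lifecycle precondition on the registry resource) rather than silently ignoring it.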