fix: Restrict public access for api endpoint

[Priyanka-Microsoft]

Purpose

• ...
  This pull request significantly enhances the network security and private networking capabilities of the Azure deployment, particularly for production/WAF scenarios. The main focus is on restricting public access to backend APIs, enabling private endpoints for all backend services, and allowing fine-grained IP security restrictions while keeping deployment (SCM) endpoints accessible. Documentation is also updated to reflect these architectural improvements.

Network Security & Private Endpoints

• All backend services (including Function App, Storage, Key Vault, Cosmos DB/PostgreSQL, OpenAI, and Search) now support private endpoints, ensuring they are only accessible through the private virtual network. The frontend remains publicly accessible, but backend APIs are restricted from public access. [1] [2] [3] [4]
• Added privatelink.azurewebsites.net to the list of private DNS zones and integrated it into the deployment, ensuring private DNS resolution for the Function App when private networking is enabled. [1] [2] [3] [4] [5]

IP Security Restrictions

• Introduced new parameters and logic to set IP security restrictions for both the main (API) site and the SCM (deployment) site, allowing public access to be blocked for APIs while deployments remain possible. These restrictions are configurable and do not apply to SCM by default. [1] [2] [3] [4] [5] [6] [7]

Network Security Group (NSG) Rules

• Updated NSG rules to explicitly allow outbound traffic from backend subnets to private endpoints and the VNet, ensuring backend services can communicate securely and efficiently within the private network.

Documentation Updates

• Expanded documentation in docs/best_practices.md and docs/LOCAL_DEPLOYMENT.md to clearly describe the new network security architecture, private endpoint usage, and the distinction between public and private access for frontend and backend services. [1] [2]

Other Improvements

• Added a SecurityControl: Ignore tag to telemetry resources to avoid unnecessary security alerts for resources that are intentionally exposed.

These changes collectively ensure that in production deployments, only the frontend is exposed to the public internet, while all backend APIs and data services are securely isolated within a private network, following best practices for Azure network security.

Does this introduce a breaking change?

• Yes
• No

How to Test

• Get the code

git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install

• Test the code

What to Check

Verify that the following are valid

• ...

Other Information