Harden WAF backend exposure and document private ingress validation

Ashwal-Microsoft · Ashwal-Microsoft · commit 3fea684c1724 · 2026-05-06T16:48:53.000+05:30
diff --git a/azure.yaml b/azure.yaml
@@ -9,8 +9,8 @@ infra:
   module: "main"
   parameters: "main.bicepparam"
 
-metadata:
-  template: deploy-your-ai-application-in-production@1.0
+# metadata:
+#   template: deploy-your-ai-application-in-production@1.0
 
 # Pre/Post-provision automation hooks
 hooks:
diff --git a/docs/deploymentguide.md b/docs/deploymentguide.md
@@ -248,6 +248,8 @@ azd env set VM_ADMIN_USERNAME "youradminuser"
 azd env set VM_ADMIN_PASSWORD "<your-strong-password>"
 ```
 
+When `networkIsolation=true`, the deployment uses a private Azure Container Apps environment with VNet integration. In this accelerator, the backend Container App ingress is internal-only in that mode, so the backend endpoint is reachable only from inside the network boundary. The public entry point remains the frontend path published through the WAF/Application Gateway architecture.
+
 
 </details>
 
diff --git a/docs/post_deployment_steps.md b/docs/post_deployment_steps.md
@@ -193,6 +193,18 @@ When accessing Microsoft Foundry from outside the virtual network, you should se
 
 This is **expected behavior** — the resources are only accessible from within the virtual network.
 
+### Check Backend Container App Isolation
+
+For WAF or other network-isolated deployments in this repo, validate the backend Container App is not internet reachable:
+
+1. Go to **Azure Portal** → **Container Apps Environment**.
+2. Verify **Internal load balancer** is enabled and **Public network access** is disabled.
+3. Open the backend **Container App** (for this accelerator, `orchestrator`) and select **Ingress**.
+4. Verify **External ingress** is disabled. The app should only resolve through the private Container Apps environment path.
+5. Open the virtual network subnet used by the Container Apps environment and confirm the subnet NSG is attached. With the repo defaults, no explicit inbound allow rule from the public internet is added for the backend path.
+
+This is the expected WAF topology for the accelerator: the frontend remains public through the WAF/Application Gateway path, while backend Container Apps stay internal-only.
+
 ---
 
 ## 8. Connecting via Bastion (Network Isolated Deployments)
diff --git a/infra/main.bicepparam b/infra/main.bicepparam
@@ -185,7 +185,9 @@ param databaseContainersList = [
 param containerAppsList = [
   {
     name: null
-    external: true
+    // WAF deployment (networkIsolation=true): internal-only ingress — backend is not publicly accessible.
+    // Non-WAF deployment (networkIsolation=false): external ingress enabled.
+    external: !networkIsolation
     service_name: 'orchestrator'
     profile_name: 'main'
     min_replicas: 1
