Skip to content

Latest commit

 

History

History
244 lines (147 loc) · 14.9 KB

get-started-app-chat-private-endpoint.md

File metadata and controls

244 lines (147 loc) · 14.9 KB
title description ms.date ms.topic ms.subservice ms.custom ms.collection
Get started with chat private endpoints
Secure the chat app with a virtual network.
02/26/2025
get-started
intelligent-apps
devx-track-python, devx-track-python-ai, devx-track-extended-azdevcli, build-2024-intelligent-apps
ce-skilling-ai-copilot

Get started with chat private endpoints for Python

This article shows you how to deploy and run the enterprise chat app sample for Python that's accessible by private endpoints.

This sample implements a chat app by using Python, Azure OpenAI Service, and Retrieval Augmented Generation (RAG) in Azure AI Search to get answers about employee benefits at a fictitious company. The app is seeded with PDF files that include the employee handbook, a benefits document, and a list of company roles and expectations.

By following the instructions in this article, you:

  • Deploy a chat app to Azure for public access in a web browser.
  • Redeploy a chat app with private endpoints.

After you finish this procedure, you can start modifying the new project with your custom code and redeploy, knowing that your chat app is accessible only through the private network.

Architectural overview

The default deployment creates a chat app with public endpoints.

:::image type="content" source="media/get-started-app-chat-private-endpoints/simple-architecture-diagram-chat-app.png" lightbox="media/get-started-app-chat-private-endpoints/simple-architecture-diagram-chat-app.png" alt-text="Diagram that shows the network architecture of a basic RAG chat app.":::

For chat apps enriched with private data, securing access to your chat app is crucial. This article presents a solution by using a virtual network.

:::image type="content" source="media/get-started-app-chat-private-endpoints/diagram-vnet.png" lightbox="media/get-started-app-chat-private-endpoints/diagram-vnet.png" alt-text="Diagram that shows network architecture with all services inside an Azure virtual network.":::

Within the virtual network, there's a separate subnet for the Azure App Service app versus the other back-end Azure services. This structure makes it easy to apply different network security group rules to each subnet.

:::image type="content" source="media/get-started-app-chat-private-endpoints/diagram-subnets.png" lightbox="media/get-started-app-chat-private-endpoints/diagram-subnets.png" alt-text="Diagram that shows a chat app subnet and a back-end subnet within the virtual network.":::

Within the virtual network, the services use private endpoints to communicate with each other. Each private endpoint is associated with a private Domain Name System (DNS) zone to resolve the private endpoint's name to an IP address within the virtual network.

:::image type="content" source="media/get-started-app-chat-private-endpoints/diagram-private-endpoint-openai.png" lightbox="media/get-started-app-chat-private-endpoints/diagram-private-endpoint-openai.png" alt-text="Diagram that shows the private endpoint and private DNS zone for Azure OpenAI within the virtual network.":::

Deployment steps

We recommend that you deploy the solution twice. Deploy once with public access to validate that the chat app is working correctly. Deploy again with private access to secure your chat app by using a virtual network.

Prerequisites

A development container environment is available with all dependencies that are required to finish this article. You can run the development container in GitHub Codespaces (in a browser) or locally by using Visual Studio Code.

To use this article, you need the following prerequisites.

Codespaces (recommended)

Visual Studio Code

Open development environment

Begin now with a development environment that has all the dependencies installed to complete this article.

GitHub Codespaces (recommended)

GitHub Codespaces runs a development container managed by GitHub with Visual Studio Code for the Web as the user interface. For the most straightforward development environment, use GitHub Codespaces so that you have the correct developer tools and dependencies preinstalled to complete this article.

Important

All GitHub accounts can use GitHub Codespaces for up to 60 hours free each month with two core instances. For more information, see GitHub Codespaces monthly included storage and core hours.

  1. Start the process to create a new GitHub codespace on the main branch of the Azure-Samples/azure-search-openai-demo GitHub repository.

  2. Right-click the following button, and select Open link in new windows to have the development environment and the documentation available at the same time.

    Open in GitHub Codespaces.

  3. On the Create codespace page, review the codespace configuration settings, and then select Create codespace.

    :::image type="content" source="./media/get-started-app-chat-private-endpoints/github-create-codespace.png" lightbox="./media/get-started-app-chat-private-endpoints/github-create-codespace.png" alt-text="Screenshot that shows the confirmation screen before you create a new codespace.":::

  4. Wait for the codespace to start. This startup process can take a few minutes.

  5. In the terminal at the bottom of the screen, sign in to Azure with the Azure Developer CLI:

    azd auth login

  6. Copy the code from the terminal and then paste it into a browser. Follow the instructions to authenticate with your Azure account.

The remaining tasks in this article take place in the context of this development container.

Visual Studio Code

The Dev Containers extension for Visual Studio Code requires Docker to be installed on your local machine. The extension hosts the development container locally by using the Docker host with the correct developer tools and dependencies preinstalled to complete this article.

  1. Create a new local directory on your computer for the project:

    mkdir my-intelligent-app && cd my-intelligent-app

  2. Open Visual Studio Code in that directory:

    code .

  3. Open a new terminal in Visual Studio Code.

  4. Run the following AZD command to bring the GitHub repository to your local computer:

    azd init -t azure-search-openai-demo

  5. Open the Command palette, and search for and select Dev Containers: Open Folder in Container to open the project in a dev container. Wait until the dev container opens before you continue.

  6. Sign in to Azure with the Azure Developer CLI:

    azd auth login

  7. Copy the code from the terminal and then paste it into a browser. Follow the instructions to authenticate with your Azure account.

The remaining exercises in this project take place in the context of this development container.

Custom settings

This solution configures and deploys the infrastructure based on custom settings configured with the Azure Developer CLI. The following table explains the custom settings for this solution.

Setting Description
AZURE_PUBLIC_NETWORK_ACCESS Controls the value of public network access on supported Azure resources. Valid values are Enabled or Disabled.
AZURE_USE_PRIVATE_ENDPOINT Controls deployment of private endpoints, which connect Azure resources to the virtual network. The TRUE value means that private endpoints are deployed for connectivity.

Deploy the chat app

The first deployment creates the resources and provides a publicly accessible endpoint.

  1. Run the following command to configure this solution for public access:

    azd env set AZURE_PUBLIC_NETWORK_ACCESS Enabled

    When you're asked for an environment name, remember that the environment name is used to create the resource group. Enter a meaningful name. If you're on a team or in an organization, include your name, as in morgan-chat-private-endpoints. Make note of the environment name. You need it later to find the resources in the Azure portal.

  2. Run the following command to include provisioning the virtual network resources. Remember that the deployment doesn't restrict access until the second deployment.

    azd env set AZURE_USE_PRIVATE_ENDPOINT true

  3. Deploy the solution with the following command:

    azd up

    Provisioning resources is the most time-consuming part of the deployment process. Wait for the deployment to finish before you continue.

  4. At the end of the deployment process, the app endpoint appears. Copy that endpoint into a browser to open the chat app. Select one of the questions on the cards and then wait for the answer.

    Make note of the endpoint URL because you need it again later in the article.

Deploy the chat app to Azure with private access

Change the deployment configuration to secure the chat app for private access.

  1. Run the following command to turn off public access:

    azd env set AZURE_PUBLIC_NETWORK_ACCESS Disabled

  2. Run the following command to change the resource configuration. This command doesn't redeploy the application code because that code hasn't changed.

    azd provision

  3. After the provisioning finishes, open the chat app in a browser again. The chat app is no longer accessible because the public endpoint is disabled.

Access the chat app

To access the chat app, use a tool such as Azure VPN Gateway or Azure Virtual Desktop. Remember that any tool you use to access the app must be secure and compliant with your organization's security policies.

Clean up resources

The following steps walk you through the process of cleaning up the resources you used.

GitHub Codespaces

Deleting the GitHub Codespaces environment ensures that you can maximize the amount of free per-core hours entitlement that you get for your account.

Important

For more information about your GitHub account's entitlements, see GitHub Codespaces monthly included storage and core hours.

  1. Sign in to the GitHub Codespaces dashboard.

  2. Locate your currently running codespaces that are sourced from the Azure-Samples/azure-search-openai-demo GitHub repository.

    :::image type="content" source="./media/get-started-app-chat-private-endpoints/github-codespace-dashboard.png" lightbox="./media/get-started-app-chat-private-endpoints/github-codespace-dashboard.png" alt-text="Screenshot that shows all the running codespaces including their status and templates.":::

  3. Open the context menu for the codespace and then select Delete.

    :::image type="content" source="./media/get-started-app-chat-private-endpoints/github-codespace-delete.png" lightbox="./media/get-started-app-chat-private-endpoints/github-codespace-delete.png" alt-text="Screenshot that shows the context menu for a single codespace with the Delete option highlighted.":::

Visual Studio Code

You aren't necessarily required to clean up your local environment, but you can stop the running development container and return to running Visual Studio Code in the context of a local workspace.

  1. Open the Command palette, and search for the Dev Containers commands.

  2. Select Dev Containers: Reopen Folder Locally.

    :::image type="content" source="./media/get-started-app-chat-private-endpoints/reopen-local-command-palette.png" lightbox="./media/get-started-app-chat-private-endpoints/reopen-local-command-palette.png" alt-text="Screenshot that shows the Command palette option to reopen the current folder within your local environment.":::

Tip

Visual Studio Code stops the running development container, but the container still exists in Docker in a stopped state. You always have the option to delete the container instance, container image, and volumes from Docker to free up more space on your local machine.

Get help

This sample repository offers troubleshooting information.

If your issue isn't addressed, add your issue to the repository's Issues webpage.

Related content