feat: implement network policy to restrict backend API access and update DNS name handling in deployment script

Author: Abdul-Microsoft

Deployment/kubernetes/deploy.ingress.waf.yaml.template

@@ -24,6 +24,13 @@ spec:
   - host: {{ fqdn }}
     http:
       paths:
+      - path: /backend(/|$)(.*)
+        pathType: Prefix
+        backend:
+          service:
+            name: aiservice-service
+            port:
+              number: 9001
       - path: /()(.*)
         pathType: Prefix
         backend:

Deployment/kubernetes/deploy.networkpolicy.yaml.template

@@ -0,0 +1,34 @@
+# NetworkPolicy to restrict backend services (aiservice, kernelmemory) to only
+# accept traffic from within the cluster — frontend pods and internal ingress.
+# This ensures backend APIs are not directly accessible from the public internet
+# when WAF deployment mode is enabled.
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-external-to-backend
+  namespace: ns-km
+spec:
+  podSelector:
+    matchExpressions:
+    - key: app
+      operator: In
+      values:
+      - aiservice
+      - kernelmemory
+  policyTypes:
+  - Ingress
+  ingress:
+  # Allow traffic from frontend pods in the same namespace
+  - from:
+    - podSelector:
+        matchLabels:
+          app: frontapp
+  # Allow traffic from ingress controller namespace (app-routing-system)
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: app-routing-system
+  # Allow traffic from within the ns-km namespace (inter-service communication)
+  - from:
+    - podSelector: {}

Deployment/resourcedeployment.ps1

@@ -739,14 +739,21 @@ try {
     #  6-1. Get Az Network resource Name with the public IP address
     Write-Host "Assign DNS Name to the public IP address" -ForegroundColor Green
     $publicIpName=$(az network public-ip list --resource-group $aksResourceGroupName --query "[?ipAddress=='$externalIP'].name" --output tsv)
-    #  6-2. Generate Unique backend API fqdn Name - esgdocanalysis-3 digit random number with padding 0
-    $dnsName = "kmgs$($(Get-Random -Minimum 0 -Maximum 9999).ToString("D4"))"
-    
-    # Validate if the AKS Resource Group Name, Public IP name and DNS Name are provided
+    #  6-2. Reuse existing DNS name if already assigned, otherwise generate a new one
+    # Validate if the AKS Resource Group Name and Public IP name are provided
     ValidateVariableIsNullOrEmpty -variableValue $aksResourceGroupName -variableName "AKS Resource Group name"  
 
     ValidateVariableIsNullOrEmpty -variableValue $publicIpName -variableName "Public IP name" 
 
+    $existingDnsName = az network public-ip show --resource-group $aksResourceGroupName --name $publicIpName --query "dnsSettings.domainNameLabel" --output tsv 2>$null
+    if ($existingDnsName) {
+        Write-Host "Reusing existing DNS name: $existingDnsName" -ForegroundColor Yellow
+        $dnsName = $existingDnsName
+    } else {
+        $dnsName = "kmgs$($(Get-Random -Minimum 0 -Maximum 9999).ToString("D4"))"
+        Write-Host "Generated new DNS name: $dnsName" -ForegroundColor Green
+    }
+
     ValidateVariableIsNullOrEmpty -variableValue $dnsName -variableName "DNS Name" 
 
     #  6-3. Assign DNS Name to the public IP address
@@ -1028,7 +1035,7 @@ try {
         kubectl apply -f "./kubernetes/deploy.ingress.internal.yaml.template" -n $kubenamespace
 
         # Deploy network policies to restrict backend traffic to internal only
-        kubectl apply -f "./kubernetes/deploy.networkpolicy.yaml" -n $kubenamespace
+        kubectl apply -f "./kubernetes/deploy.networkpolicy.yaml.template" -n $kubenamespace
 
         Write-Host "WAF network policies and internal backend ingress applied successfully." -ForegroundColor Green
     }

infra/main.bicep

@@ -967,7 +967,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:0.10.
     }
     serviceCidr: '10.20.0.0/16'
     dnsServiceIP: '10.20.0.10'
-    enablePrivateCluster: enablePrivateNetworking
+    enablePrivateCluster: false
     primaryAgentPoolProfiles: [
       {
         name: 'agentpool'