
feat: restrict backend API to private access in WAF mode #39405#608

Merged
Prajwal-Microsoft merged 4 commits into dev from feature/US-39405-waf-restrict-api-private-aks on Apr 21, 2026

Conversation

Contributor

@Abdul-Microsoft Abdul-Microsoft commented Apr 16, 2026

Purpose

  • Implement private backend access for WAF (Well-Architected Framework) deployment mode, ensuring backend APIs (aiservice, kernelmemory) are not directly exposed to the public internet.
  • Frontend acts as a server-side reverse proxy (Vite) to route API calls internally to backend services — backend has no public ingress route.
  • Add Kubernetes NetworkPolicy to restrict direct external traffic to backend pods.
  • Fix DNS name reuse on script re-runs to prevent hostname mismatch when the deployment script is re-executed.
  • Fix PDF viewer URL resolution for relative API paths in WAF mode.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • Frontend is publicly accessible via HTTPS
  • Backend is NOT directly accessible on port 9001 (should timeout)
  • Backend is NOT accessible via public /backend route (should return 404)
  • Backend is accessible only through the frontend's server-side Vite proxy (internal ClusterIP routing)
  • File upload and document retrieval working end-to-end
  • PDF document viewer renders correctly (details button)
  • NetworkPolicy deny-external-to-backend is active and enforcing traffic restrictions
  • Re-running the deployment script does not change the DNS name

Other Information

New Files

  • Deployment/kubernetes/deploy.ingress.waf.yaml.template - WAF-specific public ingress that routes frontend only (no backend route)
  • Deployment/kubernetes/deploy.networkpolicy.yaml.template - Kubernetes NetworkPolicy restricting direct external access to backend pods

Modified Files

  • App/frontend-app/vite.config.ts - Added Vite server-side proxy to forward /backend and /api requests internally to aiservice ClusterIP
  • App/frontend-app/src/components/documentViewer/iFrameComponent.tsx - Fixed PDF URL construction for relative API paths
  • Deployment/resourcedeployment.ps1 - WAF mode detection, conditional ingress template selection, frontend proxy config, DNS name reuse, NetworkPolicy deployment
  • docs/DeploymentGuide.md - Added WAF network architecture documentation with traffic flow diagram

Architecture (WAF Mode)

  • Public Ingress — Frontend only, no /backend route exists on public ingress
  • Server-Side Proxy — Vite dev server proxies /backend and /api requests internally to aiservice-service:80 via ClusterIP DNS
  • NetworkPolicy — Blocks direct external traffic to backend pods; allows only frontapp, aiservice (inter-service), and ingress controller
  • All PaaS services — Behind private endpoints (Storage, CosmosDB, OpenAI, AI Search, etc.)

Traffic Flow

Internet → Public Ingress (nginx) → Frontend (frontapp:5900)
                                         ↓ (server-side)
                                   Vite Proxy: /backend → aiservice (ClusterIP, internal only)
                                                              ↓
                                                        Azure PaaS (via Private Endpoints)

Backend from internet → NOT ROUTABLE (no public ingress route)
Direct pod access → BLOCKED by NetworkPolicy
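The two Kubernetes objects the architecture above relies on, written out as an added illustration. This is not the content of the PR's own templates (deploy.ingress.waf.yaml.template and deploy.networkpolicy.yaml.template are not shown on this page). The namespace name, the pod labels app: frontapp / app: aiservice / app: kernelmemory, the service and TLS secret names, the hostname, the ingress controller namespace label and the backend container port 9001 are all assumptions. Two points a practitioner should check before trusting the policy: a NetworkPolicy is only enforced when the cluster's network plugin implements it (on AKS that means Azure CNI with network policy enabled, Calico or Cilium); on a cluster without an enforcing plugin the API server accepts the object and it does nothing, which is why the "should timeout" check on port 9001 is the real test. And because the policy selects the backend pods with policyTypes: [Ingress], every source not listed under from is denied, so no separate default-deny object is needed for those pods.

```yaml
# Added illustration, not the PR's templates. Names, labels and ports are assumptions.
---
# Public ingress: only the frontend has a route. There is deliberately no /backend path,
# so the only way browser traffic reaches aiservice is through the frontend's server-side proxy.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontapp-public
  namespace: app                      # assumed namespace
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com             # assumed DNS label (reused on script re-runs)
      secretName: frontapp-tls        # assumed secret name
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontapp-service  # assumed service name
                port:
                  number: 5900          # frontapp port from the traffic-flow diagram
---
# Backend isolation: selects both backend deployments and allows ingress only from the
# frontend (server-side proxy), the backend pods themselves (inter-service calls) and the
# ingress controller namespace. Each entry under "from" is OR'd; anything else is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-external-to-backend
  namespace: app
spec:
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values: [aiservice, kernelmemory]   # assumed pod labels
  policyTypes:
    - Ingress                               # egress is left unrestricted here
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontapp
        - podSelector:
            matchExpressions:
              - key: app
                operator: In
                values: [aiservice, kernelmemory]
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
      ports:
        - protocol: TCP
          port: 9001                        # assumed container port behind aiservice-service:80
```

To confirm the policy is actually enforced rather than merely accepted, describe it with `kubectl describe networkpolicy deny-external-to-backend -n app`, then run a throwaway pod in another namespace (or one without the app: frontapp label) and attempt a TCP connection to the aiservice ClusterIP on port 80: with an enforcing plugin the connection hangs and times out, without one it completes, regardless of what the object says.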

Abdul-Microsoft and others added 2 commits April 10, 2026 10:54
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Implements a WAF (Well-Architected Framework) deployment mode that keeps backend APIs (aiservice/kernelmemory) off the public ingress, routing browser /backend requests through the frontend’s server-side proxy and enforcing pod-level isolation via Kubernetes NetworkPolicy. Also improves deployment idempotency by reusing an existing Public IP DNS label on reruns.

Changes:

  • Add WAF-specific public ingress template (frontend-only) and a backend-restricting NetworkPolicy.
  • Update deployment script to detect WAF mode via RG tag, choose the WAF ingress, apply NetworkPolicy, and reuse existing DNS label.
  • Add Vite proxying for /backend and /api, and update deployment guide/docs for WAF networking.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Summary per file

  • docs/DeploymentGuide.md - Documents WAF-mode network architecture and backend private-access expectations.
  • Deployment/resourcedeployment.ps1 - Detects WAF mode, reuses DNS label, selects WAF ingress template, and applies NetworkPolicy; updates frontend API base for WAF.
  • Deployment/kubernetes/deploy.networkpolicy.yaml.template - Adds NetworkPolicy intended to block direct external access to backend pods.
  • Deployment/kubernetes/deploy.ingress.waf.yaml.template - Adds WAF public ingress template that routes only to the frontend service.
  • App/frontend-app/vite.config.ts - Adds Vite proxy rules to forward /backend and /api to the internal backend service target.
  • App/frontend-app/src/components/documentViewer/iFrameComponent.tsx - Makes PDF URL construction robust for relative URLs by providing a base origin.


Inline review comment threads (collapsed on this page): Deployment/kubernetes/deploy.networkpolicy.yaml.template (2 threads), Deployment/resourcedeployment.ps1 (1 thread)
@Prajwal-Microsoft Prajwal-Microsoft merged commit 55450b2 into dev Apr 21, 2026
11 checks passed