feat: Restrict backend Container App access in WAF deployment by Prajwal-Microsoft · Pull Request #939 · microsoft/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator

Prajwal-Microsoft · 2026-04-21T06:49:54Z

Purpose

When enablePrivateNetworking (WAF mode) is active, the backend Container App URL should not be exposed to the browser. This PR adds an application-layer proxy so the browser only communicates with the frontend App Service.

Changes

Infrastructure (infra/main.bicep & infra/main_custom.bicep):

Added PROXY_API_REQUESTS env var to frontend App Service (true in WAF mode)

Frontend (src/App/):

frontend_server.py: Added httpx-based reverse proxy for /api/* routes. /config returns same-origin /api URL in WAF mode so the browser never sees the Container App URL
requirements.txt: Added httpx dependency

Post-deploy scripts:

Both PowerShell and Bash scripts detect WAF mode (checks PROXY_API_REQUESTS setting) and route API calls through the frontend proxy

Architecture (WAF mode)

Browser -> Frontend App (public) -> FastAPI /api/* proxy -> Container App (VNet)

Non-WAF deployments are unchanged — browser calls backend directly.

Resolves AB#39249

Does this introduce a breaking change?

Yes
No

How to Test

Deploy with WAF parameters and verify:

/config returns {"API_URL":"/api"} (same-origin)
All use cases work through the frontend proxy
Post-deploy script detects WAF mode and routes through frontend

What to Check

Frontend proxies API calls correctly in WAF mode
Non-WAF deployment still works as before
Post-deploy scripts upload team configs successfully

Other Information

Related PRs: microsoft/customer-chatbot-solution-accelerator#173, microsoft/Conversation-Knowledge-Mining-Solution-Accelerator#861
Replaces PR #904 (which had unrelated merge commits from dev-v4)

When enablePrivateNetworking (WAF mode) is active: Infrastructure: - Set Container App Environment to internal with public access disabled - Create private DNS zone for the CAE default domain linked to VNet - Add wildcard A record pointing to CAE static IP for DNS resolution - Frontend App Service gets PROXY_API_REQUESTS=true env var Frontend: - FastAPI server proxies /api/* requests to backend via httpx over VNet - /config endpoint returns same-origin /api URL in WAF mode - Added httpx dependency Post-deploy scripts: - Detect internal ingress / IP restrictions / PROXY_API_REQUESTS - Route API calls through frontend App Service proxy Non-WAF deployments remain unchanged. Resolves AB#39249 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The frontend proxy only handled HTTP requests but MACAE uses WebSocket connections for real-time agent streaming. Add a WebSocket proxy route that forwards wss:// connections to the private backend Container App over the VNet using the websockets library. Also fix Dockerfile BuildKit --mount issue for ACR Task builds. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Prajwal-Microsoft requested review from Avijit-Microsoft, Fr4nc3, Roopan-Microsoft, Vinay-Microsoft, aniaroramsft, dgp10801, marktayl1, nchandhi and toherman-msft as code owners April 21, 2026 06:49

Prajwal-Microsoft temporarily deployed to production April 21, 2026 06:49 — with GitHub Actions Inactive

Prajwal-Microsoft force-pushed the feature/39249-waf-api-private-access-clean branch from b13a2bb to e92c2d0 Compare April 21, 2026 07:20

Prajwal-Microsoft temporarily deployed to production April 21, 2026 07:21 — with GitHub Actions Inactive

Kamini-Microsoft temporarily deployed to production April 21, 2026 09:18 — with GitHub Actions Inactive

Kamini-Microsoft temporarily deployed to production April 21, 2026 09:22 — with GitHub Actions Inactive

Kamini-Microsoft had a problem deploying to production April 21, 2026 09:23 — with GitHub Actions Failure

Kamini-Microsoft temporarily deployed to production April 21, 2026 09:43 — with GitHub Actions Inactive

Kamini-Microsoft had a problem deploying to production April 21, 2026 09:46 — with GitHub Actions Failure

Kamini-Microsoft temporarily deployed to production April 21, 2026 11:08 — with GitHub Actions Inactive

Prajwal-Microsoft temporarily deployed to production April 21, 2026 11:11 — with GitHub Actions Inactive

Kamini-Microsoft temporarily deployed to production April 22, 2026 04:41 — with GitHub Actions Inactive

Kamini-Microsoft temporarily deployed to production April 22, 2026 04:44 — with GitHub Actions Inactive

Kamini-Microsoft had a problem deploying to production April 22, 2026 04:44 — with GitHub Actions Failure

Kamini-Microsoft temporarily deployed to production April 22, 2026 05:02 — with GitHub Actions Inactive

Kamini-Microsoft had a problem deploying to production April 22, 2026 05:05 — with GitHub Actions Failure

Roopan-Microsoft approved these changes Apr 22, 2026

View reviewed changes

Roopan-Microsoft merged commit 22a8688 into dev-v4 Apr 22, 2026
17 of 19 checks passed

Prajwal-Microsoft deleted the feature/39249-waf-api-private-access-clean branch April 22, 2026 16:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Restrict backend Container App access in WAF deployment#939

feat: Restrict backend Container App access in WAF deployment#939
Roopan-Microsoft merged 2 commits intodev-v4from
feature/39249-waf-api-private-access-clean

Prajwal-Microsoft commented Apr 21, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants