To achieve enterprise-grade security, we've ensured you can leverage the features below through an opt-in flag:
- Deploy in a virtual network to restrict access to the resources, including the Azure Functions API and the Azure Storage where the documents are stored.
- Leverage Azure Entra managed identity to disable all local authentication methods (i.e. API keys) and rely on role-based access control (RBAC).

You can enable these features when deploying this sample by following these steps:
- Create a new environment for your deployment (you cannot update an existing one):
  ```bash
  azd env create my-secure-env
  ```
- Enable the virtual network feature and disable local authentication:
  ```bash
  azd env set USE_VNET true
  ```
- Deploy the sample to the new environment:
  ```bash
  azd up
  ```

Note that enabling the virtual network incurs additional costs, as it requires deploying extra resources and switching to paid plans for the Azure Functions and Azure Static Web App.
Important
When VNET is enabled, you will lose the ability to run the sample locally while connected to Azure resources.
You can always fall back to using a local AI model and database for development purposes by deleting the `api/.env` file.
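
One way to check the result of a deployment made with `USE_VNET` enabled, as an added example that is not part of the sample's own code: the script audits the storage accounts in a resource group for shared-key (local) authentication and public network exposure. The resource group argument and the sample rows are assumptions; the queried property names are the ones the Azure CLI returns for storage accounts.

```shell
#!/bin/sh
# Added example: audit storage accounts after `azd up` with USE_VNET=true.
# Input: tab-separated rows of
#   name, allowSharedKeyAccess, publicNetworkAccess, networkRuleSet.defaultAction
# as printed by `az storage account list ... -o tsv` (null properties print as "None").
TAB=$(printf '\t')

audit_storage() {
  failures=0
  while IFS="$TAB" read -r name shared_key public_access default_action || [ -n "$name" ]; do
    [ -z "$name" ] && continue
    # An unset (null) allowSharedKeyAccess still permits account keys,
    # so only an explicit false counts as "local authentication disabled".
    case "$shared_key" in
      false|False) ;;
      *) echo "FAIL $name: shared key (local) authentication is not disabled"
         failures=$((failures + 1)) ;;
    esac
    # The endpoint is public unless public access is off or the firewall denies by default.
    if [ "$public_access" != "Disabled" ] && [ "$default_action" != "Deny" ]; then
      echo "FAIL $name: storage endpoint is not restricted to the virtual network"
      failures=$((failures + 1))
    fi
  done
  echo "findings: $failures"
  [ "$failures" -eq 0 ]
}

if [ -n "${1:-}" ]; then
  # $1 is the resource group created by the deployment (name is an assumption).
  az storage account list -g "$1" -o tsv --query \
    "[].[name, allowSharedKeyAccess, publicNetworkAccess, networkRuleSet.defaultAction]" \
    | audit_storage
else
  # Constructed sample rows, not real deployment output.
  printf 'stsecure001\tFalse\tDisabled\tDeny\nstdefault001\tNone\tEnabled\tAllow\n' \
    | audit_storage || true
fi
```

Pass the resource group name as the first argument to run the audit against a live deployment; the exit status is non-zero when any finding is reported.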