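#!/bin/bash
#
# Set up a secure N-tier layout for two *existing* Azure App Service apps:
#   - a VNet with an integration subnet (frontend) and a private-endpoint
#     subnet (backend)
#   - a private DNS zone for privatelink.azurewebsites.net, linked to the VNet
#   - a private endpoint for the backend app, registered in that zone
#   - regional VNet integration for the frontend app, routing all traffic
#     through the VNet and using the Azure-provided DNS resolver
#   - hardening: public network access and default IP-restriction action set
#     to Deny on the backend, FTP publishing disabled on both apps
#
# Prerequisites: Azure CLI installed and logged in (`az login`); the frontend
# and backend apps named below already exist in RESOURCE_GROUP. The script
# runs with no arguments; edit the configuration block to change targets.
#
# Every step aborts the script on failure (set -e). Re-running after a partial
# failure may report "already exists" on steps that completed earlier.

set -euo pipefail

# --- Configuration ------------------------------------------------------------
readonly SUBSCRIPTION_ID="68e2151b-b2ea-40ad-92e0-41588d046641"
readonly RESOURCE_GROUP="trulo-ai-devTest"
readonly LOCATION="East US"            # contains a space: must stay quoted
readonly VNET_NAME="vnet-trulo-ai-devTest"
readonly VNET_ADDRESS_PREFIX="10.0.0.0/16"
readonly INTEGRATION_SUBNET_NAME="vnet-integration-subnet"
readonly INTEGRATION_SUBNET_PREFIX="10.0.0.0/24"
readonly ENDPOINT_SUBNET_NAME="private-endpoint-subnet"
readonly ENDPOINT_SUBNET_PREFIX="10.0.1.0/24"
readonly FRONTEND_APP_NAME="trulo-ai-web-devTest"
readonly BACKEND_APP_NAME="trulo-ai-user-devTest"
readonly DNS_ZONE_NAME="privatelink.azurewebsites.net"
readonly DNS_LINK_NAME="truloDnsLink"
readonly PRIVATE_ENDPOINT_NAME="truloPrivateEndpoint"
readonly CONNECTION_NAME="truloConnection"
readonly ZONE_GROUP_NAME="truloZoneGroup"

# --- Helpers ------------------------------------------------------------------

# Print a progress message to stdout.
log() { printf '%s\n' "$*"; }

# Print an error message to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# --- Main ---------------------------------------------------------------------

log "Starting setup of secure N-tier architecture for Azure App Service..."

# Pin the CLI to the intended subscription so every step below targets it,
# rather than whatever subscription happens to be the CLI's current default.
az account set --subscription "$SUBSCRIPTION_ID" \
  || die "cannot select subscription ${SUBSCRIPTION_ID}"

# 1. Create Virtual Network
log "Creating Virtual Network..."
az network vnet create \
  --resource-group "$RESOURCE_GROUP" \
  --location "$LOCATION" \
  --name "$VNET_NAME" \
  --address-prefixes "$VNET_ADDRESS_PREFIX"

# 2. Create Integration Subnet for Frontend
#    Delegated to Microsoft.Web/serverFarms, as regional VNet integration needs.
log "Creating Integration Subnet..."
az network vnet subnet create \
  --resource-group "$RESOURCE_GROUP" \
  --vnet-name "$VNET_NAME" \
  --name "$INTEGRATION_SUBNET_NAME" \
  --address-prefixes "$INTEGRATION_SUBNET_PREFIX" \
  --delegation Microsoft.Web/serverFarms \
  --private-endpoint-network-policies Disabled

# 3. Create Private Endpoint Subnet for Backend
log "Creating Private Endpoint Subnet..."
az network vnet subnet create \
  --resource-group "$RESOURCE_GROUP" \
  --vnet-name "$VNET_NAME" \
  --name "$ENDPOINT_SUBNET_NAME" \
  --address-prefixes "$ENDPOINT_SUBNET_PREFIX" \
  --private-endpoint-network-policies Disabled

# 4. Create Private DNS Zone
log "Creating Private DNS Zone..."
az network private-dns zone create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$DNS_ZONE_NAME"

# 5. Link DNS Zone to Virtual Network
#    Registration is off: records are written by the zone group in step 7.
log "Linking DNS Zone to Virtual Network..."
az network private-dns link vnet create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$DNS_LINK_NAME" \
  --zone-name "$DNS_ZONE_NAME" \
  --virtual-network "$VNET_NAME" \
  --registration-enabled false

# 6. Create Private Endpoint for Backend
log "Creating Private Endpoint for Backend..."
# Split declaration from assignment so a failed lookup is not masked;
# an empty id would otherwise be passed straight into the endpoint create.
BACKEND_ID=$(az webapp show \
  --resource-group "$RESOURCE_GROUP" \
  --name "$BACKEND_APP_NAME" \
  --query id --output tsv) \
  || die "cannot look up backend app ${BACKEND_APP_NAME}"
[[ -n "$BACKEND_ID" ]] \
  || die "backend app ${BACKEND_APP_NAME} returned an empty resource id"

az network private-endpoint create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$PRIVATE_ENDPOINT_NAME" \
  --location "$LOCATION" \
  --connection-name "$CONNECTION_NAME" \
  --private-connection-resource-id "$BACKEND_ID" \
  --group-id sites \
  --vnet-name "$VNET_NAME" \
  --subnet "$ENDPOINT_SUBNET_NAME"

# 7. Configure DNS for Private Endpoint
log "Configuring DNS for Private Endpoint..."
az network private-endpoint dns-zone-group create \
  --resource-group "$RESOURCE_GROUP" \
  --endpoint-name "$PRIVATE_ENDPOINT_NAME" \
  --name "$ZONE_GROUP_NAME" \
  --private-dns-zone "$DNS_ZONE_NAME" \
  --zone-name "$DNS_ZONE_NAME"

# 8. Configure VNet Integration for Frontend
log "Configuring VNet Integration for Frontend..."
az webapp vnet-integration add \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FRONTEND_APP_NAME" \
  --vnet "$VNET_NAME" \
  --subnet "$INTEGRATION_SUBNET_NAME"

# 9. Configure Frontend App Settings - THE CRITICAL PART!
#    WEBSITE_VNET_ROUTE_ALL=1 sends all outbound traffic into the VNet;
#    WEBSITE_DNS_SERVER points at Azure's resolver so the privatelink zone
#    linked in step 5 is consulted for the backend hostname.
log "Configuring Frontend App Settings..."
az webapp config appsettings set \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FRONTEND_APP_NAME" \
  --settings WEBSITE_VNET_ROUTE_ALL=1 WEBSITE_DNS_SERVER=168.63.129.16

# 10. Set the correct backend API URL in the frontend app settings
log "Setting correct backend API URL in frontend settings..."
az webapp config appsettings set \
  --resource-group "$RESOURCE_GROUP" \
  --name "$FRONTEND_APP_NAME" \
  --settings "API_URL=https://${BACKEND_APP_NAME}.azurewebsites.net"

# 11. Disable Public Network Access to Backend
log "Disabling Public Network Access to Backend..."
az webapp update \
  --resource-group "$RESOURCE_GROUP" \
  --name "$BACKEND_APP_NAME" \
  --set publicNetworkAccess=Disabled

# 12. Set IP Security Restrictions Default Action to Deny
log "Setting IP Security Restrictions for Backend..."
az resource update \
  --resource-group "$RESOURCE_GROUP" \
  --name "$BACKEND_APP_NAME" \
  --namespace Microsoft.Web \
  --resource-type sites \
  --set properties.siteConfig.ipSecurityRestrictionsDefaultAction=Deny

# 13. Allow SCM Access for Deployments
#     NOTE(review): this leaves the backend's SCM (Kudu) site reachable with a
#     default action of Allow; restricting it to the deployment source's
#     addresses would narrow the exposure. Kept as the author configured it.
log "Allowing SCM Access for Deployments..."
az resource update \
  --resource-group "$RESOURCE_GROUP" \
  --name "$BACKEND_APP_NAME" \
  --namespace Microsoft.Web \
  --resource-type sites \
  --set properties.siteConfig.scmIpSecurityRestrictionsDefaultAction=Allow

# 14. Disable FTP Publishing for Frontend
log "Disabling FTP Publishing for Frontend..."
az resource update \
  --resource-group "$RESOURCE_GROUP" \
  --name ftp \
  --namespace Microsoft.Web \
  --resource-type basicPublishingCredentialsPolicies \
  --parent "sites/${FRONTEND_APP_NAME}" \
  --set properties.allow=false

# 15. Disable FTP Publishing for Backend
log "Disabling FTP Publishing for Backend..."
az resource update \
  --resource-group "$RESOURCE_GROUP" \
  --name ftp \
  --namespace Microsoft.Web \
  --resource-type basicPublishingCredentialsPolicies \
  --parent "sites/${BACKEND_APP_NAME}" \
  --set properties.allow=false

# 16. Enable diagnostic logs for troubleshooting
log "Enabling diagnostic logs for both apps..."
for app in "$FRONTEND_APP_NAME" "$BACKEND_APP_NAME"; do
  az webapp log config \
    --resource-group "$RESOURCE_GROUP" \
    --name "$app" \
    --application-logging filesystem \
    --detailed-error-messages true \
    --web-server-logging filesystem
done

# 17. Restart both apps to apply all changes
log "Restarting apps to apply changes..."
for app in "$FRONTEND_APP_NAME" "$BACKEND_APP_NAME"; do
  az webapp restart --resource-group "$RESOURCE_GROUP" --name "$app"
done

log "Setup complete! Your secure N-tier architecture has been deployed."
log "Frontend public URL: https://${FRONTEND_APP_NAME}.azurewebsites.net"
# The backend hostname resolves to the private endpoint only from inside the
# VNet (steps 5-7); public access is off (step 11) and the default IP rule
# is Deny (step 12).
log "Backend private URL (accessible only from frontend): https://${BACKEND_APP_NAME}.azurewebsites.net"
log ""
log "If issues persist, check the logs using:"
log "az webapp log tail --resource-group ${RESOURCE_GROUP} --name ${FRONTEND_APP_NAME}"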