Add Azure Application Gateway configuration for secure HTTPS access

Author: wesback

README.md

@@ -53,11 +53,7 @@ docker run -p 8501:8501 -e AZURE_OPENAI_ENDPOINT="<your-endpoint>" -e AZURE_OPEN
 
 3. **Access the application**:
 
-Open your browser and navigate to:
-
-```
-http://localhost:8501
-```
+For local development, use `http://localhost:8501` (HTTPS is not configured for localhost).
 
 ## Container Registry Setup and Deployment
 
@@ -132,10 +128,38 @@ You can get ACR credentials using:
 az acr credential show --name <your-acr-name>
 ```
 
-Once deployed, access your application at:
-```
-http://<your-container-group-name>.<region>.azurecontainer.io:8501
-```
+### Using Azure Application Gateway for SSL Termination
+
+To enable secure communication over HTTPS, this solution integrates with Azure Application Gateway. The Application Gateway handles SSL termination and proxies traffic to the Azure Container Instance (ACI) running on port 8501.
+
+#### Steps to Configure Azure Application Gateway
+
+1. **Update Parameters**:
+   - Add the following parameters to your deployment command:
+     - `applicationGatewayName`: The name of the Azure Application Gateway resource.
+     - `publicIpName`: The name of the public IP resource for the Application Gateway.
+
+2. **Deploy with Application Gateway**:
+   ```bash
+   az deployment group create \
+     --resource-group <your-resource-group> \
+     --template-file infra/aci.bicep \
+     --parameters image="<your-image-path>" \
+                  azureOpenAIEndpoint="<your-endpoint>" \
+                  azureOpenAIAPIKey="<your-api-key>" \
+                  registryType="<DockerHub|ACR>" \
+                  registryName="<your-acr-name>" \
+                  applicationGatewayName="<your-app-gateway-name>" \
+                  publicIpName="<your-public-ip-name>"
+   ```
+
+3. **Access the Application**:
+   - Once deployed, access your application securely at the public IP or DNS name of the Application Gateway.
+
+#### Notes
+- The Application Gateway listens on port 443 and forwards traffic to the ACI on port 8501.
+- SSL termination is handled by the Application Gateway using the provided SSL certificate.
+- Ensure that the SSL certificate is in PFX format and base64-encoded, and provide the password as a parameter.
 
 ## GitHub Actions CI/CD
 

infra/aci.bicep

@@ -25,6 +25,12 @@ param registryPassword string = ''
 @description('ACR registry name (required for ACR, without .azurecr.io)')
 param registryName string = ''
 
+@description('Azure Application Gateway name')
+param applicationGatewayName string
+
+@description('Azure Application Gateway public IP name')
+param publicIpName string
+
 resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01' = {
   name: containerGroupName
   location: resourceGroup().location
@@ -80,4 +86,119 @@ resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01'
   }
 }
 
+resource publicIp 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
+  name: publicIpName
+  location: resourceGroup().location
+  sku: {
+    name: 'Standard'
+  }
+  properties: {
+    publicIPAllocationMethod: 'Static'
+  }
+}
+
+resource applicationGateway 'Microsoft.Network/applicationGateways@2021-02-01' = {
+  name: applicationGatewayName
+  location: resourceGroup().location
+  properties: {
+    sku: {
+      name: 'Standard_v2'
+      tier: 'Standard_v2'
+      capacity: 1
+    }
+    gatewayIPConfigurations: [
+      {
+        name: 'appGatewayIpConfig'
+        properties: {
+          subnet: {
+            id: resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnetName', 'subnetName')
+          }
+        }
+      }
+    ]
+    frontendIPConfigurations: [
+      {
+        name: 'appGatewayFrontendIp'
+        properties: {
+          publicIPAddress: {
+            id: publicIp.id
+          }
+        }
+      }
+    ]
+    frontendPorts: [
+      {
+        name: 'appGatewayFrontendPort'
+        properties: {
+          port: 443
+        }
+      }
+    ]
+    backendAddressPools: [
+      {
+        name: 'appGatewayBackendPool'
+        properties: {
+          backendAddresses: [
+            {
+              fqdn: containerGroup.properties.ipAddress.fqdn
+            }
+          ]
+        }
+      }
+    ]
+    httpListeners: [
+      {
+        name: 'appGatewayListener'
+        properties: {
+          frontendIPConfiguration: {
+            id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', applicationGatewayName, 'appGatewayFrontendIp')
+          }
+          frontendPort: {
+            id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', applicationGatewayName, 'appGatewayFrontendPort')
+          }
+          protocol: 'Https'
+          sslCertificate: {
+            id: resourceId('Microsoft.Network/applicationGateways/sslCertificates', applicationGatewayName, 'appGatewaySslCert')
+          }
+        }
+      }
+    ]
+    requestRoutingRules: [
+      {
+        name: 'appGatewayRoutingRule'
+        properties: {
+          httpListener: {
+            id: resourceId('Microsoft.Network/applicationGateways/httpListeners', applicationGatewayName, 'appGatewayListener')
+          }
+          backendAddressPool: {
+            id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGatewayName, 'appGatewayBackendPool')
+          }
+          backendHttpSettings: {
+            id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', applicationGatewayName, 'appGatewayBackendHttpSettings')
+          }
+        }
+      }
+    ]
+    backendHttpSettingsCollection: [
+      {
+        name: 'appGatewayBackendHttpSettings'
+        properties: {
+          port: 8501
+          protocol: 'Http'
+          cookieBasedAffinity: 'Disabled'
+        }
+      }
+    ]
+    sslCertificates: [
+      {
+        name: 'appGatewaySslCert'
+        properties: {
+          data: '<base64-encoded-pfx>'
+          password: '<certificate-password>'
+        }
+      }
+    ]
+  }
+}
+
 output fqdn string = containerGroup.properties.ipAddress.fqdn