Configure network isolation

Starting September 1, 2023, we strongly recommend the Azure Service Tag method for network isolation. Use DL-ASE only for highly specific scenarios. Before implementing this solution in a production environment, consult your support team for guidance.

You can add network isolation to an existing Direct Line App Service extension bot. A private endpoint lets your network isolated bot communicate with required Bot Framework services so that the bot can run correctly while being limited to the virtual network.

To add network isolation to your bot:

  1. Use a virtual network and configure the network to prevent outbound traffic. At this point, your bot will lose the ability to communicate with other Bot Framework services.
  2. Configure private endpoints to restore connectivity.
  3. Restart your app service and test your bot within your isolated network.
  4. Disable public network access to your bot.

Prerequisites

  • An Azure account. If you don't already have one, create a free account before you begin.
    • A subscription with permission to create Azure Virtual Network and network security group resources.
  • A working Direct Line App Service extension bot.
    • Your bot uses the Bot Framework SDK for C# or JavaScript, version 4.16 or later.
    • Your bot has named pipes enabled.
    • Your bot's app service has the Direct Line App Service extension enabled.
  • A Web Chat control connected to your bot's Direct Line client.

To confirm that your existing bot is configured correctly:

  1. In a browser, open the Direct Line client endpoint for your bot. For example, https://<your-app_service>.azurewebsites.net/.bot.

  2. Verify the page displays the following:

    {"v":"123","k":true,"ib":true,"ob":true,"initialized":true}
    
    • v shows the build version of the Direct Line App Service extension.
    • k indicates whether the extension was able to read an extension key from its configuration.
    • initialized indicates whether the extension was able to download bot metadata from Azure AI Bot Service.
    • ib indicates whether the extension was able to establish an inbound connection to the bot.
    • ob indicates whether the extension was able to establish an outbound connection from the bot.
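A small checker for the status page described above, added here as an example (it is not Microsoft's code and not part of the original article). It reads the same five flags and turns each false one into the explanation the article gives, so it also serves the later "Verify that connectivity is broken" and "verify that connectivity is restored" steps; the diagnose and probe names and the wording of the diagnoses are this example's own.

```python
"""Interpret the Direct Line App Service extension status page (/.bot).

Added example, not Microsoft documentation code. The flag names
(v, k, ib, ob, initialized) are the ones the status page returns; the
diagnosis messages and the probe helper are this example's own.
"""
import json
import urllib.request

# Each flag that must be true, with what a false value means per the article.
CHECKS = (
    ("k", "extension key not readable from configuration"),
    ("ib", "no inbound connection to the bot: check that named pipes are enabled"),
    ("ob", "no outbound connection from the bot: check that named pipes are enabled"),
    ("initialized", "bot metadata not downloaded from Azure AI Bot Service: "
                    "outbound traffic is blocked and no private endpoint is reachable"),
)


def diagnose(status_text: str) -> dict:
    """Parse the /.bot JSON body and explain every flag that is not true.

    Returns {"version": str | None, "healthy": bool, "problems": [str, ...]}.
    A body that is not the status JSON (for example an HTML error page) is
    reported as a problem rather than raising, so a probe loop keeps running.
    """
    try:
        status = json.loads(status_text)
        if not isinstance(status, dict):
            raise ValueError("status body is not a JSON object")
    except ValueError:
        return {"version": None, "healthy": False,
                "problems": ["response is not the extension status JSON; "
                             "is the Direct Line App Service extension enabled?"]}
    problems = [msg for flag, msg in CHECKS if status.get(flag) is not True]
    return {"version": status.get("v"), "healthy": not problems, "problems": problems}


def probe(bot_host: str, timeout: float = 10.0) -> dict:
    """Fetch https://<bot_host>/.bot and diagnose it (needs network access)."""
    with urllib.request.urlopen(f"https://{bot_host}/.bot", timeout=timeout) as resp:
        return diagnose(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample bodies matching the two states the article shows.
    for body in ('{"v":"123","k":true,"ib":true,"ob":true,"initialized":true}',
                 '{"v":"123","k":true,"ib":true,"ob":true,"initialized":false}'):
        print(diagnose(body))
```

Run probe("<your-app_service>.azurewebsites.net") from inside the virtual network before and after the outbound deny rule to confirm that only initialized changes.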

Create a virtual network

  1. Go to Azure portal.
  2. Create an Azure Virtual Network resource in the same region as your bot.
  3. Open the app service resource for your bot and enable virtual network integration.
  4. Create a second subnet. You'll use the second subnet later to add your private endpoint.

Deny outbound traffic from your network

  1. Open the network security group associated with your first subnet.
  2. Under Settings, select Outbound security rules.
    1. In the outbound security rules list, enable DenyAllInternetOutbound.
  3. Go to the app service resource for your bot.
  4. Restart your app service.

Verify that connectivity is broken

  1. In a separate browser tab, open the Direct Line client endpoint for your bot. For example, https://<your-app_service>.azurewebsites.net/.bot.

  2. Verify the page displays the following:

    {"v":"123","k":true,"ib":true,"ob":true,"initialized":false}
    

    The value of initialized should be false, because your app service and the app service extension can't connect to other Bot Framework services to initialize. Your bot is now isolated in a virtual network for outbound connections.

Create your private endpoint

  1. Go to Azure portal.
  2. Open the Azure Bot resource for your bot.
  3. Under Settings, select Networking.
    1. On the Private access tab, select Create a private endpoint.
      1. On the Resource tab, for Target sub-resource, select Bot from the list.
      2. On the Virtual Network tab, select your virtual network and the second subnet you created.
      3. Save your private endpoint.

Add your private endpoint to your bot's app service

  1. Open the Azure App Service resource for your bot.
  2. Under Settings, select Configuration.
    1. On the Application settings tab, select New application setting.
      1. Set Name to DirectLineExtensionABSEndpoint.
      2. Set Value to the private endpoint URL, for example, https://<your_azure_bot>.privatelink.directline.botframework.com/v3/extension.
      3. Save the new setting.

Restart your app service and verify that connectivity is restored

  1. Restart the app service for your bot.

  2. In a separate browser tab, open the Direct Line client endpoint for your bot. For example, https://<your-app_service>.azurewebsites.net/.bot.

  3. Verify the page displays the following:

    {"v":"123","k":true,"ib":true,"ob":true,"initialized":true}
    

    The value of initialized should be true.

  4. Use the Web Chat control connected to your bot's Direct Line client to interact with your bot inside the private network.

If your private endpoint doesn't work correctly, you can add a rule to allow outbound traffic specifically to Azure AI Bot Service.

Note

This will make your virtual network a little less isolated.

  1. Open the network security group associated with your first subnet.
  2. Under Settings, select Outbound security rules.
    1. In the outbound security rules list, enable AllowAzureBotService.
  3. Go to the app service resource for your bot.
  4. Restart your app service.

Disable public network access to your bot

You can block public access to your Azure AI Bot Service and only allow access through the private endpoint. You can disable public network access to Azure AI Bot Service in the Azure portal.

Tip

This will unconfigure the Teams channels. No other channels (except Direct Line) can be configured or updated in the Azure portal.

  1. Go to Azure portal.
  2. Open the app service for your bot.
  3. Disable public network access.

Additional information

Virtual network configuration

You have a couple of options to configure your bot for a virtual network.

  • Create a virtual network and then enable Azure App Service within the network. This is the option used in this article.
  • Create an App Service environment and then add an App Service Plan within the environment.

  1. Create a virtual network.
  2. Enable Azure App Service integration within the virtual network.

These are the steps used in this article, as described in the Create a virtual network section.

For more information, see Create a virtual network using the Azure portal and Enable virtual network integration in Azure App Service.