Get started with chat private endpoints for Python
This article shows you how to deploy and run the Enterprise chat app sample for Python accessible by private endpoints.
This sample implements a chat app using Python, Azure OpenAI Service, and Retrieval Augmented Generation (RAG) in Azure AI Search to get answers about employee benefits at a fictitious company. The app is seeded with PDF files including the employee handbook, a benefits document and a list of company roles and expectations.
By following the instructions in this article, you will:
- Deploy a chat app to Azure for public access in a web browser.
- Redeploy the chat app with private endpoints.
Once you complete this procedure, you can start modifying the new project with your custom code and redeploy, knowing your chat app is accessible only through the private network.
Architectural overview
The default deployment creates a chat app with public endpoints.
For chat apps enriched with private data, securing access to your chat app is crucial. This article presents a solution using a virtual network (VNET).
Within the VNET, there is a separate subnet for the App Service app versus the other backend Azure services. This makes it easy to apply different network security group rules to each subnet.
Within the VNET, the services use private endpoints to communicate with each other. Each private endpoint is associated with a private DNS zone to resolve the private endpoint's name to an IP address within the VNET.
Deployment steps
It's recommended to deploy the solution twice, once with public access to validate the chat app is working correctly, and again with private access to secure your chat app using a virtual network.
Prerequisites
A development container environment is available with all dependencies required to complete this article. You can run the development container in GitHub Codespaces (in a browser) or locally using Visual Studio Code.
To use this article, you need the following prerequisites:
An Azure subscription - Create one for free
Azure account permissions - Your Azure Account must have Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner.
Access granted to Azure OpenAI in the desired Azure subscription. Currently, access to this service is granted only by application. You can apply for access to Azure OpenAI by completing the form at https://aka.ms/oai/access. If you have a problem with access, open an issue on the sample repository to contact us.
GitHub account
Open development environment
Begin now with a development environment that has all the dependencies installed to complete this article.
GitHub Codespaces runs a development container managed by GitHub with Visual Studio Code for the Web as the user interface. For the most straightforward development environment, use GitHub Codespaces so that you have the correct developer tools and dependencies preinstalled to complete this article.
Important
All GitHub accounts can use Codespaces for up to 60 hours free each month with 2 core instances. For more information, see GitHub Codespaces monthly included storage and core hours.
Start the process to create a new GitHub Codespace on the main branch of the Azure-Samples/azure-search-openai-demo GitHub repository. Right-click the following button and select Open link in new window so that you have both the development environment and the documentation available at the same time.
On the Create codespace page, review the Codespace configuration settings and then select Create new codespace.
Wait for the Codespace to start. This startup process can take a few minutes.
In the terminal at the bottom of the screen, sign in to Azure with the Azure Developer CLI.
azd auth login
Copy the code from the terminal and then paste it into a browser. Follow the instructions to authenticate with your Azure account.
The remaining tasks in this article take place in the context of this development container.
Custom settings
This solution configures and deploys the infrastructure based on custom settings configured with Azure Developer CLI. The following table explains the custom settings for this solution.
Setting | Description |
---|---|
AZURE_PUBLIC_NETWORK_ACCESS | Controls the value of public network access on supported Azure resources. Valid values are Enabled or Disabled. |
AZURE_USE_PRIVATE_ENDPOINT | Controls deployment of private endpoints, which connect Azure resources to the virtual network. TRUE means private endpoints are deployed for connectivity. |
Deploy the chat app
The first deployment creates the resources and provides a publicly accessible endpoint.
Run the following command to configure this solution for public access.
azd env set AZURE_PUBLIC_NETWORK_ACCESS Enabled
When asked for an environment name, remember that the environment name is used to create the resource group. Enter a meaningful name. If you are on a team or in an organization, include your name, for example morgan-chat-private-endpoints. Make note of the environment name. You need it to find the resources in the Azure portal later.
Run the following command to include provisioning the virtual network resources. Remember that the deployment doesn't restrict access until the second deployment.
azd env set AZURE_USE_PRIVATE_ENDPOINT true
Deploy the solution with the following command:
azd up
Provisioning resources is the most time-consuming part of the deployment process. Wait for the deployment to complete before continuing.
At the end of the deployment process, the app endpoint is shown. Copy that endpoint into a browser to open the chat app. Select one of the questions on the cards then wait for the answer.
Make note of the endpoint URL. You'll need it again later in the article.
Deploy chat app to Azure with private access
Change the deployment configuration to secure the chat app for private access.
Run the following command to turn off public access.
azd env set AZURE_PUBLIC_NETWORK_ACCESS Disabled
Run the following command to change the resource configuration. This command doesn't redeploy the application code because that code hasn't changed.
azd provision
Once the provisioning completes, open the chat app in a browser again. The chat app is no longer accessible because the public endpoint is disabled.
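The two settings from the table above decide which of the two deployments you get, and the order in which they are changed matters: turning public access off before the private endpoints exist leaves the app reachable from nowhere. The following added example (not part of the sample repository) checks an azd environment for the posture you expect before running azd up or azd provision. It assumes azd stores the environment in .azure/<env>/.env as KEY="value" lines, that an unset AZURE_PUBLIC_NETWORK_ACCESS behaves like the default public deployment, and that an unset AZURE_USE_PRIVATE_ENDPOINT means false; the .env content is constructed.

```python
"""Check the azd environment settings this article uses before deploying.
Added example; not the sample repository's own code. The .env layout
(KEY="value" per line in .azure/<env>/.env) is an assumption about azd."""
import re
from typing import Dict, List

# Constructed sample of the environment file for the second (private) deployment.
SAMPLE_ENV = '''
AZURE_ENV_NAME="morgan-chat-private-endpoints"
AZURE_PUBLIC_NETWORK_ACCESS="Disabled"
AZURE_USE_PRIVATE_ENDPOINT="true"
'''

_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?(.*?)"?\s*$')


def parse_azd_env(text: str) -> Dict[str, str]:
    """Parse KEY="value" (or KEY=value) lines; blanks and # comments are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def network_posture(settings: Dict[str, str]) -> str:
    """Classify the combination of the two settings from the article's table.
    Returns 'public', 'private', 'unreachable' or 'invalid'."""
    access = settings.get("AZURE_PUBLIC_NETWORK_ACCESS", "Enabled")  # assumed default
    private = settings.get("AZURE_USE_PRIVATE_ENDPOINT", "false").lower()  # assumed default
    if access not in ("Enabled", "Disabled") or private not in ("true", "false"):
        return "invalid"        # only the values the table lists are accepted
    if access == "Enabled":
        return "public"         # first deployment: reachable from the internet
    if private == "true":
        return "private"        # second deployment: reachable only through the VNET
    return "unreachable"        # public access off and no private path in


def check_phase(settings: Dict[str, str], expected: str) -> List[str]:
    """Return the problems found for the deployment phase you are about to run."""
    problems: List[str] = []
    got = network_posture(settings)
    if got != expected:
        problems.append(f"expected posture {expected!r}, environment yields {got!r}")
    if expected == "private" and got == "unreachable":
        problems.append("set AZURE_USE_PRIVATE_ENDPOINT true before disabling public access")
    return problems
```

Run check_phase(parse_azd_env(open(".azure/<env>/.env").read()), "public") before the first azd up and with "private" before azd provision; an empty list means the environment matches the phase.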
Access the chat app
To access the chat app, use a tool such as Azure VPN Gateway or Azure Virtual Desktop. Remember that any tool used for accessing the app must be secure and compliant with your organization's security policies.
Clean up GitHub Codespaces
Deleting the GitHub Codespaces environment ensures that you get the most out of the free per-core hours entitlement for your account.
Important
For more information about your GitHub account's entitlements, see GitHub Codespaces monthly included storage and core hours.
Sign into the GitHub Codespaces dashboard (https://github.com/codespaces).
Locate your currently running Codespaces sourced from the Azure-Samples/azure-search-openai-demo GitHub repository.
Open the context menu for the Codespace and then select Delete.
Get help
This sample repository offers troubleshooting information.
If your issue isn't addressed, log your issue to the repository's Issues.
Next step
- Enterprise chat app GitHub repository
- Build a chat app with Azure OpenAI best practice solution architecture
- Access control in Generative AI Apps with Azure AI Search