feat: Merging the AVM WAF Changes from feature/avm-waf-aligned into dev

README.md

@@ -8,7 +8,7 @@ The Modernize your code solution accelerator allows users to specify a group of
 <br/>
 
 <div align="center">
-  
+
 [**SOLUTION OVERVIEW**](#solution-overview) \| [**QUICK DEPLOY**](#quick-deploy) \| [**BUSINESS SCENARIO**](#business-scenario) \| [**SUPPORTING DOCUMENTATION**](#supporting-documentation)
 
 </div>
@@ -24,7 +24,10 @@ The solution leverages Azure AI Foundry, Azure OpenAI Service, Azure Container A
 |![image](./docs/images/read_me/solArchitecture.png)|
 |---|
 
+This architecture will be deployed with the 'sandbox' setting of our deployment process. Optionally you can deploy [Well-Architected Framework (WAF) aligned](https://learn.microsoft.com/en-us/azure/well-architected/) architecture, described in [WAF-Aligned Solution Architecture](./docs/ArchitectureWAF.md), with the WAF-Aligned deployment option described in [Deployment Guide](./docs/DeploymentGuide.md).
+
 ### Agentic architecture
+
 |![image](./docs/images/read_me/agentArchitecture.png)|
 |---|
 
@@ -51,16 +54,16 @@ If you'd like to customize the solution accelerator, here are some common areas
   <summary>Click to learn more about the key features this solution enables</summary>
 
   - **Code language modernization** <br/>
-  Modernizing outdated code ensures compatibility with current technologies, reduces reliance on legacy expertise, and keeps businesses competitive.
+    Modernizing outdated code ensures compatibility with current technologies, reduces reliance on legacy expertise, and keeps businesses competitive.
 
   - **Summary and review of new code** <br/>
-  Generating summaries and translating code files keeps humans in the loop, enhances their understanding, and facilitates timely interventions, ensuring the files are ready to export.
+    Generating summaries and translating code files keeps humans in the loop, enhances their understanding, and facilitates timely interventions, ensuring the files are ready to export.
 
   - **Business logic analysis** <br/>
-  Leveraging AI to decipher business logic from legacy code helps minimizes the risk of human error.
+    Leveraging AI to decipher business logic from legacy code helps minimizes the risk of human error.
 
   - **Efficient code transformation** <br/>
-  Streamlining the process of analyzing, converting, and iterative error testing reduces time and effort required to modernize the systems.
+    Streamlining the process of analyzing, converting, and iterative error testing reduces time and effort required to modernize the systems.
 
 </details>
 
@@ -77,7 +80,7 @@ Follow the quick deploy steps on the deployment guide to deploy this solution to
 
 | [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/microsoft/Modernize-your-Code-Solution-Accelerator) | [![Open in Dev Containers](https://img.shields.io/static/v1?style=for-the-badge&label=Dev%20Containers&message=Open&color=blue&logo=visualstudiocode)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/microsoft/Modernize-your-Code-Solution-Accelerator) |
 |---|---|
- 
+
 <br/>
 
 > ⚠️ **Important: Check Azure OpenAI Quota Availability**
@@ -141,19 +144,19 @@ The sample data used in this repository is synthetic and generated using Azure O
   <summary>Click to learn more about what value this solution provides</summary>
 
   - **Accelerated Migration** <br/>
-  Automate the translation of SQL queries, significantly reducing migration time and effort.
+    Automate the translation of SQL queries, significantly reducing migration time and effort.
 
   - **Error Reduction** <br/>
-  Multi-agent validation ensures accurate translations and maintains data integrity.
+    Multi-agent validation ensures accurate translations and maintains data integrity.
 
   - **Knowledge Preservation** <br/>
-  Captures and preserves business logic during the modernization process.
+    Captures and preserves business logic during the modernization process.
 
   - **Cost Efficiency** <br/>
-  Reduces reliance on specialized legacy system expertise and manual translation efforts.
+    Reduces reliance on specialized legacy system expertise and manual translation efforts.
 
   - **Standardization** <br/>
-  Ensures consistent query translation across the organization.
+    Ensures consistent query translation across the organization.
 
 </details>
 

azure.yaml

@@ -1,6 +1,3 @@
-environment:
-  name: modernize-your-code-solution-accelerator
-  location: eastus
 name: modernize-your-code-solution-accelerator
 metadata:
     template: modernize-your-code-solution-accelerator@1.0
@@ -36,4 +33,4 @@ hooks:
         $location = if ($env:AZURE_AISERVICE_LOCATION) { $env:AZURE_AISERVICE_LOCATION } else { "japaneast" };
         ./scripts/validate_model_deployment_quota.ps1 -SubscriptionId $env:AZURE_SUBSCRIPTION_ID -Location $location -ModelsParameter "aiModelDeployments"
       interactive: false
-      continueOnError: false
+      continueOnError: false

docs/ArchitectureWAF.md

@@ -0,0 +1,59 @@
+# Azure WAF-Aligned Architecture
+
+This architecture implements [Azure Well-Architected Framework (WAF)](https://learn.microsoft.com/en-us/azure/well-architected/) principles for enterprise-grade deployments, deployed with the WAF-Aligned deployment option: 
+
+![WAF-Aligned Architecture Diagram](../docs/images/read_me/solArchitectureWAF.png)
+
+## WAF Pillars Implementation
+
+###  Security
+- **Zero Trust Network:** Private VNet with private endpoints for all PaaS services
+- **Identity & Access:** Managed identities with RBAC and least-privilege access
+- **Secure Admin Access:** Azure Bastion + Jumpbox for internal administration
+- **Secrets Management:** Azure Key Vault integration
+
+###  Operational Excellence  
+- **Observability:** Centralized logging via Log Analytics Workspace
+- **Application Monitoring:** Application Insights for telemetry and diagnostics
+- **Infrastructure as Code:** Bicep templates with parameterized configurations
+
+### Performance Efficiency
+- **Auto-scaling:** Container Apps with configurable scaling policies
+- **Regional Proximity:** Resources deployed in optimal Azure regions
+
+###  Cost Optimization
+- **Right-sizing:** Parameterized SKUs and capacity settings
+- **Resource Sharing:** Shared networking and monitoring infrastructure
+
+###  Reliability
+- **High Availability:** Multi-zone deployment options
+- **Data Redundancy:** Configurable geo-replication for critical data stores
+- **Private Connectivity:** Eliminates internet dependencies
+
+## Core Architecture Components
+
+| Component | Purpose | WAF Alignment |
+|-----------|---------|---------------|
+| **Virtual Network** | Network isolation boundary | Security, Reliability |
+| **Private Endpoints** | Secure PaaS connectivity (AI Services, Storage, Cosmos DB, Key Vault) | Security |
+| **Private DNS Zones** | Internal name resolution | Security, Reliability |
+| **Azure Bastion + Jumpbox** | Secure administrative access | Security |
+| **Container Apps** | Application hosting with VNet integration | Performance, Reliability |
+| **Log Analytics + App Insights** | Centralized monitoring and diagnostics | Operational Excellence |
+
+## Deployment Configuration
+- **Parameter File:** `infra/main.waf-aligned.bicepparam` - Controls all WAF features
+- **Network-first Design:** All components deployed within private network boundaries
+- **Enterprise-ready:** Production-grade security and monitoring enabled
+
+## Application Information Flow
+
+The application information flow remains the same for both 'sandbox' and 'waf-aligned' configuration. 
+
+The solution is composed of several services:
+
+- The web app front end and the backend app logic are containerized and run from Azure Container service instances. 
+- When a request for conversion is created in the web app admin console, the user specifies what files should be converted and the target SQL dialect for conversion. 
+- These files are then uploaded to blob storage and initial data about the request is stored in Cosmos DB. 
+- The conversion takes place using appropriate LLM models using multiple agents, with each agent having a dedicated purpose in the conversion process. As files are converted, they are placed into blob storage, with metadata collected into Cosmos detailing the conversion process and the current state of the batch. 
+- Cosmos also stores the logs from the individual agents so the results can be fully reviewed before any of the converted files are put into production.

docs/DeploymentGuide.md

@@ -31,7 +31,7 @@ Check the [Azure Products by Region](https://azure.microsoft.com/en-us/explore/g
 
 | [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/microsoft/Modernize-your-Code-Solution-Accelerator) | [![Open in Dev Containers](https://img.shields.io/static/v1?style=for-the-badge&label=Dev%20Containers&message=Open&color=blue&logo=visualstudiocode)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/microsoft/Modernize-your-Code-Solution-Accelerator) |
 |---|---|
- 
+
 ### **Configurable Deployment Settings**  
 
 When you start the deployment, most parameters will have **default values**, but you can update the following settings by following the steps [here](../docs/CustomizingAzdParameters.md):  
@@ -61,7 +61,29 @@ By default, the **GPT model capacity** in deployment is set to **5k tokens**.
 
 To adjust quota settings, follow these [steps](../docs/AzureGPTQuotaSettings.md)
 
-### Deployment Options
+### Deployment Options & Steps 
+### Sandbox or WAF Aligned Deployment Options
+
+The [`infra`](../infra) folder contains the [`main.bicep`](../infra/main.bicep) Bicep script, which defines all Azure infrastructure components for this solution.
+
+By default, the `azd up` command uses the [`main.bicepparam`](../infra/main.bicepparam) file to deploy the solution. This file is pre-configured for a **sandbox environment** — ideal for development and proof-of-concept scenarios, with minimal security and cost controls for rapid iteration.
+
+For **production deployments**, the repository also provides [`main.waf-aligned.bicepparam`](../infra/main.waf-aligned.bicepparam), which applies a [WAF-aligned](https://learn.microsoft.com/en-us/azure/well-architected/) configuration. This option enables additional Azure best practices for reliability, security, cost optimization, operational excellence, and performance efficiency, such as:
+
+- Enhanced network security (e.g., Network protection with private endpoints)
+- Stricter access controls and managed identities
+- Logging, monitoring, and diagnostics enabled by default
+- Resource tagging and cost management recommendations
+
+**How to choose your deployment configuration:**
+
+- Use the default [`main.bicepparam`](../infra/main.bicepparam) for a sandbox/dev environment.
+- For a WAF-aligned, production-ready deployment, copy the contents of [`main.waf-aligned.bicepparam`](../infra/main.waf-aligned.bicepparam) into `main.bicepparam` before running `azd up`.
+
+> [!TIP]
+> Always review and adjust parameter values (such as region, capacity, security settings and log analytics workspace configuration) to match your organization’s requirements before deploying. For production, ensure you have sufficient quota and follow the principle of least privilege for all identities and role assignments.
+
+
 Pick from the options below to see step-by-step instructions for: GitHub Codespaces, VS Code Dev Containers, Local Environments, and Bicep deployments.
 
 <details>
@@ -133,23 +155,28 @@ To change the azd parameters from the default values, follow the steps [here](..
 
 1. Login to Azure:
 
-    ```shell
-    azd auth login
-    ```
+   ```shell
+   azd auth login
+   ```
+
+   #### Note: To authenticate with Azure Developer CLI (`azd`) to a specific tenant, use the previous command with your **Tenant ID**:
+
+   ```sh
+   azd auth login --tenant-id <tenant-id>
+   ```
 
-    #### Note: To authenticate with Azure Developer CLI (`azd`) to a specific tenant, use the previous command with your **Tenant ID**:
+2. Provide an `azd` environment name (like "cmsaapp")
 
-    ```sh
-    azd auth login --tenant-id <tenant-id>
+   ```sh
+   azd env new <cmsaapp>
    ```
 
-2. Provision and deploy all the resources:
+3. Provision and deploy all the resources:
 
     ```shell
     azd up
     ```
 
-3. Provide an `azd` environment name (like "cmsaapp")
 4. Select a subscription from your Azure account, and select a location which has quota for all the resources. 
     * This deployment will take *6-9 minutes* to provision the resources in your account and set up the solution with sample data. 
     * If you get an error or timeout with deployment, changing the location can help, as there may be availability constraints for the resources.