update document for code hosting

Author: Priyanka-Microsoft

docs/LOCAL_DEPLOYMENT.md

@@ -170,12 +170,16 @@ Review the configuration options below. You can customize any settings that meet
 | **Configuration File** | `main.parameters.json` (sandbox) | Copy `main.waf.parameters.json` to `main.parameters.json` |
 | **Security Controls** | Minimal (for rapid iteration) | Enhanced (production best practices) |
 | **Network Access** | All services publicly accessible | Backend API (Function App) restricted to private network; only frontend publicly accessible |
-| **Private Endpoints** | Disabled | Enabled for all backend services (Storage, Key Vault, Cosmos DB/PostgreSQL, OpenAI, Search, Function App) |
+| **Private Endpoints** | Disabled | Enabled for backend services (Storage, Key Vault, Cosmos DB/PostgreSQL, OpenAI, Search). Function App private endpoint is included for container hosting; for code hosting, keep API private access without adding a Function App private endpoint. |
 | **Cost** | Lower costs | Cost optimized |
 | **Use Case** | POCs, development, testing | Production workloads |
 | **Framework** | Basic configuration | [Well-Architected Framework](https://learn.microsoft.com/en-us/azure/well-architected/) |
 | **Features** | Core functionality | Reliability, security, operational excellence |
 
+> **Note - WAF Deployment (Restrict API to Private Access, Function App on App Service Plan Accelerators):**
+> If `AZURE_APP_SERVICE_HOSTING_MODEL` is set to `code`, do **not** implement a private endpoint for the backend API Function App.
+> Keep the API restricted through App Service access restrictions/private networking controls applicable to code hosting.
+
 **To use production configuration:**
 
 Copy the contents from the production configuration file to your main parameters file:

docs/best_practices.md

@@ -47,12 +47,12 @@ Moreover, optimizing the data in the index also enhances the efficiency, the spe
 
 When deploying with the production/WAF configuration (`enablePrivateNetworking: true`), the following network security measures are automatically applied:
 
-- **Private Endpoints**: All backend services including Azure OpenAI, Azure AI Search, Storage Account, Key Vault, Cosmos DB/PostgreSQL, and the Function App (backend API) are configured with private endpoints, making them accessible only through the VNet.
+- **Private Endpoints**: Backend services including Azure OpenAI, Azure AI Search, Storage Account, Key Vault, and Cosmos DB/PostgreSQL are configured with private endpoints. For the Function App (backend API), private endpoint is used in container hosting; in code hosting, follow access restrictions/private networking controls without adding a Function App private endpoint.
 - **Function App (Backend API)**: The Function App hosting the backend API is secured with:
-  - Private endpoint for inbound traffic
+  - Private endpoint for inbound traffic in container hosting
   - VNet integration for outbound traffic
-  - Public network access disabled
-  - Communication limited to internal VNet traffic only
+  - Public inbound access blocked using App Service access restrictions
+  - Communication limited to approved private paths and network controls
 - **Frontend Web Apps**: The App Service (frontend) and Admin App remain publicly accessible to serve user traffic, while communicating with backend services through the private network.
 - **Virtual Network**: All resources are integrated into a secure virtual network with properly configured subnets and Network Security Groups (NSGs).
 - **Bastion Host**: A jumpbox VM accessible via Azure Bastion is provided for management access to private resources.

infra/main.bicep

@@ -1438,12 +1438,12 @@ module function 'modules/app/function.bicep' = {
     // WAF: Use IP restrictions to block public API access while allowing SCM for deployments
     // publicNetworkAccess stays Enabled, but ipSecurityRestrictions blocks public traffic to the main site
     publicNetworkAccess: 'Enabled'
-    // Block all public access to the main site (API) - traffic must go through private endpoint
+    // Block all public access to the main site (API)
     ipSecurityRestrictions: enablePrivateNetworking
       ? [
           {
             name: 'DenyAllPublicAccess'
-            description: 'Deny public access. Use private endpoint.'
+            description: 'Deny public access to API endpoint.'
             action: 'Deny'
             priority: 100
             ipAddress: '0.0.0.0/0'
@@ -1454,7 +1454,7 @@ module function 'modules/app/function.bicep' = {
     scmIpSecurityRestrictions: []
     // Do NOT inherit main site restrictions for SCM - this allows deployments while API is private
     scmIpSecurityRestrictionsUseMain: false
-    privateEndpoints: enablePrivateNetworking
+    privateEndpoints: (enablePrivateNetworking && hostingModel == 'container')
       ? [
           {
             name: 'pep-${hostingModel == 'container' ? '${functionName}-docker' : functionName}'