feat: restrict backend API to private access in WAF deployment

When enablePrivateNetworking (WAF mode) is active:
- Add privatelink.azurewebsites.net private DNS zone linked to VNet
- Create private endpoint for backend API App Service in peps subnet
- Set publicNetworkAccess to Disabled for backend API
- Frontend nginx reverse-proxies /api/ and /history/ requests to backend over VNet
- APP_API_BASE_URL set to empty so frontend calls same origin in WAF mode
- Non-WAF deployments remain unchanged

Resolves AB#39249

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Prajwal-Microsoft

infra/main.bicep

@@ -445,6 +445,7 @@ var privateDnsZones = [
   'privatelink.documents.azure.com'
   'privatelink${environment().suffixes.sqlServerHostname}'
   'privatelink.search.windows.net'
+  'privatelink.azurewebsites.net'
 ]
 
 // DNS Zone Index Constants
@@ -459,6 +460,7 @@ var dnsZoneIndex = {
   cosmosDB: 7
   sqlServer: 8
   search: 9
+  webApp: 10
 }
 
 // ===================================================
@@ -1360,7 +1362,22 @@ module webSiteBackend 'modules/web-sites.bicep' = {
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? virtualNetwork!.outputs.webSubnetResourceId : null
-    publicNetworkAccess: 'Enabled'
+    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    privateEndpoints: enablePrivateNetworking
+      ? [
+          {
+            name: 'pep-${backendWebSiteResourceName}'
+            customNetworkInterfaceName: 'nic-${backendWebSiteResourceName}'
+            privateDnsZoneGroup: {
+              privateDnsZoneGroupConfigs: [
+                { privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.webApp]!.outputs.resourceId }
+              ]
+            }
+            service: 'sites'
+            subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
+          }
+        ]
+      : []
   }
 }
 
@@ -1387,7 +1404,8 @@ module webSiteFrontend 'modules/web-sites.bicep' = {
       {
         name: 'appsettings'
         properties: {
-          APP_API_BASE_URL: 'https://api-${solutionSuffix}.azurewebsites.net'
+          APP_API_BASE_URL: enablePrivateNetworking ? '' : 'https://api-${solutionSuffix}.azurewebsites.net'
+          BACKEND_API_HOST: enablePrivateNetworking ? 'api-${solutionSuffix}.azurewebsites.net' : ''
         }
         applicationInsightResourceId: enableMonitoring ? applicationInsights!.outputs.resourceId : null
       }

infra/main_custom.bicep

@@ -446,6 +446,7 @@ var privateDnsZones = [
   'privatelink.documents.azure.com'
   'privatelink${environment().suffixes.sqlServerHostname}'
   'privatelink.search.windows.net'
+  'privatelink.azurewebsites.net'
 ]
 
 // DNS Zone Index Constants
@@ -460,6 +461,7 @@ var dnsZoneIndex = {
   cosmosDB: 7
   sqlServer: 8
   search: 9
+  webApp: 10
 }
 
 // ===================================================
@@ -1359,7 +1361,22 @@ module webSiteBackend 'modules/web-sites.bicep' = {
     vnetRouteAllEnabled: enablePrivateNetworking ? true : false
     vnetImagePullEnabled: enablePrivateNetworking ? true : false
     virtualNetworkSubnetId: enablePrivateNetworking ? virtualNetwork!.outputs.webSubnetResourceId : null
-    publicNetworkAccess: 'Enabled'
+    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    privateEndpoints: enablePrivateNetworking
+      ? [
+          {
+            name: 'pep-${backendWebSiteResourceName}'
+            customNetworkInterfaceName: 'nic-${backendWebSiteResourceName}'
+            privateDnsZoneGroup: {
+              privateDnsZoneGroupConfigs: [
+                { privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.webApp]!.outputs.resourceId }
+              ]
+            }
+            service: 'sites'
+            subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
+          }
+        ]
+      : []
   }
 }
 
@@ -1387,9 +1404,10 @@ module webSiteFrontend 'modules/web-sites.bicep' = {
         properties: {
           SCM_DO_BUILD_DURING_DEPLOYMENT: 'true'
           ENABLE_ORYX_BUILD: 'true'
-          REACT_APP_API_BASE_URL: 'https://api-${solutionSuffix}.azurewebsites.net'
+          REACT_APP_API_BASE_URL: enablePrivateNetworking ? '' : 'https://api-${solutionSuffix}.azurewebsites.net'
           WEBSITE_NODE_DEFAULT_VERSION: '~20'
-          APP_API_BASE_URL: 'https://api-${solutionSuffix}.azurewebsites.net'
+          APP_API_BASE_URL: enablePrivateNetworking ? '' : 'https://api-${solutionSuffix}.azurewebsites.net'
+          BACKEND_API_HOST: enablePrivateNetworking ? 'api-${solutionSuffix}.azurewebsites.net' : ''
         }
         applicationInsightResourceId: enableMonitoring ? applicationInsights!.outputs.resourceId : null
       }

src/App/WebApp.Dockerfile

@@ -17,6 +17,12 @@ COPY env.sh /docker-entrypoint.d/env.sh
 RUN chmod +x /docker-entrypoint.d/env.sh
 RUN sed -i 's/\r$//' /docker-entrypoint.d/env.sh
 
+# Custom nginx config with API proxy support
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Create empty api-proxy conf (overwritten at startup for WAF deployments)
+RUN mkdir -p /etc/nginx/conf.d && touch /etc/nginx/conf.d/api-proxy.conf
+
 # Expose the application port
 EXPOSE 3000
 

src/App/env.sh

@@ -1,10 +1,48 @@
 #!/bin/sh
+
+# If BACKEND_API_HOST is set (WAF mode), configure nginx reverse proxy
+if [ -n "$BACKEND_API_HOST" ]; then
+  # Write nginx proxy config for /api/ and /history/ routes
+  cat > /etc/nginx/conf.d/api-proxy.conf << PROXYEOF
+location /api/ {
+    resolver 168.63.129.16 valid=30s;
+    set \$backend "https://$BACKEND_API_HOST";
+    proxy_pass \$backend;
+    proxy_set_header Host $BACKEND_API_HOST;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+    proxy_ssl_server_name on;
+    proxy_read_timeout 300s;
+    proxy_connect_timeout 60s;
+    proxy_buffering off;
+}
+
+location /history/ {
+    resolver 168.63.129.16 valid=30s;
+    set \$backend "https://$BACKEND_API_HOST";
+    proxy_pass \$backend;
+    proxy_set_header Host $BACKEND_API_HOST;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+    proxy_ssl_server_name on;
+    proxy_read_timeout 300s;
+    proxy_connect_timeout 60s;
+    proxy_buffering off;
+}
+PROXYEOF
+else
+  # Ensure empty file exists for non-WAF deployments
+  > /etc/nginx/conf.d/api-proxy.conf
+fi
+
+# Replace APP_* env vars in built frontend files (existing behavior)
 for i in $(env | grep ^APP_)
 do
     key=$(echo $i | cut -d '=' -f 1)
     value=$(echo $i | cut -d '=' -f 2-)
     echo $key=$value
-    # Use sed to replace only the exact matches of the key
     find /usr/share/nginx/html -type f -exec sed -i "s|\b${key}\b|${value}|g" '{}' +
 done
 echo 'done'

src/App/nginx.conf

@@ -0,0 +1,34 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    server {
+        listen 80;
+        server_name localhost;
+        root /usr/share/nginx/html;
+        index index.html;
+
+        # Include API proxy config (generated at startup for WAF/private networking deployments)
+        include /etc/nginx/conf.d/api-proxy.conf;
+
+        # Handle React Router
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        # Cache static assets
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+        }
+
+        # Security headers
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+    }
+}