Revert "fix: resolve nginx 405 on POST and CAE internal mode issues"

This reverts commit 8c0985c.

Author: Ashwal-Microsoft

infra/main.bicep

@@ -931,8 +931,8 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.13.2' = {
       }
     ]
     enableTelemetry: enableTelemetry
-    publicNetworkAccess: 'Enabled'
-    internal: false
+    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    internal: enablePrivateNetworking ? true : false
 
     // <========== WAF related parameters
 
@@ -945,6 +945,34 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.13.2' = {
   }
 }
 
+// ========== Private DNS Zone for internal Container App Environment ========== //
+// When the CAE is internal, its FQDN is resolvable only within the VNet via this zone.
+module caeDnsZone 'br/public:avm/res/network/private-dns-zone:0.8.0' = if (enablePrivateNetworking) {
+  name: take('avm.res.network.private-dns-zone.cae.${solutionSuffix}', 64)
+  params: {
+    name: avmContainerAppEnv.outputs.defaultDomain
+    tags: tags
+    enableTelemetry: enableTelemetry
+    a: [
+      {
+        name: '*'
+        aRecords: [
+          {
+            ipv4Address: avmContainerAppEnv.outputs.staticIp
+          }
+        ]
+        ttl: 300
+      }
+    ]
+    virtualNetworkLinks: [
+      {
+        name: take('vnetlink-vnet-${solutionSuffix}-cae', 64)
+        virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
+      }
+    ]
+  }
+}
+
 // //=========== Managed Identity for Container Registry ========== //
 module avmContainerRegistryReader 'br/public:avm/res/managed-identity/user-assigned-identity:0.5.0' = {
   name: take('avm.res.managed-identity.user-assigned-identity.${solutionSuffix}', 64)
@@ -1943,8 +1971,5 @@ output CONTAINER_REGISTRY_LOGIN_SERVER string = avmContainerRegistry.outputs.log
 @description('The name of the Content Understanding AI Services account.')
 output CONTENT_UNDERSTANDING_ACCOUNT_NAME string = avmAiServices_cu.outputs.name
 
-@description('Whether private networking (WAF) is enabled.')
-output ENABLE_PRIVATE_NETWORKING bool = enablePrivateNetworking
-
 @description('The resource group the resources were deployed into.')
 output AZURE_RESOURCE_GROUP string = resourceGroup().name

infra/main_custom.bicep

@@ -934,8 +934,8 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.13.2' = {
       }
     ]
     enableTelemetry: enableTelemetry
-    publicNetworkAccess: 'Enabled'
-    internal: false
+    publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
+    internal: enablePrivateNetworking ? true : false
 
     // <========== WAF related parameters
 
@@ -948,6 +948,34 @@ module avmContainerAppEnv 'br/public:avm/res/app/managed-environment:0.13.2' = {
   }
 }
 
+// ========== Private DNS Zone for internal Container App Environment ========== //
+// When the CAE is internal, its FQDN is resolvable only within the VNet via this zone.
+module caeDnsZone 'br/public:avm/res/network/private-dns-zone:0.8.0' = if (enablePrivateNetworking) {
+  name: take('avm.res.network.private-dns-zone.cae.${solutionSuffix}', 64)
+  params: {
+    name: avmContainerAppEnv.outputs.defaultDomain
+    tags: tags
+    enableTelemetry: enableTelemetry
+    a: [
+      {
+        name: '*'
+        aRecords: [
+          {
+            ipv4Address: avmContainerAppEnv.outputs.staticIp
+          }
+        ]
+        ttl: 300
+      }
+    ]
+    virtualNetworkLinks: [
+      {
+        name: take('vnetlink-vnet-${solutionSuffix}-cae', 64)
+        virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
+      }
+    ]
+  }
+}
+
 // //=========== Managed Identity for Container Registry ========== //
 module avmContainerRegistryReader 'br/public:avm/res/managed-identity/user-assigned-identity:0.5.0' = {
   name: take('avm.res.managed-identity.user-assigned-identity.${solutionSuffix}', 64)
@@ -1984,8 +2012,5 @@ output AZURE_CONTAINER_REGISTRY_ENDPOINT string = avmContainerRegistry.outputs.l
 @description('The name of the Content Understanding AI Services account.')
 output CONTENT_UNDERSTANDING_ACCOUNT_NAME string = avmAiServices_cu.outputs.name
 
-@description('Whether private networking (WAF) is enabled.')
-output ENABLE_PRIVATE_NETWORKING bool = enablePrivateNetworking
-
 @description('The resource group the resources were deployed into.')
 output AZURE_RESOURCE_GROUP string = resourceGroup().name

infra/scripts/post_deployment.ps1

@@ -50,26 +50,11 @@ Write-Host "  [Link] Portal URL: $WORKFLOW_APP_PORTAL_URL"
 
 Write-Host ""
 Write-Host "[Package] Registering schemas and creating schema set..."
-
-# Check if private networking (WAF) is enabled
-$ENABLE_PRIVATE_NETWORKING = $null
-try {
-    $ENABLE_PRIVATE_NETWORKING = azd env get-value ENABLE_PRIVATE_NETWORKING 2>$null
-} catch { }
-
-# When private networking is enabled, the API is internal-only (ingressExternal=false).
-# Use the web app's /api proxy to reach the backend through same-origin routing.
-if ($ENABLE_PRIVATE_NETWORKING -eq "true") {
-    Write-Host "  [Info] Private networking (WAF) is enabled. Using web app /api proxy to reach backend."
-    $ApiBaseUrl = "https://$CONTAINER_WEB_APP_FQDN/api"
-} else {
-    $ApiBaseUrl = "https://$CONTAINER_API_APP_FQDN"
-}
-
 Write-Host "  [Wait] Waiting for API to be ready..."
 
 $MaxRetries = 10
 $RetryInterval = 15
+$ApiBaseUrl = "https://$CONTAINER_API_APP_FQDN"
 $ApiReady = $false
 
 for ($i = 1; $i -le $MaxRetries; $i++) {

infra/scripts/post_deployment.sh

@@ -60,23 +60,11 @@ echo "  🔗 Portal URL: $WORKFLOW_APP_PORTAL_URL"
 
 echo ""
 echo "📦 Registering schemas and creating schema set..."
-
-# Check if private networking (WAF) is enabled
-ENABLE_PRIVATE_NETWORKING=$(azd env get-value ENABLE_PRIVATE_NETWORKING 2>/dev/null || echo "")
-
-# When private networking is enabled, the API is internal-only (ingressExternal=false).
-# Use the web app's /api proxy to reach the backend through same-origin routing.
-if [ "$ENABLE_PRIVATE_NETWORKING" = "true" ]; then
-  echo "  ℹ️  Private networking (WAF) is enabled. Using web app /api proxy to reach backend."
-  API_BASE_URL="https://$CONTAINER_WEB_APP_FQDN/api"
-else
-  API_BASE_URL="https://$CONTAINER_API_APP_FQDN"
-fi
-
 echo "  ⏳ Waiting for API to be ready..."
 
 MAX_RETRIES=10
 RETRY_INTERVAL=15
+API_BASE_URL="https://$CONTAINER_API_APP_FQDN"
 
 for i in $(seq 1 $MAX_RETRIES); do
   STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$API_BASE_URL/schemavault/" 2>/dev/null || echo "000")

src/ContentProcessorWeb/env.sh

@@ -1,10 +1,4 @@
 #!/bin/sh
-
-# Ensure APP_BACKEND_API_URL has a safe default so nginx can always start.
-# When not set, the /api/ proxy_pass will point to a non-routable placeholder
-# and return 502, which is acceptable — the direct API path still works.
-export APP_BACKEND_API_URL="${APP_BACKEND_API_URL:-http://localhost:8080}"
-
 for i in $(env | grep ^APP_)
 do
     key=$(echo $i | cut -d '=' -f 1)

src/ContentProcessorWeb/nginx-custom.conf

@@ -14,28 +14,19 @@ http {
     types_hash_max_size 2048;
     types_hash_bucket_size 128;
 
-    # Allow large file uploads through the /api proxy
-    client_max_body_size 100m;
-
     server {
         listen 3000;
         server_name localhost;
 
         # Route browser API calls through the web container so private backend
         # endpoints remain internal-only in WAF/private networking deployments.
-        # APP_BACKEND_API_URL is substituted at runtime by env.sh; if unset, this
-        # block is effectively a no-op (returns 502) which is safe for nginx startup.
         location /api/ {
             proxy_http_version 1.1;
-            proxy_set_header Host $proxy_host;
-            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
-            proxy_connect_timeout 60s;
-            proxy_send_timeout 120s;
-            proxy_read_timeout 120s;
             proxy_pass APP_BACKEND_API_URL/;
         }