Merge pull request #47 from microsoft/shshr/ObservabilityUpdate

Update Agent Observability + Security Update for Container Apps Env

Author: shshr

infra/core/host/container-apps-environment.bicep

@@ -13,7 +13,10 @@ param logAnalyticsWorkspaceId string
 @description('Whether to enable zone redundancy')
 param zoneRedundant bool = false
 
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = {
+@description('The resource ID of the subnet for Container Apps infrastructure')
+param infrastructureSubnetId string
+
+resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' = {
   name: name
   location: location
   tags: tags
@@ -25,6 +28,16 @@ resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2023-05-01'
         sharedKey: listKeys(logAnalyticsWorkspaceId, '2021-12-01-preview').primarySharedKey
       }
     }
+    vnetConfiguration: {
+      internal: false // Must be false to have public IP address as per security requirements
+      infrastructureSubnetId: infrastructureSubnetId
+    }
+    workloadProfiles: [
+      {
+        name: 'Consumption'
+        workloadProfileType: 'Consumption'
+      }
+    ]
     zoneRedundant: zoneRedundant
   }
 }

infra/core/networking/nat-gateway.bicep

@@ -0,0 +1,50 @@
+@description('The name of the NAT gateway')
+param name string
+
+@description('The location for the NAT gateway')
+param location string = resourceGroup().location
+
+@description('The tags to apply to the NAT gateway')
+param tags object = {}
+
+@description('The name of the public IP address')
+param publicIpName string
+
+@description('Idle timeout in minutes for the NAT gateway')
+param idleTimeoutInMinutes int = 4
+
+resource publicIp 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
+  name: publicIpName
+  location: location
+  tags: tags
+  sku: {
+    name: 'Standard'
+    tier: 'Regional'
+  }
+  properties: {
+    publicIPAllocationMethod: 'Static'
+    publicIPAddressVersion: 'IPv4'
+  }
+}
+
+resource natGateway 'Microsoft.Network/natGateways@2023-09-01' = {
+  name: name
+  location: location
+  tags: tags
+  sku: {
+    name: 'Standard'
+  }
+  properties: {
+    publicIpAddresses: [
+      {
+        id: publicIp.id
+      }
+    ]
+    idleTimeoutInMinutes: idleTimeoutInMinutes
+  }
+}
+
+output natGatewayId string = natGateway.id
+output natGatewayName string = natGateway.name
+output publicIpId string = publicIp.id
+output publicIpAddress string = publicIp.properties.ipAddress

infra/core/networking/virtual-network.bicep

@@ -0,0 +1,62 @@
+@description('The name of the virtual network')
+param name string
+
+@description('The location for the virtual network')
+param location string = resourceGroup().location
+
+@description('The tags to apply to the virtual network')
+param tags object = {}
+
+@description('The address space for the virtual network')
+param addressSpace string = '10.0.0.0/16'
+
+@description('The name of the subnet for Container Apps')
+param subnetName string = 'container-apps-subnet'
+
+@description('The address prefix for the Container Apps subnet')
+param subnetAddressPrefix string = '10.0.0.0/23'
+
+@description('The resource ID of the NAT gateway to attach to the subnet')
+param natGatewayId string
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-09-01' = {
+  name: name
+  location: location
+  tags: tags
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        addressSpace
+      ]
+    }
+    subnets: [
+      {
+        name: subnetName
+        properties: {
+          addressPrefix: subnetAddressPrefix
+          natGateway: {
+            id: natGatewayId
+          }
+          serviceEndpoints: []
+          delegations: [
+            {
+              name: 'Microsoft.App.environments'
+              properties: {
+                serviceName: 'Microsoft.App/environments'
+              }
+              type: 'Microsoft.Network/virtualNetworks/subnets/delegations'
+            }
+          ]
+        }
+        type: 'Microsoft.Network/virtualNetworks/subnets'
+      }
+    ]
+    virtualNetworkPeerings: []
+    enableDdosProtection: false
+  }
+}
+
+output vnetId string = virtualNetwork.id
+output vnetName string = virtualNetwork.name
+output subnetId string = virtualNetwork.properties.subnets[0].id
+output subnetName string = subnetName

infra/main.bicep

@@ -195,7 +195,31 @@ module containerRegistry './core/host/container-registry.bicep' = {
   }
 }
 
-// Create Container Apps Environment
+// Create NAT Gateway with public IP for Container Apps
+module natGateway './core/networking/nat-gateway.bicep' = {
+  name: 'nat-gateway'
+  scope: rg
+  params: {
+    name: '${abbrs.networkNatGateways}${resourceToken}'
+    location: location
+    tags: tags
+    publicIpName: '${abbrs.networkPublicIPAddresses}${resourceToken}'
+  }
+}
+
+// Create Virtual Network with subnet for Container Apps
+module virtualNetwork './core/networking/virtual-network.bicep' = {
+  name: 'virtual-network'
+  scope: rg
+  params: {
+    name: '${abbrs.networkVirtualNetworks}${resourceToken}'
+    location: location
+    tags: tags
+    natGatewayId: natGateway.outputs.natGatewayId
+  }
+}
+
+// Create Container Apps Environment with subnet and NAT gateway
 module containerAppsEnvironment './core/host/container-apps-environment.bicep' = {
   name: 'container-apps-environment'
   scope: rg
@@ -204,6 +228,7 @@ module containerAppsEnvironment './core/host/container-apps-environment.bicep' =
     location: location
     tags: tags
     logAnalyticsWorkspaceId: monitoring.outputs.logAnalyticsWorkspaceId
+    infrastructureSubnetId: virtualNetwork.outputs.subnetId
   }
 }
 
@@ -352,6 +377,13 @@ output FRONTEND_URL string = staticWebApp.outputs.uri
 output AZURE_CONTAINER_REGISTRY_ENDPOINT string = containerRegistry.outputs.loginServer
 output AZURE_CONTAINER_REGISTRY_NAME string = containerRegistry.outputs.name
 
+// Network infrastructure outputs
+output VIRTUAL_NETWORK_ID string = virtualNetwork.outputs.vnetId
+output VIRTUAL_NETWORK_NAME string = virtualNetwork.outputs.vnetName
+output SUBNET_ID string = virtualNetwork.outputs.subnetId
+output NAT_GATEWAY_ID string = natGateway.outputs.natGatewayId
+output PUBLIC_IP_ADDRESS string = natGateway.outputs.publicIpAddress
+
 @secure()
 output AZURE_AI_FOUNDRY_RESOURCE_GROUP string = azureAiFoundryResourceGroup
 @secure()

src/backend/common/agent_factory/agent_base.py

@@ -48,7 +48,7 @@ async def get_instance(cls: Type[T], logger: AppLogger, tracer_provider: AppTrac
 
             async with cls._locks[cls]:
                 if cls not in cls._instances:
-                    cls._instances[cls] = cls(logger)
+                    cls._instances[cls] = cls(logger, tracer_provider)
 
         return cls._instances[cls]
 
@@ -156,10 +156,7 @@ async def run(
         if tools and isinstance(tools, MCPStreamableHTTPTool):
             use_async_context = True
 
-        with self._tracer_provider.trace_agent_run(
-            session_id=session_id,
-            agent_name=self._agent.name
-        ):
+        with self._tracer_provider.trace_agent_run(session_id=session_id, agent_name=self._agent.name):
             if use_async_context:
                 async with tools:
                     agent_response = await self._agent.run(
@@ -168,7 +165,7 @@ async def run(
                         tools=tools,
                         response_format=response_format,
                         max_tokens=runtime_configuration.max_completion_tokens,
-                        model=runtime_configuration.model,
+                        model_id=runtime_configuration.model,
                         temperature=runtime_configuration.temperature,
                         top_p=runtime_configuration.top_p,
                         **kwargs
@@ -181,7 +178,7 @@ async def run(
                     tools=tools,
                     response_format=response_format,
                     max_tokens=runtime_configuration.max_completion_tokens,
-                    model=runtime_configuration.model,
+                    model_id=runtime_configuration.model,
                     temperature=runtime_configuration.temperature,
                     top_p=runtime_configuration.top_p,
                     **kwargs

src/backend/common/telemetry/__init__.py

@@ -0,0 +1,12 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+from .app_logger import AppLogger
+from .app_tracer_provider import AppTracerProvider
+from .log_classes import LogProperties
+
+__all__ = [
+    "AppLogger",
+    "AppTracerProvider",
+    "LogProperties"
+]

src/backend/common/telemetry/app_logger.py

@@ -7,13 +7,13 @@
 from azure.monitor.opentelemetry.exporter import AzureMonitorLogExporter
 from opentelemetry.sdk._logs import LoggerProvider, LoggingHandler
 from opentelemetry.sdk._logs.export import BatchLogRecordProcessor
-from opentelemetry.sdk.resources import Resource, ResourceAttributes
+from opentelemetry.sdk.resources import Resource
 from opentelemetry._logs import set_logger_provider
 
 
 from common.telemetry.log_classes import LogProperties
 
-resource = Resource.create({ResourceAttributes.SERVICE_NAME: "telemetry"})
+DEFAULT_RESOURCE = Resource.create({"resource.name": "telemetry"})
 
 class LogEvent(Enum):
     REQUEST_RECEIVED = "Request.Received"
@@ -28,40 +28,86 @@ class ConsoleLogFilter(logging.Filter):
     def __init__(self):
         super().__init__()
         self.base_dir = os.path.abspath(os.path.join(__file__, "..", ".."))
+
         # Define allowed third-party loggers (only show WARNING and above)
         self.allowed_third_party = [
             "semantic_kernel",
-            "agent_framework", 
+            "agent_framework",
             "azure_mcp"
         ]
-    
+
     def filter(self, record):
         # Always allow logs from our application
         if os.path.abspath(record.pathname).startswith(self.base_dir):
             return True
-        
+
         # For third-party libraries, only show WARNING and above to reduce noise
         for allowed in self.allowed_third_party:
             if record.name.startswith(allowed):
                 return record.levelno >= logging.WARNING
-        
+
         # Filter out everything else
         return False
 
 class AppLogger:
-    def __init__(self, connection_string: str):
-        self.connection_string = connection_string
+    def __init__(self, connection_string: str = None, logger: logging.Logger = None, resource: Resource = None):
+        """
+        Initialize AppLogger with either a connection string or an existing logger.
 
-        logging.getLogger("azure.identity").setLevel(logging.WARNING)
-        logging.getLogger("azure.core.pipeline.policies").setLevel(logging.WARNING)
-        logging.getLogger("azure.monitor.opentelemetry.exporter.export").setLevel(logging.WARNING)
+        Args:
+            connection_string: Azure Monitor connection string for telemetry (optional if logger is provided)
+            logger: Existing logger instance to wrap (optional if connection_string is provided)
+            resource: Resource describing the service (optional)
+        """
+        if logger is not None:
+            # Initialize from existing logger
+            self.connection_string = connection_string
+            self.logger = logger
+            self.logger_provider = LoggerProvider(resource or DEFAULT_RESOURCE)
+            self._from_existing_logger = True
+
+            self.logger.setLevel(logging.INFO)
+
+            # Set up third-party logger levels
+            logging.getLogger("azure.identity").setLevel(logging.WARNING)
+            logging.getLogger("azure.core.pipeline.policies").setLevel(logging.WARNING)
+            logging.getLogger("azure.monitor.opentelemetry.exporter.export").setLevel(logging.WARNING)
+
+            # Only initialize Azure Monitor if connection string is provided
+            if connection_string:
+                self.initialize_loggers()
+        else:
+            # Original initialization path
+            if connection_string is None:
+                raise ValueError("Either connection_string or logger must be provided")
+
+            self.connection_string = connection_string
+            self._from_existing_logger = False
+
+            logging.getLogger("azure.identity").setLevel(logging.WARNING)
+            logging.getLogger("azure.core.pipeline.policies").setLevel(logging.WARNING)
+            logging.getLogger("azure.monitor.opentelemetry.exporter.export").setLevel(logging.WARNING)
+
+            self.logger = logging.getLogger()
+            self.logger.setLevel(logging.INFO)
+            self.logger_provider = LoggerProvider(resource)
+
+            self.initialize_loggers()
+
+    @classmethod
+    def from_logger(cls, logger: logging.Logger, connection_string: str = None, resource: Resource = None) -> "AppLogger":
+        """
+        Create an AppLogger instance from an existing logger.
 
-        self.logger = logging.getLogger()
-        self.logger.setLevel(logging.INFO)
-        self.logger_provider = LoggerProvider(resource)
+        Args:
+            logger: Existing logger instance to wrap
+            connection_string: Optional Azure Monitor connection string for telemetry
+
+        Returns:
+            AppLogger instance that wraps the provided logger
+        """
+        return cls(connection_string=connection_string, logger=logger, resource=resource)
 
-        self.initialize_loggers()
-        
     def initialize_loggers(self):
         if self.connection_string:
             if not any(
@@ -73,7 +119,7 @@ def initialize_loggers(self):
                 self.handler = LoggingHandler()
                 self.logger.addHandler(self.handler)
 
-        # add console logger if it is not already added by another instance of CustomLogger
+        # Only add console handler if we're not using an existing logger or if no StreamHandler exists
         if not any(
             isinstance(handler, logging.StreamHandler)
             for handler in self.logger.handlers
@@ -85,7 +131,9 @@ def initialize_loggers(self):
             console_handler.setLevel(log_level)
             console_handler.addFilter(ConsoleLogFilter())
             self.logger.addHandler(console_handler)
-        set_logger_provider(self.logger_provider)
+
+        if not self._from_existing_logger:
+            set_logger_provider(self.logger_provider)
 
     def info(self, message:str, properties: dict = None):
         self.logger.info(message)