Add Support for Azure Virtual Networks and Private Endpoints

[eerhardt]

In order to have as secure as possible applications, it is recommended to use network isolation for critical resources.

To support this, Aspire's Azure integrations should support explicit modeling of Virtual Networks and Private Endpoints as a lower-level primitive. Once we have the low-level primitives in place, we can build higher-level convenience APIs for having default network isolation without explicit modeling.

For this first version, we should have:

• Virtual Networks
• Subnets
• NetworkSecurityGroups
• Private Endpoints

[afscrome]

Does this supersede #13063?

[eerhardt]

Does this supersede #13063?

No. This is more like "foundational support for #13063". Mostly taking "Scenario 1" out into its own issue that can be tracked and closed when it is complete.

[Waleed-KH]

Is this going to give us the ability to create VNet / Private Endpoints and integrate it with Azure resources in the AppHost?, e.g.:

var builder = DistributedApplication.CreateBuilder(args);

// Provisioning VNet for network isolation
var vnet = builder.AddAzureVNet("vnet1", addressSpace: "10.0.0.0/16");
var acaSubnet = vnet.AddSubnet("subnet-aca", addressPrefix: "10.0.1.0/24");
var dbSubnet = vnet.AddSubnet("subnet-db", addressPrefix: "10.0.2.0/24");

builder.AddAzureContainerAppEnvironment("aca-env")
	.WithVNetSubnet(acaSubnet); // Link the container environment to a dedicated subnet

var postgres = builder.AddAzurePostgresFlexibleServer("postgres") // Or CosmosDB, Storage, Service Bus ...
	.WithPrivateEndpoint("postgres-ep", dbSubnet);

// Now resources & containers can communicate without public exposure 

Or is it going to be managed internally by Aspire, and to customize it, will need to use ConfigureInfrastructure?

[davidfowl]

Both, we'll start with manual then we'll design something more integrated later.