This guide focuses on configuration concepts for the AI Landing Zone.
Important: This repository deploys using Bicep parameter files, not
`infra/main.parameters.json`.
- Primary parameters file: `infra/main.bicepparam`
- AI Landing Zone submodule parameters file (if you deploy it directly): `submodules/ai-landing-zone/bicep/infra/main.bicepparam`

Fabric options in this repo are configured in `infra/main.bicepparam` via:
- `fabricCapacityPreset` (`create` | `byo` | `none`)
- `fabricWorkspacePreset` (`create` | `byo` | `none`)
- BYO inputs: `fabricCapacityResourceId`, `fabricWorkspaceId`, `fabricWorkspaceName`
- Basic Parameters
- Deployment Toggles
- Network Configuration
- AI Foundry Configuration
- Individual Service Configuration
- Common Customization Examples
Type: string
Default: ${AZURE_LOCATION=eastus2}
Description: Azure region where all resources will be deployed.
"location": {
"value": "${AZURE_LOCATION=westus2}"
}
Set via azd:
azd env set AZURE_LOCATION westus2
Available regions (check AI service availability):
- eastus, eastus2, westus, westus2, centralus
- northeurope, westeurope
- australiaeast, southeastasia
Type: string
Default: ${AZURE_ENV_NAME}
Description: Base name used to generate resource names.
"baseName": {
"value": "${AZURE_ENV_NAME}"
}
Set via azd:
azd env new my-ai-app # baseName becomes "my-ai-app"
Results in resource names like:
- rg-my-ai-app
- kv-my-ai-app-xyz
- acr-my-ai-app-xyz
Type: object
Default: Environment-specific tags
Description: Tags applied to all resources.
"tags": {
"value": {
"azd-env-name": "${AZURE_ENV_NAME}",
"environment": "production",
"project": "ai-application",
"cost-center": "engineering",
"owner": "ai-team"
}
}
Each toggle controls whether a service is created. Set a toggle to true to deploy the service, or to false to skip it.
"deployToggles": {
"value": {
"logAnalytics": true, // Log Analytics Workspace
"appInsights": true, // Application Insights
"virtualNetwork": true // Virtual Network
}
}"cosmosDb": true, // Azure Cosmos DB
"keyVault": true, // Azure Key Vault
"searchService": true, // Azure AI Search
"storageAccount": true // Storage Account
When to disable:
- Using existing Cosmos DB: set cosmosDb: false + provide resourceIds.cosmosDbResourceId
- Using existing Key Vault: set keyVault: false + provide resourceIds.keyVaultResourceId
"containerEnv": true, // Container Apps Environment
"containerRegistry": true, // Azure Container Registry
"containerApps": false // Individual Container Apps
Note: containerApps: false means no apps are deployed, but the environment is ready.
"appConfig": false, // Azure App Configuration
"apiManagement": false, // API Management
"applicationGateway": false, // Application Gateway
"applicationGatewayPublicIp": false,
"firewall": false, // Azure Firewall
"buildVm": false, // Linux build VM
"jumpVm": false, // Windows jump box
"bastionHost": false, // Azure Bastion
"groundingWithBingSearch": false, // Bing Search Service
"wafPolicy": false // Web Application Firewall
When to enable:
- apiManagement: true - For API gateway and rate limiting
- applicationGateway: true - For load balancing and SSL termination
- firewall: true - For outbound traffic filtering
- bastionHost: true - For secure VM access
- buildVm: true - For CI/CD build agents
- jumpVm: true - For Windows-based management
"agentNsg": true, // NSG for agent/workload subnet
"peNsg": true, // NSG for private endpoints subnet
"acaEnvironmentNsg": true, // NSG for container apps subnet
"applicationGatewayNsg": false, // NSG for App Gateway subnet
"apiManagementNsg": false, // NSG for APIM subnet
"jumpboxNsg": false, // NSG for jumpbox subnet
"devopsBuildAgentsNsg": false, // NSG for build agents subnet
"bastionNsg": false // NSG for Bastion subnet
Rule: Enable the NSG toggle for every subnet you use; for example, if jumpVm is true, set jumpboxNsg to true as well.
Required when: deployToggles.virtualNetwork: true
"vNetDefinition": {
"value": {
"name": "vnet-ai-landing-zone",
"addressPrefixes": [
"10.0.0.0/16"
],
"subnets": [
{
"name": "snet-agents",
"addressPrefix": "10.0.1.0/24",
"role": "agents"
},
{
"name": "snet-private-endpoints",
"addressPrefix": "10.0.2.0/24",
"role": "private-endpoints"
},
{
"name": "snet-container-apps",
"addressPrefix": "10.0.3.0/23",
"role": "container-apps-environment"
}
]
}
}
| Role | Required | Purpose | Minimum Size |
|---|---|---|---|
| agents | ✅ Yes | Workload VMs, compute | /26 (64 IPs) |
| private-endpoints | ✅ Yes | Private endpoint NICs | /26 (64 IPs) |
| container-apps-environment | If containerEnv: true | Container Apps | /23 (512 IPs) |
| application-gateway | If applicationGateway: true | App Gateway | /27 (32 IPs) |
| api-management | If apiManagement: true | APIM | /27 (32 IPs) |
| jumpbox | If jumpVm: true | Jump VM | /28 (16 IPs) |
| bastion | If bastionHost: true | Azure Bastion | /26 (64 IPs) |
| devops-build-agents | If buildVm: true | Build VMs | /28 (16 IPs) |
"addressPrefixes": ["10.0.0.0/16"],
"subnets": [
{
"name": "snet-agents",
"addressPrefix": "10.0.1.0/26",
"role": "agents"
},
{
"name": "snet-private-endpoints",
"addressPrefix": "10.0.2.0/26",
"role": "private-endpoints"
}
]"addressPrefixes": ["10.0.0.0/16"],
"subnets": [
{
"name": "snet-agents",
"addressPrefix": "10.0.1.0/24",
"role": "agents"
},
{
"name": "snet-private-endpoints",
"addressPrefix": "10.0.2.0/24",
"role": "private-endpoints"
},
{
"name": "snet-container-apps",
"addressPrefix": "10.0.3.0/23",
"role": "container-apps-environment"
},
{
"name": "snet-app-gateway",
"addressPrefix": "10.0.5.0/27",
"role": "application-gateway"
},
{
"name": "snet-apim",
"addressPrefix": "10.0.6.0/27",
"role": "api-management"
},
{
"name": "snet-bastion",
"addressPrefix": "10.0.7.0/26",
"role": "bastion"
},
{
"name": "snet-jumpbox",
"addressPrefix": "10.0.8.0/28",
"role": "jumpbox"
},
{
"name": "snet-build-agents",
"addressPrefix": "10.0.9.0/28",
"role": "devops-build-agents"
}
]
Controls AI Foundry hub/project and model deployments.
"aiFoundryDefinition": {
"value": {
"includeAssociatedResources": true,
"aiFoundryConfiguration": {
"disableLocalAuth": false
},
"aiModelDeployments": [...]
}
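}
includeAssociatedResources
Type: boolean
Default: true
Description: Create dedicated AI Search, Cosmos DB, Key Vault, and Storage for AI Foundry.
Set to false if you want to use shared resources.
disableLocalAuth
Type: boolean
Default: false
Description: When true, key-based (local) authentication is disabled and Entra ID authentication is required. With the default of false, API keys are still accepted.
Set to true for maximum security in production.
aiModelDeployments
Array of OpenAI models to deploy.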
{
"name": "gpt-4o",
"model": {
"format": "OpenAI",
"name": "gpt-4o",
"version": "2024-08-06"
},
"sku": {
"name": "Standard",
"capacity": 10
}
}
// GPT-4o (latest)
{
"name": "gpt-4o",
"model": {"format": "OpenAI", "name": "gpt-4o", "version": "2024-08-06"},
"sku": {"name": "Standard", "capacity": 10}
}
// GPT-4o mini (cost-effective)
{
"name": "gpt-4o-mini",
"model": {"format": "OpenAI", "name": "gpt-4o-mini", "version": "2024-07-18"},
"sku": {"name": "Standard", "capacity": 10}
}
// GPT-4 Turbo
{
"name": "gpt-4-turbo",
"model": {"format": "OpenAI", "name": "gpt-4", "version": "turbo-2024-04-09"},
"sku": {"name": "Standard", "capacity": 10}
}
// GPT-3.5 Turbo
{
"name": "gpt-35-turbo",
"model": {"format": "OpenAI", "name": "gpt-35-turbo", "version": "0125"},
"sku": {"name": "Standard", "capacity": 10}
}
// text-embedding-3-small (recommended)
{
"name": "text-embedding-3-small",
"model": {"format": "OpenAI", "name": "text-embedding-3-small", "version": "1"},
"sku": {"name": "Standard", "capacity": 10}
}
// text-embedding-3-large (higher dimensions)
{
"name": "text-embedding-3-large",
"model": {"format": "OpenAI", "name": "text-embedding-3-large", "version": "1"},
"sku": {"name": "Standard", "capacity": 10}
}
// text-embedding-ada-002
{
"name": "text-embedding-ada-002",
"model": {"format": "OpenAI", "name": "text-embedding-ada-002", "version": "2"},
"sku": {"name": "Standard", "capacity": 10}
}
// DALL-E 3
{
"name": "dall-e-3",
"model": {"format": "OpenAI", "name": "dall-e-3", "version": "3.0"},
"sku": {"name": "Standard", "capacity": 1}
}
| Capacity | TPM (K) | Use Case |
|---|---|---|
| 1 | 1,000 | Development/testing |
| 10 | 10,000 | Small production |
| 50 | 50,000 | Medium production |
| 100 | 100,000 | Large production |
| 240 | 240,000 | Enterprise (max for Standard) |
Check quota:
az cognitiveservices account list-usage \
--name <account-name> \
--resource-group <rg-name>
"storageAccountDefinition": {
"value": {
"name": "stmyaiapp",
"sku": "Standard_LRS",
"allowBlobPublicAccess": false
}
}"keyVaultDefinition": {
"value": {
"name": "kv-myaiapp",
"enableRbacAuthorization": true,
"enablePurgeProtection": true,
"softDeleteRetentionInDays": 90
}
}"cosmosDbDefinition": {
"value": {
"name": "cosmos-myaiapp",
"sqlDatabases": [
{
"name": "chatdb",
"containers": [
{
"name": "conversations",
"partitionKeyPath": "/userId"
}
]
}
]
}
}"aiSearchDefinition": {
"value": {
"name": "search-myaiapp",
"sku": "standard",
"semanticSearch": "free"
}
}{
"location": {"value": "eastus2"},
"baseName": {"value": "dev-ai"},
"deployToggles": {
"value": {
"logAnalytics": true,
"appInsights": true,
"containerEnv": true,
"containerRegistry": true,
"cosmosDb": true,
"keyVault": true,
"storageAccount": true,
"searchService": true,
"virtualNetwork": true,
"agentNsg": true,
"peNsg": true,
"acaEnvironmentNsg": true,
// All others false
}
},
"aiFoundryDefinition": {
"value": {
"includeAssociatedResources": true,
"aiModelDeployments": [
{
"name": "gpt-4o-mini",
"model": {
"format": "OpenAI",
"name": "gpt-4o-mini",
"version": "2024-07-18"
},
"sku": {"name": "Standard", "capacity": 1}
}
]
}
}
}{
"location": {"value": "eastus2"},
"baseName": {"value": "prod-ai"},
"deployToggles": {
"value": {
"logAnalytics": true,
"appInsights": true,
"containerEnv": true,
"containerRegistry": true,
"cosmosDb": true,
"keyVault": true,
"storageAccount": true,
"searchService": true,
"virtualNetwork": true,
"apiManagement": true,
"applicationGateway": true,
"firewall": true,
"bastionHost": true,
"agentNsg": true,
"peNsg": true,
"acaEnvironmentNsg": true,
"apiManagementNsg": true,
"applicationGatewayNsg": true,
"bastionNsg": true
}
},
"aiFoundryDefinition": {
"value": {
"includeAssociatedResources": true,
"aiFoundryConfiguration": {
"disableLocalAuth": true
},
"aiModelDeployments": [
{
"name": "gpt-4o",
"model": {
"format": "OpenAI",
"name": "gpt-4o",
"version": "2024-08-06"
},
"sku": {"name": "Standard", "capacity": 100}
},
{
"name": "text-embedding-3-large",
"model": {
"format": "OpenAI",
"name": "text-embedding-3-large",
"version": "1"
},
"sku": {"name": "Standard", "capacity": 50}
}
]
}
}
}{
"deployToggles": {
"value": {
"logAnalytics": false, // Using existing
"keyVault": false, // Using existing
"virtualNetwork": false, // Using existing
// ... other services true
}
},
"resourceIds": {
"value": {
"logAnalyticsWorkspaceResourceId": "/subscriptions/.../Microsoft.OperationalInsights/workspaces/my-workspace",
"keyVaultResourceId": "/subscriptions/.../Microsoft.KeyVault/vaults/my-keyvault",
"virtualNetworkResourceId": "/subscriptions/.../Microsoft.Network/virtualNetworks/my-vnet"
}
}
}{
"aiFoundryDefinition": {
"value": {
"includeAssociatedResources": true,
"aiModelDeployments": [
{
"name": "gpt-4o",
"model": {"format": "OpenAI", "name": "gpt-4o", "version": "2024-08-06"},
"sku": {"name": "Standard", "capacity": 50}
},
{
"name": "gpt-4o-mini",
"model": {"format": "OpenAI", "name": "gpt-4o-mini", "version": "2024-07-18"},
"sku": {"name": "Standard", "capacity": 10}
},
{
"name": "text-embedding-3-small",
"model": {"format": "OpenAI", "name": "text-embedding-3-small", "version": "1"},
"sku": {"name": "Standard", "capacity": 20}
},
{
"name": "dall-e-3",
"model": {"format": "OpenAI", "name": "dall-e-3", "version": "3.0"},
"sku": {"name": "Standard", "capacity": 1}
}
]
}
}
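}
# Validate JSON syntax (only applies if you maintain a JSON parameters file; this repository's primary parameters file is infra/main.bicepparam)
cat infra/main.parameters.json | jq .
# Validate Bicep compilation
cd infra
az bicep build --file main.bicep
azd provision --what-if
az deployment group what-if \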
--resource-group <rg-name> \
--template-file infra/main.bicep \
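--parameters infra/main.parameters.json
- Parameter errors: Check JSON syntax with `jq`
- Deployment errors: Run with the `--debug` flag
- Quota errors: Check regional quotas with `az vm list-usage`
- Network errors: Verify CIDR ranges don't overlap and that each prefix starts on a boundary matching its mask (a /23 must start on an even third octet, so 10.0.3.0/23 is not a valid subnet prefix, while 10.0.2.0/23 or 10.0.4.0/23 is)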
📖 Deployment Guide: docs/DeploymentGuide.md