Help & Getting Started

A step-by-step guide to understanding, selecting, and deploying Azure AI patterns. From prerequisites to production - everything you need to get started.

User Guide

What Is This Portal?

This portal provides seven enterprise-grade architectural blueprints for deploying AI workloads on Microsoft Azure. Each pattern includes:

Architecture diagrams - Mermaid-based visual reference
Bill of Materials - Every Azure service, SKU, and Bicep type
Cost estimates - Live pricing from Azure Retail API
SLA & WAF scores - Composite SLA and Well-Architected alignment
Deployment specs - GitHub Actions workflow + Bicep structure
RBAC requirements - Exact roles needed on Azure & GitHub
Three Core Sections
AI Patterns

7 architectural blueprints with full BOM, costs, SLA, comparison tables, and one-click deployment spec generation.

View Patterns
Landing Zone

CAF-aligned landing zone design with hub-spoke networking, subnet planning, governance, and a decision tree.

View Landing Zone
Education AI

Education vertical with 3 IQ engines, AI Academic Advisor, Dropout Predictor, and Learning Planner.

View Education

Prerequisites

Before deploying any pattern, ensure you have the following set up:

Azure Account
  • Active Azure subscription with sufficient spending limit
  • Azure OpenAI access - must be requested and approved
  • RBAC Role: Owner or Contributor + User Access Administrator on the subscription
  • Resource providers registered: Microsoft.CognitiveServices, Microsoft.Search, Microsoft.KeyVault
  • Quota: Check Azure Quota page for OpenAI TPM and GPU limits
GitHub Account
  • GitHub account with repository write access
  • GitHub Actions enabled on the target repository
  • Repository secret: AZURE_CREDENTIALS - Service Principal JSON
    {
      "clientId": "<sp-app-id>",
      "clientSecret": "<sp-secret>",
      "subscriptionId": "<sub-id>",
      "tenantId": "<tenant-id>"
    }
  • Create a Service Principal via:
    az ad sp create-for-rbac --name "sp-ai-deploy" --role Contributor --scopes /subscriptions/<sub-id>
Local Development
  • VS Code 1.85+ - Download
  • Azure CLI 2.60+ - az --version to check, then az login
  • Bicep CLI - az bicep install (or via VS Code extension)
  • Git - configured with push access to GitHub
  • Node.js 18+ (optional) - for Azure Functions patterns
VS Code Extensions
Requiredms-azuretools.vscode-bicepBicep language
Requiredms-vscode.azure-accountAzure sign-in
Recommendedms-azuretools.vscode-azureresourcegroupsResource explorer
RecommendedGitHub.copilotAI-assisted coding
Optionalhashicorp.terraformTerraform support
Optionalms-python.pythonPython for ML patterns

How to Choose a Pattern

Use this decision guide to pick the right architectural pattern for your scenario:

If You Need...ChooseWhyEst. Cost
Shared AI for the whole org, lowest costPattern 1 - Centralized HubSingle OpenAI behind APIM; central governance~$3,723/mo
Team-level data isolation, autonomyPattern 2 - Decentralized SpokeSeparate subscriptions & VNets per team~$7,360/mo
Shared models + team-specific RAGPattern 3 - Hybrid Central-SpokeCentral AOAI via APIM + spoke ML endpoints~$5,685/mo
Full ML lifecycle: train → deploy → monitorPattern 4 - AI Factory / MLOpsAzure ML workspace with CI/CD pipelines~$6,120/mo
Fast PoC, hackathon, minimal infraPattern 5 - Serverless AIFunctions + Logic Apps; no VNet, pay-per-use~$890/mo
Regulated data (HIPAA, PCI), zero trustPattern 6 - Secure Private AIFully private VNet, Firewall Premium, HSM~$10,240/mo
Data-heavy: Databricks, Synapse, FabricPattern 7 - Data-Centric LakehouseMedallion architecture + vector search~$8,350/mo
Tip: Use the Landing Zone Decision Tree for an interactive flowchart to guide your selection based on security, team structure, and data requirements.

Step-by-Step Deployment Guide

1
Select Your Pattern

Browse the 7 Patterns on the home page. Click any pattern card to see its overview, or click "View Full Details" to see the complete architecture diagram, BOM table, and service breakdown.

Compare patterns side-by-side using the Comparison Table - it shows service count, SLA, cost, and networking model for all 7 patterns.
2
Review the Architecture

Each pattern detail page includes:

  • Mermaid architecture diagram - visual flow of all services and connections (click Enlarge for fullscreen view)
  • Bill of Materials table - every Azure service, SKU, monthly cost, and Bicep resource type
  • Service breakdown cards - deep-dive into each service's role, configuration, and security posture
  • Security considerations - networking, encryption, RBAC, private endpoints
  • Use cases & constraints - when to use and when to avoid this pattern
3
Generate a Deployment Spec

Click the Generate Deployment Spec button inside any pattern modal or detail page. This opens a form where you provide:

GitHub Info
  • Organization / Username
  • Repository name
  • Branch (default: main)
  • Target folder path (default: infra/patternN)
Azure Info
  • Subscription ID
  • Region (default: Canada Central)
  • Resource group name (auto-generated)
  • Environment (dev / staging / prod)

The spec auto-fills pattern-specific defaults for folder path and resource group name.

4
Download & Deploy

The generator produces three downloadable artifacts:

Spec Sheet (.md)

Full deployment spec with BOM, RBAC, checklist, and file structure

Workflow (.yml)

GitHub Actions CI/CD pipeline with validate → deploy stages

Clipboard

One-click copy to paste the spec into a GitHub issue or PR

5
Create Your Bicep Files

Using the generated file structure as a guide, create your Bicep modules:

infra/pattern1/
â"œâ"€â"€ main.bicep                  # Main orchestrator
â"œâ"€â"€ parameters.dev.bicepparam   # Dev parameters
â"œâ"€â"€ parameters.prod.bicepparam  # Prod parameters
â"œâ"€â"€ modules/
â",   â"œâ"€â"€ openai.bicep            # Azure OpenAI + model deployments
â",   â"œâ"€â"€ search.bicep            # Azure AI Search
â",   â"œâ"€â"€ keyvault.bicep          # Key Vault with RBAC
â",   â"œâ"€â"€ monitoring.bicep        # Log Analytics + App Insights
â",   â"œâ"€â"€ storage.bicep           # Storage Account(s)
â",   â"œâ"€â"€ networking.bicep        # VNet, subnets, NSGs, PEs
â",   â""â"€â"€ rbac.bicep              # Role assignments
â""â"€â"€ .github/workflows/
    â""â"€â"€ deploy-pattern1.yml     # CI/CD workflow
Pro Tip: Use GitHub Copilot in VS Code to scaffold Bicep modules. Type a comment like // Azure OpenAI with S0 SKU and private endpoint and Copilot will generate the resource definition.
6
Push & Watch It Deploy

Commit your Bicep files and the GitHub Actions workflow, then push to trigger the pipeline:

git add infra/ .github/
git commit -m "Add Pattern 1 infrastructure"
git push origin main

The workflow will: validate Biceprun what-ifcreate resource groupdeploy resourcesverify deployment.

Using the Landing Zone Guide

The Landing Zone Architecture page provides an enterprise foundation before deploying any AI pattern. Here's how to use it:

Understand the CAF Hierarchy

Review the Management Group structure - Root → Platform / Landing Zones / Sandbox. The AI & ML management group sits under Landing Zones with Prod and NonProd subscriptions. This enables AI-specific Azure Policies, quota isolation, and cost tracking.

Design Your Network

Use the Hub-Spoke topology diagram and Subnet Design table to plan your VNet layout. The AI spoke VNet (10.10.0.0/16) needs subnets for: AI services, private endpoints, compute (AKS/Databricks), data, and management.

Use the Decision Tree

The interactive Decision Tree asks questions about security, team structure, and data needs to recommend the right pattern + landing zone type. Follow the flowchart to find your best match.

Complete the Checklist

The 24-item deployment checklist covers Foundation, Networking, Security & Identity, and AI-specific readiness. Check off each item as you set up your landing zone - it's divided into 4 categories for easy tracking.

Using the Education Platform

The Education Platform is a specialized AI vertical for higher education institutions. Here's how to navigate it:

Three AI Crawler Engines
Work IQ

Crawls LMS data (Canvas, Moodle, Blackboard), student interactions, assignment submissions, and engagement signals to build a behavioral profile per student.

Foundry IQ

Indexes institutional knowledge: course catalogs, policies, research publications, faculty expertise, and accreditation documents for RAG retrieval.

Fabric IQ

Aggregates analytics: GPA trends, course outcomes, graduation rates, retention metrics, and institutional benchmarks for data-driven decisions.

Three AI Applications
AI Academic Advisor
  • Conversational chatbot for course guidance
  • Policy Q&A with RAG over Foundry IQ data
  • Career mapping based on major + electives
  • Prerequisite chain visualization
  • Uses: Azure OpenAI + AI Search + Cosmos DB
Dropout Risk Predictor
  • ML model trained on Work IQ + Fabric IQ features
  • 4-tier risk scoring: Low / Moderate / High / Critical
  • Early warning alerts to advisors
  • Intervention recommendations
  • Uses: Azure ML + AutoML + Power BI
Learning Planner
  • Personalized semester-by-semester schedule
  • Adaptive plans based on GPA & workload
  • Summer/intersession optimization
  • Pre-med / pre-law / honors track support
  • Uses: Azure OpenAI + Cosmos DB + Functions

Deploy Spec Generator - Detailed Walkthrough

The deployment spec generator creates a complete infrastructure-as-code plan tailored to your chosen pattern. Here's a detailed walkthrough:

There are two ways to open it:

  • From the home page: Click any pattern card → in the modal, click the green "Generate Deployment Spec" button at the bottom
  • From a pattern detail page: Scroll to the green "Ready to Deploy This Pattern?" section and click the button

The generator will auto-detect which pattern you're viewing and pre-fill the pattern-specific defaults.

The form has two sections:

All fields have sensible defaults - you can generate a spec without filling in anything. Override only what you need:

FieldDefaultDescription
GitHub Org / Usernamemy-orgYour GitHub organization or personal username
Repository Nameazure-ai-patternNJust the repo name (not the full URL)
BranchmainTarget branch for the workflow trigger
Target Folder Pathinfra/patternNWhere the Bicep files will live
Subscription ID00000000-...Azure subscription GUID - replace with yours
RegionCanada CentralAzure region for deployment
Resource Grouprg-ai-<env>-<region>-001CAF-compliant name auto-generated
EnvironmentProductionAffects naming and parameter files

The right side of the generator form shows exactly what you need before deploying:

  • Azure RBAC Roles - Owner/Contributor, Cognitive Services Contributor, Network Contributor, etc.
  • GitHub Requirements - Write access, Actions enabled, AZURE_CREDENTIALS secret
  • VS Code Extensions - Bicep, Azure Account, Azure CLI 2.60+
  • Quota Pre-Checks - OpenAI access, GPU quota, TPM/RPM limits, PE limits

These are specific to each pattern - Pattern 6 (Secure) will show HSM roles; Pattern 4 (MLOps) will show ML-specific roles.

Click "Generate Deployment Spec Sheet". The output follows a logical Microsoft CAF lifecycle across 6 phases and 15 sections:

Phase 1 - CAF Ready: Landing Zone Foundation
  1. Target Environment - subscription, region, resource group, GitHub repo, and CAF management group hierarchy
  2. CAF Resource Naming Convention - auto-generated names using <abbreviation>-<workload>-<env>-<region>-<instance> (CAF reference)
  3. CAF Tagging Strategy - 6 required + 6 recommended tags, tags.bicep module, and Azure Policy JSON (CAF reference)
Phase 2 - CAF Adopt: Resource Provisioning
  1. Azure Services BOM - full Bill of Materials with SKUs, Bicep resource types, model deployments, and network topology
  2. Network & Connectivity - topology, private DNS, NSG rules, firewall, and forced tunneling guidance
Phase 3 - CAF Secure: Identity, Security & Compliance
  1. Identity & Access Management - RBAC roles, Managed Identities, Zero Trust principles
  2. Data Protection & Encryption - encryption at rest/transit, Key Vault, compliance frameworks, Azure Policy
  3. GitHub & DevOps Access - repo access, OIDC credentials, branch protection
Phase 4 - CAF Manage: Operations & Resilience
  1. Monitoring & Diagnostics - Log Analytics, alerts, dashboards
  2. High Availability - HA strategy, composite SLA calculation with per-service breakdown
  3. Disaster Recovery - DR strategy, RPO/RTO targets, failover checklist
Phase 5 - CAF Govern: Cost Management
  1. Cost Management - budget alerts, optimization best practices, VS Code tooling
Phase 6 - Deployment Execution
  1. Pre-Deployment Checklist - 25+ items across Azure, governance, networking, security, and DevOps readiness
  2. GitHub Actions CI/CD Workflow - validate → deploy pipeline YAML with CAF tags
  3. Bicep File Structure - modules for tags, identity, networking, monitoring, policies, and tests

The spec ends with a CAF Alignment Summary table mapping each CAF pillar (Strategy, Plan, Ready, Adopt, Govern, Manage, Secure) to its corresponding sections.

Tools & Services Reference

Azure OpenAI Service

The core of every pattern - provides GPT-4o, text-embedding-3-large, and other models.

Documentation →
Azure AI Search

Vector + keyword hybrid search for RAG patterns. Indexes documents for retrieval.

Documentation →
API Management

Gateway for centralized patterns (1, 3). Rate limiting, auth, caching, load balancing.

Documentation →
Key Vault / Managed HSM

Secure key, secret, and certificate storage. HSM for regulated patterns (6).

Documentation →
Azure Machine Learning

End-to-end ML platform for training, deployment, MLOps. Pattern 3, 4, 7.

Documentation →
Azure Firewall Premium

TLS inspection, threat intel, application rules. Patterns 2, 3, 6.

Documentation →

Troubleshooting

ProblemSolution
Azure OpenAI quota exceeded
429 Too Many Requests
  • Check your TPM (Tokens Per Minute) quota in Azure Portal → Azure OpenAI → Deployment → Quotas
  • Request a quota increase or use Provisioned Throughput (PTU) for guaranteed capacity
  • For Pattern 1/3, use APIM rate limiting to distribute load
Private Endpoint DNS not resolving
  • Ensure Private DNS Zone is linked to the Hub VNet (Connectivity sub)
  • Verify DNS proxy is enabled on Azure Firewall
  • Check nslookup <service>.privatelink.openai.azure.com resolves to private IP
  • For on-prem resolution, configure DNS Private Resolver forwarding rules
Bicep deployment fails
DeploymentFailed
  • Run az bicep build --file main.bicep locally to check syntax
  • Use az deployment group what-if before deploying to see planned changes
  • Check resource provider registration: az provider register --namespace Microsoft.CognitiveServices
  • Verify naming conventions - some resources (Storage, ACR) require globally unique names
GitHub Actions workflow fails
  • Verify AZURE_CREDENTIALS secret is correctly formatted JSON
  • Check Service Principal hasn't expired: az ad sp show --id <app-id>
  • Ensure the SP has Contributor role on the target subscription
  • For federated credentials, check the id-token: write permission in workflow
GPU quota not available
(Patterns 4, 6)
  • Request GPU quota increase via Quotas page
  • Try a different region - GPU availability varies by location
  • Use Spot Instances for training workloads to reduce cost
Mermaid diagrams not rendering
  • Mermaid.js v11 is loaded from CDN - check your network/firewall isn't blocking cdn.jsdelivr.net
  • Try refreshing the page or switching browsers (Chrome/Edge recommended)
  • Click the Enlarge button for a cleaner fullscreen view

Frequently Asked Questions

Pattern 5 - Serverless AI at ~$890/month. It uses Azure Functions (Consumption), Logic Apps, and pay-per-token OpenAI - no VNet, no Firewall, no VMs. Ideal for PoCs and internal tools. See the Cost Comparison for all patterns.

Pattern 6 - Secure Private AI. Fully private VNet with zero public endpoints, Azure Firewall Premium with TLS inspection, Managed HSM for keys, DDoS Protection, Azure Bastion for management access. Required for HIPAA, PCI-DSS, and ITAR workloads.

Yes! Pattern 3 (Hybrid) is specifically designed as a combination of Pattern 1 (hub) and Pattern 2 (spokes). You can also layer Pattern 6 security on top of any other pattern by adding private endpoints, firewall, and HSM. The Landing Zone guide shows how to architect multi-pattern environments.

Yes. Azure OpenAI requires an access request that must be approved before you can create an Azure OpenAI resource. Approval typically takes 1-2 business days. All 7 patterns require Azure OpenAI.

Both are Infrastructure-as-Code (IaC) tools. Bicep is Azure-native (by Microsoft), compiles to ARM templates, and has first-class VS Code support. Terraform is multi-cloud (by HashiCorp) and uses HCL syntax. This portal focuses on Bicep but all patterns work equally well with Terraform. The generated spec sheets use Bicep resource types for reference.

  1. Use the Live Pricing section on the home page for real-time Azure Retail API prices
  2. Use the Azure Pricing Calculator for custom configurations
  3. Check the BOM table on each pattern detail page - it lists per-service monthly costs
  4. For OpenAI tokens, estimate: tokens Ã- price_per_1k_tokens / 1000

Absolutely. The Education Platform is built on the same Azure AI patterns. It uses Pattern 1 (Centralized Hub) or Pattern 4 (AI Factory) as its foundation, then adds education-specific layers: Work IQ, Foundry IQ, Fabric IQ crawlers, plus three AI applications (Academic Advisor, Dropout Risk Predictor, Learning Planner). FERPA compliance is built into the architecture.

Run these commands in Azure CLI:

# Create Service Principal with Contributor role
az ad sp create-for-rbac \
  --name "sp-ai-deploy" \
  --role Contributor \
  --scopes /subscriptions/<subscription-id> \
  --json-auth

# Copy the JSON output and add it as a GitHub secret:
# Repo → Settings → Secrets → Actions → New: AZURE_CREDENTIALS

For additional RBAC roles (Cognitive Services Contributor, etc.), assign them separately: az role assignment create --assignee <sp-app-id> --role "Cognitive Services Contributor" --scope /subscriptions/<sub-id>

Quick Links