Part 5 of 13: Building Your First Azure AI Foundry Landing Zone - Managed VNet Approach
Published by: Azure User Group Nepal
Series: Enterprise AI Governance, Security & Infrastructure with Azure AI Foundry
Introduction
You've learned the architecture (Part 1), security controls (Part 2), governance framework (Part 3), and operating model (Part 4). Now comes the practical question: How do I actually deploy this?
A landing zone is a pre-configured Azure environment that's ready for workloads. It includes networking, security, governance, and compliance controls. For Azure AI Foundry, a landing zone includes the Hub, Projects, Connections, and all supporting infrastructure.
There are two approaches to building an Azure AI Foundry landing zone:
- Managed VNet Approach (Part 5 - this post): Microsoft manages the VNet, you focus on the Hub
- Customer-Managed VNet Approach (Part 7 - advanced): You manage the VNet, maximum control
This post covers the Managed VNet Approach, which is simpler and faster for pilots and early-stage deployments.
What you'll learn in this post:
- What a landing zone is
- How Managed VNet works
- How to deploy a landing zone with Terraform
- How to configure the Hub
- How to create your first Project
- How to create your first Connection
Prerequisites: Parts 1-4 (Architecture, Security, Governance, Operating Model)
Complexity Level: Medium-High
What is a Landing Zone?
A landing zone is a pre-configured Azure environment that's ready for workloads. It includes:
- Networking: VNet, subnets, network security
- Compute: Compute resources for training and inference
- Storage: Storage accounts for data and models
- Identity: Azure AD integration, managed identities, RBAC
- Encryption: Key Vault, encryption keys, encryption policies
- Audit: Log Analytics, activity logs, diagnostic logs
- Governance: Azure Policy, compliance controls, cost management
In your retail scenario, your landing zone includes:
- Hub: Central workspace for AI projects
- Projects: Isolated workspaces for chatbot and other initiatives
- Connections: Secure connections to Azure OpenAI, HR system, Data Lake
- Compute: Training and inference compute
- Storage: Model artifacts, training data, inference data
- Key Vault: Encryption keys, connection credentials
- Log Analytics: Audit logs, diagnostic logs
Terraform Implementation: Managed VNet Landing Zone
Here's how to deploy a landing zone with Managed VNet using Terraform:
# 0. Current tenant and client context (used for the Key Vault tenant_id)
data "azurerm_client_config" "current" {}

# 1. Create Resource Group
resource "azurerm_resource_group" "aif_rg" {
  name     = "rg-aif-retail-prod"
  location = "eastus"
  tags = {
    environment = "production"
    project     = "chatbot"
    owner       = "hr-team"
  }
}

# 2. Create Storage Account for model artifacts
resource "azurerm_storage_account" "aif_storage" {
  name                     = "staifretailprod"
  resource_group_name      = azurerm_resource_group.aif_rg.name
  location                 = azurerm_resource_group.aif_rg.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  # System-assigned identity so the account can be granted access to a
  # customer-managed key (CMK) in Key Vault. The key and the customer_managed_key
  # binding are configured once the key exists; identity alone does not enable CMK.
  identity {
    type = "SystemAssigned"
  }
  tags = {
    environment = "production"
  }
}

# 3. Create Key Vault for encryption keys and credentials
resource "azurerm_key_vault" "aif_kv" {
  name                = "kv-aif-retail-prod"
  location            = azurerm_resource_group.aif_rg.location
  resource_group_name = azurerm_resource_group.aif_rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
  # Enable purge protection for compliance (cannot be turned off once enabled)
  purge_protection_enabled = true
  # Enable soft delete for recovery
  soft_delete_retention_days = 90
  tags = {
    environment = "production"
  }
}

# 4. Create Log Analytics Workspace for audit logs
resource "azurerm_log_analytics_workspace" "aif_logs" {
  name                = "law-aif-retail-prod"
  location            = azurerm_resource_group.aif_rg.location
  resource_group_name = azurerm_resource_group.aif_rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
  tags = {
    environment = "production"
  }
}

# 4b. Application Insights (a required dependency of the workspace resource),
#     workspace-based so its telemetry lands in the same Log Analytics Workspace
resource "azurerm_application_insights" "aif_appi" {
  name                = "appi-aif-retail-prod"
  location            = azurerm_resource_group.aif_rg.location
  resource_group_name = azurerm_resource_group.aif_rg.name
  workspace_id        = azurerm_log_analytics_workspace.aif_logs.id
  application_type    = "web"
}

# 5. Create Azure AI Foundry Hub (with Managed VNet)
resource "azurerm_machine_learning_workspace" "aif_hub" {
  name                    = "aif-hub-retail-prod"
  location                = azurerm_resource_group.aif_rg.location
  resource_group_name     = azurerm_resource_group.aif_rg.name
  # "Hub" marks this workspace as an AI Foundry Hub rather than a classic workspace
  kind                    = "Hub"
  application_insights_id = azurerm_application_insights.aif_appi.id
  # Hub identity for secure service-to-service communication
  identity {
    type = "SystemAssigned"
  }
  # Reference to Key Vault for encryption keys
  key_vault_id = azurerm_key_vault.aif_kv.id
  # Reference to Storage Account for model artifacts
  storage_account_id = azurerm_storage_account.aif_storage.id
  # Enable the managed VNet. AllowInternetOutbound is the simplest mode for a pilot;
  # AllowOnlyApprovedOutbound is stricter and needs explicit outbound rules for every
  # destination (for example the Azure OpenAI resource the Connection points at).
  managed_network {
    isolation_mode = "AllowInternetOutbound"
  }
  tags = {
    environment = "production"
    project     = "chatbot"
  }
}

# 6. Create diagnostic setting to log Hub activity
resource "azurerm_monitor_diagnostic_setting" "aif_hub_logs" {
  name                       = "aif-hub-logs"
  target_resource_id         = azurerm_machine_learning_workspace.aif_hub.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.aif_logs.id
  enabled_log {
    category = "AmlComputeClusterEvent"
  }
  enabled_log {
    category = "AmlComputeInstanceEvent"
  }
  metric {
    category = "AllMetrics"
    enabled  = true
  }
}

# 7. Create RBAC role assignment for Hub Admin (scoped to the Hub, not the subscription)
resource "azurerm_role_assignment" "hub_admin" {
  scope                = azurerm_machine_learning_workspace.aif_hub.id
  role_definition_name = "Owner"
  principal_id         = "00000000-0000-0000-0000-000000000000" # Replace with Hub Admin group ID
}

# 8. Create RBAC role assignment for Project Owner
resource "azurerm_role_assignment" "project_owner" {
  scope                = azurerm_machine_learning_workspace.aif_hub.id
  role_definition_name = "Contributor"
  principal_id         = "00000000-0000-0000-0000-000000000000" # Replace with Project Owner group ID
}
What this does:
- Creates a Resource Group for all resources
- Creates a Storage Account for model artifacts
- Creates a Key Vault for encryption keys and credentials
- Creates a Log Analytics Workspace for audit logs
- Creates an Azure AI Foundry Hub with Managed VNet
- Creates diagnostic settings to log Hub activity
- Creates RBAC role assignments for Hub Admin and Project Owner
For complete Terraform code with all parameters, see:
- Terraform Azure Provider - Machine Learning Workspace
- Terraform Azure Provider - Storage Account
- Terraform Azure Provider - Key Vault
- Terraform Azure Provider - Log Analytics Workspace
Creating Your First Project
Once the Hub is deployed, provision the compute your first Project (the chatbot) will run on:
# Compute cluster for the chatbot Project, attached to the Hub
resource "azurerm_machine_learning_compute_cluster" "chatbot_compute" {
  name                          = "chatbot-compute"
  location                      = azurerm_machine_learning_workspace.aif_hub.location
  machine_learning_workspace_id = azurerm_machine_learning_workspace.aif_hub.id
  # Compute configuration
  vm_priority = "Dedicated"
  vm_size     = "Standard_D4s_v3"
  # Minimum and maximum nodes; min 0 means nothing runs (or costs) while idle
  scale_settings {
    min_node_count                       = 0
    max_node_count                       = 4
    scale_down_nodes_after_idle_duration = "PT30M" # ISO 8601 duration, required
  }
  tags = {
    project = "chatbot"
  }
}
What this does:
- Creates compute resources for the chatbot Project
- Configures auto-scaling (0-4 nodes)
- Tags resources for cost tracking
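Before running terraform apply on the landing zone above (Hub, Key Vault, Log Analytics, diagnostic settings, RBAC) and the compute cluster, it is worth checking the plan for the controls this post relies on. The script below is an added example, not code from the original post: it reads the JSON that `terraform show -json tfplan` produces and reports any control that is missing, including the placeholder principal IDs in the role assignments, which must never reach production. The resource attribute names are the azurerm provider's; the embedded sample plan is constructed here to mirror the post's resources so the script runs offline, and the all-zero principal ID is the post's own placeholder.

```python
"""Policy-as-code checks over a Terraform plan of the Managed VNet landing zone.

Added example (not code from the original post). Produce the plan JSON with
`terraform plan -out tfplan && terraform show -json tfplan > plan.json` and run
`python check_plan.py plan.json`; without an argument the constructed sample runs.
"""
import json
import sys

# Placeholder principal id from the post's role assignments; if it survives into
# the plan, the RBAC assignments were never customised.
PLACEHOLDER_PRINCIPAL = "00000000-0000-0000-0000-000000000000"
MIN_RETENTION_DAYS = 90


def _planned(plan, res_type):
    """Yield (address, after, after_unknown) for each planned resource of a type.

    Values that depend on not-yet-created resources (ids, references) are absent
    from `after` and flagged True in `after_unknown`, so callers accept both.
    """
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != res_type or "delete" in change.get("actions", []):
            continue
        yield rc["address"], change.get("after") or {}, change.get("after_unknown") or {}


def _set_or_unknown(after, unknown, key):
    """True if the attribute has a value or will be known only after apply."""
    return bool(after.get(key)) or unknown.get(key) is True


def check_plan(plan):
    """Return a list of findings; an empty list means every control is satisfied."""
    findings = []
    for addr, kv, _ in _planned(plan, "azurerm_key_vault"):
        if not kv.get("purge_protection_enabled"):
            findings.append(f"{addr}: purge_protection_enabled must be true")
        if (kv.get("soft_delete_retention_days") or 0) < MIN_RETENTION_DAYS:
            findings.append(f"{addr}: soft_delete_retention_days below {MIN_RETENTION_DAYS}")
    for addr, law, _ in _planned(plan, "azurerm_log_analytics_workspace"):
        if (law.get("retention_in_days") or 0) < MIN_RETENTION_DAYS:
            findings.append(f"{addr}: retention_in_days below {MIN_RETENTION_DAYS}")
    for addr, sa, _ in _planned(plan, "azurerm_storage_account"):
        if not sa.get("identity"):
            findings.append(f"{addr}: needs a managed identity to use a customer-managed key")
    for addr, ws, unknown in _planned(plan, "azurerm_machine_learning_workspace"):
        modes = [m.get("isolation_mode") for m in ws.get("managed_network") or []]
        if not modes or modes[0] in (None, "Disabled"):
            findings.append(f"{addr}: managed_network.isolation_mode must not be Disabled")
        if not ws.get("identity"):
            findings.append(f"{addr}: no managed identity configured")
        if not _set_or_unknown(ws, unknown, "key_vault_id"):
            findings.append(f"{addr}: key_vault_id not set")
    diag = list(_planned(plan, "azurerm_monitor_diagnostic_setting"))
    if not any(d.get("enabled_log") and _set_or_unknown(d, u, "log_analytics_workspace_id")
               for _, d, u in diag):
        findings.append("no diagnostic setting streams enabled_log categories to Log Analytics")
    for addr, ra, _ in _planned(plan, "azurerm_role_assignment"):
        if ra.get("principal_id") == PLACEHOLDER_PRINCIPAL:
            findings.append(f"{addr}: placeholder principal_id was not replaced")
    for addr, cc, _ in _planned(plan, "azurerm_machine_learning_compute_cluster"):
        scale = (cc.get("scale_settings") or [{}])[0]
        if scale.get("min_node_count", 1) != 0:
            findings.append(f"{addr}: min_node_count should be 0 so idle compute scales away")
    return findings


def plan_entry(addr, rtype, after, unknown=None):
    """Build one resource_changes entry in the shape `terraform show -json` emits."""
    return {"address": addr, "type": rtype,
            "change": {"actions": ["create"], "after": after, "after_unknown": unknown or {}}}


# Constructed sample plan mirroring the post's Terraform; ids are unknown at plan time.
SAMPLE_PLAN = {"resource_changes": [
    plan_entry("azurerm_key_vault.aif_kv", "azurerm_key_vault",
               {"purge_protection_enabled": True, "soft_delete_retention_days": 90}),
    plan_entry("azurerm_log_analytics_workspace.aif_logs", "azurerm_log_analytics_workspace",
               {"retention_in_days": 90}),
    plan_entry("azurerm_storage_account.aif_storage", "azurerm_storage_account",
               {"identity": [{"type": "SystemAssigned"}]}),
    plan_entry("azurerm_machine_learning_workspace.aif_hub", "azurerm_machine_learning_workspace",
               {"identity": [{"type": "SystemAssigned"}],
                "managed_network": [{"isolation_mode": "AllowInternetOutbound"}]},
               {"key_vault_id": True, "storage_account_id": True}),
    plan_entry("azurerm_monitor_diagnostic_setting.aif_hub_logs", "azurerm_monitor_diagnostic_setting",
               {"enabled_log": [{"category": "AmlComputeClusterEvent"}]},
               {"log_analytics_workspace_id": True, "target_resource_id": True}),
    plan_entry("azurerm_role_assignment.hub_admin", "azurerm_role_assignment",
               {"role_definition_name": "Owner", "principal_id": PLACEHOLDER_PRINCIPAL}),
    plan_entry("azurerm_machine_learning_compute_cluster.chatbot_compute",
               "azurerm_machine_learning_compute_cluster",
               {"scale_settings": [{"min_node_count": 0, "max_node_count": 4}]}),
]}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for finding in findings:
        print("FAIL:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the only finding is the unreplaced placeholder in the Hub Admin role assignment; the non-zero exit code makes the script usable as a gate in a pipeline step between terraform plan and terraform apply. Attribute references such as key_vault_id are unknown until apply, which is why the checks accept after_unknown as satisfied rather than requiring a literal id.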
Creating Your First Connection
Create a Connection to Azure OpenAI:
# Connections are created through the Azure AI Foundry UI, the SDK, or the Azure CLI.
# Terraform support for Connections is limited, so use the Azure CLI or SDK.
# Example using the Azure CLI (ml extension), with the Connection described in connection.yml:
az ml connection create \
  --file connection.yml \
  --workspace-name aif-hub-retail-prod \
  --resource-group rg-aif-retail-prod
For complete instructions on creating Connections, see:
Compliance & Governance Implications
This landing zone supports the following compliance requirements:
GDPR Compliance
- Data Residency: Hub deployed in an EU region for EU data (the sample code uses eastus; set the Resource Group location to an EU region, for example westeurope, when EU data is in scope)
- Encryption: All data encrypted with CMK (the Terraform above gives the Storage Account and Hub the managed identities a CMK needs; the key in Key Vault and its binding to each resource must be added before this claim holds)
- Audit: All activity logged in Log Analytics
- Access Control: RBAC controls who can access data
PCI-DSS Compliance
- Network Isolation: Managed VNet isolates payment data (only in the AllowOnlyApprovedOutbound mode with explicit outbound rules; the AllowInternetOutbound mode leaves outbound traffic unrestricted)
- Encryption: All payment data encrypted with CMK
- Access Control: RBAC controls who can access payment data
- Audit: All payment data access logged
SOC 2 Type II Compliance
- Access Control: RBAC controls access
- Audit: All activity logged
- Encryption: All data encrypted
- Change Management: All changes logged
Operational Considerations
Deployment Time
- Managed VNet: 1-2 hours
- Customer-Managed VNet: 1-2 days
Cost Estimation
- Hub: $500-1,000/month
- Compute: $100-500/month (depends on usage)
- Storage: $10-50/month (depends on data volume)
- Key Vault: $0.6/month
- Log Analytics: $30-100/month (depends on data volume)
Total: $640-1,650/month for pilot
Scaling Considerations
- Managed VNet is suitable for pilots and early-stage deployments
- For production with complex networking, migrate to Customer-Managed VNet (Part 7)
- For multi-region deployments, create separate Hubs per region
Conclusion & Next Steps
You now understand how to build a landing zone with Managed VNet:
- Simple deployment: Fewer networking decisions
- Fast to get started: Good for pilots
- Built-in security: Microsoft manages VNet
- Built-in compliance: Audit logging and encryption
This landing zone is suitable for pilots and early-stage deployments. For production with complex networking, migrate to Customer-Managed VNet (Part 7).
In Part 6, we'll dive deeper into security hardening: how to harden your Hub with advanced security controls.
Next steps:
- Review the Terraform code and customize for your environment
- Deploy the landing zone using Terraform
- Create your first Project
- Create your first Connection
- Read Part 6 to understand security hardening
Relevant Azure documentation:
Connect & Questions
Want to discuss Azure AI Foundry landing zones, share feedback, or ask questions?
Reach out on X (Twitter) @sakaldeep
Or connect with me on LinkedIn: https://www.linkedin.com/in/sakaldeep/
I look forward to connecting with fellow cloud professionals and learners.