Created by Chafik Belhaoues

AI Gateway Private Connectivity

Tags: Azure, OpenAI, API, API Management, Private Endpoint, Front Door, WAF, Policy, Network, NSG, Log Analytics, App Insights, AI Gateway
## Description

### Azure OpenAI Platform Architecture

This secure architecture isolates Azure OpenAI services in a private network, accessible only through API Management connected via Private Endpoints. Azure Front Door serves as the single public entry point, protected by WAF policies, while all internal communication occurs through private networking. The design ensures high availability with dual OpenAI instances, incorporates security best practices with zero-trust principles, and provides monitoring through Log Analytics and Application Insights.

**N.B:**

- The Terraform code is automatically generated with best practices and contains variables that you can customize to fit your needs.
- You have full control to change, add, or delete resources or their configuration. The newly generated code will reflect these changes.
- You can replace some resources with Terraform modules.

> terraform apply status: successful

## Architecture components

| Component | Description |
|-----------|-------------|
| `Resource Group` | Logical container for all Azure resources in this solution |
| `Virtual Network` | Core network infrastructure with segregated subnets |
| `Subnet AI Services` | Dedicated subnet hosting Private Endpoints for OpenAI services |
| `Subnet APIM` | Subnet containing the API Management instance |
| `Subnet VM` | Subnet for the management VM and additional Private Endpoints |
| `AzureBastionSubnet` | Standard subnet for the Azure Bastion service |
| `Network Security Group` | Controls inbound and outbound traffic to APIM and other resources |
| `OpenAI Services (East/West)` | Dual-region OpenAI instances for high availability |
| `OpenAI Model Deployment` | GPT-4o model deployment on both OpenAI instances |
| `API Management` | Central gateway for OpenAI API traffic management |
| `API Management API` | API definition for OpenAI services |
| `API Management Backend` | Backend configurations for OpenAI instances |
| `API Management Policy` | XML-based policies for authentication and routing |
| `API Management Subscription` | Subscription for OpenAI API access |
| `Private Endpoints` | Secure connections to OpenAI and API Management services |
| `Private DNS Zones` | DNS resolution for private endpoints |
| `Front Door` | Global entry point with Premium tier features |
| `Front Door WAF Policy` | Web Application Firewall rules and protections |
| `Front Door Security Policy` | Security policy applying WAF rules to endpoints |
| `Front Door Origin Group` | Origin configuration with health probes |
| `Front Door Route` | Routing rules for traffic management |
| `Jump Box VM` | Ubuntu-based management virtual machine |
| `Azure Bastion` | Secure access service for the VM |
| `Log Analytics Workspace` | Central logging repository |
| `Application Insights` | Application monitoring for API Management |
| `Diagnostic Settings` | Configuration for resource logs and metrics collection |

## Requirements

| Name | Configuration |
| --- | --- |
| Terraform | all versions |
| Provider | AZURE |
| Provider version | >= 5.33.0 |
| Access | Admin access |

## How to use the architecture

Clone the architecture and modify the following variables according to your needs:

| Variable Name | Description |
|---------------|-------------|
| `resource_group_name` | Name of the resource group |
| `location` | Azure region where resources will be created |
| `apim_sku` | SKU for API Management |
| `openai_config` | Configuration for OpenAI instances |
| `openai_model_name` | Name of the OpenAI model |
| `openai_model_version` | Version of the OpenAI model |
| `openai_deployment_name` | Name of the OpenAI deployment |
| `openai_sku` | SKU for the OpenAI service |
| `openai_api_path` | The relative path of the APIM API for the OpenAI API |
| `openai_api_spec_url` | Full URL of the OpenAI API spec |
| `openai_subscription_name` | The name of the APIM Subscription for the OpenAI API |
| `openai_backend_pool_name` | The name of the OpenAI backend pool |
| `openai_api_name` | The name of the APIM API for the OpenAI API |
| `apim_public_network_access` | Public network access for APIM |
| `front_door_endpoint_name` | The name of the Front Door endpoint to create |
| `front_door_sku_name` | The name of the SKU to use when creating the Front Door profile |
| `vm_name` | Name of the virtual machine |
| `vm_admin_username` | The admin username for the virtual machine |
| `vm_admin_password` | The admin password for the virtual machine |
| `tags` | Tags to apply to all resources |

**N.B:**

- Feel free to remove the resources that are not relevant to your use case.
- Some variables have default values; change them if they don't fit your deployment.

## Maintainer(s)

You can reach out to these maintainers if you need help or assistance:

- [Brainboard team](mailto:support@brainboard.co)
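The description above leans on three controls that the component table names but does not show: Private Endpoints with Private DNS so the OpenAI account is reachable only from inside the VNet, Front Door as the only public entry point, and an API Management policy that handles authentication and routing. The following Terraform is an added illustration of that pattern; it is not the generated code of this architecture. It assumes `var.resource_group_name`, `var.location` and `var.openai_backend_pool_name` from the variable table, and that `azurerm_virtual_network.main`, `azurerm_subnet.ai_services`, `azurerm_api_management.apim` (with a system-assigned identity), `azurerm_api_management_api.openai` and a Front Door profile `azurerm_cdn_frontdoor_profile.main` are defined elsewhere; all resource and subdomain names are placeholders.

```hcl
# Added example, not the architecture's generated code. Assumed to exist
# elsewhere: var.resource_group_name, var.location, var.openai_backend_pool_name,
# azurerm_virtual_network.main, azurerm_subnet.ai_services,
# azurerm_api_management.apim, azurerm_api_management_api.openai,
# azurerm_cdn_frontdoor_profile.main. Names below are placeholders.

# 1. Azure OpenAI account: no public network access and no key-based auth,
#    so the only path in is the private endpoint and the only credential is Entra ID.
resource "azurerm_cognitive_account" "openai_east" {
  name                          = "oai-east-example"
  location                      = "eastus"
  resource_group_name           = var.resource_group_name
  kind                          = "OpenAI"
  sku_name                      = "S0"
  custom_subdomain_name         = "oai-east-example" # required for Private Link and Entra ID auth
  public_network_access_enabled = false
  local_auth_enabled            = false # API keys disabled; managed identity only
}

# 2. Private DNS zone linked to the VNet so the account's public FQDN
#    resolves to the private endpoint address from inside the network.
resource "azurerm_private_dns_zone" "openai" {
  name                = "privatelink.openai.azure.com"
  resource_group_name = var.resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "openai" {
  name                  = "link-openai"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.openai.name
  virtual_network_id    = azurerm_virtual_network.main.id
}

# 3. Private endpoint in the AI Services subnet, auto-registered in the zone above.
resource "azurerm_private_endpoint" "openai_east" {
  name                = "pe-oai-east"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = azurerm_subnet.ai_services.id

  private_service_connection {
    name                           = "psc-oai-east"
    private_connection_resource_id = azurerm_cognitive_account.openai_east.id
    subresource_names              = ["account"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "dns-oai"
    private_dns_zone_ids = [azurerm_private_dns_zone.openai.id]
  }
}

# 4. Data-plane RBAC for APIM's system-assigned identity; no key is stored anywhere.
resource "azurerm_role_assignment" "apim_openai_user" {
  scope                = azurerm_cognitive_account.openai_east.id
  role_definition_name = "Cognitive Services OpenAI User"
  principal_id         = azurerm_api_management.apim.identity[0].principal_id
}

# 5. API policy: accept only requests relayed by our Front Door profile,
#    swap the managed identity for a bearer token, then route to the backend pool.
resource "azurerm_api_management_api_policy" "openai" {
  api_name            = azurerm_api_management_api.openai.name
  api_management_name = azurerm_api_management.apim.name
  resource_group_name = var.resource_group_name

  xml_content = <<-XML
    <policies>
      <inbound>
        <base />
        <!-- Front Door stamps its profile id on every forwarded request; reject anything else. -->
        <check-header name="X-Azure-FDID" failed-check-httpcode="403" failed-check-error-message="Forbidden" ignore-case="true">
          <value>${azurerm_cdn_frontdoor_profile.main.resource_guid}</value>
        </check-header>
        <!-- Obtain a token for the Azure OpenAI data plane from APIM's managed identity. -->
        <authentication-managed-identity resource="https://cognitiveservices.azure.com" output-token-variable-name="msi_token" ignore-error="false" />
        <set-header name="Authorization" exists-action="override">
          <value>@("Bearer " + (string)context.Variables["msi_token"])</value>
        </set-header>
        <!-- Drop any caller-supplied api-key so it never reaches the backend. -->
        <set-header name="api-key" exists-action="delete" />
        <set-backend-service backend-id="${var.openai_backend_pool_name}" />
      </inbound>
      <backend><base /></backend>
      <outbound><base /></outbound>
      <on-error><base /></on-error>
    </policies>
  XML
}
```

Two checks worth running after `terraform apply`: from the jump box, `nslookup` of the account's custom subdomain should return an address from the AI Services subnet rather than a public IP, and a request sent straight to the APIM hostname without passing through Front Door should get the 403 from the `check-header` rule. The `local_auth_enabled = false` setting is the one that makes the managed-identity path mandatory; if the generated backend configuration still sets an `api-key` header, this example's policy deletes it before forwarding.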
