## Description ### Azure Chat Solution Accelerator powered by Azure OpenAI Service This architecture establishes a secure, scalable infrastructure for an AI-powered chat application on Azure. The solution combines several Azure AI services to create a comprehensive conversational experience with advanced capabilities. The infrastructure deploys: 1. **Intelligent Conversational AI**: The core of the application uses Azure OpenAI's GPT-4o models for natural language understanding and generation, providing high-quality conversational interactions. 2. **Multimodal Capabilities**: Integration with DALL-E 3 for image generation, Azure Speech Services for voice interaction, and Document Intelligence for processing uploaded files creates a versatile multimodal experience. 3. **Knowledge Management**: The solution uses Azure Cognitive Search with vector embeddings to enable semantic search across an organization's data, allowing the AI to reference relevant information in conversations. 4. **Private Network Architecture**: All Azure services are connected via private endpoints in a secure virtual network, minimizing public exposure and enhancing security. 5. **Modern Web Frontend**: Hosted on Azure App Service with Linux containers, the application uses a modern Node.js application stack. 6. **Persistent Storage**: Chat history and user preferences are stored in Azure Cosmos DB with a serverless configuration for cost efficiency and automatic scaling. This architecture is designed for enterprise applications requiring secure, compliant AI chat capabilities with connections to organizational knowledge. It follows Azure best practices for security, scalability, and private networking to ensure reliable performance and data protection. **N.B:** - The Terraform code is automatically generated with best practices and contains variables that you can customize to fir your needs. - You have full control to change, add, delete resources or their configuration. The newly generated code will reflect these changes. - You can replace some resources with Terraform modules. > terraform apply status: successful > ## Architecture components | **Component** | **Description** | |---------------|-----------------| | Resource Group | Container for all Azure resources in the deployment | | Azure OpenAI Service | GPT-4o model deployment for chat functionality | | Azure OpenAI Embedding Service | Text embedding model for vector search capabilities | | DALL-E Service | Image generation capabilities via DALL-E 3 model | | Document Intelligence | Form recognition and document processing (formerly Form Recognizer) | | Speech Service | Speech-to-text and text-to-speech capabilities | | Azure Cognitive Search | Vector search service for semantic document retrieval | | Cosmos DB | NoSQL database for chat history and configuration (serverless mode) | | Azure Storage Account | Blob storage for uploaded images and generated content | | Key Vault | Secure storage of API keys and secrets with RBAC authorization | | App Service Plan | Premium hosting plan for the web application | | Linux Web App | Node.js web application hosting the frontend interface | | Virtual Network | Network infrastructure with separate subnets for application and private endpoints | | Private Endpoints | Secure private connections to Azure services | | Private DNS Zones | DNS resolution for private endpoints | | Log Analytics Workspace | Centralized logging and monitoring | | Application Insights | Application performance monitoring and analytics | ## Requirements | Requirement | Configuration | |-------------|--------------| | Terraform | >= 1.0.0 | | AzureRM Provider | = 4.17.0 | | Random Provider | ~> 3.5.0 | | Azure Subscription | Valid subscription with required resource providers registered | | Permissions | Contributor role on subscription | | Regions | Support for OpenAI services in selected regions (e.g., francecentral, eastus, swedencentral) | | Resource Quotas | Sufficient quota for OpenAI models (GPT-4o, embeddings, DALL-E 3) | | Network | Ability to create VNets, subnets, and private endpoints | | Domain Names | (Optional) For custom domain configuration | | Access | Admin access | ## How to use the architecture ### Entra ID Authentication Provider #### 🟢 Production App Setup 1. Navigate to [Azure AD Apps setup](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) 2. Create a [New Registration](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false) 3. Fill in the following details ```default Application name: Production Supported account types: Accounts in this organizational directory only Redirect URI Platform: Web Redirect URI: https://YOUR-WEBSITE-NAME.azurewebsites.net/api/auth/callback/azure-ad ``` ### ☁️ Deploy to Azure #### GitHub Actions The following steps describes how the application can be deployed to Azure App service using GitHub Actions. ##### 🧬 Fork the repository If you haven't already, fork this repository to your own organisation so that you can execute GitHub Actions against your own Azure Subscription. This allows you to edit the code, customise it to your needs, and maintain control over the deployment process. https://github.com/microsoft/azurechat?tab=readme-ov-file#azure-portal-deployment ##### 🗝️ Configure secrets in your GitHub repository ###### 1. AZURE_CREDENTIALS The GitHub workflow requires a secret named `AZURE_CREDENTIALS` to authenticate with Azure. The secret contains the credentials for a Service Principal with the Contributor role on the resource group containing the Azure App Service. 1. Create a Service Principal with the Contributor role on the resource group that contains the Azure App Service. ```console az ad sp create-for-rbac --name --role contributor --scopes /subscriptions//resourceGroups/ --sdk-auth --output json ``` **⚠️ Deprecation:** You may be presented with a warning that `--sdk-auth` is deprecated and will be removed in future versions. For now, you can ignore this warning or check out [#359](https://github.com/microsoft/azurechat/issues/359#issuecomment-2650632190) for more details. **💡 Good to know:** The Service Principal secret generated in this step has a default lifespan of 1 year. This can be modified by adding the `--years n` flag to the command above, or generating a new secret for the Service Principal through the Azure Portal. In either case, be sure to update the GitHub secret accordingly. 3. Copy the JSON output from the command. 4. In the GitHub repository, navigate to Settings > Secrets > Actions and select **New repository secret**. 5. Enter `AZURE_CREDENTIALS` as the name and paste the contents of the JSON output as the value. 6. Select **Add secret**. ###### 2. AZURE_APP_SERVICE_NAME Under the same repository secrets add a new variable `AZURE_APP_SERVICE_NAME` to deploy to your Azure Web app. The value of this secret is the name of your Azure Web app e.g. `my-web-app-name` from the domain https://my-web-app-name.azurewebsites.net/ ###### 3. Run GitHub Actions Once the secrets are configured, the GitHub Actions will be triggered for every code push to the repository. Alternatively, you can manually run the workflow by clicking on the "Run Workflow" button in the Actions tab of your GitHub repository. ### Clone the architecture and modify the following variables according to your needs: | Variable | Description | |---------------|-------------| | `chat_gpt_deployment_capacity` | Capacity for the ChatGPT deployment | | `chat_gpt_deployment_name` | Name of the ChatGPT deployment | | `chat_gpt_model_name` | Name of the ChatGPT model | | `chat_gpt_model_version` | Version of the ChatGPT model | | `dalle_api_version` | DALL-E API version | | `dalle_deployment_capacity` | Capacity for the DALL-E deployment | | `dalle_deployment_name` | Name of the DALL-E deployment | | `dalle_location` | Location for the DALL-E 3 instance | | `dalle_model_name` | Name of the DALL-E model | | `db_username` | Username for database access | | `disable_local_auth` | Disable local authentication and use Azure AD authentication instead | | `embedding_deployment_capacity` | Capacity for the embeddings model deployment | | `embedding_deployment_name` | Name of the embeddings model deployment | | `embedding_model_name` | Name of the embeddings model | | `form_recognizer_sku_name` | SKU for Azure Document Intelligence (Form Recognizer) | | `instance_port` | Port for instance communication | | `lb_path` | Path for load balancer health checks | | `lb_port` | Port for load balancer | | `location` | Main location for all resources | | `name` | Environment name used to generate a short unique hash used in all resources | | `office_ip` | Office IP address for security rules | | `openai_api_version` | OpenAI API version | | `openai_location` | Location for OpenAI resources | | `openai_sku` | Azure OpenAI SKU | | `resource_group_name` | Resource group name | | `search_service_index_name` | Name of the Azure Cognitive Search index | | `search_service_sku_name` | SKU for Azure Cognitive Search | | `speech_service_sku_name` | SKU for Azure Speech Service | | `storage_service_image_container_name` | Name of the images container in the storage account | | `storage_service_sku` | SKU for the Azure storage account | | `tags` | Default tags to apply to all resources | | | | **N.B:** - Feel free to remove the resources that are not relevant to your use-case. - Some variables have default values, please change it if it doesn't fit your deployment. ## Maintainer(s) You can reach out to these maintainers if you need help or assistance: - [Brainboard team](mailto:support@brainboard.co)