This looks super complicated and doesn't convey the information I need to make our Azure OpenAI implementation a success. I'm having an issue because you split up nearly every piece of the solution across separate subscriptions. The management overhead is much more significant than it would be with a single subscription. And it doesn't make sense since we can expect a single team to implement a ChatGPT-like solution. Why would they make separate subscriptions? If they didn't own the identity solution, it could be an individual subscription managed by a different team, but that's not what you're telling us here.
Another thing that bothers me is the inclusion of many Azure services. You don't need all that to run a ChatGPT solution. You can start with a lot less if you're willing to use public networking. If you want private networking, you still don't need much of what's in your reference architecture. For example, why not use an Azure Web App behind Azure Front Door integrated with a Virtual Network that connects the OpenAI service through a private endpoint? It's just as secure but much less expensive.
I would love to see this split up into a few diagrams, with a better explanation of why it makes sense to include the components that you're proposing:
- A networking diagram explaining how to set up networking so that I can keep the connection between my web app and OpenAI private.
- A logical diagram that explains the relationship between the web app, OpenAI, and possibly Azure Cognitive Search.
- A diagram that explains the authorization and authentication configuration.
I would skip everything around managing subscriptions, policies, etc. It's generic to Azure, and there are a lot of articles to explain how to set that up.
- A separate article to explain how to set up authentication from the web app to Azure AD with OpenID Connect.
- A separate article to explain how to manage subscriptions in Azure.
- A separate article to explain how to set up cost management.
Sorry for the harsh feedback, but this sort of content from Microsoft bothers me a lot. I hope to see something a bit more refined soon.