A scalable, secure, and well-governed framework for deploying AI workloads across multiple subscriptions in an enterprise environment
This architecture diagram illustrates a Microsoft Azure AI Landing Zone pattern: a scalable, secure, and well-governed framework for deploying AI workloads across multiple subscriptions in an enterprise environment. Let's walk through it end-to-end, breaking down each section, the flow, and the key Azure services involved.
Overview: The architecture is split across four subscriptions. The Connectivity Subscription is a platform landing zone (later steps refer to its hub virtual network as part of the Platform Landing Zone); the other three are application landing zones:
- Connectivity Subscription
- AI Apps Landing Zone Subscription
- AI Hub Landing Zone Subscription
- AI Services Landing Zone Subscription
Step-by-Step Breakdown
1. Users -> Application Gateway (WAF)
- Users (e.g., enterprise employees or external users) access the system via the Application Gateway with Web Application Firewall (WAF).
- This is part of the Connectivity Subscription and provides:
- Centralized ingress control
- Zone redundancy
- Protection against common web exploits (OWASP Core Rule Set: injection, cross-site scripting and similar), applied to HTTP(S) traffic only; authentication and authorization still happen in the application tier
2. Route to AI Apps Landing Zone Subscription
- Traffic is routed to the AI Apps Landing Zone Subscription via the Application Gateway.
- This subscription hosts applications that use AI services, typically in a containerized or App Service-based architecture.
3. AI Apps Workload Components
This section includes:
- App Hosting:
- Azure App Services
- Container Apps (with Container Registry)
- Networking:
- Private Endpoints
- Subnets
- Network Security Groups
- Monitoring:
- Log Analytics Workspaces
- Diagnostic Settings
- App Agents:
- Represent container/app service instances (Agent 1, 2, 3)
4. Integration with AI Services & Secrets Management
- These apps securely connect to:
- Azure Key Vault (secrets, credentials)
- Azure AI Search
- Azure Cosmos DB
- Azure Storage
- Azure OpenAI
- App Insights is used for application performance monitoring.
- Logic Apps & Functions handle:
- Knowledge Management Processing
- LLM Integration Workflows
5 & 6. Connectivity to Centralized Services
- Virtual Network Peering connects AI Apps Landing Zone with:
- Connectivity Subscription
- Hub Virtual Network in the Platform Landing Zone Subscription
- These provide access to shared infrastructure:
- Azure Firewall
- Azure Bastion
- VPN Gateway / ExpressRoute
- Azure DNS / Private Resolver
- Azure DDoS Protection
7. AI Hub Landing Zone Subscription
This acts as a centralized workload processing zone with components like:
- Event Hubs
- Azure Key Vault
- App Insights
- Power BI
- Cosmos DB
- API Management (OpenAI Endpoints)
Used for:
- Observability
- Usage processing
- API integration
8 & 9. FTU Usage Processing & Reporting
- Function Apps & Logic Apps:
- Process usage data (e.g., for chargebacks, monitoring)
- FTU = "Fair Tenant Usage"
- Processed usage is stored in Cosmos DB and reported through Power BI
10 & 11. Network Peering to Platform Zone
- AI Hub connects back to Platform Landing Zone via Virtual Network Peering
- Provides access to shared DNS zones and network services
12. AI Services Landing Zone Subscription
This is where core AI capabilities live, such as:
- Azure OpenAI
- Azure AI Services:
- Speech
- Vision
- Language
- Machine Learning
- Foundry Project:
- OpenAI Agents
- Agent Service Dependencies
- Models hosted in Azure (e.g., GPT)
This zone is accessed securely via:
- Private Endpoints (public network access disabled on the services)
- Identity-based access: Managed Identity where the service supports it, with any remaining API keys held in Azure Key Vault rather than in app configuration
- Network rules (service firewalls and NSGs)
Subscription Vending (All Zones)
Each subscription includes a Subscription Vending Framework for:
- Spoke VNet placement
- Route configurations
- Policy/role assignments
- Defender for Cloud & cost management
This ensures a consistent and compliant environment across the enterprise.
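The guardrails a vending framework enforces through policy assignments can also be evaluated locally against an exported resource list, for example in a pre-deployment review or a pipeline gate. The following is an added example, not the page's code and not an Azure Policy definition: it checks the same conditions this architecture relies on (public network access off, key-based auth off in favour of Entra ID, RBAC and purge protection on Key Vault, anonymous blob access off) over ARM resource JSON of the shape `az resource show` returns. The resource list is constructed test data; the property names are the standard ARM properties for these resource types.

```python
"""Local guardrail check for an AI landing zone.

Added example (not from the original page, not an Azure Policy definition).
SAMPLE_RESOURCES is constructed test data; the property names are the real
ARM properties for Microsoft.CognitiveServices/accounts,
Microsoft.KeyVault/vaults and Microsoft.Storage/storageAccounts.
"""
from __future__ import annotations
from typing import Callable, List, Tuple

# Constructed sample export (fake names, no real subscription identifiers).
SAMPLE_RESOURCES = [
    {"type": "Microsoft.CognitiveServices/accounts", "name": "aoai-prod",
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"defaultAction": "Deny"},
                    "disableLocalAuth": True}},
    {"type": "Microsoft.CognitiveServices/accounts", "name": "aoai-dev",
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Allow"},
                    "disableLocalAuth": False}},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-apps",
     "properties": {"publicNetworkAccess": "Disabled", "enableRbacAuthorization": True,
                    "enablePurgeProtection": True}},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-legacy",
     "properties": {"publicNetworkAccess": "Enabled", "enableRbacAuthorization": False}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stdocs",
     "properties": {"publicNetworkAccess": "Disabled", "allowBlobPublicAccess": False,
                    "networkAcls": {"defaultAction": "Deny"}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stscratch",
     "properties": {"publicNetworkAccess": "Enabled", "allowBlobPublicAccess": True,
                    "networkAcls": {"defaultAction": "Allow"}}},
]


def prop(res: dict, path: str, default=None):
    """Read a dotted path under `properties`; a missing key yields `default`,
    so an absent setting is treated as non-compliant rather than skipped."""
    node = res.get("properties", {})
    for key in path.split("."):
        if not isinstance(node, dict):
            return default
        node = node.get(key, default)
    return node


# Each rule: (rule id, ARM resource type, predicate returning True when compliant).
Rule = Tuple[str, str, Callable[[dict], bool]]
RULES: List[Rule] = [
    ("AI-01 public network access disabled", "Microsoft.CognitiveServices/accounts",
     lambda r: prop(r, "publicNetworkAccess") == "Disabled"),
    ("AI-02 network ACL default deny", "Microsoft.CognitiveServices/accounts",
     lambda r: prop(r, "networkAcls.defaultAction") == "Deny"),
    ("AI-03 local (key) auth disabled, use Entra ID", "Microsoft.CognitiveServices/accounts",
     lambda r: prop(r, "disableLocalAuth") is True),
    ("KV-01 public network access disabled", "Microsoft.KeyVault/vaults",
     lambda r: prop(r, "publicNetworkAccess") == "Disabled"),
    ("KV-02 RBAC authorization (no access policies)", "Microsoft.KeyVault/vaults",
     lambda r: prop(r, "enableRbacAuthorization") is True),
    ("KV-03 purge protection", "Microsoft.KeyVault/vaults",
     lambda r: prop(r, "enablePurgeProtection") is True),
    ("ST-01 public network access disabled", "Microsoft.Storage/storageAccounts",
     lambda r: prop(r, "publicNetworkAccess") == "Disabled"),
    ("ST-02 anonymous blob access off", "Microsoft.Storage/storageAccounts",
     lambda r: prop(r, "allowBlobPublicAccess") is False),
]


def evaluate(resources: List[dict] = SAMPLE_RESOURCES) -> List[Tuple[str, str]]:
    """Return (resource name, failed rule) pairs; an empty list means compliant."""
    findings = []
    for res in resources:
        for rule_id, rtype, ok in RULES:
            if res.get("type") == rtype and not ok(res):
                findings.append((res["name"], rule_id))
    return findings


def noncompliant_names(resources: List[dict] = SAMPLE_RESOURCES) -> List[str]:
    return sorted({name for name, _ in evaluate(resources)})


if __name__ == "__main__":
    for name, rule in evaluate():
        print(f"NONCOMPLIANT {name}: {rule}")
```

Rules fail closed: a property that is simply missing from the export (as with purge protection on `kv-legacy`) counts as a finding, because "not set" is the state a freshly vended resource is usually in.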
Key Architectural Benefits
Feature | Purpose
Zero Trust Network | Controlled access via WAF and private endpoints
Scalable AI Apps | Container Apps and App Services
Central AI Services | Managed in isolated subscriptions
Monitoring | Deep insights via App Insights and Log Analytics
Governance | Role-based access and policy enforcement
Secure Integration | VNet Peering, Azure Key Vault, API Management
End-to-End Data Flow Summary
- Users access the app through Application Gateway (WAF)
- Apps in the AI Apps Landing Zone process input
- Apps call AI services (Azure OpenAI, Azure AI Services, formerly Cognitive Services) via private endpoints
- Data usage and insights flow to AI Hub for logging and analysis
- FTU and usage metrics processed and stored
- Platform services support routing, DNS, security
Goal of the User Journey
The user interacts with an AI-powered application (e.g., chatbot, document summarizer, recommendation engine) deployed on Azure. The app is secure, scalable, and integrated with advanced Azure AI services (like OpenAI).
User Journey: Step-by-Step Breakdown
1. User Access (Public Entry Point)
- The user (browser or mobile app) sends a request (e.g., opens an AI web app or sends a prompt to a chatbot).
- The request hits the Azure Application Gateway with Web Application Firewall (WAF).
- Filters and blocks malicious traffic.
- Ensures high availability with zone redundancy.
Think of it as the front door to the AI platform.
2. Routing to AI Application
- The Application Gateway securely routes the request to the AI Apps Landing Zone Subscription.
- The user request reaches the App Service or Container App hosting the AI-based application logic.
Example: A user submits a product question via a chatbot UI hosted here.
3. Processing the Request (App Logic)
- The app receives the input and begins processing:
- App uses App Insights for performance telemetry.
- Secrets or config (API keys, connection strings) are securely pulled from Azure Key Vault.
- Based on the business logic, the app needs to call an AI model (e.g., OpenAI).
4. Calling AI Services (via Private Endpoints)
- The app securely connects (using private endpoints) to the AI Services Landing Zone to:
- Call Azure OpenAI (e.g., GPT chat models, DALL·E, embeddings)
- Use Azure AI Services, formerly Cognitive Services (e.g., speech, vision, search)
- These services are isolated in their own subscription for security, scalability, and cost governance.
This is where the model inference happens.
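A private endpoint only protects the call if name resolution actually returns the private address. With no private DNS zone linked to the spoke VNet, a name such as `contoso-ai.openai.azure.com` still resolves to the service's public IP and the request silently leaves the VNet over the internet, private endpoint or not. The following is an added example, not from the page or from any Microsoft accelerator, of a fail-closed check the app (or a deployment smoke test) can run before it trusts the path. The hostnames and addresses are constructed; the privatelink zone names are Azure's documented private DNS zones for these services.

```python
"""Fail-closed check that an Azure AI endpoint is reached through a private endpoint.

Added example (not from the original page). SAMPLE_RESOLUTIONS is constructed
test data; PRIVATELINK_ZONES are the Azure Private DNS zone names used by
private endpoints for Azure OpenAI, Azure AI Services, AI Search and Key Vault.
"""
from __future__ import annotations
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIVATELINK_ZONES = (
    "privatelink.openai.azure.com",
    "privatelink.cognitiveservices.azure.com",
    "privatelink.search.windows.net",
    "privatelink.vaultcore.azure.net",
)


@dataclass(frozen=True)
class Verdict:
    host: str
    private: bool
    reason: str


def classify_resolution(host: str, addresses: List[str],
                        canonical_name: Optional[str] = None) -> Verdict:
    """Decide whether `host` is being reached privately.

    Every resolved address must be a private (RFC 1918 / ULA) address and, when
    the resolver reports a CNAME, it must land in a privatelink zone. Any public
    address means the traffic would leave the VNet, so the verdict is a failure.
    """
    if not addresses:
        return Verdict(host, False, "no addresses resolved")
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return Verdict(host, False, f"unparseable address {addr!r}")
        if not ip.is_private:
            return Verdict(host, False, f"public address {addr}")
    if canonical_name and not any(canonical_name.endswith("." + z) for z in PRIVATELINK_ZONES):
        return Verdict(host, False, f"CNAME {canonical_name} is outside the privatelink zones")
    return Verdict(host, True, "all addresses private")


def resolve_and_check(host: str) -> Verdict:
    """Live variant: ask the system resolver (inside the spoke this is the
    Private DNS Resolver) and apply the same rule. Not exercised offline."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return Verdict(host, False, f"resolution failed: {exc}")
    return classify_resolution(host, [info[4][0] for info in infos])


# Constructed sample (fake deployments): what a resolver inside the spoke should
# return, next to two misconfigurations a smoke test must catch.
SAMPLE_RESOLUTIONS: Dict[str, Tuple[List[str], Optional[str]]] = {
    "contoso-ai.openai.azure.com": (["10.20.4.7"], "contoso-ai.privatelink.openai.azure.com"),
    "contoso-search.search.windows.net": (["10.20.4.9"], "contoso-search.privatelink.search.windows.net"),
    "leaky-ai.openai.azure.com": (["20.62.58.5"], None),                    # no private DNS zone linked
    "odd-kv.vault.azure.net": (["10.20.4.11"], "odd-kv.vault.azure.net"),  # private IP, but not via privatelink
}


def audit(samples: Dict[str, Tuple[List[str], Optional[str]]] = SAMPLE_RESOLUTIONS) -> Dict[str, Verdict]:
    return {h: classify_resolution(h, addrs, cname) for h, (addrs, cname) in samples.items()}


if __name__ == "__main__":
    for v in audit().values():
        print("OK  " if v.private else "FAIL", v.host, "-", v.reason)
```

In a deployment pipeline, run `resolve_and_check` from a host inside the spoke VNet for every dependency the app is about to use and refuse to start (or to promote the deployment) on any failing verdict; checking only one hostname is not enough, since each service has its own privatelink zone that can be independently unlinked.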
5. Retrieval-Augmented Generation (Optional)
- If the AI needs additional knowledge (RAG pattern), the app can:
- Query Azure AI Search for documents.
- Pull knowledge from Azure Cosmos DB or Azure Storage.
- AI results are processed via Logic Apps / Functions (e.g., post-processing, formatting).
6. Return the Response to the User
- The application receives the AI-generated output.
- It formats the result (e.g., chatbot message, visual, PDF, etc.) and returns it to the user via the original secure path.
7. Observability & Usage Logging
- App, AI service usage, and telemetry are logged in:
- Log Analytics / App Insights
- Event Hub, streamed to the AI Hub Landing Zone
- This enables centralized monitoring and analytics (Power BI dashboards, anomaly detection, etc.)
8. Usage Reporting & Governance
- Function App & Logic App in the AI Hub Landing Zone process usage logs.
- Usage is stored in Azure Cosmos DB.
- FTU (Fair Tenant Usage) policies are enforced and reported via Power BI dashboards.
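The usage processing described in steps 7 and 8 (and in the FTU section earlier) reduces to parsing per-call events from Event Hub, aggregating tokens and cost per tenant, and flagging tenants that exceed their fair-usage quota. The following is an added example, not the page's code and not any Microsoft accelerator's Function App. The event schema is an assumption that mirrors the fields an API Management gateway policy can log per call (caller identity, deployment name, token counts, status); the prices and the quota are placeholder values, not Azure list prices. The events are constructed.

```python
"""Usage aggregation and fair-usage enforcement for Azure OpenAI traffic.

Added example (not from the original page). The NDJSON schema, prices and quota
below are assumptions; SAMPLE_EVENTS is constructed data, including one
deliberately malformed line as the ingestion path would see it.
"""
from __future__ import annotations
import json
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_EVENTS = """\
{"ts":"2025-01-15T09:00:01Z","tenant":"hr-bot","deployment":"gpt-4o","prompt_tokens":1200,"completion_tokens":300,"status":200}
{"ts":"2025-01-15T09:00:02Z","tenant":"hr-bot","deployment":"gpt-4o","prompt_tokens":900,"completion_tokens":250,"status":200}
{"ts":"2025-01-15T09:00:03Z","tenant":"support-agent","deployment":"gpt-4o-mini","prompt_tokens":5000,"completion_tokens":800,"status":200}
{"ts":"2025-01-15T09:00:04Z","tenant":"support-agent","deployment":"gpt-4o","prompt_tokens":70000,"completion_tokens":9000,"status":200}
{"ts":"2025-01-15T09:00:05Z","tenant":"support-agent","deployment":"gpt-4o","prompt_tokens":0,"completion_tokens":0,"status":429}
{"ts":"2025-01-15T09:00:06Z","tenant":"research","deployment":"text-embedding-3-large","prompt_tokens":40000,"completion_tokens":0,"status":200}
not json at all
"""

# Placeholder price per 1k tokens (prompt, completion): assumption, not list prices.
PRICE_PER_1K = {
    "gpt-4o": (0.005, 0.015),
    "gpt-4o-mini": (0.00015, 0.0006),
    "text-embedding-3-large": (0.00013, 0.0),
}

# Fair-usage quota in tokens per tenant per processing window (assumed policy value).
DEFAULT_QUOTA_TOKENS = 50_000


@dataclass
class TenantUsage:
    tenant: str
    calls: int = 0
    throttled: int = 0  # 429s from the service: the quota is looser than real capacity
    tokens_by_deployment: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    cost: float = 0.0

    @property
    def total_tokens(self) -> int:
        return sum(self.tokens_by_deployment.values())


def parse_events(ndjson: str) -> Tuple[List[dict], int]:
    """Parse NDJSON; count and skip malformed lines instead of failing the batch."""
    events, bad = [], 0
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def aggregate(events: List[dict]) -> Dict[str, TenantUsage]:
    usage: Dict[str, TenantUsage] = {}
    for ev in events:
        u = usage.setdefault(ev["tenant"], TenantUsage(ev["tenant"]))
        u.calls += 1
        if ev.get("status") == 429:
            u.throttled += 1
            continue  # a throttled call consumed no tokens
        dep = ev["deployment"]
        p, c = int(ev.get("prompt_tokens", 0)), int(ev.get("completion_tokens", 0))
        u.tokens_by_deployment[dep] += p + c
        pp, cp = PRICE_PER_1K.get(dep, (0.0, 0.0))
        u.cost += p / 1000 * pp + c / 1000 * cp
    return usage


def over_quota(usage: Dict[str, TenantUsage], quota: int = DEFAULT_QUOTA_TOKENS) -> List[str]:
    """Tenants whose window total exceeds the fair-usage quota, largest first."""
    offenders = [u for u in usage.values() if u.total_tokens > quota]
    return [u.tenant for u in sorted(offenders, key=lambda u: u.total_tokens, reverse=True)]


def process(ndjson: str = SAMPLE_EVENTS, quota: int = DEFAULT_QUOTA_TOKENS) -> dict:
    """Full pass: parse, aggregate, and build the report document that the
    Function App would write to Cosmos DB for Power BI to read."""
    events, bad = parse_events(ndjson)
    usage = aggregate(events)
    return {
        "malformed_events": bad,
        "tenants": {t: {"calls": u.calls, "throttled": u.throttled,
                        "total_tokens": u.total_tokens, "cost": round(u.cost, 4)}
                    for t, u in usage.items()},
        "over_quota": over_quota(usage, quota),
    }


if __name__ == "__main__":
    print(json.dumps(process(), indent=2))
```

Two details matter for the governance use: throttled (429) calls are counted as calls but not as consumption, so a tenant hammering the gateway still shows up in the report without being billed for work the model never did, and malformed events are counted rather than dropped silently, since a rising malformed count is itself a signal that a gateway policy or schema changed.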
9. Admin/Platform Layer
- All resources and subscriptions are governed via the Platform Landing Zone:
- Shared services like DNS, security policies, firewalls
- Cost controls, Defender for Cloud, DDoS protection
- Subscription vending and network segmentation
Visual Recap: User Journey Flow
User -> App Gateway (WAF) -> App in AI Apps Landing Zone -> Call to Azure OpenAI / AI Services -> (Optional: Knowledge retrieval) -> AI Response -> Returned to User -> Usage logged & monitored -> Usage reporting in AI Hub
(Figure: User Workflow)
Security Throughout the Journey
Step | Security Feature
App Gateway | Web Application Firewall
App Hosting | Private Endpoints, Managed Identity
Secrets | Azure Key Vault
Network | Virtual Network Peering, NSGs
Governance | Role-based access, Policy Assignments
Example: Real-World Use Case
Scenario: A doctor uses a medical AI assistant to analyze patient notes.
- Logs in via secure portal (WAF gateway)
- Submits patient notes (App Service)
- App calls OpenAI with prompt: "Summarize this diagnosis."
- App also queries internal document store (RAG)
- OpenAI returns result β displayed in UI
- Usage tracked for audit and reporting
User Journey Flow
- Users
- End users initiate a request (e.g., accessing an AI-powered app).
- Application Gateway + WAF (Connectivity Subscription)
- Request is routed through the Application Gateway with Web Application Firewall for security and traffic filtering.
- AI Apps Landing Zone Subscription
- Request enters the AI Apps subscription.
- Workloads run on App Services or Container Apps (Agents 1, 2, 3).
- Secure Access
- Application services authenticate and securely retrieve data from Azure Key Vault, Cosmos DB, Azure Storage, and Azure AI Search.
- Knowledge Management Processing
- Logic Apps / Function Apps process the request, enabling workflows, integrations, and knowledge enrichment.
- AI Hub Gateway Application
- Requests requiring AI services are routed to the AI Hub for centralized management.
- API Management (OpenAI Endpoints)
- APIs handle communication with downstream AI services.
- Event Hub + App Insights
- Telemetry and logs are captured for monitoring and troubleshooting.
- Power BI + Cosmos DB
- Usage data is aggregated and analyzed for reporting (FTU usage tracking).
- AI Services Subscription
- API calls are directed to the AI Services subscription.
- Azure AI Models Execution
- Requests hit Azure OpenAI, Azure AI Foundry, or Azure AI Services, formerly Cognitive Services (Speech, Vision, Search, etc.).
- Foundry/Agent services provide additional AI processing.
- Response back to User
- Processed AI output is routed back through the pipeline: API -> Hub -> Apps -> Application Gateway -> returned to the user.
(Figure: High Level Architecture Diagram)
(Figure: Security & Governance Overview)
(Figure: AI Landing Zone Lifecycle Workflow)
URL Reference Architectures: