<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Azure Infrastructure Blog articles</title>
    <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/bg-p/AzureInfrastructureBlog</link>
    <description>Azure Infrastructure Blog articles</description>
    <pubDate>Fri, 17 Jul 2026 18:43:26 GMT</pubDate>
    <dc:creator>AzureInfrastructureBlog</dc:creator>
    <dc:date>2026-07-17T18:43:26Z</dc:date>
    <item>
      <title>Azure Cobalt: Workload-Aware Power Management for More Efficient Datacenters</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/azure-cobalt-workload-aware-power-management-for-more-efficient/ba-p/4537049</link>
      <description>&lt;P class="lia-align-justify"&gt;&lt;SPAN data-contrast="auto"&gt;As cloud services and AI workloads continue to grow, power has become a key constraint in expanding compute capacity. Using available power more efficiently enables Azure to deploy more servers in each datacenter, helping meet growing customer demand while improving sustainability. To address this challenge, Microsoft has taken a vertically integrated approach to infrastructure, co-designing hardware and software to optimize performance and efficiency across the stack. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;SPAN data-contrast="auto"&gt;With Azure Cobalt CPUs, Microsoft introduced an industry-first per-virtual machine (VM) power monitoring and capping capability, developed from the ground up and deployed in Azure. Bringing this capability into production required hardware/software co-design across the Azure stack, spanning silicon and firmware, virtualization, server agents, VM placement systems, and datacenter power management infrastructure. By managing power at the granularity of individual VMs, Azure can preserve performance for critical workloads while improving overall infrastructure efficiency.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;&lt;STRONG&gt;The Need for Fine-Grained Power Management to Enhance Efficiency&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P class="lia-align-justify"&gt;&lt;SPAN data-contrast="auto"&gt;A widely adopted strategy for improving datacenter power efficiency is &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/research/wp-content/uploads/2020/10/Per-VM-Capping-ATC21.pdf" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;o&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;versubscription&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt; &lt;SPAN data-contrast="auto"&gt;— adding more servers within the same power budget to harvest the unutilized power and relying on power capping when power draw exceeds the limit. However, conventional hardware-based capping applies uniform CPU throttling across all cores. While this ensures power safety, it degrades performance for all VMs, including critical customer-facing workloads. This limitation restricts how aggressively Azure can oversubscribe power, since higher oversubscription levels cause more frequent and severe throttling, thereby degrading customer workload performance.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;SPAN data-contrast="auto"&gt;To address these limitations, Azure initially introduced &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/research/wp-content/uploads/2020/10/Per-VM-Capping-ATC21.pdf" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;software-&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;only&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt; per-VM power capping&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;. This system uses VM metadata and workload predictions to selectively throttle non-critical VMs (e.g., non-production workloads, batch jobs) through a userspace Azure agent, helping protect the performance of customer-facing production applications; the figure below shows the criteria used for determining each VM’s priority.&amp;nbsp; However, software-based throttling is slow since it relies on fixed frequency change steps in a feedback loop that struggles to converge quickly.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;&lt;STRONG&gt;Hardware/Software Co-design for Per-VM Power Management on Cobalt&amp;nbsp;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P class="lia-align-justify"&gt;Building our own CPUs enabled Microsoft to extend software-only per-VM power capping into a more effective hardware/software co-design, with per-VM power monitoring and management built directly into Cobalt from the ground up. This industry-first capability, now deployed in Azure, preserves performance for critical customer workloads while enabling up to 20% more power oversubscription on Cobalt 200.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;In our implementation, the software provides VM identifiers (IDs) and each VM’s priority to the hardware. The hypervisor communicates a VM’s ID and priority to the hardware on VM core scheduling. CPU firmware uses VM priorities to maximize performance within a power budget. When power consumption exceeds the limit, it reduces power draw in priority order by lowering the voltage and frequency (&lt;A href="https://en.wikipedia.org/wiki/Dynamic_frequency_scaling" target="_blank" rel="noopener"&gt;DVFS&lt;/A&gt;) of each VM's cores. Since VM to core assignments can change due to context switches (at milliseconds scale), the firmware samples VM priorities of cores and re-evaluates power and core frequency every millisecond. The below figure illustrates the evolution of Azure's power management approach, from conventional hardware capping to per-VM (workload-aware) power management on Cobalt.&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-justify"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;SPAN data-contrast="none"&gt;Furthermore, the firmware uses the programmed IDs to monitor per-VM power and frequency. This telemetry is used to understand the throttling experienced by VMs, build VM power models, and support energy/carbon reporting.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335551550&amp;quot;:6,&amp;quot;335551620&amp;quot;:6}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;&lt;STRONG&gt;Real-World Impact&amp;nbsp;&amp;nbsp;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Co-designed per-VM power capping on Cobalt provides up to 24% higher performance&lt;/STRONG&gt; than software-only capping under the same power budget, based on SPEC CPU Integer benchmarks. Cobalt provides the best (100%) performance for the top 5 priorities while the software-based approach can only do so for the top priority. Overall, Cobalt provides 2 – 24% higher performance.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Prioritized capping on Cobalt 200 provides up to 20% more power oversubscription&amp;nbsp;&lt;/STRONG&gt;for the evaluated scenarios while preserving performance of critical VMs. It allows a 35% reduction in power with no performance impact to the critical VMs whereas no prioritization only allows a reduction of 15%. Azure can choose power savings between 15 to 35% based on tolerable performance impact to the non-critical VMs.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P class="lia-align-justify"&gt;These results demonstrate that per-VM power management on Cobalt 200 helps preserve performance for critical workloads while improving efficiency. By applying power limits more selectively, Azure can use power more effectively &lt;SPAN data-contrast="auto"&gt;—&lt;/SPAN&gt; deploying more servers within its existing datacenter footprint to meet growing customer compute demand and improve sustainability.&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;&lt;STRONG&gt;End-to-End Integration across the Azure Stack&amp;nbsp;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P class="lia-align-justify"&gt;The figure below shows the end-to-end architecture for per-VM power management on Cobalt and highlights the hardware and software enhancements across the Azure stack. The VM scheduler places VMs in racks with available power and live migrates VMs from constrained racks using workload criticality and measured VM power. The node agent provides each VM’s ID and priority to the hypervisor, which tags the VM’s cores during scheduling. Each VM's ID enables per-VM telemetry, while its priority guides power management decisions. The per-VM telemetry is sent to Resource Central for building and refining prediction models. Finally, the power manager monitors power consumption across server groups, such as racks and rows. When a power limit is reached, it signals servers to reduce usage. The Cobalt CPU on each server then uses VM priorities to selectively throttle lower-priority workloads, preserving performance for critical applications while maintaining power safety.&lt;/P&gt;
&lt;img /&gt;
&lt;H3&gt;&lt;SPAN class="lia-text-color-15"&gt;&lt;STRONG&gt;Looking Ahead&amp;nbsp;&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P class="lia-align-justify"&gt;This work exemplifies the power of hardware/software co-design in cloud infrastructure and is a consequence of deep collaboration across many hardware and software teams within Microsoft. As cloud workloads continue to evolve, innovations like co-designed per-VM power management will be essential to balance performance, efficiency, and sustainability.&lt;/P&gt;</description>
      <pubDate>Thu, 16 Jul 2026 21:16:29 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/azure-cobalt-workload-aware-power-management-for-more-efficient/ba-p/4537049</guid>
      <dc:creator>redsa</dc:creator>
      <dc:date>2026-07-16T21:16:29Z</dc:date>
    </item>
    <item>
      <title>Building Practical Rowhammer Protection into Azure Cobalt 200</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-practical-rowhammer-protection-into-azure-cobalt-200/ba-p/4529297</link>
      <description>&lt;P&gt;As memory becomes central to cloud and AI infrastructure, so is the need to protect against memory-based vulnerabilities and attacks at cloud scale. With &lt;A href="https://techcommunity.microsoft.com/blog/AzureInfrastructureBlog/announcing-cobalt-200-azure%E2%80%99s-next-cloud-native-cpu/4469807" target="_blank" rel="noopener"&gt;Azure Cobalt 200&lt;/A&gt;, Microsoft’s second-generation Arm-based compute processor, we took the opportunity to re-think how to deliver advanced memory security defenses through deep hardware-software codesign, leveraging all parts of the system design, including silicon, platform, firmware and telemetry.&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="color: #0078d4; font-size: 20px;"&gt;&lt;STRONG&gt;Rowhammer and the Need for End-to-End Memory Security&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Hardware security vulnerabilities raise unique challenges to a hyperscaler. Unlike software, hardware vulnerabilities cannot be patched. Since hyperscalers deploy the same hardware design at massive scale, a single vulnerability affects a huge portion of cloud infrastructure.&lt;/P&gt;
&lt;P&gt;Rowhammer has been one of the most persistent hardware security vulnerabilities of the last decade. At its core, the problem is deceptively simple: a high rate of accesses to the same address in DRAM flips bits in data stored in nearby addresses. With Rowhammer, an attacker can corrupt memory outside their control, &lt;SPAN style="color: rgb(30, 30, 30);"&gt;potentially undermining isolation mechanisms relied upon by cloud software&lt;/SPAN&gt;. Even worse, Rowhammer could be leveraged as an attack vector by nation-state attack adversaries.&lt;/P&gt;
&lt;P&gt;For years, the industry has relied on proprietary DRAM mitigations that are approximate and do not eliminate all forms of Rowhammer attacks. These mitigations cannot be fully inspected, reasoned about, or tuned. This creates a form of security by obscurity, where a defense’s effectiveness depends in part on hardware vendors not disclosing how it works.&lt;/P&gt;
&lt;P&gt;With Azure Cobalt, Microsoft has an opportunity to re-think how to deliver advanced memory security defenses by leveraging all parts of the system design, from silicon to platform to firmware and telemetry.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;With Cobalt 200, Microsoft is using its custom cloud silicon to help address a low-level memory security challenge that is becoming more important as AI infrastructure scales, and doing it in a way that helps protect customer workloads without imposing the usual performance penalty.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;EM&gt;Selim Bilgin, Corporate Vice President, Silicon Engineering&lt;/EM&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;SPAN style="color: #0078d4; font-size: 20px;"&gt;&lt;STRONG&gt;Advanced Rowhammer Protection in Azure Cobalt 200&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;For the past few years, Microsoft has helped lead the industry response to Rowhammer: making the risk concrete, driving standards discussions, and developing new mechanisms that give cloud providers better visibility, control, and defenses against memory-based attacks.&lt;/P&gt;
&lt;P&gt;With Azure Cobalt 200, Microsoft built Rowhammer protection directly into the SoC's memory controller. The goal was not simply to add another mitigation, but to design one that meets the operational requirements of a cloud platform. We ended up with a new, hybrid-based design that did not show measurable performance overhead in internal testing of commodity workloads, when the system is not under attack. The security guarantees provided can be tuned and configured for various memory configurations and DRAM media quality.&lt;/P&gt;
&lt;P&gt;We have described in depth the workings of this new Rowhammer protection in &lt;A href="https://www.microsoft.com/en-us/research/publication/from-lab-to-fleet-building-and-deploying-a-practical-rowhammer-defense-in-cloud-socs/" target="_blank" rel="noopener"&gt;our research paper&lt;/A&gt; published at the &lt;A href="https://iscaconf.org/isca2026/" target="_blank" rel="noopener"&gt;International Symposium on Computer Architecture (ISCA) 2026&lt;/A&gt; Industry Track. Our paper covers the design, implementation, software verification, configuration, related work, and evaluation of our new feature. To our knowledge, this is &lt;SPAN style="color: rgb(30, 30, 30);"&gt;one of the more detailed publicly available descriptions of a production-oriented Rowhammer defense to date, based on our review of the literature. &lt;/SPAN&gt;ISCA is widely regarded as a leading conference in computer architecture research. This work builds on multi-year research efforts within Microsoft Research on understanding and mitigating Rowhammer at cloud scale.&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="color: #0078d4; font-size: 20px;"&gt;&lt;STRONG&gt;A New Hybrid-based Approach&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;During normal operation, the memory controller tracks frequently activated rows using small, efficient counter tables. These tables are intentionally lightweight: they are sized to &lt;SPAN style="color: rgb(30, 30, 30);"&gt;minimize performance impact in common operating conditions&lt;/SPAN&gt;. If the hardware detects that a portion of memory is seeing behavior that may overwhelm this lightweight tracking, only that portion transitions to a heavier form of protection.&lt;/P&gt;
&lt;P&gt;This distinction is important. A pure tracking design can become too expensive in hardware if it tries to account for every possible worst-case pattern. In contrast, a heavier protection imposes constant overhead even when nothing malicious is happening. The hybrid design combines the best of both worlds. It keeps the common case fast, while still providing a fallback path for adversarial behavior.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;At Azure scale,&amp;nbsp;security features must be both strong and economical. A protection that creates overhead for every workload, all the time, is hard to justify in production.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;EM&gt;Pat Stemen, Vice President, Azure Cobalt&lt;/EM&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;The graph below shows the DRAM bandwidth overhead of our defense under two Rowhammer attacks: one that targets a small number of DRAM regions and can be handled by light mode, and a more aggressive attack that targets the entire system. In internal evaluations, bandwidth overhead remained below 8% for the targeted test scenarios, and below 23% for more intensive simulated attack scenarios. In the normal case, when the system is not under attack, no additional DRAM bandwidth usage was observed.&lt;/P&gt;
&lt;img&gt;&lt;STRONG&gt;Key Takeaway: &lt;/STRONG&gt;&lt;STRONG&gt;Defense is idle in normal case and scales with attack intensity: &amp;lt;8% DRAM bandwidth overhead for targeted attacks and &amp;lt;23% overhead for full system attacks.&lt;/STRONG&gt;&lt;/img&gt;
&lt;P&gt;The defense also operates at fine granularity. Instead of forcing an entire memory bank or controller into a heavier mode, the transition happens independently for smaller regions. That means a suspicious access pattern in one region does not unnecessarily penalize unrelated traffic elsewhere. This is one of the practical design choices that makes the approach suitable for production hardware rather than only research evaluation.&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="color: #0078d4; font-size: 20px;"&gt;&lt;STRONG&gt;An Unexpected Design Constraint: Telemetry and Confidential Computing&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;A surprising challenge we encountered was not in the Rowhammer mitigation itself, but in how to operate it at cloud scale.&lt;/P&gt;
&lt;P&gt;Azure relies on telemetry to run services with high reliability and security across its fleet. This operational visibility helps us detect anomalies, understand emerging risks, and maintain the trusted, resilient platform customers expect from Azure. For a Rowhammer defense, we initially expected detailed telemetry about protection events and affected memory regions to be useful for fleet operations.&lt;/P&gt;
&lt;P&gt;However, confidential computing guarantees introduce an important constraint: telemetry is designed to avoid exposing information about customer workloads or memory access patterns. As a result, we had to carefully balance operational visibility with privacy guarantees.&lt;/P&gt;
&lt;P&gt;In practice, the Cobalt 200 Rowhammer defense uses a more constrained telemetry approach than we first expected. This gives us enough visibility to detect unusual fleet-wide behavior while aligning with the principles of confidentiality computing environments.&lt;/P&gt;
&lt;P&gt;The experience highlights a broader lesson from building security features for Azure. Effective security is not only about detecting and mitigating threats. It is also about ensuring that the operational tooling around those protections respects the same privacy and security guarantees that customers rely on. This approach is enabled by Microsoft’s ability to design and operate across the full stack, from silicon and firmware to cloud services and fleet operations.&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="color: #0078d4; font-size: 20px;"&gt;&lt;STRONG&gt;Looking Forward&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Rowhammer is not a static problem. DRAM technology continues to evolve, and new disturbance mechanisms continue to appear. Standards-based mitigations such as Per-Row Activation Counting (PRAC) are an important direction for the industry, but adoption takes time, and early implementations may exhibit bugs. By building a configurable Rowhammer defense into Cobalt 200, Microsoft gains an additional layer of protection, an independent telemetry signal, and a way to help manage risk as DRAM devices and attacks continue to change.&lt;/P&gt;
&lt;P&gt;The broader lesson is that Rowhammer defenses can and should move beyond opaqueness and toward mechanisms that can be understood, reasoned about, and not rely on security by obscurity. Cobalt 200's Rowhammer defense reflects this philosophy.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jun 2026 15:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-practical-rowhammer-protection-into-azure-cobalt-200/ba-p/4529297</guid>
      <dc:creator>ssaroiu</dc:creator>
      <dc:date>2026-06-25T15:00:00Z</dc:date>
    </item>
    <item>
      <title>Ginkgo Bioworks and Microsoft Discovery: Bringing agentic AI to biological discovery</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/ginkgo-bioworks-and-microsoft-discovery-bringing-agentic-ai-to/ba-p/4526550</link>
      <description>&lt;H1&gt;&lt;SPAN class="lia-text-color-21"&gt;Introduction&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;Biological discovery is inherently iterative and non-linear. Progress comes through cycles of hypothesis, experimentation, refinement, and review across data, tools, and teams. At Microsoft Build 2026, &lt;A href="https://azure.microsoft.com/en-us/blog/announcing-microsoft-discovery-general-availability-and-microsoft-discovery-app-preview/" target="_blank" rel="noopener"&gt;Microsoft announced general availability of &lt;/A&gt;&lt;A href="https://azure.microsoft.com/en-us/blog/announcing-microsoft-discovery-general-availability-and-microsoft-discovery-app-preview/" target="_blank" rel="noopener"&gt;Microsoft Discovery&lt;/A&gt; to support exactly this kind of work, as a comprehensive platform for building and governing agentic AI workflows across scientific and engineering disciplines. That vision becomes especially powerful in collaboration with &lt;A href="https://www.ginkgo.bio/" target="_blank" rel="noopener"&gt;Ginkgo Bioworks&lt;/A&gt;. The goal is to enable researchers to scope and plan experiments in Microsoft Discovery and run them directly on &lt;A href="https://cloud.ginkgo.bio/" target="_blank" rel="noopener"&gt;Ginkgo Cloud Lab&lt;/A&gt;, without requiring in-house automation.&lt;/P&gt;
&lt;P&gt;This collaboration brings together complementary strengths. Microsoft Discovery provides the reasoning, orchestration, and compute layer for scientific work: helping researchers turn goals into structured workflows that connect data, models, tools, and evidence. Ginkgo Bioworks contributes autonomous laboratory infrastructure that can execute those workflows and return results for analysis.&lt;/P&gt;
&lt;P&gt;Together, this creates a lab-in-the-loop model for biological research. This workflow is traditionally described as a continuous Design–Make–Test–Analyze loop, where scientists generate an experiment plan, hand off validated protocols for lab execution, and then learn from the resulting data to inform the next step. Rather than treating experimentation as a disconnected process, the interplay between Microsoft Discovery and Ginkgo agentic system is designed to create a tighter connection between scientific reasoning and real-world validation.&lt;/P&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-21"&gt;Integration&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;One example of this tighter reasoning loop under development is an RNA design-to-data workflow. In this scenario, Microsoft Discovery uses AI agents to help plan and scope the experiment, while Ginkgo’s automated lab synthesizes DNA templates, performs in vitro transcription, purifies, and quantitates yield and purity, and returns the resulting data for downstream analysis. In addition, Ginkgo Cloud Lab provides users with full transparency on the cost of the experiment before any lab experimentation.&amp;nbsp;&lt;/P&gt;
&lt;div data-video-id="https://www.youtube.com/shorts/4b_MCvIqzvE/1780954852794" data-video-remote-vid="https://www.youtube.com/shorts/4b_MCvIqzvE/1780954852794" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://www.youtube.com/embed/4b_MCvIqzvE?feature=oembed" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;P&gt;Here is a walk-through of a project aiming to estimate the cost of RNA design, illustrating how customers can use Microsoft Discovery with Ginkgo RNA production offering:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Describe the experiment in human language&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt; &lt;/STRONG&gt;Provide any additional information if required&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt; &lt;/STRONG&gt;Validate the cost estimate of the Ginkgo Cloud Lab service&lt;/LI&gt;
&lt;LI&gt;Place the order&lt;/LI&gt;
&lt;LI&gt;Store the results and share&lt;/LI&gt;
&lt;/OL&gt;
&lt;H1&gt;&lt;SPAN class="lia-text-color-21"&gt;Conclusion&lt;/SPAN&gt;&lt;/H1&gt;
&lt;P&gt;This is a real-world Design–Make–Test–Analyze use case that demonstrates how agentic workflows can adapt based on experimental results and accelerate R&amp;amp;D compared with more manual approaches. This matters because modern life sciences teams need more than isolated predictions. They need workflows that connect long term scientific context, biological data, experimental design, and validation while preserving transparency and keeping experts in control. The collaboration with Ginkgo Bioworks extends that approach into biological experimentation. It also reflects a broader principle behind Microsoft Discovery: extensibility. Microsoft Discovery is a platform that can connect Microsoft innovations with partner tools, models, and datasets. In this case, that means pairing Microsoft Discovery’s agentic orchestration with Ginkgo’s autonomous lab execution to support a more connected model for biological discovery.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;“Together, agentic AI and autonomous labs will change every part of the scientific process. Iteration cycles will get faster, experiments will require less manual hands-on time, and computational analyses will become more systematic and exhaustive. By making both easier to use, Microsoft and Ginkgo aim to bring greater speed, scale and reproducibility to pre-clinical research.”&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;— Jason Kelly, CEO, Ginkgo Bioworks&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;By connecting agentic AI with autonomous experimentation, Ginkgo Bioworks and Microsoft are working toward a future in which researchers can move faster from hypothesis to insight and do so with greater speed, scale, and reproducibility.&lt;/P&gt;
&lt;P&gt;For more information on Microsoft Discovery, &lt;A href="https://azure.microsoft.com/en-us/solutions/discovery/" target="_blank" rel="noopener"&gt;click here&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;For more information on Ginkgo Bioworks, &lt;A href="https://www.ginkgo.bio/" target="_blank" rel="noopener"&gt;click here&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jun 2026 19:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/ginkgo-bioworks-and-microsoft-discovery-bringing-agentic-ai-to/ba-p/4526550</guid>
      <dc:creator>NihitPokhrel</dc:creator>
      <dc:date>2026-06-09T19:00:00Z</dc:date>
    </item>
    <item>
      <title>Kubernetes Center: Security &amp; LTS/Out-of-Support Version Insights Now Available</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/kubernetes-center-security-lts-out-of-support-version-insights/ba-p/4524567</link>
      <description>&lt;P&gt;&lt;STRONG&gt;What's New&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security Insights:&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The new Security page in Kubernetes Center gives you an immediate, all clusters or Kubernetes Fleet Manager-wide view of your security posture without leaving the portal.&lt;/P&gt;
&lt;P&gt;At the summary level you can see:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Security vulnerabilities&lt;/STRONG&gt; broken down by risk level&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Runtime alerts&lt;/STRONG&gt;&amp;nbsp;categorized by severity&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Non-compliant regulatory standards&lt;/STRONG&gt;, with visibility into which benchmarks your clusters are falling short on&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Drilling deeper into the security detail view exposes four distinct panels:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security Vulnerabilities&lt;/STRONG&gt; show a total count of vulnerabilities across all clusters, broken down by risk tier.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Runtime Alerts&lt;/STRONG&gt; surfaces live alerts from Defender for Containers categorized by High, Medium, Low, and Informational severity. You can see at a glance whether any active threats require immediate attention, and drill into the full alert list with one click.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Misconfigurations&lt;/STRONG&gt; show a count of configuration issues detected across your clusters, again broken down by risk level.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Regulatory Compliance Standards&lt;/STRONG&gt; lets you see which compliance standards your clusters are enrolled in, which are passing, and which are failing. The view surfaces the lowest-performing standard with its pass rate, so you know exactly where to focus remediation effort.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Recommendations&lt;/STRONG&gt; are shown alongside these panels, providing actionable and prioritized guidance. Each recommendation shows affected resource counts and links directly to remediation details.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Note: Security insights require Microsoft Defender for Containers to be enabled. Kubernetes Center will confirm at a glance whether all your clusters have it enabled.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Cluster Version Support Status: Stay Ahead of End-of-Support&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Running an out-of-support Kubernetes version is one of the most common and preventable sources of risk in production environments. The new Cluster Version Support Status panel in Kubernetes Center gives you a clear picture of where every cluster stands.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The view breaks your clusters down into four states:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Status&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What it means&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;In support&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Running a supported Kubernetes version. No action needed.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Expiring soon&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Version support is ending soon. Plan your upgrade.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Out of support (LTS eligible)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Out of support but eligible for Long Term Support. An easy path to extend coverage.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Out of support&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No longer supported and not LTS eligible. Upgrade required.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;You can filter the view by cluster tier (Premium, Standard, or Free) to understand exposure by tier and prioritize accordingly.&lt;/P&gt;
&lt;P&gt;For clusters that are out of support but LTS eligible, a single Enable LTS for Eligible Clusters button lets you act immediately without navigating away.&lt;/P&gt;
&lt;P&gt;Kubernetes Center brings this into a single, always-on view so platform teams can:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Catch version drift before it becomes an incident&lt;/LI&gt;
&lt;LI&gt;Spot misconfiguration patterns across clusters, not just within one&lt;/LI&gt;
&lt;LI&gt;Act on recommendations without switching tools&lt;/LI&gt;
&lt;LI&gt;Report on compliance posture without manual aggregation&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Try It Out&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;These features are available now in Kubernetes Center in the Azure portal.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;→ &lt;A class="lia-external-url" href="https://portal.azure.com/?Microsoft_Azure_KubernetesFleet=https%3A%2F%2Flocalhost#view/Microsoft_Azure_KubernetesFleet/KubernetesHub.MenuView/~/securityCenter" target="_blank" rel="noopener"&gt;Open Security -Kubernetes Center in the Azure portal&lt;/A&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We'd love to hear what you think. Try the new security and version views with your clusters and share your feedback directly through the portal using the feedback button.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;FAQ&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Do I need Microsoft Defender for Containers enabled to use the security features?&lt;/STRONG&gt; Yes. Security vulnerabilities, runtime alerts, and misconfiguration data are powered by MS Defender for Containers. Kubernetes Center will show you if any clusters don't have it enabled so you can quickly close that gap.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Does this work across all my subscriptions and clusters?&lt;/STRONG&gt; Kubernetes Center aggregates data across all AKS clusters you have access to. Make sure you have the appropriate RBAC permissions across the subscriptions you want visibility into.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What is LTS and should I enable it for eligible clusters?&lt;/STRONG&gt; Long Term Support (LTS) extends the supported lifecycle of a Kubernetes version beyond its standard window. It's available for clusters on eligible versions running the Premium tier. If you have clusters showing "Out of support, LTS eligible," enabling LTS is the fastest way to restore support coverage while you plan a full version upgrade.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Is there a cost to use Kubernetes Center?&lt;/STRONG&gt; Kubernetes Center itself is part of the Azure portal experience and there is no additional charge. Note that Microsoft Defender for Containers, which powers the security features, is a paid add-on. See the &lt;A class="lia-external-url" href="https://azure.microsoft.com/pricing/details/defender-for-cloud/" target="_blank" rel="noopener"&gt;Defender for Containers pricing page&lt;/A&gt; for details.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Where can I learn more about the Kubernetes version lifecycle?&lt;/STRONG&gt; See the &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/aks/supported-kubernetes-versions" target="_blank" rel="noopener"&gt;AKS Kubernetes version support policy documentation&lt;/A&gt; for full details on version support windows, LTS eligibility, and upgrade guidance.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 01 Jun 2026 18:30:12 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/kubernetes-center-security-lts-out-of-support-version-insights/ba-p/4524567</guid>
      <dc:creator>Harsha_Nair</dc:creator>
      <dc:date>2026-06-01T18:30:12Z</dc:date>
    </item>
    <item>
      <title>Golden Image Refresh for Virtual Machines and VM Scale Sets: Driving Consistency at Scale</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/golden-image-refresh-for-virtual-machines-and-vm-scale-sets/ba-p/4521376</link>
      <description>&lt;P&gt;&lt;STRONG&gt;Overview:&lt;BR /&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;A&amp;nbsp;&lt;STRONG&gt;golden image&lt;/STRONG&gt; is a prebuilt, approved system template that represents the ideal baseline for deployment. It includes:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Hardened operating system configuration (e.g., RHEL)&lt;/LI&gt;
&lt;LI&gt;Preinstalled software and dependencies&lt;/LI&gt;
&lt;LI&gt;Security patches and updates&lt;/LI&gt;
&lt;LI&gt;Organizational compliance standards&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Architecture:&lt;/STRONG&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;&lt;STRONG&gt;Golden Image Refresh for VM Scale Sets (VMSS):&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Instead of updating instances individually:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A &lt;STRONG&gt;new image version is published&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;The VMSS is updated to reference the new image&lt;/LI&gt;
&lt;LI&gt;Instances are gradually replaced through a controlled rollout&lt;/LI&gt;
&lt;LI&gt;New instances (based on updated image) are introduced&lt;/LI&gt;
&lt;LI&gt;Traffic is gradually shifted to these new instances&lt;/LI&gt;
&lt;LI&gt;Old instances are decommissioned in phases&lt;/LI&gt;
&lt;LI&gt;Minimizes service disruption&lt;/LI&gt;
&lt;LI&gt;Enables safe rollout of updated environments&lt;/LI&gt;
&lt;LI&gt;Allows real-time validation of new image versions&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Virtual Machine Scale Set (VMSS) deployments use a&amp;nbsp;&lt;STRONG&gt;custom image&lt;/STRONG&gt; that is baked on top of a &lt;STRONG&gt;Golden Image&lt;/STRONG&gt;.&lt;BR /&gt;The Golden Image version is pinned in the environment-specific &lt;STRONG&gt;Packer variables (&lt;/STRONG&gt;&lt;STRONG&gt;pkrvariables&lt;/STRONG&gt;&lt;STRONG&gt;) files&lt;/STRONG&gt;.&lt;BR /&gt;Refreshing a VMSS Golden Image involves baking a new custom image using an updated Golden Image version and deploying it via the VMSS pipelines.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Image Dependency Flow&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Golden Image&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;Published and versioned by the Golden Image Team.&lt;/LI&gt;
&lt;LI&gt;Source OS image, pinned in pkrvariables per environment.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Custom Image&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;Created by the &lt;STRONG&gt;custom image pipeline&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;LI&gt;Built on top of the pinned Golden Image.&lt;/LI&gt;
&lt;LI&gt;Used by VMSS deployments.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;VMSS Deployment&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;Deploys or updates scale sets using the selected custom image version.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;Golden Image Version Management (VMSS)&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Each environment pins the Golden Image version in its respective pkrvariables file.&lt;/LI&gt;
&lt;LI&gt;Golden Image versions are selected from the same Golden Image Galleries:
&lt;UL&gt;
&lt;LI&gt;Dev&lt;/LI&gt;
&lt;LI&gt;PPR&lt;/LI&gt;
&lt;LI&gt;Prod&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;No automatic upgrades occur; changes are explicit and controlled via Git.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;VMSS Golden Image Refresh Procedure&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;1.Select Golden Image Version&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Navigate to the appropriate &lt;STRONG&gt;Golden Image Gallery&lt;/STRONG&gt; for the target environment.&lt;/LI&gt;
&lt;LI&gt;Identify the Golden Image version to be used for the refresh.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;2. Update Packer Variables&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Create a &lt;STRONG&gt;feature branch&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;LI&gt;Update the pinned Golden Image version in the environment-specific pkrvariables file.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;3.Merge Changes&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Raise a &lt;STRONG&gt;Merge Request (MR)&lt;/STRONG&gt; for the updated version.&lt;/LI&gt;
&lt;LI&gt;After approval, merge the MR into the target branch.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Custom Image Creation&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Trigger the &lt;STRONG&gt;custom image pipeline&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;LI&gt;This pipeline:
&lt;UL&gt;
&lt;LI&gt;Uses the updated Golden Image version&lt;/LI&gt;
&lt;LI&gt;Bakes a &lt;STRONG&gt;new custom image&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Publishes a new custom image version for VMSS consumption&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;VMSS Deployment&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Once the custom image is successfully created, deploy it using one of the following approaches:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Option 1: Operational Pipeline&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Use the&amp;nbsp;&lt;STRONG&gt;operational pipeline&lt;/STRONG&gt; to deploy the newly created custom image to the VMSS. Operational Pipeline is separate pipeline which will refresh the image.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;option 2: Infrastructure Pipeline Update&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Update the infrastructure (Terraform) pipeline code with the new custom image version.&lt;/LI&gt;
&lt;LI&gt;Run:
&lt;UL&gt;
&lt;LI&gt;terraform plan to review VMSS updates&lt;/LI&gt;
&lt;LI&gt;terraform apply to roll out the new image&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Terraform Behavior&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;VMSS instances are updated to use the newly created custom image.&lt;/LI&gt;
&lt;LI&gt;The same remote Terraform backend is used to preserve state consistency.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Validation and Verification&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;After deployment:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Validate VMSS instance health&lt;/LI&gt;
&lt;LI&gt;Confirm successful instance provisioning&lt;/LI&gt;
&lt;LI&gt;Verify application and service functionality&lt;/LI&gt;
&lt;LI&gt;Monitor scale set upgrade status and error metrics&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Image Team will provide the golden image and then we need to create custom image.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;After retrieval of Custom image used in Infra code.&lt;/P&gt;
&lt;P&gt;The Golden image refresh in infra code, requires a activity which is called upgrade and there are 2 kinds of upgrade in VMSS :&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Automatic upgrade -&amp;nbsp;&lt;/STRONG&gt;VMSS instances will upgrade automatically, and this requires downtime.&lt;/P&gt;
&lt;P&gt;All VMSS instances will start upgrading simultaneously and application will be down till VMSS instances is up and running.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Manual upgrade -&amp;nbsp;&lt;/STRONG&gt;VMSS instances need to be manually upgraded, and this requires 10 - 15 minutes of degradation.&lt;/P&gt;
&lt;P&gt;As part of this Upgrade - we need to manually upgrade VMSS instance one by one and so other instances will be up. There will be no downtime for the application.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Bydefault VMSS will consider automatic upgrade which requires downtime. If we do not require Automatic upgrade then we need to change the setting in provider like below.&lt;/P&gt;
&lt;P&gt;provider "azurerm" {&lt;BR /&gt;&amp;nbsp; features {&lt;BR /&gt;&lt;STRONG&gt;virtual_machine_scale_set {&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; reimage_on_manual_upgrade &amp;nbsp; &amp;nbsp;= false&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; roll_instances_when_required = false&lt;/STRONG&gt;&lt;BR /&gt;&amp;nbsp; &amp;nbsp; }&lt;BR /&gt;&amp;nbsp; }&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;After updating above code in provider.tf as part of manual upgrade then update the terraform code for new golden image.&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Create a New Image: Start by creating a new golden image with the latest updates and configurations using YAML pipeline.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Update Terraform Configuration: Modify your Terraform configuration to reference the new image. This involves updating the source_image_id or image_reference in your azurerm_virtual_machine_scale_set resource to point to the new image version.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Example:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;source_image_id = "/subscriptions/subscriptionid/resourceGroups/rgname/providers/Microsoft.Compute/images/confluence-prd-v-24052450"&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;data_disks = [&lt;BR /&gt;&amp;nbsp; &amp;nbsp; {&lt;BR /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; storage_account_type &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; = "Premium_LRS"&lt;BR /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; caching &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;= "ReadWrite"&lt;BR /&gt;&lt;STRONG&gt; create_option &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;= "FromImage"&lt;/STRONG&gt;&lt;BR /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; lun &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;= 0&lt;BR /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; disk_size_gb &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; = "500"&lt;BR /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; disk_encryption_set_id &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; = null&lt;BR /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; ultra_ssd_disk_iops_read_write = null&lt;BR /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; ultra_ssd_disk_mbps_read_write = null&lt;BR /&gt;&amp;nbsp; &amp;nbsp; }&lt;BR /&gt;&amp;nbsp; ]&lt;BR /&gt;instances = 3&amp;nbsp;&lt;BR /&gt;automatic_instance_repair = [{&lt;BR /&gt;&amp;nbsp; &amp;nbsp; enabled &amp;nbsp; &amp;nbsp; &amp;nbsp;= false&lt;BR /&gt;&amp;nbsp; &amp;nbsp; grace_period = "PT30M"&lt;BR /&gt;&amp;nbsp; }]&lt;BR /&gt;computer_name_prefix &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; = "Appname-prd"&lt;BR /&gt;overprovision &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;= false&lt;BR /&gt;edge_zone &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;= null&lt;BR /&gt;health_probe_id &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;= null&lt;BR /&gt;&lt;STRONG&gt;upgrade_mode &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; = "Manual"&lt;/STRONG&gt;&lt;BR /&gt;single_placement_group &amp;nbsp; &amp;nbsp; &amp;nbsp; = true&lt;BR /&gt;secure_boot_enabled &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;= false&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;Apply Terraform Configuration: Run terraform apply to apply the updated configuration. This will update the scale set to use the new image.&lt;/P&gt;
&lt;P&gt;After the Apply - Upgrade type is Manual then upgrade the VMSS instances one by one to make the service up and running.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Golden Image Refresh for VM Scale Sets (VM)&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Scope&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Linux VMs:
&lt;UL&gt;
&lt;LI&gt;VMs use&amp;nbsp;&lt;STRONG&gt;RHEL 7.9&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;VMs use&amp;nbsp;&lt;STRONG&gt;RHEL 8.10&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;For RHEL 7.9 , there is no golden image hence needs to create custom image. To refresh the image, change the image from (example from 1.0 to 1.1)&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Resource Changes (VMTRF):&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;VM: &lt;STRONG&gt;will be replaced&lt;/STRONG&gt; (source_image_id changed)&lt;/LI&gt;
&lt;LI&gt;OS disk: azapi_update_resource.disk ⇒ &lt;STRONG&gt;replaced&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Data disk attachments: &lt;STRONG&gt;will be replaced&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Network interface: &lt;STRONG&gt;updated in-place&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Disk encryption set: &lt;STRONG&gt;updated in-place&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Role assignments: &lt;STRONG&gt;will be replaced&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;VM extension (Custom Script Extension): &lt;STRONG&gt;will be replaced&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;RHEL 8.10&lt;/P&gt;
&lt;P&gt;To refresh the image, change the image from (example from 1.0 to 1.1)&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Resource Changes (VM STD):&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;VM: &lt;STRONG&gt;will be replaced&lt;/STRONG&gt; (source_image_id changed)&lt;/LI&gt;
&lt;LI&gt;OS disk: azapi_update_resource.disk ⇒ &lt;STRONG&gt;replaced&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Data disk attachments: &lt;STRONG&gt;will be replaced&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Network interface: &lt;STRONG&gt;updated in-place&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Disk encryption set: &lt;STRONG&gt;updated in-place&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Role assignments: &lt;STRONG&gt;will be replaced&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;VM extension (Custom Script): &lt;STRONG&gt;will be replaced&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 20 May 2026 02:56:39 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/golden-image-refresh-for-virtual-machines-and-vm-scale-sets/ba-p/4521376</guid>
      <dc:creator>ranjsharma</dc:creator>
      <dc:date>2026-05-20T02:56:39Z</dc:date>
    </item>
    <item>
      <title>Building AI Guardian Extension: AI Detection and Enterprise AI Security</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-ai-guardian-extension-ai-detection-and-enterprise-ai/ba-p/4521125</link>
      <description>&lt;H2&gt;&lt;STRONG&gt;Introduction&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Generative AI tools such as &lt;STRONG&gt;ChatGPT, GitHub Copilot, and Google Gemini&lt;/STRONG&gt; are rapidly becoming part of everyday enterprise workflows. Teams use them for code generation, documentation, analysis, support automation, and productivity enhancement.&lt;/P&gt;
&lt;P&gt;However, this accelerated adoption has also created a significant governance and security challenge: &lt;STRONG&gt;Shadow AI&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Shadow AI refers to the &lt;STRONG&gt;unauthorized, unmanaged, or unmonitored use of AI tools inside an organization&lt;/STRONG&gt;. Employees may unknowingly paste sensitive enterprise information into external AI platforms, exposing:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;API keys&lt;/LI&gt;
&lt;LI&gt;Source code&lt;/LI&gt;
&lt;LI&gt;Customer data&lt;/LI&gt;
&lt;LI&gt;Credentials&lt;/LI&gt;
&lt;LI&gt;Internal business documents&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;At the same time, enterprise AI usage is increasingly exposed to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Prompt injection attacks&lt;/LI&gt;
&lt;LI&gt;Malicious API manipulation&lt;/LI&gt;
&lt;LI&gt;Unsafe model outputs&lt;/LI&gt;
&lt;LI&gt;Compliance violations&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Security and compliance teams currently lack centralized visibility and governance over enterprise AI usage.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Existing tools are fragmented and do not provide unified protection across the complete AI attack surface including Data, Prompt/API, and Model layers.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Organizations require an intelligent, autonomous platform capable of&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;detecting Shadow AI usage,&lt;BR /&gt;preventing sensitive data leakage,&lt;BR /&gt;securing AI interactions,&lt;BR /&gt;enforcing governance policies,&lt;BR /&gt;and maintaining compliance in real time.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Proposed Solution:&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;AI Guardian is an intelligent security and governance platform designed to secure enterprise AI adoption and mitigate Shadow AI risks.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;1) The platform continuously monitors AI interactions across enterprise environments and provides autonomous protection across multiple AI attack surfaces.&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;Core Capabilities&lt;BR /&gt;Shadow AI Detection&lt;BR /&gt;Detects unauthorized AI tool usage&lt;BR /&gt;Monitors risky AI interactions&lt;BR /&gt;Identifies sensitive data exposure&lt;BR /&gt;Multi-Layer AI Security&lt;BR /&gt;Data Layer Protection&lt;BR /&gt;PII detection&lt;BR /&gt;API key and credential scanning&lt;BR /&gt;Confidential data leakage prevention&lt;BR /&gt;Prompt/API Layer Protection&lt;BR /&gt;Prompt injection detection&lt;BR /&gt;Malicious prompt analysis&lt;BR /&gt;API abuse detection&lt;BR /&gt;Model Layer Protection&lt;BR /&gt;Unsafe response monitoring&lt;BR /&gt;AI Compliance Copilot&lt;BR /&gt;Generates governance reports&lt;BR /&gt;Recommends remediation actions&lt;BR /&gt;&lt;BR /&gt;&lt;STRONG&gt;2.AI Guardian Extension Automatically performs:&lt;/STRONG&gt;&lt;BR /&gt;prompt blocking,&lt;BR /&gt;redaction,&lt;BR /&gt;SOC alerting,&lt;BR /&gt;incident creation,&lt;BR /&gt;and compliance logging.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;3.AI Guardian Extension Business Value:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This AI Guardian delivers measurable business value by enabling secure and governed enterprise AI adoption.&lt;BR /&gt;&lt;STRONG&gt;4.Key Business Benefits&lt;/STRONG&gt;&lt;BR /&gt;1. Prevents Sensitive Data Leakage&lt;BR /&gt;2. Enables Safe Enterprise AI Adoption&lt;BR /&gt;3. Reduces Compliance Risks and helps align enterprise AI usage with:&lt;BR /&gt;SOC2&lt;BR /&gt;ISO27001&lt;BR /&gt;GDPR&lt;BR /&gt;Internal security policies&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;&lt;STRONG&gt;5. Improves Security Visibility and provides centralized visibility into:&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;AI usage patterns&lt;BR /&gt;risky prompts&lt;BR /&gt;Shadow AI activity&lt;BR /&gt;policy violations&lt;BR /&gt;&lt;BR /&gt;&lt;STRONG&gt;6. Strengthens Enterprise AI Security Posture and protects multiple AI attack surfaces including:&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;Data Layer&lt;BR /&gt;Prompt/API Layer&lt;BR /&gt;Model Layer&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Customer Involvement&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;No Customer Involvement added.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Scenario: Employee pastes confidential code into ChatGPT&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;User opens ChatGPT in the browser&lt;/LI&gt;
&lt;LI&gt;AI Guardian Extension detects site access&lt;/LI&gt;
&lt;LI&gt;User pastes source code containing an API key&lt;/LI&gt;
&lt;LI&gt;Content script captures prompt text&lt;/LI&gt;
&lt;LI&gt;Sensitive data detector finds the API key&lt;/LI&gt;
&lt;LI&gt;Policy engine classifies the action as high risk&lt;/LI&gt;
&lt;LI&gt;Extension redacts the key and blocks original submission&lt;/LI&gt;
&lt;LI&gt;User sees a notification explaining the action&lt;/LI&gt;
&lt;LI&gt;Event is logged to AI Guardian backend&lt;/LI&gt;
&lt;LI&gt;SOC alert and compliance log are generated if required&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The rise of Shadow AI means enterprises can no longer rely solely on backend monitoring or post-event analysis. Security controls must move closer to the &lt;STRONG&gt;user interaction point&lt;/STRONG&gt;, where prompts are created and data is shared.&lt;/P&gt;
&lt;P&gt;Building an &lt;STRONG&gt;AI Guardian Browser Extension&lt;/STRONG&gt; provides that control plane.&lt;/P&gt;
&lt;P&gt;It enables organizations to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;detect unauthorized AI usage&lt;/LI&gt;
&lt;LI&gt;inspect prompts in real time&lt;/LI&gt;
&lt;LI&gt;prevent sensitive data leakage&lt;/LI&gt;
&lt;LI&gt;block malicious interactions&lt;/LI&gt;
&lt;LI&gt;enforce governance policies&lt;/LI&gt;
&lt;LI&gt;generate audit-ready logs&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In a world where AI adoption is accelerating faster than governance, the AI Guardian Extension becomes a practical and scalable way to make enterprise AI usage &lt;STRONG&gt;secure, visible, and compliant&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 19 May 2026 11:41:31 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-ai-guardian-extension-ai-detection-and-enterprise-ai/ba-p/4521125</guid>
      <dc:creator>ranjsharma</dc:creator>
      <dc:date>2026-05-19T11:41:31Z</dc:date>
    </item>
    <item>
      <title>Rundeck – AWS Enterprise Rundeck Integration with Azure Runner</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/rundeck-aws-enterprise-rundeck-integration-with-azure-runner/ba-p/4521080</link>
      <description>&lt;H2&gt;Architecture Overview&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Rundeck Server (AWS)&lt;/STRONG&gt; → https://dev.rundeck.xyz.com&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Rundeck Runner (Azure Linux VM)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Secure Communication&lt;/STRONG&gt; over HTTPS (Port 4432)&lt;/LI&gt;
&lt;LI&gt;Optional Proxy for enterprise networks&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;1.Ensure that network connectivity is established between the Rundeck endpoint (dev.rundeck.xyz.com) and the Azure subnet over port 443.&lt;/P&gt;
&lt;P&gt;2.Request the customer to create a Runner within a new or existing project in the Rundeck portal by providing a suitable name and tags and&amp;nbsp;then proceed to download the corresponding Runner JAR file.&lt;/P&gt;
&lt;P&gt;3.Provision an Azure Linux Virtual Machine and deploy the downloaded Runner JAR using a VM extension or through a CI/CD pipeline integrated with BAMS/Artifactory. Below all prerequisite steps are mentioned which needs to be run on Azure VM to ensure Rundeck runner is ready.&lt;/P&gt;
&lt;P&gt;4.Additionally, make sure all required prerequisites are installed on the Azure Linux VM that will host the Rundeck Runner.&lt;/P&gt;
&lt;P&gt;5.After installation it will establish the connectivity between azure Rundeck runner and Aws Enterprise Rundeck.&lt;/P&gt;
&lt;P&gt;6.We can trigger any Rundeck jobs on Azure virtual machines.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;By deploying the Rundeck Runner on Azure, enterprises can seamlessly bridge AWS-hosted orchestration with Azure-based execution environments. This setup enables robust, scalable, and secure automation across hybrid cloud ecosystems.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;All prerequiste needs to be run on the Azure vm.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 1: Network Connectivity Prerequisites:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Ensure proper network connectivity between Rundeck and Azure:&lt;/P&gt;
&lt;P&gt;Allow outbound/inbound access: Source: Azure Subnet Destination: dev.rundeck.xyz.com Port: 443 Protocol: HTTP&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 2: Create Rundeck Runner&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Login to Rundeck Portal&lt;/P&gt;
&lt;P&gt;Navigate to a project → Runner Management&lt;/P&gt;
&lt;P&gt;Create a new runner:&lt;/P&gt;
&lt;P&gt;Provide Name&lt;/P&gt;
&lt;P&gt;Add Tags&lt;/P&gt;
&lt;P&gt;Download the Runner JAR file&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 3: Azure VM setup&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Create a Linux VM (RHEL/CentOS) in Azure.&lt;/P&gt;
&lt;P&gt;Deploy the runner jar via:&lt;/P&gt;
&lt;P&gt;CI/CD pipeline (BAMS/Artifactory)&lt;/P&gt;
&lt;P&gt;VM Extension for automation&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 4: Install Prerequisites on Azure VM&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Install Java 11&lt;/P&gt;
&lt;P&gt;sudo bash&lt;/P&gt;
&lt;P&gt;yum install java-11-openjdk.x86_64&lt;/P&gt;
&lt;P&gt;rpm -qa | grep java-11&lt;/P&gt;
&lt;P&gt;java --version&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 5: Start the Runner -&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;useradd rundeck&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 6: Create Rundeck User-&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;mkdir /opt/rundeck/&lt;/P&gt;
&lt;P&gt;chown -R rundeck:rundeck /opt/rundeck/&lt;/P&gt;
&lt;P&gt;cp runner-*.jar /opt/rundeck/&lt;/P&gt;
&lt;P&gt;ll /opt/rundeck/&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 7: Start the Runner -&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;without proxy&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;/bin/java -jar /opt/rundeck/runner-&amp;lt;id&amp;gt;.jar&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;With proxy:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;/bin/java \&lt;/P&gt;
&lt;P&gt;-Dmicronaut.http.client.proxy-type=http \&lt;/P&gt;
&lt;P&gt;-Dmicronaut.http.client.proxy-address=webproxy.lo5.mgmt.services:80 \&lt;/P&gt;
&lt;P&gt;-jar /opt/rundeck/runner-&amp;lt;id&amp;gt;.jar&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 8: Configure Runner as a Service&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;vi /etc/systemd/system/runner.service&lt;/P&gt;
&lt;P&gt;Add Configuration&lt;/P&gt;
&lt;P&gt;[Unit]&lt;/P&gt;
&lt;P&gt;Description=Process Automation Runner&lt;/P&gt;
&lt;P&gt;[Service]&lt;/P&gt;
&lt;P&gt;WorkingDirectory=/opt/rundeck/&lt;/P&gt;
&lt;P&gt;Type=simple&lt;/P&gt;
&lt;P&gt;User=rundeck&lt;/P&gt;
&lt;P&gt;Group=rundeck&lt;/P&gt;
&lt;P&gt;ExecStart=/bin/java -jar /opt/rundeck/runner-&amp;lt;id&amp;gt;.jar&lt;/P&gt;
&lt;P&gt;Restart=on-failure&lt;/P&gt;
&lt;P&gt;[Install]&lt;/P&gt;
&lt;P&gt;WantedBy=multi-user.target&lt;/P&gt;
&lt;P&gt;Enable and start service:&lt;/P&gt;
&lt;P&gt;chmod 0640 /etc/systemd/system/runner.service&lt;/P&gt;
&lt;P&gt;systemctl daemon-reload&lt;/P&gt;
&lt;P&gt;systemctl enable runner.service&lt;/P&gt;
&lt;P&gt;systemctl start runner.service&lt;/P&gt;
&lt;P&gt;systemctl status runner.service&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 9: Verify Runner Process&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;ps aux | grep rundeck&lt;/P&gt;
&lt;P&gt;systemctl status runner.service&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 10: Configure Log Rotation&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;create configuration:&lt;/P&gt;
&lt;P&gt;vi /etc/logrotate.d/rundeck_runnerd&lt;/P&gt;
&lt;P&gt;/opt/rundeck/runner/logs/operations.log&lt;/P&gt;
&lt;P&gt;{&lt;/P&gt;
&lt;P&gt;&amp;nbsp;daily&lt;/P&gt;
&lt;P&gt;&amp;nbsp;missingok&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; rotate 8&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp; compress&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; copytruncate&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; maxsize 150M&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; create 644 root root&lt;/P&gt;
&lt;P&gt;}&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 11: Runner Upgrade Process&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Regenerate credentials:&lt;/P&gt;
&lt;P&gt;curl -k -X POST https://dev.rundeck.xyz.com/api/42/runnerManagement/runner/&amp;lt;runner-id&amp;gt;/regenerateCreds \&lt;/P&gt;
&lt;P&gt;--header "Content-Type: application/json" \&lt;/P&gt;
&lt;P&gt;--header "X-Rundeck-Auth-Token: &amp;lt;token&amp;gt;"&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Step 12: Download Updated runner&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;curl -k -X GET https://dev.rundeck.xyz.com/api/41/runnerManagement/download/&amp;lt;downloadTk&amp;gt; \&lt;/P&gt;
&lt;P&gt;--header "X-Rundeck-Auth-Token: &amp;lt;token&amp;gt;" \&lt;/P&gt;
&lt;P&gt;--output runner-${runner_id}.jar&lt;/P&gt;</description>
      <pubDate>Tue, 19 May 2026 10:08:59 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/rundeck-aws-enterprise-rundeck-integration-with-azure-runner/ba-p/4521080</guid>
      <dc:creator>ranjsharma</dc:creator>
      <dc:date>2026-05-19T10:08:59Z</dc:date>
    </item>
    <item>
      <title>Building a Terraform Drift Validator for Azure with Live Portal Verification</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-a-terraform-drift-validator-for-azure-with-live-portal/ba-p/4520952</link>
      <description>&lt;P&gt;&lt;STRONG&gt;Architecture:&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;This blog describes how to build a practical &lt;STRONG&gt;Terraform Drift Validator for Azure&lt;/STRONG&gt; that compares &lt;STRONG&gt;three sources of truth&lt;/STRONG&gt;:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Excel sheet or design document&lt;/STRONG&gt; containing expected Azure configuration&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Terraform state file&lt;/STRONG&gt; representing IaC-managed deployed intent&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Live Azure configuration&lt;/STRONG&gt;, verified both programmatically and through &lt;STRONG&gt;Azure Portal step-by-step checks&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The solution can be exposed as a lightweight validation application. Below is the link of agent created for drift validator for infra.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;A class="lia-external-url" href="https://ca-aiv-agent.livelyhill-f6d3be20.eastus.azurecontainerapps.io/" target="_blank" rel="noopener"&gt;https://ca-aiv-agent.livelyhill-f6d3be20.eastus.azurecontainerapps.io/&lt;/A&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;Key Takeaways&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;Terraform drift detection is valuable but &lt;STRONG&gt;Terraform alone is not enough&lt;/STRONG&gt; when enterprises also rely on design documents, migration inventories, and operational portal validations.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Azure attributes such as &lt;STRONG&gt;SKU, tags, accelerated networking, managed disk type, and zone placement&lt;/STRONG&gt; can all be validated using a mix of Terraform state parsing, Azure APIs/Resource Graph, and portal verification.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure Resource Graph&lt;/STRONG&gt; is especially useful for fast, large-scale live validation because it can query resource properties across subscriptions without calling every resource provider one by one.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Managed Identity&lt;/STRONG&gt; is the preferred enterprise authentication model for a read-only validator because it removes credential handling and supports token-based access to downstream Azure services.&lt;/LI&gt;
&lt;LI&gt;Manual &lt;STRONG&gt;Azure Portal verification with documented steps and screenshot placeholders&lt;/STRONG&gt; makes the solution feel audit-ready, migration-ready, and operationally trustworthy.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;1. Introduction&lt;/H2&gt;
&lt;P&gt;Terraform drift in Azure happens when what is actually deployed no longer matches what Terraform thinks exists or what the original design intended. In practice, drift appears after portal edits, partial manual changes, external scripts, policy remediation, or emergency operational actions that never get folded back into code. HashiCorp recommends automated drift detection because unmanaged divergence can create operational inconsistency, security exposure, and compliance risk.&lt;/P&gt;
&lt;P&gt;Azure environments make this especially important because infrastructure is often governed by multiple teams: architects define the target design, DevOps teams deploy through Terraform, and operations teams may validate or troubleshoot through Azure Portal. Azure Resource Graph itself exists to support large-scale governance and current-state visibility across subscriptions, which makes it a strong foundation for live verification.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;That is why an enterprise-grade drift validator should not compare only &lt;STRONG&gt;Terraform vs Azure&lt;/STRONG&gt;. It should compare:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Design intent&lt;/STRONG&gt; from Excel or architecture documentation&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Terraform state&lt;/STRONG&gt; as the IaC-managed representation&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure live configuration&lt;/STRONG&gt; as the real runtime state&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;2. Problem Statement&lt;/H2&gt;
&lt;P&gt;Many organizations still maintain infrastructure specifications in Excel, migration trackers, or design documents. Those documents often contain the details that matter most to governance and operations: VM sizes, storage SKUs, disk performance expectations, tags, zones, and network settings. Terraform state, on the other hand, reflects what Terraform knows about deployed resources. Azure live state reflects what is actually running.&lt;/P&gt;
&lt;P&gt;These three sources diverge for common reasons:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A VM was resized manually in Azure Portal&lt;/LI&gt;
&lt;LI&gt;Accelerated networking was expected in design, defined in Terraform, but the actual NIC does not reflect it&lt;/LI&gt;
&lt;LI&gt;Tags were defined in a workbook but never applied consistently&lt;/LI&gt;
&lt;LI&gt;Storage or disk settings changed during production troubleshooting&lt;/LI&gt;
&lt;LI&gt;Zone placement differs from the architecture baseline&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;3. Solution Overview&lt;/H2&gt;
&lt;P&gt;The proposed solution is a &lt;STRONG&gt;Terraform Drift Validator for Azure with Live Portal Verification&lt;/STRONG&gt;. At a high level, it works like this:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;The user uploads an &lt;STRONG&gt;Excel sheet&lt;/STRONG&gt; or &lt;STRONG&gt;design document&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;The solution extracts expected resource configuration&lt;/LI&gt;
&lt;LI&gt;It ingests the &lt;STRONG&gt;Terraform state file&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;It queries &lt;STRONG&gt;Azure live resources&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;It normalizes values across all three sources&lt;/LI&gt;
&lt;LI&gt;It compares attributes and generates a structured drift report&lt;/LI&gt;
&lt;LI&gt;It optionally presents portal validation steps for manual verification&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This can run as a &lt;STRONG&gt;web application, API service, or agent-based validator&lt;/STRONG&gt;, exposed through:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;https://ca-aiv-agent.livelyhill-f6d3be20.eastus.azurecontainerapps.io/&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;4. Supported Validation Parameters&lt;/H2&gt;
&lt;P&gt;A useful validator should support the following checks:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;SKU&lt;/STRONG&gt;&lt;BR /&gt;Validate expected SKU from design against Terraform and live Azure. This is critical for cost and performance.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;IOPS&lt;/STRONG&gt;&lt;BR /&gt;Validate disk performance expectations. Azure documents that some disk types—particularly Ultra Disk and Premium SSD v2—allow direct performance tuning, making IOPS a meaningful validation parameter. &lt;A href="https://learn.microsoft.com/en-us/azure/virtual-machines/disks-performance-options" target="_blank" rel="noopener"&gt;[&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Accelerated Networking&lt;/STRONG&gt;&lt;BR /&gt;Azure states that accelerated networking improves VM network performance by reducing latency and CPU utilization via SR-IOV on supported VM sizes. This is exactly the kind of feature that is frequently missed or changed during deployments.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Tags&lt;/STRONG&gt;&lt;BR /&gt;Azure tags are key-value metadata used for governance, organization, and cost management. Azure also warns that tags are stored as plain text and should not contain sensitive data.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Availability Zones&lt;/STRONG&gt;&lt;BR /&gt;Validate whether resources are placed in the expected zone(s) or zone-resilient configuration.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Region&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;VM Size&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Disk Type&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Resource Group&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;NIC and network configuration&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Optional controls&lt;/STRONG&gt; such as NSG expectations, public/private exposure, backup status, or monitoring configuration&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;a { text-decoration: none; color: #464feb; } tr th, tr td { border: 1px solid #e6e6e6; } tr th { background-color: #f5f5f5; }&lt;/P&gt;
&lt;H2&gt;7. Workflow&lt;/H2&gt;
&lt;OL&gt;
&lt;LI&gt;User uploads an Excel sheet or design document&lt;/LI&gt;
&lt;LI&gt;System extracts expected fields such as resource type, name, SKU, IOPS, tags, zones, region, VM size, and network settings&lt;/LI&gt;
&lt;LI&gt;Terraform state file is parsed into resource objects&lt;/LI&gt;
&lt;LI&gt;Azure live resources are queried using Resource Graph and targeted API calls&lt;/LI&gt;
&lt;LI&gt;Attribute names and values are normalized&lt;/LI&gt;
&lt;LI&gt;Comparison engine calculates:
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Match&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Design vs Terraform drift&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Terraform vs Azure drift&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Design vs Azure drift&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;Final report is generated with severity and remediation recommendations&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2&gt;8. Drift Report Output&lt;/H2&gt;
&lt;P&gt;A report should look like this:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;Resource&lt;/th&gt;&lt;th&gt;Attribute&lt;/th&gt;&lt;th&gt;Expected&lt;/th&gt;&lt;th&gt;Terraform&lt;/th&gt;&lt;th&gt;Azure Live&lt;/th&gt;&lt;th&gt;Status&lt;/th&gt;&lt;th&gt;Severity&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;vm-prod-01&lt;/td&gt;&lt;td&gt;VM Size&lt;/td&gt;&lt;td&gt;Standard_D8s_v5&lt;/td&gt;&lt;td&gt;Standard_D8s_v5&lt;/td&gt;&lt;td&gt;Standard_D4s_v5&lt;/td&gt;&lt;td&gt;Drift&lt;/td&gt;&lt;td&gt;High&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;nic-prod-01&lt;/td&gt;&lt;td&gt;Accelerated Networking&lt;/td&gt;&lt;td&gt;Enabled&lt;/td&gt;&lt;td&gt;Enabled&lt;/td&gt;&lt;td&gt;Disabled&lt;/td&gt;&lt;td&gt;Drift&lt;/td&gt;&lt;td&gt;High&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;disk-prod-01&lt;/td&gt;&lt;td&gt;Disk SKU&lt;/td&gt;&lt;td&gt;Premium SSD&lt;/td&gt;&lt;td&gt;Premium_LRS&lt;/td&gt;&lt;td&gt;StandardSSD_LRS&lt;/td&gt;&lt;td&gt;Drift&lt;/td&gt;&lt;td&gt;High&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;vm-prod-01&lt;/td&gt;&lt;td&gt;Tags.Environment&lt;/td&gt;&lt;td&gt;Production&lt;/td&gt;&lt;td&gt;Production&lt;/td&gt;&lt;td&gt;Prod&lt;/td&gt;&lt;td&gt;Drift&lt;/td&gt;&lt;td&gt;Medium&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;vm-prod-01&lt;/td&gt;&lt;td&gt;Zone&lt;/td&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;1&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 14.29%" /&gt;&lt;col style="width: 14.29%" /&gt;&lt;col style="width: 14.29%" /&gt;&lt;col style="width: 14.29%" /&gt;&lt;col style="width: 14.29%" /&gt;&lt;col style="width: 14.29%" /&gt;&lt;col style="width: 14.29%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;9. Creating agents for same and uploading entire python code on the chrysalis&lt;/H2&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;10. Future Enhancements&lt;/H2&gt;
&lt;P&gt;Next-step enhancements could include:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Scheduled drift monitoring&lt;/LI&gt;
&lt;LI&gt;CI/CD integration after deployment&lt;/LI&gt;
&lt;LI&gt;ServiceNow or Teams notifications&lt;/LI&gt;
&lt;LI&gt;AI-generated remediation summaries&lt;/LI&gt;
&lt;LI&gt;Policy-aware scoring&lt;/LI&gt;
&lt;LI&gt;Compliance dashboards&lt;/LI&gt;
&lt;LI&gt;FinOps insights tied to SKU variance&lt;/LI&gt;
&lt;LI&gt;Historical trend tracking of drift across subscriptions&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 19 May 2026 06:18:13 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-a-terraform-drift-validator-for-azure-with-live-portal/ba-p/4520952</guid>
      <dc:creator>ranjsharma</dc:creator>
      <dc:date>2026-05-19T06:18:13Z</dc:date>
    </item>
    <item>
      <title>Modernizing TCP Applications with Azure Application Gateway Layer 4 TCP/TLS Proxy</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/modernizing-tcp-applications-with-azure-application-gateway/ba-p/4519840</link>
      <description>&lt;H1 data-section-id="133azgn" data-start="1212" data-end="1239"&gt;Why TCP/TLS Proxy Matters&lt;/H1&gt;
&lt;P data-start="1241" data-end="1359"&gt;Modern cloud architectures commonly focus on HTTP/HTTPS traffic management, but many enterprise systems still rely on:&lt;/P&gt;
&lt;UL data-start="1360" data-end="1511"&gt;
&lt;LI data-section-id="lqalmf" data-start="1360" data-end="1387"&gt;Proprietary TCP protocols&lt;/LI&gt;
&lt;LI data-section-id="kw8ng3" data-start="1388" data-end="1419"&gt;Financial transaction systems&lt;/LI&gt;
&lt;LI data-section-id="149c7m2" data-start="1420" data-end="1441"&gt;Messaging platforms&lt;/LI&gt;
&lt;LI data-section-id="1d2gpeg" data-start="1442" data-end="1474"&gt;Legacy middleware applications&lt;/LI&gt;
&lt;LI data-section-id="1y88zqm" data-start="1475" data-end="1511"&gt;Secure client-server communication&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="1513" data-end="1559"&gt;Traditionally, these workloads often required:&lt;/P&gt;
&lt;UL data-start="1560" data-end="1693"&gt;
&lt;LI data-section-id="832oea" data-start="1560" data-end="1595"&gt;Network Virtual Appliances (NVAs)&lt;/LI&gt;
&lt;LI data-section-id="2rmb87" data-start="1596" data-end="1621"&gt;Hardware load balancers&lt;/LI&gt;
&lt;LI data-section-id="17r2cfx" data-start="1622" data-end="1654"&gt;Custom reverse proxy solutions&lt;/LI&gt;
&lt;LI data-section-id="e6od9g" data-start="1655" data-end="1693"&gt;Dedicated TCP ingress infrastructure&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="1695" data-end="1823"&gt;Managing these components across large environments can increase operational complexity and infrastructure maintenance overhead.&lt;/P&gt;
&lt;P data-start="1825" data-end="1999"&gt;The Layer 4 proxy capability in Azure Application Gateway helps organizations standardize ingress management for both HTTP and non-HTTP workloads using Azure-native services.&lt;/P&gt;
&lt;P data-start="1825" data-end="1999"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1 data-section-id="xnn57e" data-start="2006" data-end="2043"&gt;Understanding Layer 4 TCP/TLS Proxy&lt;/H1&gt;
&lt;H2 data-section-id="hf7hzx" data-start="2045" data-end="2085"&gt;Layer 7 vs Layer 4 Traffic Management&lt;/H2&gt;
&lt;H3 data-section-id="l48jsf" data-start="2087" data-end="2111"&gt;Layer 7 (HTTP/HTTPS)&lt;/H3&gt;
&lt;P data-start="2113" data-end="2183"&gt;Layer 7 routing focuses on application-aware traffic handling such as:&lt;/P&gt;
&lt;UL data-start="2184" data-end="2277"&gt;
&lt;LI data-section-id="1qtxb7" data-start="2184" data-end="2203"&gt;URL-based routing&lt;/LI&gt;
&lt;LI data-section-id="wp28qx" data-start="2204" data-end="2223"&gt;Header inspection&lt;/LI&gt;
&lt;LI data-section-id="1bl2sj2" data-start="2224" data-end="2241"&gt;Cookie affinity&lt;/LI&gt;
&lt;LI data-section-id="hld52i" data-start="2242" data-end="2277"&gt;Web Application Firewall policies&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="1s39voz" data-start="2279" data-end="2300"&gt;Layer 4 (TCP/TLS)&lt;/H3&gt;
&lt;P data-start="2302" data-end="2371"&gt;Layer 4 proxy focuses on connection-level traffic handling including:&lt;/P&gt;
&lt;UL data-start="2372" data-end="2472"&gt;
&lt;LI data-section-id="1wzd7zt" data-start="2372" data-end="2396"&gt;TCP traffic forwarding&lt;/LI&gt;
&lt;LI data-section-id="149w76x" data-start="2397" data-end="2423"&gt;TLS traffic pass-through&lt;/LI&gt;
&lt;LI data-section-id="1jf2ogh" data-start="2424" data-end="2444"&gt;Port-based routing&lt;/LI&gt;
&lt;LI data-section-id="n3893k" data-start="2445" data-end="2472"&gt;Backend load distribution&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="2474" data-end="2597"&gt;This approach is useful for applications that do not use HTTP protocols but still require centralized ingress architecture.&lt;/P&gt;
&lt;P data-start="2474" data-end="2597"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1 data-section-id="iu56ur" data-start="2604" data-end="2630"&gt;Key Feature Capabilities&lt;/H1&gt;
&lt;H2 data-section-id="ug22m8" data-start="2632" data-end="2662"&gt;TCP and TLS Traffic Support&lt;/H2&gt;
&lt;P data-start="2664" data-end="2702"&gt;The Layer 4 proxy capability supports:&lt;/P&gt;
&lt;UL data-start="2703" data-end="2794"&gt;
&lt;LI data-section-id="15nuh0i" data-start="2703" data-end="2718"&gt;TCP listeners&lt;/LI&gt;
&lt;LI data-section-id="q56hce" data-start="2719" data-end="2734"&gt;TLS listeners&lt;/LI&gt;
&lt;LI data-section-id="lje7s9" data-start="2735" data-end="2762"&gt;Secure traffic forwarding&lt;/LI&gt;
&lt;LI data-section-id="12my7u1" data-start="2763" data-end="2794"&gt;Backend connection management&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="2796" data-end="2888"&gt;This enables organizations to expose non-HTTP workloads through a centralized ingress layer.&lt;/P&gt;
&lt;H2 data-section-id="11y619i" data-start="2895" data-end="2922"&gt;TLS Pass-Through Support&lt;/H2&gt;
&lt;P data-start="2924" data-end="3034"&gt;In TLS pass-through scenarios, encrypted traffic remains encrypted between the client and backend application.&lt;/P&gt;
&lt;P data-start="3036" data-end="3065"&gt;Potential advantages include:&lt;/P&gt;
&lt;UL data-start="3066" data-end="3187"&gt;
&lt;LI data-section-id="1r6b8xf" data-start="3066" data-end="3097"&gt;End-to-end encryption support&lt;/LI&gt;
&lt;LI data-section-id="gh5n1u" data-start="3098" data-end="3137"&gt;Backend-managed certificate ownership&lt;/LI&gt;
&lt;LI data-section-id="wrs1m9" data-start="3138" data-end="3187"&gt;Reduced application-layer processing at ingress&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="3189" data-end="3281"&gt;This model can be useful for applications with strict encryption or compliance requirements.&lt;/P&gt;
&lt;H2 data-section-id="v2gw2f" data-start="3288" data-end="3316"&gt;Proxy Protocol v1 Support&lt;/H2&gt;
&lt;P data-start="3318" data-end="3418"&gt;One important capability available in TCP/TLS backend settings is support for &lt;STRONG data-start="3396" data-end="3417"&gt;Proxy Protocol v1&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P data-start="3420" data-end="3523"&gt;Proxy Protocol v1 helps pass original client connection information to backend applications, including:&lt;/P&gt;
&lt;UL data-start="3524" data-end="3601"&gt;
&lt;LI data-section-id="oi6kfu" data-start="3524" data-end="3543"&gt;Source IP address&lt;/LI&gt;
&lt;LI data-section-id="k0ecwr" data-start="3544" data-end="3568"&gt;Destination IP address&lt;/LI&gt;
&lt;LI data-section-id="iyiqcs" data-start="3569" data-end="3582"&gt;Source port&lt;/LI&gt;
&lt;LI data-section-id="1pc8dfx" data-start="3583" data-end="3601"&gt;Destination port&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="3603" data-end="3639"&gt;This capability can be valuable for:&lt;/P&gt;
&lt;UL data-start="3640" data-end="3757"&gt;
&lt;LI data-section-id="4nmdm1" data-start="3640" data-end="3670"&gt;Backend logging and auditing&lt;/LI&gt;
&lt;LI data-section-id="1w3hg6k" data-start="3671" data-end="3690"&gt;Security analysis&lt;/LI&gt;
&lt;LI data-section-id="vv7hsq" data-start="3691" data-end="3711"&gt;Connection tracing&lt;/LI&gt;
&lt;LI data-section-id="hotpyn" data-start="3712" data-end="3757"&gt;Applications requiring client IP visibility&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="3759" data-end="3900"&gt;Without Proxy Protocol support, backend applications may only see the Application Gateway frontend IP rather than the original client source.&lt;/P&gt;
&lt;P data-start="3902" data-end="4121"&gt;When enabling Proxy Protocol v1, backend applications must also support parsing the Proxy Protocol header. Organizations should validate application compatibility before enabling this setting in production environments.&lt;/P&gt;
&lt;H2 data-section-id="1aj6vc3" data-start="4128" data-end="4155"&gt;Backend Pool Integration&lt;/H2&gt;
&lt;P data-start="4157" data-end="4210"&gt;Layer 4 proxy supports backend pool integration with:&lt;/P&gt;
&lt;UL data-start="4211" data-end="4336"&gt;
&lt;LI data-section-id="olznun" data-start="4211" data-end="4229"&gt;Virtual machines&lt;/LI&gt;
&lt;LI data-section-id="1yj71np" data-start="4230" data-end="4258"&gt;Virtual machine scale sets&lt;/LI&gt;
&lt;LI data-section-id="qz11mi" data-start="4259" data-end="4278"&gt;IP-based backends&lt;/LI&gt;
&lt;LI data-section-id="lsm4d4" data-start="4279" data-end="4336"&gt;Kubernetes workloads hosted on Azure Kubernetes Service&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="4338" data-end="4444"&gt;This flexibility allows organizations to standardize ingress architecture across different workload types.&lt;/P&gt;
&lt;P data-start="4338" data-end="4444"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1 data-section-id="16jv0hm" data-start="4451" data-end="4480"&gt;Common Enterprise Use Cases&lt;/H1&gt;
&lt;H2 data-section-id="z0yi2j" data-start="4482" data-end="4517"&gt;Legacy Application Modernization&lt;/H2&gt;
&lt;P data-start="4519" data-end="4654"&gt;Organizations migrating traditional applications to Azure may need TCP ingress without redesigning application communication protocols.&lt;/P&gt;
&lt;H2 data-section-id="1hrem5w" data-start="4656" data-end="4683"&gt;Kubernetes TCP Workloads&lt;/H2&gt;
&lt;P data-start="4685" data-end="4773"&gt;Applications running on Azure Kubernetes Service frequently expose TCP services such as:&lt;/P&gt;
&lt;UL data-start="4774" data-end="4871"&gt;
&lt;LI data-section-id="13cqjzq" data-start="4774" data-end="4793"&gt;Messaging brokers&lt;/LI&gt;
&lt;LI data-section-id="1o956xp" data-start="4794" data-end="4814"&gt;Database endpoints&lt;/LI&gt;
&lt;LI data-section-id="cyi6wq" data-start="4815" data-end="4835"&gt;Streaming services&lt;/LI&gt;
&lt;LI data-section-id="13fupbe" data-start="4836" data-end="4871"&gt;Proprietary application protocols&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="4873" data-end="4946"&gt;Layer 4 proxy can help centralize ingress management for these workloads.&lt;/P&gt;
&lt;H2 data-section-id="wvk8ce" data-start="4948" data-end="4974"&gt;Secure TLS Pass-Through&lt;/H2&gt;
&lt;P data-start="4976" data-end="5115"&gt;Some enterprise applications require end-to-end encryption where TLS termination remains on backend services rather than the ingress layer.&lt;/P&gt;
&lt;H2 data-section-id="19l81tj" data-start="5117" data-end="5148"&gt;Hybrid Connectivity Patterns&lt;/H2&gt;
&lt;P data-start="5150" data-end="5277"&gt;Enterprises integrating on-premises applications with Azure workloads may also benefit from centralized TCP traffic management.&lt;/P&gt;
&lt;P data-start="5150" data-end="5277"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1 data-section-id="h3bfrs" data-start="5284" data-end="5308"&gt;Architecture Pattern&lt;/H1&gt;
&lt;P data-start="5352" data-end="5392"&gt;A typical architecture pattern includes:&lt;/P&gt;
&lt;OL data-start="5394" data-end="5655"&gt;
&lt;LI data-section-id="vihet8" data-start="5394" data-end="5444"&gt;Client application initiates TCP/TLS connection&lt;/LI&gt;
&lt;LI data-section-id="6so9fm" data-start="5445" data-end="5498"&gt;Azure Application Gateway receives inbound traffic&lt;/LI&gt;
&lt;LI data-section-id="1bev247" data-start="5499" data-end="5551"&gt;Layer 4 listener forwards traffic to backend pool&lt;/LI&gt;
&lt;LI data-section-id="16yz9cj" data-start="5552" data-end="5595"&gt;Backend applications process TCP traffic&lt;/LI&gt;
&lt;LI data-section-id="1p5ximt" data-start="5596" data-end="5655"&gt;Traffic routing is managed based on backend availability&lt;/LI&gt;
&lt;/OL&gt;
&lt;P data-start="5657" data-end="5695"&gt;Core Azure services commonly involved:&lt;/P&gt;
&lt;UL data-start="5696" data-end="5774"&gt;
&lt;LI data-section-id="144zwnn" data-start="5696" data-end="5723"&gt;Azure Application Gateway&lt;/LI&gt;
&lt;LI data-section-id="139c5xq" data-start="5724" data-end="5750"&gt;Azure Kubernetes Service&lt;/LI&gt;
&lt;LI data-section-id="1lt2pm6" data-start="5751" data-end="5774"&gt;Azure Virtual Network&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1 data-section-id="lvctv2" data-start="6471" data-end="6509"&gt;Benefits of Azure-Native TCP Ingress&lt;/H1&gt;
&lt;P data-start="6511" data-end="6578"&gt;Potential advantages of using Azure-native Layer 4 ingress include:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Area&lt;/th&gt;&lt;th&gt;Potential Benefit&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Operations&lt;/td&gt;&lt;td&gt;Reduced infrastructure management overhead&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Scalability&lt;/td&gt;&lt;td&gt;Managed platform scaling capabilities&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Architecture&lt;/td&gt;&lt;td&gt;Centralized ingress management&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Integration&lt;/td&gt;&lt;td&gt;Native Azure networking compatibility&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Availability&lt;/td&gt;&lt;td&gt;Support for resilient deployment patterns&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1 data-section-id="12hrzbf" data-start="7007" data-end="7028"&gt;Key Recommendations&lt;/H1&gt;
&lt;P data-start="7030" data-end="7070"&gt;When implementing Layer 4 TCP/TLS proxy:&lt;/P&gt;
&lt;UL data-start="7071" data-end="7346"&gt;
&lt;LI data-section-id="vjrs23" data-start="7071" data-end="7149"&gt;Validate backend application compatibility with Proxy Protocol v1 if enabled&lt;/LI&gt;
&lt;LI data-section-id="loen5f" data-start="7150" data-end="7186"&gt;Monitor long-lived TCP connections&lt;/LI&gt;
&lt;LI data-section-id="1wcwst6" data-start="7187" data-end="7219"&gt;Test backend scaling scenarios&lt;/LI&gt;
&lt;LI data-section-id="dwjdie" data-start="7220" data-end="7274"&gt;Validate TLS handling requirements before deployment&lt;/LI&gt;
&lt;LI data-section-id="uzt5na" data-start="7275" data-end="7346"&gt;Align ingress architecture with application connectivity requirements&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="7348" data-end="7411"&gt;For enterprise deployments, organizations should also evaluate:&lt;/P&gt;
&lt;UL data-start="7412" data-end="7493"&gt;
&lt;LI data-section-id="1vuz5rc" data-start="7412" data-end="7444"&gt;Disaster recovery requirements&lt;/LI&gt;
&lt;LI data-section-id="q43szl" data-start="7445" data-end="7464"&gt;Capacity planning&lt;/LI&gt;
&lt;LI data-section-id="mwy9gj" data-start="7465" data-end="7493"&gt;Operational support models&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 14 May 2026 18:51:33 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/modernizing-tcp-applications-with-azure-application-gateway/ba-p/4519840</guid>
      <dc:creator>rbhatia</dc:creator>
      <dc:date>2026-05-14T18:51:33Z</dc:date>
    </item>
    <item>
      <title>From Pipelines to Agents: Self-Healing CI/CD Workflow</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/from-pipelines-to-agents-self-healing-ci-cd-workflow/ba-p/4519494</link>
      <description>&lt;H3 data-path-to-node="4"&gt;&amp;nbsp;&lt;/H3&gt;
&lt;H3 data-path-to-node="4"&gt;&amp;nbsp;&lt;/H3&gt;
&lt;H3 data-path-to-node="4"&gt;&lt;STRONG data-path-to-node="4" data-index-in-node="0"&gt;The Brain of the Operation: Azure OpenAI.&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P data-path-to-node="5"&gt;When building a DevOps agent, following are the points which can be considered to select Azure OpenAI as the ideal choice for logical engine:&lt;/P&gt;
&lt;OL data-path-to-node="6"&gt;
&lt;LI&gt;&lt;STRONG data-path-to-node="6,0,0" data-index-in-node="0"&gt;Native Tool Use:&lt;/STRONG&gt; It is specifically optimized for function calling, allowing the agent to interact with Azure DevOps APIs and Github seamlessly.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG data-path-to-node="6,1,0" data-index-in-node="0"&gt;Cost Efficiency:&lt;/STRONG&gt; As a first-party service, Azure OpenAI is the most cost-effective way to run production-grade agents.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG data-path-to-node="6,2,0" data-index-in-node="0"&gt;Speed and Context:&lt;/STRONG&gt; GPT-4o processes complex logs in seconds, identifying the error much faster.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-path-to-node="8"&gt;&lt;STRONG data-path-to-node="8" data-index-in-node="0"&gt;The Architecture: A Self-Healing Loop&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P data-path-to-node="9"&gt;A self-healing workflow is an agentic loop consisting of three phases: &lt;STRONG data-path-to-node="9" data-index-in-node="71"&gt;Observe, Analyze, and Act.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4 data-path-to-node="10"&gt;&lt;STRONG data-path-to-node="10" data-index-in-node="0"&gt;1. Observe (The Trigger)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P data-path-to-node="11"&gt;The process begins with an event-driven trigger. When an Azure DevOps pipeline fails, a webhook sends the telemetry and build logs to an Azure Function.&lt;/P&gt;
&lt;H4 data-path-to-node="12"&gt;&lt;STRONG data-path-to-node="12" data-index-in-node="0"&gt;2. Analyze (The Reasoning)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P data-path-to-node="13"&gt;The logs are passed to GPT-4o via the Microsoft AI Foundry endpoint. The model doesn't just look for error codes; it understands the infrastructure context.&lt;/P&gt;
&lt;P data-path-to-node="14"&gt;&lt;STRONG data-path-to-node="14" data-index-in-node="0"&gt;The Prompt:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P data-path-to-node="15,0"&gt;&lt;EM data-path-to-node="15,0" data-index-in-node="0"&gt;"You are a DevOps Engineer. Analyze this build log from our Azure Internal Load Balancer deployment. Determine if the failure is a logic error in Terraform or a connectivity issue in the VNET. Suggest the exact code fix in JSON format."&lt;/EM&gt;&lt;/P&gt;
&lt;H4 data-path-to-node="16"&gt;&lt;STRONG data-path-to-node="16" data-index-in-node="0"&gt;3. Act (The Execution)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P data-path-to-node="17"&gt;This is where the agent becomes "autonomous." Using function calling, the agent can take the following action as an example:&lt;/P&gt;
&lt;UL data-path-to-node="18"&gt;
&lt;LI&gt;&lt;STRONG data-path-to-node="18,0,0" data-index-in-node="0"&gt;The Action:&lt;/STRONG&gt; If GPT-4o identifies a missing Health Probe in your ILB config, it invokes a tool to checkout the code branch, apply the fix, and open a Pull Request (PR) for your approval.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-path-to-node="20"&gt;&lt;STRONG data-path-to-node="20" data-index-in-node="0"&gt;Technical Implementation: Unified Inference&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P data-path-to-node="21"&gt;Microsoft AI Foundry provides a standardized way to call Azure OpenAI. This makes the agent code clean and portable:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from azure.ai.inference import ChatCompletionsClient
from azure.core.credentials import AzureKeyCredential

# Initialize the Foundry Client for GPT-4o
client = ChatCompletionsClient(
    endpoint="https://your-gpt4o-deployment.eastus2.models.ai.azure.com",
    credential=AzureKeyCredential("YOUR_FOUNDRY_API_KEY")
)

def self_heal_pipeline(error_logs):
    response = client.complete(
        messages=[
            {"role": "system", "content": "You are an autonomous DevOps assistant."},
            {"role": "user", "content": f"Analyze and propose a fix for this log: {error_logs}"}
        ],
        model="gpt-4o"
    )
    
    # Logic to trigger a GitHub PR or an Azure DevOps Update
    return response.choices[0].message.content&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-path-to-node="23"&gt;&lt;STRONG data-path-to-node="23" data-index-in-node="0"&gt;Practical Example: The Migration Headache&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P data-path-to-node="24"&gt;In our example we had a task of mapping legacy load balancer settings (like &lt;EM data-path-to-node="24" data-index-in-node="139"&gt;fastest-app-response&lt;/EM&gt; or &lt;EM data-path-to-node="24" data-index-in-node="163"&gt;source-address persistence&lt;/EM&gt;) to Azure ILB rules.&lt;/P&gt;
&lt;P data-path-to-node="25"&gt;One small typo in a backend pool member IPs can tank a deployment. We have tested our agent to now scan these configs, flags mismatches, and suggests the correct Azure-native equivalent before the pipeline even runs. It’s saved us days of "trial and error" debugging.&lt;/P&gt;
&lt;P data-path-to-node="25"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-path-to-node="25"&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-path-to-node="28"&gt;&lt;STRONG data-path-to-node="28" data-index-in-node="0"&gt;Final Thoughts: Stability on Autopilot&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P data-path-to-node="29"&gt;We’ve spent years trying to build the "perfect" pipeline, but the reality is that infrastructure is messy and code is human. By shifting the burden of initial troubleshooting to automated agents, we aren't just saving time; we’re increasing the reliability of our entire stack. Microsoft AI Foundry provides the secure sandbox we need to let these agents work safely.&lt;/P&gt;</description>
      <pubDate>Wed, 13 May 2026 20:21:28 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/from-pipelines-to-agents-self-healing-ci-cd-workflow/ba-p/4519494</guid>
      <dc:creator>RavinderGupta</dc:creator>
      <dc:date>2026-05-13T20:21:28Z</dc:date>
    </item>
    <item>
      <title>Azure Arc AKS Explained: Run Kubernetes Beyond Azure Cloud</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/azure-arc-aks-explained-run-kubernetes-beyond-azure-cloud/ba-p/4518443</link>
      <description>&lt;P data-start="62" data-end="192"&gt;Modern enterprises are no longer running workloads only inside a centralized cloud environment. Applications today operate across:&lt;/P&gt;
&lt;UL data-start="194" data-end="335"&gt;
&lt;LI data-section-id="1qarze" data-start="194" data-end="221"&gt;On-premises datacenters&lt;/LI&gt;
&lt;LI data-section-id="1xa8d57" data-start="222" data-end="247"&gt;Remote branch offices&lt;/LI&gt;
&lt;LI data-section-id="u3fi1o" data-start="248" data-end="272"&gt;Manufacturing plants&lt;/LI&gt;
&lt;LI data-section-id="3n6ibn" data-start="273" data-end="290"&gt;Retail stores&lt;/LI&gt;
&lt;LI data-section-id="1k15smd" data-start="291" data-end="309"&gt;Edge locations&lt;/LI&gt;
&lt;LI data-section-id="m3w92b" data-start="310" data-end="335"&gt;Hybrid infrastructure&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="337" data-end="506"&gt;While Kubernetes has become the standard for container orchestration, managing Kubernetes consistently across distributed environments introduces operational complexity.&lt;/P&gt;
&lt;P data-start="508" data-end="675"&gt;This is where Azure Arc and Azure Kubernetes Service extend the Azure control plane beyond traditional Azure cloud boundaries.&lt;/P&gt;
&lt;P data-start="677" data-end="776"&gt;Azure Arc enables organizations to deploy, govern, monitor, and manage Kubernetes clusters running:&lt;/P&gt;
&lt;UL data-start="777" data-end="892"&gt;
&lt;LI data-section-id="kh4cjm" data-start="777" data-end="790"&gt;On-premises&lt;/LI&gt;
&lt;LI data-section-id="10py7rb" data-start="791" data-end="804"&gt;At the edge&lt;/LI&gt;
&lt;LI data-section-id="131svgx" data-start="805" data-end="833"&gt;In multicloud environments&lt;/LI&gt;
&lt;LI data-section-id="xxmf6y" data-start="834" data-end="863"&gt;On virtualization platforms&lt;/LI&gt;
&lt;LI data-section-id="og2vx7" data-start="864" data-end="892"&gt;On physical infrastructure&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="894" data-end="925"&gt;In this guide, we will explore:&lt;/P&gt;
&lt;UL data-start="926" data-end="1144"&gt;
&lt;LI data-section-id="11dzh54" data-start="926" data-end="949"&gt;What Azure Arc AKS is&lt;/LI&gt;
&lt;LI data-section-id="1omdu9y" data-start="950" data-end="978"&gt;How the architecture works&lt;/LI&gt;
&lt;LI data-section-id="ee8krs" data-start="979" data-end="1011"&gt;Core infrastructure components&lt;/LI&gt;
&lt;LI data-section-id="1siqtlk" data-start="1012" data-end="1042"&gt;Step-by-step deployment flow&lt;/LI&gt;
&lt;LI data-section-id="rif47n" data-start="1043" data-end="1070"&gt;Networking considerations&lt;/LI&gt;
&lt;LI data-section-id="f99et" data-start="1071" data-end="1093"&gt;Operational insights&lt;/LI&gt;
&lt;LI data-section-id="ige9s6" data-start="1094" data-end="1144"&gt;Common challenges and troubleshooting approaches&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-section-id="fjleg9" data-start="1151" data-end="1195"&gt;Understanding the Problem Azure Arc Solves&lt;/H2&gt;
&lt;P data-start="1197" data-end="1314"&gt;Traditionally, Kubernetes management becomes fragmented when infrastructure exists outside public cloud environments.&lt;/P&gt;
&lt;P data-start="1316" data-end="1341"&gt;Organizations often face:&lt;/P&gt;
&lt;UL data-start="1342" data-end="1569"&gt;
&lt;LI data-section-id="gvekr" data-start="1342" data-end="1391"&gt;Separate tooling for on-prem and cloud clusters&lt;/LI&gt;
&lt;LI data-section-id="1hh25z5" data-start="1392" data-end="1417"&gt;Inconsistent governance&lt;/LI&gt;
&lt;LI data-section-id="1sd3pfd" data-start="1418" data-end="1449"&gt;Manual onboarding of clusters&lt;/LI&gt;
&lt;LI data-section-id="1e51i8d" data-start="1450" data-end="1479"&gt;Complex identity management&lt;/LI&gt;
&lt;LI data-section-id="1al36kq" data-start="1480" data-end="1528"&gt;Disconnected monitoring and policy enforcement&lt;/LI&gt;
&lt;LI data-section-id="1wm2du6" data-start="1529" data-end="1569"&gt;Operational overhead at edge locations&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="1571" data-end="1674"&gt;Azure Arc addresses this by extending Azure management capabilities to infrastructure running anywhere.&lt;/P&gt;
&lt;P data-start="1676" data-end="1800"&gt;Instead of moving all infrastructure into Azure, Azure Arc brings Azure’s operational model to your existing infrastructure.&lt;/P&gt;
&lt;H2 data-section-id="dp1dvd" data-start="1807" data-end="1831"&gt;What is Azure Arc AKS?&lt;/H2&gt;
&lt;P data-start="1833" data-end="1955"&gt;Azure Arc-enabled Kubernetes allows Kubernetes clusters running outside Azure to become manageable resources inside Azure.&lt;/P&gt;
&lt;P data-start="1957" data-end="1968"&gt;This means:&lt;/P&gt;
&lt;UL data-start="1969" data-end="2172"&gt;
&lt;LI data-section-id="1jq6us7" data-start="1969" data-end="2006"&gt;Clusters appear inside Azure Portal&lt;/LI&gt;
&lt;LI data-section-id="1o2q47h" data-start="2007" data-end="2034"&gt;Azure RBAC can be applied&lt;/LI&gt;
&lt;LI data-section-id="t7g6bl" data-start="2035" data-end="2071"&gt;Policies can be enforced centrally&lt;/LI&gt;
&lt;LI data-section-id="1mri60b" data-start="2072" data-end="2119"&gt;Monitoring and governance become standardized&lt;/LI&gt;
&lt;LI data-section-id="1ok3m97" data-start="2120" data-end="2172"&gt;GitOps and extensions can be deployed consistently&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="2174" data-end="2317"&gt;AKS Arc extends this further by enabling an AKS-like Kubernetes deployment and lifecycle management experience on local or edge infrastructure.&lt;/P&gt;
&lt;H2 data-section-id="1lwh98m" data-start="2324" data-end="2349"&gt;High-Level Architecture&lt;/H2&gt;
&lt;P data-start="2351" data-end="2407"&gt;The deployment architecture typically follows this flow:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-start="2643" data-end="2659"&gt;At a high level:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th class="lia-align-center"&gt;Layer&lt;/th&gt;&lt;th class="lia-align-center"&gt;Purpose&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="lia-align-center"&gt;Infrastructure Layer&lt;/td&gt;&lt;td class="lia-align-center"&gt;Physical server or virtual machine&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="lia-align-center"&gt;Connectivity Layer&lt;/td&gt;&lt;td class="lia-align-center"&gt;Azure Arc agents and registration&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="lia-align-center"&gt;Kubernetes Layer&lt;/td&gt;&lt;td class="lia-align-center"&gt;Kubernetes runtime and orchestration&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="lia-align-center"&gt;Azure Integration Layer&lt;/td&gt;&lt;td class="lia-align-center"&gt;Governance, monitoring, policies&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="lia-align-center"&gt;Operations Layer&lt;/td&gt;&lt;td class="lia-align-center"&gt;Cluster lifecycle and workload management&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3 data-section-id="aetk3l" data-start="3006" data-end="3034"&gt;Core Components of AKS Arc&lt;/H3&gt;
&lt;P data-start="3036" data-end="3115"&gt;Before deployment, it is important to understand the major components involved.&lt;/P&gt;
&lt;H5 data-section-id="qi94wj" data-start="3122" data-end="3137"&gt;1. Azure Arc&lt;/H5&gt;
&lt;P data-start="3139" data-end="3238"&gt;Azure Arc acts as the bridge between Azure and external infrastructure.&lt;/P&gt;
&lt;P data-start="3240" data-end="3251"&gt;It enables:&lt;/P&gt;
&lt;UL data-start="3252" data-end="3375"&gt;
&lt;LI data-section-id="f9l62b" data-start="3252" data-end="3275"&gt;Resource registration&lt;/LI&gt;
&lt;LI data-section-id="1clmywa" data-start="3276" data-end="3295"&gt;Hybrid governance&lt;/LI&gt;
&lt;LI data-section-id="edeocs" data-start="3296" data-end="3316"&gt;Policy enforcement&lt;/LI&gt;
&lt;LI data-section-id="jqae90" data-start="3317" data-end="3329"&gt;Monitoring&lt;/LI&gt;
&lt;LI data-section-id="1up2gso" data-start="3330" data-end="3352"&gt;Extension deployment&lt;/LI&gt;
&lt;LI data-section-id="bstjrl" data-start="3353" data-end="3375"&gt;Inventory management&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5 data-section-id="1jdsms7" data-start="3382" data-end="3408"&gt;2. Arc-Enabled Machines&lt;/H5&gt;
&lt;P data-start="3410" data-end="3420"&gt;These are:&lt;/P&gt;
&lt;UL data-start="3421" data-end="3473"&gt;
&lt;LI data-section-id="nqwudn" data-start="3421" data-end="3439"&gt;Physical servers&lt;/LI&gt;
&lt;LI data-section-id="olznun" data-start="3440" data-end="3458"&gt;Virtual machines&lt;/LI&gt;
&lt;LI data-section-id="3gobq8" data-start="3459" data-end="3473"&gt;Edge devices&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="3475" data-end="3543"&gt;Once connected to Azure Arc, they become manageable Azure resources.&lt;/P&gt;
&lt;H5 data-section-id="lzl3f4" data-start="3550" data-end="3574"&gt;3. Kubernetes Cluster&lt;/H5&gt;
&lt;P data-start="3576" data-end="3606"&gt;The Kubernetes layer provides:&lt;/P&gt;
&lt;UL data-start="3607" data-end="3700"&gt;
&lt;LI data-section-id="krguxg" data-start="3607" data-end="3632"&gt;Container orchestration&lt;/LI&gt;
&lt;LI data-section-id="12s2yqw" data-start="3633" data-end="3645"&gt;Scheduling&lt;/LI&gt;
&lt;LI data-section-id="fhbifq" data-start="3646" data-end="3658"&gt;Networking&lt;/LI&gt;
&lt;LI data-section-id="1tzulud" data-start="3659" data-end="3668"&gt;Scaling&lt;/LI&gt;
&lt;LI data-section-id="1vd8rwq" data-start="3669" data-end="3700"&gt;Workload lifecycle management&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5 data-section-id="rfskz5" data-start="3707" data-end="3728"&gt;4. Custom Location&lt;/H5&gt;
&lt;P data-start="3730" data-end="3820"&gt;Custom Locations create a logical mapping between Azure resources and edge infrastructure.&lt;/P&gt;
&lt;P data-start="3822" data-end="3909"&gt;They allow Azure services to target workloads to specific on-prem or edge environments.&lt;/P&gt;
&lt;H5 data-section-id="1seohwa" data-start="3916" data-end="3933"&gt;5. Device Pool&lt;/H5&gt;
&lt;P data-start="3935" data-end="4003"&gt;A device pool groups machines participating in a cluster deployment.&lt;/P&gt;
&lt;P data-start="4005" data-end="4066"&gt;This becomes especially important in multi-node environments.&lt;/P&gt;
&lt;H5 data-section-id="dvk4xe" data-start="4073" data-end="4101"&gt;6. Logical Network (LNET)&lt;/H5&gt;
&lt;P data-start="4103" data-end="4131"&gt;The Logical Network defines:&lt;/P&gt;
&lt;UL data-start="4132" data-end="4207"&gt;
&lt;LI data-section-id="1wszun0" data-start="4132" data-end="4152"&gt;Cluster networking&lt;/LI&gt;
&lt;LI data-section-id="1ltd9ep" data-start="4153" data-end="4168"&gt;IP allocation&lt;/LI&gt;
&lt;LI data-section-id="1cjy0ww" data-start="4169" data-end="4192"&gt;Gateway configuration&lt;/LI&gt;
&lt;LI data-section-id="t45k4d" data-start="4193" data-end="4207"&gt;DNS behavior&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="4209" data-end="4280"&gt;Networking is one of the most critical parts of any AKS Arc deployment.&lt;/P&gt;
&lt;H3 data-section-id="cjbzdo" data-start="4287" data-end="4330"&gt;Infrastructure Planning Before Deployment&lt;/H3&gt;
&lt;P data-start="4332" data-end="4398"&gt;Before starting deployment, infrastructure readiness is essential.&lt;/P&gt;
&lt;H4 data-section-id="b266xu" data-start="4405" data-end="4431"&gt;Hardware Recommendations&lt;/H4&gt;
&lt;P data-start="4433" data-end="4474"&gt;For a lab or proof-of-concept deployment:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Component&lt;/th&gt;&lt;th&gt;Recommended&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;CPU&lt;/td&gt;&lt;td&gt;4+ vCPUs&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;RAM&lt;/td&gt;&lt;td&gt;16 GB minimum&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Disk&lt;/td&gt;&lt;td&gt;256 GB SSD&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Network&lt;/td&gt;&lt;td&gt;Stable internet connectivity&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P data-start="4623" data-end="4650"&gt;For production deployments:&lt;/P&gt;
&lt;UL data-start="4651" data-end="4801"&gt;
&lt;LI data-section-id="1m7csgx" data-start="4651" data-end="4673"&gt;Redundant networking&lt;/LI&gt;
&lt;LI data-section-id="gs08sq" data-start="4674" data-end="4700"&gt;High-performance storage&lt;/LI&gt;
&lt;LI data-section-id="183resm" data-start="4701" data-end="4724"&gt;Multi-node clustering&lt;/LI&gt;
&lt;LI data-section-id="1d010z2" data-start="4725" data-end="4743"&gt;Power redundancy&lt;/LI&gt;
&lt;LI data-section-id="19zc7z3" data-start="4744" data-end="4773"&gt;Secure network segmentation&lt;/LI&gt;
&lt;LI data-section-id="vrrp5v" data-start="4774" data-end="4801"&gt;Monitoring infrastructure&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="4803" data-end="4828"&gt;should all be considered.&lt;/P&gt;
&lt;H4 data-section-id="10dr634" data-start="4835" data-end="4871"&gt;Physical vs Virtual Infrastructure&lt;/H4&gt;
&lt;P data-start="4873" data-end="4895"&gt;AKS Arc supports both:&lt;/P&gt;
&lt;UL data-start="4896" data-end="4942"&gt;
&lt;LI data-section-id="1ujho1v" data-start="4896" data-end="4915"&gt;Physical hardware&lt;/LI&gt;
&lt;LI data-section-id="1l84vgd" data-start="4916" data-end="4942"&gt;Virtualized environments&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="4944" data-end="4971"&gt;Many engineers begin using:&lt;/P&gt;
&lt;UL data-start="4972" data-end="5053"&gt;
&lt;LI data-section-id="1etlrsl" data-start="4972" data-end="5011"&gt;Hyper-V&lt;/LI&gt;
&lt;LI data-section-id="9xdms2" data-start="5012" data-end="5020"&gt;VMware&lt;/LI&gt;
&lt;LI data-section-id="e2aq7j" data-start="5021" data-end="5053"&gt;Other virtualization platforms&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="5055" data-end="5086"&gt;for lab simulation and testing.&lt;/P&gt;
&lt;H4 data-section-id="1d7cdzt" data-start="5093" data-end="5122"&gt;Virtual Machine Advantages&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Benefit&lt;/th&gt;&lt;th&gt;Explanation&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Faster setup&lt;/td&gt;&lt;td&gt;Easier experimentation&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Lower cost&lt;/td&gt;&lt;td&gt;No dedicated hardware needed&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Flexible snapshots&lt;/td&gt;&lt;td&gt;Quick rollback capability&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Easier automation&lt;/td&gt;&lt;td&gt;Infrastructure reproducibility&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4 data-section-id="1hq3w1i" data-start="5360" data-end="5391"&gt;Physical Hardware Advantages&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Benefit&lt;/th&gt;&lt;th&gt;Explanation&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Realistic edge testing&lt;/td&gt;&lt;td&gt;Accurate network behavior&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Hardware validation&lt;/td&gt;&lt;td&gt;BIOS, TPM, drivers&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Production readiness&lt;/td&gt;&lt;td&gt;Real deployment conditions&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2 data-section-id="1rbfmqn" data-start="5589" data-end="5627"&gt;Step-by-Step AKS Arc Deployment Flow&lt;/H2&gt;
&lt;P data-start="5629" data-end="5678"&gt;Now let us walk through the deployment lifecycle.&lt;/P&gt;
&lt;H4 data-section-id="4usi1c" data-start="5685" data-end="5718"&gt;Step 1 – Prepare Infrastructure&lt;/H4&gt;
&lt;P data-start="5720" data-end="5739"&gt;Create or identify:&lt;/P&gt;
&lt;UL data-start="5740" data-end="5792"&gt;
&lt;LI data-section-id="nqwudn" data-start="5740" data-end="5758"&gt;Physical servers&lt;/LI&gt;
&lt;LI data-section-id="3gobq8" data-start="5759" data-end="5773"&gt;Edge devices&lt;/LI&gt;
&lt;LI data-section-id="olznun" data-start="5774" data-end="5792"&gt;Virtual machines&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="5794" data-end="5801"&gt;Ensure:&lt;/P&gt;
&lt;UL data-start="5802" data-end="5942"&gt;
&lt;LI data-section-id="1g56do6" data-start="5802" data-end="5832"&gt;Internet connectivity exists&lt;/LI&gt;
&lt;LI data-section-id="1banxur" data-start="5833" data-end="5866"&gt;Static IP planning is completed&lt;/LI&gt;
&lt;LI data-section-id="1qqr2w6" data-start="5867" data-end="5899"&gt;DNS resolution works correctly&lt;/LI&gt;
&lt;LI data-section-id="uiiqm3" data-start="5900" data-end="5942"&gt;Firewall rules allow Azure communication&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="1wn9cyw" data-start="5949" data-end="6007"&gt;Step 2 – Configure Virtualization Environment (Optional)&lt;/H3&gt;
&lt;P data-start="6009" data-end="6033"&gt;If using virtualization:&lt;/P&gt;
&lt;P data-start="6035" data-end="6042"&gt;Enable:&lt;/P&gt;
&lt;UL data-start="6043" data-end="6113"&gt;
&lt;LI data-section-id="tfyj74" data-start="6043" data-end="6064"&gt;Hypervisor platform&lt;/LI&gt;
&lt;LI data-section-id="113fwmv" data-start="6065" data-end="6085"&gt;Virtual networking&lt;/LI&gt;
&lt;LI data-section-id="zlhmvf" data-start="6086" data-end="6113"&gt;NAT or bridged networking&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="6115" data-end="6122"&gt;Create:&lt;/P&gt;
&lt;UL data-start="6123" data-end="6190"&gt;
&lt;LI data-section-id="1uh4yqk" data-start="6123" data-end="6148"&gt;Internal virtual switch&lt;/LI&gt;
&lt;LI data-section-id="c6syv5" data-start="6149" data-end="6171"&gt;DHCP-enabled network&lt;/LI&gt;
&lt;LI data-section-id="1hi5khb" data-start="6172" data-end="6190"&gt;Internet routing&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="6192" data-end="6281"&gt;A stable network configuration is critical because cluster deployment depends heavily on:&lt;/P&gt;
&lt;UL data-start="6282" data-end="6376"&gt;
&lt;LI data-section-id="p0lnow" data-start="6282" data-end="6301"&gt;API communication&lt;/LI&gt;
&lt;LI data-section-id="mx6uqo" data-start="6302" data-end="6322"&gt;Agent registration&lt;/LI&gt;
&lt;LI data-section-id="hn1mdy" data-start="6323" data-end="6344"&gt;Extension downloads&lt;/LI&gt;
&lt;LI data-section-id="1z9mh6" data-start="6345" data-end="6376"&gt;Kubernetes node communication&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="11m4wal" data-start="6383" data-end="6423"&gt;Step 3 – Install Operating Environment&lt;/H3&gt;
&lt;P data-start="6425" data-end="6482"&gt;Install the operating system image on the target machine.&lt;/P&gt;
&lt;P data-start="6484" data-end="6513"&gt;Typical requirements include:&lt;/P&gt;
&lt;UL data-start="6514" data-end="6650"&gt;
&lt;LI data-section-id="1nuy7hl" data-start="6514" data-end="6549"&gt;Linux-based edge operating system&lt;/LI&gt;
&lt;LI data-section-id="bf5br0" data-start="6550" data-end="6577"&gt;Container runtime support&lt;/LI&gt;
&lt;LI data-section-id="wdzqjz" data-start="6578" data-end="6604"&gt;Kubernetes prerequisites&lt;/LI&gt;
&lt;LI data-section-id="11r4mvg" data-start="6605" data-end="6633"&gt;Secure boot considerations&lt;/LI&gt;
&lt;LI data-section-id="5bu1e" data-start="6634" data-end="6650"&gt;TPM enablement&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="6652" data-end="6674"&gt;Recommended VM sizing:&lt;/P&gt;
&lt;UL data-start="6675" data-end="6726"&gt;
&lt;LI data-section-id="17dzm5w" data-start="6675" data-end="6686"&gt;16 GB RAM&lt;/LI&gt;
&lt;LI data-section-id="1xdchgv" data-start="6687" data-end="6709"&gt;4 processors minimum&lt;/LI&gt;
&lt;LI data-section-id="ujlntx" data-start="6710" data-end="6726"&gt;256 GB storage&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Get Image Reference to know where to Download Azure Local OS (ROE) and Azure Local Configurator App -&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-section-id="ssr3ug" data-start="6733" data-end="6779"&gt;Step 4 – Connect Infrastructure to Azure Arc&lt;/H3&gt;
&lt;P data-start="6781" data-end="6813"&gt;Once the machine is operational:&lt;/P&gt;
&lt;UL data-start="6814" data-end="6916"&gt;
&lt;LI data-section-id="94219c" data-start="6814" data-end="6851"&gt;Install Arc connectivity components&lt;/LI&gt;
&lt;LI data-section-id="1j7qzie" data-start="6852" data-end="6885"&gt;Register the machine with Azure&lt;/LI&gt;
&lt;LI data-section-id="bg5cfs" data-start="6886" data-end="6916"&gt;Verify successful onboarding&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="6918" data-end="6948"&gt;After successful registration:&lt;/P&gt;
&lt;UL data-start="6949" data-end="7047"&gt;
&lt;LI data-section-id="vh0vej" data-start="6949" data-end="6998"&gt;The machine becomes visible inside Azure Portal&lt;/LI&gt;
&lt;LI data-section-id="1m9ho5v" data-start="6999" data-end="7047"&gt;Azure governance capabilities become available&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="7049" data-end="7093"&gt;At this stage, the machine transitions from:&lt;/P&gt;
&lt;P data-start="7096" data-end="7123"&gt;“Standalone infrastructure”&lt;/P&gt;
&lt;P data-start="7125" data-end="7128"&gt;to:&lt;/P&gt;
&lt;P data-start="7132" data-end="7163"&gt;“Azure-managed hybrid resource”&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;LI-CODE lang=""&gt;Login to Azure and Set Subscription

az login
az account set \
  --subscription "&amp;lt;subscription-id&amp;gt;"

Install Connected Machine Agent

#Install Azure Arc agent on Linux machine.
wget https://aka.ms/azcmagent -O ~/install_linux_azcmagent.sh
bash ~/install_linux_azcmagent.sh

Connect Machine to Azure Arc

#Register machine as Arc-enabled server.
sudo azcmagent connect \
  --resource-group "&amp;lt;resource-group&amp;gt;" \
  --tenant-id "&amp;lt;tenant-id&amp;gt;" \
  --location "&amp;lt;azure-region&amp;gt;" \
  --subscription-id "&amp;lt;subscription-id&amp;gt;"

Verify Arc Agent Status

#Confirm successful Arc onboarding.
azcmagent show
Agent Status : Connected


Verify Arc Machine in Azure

#List Arc-enabled servers.
az connectedmachine list \ 
  --resource-group "&amp;lt;resource-group&amp;gt;"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-section-id="muyrgt" data-start="7170" data-end="7206"&gt;Step 5 – Create the Azure Arc Site&lt;/H3&gt;
&lt;P data-start="7208" data-end="7275"&gt;The Arc Site acts as the logical container for edge infrastructure.&lt;/P&gt;
&lt;P data-start="7277" data-end="7290"&gt;During setup:&lt;/P&gt;
&lt;UL data-start="7291" data-end="7386"&gt;
&lt;LI data-section-id="9ustf" data-start="7291" data-end="7312"&gt;Select subscription&lt;/LI&gt;
&lt;LI data-section-id="12ydzvk" data-start="7313" data-end="7336"&gt;Choose resource group&lt;/LI&gt;
&lt;LI data-section-id="jblogl" data-start="7337" data-end="7352"&gt;Define region&lt;/LI&gt;
&lt;LI data-section-id="b96cnt" data-start="7353" data-end="7386"&gt;Register machines into the site&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="7388" data-end="7419"&gt;This enables Azure to organize:&lt;/P&gt;
&lt;UL data-start="7420" data-end="7498"&gt;
&lt;LI data-section-id="z5zsff" data-start="7420" data-end="7441"&gt;Provisioned devices&lt;/LI&gt;
&lt;LI data-section-id="l8u2oh" data-start="7442" data-end="7452"&gt;Clusters&lt;/LI&gt;
&lt;LI data-section-id="v6bfhr" data-start="7453" data-end="7475"&gt;Networking resources&lt;/LI&gt;
&lt;LI data-section-id="knwc71" data-start="7476" data-end="7498"&gt;Operational metadata&lt;/LI&gt;
&lt;/UL&gt;
&lt;LI-CODE lang=""&gt;Create Resource Group

#Logical container for Arc resources.
az group create \
  --name "&amp;lt;resource-group&amp;gt;" \
  --location "&amp;lt;azure-region&amp;gt;"


Register Required Providers

#Enable Arc and AKS Arc services.
az provider register --namespace Microsoft.HybridCompute
az provider register --namespace Microsoft.Kubernetes
az provider register --namespace Microsoft.KubernetesConfiguration
az provider register --namespace Microsoft.ExtendedLocation
az provider register --namespace Microsoft.ResourceConnector
az provider register --namespace Microsoft.ContainerService


Verify Provider Registration

#Ensure providers are fully available.
az provider show \
  --namespace Microsoft.Kubernetes \
  --query registrationState


Install Arc Extensions

#Enable AKS Arc management capabilities.
az extension add --name connectedk8s
az extension add --name customlocation
az extension add --name k8s-extension
az extension add --name aksarc


Create Custom Location

#Map Azure services to edge infrastructure.
az customlocation create \
  --name "&amp;lt;custom-location-name&amp;gt;" \
  --resource-group "&amp;lt;resource-group&amp;gt;" \
  --host-resource-id "&amp;lt;connected-cluster-resource-id&amp;gt;" \
  --namespace "&amp;lt;namespace&amp;gt;" \
  --cluster-extension-ids "&amp;lt;extension-id&amp;gt;"


&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-section-id="nvws37" data-start="7505" data-end="7540"&gt;Step 6 – Verify Machine Readiness&lt;/H3&gt;
&lt;P data-start="7542" data-end="7559"&gt;After onboarding:&lt;/P&gt;
&lt;UL data-start="7560" data-end="7670"&gt;
&lt;LI data-section-id="jg6rdj" data-start="7560" data-end="7591"&gt;Machines undergo provisioning&lt;/LI&gt;
&lt;LI data-section-id="1m07fey" data-start="7592" data-end="7611"&gt;Agents initialize&lt;/LI&gt;
&lt;LI data-section-id="d1bmxp" data-start="7612" data-end="7644"&gt;Connectivity validation occurs&lt;/LI&gt;
&lt;LI data-section-id="1jw63em" data-start="7645" data-end="7670"&gt;Extensions are deployed&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="7672" data-end="7731"&gt;Eventually the machine reaches a healthy operational state.&lt;/P&gt;
&lt;P data-start="7733" data-end="7752"&gt;Typical indicators:&lt;/P&gt;
&lt;UL data-start="7753" data-end="7790"&gt;
&lt;LI data-section-id="279fiv" data-start="7753" data-end="7764"&gt;Connected&lt;/LI&gt;
&lt;LI data-section-id="179ha6b" data-start="7765" data-end="7772"&gt;Ready&lt;/LI&gt;
&lt;LI data-section-id="16qgd07" data-start="7773" data-end="7790"&gt;Cluster-capable&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="7792" data-end="7846"&gt;Provisioning time may vary significantly depending on:&lt;/P&gt;
&lt;UL data-start="7847" data-end="7948"&gt;
&lt;LI data-section-id="autmjf" data-start="7847" data-end="7864"&gt;Network quality&lt;/LI&gt;
&lt;LI data-section-id="ki2mvi" data-start="7865" data-end="7887"&gt;Hardware performance&lt;/LI&gt;
&lt;LI data-section-id="1km1oe0" data-start="7888" data-end="7917"&gt;Extension installation time&lt;/LI&gt;
&lt;LI data-section-id="utzz1h" data-start="7918" data-end="7948"&gt;Azure synchronization delays&lt;/LI&gt;
&lt;/UL&gt;
&lt;LI-CODE lang=""&gt;Check Arc Machine Connectivity

#Verify machine connection status.
az connectedmachine show \
  --name "&amp;lt;machine-name&amp;gt;" \
  --resource-group "&amp;lt;resource-group&amp;gt;"

#Look for:
#status : Connected&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-section-id="1f9c35t" data-start="7955" data-end="7992"&gt;Step 7 – Deploy the AKS Arc Cluster&lt;/H3&gt;
&lt;P data-start="7994" data-end="8049"&gt;Once infrastructure is ready:&lt;BR /&gt;begin cluster deployment.&lt;/P&gt;
&lt;P data-start="8051" data-end="8093"&gt;Deployment configuration usually includes:&lt;/P&gt;
&lt;UL data-start="8094" data-end="8209"&gt;
&lt;LI data-section-id="r5m8bp" data-start="8094" data-end="8108"&gt;Cluster name&lt;/LI&gt;
&lt;LI data-section-id="1yvcs88" data-start="8109" data-end="8125"&gt;Node selection&lt;/LI&gt;
&lt;LI data-section-id="16gc1uu" data-start="8126" data-end="8152"&gt;Networking configuration&lt;/LI&gt;
&lt;LI data-section-id="1yp6rpe" data-start="8153" data-end="8168"&gt;IP assignment&lt;/LI&gt;
&lt;LI data-section-id="1lmic01" data-start="8169" data-end="8188"&gt;DNS configuration&lt;/LI&gt;
&lt;LI data-section-id="1591g1x" data-start="8189" data-end="8209"&gt;Gateway definition&lt;/LI&gt;
&lt;/UL&gt;
&lt;LI-CODE lang=""&gt;Create Logical Network (LNET)

#Define networking for AKS Arc cluster.
az aksarc network create \
  --name "&amp;lt;lnet-name&amp;gt;" \
  --resource-group "&amp;lt;resource-group&amp;gt;"


Create AKS Arc Cluster

#Deploy Kubernetes cluster on Arc infrastructure.
az aksarc create \
  --name "&amp;lt;cluster-name&amp;gt;" \
  --resource-group "&amp;lt;resource-group&amp;gt;" \
  --custom-location "&amp;lt;custom-location-id&amp;gt;" \
  --vnet-ids "&amp;lt;logical-network-id&amp;gt;"


Verify Kubernetes Connectivity

#Check Arc-enabled Kubernetes status.
az connectedk8s list \
  --resource-group "&amp;lt;resource-group&amp;gt;"

Check Installed Extensions

#Validate required Arc extensions.
az k8s-extension list \
  --cluster-name "&amp;lt;cluster-name&amp;gt;" \
  --resource-group "&amp;lt;resource-group&amp;gt;" \
  --cluster-type connectedClusters


Check Node Readiness

#Validate Kubernetes node health.
kubectl get nodes&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-section-id="pif6ue" data-start="8216" data-end="8253"&gt;Understanding Networking Parameters&lt;/H3&gt;
&lt;P data-start="8255" data-end="8326"&gt;Networking is often the most misunderstood area in AKS Arc deployments.&lt;/P&gt;
&lt;P data-start="8328" data-end="8369"&gt;Let us simplify the important parameters.&lt;/P&gt;
&lt;H4&gt;Subnet&lt;/H4&gt;
&lt;P data-start="8387" data-end="8416"&gt;Defines the IP range used by:&lt;/P&gt;
&lt;UL data-start="8417" data-end="8479"&gt;
&lt;LI data-section-id="1qhiux" data-start="8417" data-end="8435"&gt;Kubernetes nodes&lt;/LI&gt;
&lt;LI data-section-id="1ohe2y4" data-start="8436" data-end="8454"&gt;Cluster services&lt;/LI&gt;
&lt;LI data-section-id="rn0npr" data-start="8455" data-end="8479"&gt;Internal communication&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="8481" data-end="8489"&gt;Example:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;192.168.1.0/24&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4 data-section-id="1nnffbt" data-start="8523" data-end="8536"&gt;DNS Server&lt;/H4&gt;
&lt;P data-start="8538" data-end="8547"&gt;Used for:&lt;/P&gt;
&lt;UL data-start="8548" data-end="8637"&gt;
&lt;LI data-section-id="4haqu9" data-start="8548" data-end="8565"&gt;Name resolution&lt;/LI&gt;
&lt;LI data-section-id="mgpuic" data-start="8566" data-end="8586"&gt;Azure connectivity&lt;/LI&gt;
&lt;LI data-section-id="ily5ed" data-start="8587" data-end="8606"&gt;Package downloads&lt;/LI&gt;
&lt;LI data-section-id="frwrul" data-start="8607" data-end="8637"&gt;Kubernetes service discovery&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="8639" data-end="8659"&gt;Public DNS examples:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;8.8.8.8&lt;BR /&gt;1.1.1.1&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P data-start="8689" data-end="8751"&gt;Production environments typically use internal enterprise DNS.&lt;/P&gt;
&lt;H4 data-section-id="kpve8m" data-start="8758" data-end="8776"&gt;Default Gateway&lt;/H4&gt;
&lt;P data-start="8778" data-end="8830"&gt;The gateway routes traffic outside the local subnet.&lt;/P&gt;
&lt;P data-start="8832" data-end="8870"&gt;Without correct gateway configuration:&lt;/P&gt;
&lt;UL data-start="8871" data-end="8959"&gt;
&lt;LI data-section-id="pascat" data-start="8871" data-end="8897"&gt;Azure connectivity fails&lt;/LI&gt;
&lt;LI data-section-id="mdi7dp" data-start="8898" data-end="8926"&gt;Agent communication breaks&lt;/LI&gt;
&lt;LI data-section-id="14virko" data-start="8927" data-end="8959"&gt;Cluster provisioning may stall&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 data-section-id="1gpkrx8" data-start="8966" data-end="8976"&gt;Host IP&lt;/H4&gt;
&lt;P data-start="8978" data-end="9019"&gt;Each machine requires a unique static IP.&lt;/P&gt;
&lt;P data-start="9021" data-end="9040"&gt;This IP identifies:&lt;/P&gt;
&lt;UL data-start="9041" data-end="9107"&gt;
&lt;LI data-section-id="1qhiux" data-start="9041" data-end="9059"&gt;Kubernetes nodes&lt;/LI&gt;
&lt;LI data-section-id="17t5ssx" data-start="9060" data-end="9075"&gt;Cluster hosts&lt;/LI&gt;
&lt;LI data-section-id="1bcu38c" data-start="9076" data-end="9107"&gt;Edge infrastructure endpoints&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 data-section-id="tlagml" data-start="9114" data-end="9133"&gt;Control Plane IP&lt;/H4&gt;
&lt;P data-start="9135" data-end="9188"&gt;The Kubernetes API server requires a stable endpoint.&lt;/P&gt;
&lt;P data-start="9190" data-end="9242"&gt;This becomes the cluster management address used by:&lt;/P&gt;
&lt;UL data-start="9243" data-end="9287"&gt;
&lt;LI data-section-id="1r9sa4q" data-start="9243" data-end="9252"&gt;kubectl&lt;/LI&gt;
&lt;LI data-section-id="1o1o398" data-start="9253" data-end="9271"&gt;automation tools&lt;/LI&gt;
&lt;LI data-section-id="kfco0s" data-start="9272" data-end="9287"&gt;CI/CD systems&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="6cuwik" data-start="9294" data-end="9325"&gt;Step 8 – Cluster Provisioning by Azure&amp;nbsp;&lt;/H3&gt;
&lt;P data-start="9327" data-end="9365"&gt;Once deployment begins, Azure creates:&lt;/P&gt;
&lt;UL data-start="9366" data-end="9487"&gt;
&lt;LI data-section-id="1gccy5b" data-start="9366" data-end="9380"&gt;Device pools&lt;/LI&gt;
&lt;LI data-section-id="1gjbklx" data-start="9381" data-end="9399"&gt;Custom locations&lt;/LI&gt;
&lt;LI data-section-id="5zzsqu" data-start="9400" data-end="9418"&gt;Logical networks&lt;/LI&gt;
&lt;LI data-section-id="42gz42" data-start="9419" data-end="9455"&gt;Kubernetes control plane resources&lt;/LI&gt;
&lt;LI data-section-id="1cv0xol" data-start="9456" data-end="9487"&gt;Cluster integration resources&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="9489" data-end="9511"&gt;Provisioning can take:&lt;/P&gt;
&lt;UL data-start="9512" data-end="9551"&gt;
&lt;LI data-section-id="10i1g89" data-start="9512" data-end="9551"&gt;1 to 2 hours depending on environment&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="9553" data-end="9599"&gt;This duration surprises many first-time users.&lt;/P&gt;
&lt;P data-start="9601" data-end="9654"&gt;Unlike cloud-native AKS:&lt;BR /&gt;AKS Arc deployments involve:&lt;/P&gt;
&lt;UL data-start="9655" data-end="9779"&gt;
&lt;LI data-section-id="1qdtdnv" data-start="9655" data-end="9676"&gt;Hybrid coordination&lt;/LI&gt;
&lt;LI data-section-id="121001w" data-start="9677" data-end="9704"&gt;Infrastructure validation&lt;/LI&gt;
&lt;LI data-section-id="utwb09" data-start="9705" data-end="9727"&gt;Edge synchronization&lt;/LI&gt;
&lt;LI data-section-id="kdzfm0" data-start="9728" data-end="9746"&gt;Agent deployment&lt;/LI&gt;
&lt;LI data-section-id="ex6pfv" data-start="9747" data-end="9779"&gt;Local networking configuration&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="37qexy" data-start="9786" data-end="9824"&gt;Step 9 – Verify Cluster Connectivity&lt;/H3&gt;
&lt;P data-start="9826" data-end="9866"&gt;After deployment:&lt;BR /&gt;verify cluster health.&lt;/P&gt;
&lt;P data-start="9868" data-end="9892"&gt;Common validation steps:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;az aksarc get-credentials \
--name &amp;lt;cluster-name&amp;gt; \
--resource-group &amp;lt;resource-group&amp;gt;&lt;/LI-CODE&gt;
&lt;P data-start="9997" data-end="10043"&gt;This retrieves Kubernetes credentials locally.&lt;/P&gt;
&lt;P data-start="10050" data-end="10068"&gt;Then verify nodes:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;kubectl get nodes&lt;/LI-CODE&gt;
&lt;P data-start="10101" data-end="10132"&gt;Healthy output typically shows:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;STATUS = Ready&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P data-start="10162" data-end="10190"&gt;for all participating nodes.&lt;/P&gt;
&lt;H2 data-section-id="6j9rmi" data-start="10197" data-end="10230"&gt;Operational Benefits of AKS Arc&lt;/H2&gt;
&lt;P data-start="10232" data-end="10292"&gt;Once operational, AKS Arc provides several major advantages.&lt;/P&gt;
&lt;H3 data-section-id="dt1ry1" data-start="10299" data-end="10323"&gt;Centralized Governance&lt;/H3&gt;
&lt;P data-start="10325" data-end="10344"&gt;Using Azure Policy:&lt;/P&gt;
&lt;UL data-start="10345" data-end="10424"&gt;
&lt;LI data-section-id="efp9na" data-start="10345" data-end="10365"&gt;Security baselines&lt;/LI&gt;
&lt;LI data-section-id="1yennrc" data-start="10366" data-end="10384"&gt;Compliance rules&lt;/LI&gt;
&lt;LI data-section-id="ujsl05" data-start="10385" data-end="10404"&gt;Tagging standards&lt;/LI&gt;
&lt;LI data-section-id="z2sgfq" data-start="10405" data-end="10424"&gt;Resource controls&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="10426" data-end="10455"&gt;can be enforced consistently.&lt;/P&gt;
&lt;H3 data-section-id="1fun186" data-start="10462" data-end="10482"&gt;Unified Monitoring&lt;/H3&gt;
&lt;P data-start="10484" data-end="10501"&gt;Integration with:&lt;/P&gt;
&lt;UL data-start="10502" data-end="10554"&gt;
&lt;LI data-section-id="1rbp5z1" data-start="10502" data-end="10517"&gt;Azure Monitor&lt;/LI&gt;
&lt;LI data-section-id="15ynm8q" data-start="10518" data-end="10538"&gt;Container Insights&lt;/LI&gt;
&lt;LI data-section-id="pg3mqi" data-start="10539" data-end="10554"&gt;Log Analytics&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="10556" data-end="10622"&gt;provides operational visibility across distributed infrastructure.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;az k8s-extension create \
  --name azuremonitor-containers \
  --cluster-name "&amp;lt;cluster-name&amp;gt;" \
  --resource-group "&amp;lt;resource-group&amp;gt;" \
  --cluster-type connectedClusters \
  --extension-type Microsoft.AzureMonitor.Containers&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-section-id="1xyqznq" data-start="10629" data-end="10655"&gt;GitOps-Based Deployments&lt;/H3&gt;
&lt;P data-start="10657" data-end="10697"&gt;AKS Arc supports GitOps workflows where:&lt;/P&gt;
&lt;UL data-start="10698" data-end="10758"&gt;
&lt;LI data-section-id="1t3wzdi" data-start="10698" data-end="10720"&gt;Kubernetes manifests&lt;/LI&gt;
&lt;LI data-section-id="t9wvej" data-start="10721" data-end="10734"&gt;Helm charts&lt;/LI&gt;
&lt;LI data-section-id="1dtspga" data-start="10735" data-end="10758"&gt;Configuration updates&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="10760" data-end="10816"&gt;can be synchronized automatically from Git repositories.&lt;/P&gt;
&lt;LI-CODE lang=""&gt;az k8s-configuration flux create \
  --cluster-name "&amp;lt;cluster-name&amp;gt;" \
  --resource-group "&amp;lt;resource-group&amp;gt;" \
  --name "&amp;lt;gitops-config&amp;gt;"&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3 data-section-id="hkepes" data-start="10823" data-end="10843"&gt;Hybrid Consistency&lt;/H3&gt;
&lt;P data-start="10845" data-end="10891"&gt;Teams can operate Kubernetes similarly across:&lt;/P&gt;
&lt;UL data-start="10892" data-end="10939"&gt;
&lt;LI data-section-id="cz545c" data-start="10892" data-end="10905"&gt;Azure cloud&lt;/LI&gt;
&lt;LI data-section-id="kh4cjm" data-start="10906" data-end="10919"&gt;On-premises&lt;/LI&gt;
&lt;LI data-section-id="b2pswd" data-start="10920" data-end="10939"&gt;Edge environments&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="10941" data-end="10980"&gt;This reduces operational fragmentation.&lt;/P&gt;
&lt;H2 data-section-id="1ut8ri7" data-start="10987" data-end="11029"&gt;Common Challenges in AKS Arc Deployments&lt;/H2&gt;
&lt;P data-start="11031" data-end="11078"&gt;Real-world deployments are rarely frictionless.&lt;/P&gt;
&lt;P data-start="11080" data-end="11137"&gt;Here are some practical issues engineers often encounter.&lt;/P&gt;
&lt;H3 data-section-id="bjyijk" data-start="11144" data-end="11176"&gt;1. Networking Misconfiguration&lt;/H3&gt;
&lt;P data-start="11178" data-end="11187"&gt;Symptoms:&lt;/P&gt;
&lt;UL data-start="11188" data-end="11252"&gt;
&lt;LI data-section-id="b3nxy3" data-start="11188" data-end="11208"&gt;Provisioning stuck&lt;/LI&gt;
&lt;LI data-section-id="1harq6h" data-start="11209" data-end="11233"&gt;Cluster not connecting&lt;/LI&gt;
&lt;LI data-section-id="1ph9zzw" data-start="11234" data-end="11252"&gt;Agents unhealthy&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="11254" data-end="11266"&gt;Root causes:&lt;/P&gt;
&lt;UL data-start="11267" data-end="11342"&gt;
&lt;LI data-section-id="15rybze" data-start="11267" data-end="11285"&gt;Incorrect subnet&lt;/LI&gt;
&lt;LI data-section-id="6auc1t" data-start="11286" data-end="11303"&gt;Invalid gateway&lt;/LI&gt;
&lt;LI data-section-id="1quvqf6" data-start="11304" data-end="11318"&gt;DNS failures&lt;/LI&gt;
&lt;LI data-section-id="sjkqe9" data-start="11319" data-end="11342"&gt;Firewall restrictions&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="10t2z1w" data-start="11349" data-end="11371"&gt;2. Slow Provisioning&lt;/H3&gt;
&lt;P data-start="11373" data-end="11404"&gt;Provisioning delays are common.&lt;/P&gt;
&lt;P data-start="11406" data-end="11422"&gt;Reasons include:&lt;/P&gt;
&lt;UL data-start="11423" data-end="11528"&gt;
&lt;LI data-section-id="1vwzrh9" data-start="11423" data-end="11450"&gt;Extension deployment time&lt;/LI&gt;
&lt;LI data-section-id="lwvdbc" data-start="11451" data-end="11468"&gt;Image downloads&lt;/LI&gt;
&lt;LI data-section-id="1gy3l2e" data-start="11469" data-end="11496"&gt;Edge connectivity latency&lt;/LI&gt;
&lt;LI data-section-id="1i6j1vj" data-start="11497" data-end="11528"&gt;Infrastructure initialization&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="11530" data-end="11583"&gt;Patience becomes important during initial deployment.&lt;/P&gt;
&lt;H3 data-section-id="xlhdhj" data-start="11590" data-end="11615"&gt;3. Resource Constraints&lt;/H3&gt;
&lt;P data-start="11617" data-end="11630"&gt;Insufficient:&lt;/P&gt;
&lt;UL data-start="11631" data-end="11652"&gt;
&lt;LI data-section-id="1o4tjq" data-start="11631" data-end="11636"&gt;RAM&lt;/LI&gt;
&lt;LI data-section-id="1o4e26" data-start="11637" data-end="11642"&gt;CPU&lt;/LI&gt;
&lt;LI data-section-id="1p4gu1d" data-start="11643" data-end="11652"&gt;Storage&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="11654" data-end="11697"&gt;can destabilize the Kubernetes environment.&lt;/P&gt;
&lt;P data-start="11699" data-end="11762"&gt;Edge clusters still require enterprise-grade resource planning.&lt;/P&gt;
&lt;H3 data-section-id="31dc02" data-start="11769" data-end="11801"&gt;4. Hybrid Debugging Complexity&lt;/H3&gt;
&lt;P data-start="11803" data-end="11825"&gt;Troubleshooting spans:&lt;/P&gt;
&lt;UL data-start="11826" data-end="11895"&gt;
&lt;LI data-section-id="16ywf75" data-start="11826" data-end="11833"&gt;Azure&lt;/LI&gt;
&lt;LI data-section-id="1hb2fca" data-start="11834" data-end="11846"&gt;Kubernetes&lt;/LI&gt;
&lt;LI data-section-id="fhbifq" data-start="11847" data-end="11859"&gt;Networking&lt;/LI&gt;
&lt;LI data-section-id="z408si" data-start="11860" data-end="11882"&gt;Local infrastructure&lt;/LI&gt;
&lt;LI data-section-id="piehxu" data-start="11883" data-end="11895"&gt;Arc agents&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="11897" data-end="11951"&gt;This requires multidisciplinary operational knowledge.&lt;/P&gt;
&lt;H2 data-section-id="kky646" data-start="11958" data-end="11998"&gt;Best Practices for AKS Arc Deployments&lt;/H2&gt;
&lt;H3 data-section-id="1ca0z1n" data-start="12005" data-end="12029"&gt;Plan Networking Early&lt;/H3&gt;
&lt;P data-start="12031" data-end="12086"&gt;Most deployment issues originate from poor IP planning.&lt;/P&gt;
&lt;P data-start="12088" data-end="12097"&gt;Document:&lt;/P&gt;
&lt;UL data-start="12098" data-end="12148"&gt;
&lt;LI data-section-id="1l2c08w" data-start="12098" data-end="12107"&gt;Subnets&lt;/LI&gt;
&lt;LI data-section-id="1o4e9d" data-start="12108" data-end="12113"&gt;DNS&lt;/LI&gt;
&lt;LI data-section-id="a2ymub" data-start="12114" data-end="12124"&gt;Gateways&lt;/LI&gt;
&lt;LI data-section-id="1lpdutm" data-start="12125" data-end="12148"&gt;Static IP allocations&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="12150" data-end="12175"&gt;before deployment begins.&lt;/P&gt;
&lt;H3 data-section-id="1c49g24" data-start="12182" data-end="12212"&gt;Start with Single-Node Labs&lt;/H3&gt;
&lt;P data-start="12214" data-end="12226"&gt;Begin small:&lt;/P&gt;
&lt;UL data-start="12227" data-end="12303"&gt;
&lt;LI data-section-id="1449diz" data-start="12227" data-end="12250"&gt;Validate architecture&lt;/LI&gt;
&lt;LI data-section-id="1f60tef" data-start="12251" data-end="12274"&gt;Learn deployment flow&lt;/LI&gt;
&lt;LI data-section-id="1c0fpqz" data-start="12275" data-end="12303"&gt;Test operational processes&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="12305" data-end="12349"&gt;Then scale toward production-grade clusters.&lt;/P&gt;
&lt;H3 data-section-id="6ouqw8" data-start="12356" data-end="12377"&gt;Monitor Everything&lt;/H3&gt;
&lt;P data-start="12379" data-end="12387"&gt;Collect:&lt;/P&gt;
&lt;UL data-start="12388" data-end="12460"&gt;
&lt;LI data-section-id="8tqeai" data-start="12388" data-end="12401"&gt;System logs&lt;/LI&gt;
&lt;LI data-section-id="1tr3o45" data-start="12402" data-end="12421"&gt;Kubernetes events&lt;/LI&gt;
&lt;LI data-section-id="1kshp9y" data-start="12422" data-end="12438"&gt;Arc agent logs&lt;/LI&gt;
&lt;LI data-section-id="9c7naa" data-start="12439" data-end="12460"&gt;Network diagnostics&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="12462" data-end="12511"&gt;Hybrid environments require strong observability.&lt;/P&gt;
&lt;H3 data-section-id="1jdva3j" data-start="12518" data-end="12562"&gt;Treat Edge Like Production Infrastructure&lt;/H3&gt;
&lt;P data-start="12564" data-end="12603"&gt;Even lab environments should implement:&lt;/P&gt;
&lt;UL data-start="12604" data-end="12683"&gt;
&lt;LI data-section-id="d2hv9m" data-start="12604" data-end="12623"&gt;Security controls&lt;/LI&gt;
&lt;LI data-section-id="32sb1" data-start="12624" data-end="12645"&gt;Identity management&lt;/LI&gt;
&lt;LI data-section-id="15j0o4b" data-start="12646" data-end="12663"&gt;Backup planning&lt;/LI&gt;
&lt;LI data-section-id="uv89gi" data-start="12664" data-end="12683"&gt;Access governance&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="dqht4n" data-start="12690" data-end="12712"&gt;Real-World Use Cases&lt;/H3&gt;
&lt;P data-start="12714" data-end="12813"&gt;AKS Arc is especially valuable in environments where low latency or disconnected operations matter.&lt;/P&gt;
&lt;P data-start="12815" data-end="12832"&gt;Examples include:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Industry&lt;/th&gt;&lt;th&gt;Use Case&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Manufacturing&lt;/td&gt;&lt;td&gt;Factory automation&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Retail&lt;/td&gt;&lt;td&gt;Store analytics&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Energy&lt;/td&gt;&lt;td&gt;Remote substations&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Healthcare&lt;/td&gt;&lt;td&gt;Local processing&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Logistics&lt;/td&gt;&lt;td&gt;Warehouse orchestration&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Telecom&lt;/td&gt;&lt;td&gt;Edge compute platforms&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H3 data-section-id="1329ug4" data-start="13085" data-end="13101"&gt;Final Thoughts&lt;/H3&gt;
&lt;P data-start="13103" data-end="13219"&gt;Azure Arc fundamentally changes how organizations think about infrastructure management.&lt;/P&gt;
&lt;P data-start="13221" data-end="13368"&gt;Instead of forcing workloads entirely into the cloud, Azure Arc extends Azure’s operational capabilities to wherever infrastructure already exists.&lt;/P&gt;
&lt;P data-start="13370" data-end="13442"&gt;Combined with Azure Kubernetes Service, organizations gain:&lt;/P&gt;
&lt;UL data-start="13443" data-end="13591"&gt;
&lt;LI data-section-id="m38zic" data-start="13443" data-end="13467"&gt;Kubernetes consistency&lt;/LI&gt;
&lt;LI data-section-id="1clmywa" data-start="13468" data-end="13487"&gt;Hybrid governance&lt;/LI&gt;
&lt;LI data-section-id="j0hglb" data-start="13488" data-end="13512"&gt;Centralized operations&lt;/LI&gt;
&lt;LI data-section-id="uirybm" data-start="13513" data-end="13541"&gt;Edge deployment capability&lt;/LI&gt;
&lt;LI data-section-id="1t3pfoy" data-start="13542" data-end="13591"&gt;Cloud-native management beyond cloud boundaries&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="13593" data-end="13729" data-is-last-node="" data-is-only-node=""&gt;As edge computing adoption grows, AKS Arc is becoming an increasingly important platform for modern hybrid infrastructure architectures.&lt;/P&gt;
&lt;P data-start="2351" data-end="2407"&gt;Azure Arc extends Azure management capabilities beyond Azure cloud boundaries, while AKS Arc enables Kubernetes clusters to run consistently across edge, on-premises, and hybrid environments.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Tags:&amp;nbsp;&lt;/P&gt;
&lt;P data-pm-slice="1 1 []"&gt;Azure Arc&lt;BR /&gt;Azure Kubernetes Service&lt;BR /&gt;Azure Arc AKS&lt;BR /&gt;Hybrid Cloud&lt;BR /&gt;Edge Computing&lt;BR /&gt;Azure Local&lt;/P&gt;</description>
      <pubDate>Tue, 12 May 2026 02:57:30 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/azure-arc-aks-explained-run-kubernetes-beyond-azure-cloud/ba-p/4518443</guid>
      <dc:creator>mohit-kanojia</dc:creator>
      <dc:date>2026-05-12T02:57:30Z</dc:date>
    </item>
    <item>
      <title>Scaling GitHub Advanced Security in Azure DevOps with a single reusable YAML template</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/scaling-github-advanced-security-in-azure-devops-with-a-single/ba-p/4518410</link>
      <description>&lt;H2&gt;Scaling GitHub Advanced Security in Azure DevOps with a single reusable YAML template&lt;/H2&gt;
&lt;P&gt;Managing security scanning across dozens of repositories can quickly become complex—especially when each repository uses different languages, frameworks, and infrastructure patterns.&lt;/P&gt;
&lt;P&gt;In our environment, we needed a scalable way to apply &lt;STRONG&gt;GitHub Advanced Security (GHAS)&lt;/STRONG&gt; consistently across:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Application code (Python, C#, Java, JavaScript)&lt;/LI&gt;
&lt;LI&gt;Infrastructure as Code (Terraform, ARM, Bicep)&lt;/LI&gt;
&lt;LI&gt;Mixed (polyglot) repositories&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Instead of maintaining multiple pipelines, we built a &lt;STRONG&gt;single reusable Azure DevOps YAML template&lt;/STRONG&gt; that dynamically adapts to any repository.&lt;/P&gt;
&lt;H2&gt;The problem&lt;/H2&gt;
&lt;P&gt;Most teams struggle with:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Multiple pipelines for different tech stacks&lt;/LI&gt;
&lt;LI&gt;Inconsistent security coverage&lt;/LI&gt;
&lt;LI&gt;Maintenance overhead across repositories&lt;/LI&gt;
&lt;LI&gt;Unnecessary scans increasing build time&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;We needed a solution that:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Detects repository content automatically&lt;/LI&gt;
&lt;LI&gt;Runs only relevant scans&lt;/LI&gt;
&lt;LI&gt;Standardizes security across all repos&lt;/LI&gt;
&lt;LI&gt;Minimizes duplication&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Solution overview&lt;/H2&gt;
&lt;P&gt;The solution is a &lt;STRONG&gt;single-stage pipeline template&lt;/STRONG&gt; with three key jobs:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Detect repository content&lt;/LI&gt;
&lt;LI&gt;Run CodeQL for application code&lt;/LI&gt;
&lt;LI&gt;Run IaC security scanning&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Scanning behavior is driven entirely by detection outputs.&lt;/P&gt;
&lt;H2&gt;Architecture&lt;/H2&gt;
&lt;H3&gt;🟦 High-level flow&lt;/H3&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;H2&gt;Key design patterns&lt;/H2&gt;
&lt;H3&gt;1. Detection-driven execution&lt;/H3&gt;
&lt;P&gt;Instead of hardcoding logic, the pipeline first detects repository content.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;✅ Runs only when code is present&lt;BR /&gt;✅ Avoids unnecessary execution&lt;/P&gt;
&lt;H3&gt;2. Single template for all repositories&lt;/H3&gt;
&lt;P&gt;A single YAML template works for:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Backend services&lt;/LI&gt;
&lt;LI&gt;Frontend apps&lt;/LI&gt;
&lt;LI&gt;IaC repositories&lt;/LI&gt;
&lt;LI&gt;Mixed projects&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;No duplication. No branching logic across repos.&lt;/P&gt;
&lt;H3&gt;3. Dynamic CodeQL configuration&lt;/H3&gt;
&lt;P&gt;The pipeline generates a &lt;STRONG&gt;runtime CodeQL config file&lt;/STRONG&gt;:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;✅ Keeps configuration centralized&lt;BR /&gt;✅ Avoids scan failures due to irrelevant directories&lt;/P&gt;
&lt;H3&gt;4. Language-aware setup&lt;/H3&gt;
&lt;P&gt;The pipeline dynamically prepares environments:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;✅ No need for separate pipelines&lt;BR /&gt;✅ Works across polyglot repos&lt;/P&gt;
&lt;H3&gt;5. Correct CodeQL build strategy&lt;/H3&gt;
&lt;P&gt;For compiled languages like C#, the pipeline performs build tracing:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;✅ Ensures proper CodeQL extraction&lt;BR /&gt;✅ Avoids empty-database failures&lt;/P&gt;
&lt;H3&gt;6. Integrated IaC security scanning&lt;/H3&gt;
&lt;P&gt;Infrastructure scanning is handled in the same pipeline:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;✅ Covers Terraform, ARM, Bicep&lt;BR /&gt;✅ Unified reporting across code and infrastructure&lt;/P&gt;
&lt;H3&gt;7. Centralized reporting&lt;/H3&gt;
&lt;P&gt;Artifacts are published for traceability:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Code scanning results → CodeScanningReports&lt;/LI&gt;
&lt;LI&gt;IaC results → IaCSecurityReports&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;✅ Easy audit and troubleshooting&lt;BR /&gt;✅ Retains SARIF outputs&lt;/P&gt;
&lt;H2&gt;Benefits&lt;/H2&gt;
&lt;P&gt;This approach delivers:&lt;/P&gt;
&lt;P&gt;✔ One pipeline for all repositories&lt;BR /&gt;✔ Reduced maintenance overhead&lt;BR /&gt;✔ Consistent security enforcement&lt;BR /&gt;✔ Faster pipeline execution&lt;BR /&gt;✔ Scalable DevSecOps model&lt;/P&gt;
&lt;H2&gt;Lessons learned&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;Detection-first pipelines are critical for scale&lt;/LI&gt;
&lt;LI&gt;Config-driven CodeQL execution prevents failures&lt;/LI&gt;
&lt;LI&gt;Build tracing must be handled explicitly for compiled languages&lt;/LI&gt;
&lt;LI&gt;IaC scanning should not be a separate workflow&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Conclusion&lt;/H2&gt;
&lt;P&gt;Scaling GitHub Advanced Security across Azure DevOps doesn’t require multiple pipelines—it requires the right architecture.&lt;/P&gt;
&lt;P&gt;By combining:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Detection-driven execution&lt;/LI&gt;
&lt;LI&gt;Dynamic configuration&lt;/LI&gt;
&lt;LI&gt;Conditional setup&lt;/LI&gt;
&lt;LI&gt;Unified scanning&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;You can operationalize security at scale with a &lt;STRONG&gt;single reusable YAML template&lt;/STRONG&gt;.&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 10:47:04 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/scaling-github-advanced-security-in-azure-devops-with-a-single/ba-p/4518410</guid>
      <dc:creator>Paulams732</dc:creator>
      <dc:date>2026-05-11T10:47:04Z</dc:date>
    </item>
    <item>
      <title>Understanding the deployment quota limitation (800) Error in Azure Bicep and ARM Deployments</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/understanding-the-deployment-quota-limitation-800-error-in-azure/ba-p/4518262</link>
      <description>&lt;P&gt;&lt;STRONG&gt;Understanding deployment quota limitation (800) Error in Azure Deployments (Bicep/ARM)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Introduction&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;When working with Infrastructure as Code (IaC) using Azure Bicep or ARM templates, deployment failures are a common part of day-to-day operations—especially in large-scale enterprise environments.&lt;/P&gt;
&lt;P&gt;One such frequently encountered but often misunderstood issue is the quota limitation (800) error, which typically occurs during repeated or automated deployments.&lt;/P&gt;
&lt;img /&gt;&lt;img&gt;Figure: Azure Bicep deployment failure showing DeploymentQuotaExceeded error after reaching the 800 deployment history limit, with reference to aka.ms/800 for remediation.&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="yaml"&gt;{
  "code": "DeploymentFailed",
  "target": "/subscriptions/cxxx8e00-0add-4f8a-8709-xxxxxxxxxxxx/resourceGroups/pxs-azure-connectivity-d-gwc-dnszone-rg/providers/Microsoft.Resources/deployments/ppiwwpkn7kkla-pdns-zone-deployment",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "details": [
    {
      "code": "DeploymentQuotaExceeded",
      "message": "Creating the deployment '46d3xbcp.res.network-privatednszone.0-6-0.rysq' would exceed the quota of '800'. The current deployment count is '800'. Please delete some deployments before creating a new one, or see https://aka.ms/800LimitFix for information on managing deployment limits."
    }
  ]
}&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This blog explains:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;What this error means&lt;/LI&gt;
&lt;LI&gt;A practical Bicep deployment use case&lt;/LI&gt;
&lt;LI&gt;Root causes&lt;/LI&gt;
&lt;LI&gt;Resolution approaches&lt;/LI&gt;
&lt;LI&gt;Preventive best practices&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;What is the quota limitation (800) Error?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The quota limitation (800) reference is commonly associated with a deployment quota limitation in Azure Resource Manager (ARM).&lt;/P&gt;
&lt;P&gt;In simple terms:&lt;BR /&gt;Azure limits the number of deployment records that can be stored per resource group.&lt;/P&gt;
&lt;P&gt;Key detail:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Maximum allowed deployment history entries per resource group:&amp;nbsp;&lt;STRONG&gt;800&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Once this limit is exceeded:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;New deployments fail&lt;/LI&gt;
&lt;LI&gt;Error messages such as the following are observed:&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;“DeploymentQuotaExceeded”&lt;/P&gt;
&lt;P&gt;The current deployment count is '800'. Please delete some deployments before creating a new one.&lt;/P&gt;
&lt;P&gt;This happens because Azure maintains deployment history for auditing, tracking, and troubleshooting purposes. [aka.ms/800]&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Use Case: Bicep Deployment Failure in CI/CD&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Scenario&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;An organization is deploying infrastructure using a Bicep template through an automated pipeline.&lt;/P&gt;
&lt;P&gt;Example command:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;az deployment group create \
  --resource-group prod-rg \
  --template-file main.bicep \
  --parameters @params.bicepparam&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Environment Characteristics&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Continuous deployment using pipelines (Azure DevOps / GitHub Actions)&lt;/LI&gt;
&lt;LI&gt;Multiple deployments triggered daily&lt;/LI&gt;
&lt;LI&gt;Incremental deployment mode enabled&lt;/LI&gt;
&lt;LI&gt;A shared resource group used across multiple deployments&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Issue Encountered&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;After repeated deployments over time, the following failure occurs:&lt;/P&gt;
&lt;P&gt;Error: DeploymentQuotaExceeded&lt;/P&gt;
&lt;P&gt;The current deployment count is '800'&lt;/P&gt;
&lt;P&gt;See aka.ms/800 for more information&lt;/P&gt;
&lt;P&gt;At this point, no further deployments succeed in that resource group.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Root Cause Analysis&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Deployment History Limit&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Azure stores every deployment execution as a record under:&lt;/P&gt;
&lt;P&gt;Resource Group → Deployments&lt;/P&gt;
&lt;P&gt;These records accumulate over time, and once the count reaches 800, new deployments are blocked.&lt;/P&gt;
&lt;P&gt;Important clarification:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;This is not a resource limit (VMs, VNets, etc.)&lt;/LI&gt;
&lt;LI&gt;This is a metadata limit related to deployment history&lt;/LI&gt;
&lt;/UL&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;High Frequency CI/CD Deployments&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;In enterprise environments, pipelines may run frequently due to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Minor configuration updates&lt;/LI&gt;
&lt;LI&gt;Validation runs&lt;/LI&gt;
&lt;LI&gt;Automated releases&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Each run contributes to the deployment count.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Absence of Cleanup Mechanism&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Although Azure manages some cleanup automatically, it is not always sufficient in high-frequency environments. Manual or automated cleanup is often required.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Resolution Approaches&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Option 1: Manual Cleanup from Azure Portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Navigate to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Azure Portal&lt;/LI&gt;
&lt;LI&gt;Resource Group&lt;/LI&gt;
&lt;LI&gt;Deployments&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Delete older deployment entries manually to free up space.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Option 2: Cleanup Using Azure CLI&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;#List deployments:

az deployment group list \
  --resource-group prod-rg \
  --query "[].name" -o tsv

#Delete a deployment:

az deployment group delete \
  --resource-group prod-rg \
  --name &amp;lt;deployment-name&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Option 3: Automated Cleanup (Recommended)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Example PowerShell approach:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;$deployments = Get-AzResourceGroupDeployment -ResourceGroupName "prod-rg"

if ($deployments.Count -gt 700) {
    $deployments | Sort-Object Timestamp | Select-Object -First 100 | ForEach-Object {
        Remove-AzResourceGroupDeployment -ResourceGroupName "prod-rg" -Name $_.DeploymentName
    }
}&lt;/LI-CODE&gt;
&lt;P&gt;This approach ensures that older deployments are periodically removed, preventing quota exhaustion.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Option 4: Use Multiple Resource Groups&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Instead of using a single resource group for all deployments:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Separate environments (Dev, Test, Prod)&lt;/LI&gt;
&lt;LI&gt;Temporary or experimental deployments&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This helps distribute deployment records across multiple scopes.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Best Practices&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Implement Deployment Retention Policy&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Maintain only recent deployments (for example, last 100–200)&lt;/LI&gt;
&lt;LI&gt;Automate deletion of older entries&lt;/LI&gt;
&lt;/UL&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Control Deployment Frequency&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;UL&gt;
&lt;LI&gt;Avoid unnecessary pipeline triggers&lt;/LI&gt;
&lt;LI&gt;Batch multiple changes into a single deployment&lt;/LI&gt;
&lt;/UL&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Use Predictable Deployment Naming&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Example:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;name: 'deploy-${utcNow()}'&lt;/LI-CODE&gt;
&lt;P&gt;This improves traceability and cleanup management.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Monitor Deployment Count&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Example:&lt;/P&gt;
&lt;LI-CODE lang="powershell"&gt;az deployment group list \
  --resource-group prod-rg \
  --query "length(@)"&lt;/LI-CODE&gt;
&lt;P&gt;Set alerts or monitoring thresholds if required.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Understand Deployment Mode Behavior&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Incremental deployments prevent unwanted deletions of resources but still increase the deployment history count.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Common Misconceptions&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Misconception&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Reality&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Resource quota exceeded&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The issue is related to deployment history&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Template is invalid&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The template can be valid but blocked by quota&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Permission issue&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Not related to RBAC&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Regional limitation&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Independent of region&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;Related Deployment Errors&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;While troubleshooting deployments, other common errors may appear, such as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Authorization failures (insufficient permissions)&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/common-deployment-errors" target="_blank"&gt;[learn.microsoft.com]&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Invalid template errors (syntax or parameter mismatch)&lt;/LI&gt;
&lt;LI&gt;Concurrent deployment conflicts&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;It is important to analyze deployment logs to identify the exact failure reason.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Summary&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Area&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Key Insight&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Error Type&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Deployment quota limitation&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Limit&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;800 deployments per resource group&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Primary Cause&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Frequent CI/CD executions&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Resolution&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Delete older deployment history&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Prevention&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Automate cleanup and monitor usage&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;STRONG&gt;Closing Thoughts&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;For teams operating at scale with Azure Bicep and automated pipelines, this issue is common but preventable.&lt;/P&gt;
&lt;P&gt;The key takeaway is to treat deployment history as an actively managed component of your environment. Without proper governance, it can become a blocking factor for ongoing automation efforts.&lt;/P&gt;</description>
      <pubDate>Mon, 11 May 2026 05:12:56 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/understanding-the-deployment-quota-limitation-800-error-in-azure/ba-p/4518262</guid>
      <dc:creator>ranjan_ashish</dc:creator>
      <dc:date>2026-05-11T05:12:56Z</dc:date>
    </item>
    <item>
      <title>CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/cheriot-ibex-closing-the-door-on-memory-safety-vulnerabilities/ba-p/4517904</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Memory safety vulnerabilities—largely arising&amp;nbsp;from widely used programming languages such as C and C++—remain&amp;nbsp;a leading cause of exploitable software defects across systems, from embedded devices to&amp;nbsp;cloud-scale&amp;nbsp;infrastructure. In simple terms, memory safety ensures that software accesses only the data it is intended to use; when this protection fails, attackers can exploit these defects to gain control of devices or disrupt critical services. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Industry data shows that&amp;nbsp;about 70 percent&amp;nbsp;of the vulnerabilities Microsoft assigns as&amp;nbsp;Common Vulnerabilities and Exposures (CVE)&amp;nbsp;each year are memory safety issues, highlighting how&amp;nbsp;frequently&amp;nbsp;these software defects translate into&amp;nbsp;real-world&amp;nbsp;security risk (&lt;/SPAN&gt;&lt;A href="https://www.cisa.gov/news-events/news/urgent-need-memory-safety-software-products" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;CISA – The Urgent Need for Memory Safety in Software Products&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;). Hardware-enforced&amp;nbsp;protections such&amp;nbsp;as&amp;nbsp;CHERIoT&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;-&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Ibex&amp;nbsp;can help&amp;nbsp;eliminate&amp;nbsp;these vulnerabilities at their source, reducing the likelihood that low-level software flaws can be exploited to compromise devices or disrupt workloads, supporting more trustworthy infrastructure by design. &lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&amp;nbsp;&lt;BR /&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;An open and certified foundation for memory-safe embedded systems&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;CHERIoT-Ibex is the first open-source production-quality implementation of the&amp;nbsp;CHERIoT&amp;nbsp;instruction set architecture and among the first cores certified by the CHERI Alliance (&lt;/SPAN&gt;&lt;A href="https://cheri-alliance.org/cheri-enabled/cheriot/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;CHERI Alliance – CHERIoT&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;). CHERIoT is an extension of&amp;nbsp;the&amp;nbsp;CHERI&amp;nbsp;(Capability Hardware Enhanced RISC Instructions)&amp;nbsp;instruction&amp;nbsp;set,&amp;nbsp;with&amp;nbsp;a focus on embedded and Internet of Things (IoT) applications.&amp;nbsp;Ibex is&amp;nbsp;an&amp;nbsp;open&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;source&amp;nbsp;32&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;bit RISC&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;V core developed by&amp;nbsp;LowRISC.&amp;nbsp;CHERIoT&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;Ibex&amp;nbsp;builds on Ibex by including CHERIoT capability extensions to provide&amp;nbsp;hardware&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;enforced&amp;nbsp;memory safety and&amp;nbsp;fine&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;grained&amp;nbsp;compartmentalization.&amp;nbsp;It&amp;nbsp;is the result of a close partnership between Microsoft Research and Azure Hardware Systems &amp;amp; Infrastructure, combining advanced research innovation with industry-leading silicon IP development expertise. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In 2023, Microsoft&amp;nbsp;open-sourced&amp;nbsp;the CHERIoT&amp;nbsp;Platform&amp;nbsp;to bring hardware-enforced memory safety to embedded systems, including an instruction set architecture, toolchain, real-time operating system, and the&amp;nbsp;RTL implementation of the CHERIoT-Ibex core. The CHERI Alliance certification recognizes its ability to provide spatial and temporal memory safety, fine-grained compartmentalization, and compatibility with the broader CHERI ecosystem. Critically, CHERIoT-Ibex achieves these security guarantees with power and area efficiency comparable to low-cost microcontrollers,&amp;nbsp;demonstrating&amp;nbsp;that security&amp;nbsp;doesn’t&amp;nbsp;have to come at a premium. &lt;/SPAN&gt;&amp;nbsp;&lt;BR /&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Why memory safety&amp;nbsp;remains&amp;nbsp;a&amp;nbsp;foundational security challenge&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Traditional embedded and&amp;nbsp;microcontroller-class&amp;nbsp;designs rely on software hardening and&amp;nbsp;coarse-grained&amp;nbsp;hardware protections that struggle to prevent attacks such as buffer overflows and&amp;nbsp;use-after-free&amp;nbsp;vulnerabilities, often adding complexity while still leaving gaps in protection. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Consider a controller that runs privileged firmware responsible for device initialization, telemetry, and system health monitoring, while also hosting networking functionality exposed to external inputs. A&amp;nbsp;memory-safe&amp;nbsp;vulnerability in the networking stack could allow attackers to execute unauthorized code within the firmware environment, potentially affecting other critical services on the device. In tightly integrated&amp;nbsp;systems,&amp;nbsp;these failures can propagate beyond a single&amp;nbsp;component, increasing overall risk.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;BR /&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Constraining failures with&amp;nbsp;hardware-enforced&amp;nbsp;isolation&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;CHERIoT-Ibex&amp;nbsp;enables&amp;nbsp;hardware-enforced&amp;nbsp;isolation between these components, helping ensure that even if the networking stack is compromised, its ability to&amp;nbsp;impact&amp;nbsp;system initialization or telemetry functions&amp;nbsp;remains&amp;nbsp;constrained. By limiting the blast radius of software failures,&amp;nbsp;CHERIoT-Ibex&amp;nbsp;supports a system-level approach to security rather than relying on individual components to defend themselves in isolation.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;BR /&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Advancing&amp;nbsp;memory-safe&amp;nbsp;infrastructure by design&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;CHERIoT-Ibex’s certification by the CHERI Alliance marks an important milestone for open-source&amp;nbsp;memory-safe solutions. It&amp;nbsp;validates&amp;nbsp;that strong security guarantees can coexist with efficiency and transparency, reflecting Microsoft’s broader silicon-to-systems strategy&amp;nbsp;of&amp;nbsp;embedding&amp;nbsp;security into&amp;nbsp;the&amp;nbsp;foundational hardware infrastructure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Explore and engage with the open-source CHERIoT ecosystem by visiting the CHERIoT Platform and the CHERIoT-Ibex GitHub repository (&lt;/SPAN&gt;&lt;A href="https://github.com/microsoft/cheriot-ibex" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;microsoft/cheriot-ibex&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;). The repositories enable developers and researchers to experiment with, contribute to, and&amp;nbsp;build on&amp;nbsp;memory-safe hardware and software foundations. &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 09 May 2026 05:08:11 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/cheriot-ibex-closing-the-door-on-memory-safety-vulnerabilities/ba-p/4517904</guid>
      <dc:creator>kunyanliu</dc:creator>
      <dc:date>2026-05-09T05:08:11Z</dc:date>
    </item>
    <item>
      <title>Safely Migrating Terraform Managed Disks on Azure Using Stable Keys and Copilot</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/safely-migrating-terraform-managed-disks-on-azure-using-stable/ba-p/4517509</link>
      <description>&lt;H2&gt;&lt;SPAN style="color: rgb(30, 30, 30); font-size: 32px;"&gt;The Root Cause: Index-Based "for_each" Keys:&lt;/SPAN&gt;&lt;/H2&gt;
&lt;H4&gt;Many Terraform modules flatten VM and disk definitions into a list and use the list index as the for_each key:&lt;/H4&gt;
&lt;H4&gt;&lt;STRONG&gt;for_each = { for index, sp in local.managed_disks : index =&amp;gt; sp }&lt;/STRONG&gt;&lt;/H4&gt;
&lt;H4&gt;This pattern looks harmless, but the index is not stable:&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Adding a disk to one VM shifts downstream indices&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Reordering environment JSON changes flatten order&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Terraform treats shifted indices as new resources&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;The result: Terraform plans to destroy and recreate all affected managed disks—even though nothing changed in Azure.&lt;/H4&gt;
&lt;H2&gt;Why This Is Especially Risky on Azure:&lt;/H2&gt;
&lt;H4&gt;Azure managed disks are often:&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Attached to stateful application tiers&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Used for databases, middleware, or batch workloads&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Deployed across zones for resiliency&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;A forced disk replacement can mean:&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Data loss&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Extended outages&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Failed change windows&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;This makes state stability a first-class design concern—not an implementation detail.&lt;/H4&gt;
&lt;H2&gt;The Stable Key Pattern:&lt;/H2&gt;
&lt;H4&gt;The fix is conceptually simple: use a domain-stable identifier for each disk.&lt;/H4&gt;
&lt;H4&gt;A proven pattern is:&lt;/H4&gt;
&lt;H4&gt;&lt;STRONG&gt;"${sp.vm}-${sp.data_disk.lun}"&lt;/STRONG&gt;&lt;/H4&gt;
&lt;H4&gt;This key is:&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Deterministic&lt;/LI&gt;
&lt;LI&gt;Independent of ordering&lt;/LI&gt;
&lt;LI&gt;Human-readable&lt;/LI&gt;
&lt;LI&gt;Stable across environments&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Example:&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;VM&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;LUN&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Stable Key&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;vm1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;0&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;vm1-0&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;vm1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;1&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;vm1-1&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;vm2&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;0&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;vm2-0&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;Once applied, adding a new disk results in exactly one new resource, with zero churn.&lt;/H4&gt;
&lt;H2&gt;The Migration Challenge: Terraform State:&lt;/H2&gt;
&lt;H4&gt;Changing &lt;STRONG&gt;for_each&lt;/STRONG&gt; keys alone is not enough.&lt;/H4&gt;
&lt;H4&gt;Terraform tracks resources by their state address, not by Azure resource ID. When keys change, Terraform believes:&lt;/H4&gt;
&lt;H4&gt;&lt;STRONG&gt;“The old disks were deleted, and new ones must be created.”&lt;/STRONG&gt;&lt;/H4&gt;
&lt;H4&gt;To prevent this, we must move the state, not recreate the resource.&lt;/H4&gt;
&lt;H4&gt;That is where terraform state mv comes in.&lt;/H4&gt;
&lt;H2&gt;Automating the Migration with GitHub Copilot Skills:&lt;/H2&gt;
&lt;H4&gt;To remove risk and human error, the team created a reusable Copilot skill for managed disk key migration.&lt;/H4&gt;
&lt;H3&gt;What the Skill Does:&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Inspects Terraform modules for index-based for_each&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Reads environment JSON files (such as ALZ variable abstractions)&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Reconstructs the exact flatten order used by Terraform&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Generates precise terraform state mv commands&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;This ensures:&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;No guessing&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;No manual address mapping&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;No production surprises&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;The skill is stored directly inside the repository under .github/skills, making it:&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Discoverable&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Versioned&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Shareable across teams&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Example: Generating State Move Commands:&lt;/H2&gt;
&lt;H4&gt;Based on environment JSON, Copilot can generate commands like:&lt;/H4&gt;
&lt;P&gt;&lt;STRONG&gt;terraform state mv \&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp; 'module.managed_disk_windowsvm_app["0"]' \&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&amp;nbsp; 'module.managed_disk_windowsvm_app["vm1-0"]'&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4&gt;This is repeated deterministically for every existing disk—before any plan or apply.&lt;/H4&gt;
&lt;H2&gt;Recommended Migration Workflow:&lt;/H2&gt;
&lt;OL&gt;
&lt;LI&gt;
&lt;H5&gt;Confirm clean state&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;terraform plan shows no pending changes&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;H5&gt;Update the module&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Replace index-based keys with stable keys&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;H4&gt;Back up the state&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Especially critical with remote backends (Azure Storage)&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;H4&gt;Run terraform state mv&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Only after terraform init is connected to the correct backend&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;H4&gt;Re-run plan&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Existing disks should show no changes&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;H4&gt;Add new disks safely&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Terraform creates only the new disk&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2&gt;CI/CD and Remote Backend Considerations:&lt;/H2&gt;
&lt;H4&gt;A critical finding from this migration:&lt;/H4&gt;
&lt;H4&gt;&lt;STRONG&gt;terraform state mv&lt;/STRONG&gt; always modifies the currently initialized backend.&lt;/H4&gt;
&lt;H4&gt;In pipeline-driven environments:&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Ensure the correct environment is initialized&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Run migrations once per environment&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Never merge stable-key code before migrating all environments&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Failing to align code and state can cause disk destruction in production.&lt;/H4&gt;
&lt;H2&gt;Key Takeaways:&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;EM&gt;Index-based for_each keys are unsafe for long-lived Azure disks&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Stable keys such as vm-lun eliminate accidental resource churn&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;State migration is mandatory—not optional&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Copilot skills are powerful for institutionalizing safe patterns&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;EM&gt;Small Terraform design choices can have enterprise-scale impact&lt;/EM&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Closing Thoughts:&lt;/H2&gt;
&lt;H4&gt;This pattern is broadly applicable beyond disks—to NICs, extensions, and any resource where identity must outlive ordering.&lt;/H4&gt;
&lt;H4&gt;By combining:&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;P&gt;&lt;EM&gt;Stable Terraform design&lt;/EM&gt;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;&lt;EM&gt;State-aware migrations&lt;/EM&gt;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;&lt;EM&gt;GitHub Copilot automation&lt;/EM&gt;&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Teams can make infrastructure changes boring again—and that is the ultimate reliability goal.&lt;/H4&gt;</description>
      <pubDate>Fri, 08 May 2026 16:02:01 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/safely-migrating-terraform-managed-disks-on-azure-using-stable/ba-p/4517509</guid>
      <dc:creator>shwetayadav</dc:creator>
      <dc:date>2026-05-08T16:02:01Z</dc:date>
    </item>
    <item>
      <title>Building Secure AI Platforms in Banking Using Azure Enterprise Architecture</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-secure-ai-platforms-in-banking-using-azure-enterprise/ba-p/4517531</link>
      <description>&lt;H4&gt;&lt;STRONG&gt;1. Introduction: AI in Banking Is Not Just a Model Problem&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Modern banking institutions are no longer asking &lt;EM data-start="1449" data-end="1467"&gt;“Can we use AI?”&lt;/EM&gt;&lt;BR data-start="1467" data-end="1470" /&gt;The real question is:&lt;BR /&gt;&lt;STRONG data-start="1496" data-end="1587"&gt;“Can we use AI without violating regulatory, security, and data residency constraints?”&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Unlike public AI applications, banking systems must ensure:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;No public internet exposure&lt;/LI&gt;
&lt;LI&gt;Strict identity-based access control&lt;/LI&gt;
&lt;LI&gt;End-to-end auditability&lt;/LI&gt;
&lt;LI&gt;Data residency compliance&lt;/LI&gt;
&lt;LI&gt;Fully controlled inference pipelines&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;👉 In enterprise environments, &lt;STRONG&gt;AI success is driven by secure infrastructure—not just model accuracy&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;2. Core Design Principle: Controlled Intelligence System&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Every AI request must follow a &lt;STRONG&gt;security-enforced execution pipeline&lt;/STRONG&gt;:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;User Request
   ↓
Secure Edge (Application Gateway + WAF)
   ↓
API Governance Layer (API Management - Internal Mode)
   ↓
AI Orchestration Layer (AKS / App Services)
   ↓
Retrieval + Policy Layer (RAG + Guardrails)
   ↓
Private AI Services (Azure OpenAI)
   ↓
Observability Layer (AMPLS)
   ↓
Final Response&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Key Insight:&lt;/STRONG&gt;&lt;BR /&gt;This is not just an architecture—it is a &lt;STRONG&gt;controlled and auditable execution model&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;3. Azure Enterprise AI Architecture (Production-Ready Pattern)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;A real-world architecture used in banking environments:&lt;/P&gt;
&lt;img /&gt;
&lt;H4&gt;&lt;STRONG&gt;4. Private Connectivity Model (Critical for Compliance)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Key components:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Private Endpoints&lt;/STRONG&gt; → Secure PaaS isolation&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Private DNS Zones&lt;/STRONG&gt; → Controlled name resolution&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;VNet Integration&lt;/STRONG&gt; → Internal service communication&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure Firewall&lt;/STRONG&gt; → Traffic inspection and control&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;⚠️ &lt;STRONG&gt;Common Production Failure:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;AKS pods fail to resolve Azure OpenAI private endpoint&lt;/LI&gt;
&lt;LI&gt;Root cause:
&lt;UL&gt;
&lt;LI&gt;Missing Private DNS links&lt;/LI&gt;
&lt;LI&gt;Incorrect VNet configuration&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;👉 This is one of the most frequent failures in enterprise AI deployments.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt; “Debugging Private Endpoint Failures” &lt;/STRONG&gt;&lt;/P&gt;
&lt;P data-start="2681" data-end="2689"&gt;Include:&lt;/P&gt;
&lt;UL data-start="2691" data-end="2800"&gt;
&lt;LI data-start="2691" data-end="2717"&gt;nslookup behavior in AKS&lt;/LI&gt;
&lt;LI data-start="2718" data-end="2742"&gt;DNS zone linking check&lt;/LI&gt;
&lt;LI data-start="2743" data-end="2772"&gt;VNet integration validation&lt;/LI&gt;
&lt;LI data-start="2773" data-end="2800"&gt;UDR / Firewall inspection&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;5. Identity-First Security Model (No Secrets Architecture)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Modern banking architectures eliminate static credentials entirely.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Authentication Flow:&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang=""&gt;AKS Workload → Managed Identity → Azure AD → Azure Services&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Key Principle:&lt;/STRONG&gt;&lt;BR /&gt;👉 &lt;EM&gt;Identity is the new security perimeter.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Benefits:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;No API keys or secrets&lt;/LI&gt;
&lt;LI&gt;Simplified access management&lt;/LI&gt;
&lt;LI&gt;RBAC-based governance&lt;/LI&gt;
&lt;LI&gt;Fully auditable access&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;6. Secure AI Inference Pipeline&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;A production AI request flow:&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;def process_request(user_request):
    # 1. Authenticate user via Azure AD
    identity = authenticate_aad(user_request.token)
    if not identity or not identity.is_valid:
        return "ACCESS_DENIED"
    # 2. Enforce rate limiting per identity
    if not rate_limit(identity):
        return "RATE_LIMIT_EXCEEDED"
    # 3. Apply prompt security guardrails (injection protection)
    safe_prompt = apply_prompt_guardrails(user_request.prompt)
    # 4. Content safety filtering (PII / harmful content detection)
    if not content_filter(safe_prompt):
        return "CONTENT_BLOCKED"
    # 5. Retrieve secure RAG context
    context = retrieve_rag_context(
        query=safe_prompt,
        secure_mode=True
    )
    # 6. Build final prompt
    final_prompt = merge_prompt_and_context(safe_prompt, context)
    # 7. Call Azure OpenAI with circuit breaker protection
    response = circuit_breaker(
        lambda: call_openai(
            prompt=final_prompt,
            identity=ManagedIdentity()
        )
    )
    # 8. Validate and sanitize model output
    validated_output = sanitize(response)
    # 9. Log everything for audit + compliance (AMPLS / SIEM)
    log_to_ampls(
        identity=identity,
        request=user_request,
        response=validated_output
    )
    return validated_output&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Security controls include:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Prompt injection filtering&lt;/LI&gt;
&lt;LI&gt;Context grounding (RAG)&lt;/LI&gt;
&lt;LI&gt;Output sanitization&lt;/LI&gt;
&lt;LI&gt;Full audit logging&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;7. RAG Architecture: Enterprise AI Backbone&lt;/STRONG&gt;&lt;/H4&gt;
&lt;LI-CODE lang=""&gt;User Query → Embedding Model → Azure AI Search (Vector Store) → Context Retrieval → Azure OpenAI → Final Response&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Why RAG is preferred in banking:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;No model retraining required&lt;/LI&gt;
&lt;LI&gt;Controlled data exposure&lt;/LI&gt;
&lt;LI&gt;Easier compliance validation&lt;/LI&gt;
&lt;LI&gt;Real-time knowledge updates&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In banking systems, retrieval is not just about relevance—it is about &lt;STRONG data-start="3993" data-end="4039"&gt;controlled disclosure of sensitive context&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;8. Observability with AMPLS (A Critical Yet Overlooked Layer)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;AI telemetry flows through:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;Azure Services → Private Link → AMPLS → Log Analytics / App Insights&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this matters:&lt;/STRONG&gt; Logs may contain:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Sensitive financial data&lt;/LI&gt;
&lt;LI&gt;PII&lt;/LI&gt;
&lt;LI&gt;Prompt inputs&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;👉 AMPLS ensures &lt;STRONG&gt;telemetry remains private and compliant&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;9. Regulatory Mapping: Banking Requirements to Azure Capabilities&lt;/STRONG&gt;&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Requirement&lt;/th&gt;&lt;th&gt;Azure Implementation&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;No public exposure&lt;/td&gt;&lt;td&gt;Private Endpoints&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Identity-based security&lt;/td&gt;&lt;td&gt;Azure AD + Managed Identity&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Audit compliance&lt;/td&gt;&lt;td&gt;Log Analytics + AMPLS&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Data protection&lt;/td&gt;&lt;td&gt;Customer-Managed Keys (CMK)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Network isolation&lt;/td&gt;&lt;td&gt;VNet + Firewall&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Access governance&lt;/td&gt;&lt;td&gt;RBAC + PIM&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H4&gt;&lt;STRONG&gt;10. Real-World Production Challenges&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Common failure points in enterprise AI systems:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;DNS Misconfiguration&lt;/STRONG&gt; – Private endpoints fail resolution&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Latency Chains&lt;/STRONG&gt; – Excessive service hops&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;OpenAI Rate Limits&lt;/STRONG&gt; – High enterprise load&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Identity Propagation Issues&lt;/STRONG&gt; – Cross-subscription failures&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Observability Gaps&lt;/STRONG&gt; – Missing distributed tracing&lt;/LI&gt;
&lt;/OL&gt;
&lt;H4&gt;&lt;STRONG&gt;11. Enterprise Architecture Best Practices&lt;/STRONG&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Design with &lt;STRONG&gt;zero-trust principles&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Treat AI as a &lt;STRONG&gt;distributed system&lt;/STRONG&gt;, not a single component&lt;/LI&gt;
&lt;LI&gt;Centralize governance using API Management&lt;/LI&gt;
&lt;LI&gt;Never expose AI services publicly&lt;/LI&gt;
&lt;LI&gt;Use &lt;STRONG&gt;identity everywhere—no secrets&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Separate:
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Control Plane&lt;/STRONG&gt; (governance)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Data Plane&lt;/STRONG&gt; (inference execution)&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;12. Azure Service Mapping (Quick Reference)&lt;/STRONG&gt;&lt;/H4&gt;
&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Layer&lt;/th&gt;&lt;th&gt;Azure Services&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Edge Security&lt;/td&gt;&lt;td&gt;Application Gateway (WAF)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;API Layer&lt;/td&gt;&lt;td&gt;API Management&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Compute&lt;/td&gt;&lt;td&gt;AKS / App Services&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AI Services&lt;/td&gt;&lt;td&gt;Azure OpenAI&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Retrieval&lt;/td&gt;&lt;td&gt;Azure AI Search&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Data&lt;/td&gt;&lt;td&gt;Azure Storage / SQL&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Identity&lt;/td&gt;&lt;td&gt;Azure AD + Managed Identity&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Networking&lt;/td&gt;&lt;td&gt;Private Link + VNet&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Observability&lt;/td&gt;&lt;td&gt;AMPLS + Log Analytics&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H4&gt;&lt;STRONG&gt;13. Common Failure Patterns&lt;/STRONG&gt;&lt;/H4&gt;
&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;Issue&lt;/th&gt;&lt;th&gt;Root Cause&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AI endpoint unreachable&lt;/td&gt;&lt;td&gt;DNS / Private endpoint misconfig&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Data leakage risk&lt;/td&gt;&lt;td&gt;Missing prompt filtering&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;High latency&lt;/td&gt;&lt;td&gt;Over-layered architecture&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Unauthorized access&lt;/td&gt;&lt;td&gt;Identity misconfiguration&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Poor response quality&lt;/td&gt;&lt;td&gt;Weak RAG implementation&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;
&lt;H4&gt;&lt;STRONG&gt;14. Final Thought&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;In enterprise banking AI systems:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Models are replaceable. Architecture is not.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The real challenge is designing a system where AI is:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Secure&lt;/LI&gt;
&lt;LI&gt;Controlled&lt;/LI&gt;
&lt;LI&gt;Observable&lt;/LI&gt;
&lt;LI&gt;Fully compliant&lt;/LI&gt;
&lt;/UL&gt;
&lt;/DIV&gt;</description>
      <pubDate>Thu, 07 May 2026 16:03:01 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-secure-ai-platforms-in-banking-using-azure-enterprise/ba-p/4517531</guid>
      <dc:creator>divyanshi_varshney</dc:creator>
      <dc:date>2026-05-07T16:03:01Z</dc:date>
    </item>
    <item>
      <title>How Validation‑Driven Terraform Made Our Azure Function Deployments Predictable</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/how-validation-driven-terraform-made-our-azure-function/ba-p/4517375</link>
      <description>&lt;P&gt;When Terraform deploys Azure Functions, the most expensive failures are rarely “syntax” problems. They’re environmental mismatches discovered too late—during&amp;nbsp;&lt;STRONG&gt;terraform apply&lt;/STRONG&gt;, after approvals, after a change window starts, and often after multiple teams are already watching the pipeline.&lt;/P&gt;
&lt;P&gt;After a few painful production-grade rollouts, we shifted to a &lt;STRONG&gt;validation-driven&lt;/STRONG&gt; approach: instead of letting Azure reject misconfigurations at apply time, we &lt;STRONG&gt;fail fast at PR/plan time&lt;/STRONG&gt; with clear messages that engineers can fix immediately.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What we mean by “validation‑driven”&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Validation-driven Terraform uses three guardrails together:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;PR checks&lt;/STRONG&gt;: formatting, linting, security scanning, module contract tests&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Pre-flight checks&lt;/STRONG&gt;: quick Azure sanity checks (provider registration, storage prerequisites, RBAC basics)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Terraform-native validations&lt;/STRONG&gt;: input validations + preconditions that stop invalid configurations before they reach Azure&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The idea is simple: &lt;STRONG&gt;apply should be boring&lt;/STRONG&gt;. If something is going to fail, it should fail &lt;EM&gt;earlier&lt;/EM&gt; with &lt;EM&gt;better&lt;/EM&gt; errors.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Azure Functions as the example: where failures actually happen&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Azure Functions bring a few recurring “gotchas” that tend to show up late:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;mismatch between &lt;STRONG&gt;plan/SKU&lt;/STRONG&gt; and features (e.g., VNET integration expectations)&lt;/LI&gt;
&lt;LI&gt;missing or inaccessible &lt;STRONG&gt;storage account settings&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;unsupported/incorrect &lt;STRONG&gt;runtime stack/version&lt;/STRONG&gt; for a chosen hosting model/region/policy&lt;/LI&gt;
&lt;LI&gt;inconsistent &lt;STRONG&gt;app settings&lt;/STRONG&gt; required by your org platform standards&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;We converted these into guardrails with &lt;STRONG&gt;minimal code&lt;/STRONG&gt; and clearer pipeline signals.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Case study 1: Wrong plan SKU causing runtime capability failures&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Problem&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;A team deployed a Function App expecting network integration behavior, but the selected plan/SKU didn’t align with what the workload required. The pipeline failed late, after approvals, and the rollback discussion took longer than the fix.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What we changed&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We added a small validation/precondition rule: if a team enables a capability that requires a certain class of plan, Terraform fails early with a targeted message.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Outcome&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Failure moved from apply-time → plan-time&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;2+ hours&lt;/STRONG&gt; saved per failed deployment cycle&lt;/LI&gt;
&lt;LI&gt;Zero repeat incidents for that class of issue&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Case study 2: Missing storage configuration blocking deployments&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Problem&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Function Apps depend heavily on storage configuration. We saw intermittent failures when storage settings pointed to deleted/incorrect resources, or when access expectations didn’t match reality.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What we changed&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We introduced a &lt;STRONG&gt;pre-flight check&lt;/STRONG&gt; step in Azure DevOps: verify storage existence/access and fail fast before plan/apply.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Outcome&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Deployments stopped failing mid-run&lt;/LI&gt;
&lt;LI&gt;Fewer “investigation loops” across teams&lt;/LI&gt;
&lt;LI&gt;Reduced incident noise (the pipeline became self-explanatory)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Case study 3: Unsupported runtime version (region/org guardrails mismatch)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Problem&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Engineers selected a runtime stack/version that was valid in isolation, but not aligned with platform support or readiness in the target environment. Failures appeared in apply or after release.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What we changed&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We centralized an “allowed runtime list” (per org standards) and validated runtime inputs at plan time.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Outcome&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Plan failed fast with clear explanation&lt;/LI&gt;
&lt;LI&gt;No redeploy cycles&lt;/LI&gt;
&lt;LI&gt;Better compliance posture (standards became enforceable code)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Why this matters (beyond “fewer red pipelines”)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Validation-driven Terraform improved more than deployment success rate:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Developer experience&lt;/STRONG&gt;: errors became precise and actionable&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Operational safety&lt;/STRONG&gt;: fewer emergency approvals and late-night fixes&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Standardization&lt;/STRONG&gt;: platform rules stopped living in tribal knowledge and wikis&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Manager-visible impact&lt;/STRONG&gt;: less delivery friction, fewer escalations, faster releases&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The best part: this wasn’t achieved by writing massive frameworks. It was achieved by adding &lt;STRONG&gt;small, high-leverage validations&lt;/STRONG&gt; in the right places.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Minimal code approach (what we actually used)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We intentionally kept Terraform code small:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A few &lt;STRONG&gt;input validations&lt;/STRONG&gt; (environment, runtime, naming contracts)&lt;/LI&gt;
&lt;LI&gt;A few &lt;STRONG&gt;preconditions&lt;/STRONG&gt; (must-have settings and plan constraints)&lt;/LI&gt;
&lt;LI&gt;A light &lt;STRONG&gt;Azure DevOps pre-flight&lt;/STRONG&gt; step for checks Terraform can’t reliably infer (like “does this dependency exist and is it accessible?”)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This way, the module stays readable, and the pipeline remains fast.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;In one of our Azure Function platforms, repeated deployment failures were not caused by bugs in application code or gaps in Terraform itself—they were caused by &lt;STRONG&gt;discovering platform constraints too late&lt;/STRONG&gt;. Each failed terraform apply triggered rework, additional approvals, and unnecessary operational noise across teams.&lt;/P&gt;
&lt;P&gt;By introducing a validation‑driven approach—combining Terraform input validations, targeted preconditions, and lightweight Azure DevOps pre‑flight checks—we moved failure discovery to the right place: &lt;STRONG&gt;pull requests and plan stages&lt;/STRONG&gt;. Azure Function‑specific issues such as incorrect plan capabilities, unsupported runtimes, and missing storage prerequisites were surfaced early, with clear, actionable messages.&lt;/P&gt;
&lt;P&gt;If your Azure DevOps pipelines still use terraform apply as a discovery mechanism, validation is not an optimization—it’s a foundational platform capability.&lt;/P&gt;</description>
      <pubDate>Thu, 07 May 2026 05:12:06 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/how-validation-driven-terraform-made-our-azure-function/ba-p/4517375</guid>
      <dc:creator>AkshitaBajpai</dc:creator>
      <dc:date>2026-05-07T05:12:06Z</dc:date>
    </item>
    <item>
      <title>Operationalizing Responsible AI in Microsoft Foundry within Enterprise Network Boundaries</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/operationalizing-responsible-ai-in-microsoft-foundry-within/ba-p/4516869</link>
      <description>&lt;H2&gt;Strategic Overview&lt;/H2&gt;
&lt;P class="lia-align-justify"&gt;&lt;SPAN data-teams="true"&gt;Deploying &lt;STRONG&gt;Microsoft Foundry&lt;/STRONG&gt; within a VNet-integrated landing zone requires a thoughtful balance between innovation and enterprise-grade security, especially in highly regulated industries like banking. This architecture enforces Responsible AI (RAI) principles and robust content safety controls while aligning with stringent security and compliance requirements. &lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;SPAN data-teams="true"&gt;By adopting a dual-stream design - comprising an AI Platform Layer and a Data Integration Layer, you can decouple model orchestration from data ingestion, enabling flexibility and scalability. Leveraging private networking constructs such as VNets, subnets, NSGs, and controlled routing ensures that all AI workloads operate within secure boundaries, while seamless integration with services like Azure AI Search, Azure Cosmos DB, Azure SQL Database, and Azure Document Intelligence enhances data accessibility and intelligence. &lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;SPAN data-teams="true"&gt;Event-driven ingestion patterns powered by Azure Data Factory and Azure Event Grid further enable real-time responsiveness. At the same time, real-world constraints - such as IP range allowlisting for Microsoft Foundry and private networking limitations—must be carefully accounted for. Ultimately, this approach ensures a secure, compliant, and scalable foundation for enterprise AI adoption.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class="lia-align-justify"&gt;&lt;SPAN data-teams="true"&gt;Below are the pointers that this blog focuses:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Deploy Azure Microsoft Foundry in a &lt;STRONG&gt;VNet-integrated landing zone&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Enforce &lt;STRONG&gt;Responsible AI (RAI) policies and content safety controls&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Align AI architecture with &lt;STRONG&gt;enterprise (banking) security requirements&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Implement a dual-stream architecture:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;&lt;STRONG&gt;AI Platform Layer&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Data Integration Layer&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Use private networking with &lt;STRONG&gt;VNet, subnets, NSGs, and routing&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Integrate with &lt;STRONG&gt;Azure AI Search, Cosmos DB, SQL, and Document Intelligence&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Enable event-driven ingestion using &lt;STRONG&gt;Azure Data Factory and Event Grid&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Account for real-world constraints:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;&lt;STRONG&gt;IP range allowlisting for Microsoft Foundry&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Private networking limitations&lt;/LI&gt;
&lt;/UL&gt;
&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-justify"&gt;Design for &lt;STRONG&gt;secure, compliant, and scalable AI consumption&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Problem Statement&lt;/H2&gt;
&lt;P&gt;Operationalizing Responsible AI in enterprise environments requires more than defining policies.&lt;/P&gt;
&lt;P&gt;Key challenges include:&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Translating Responsible AI principles into &lt;STRONG&gt;enforceable platform controls&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Deploying AI services within &lt;STRONG&gt;private, enterprise-grade networks&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Managing &lt;STRONG&gt;network constraints and service limitations&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Ensuring consistent integration across:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;AI services&lt;/LI&gt;
&lt;LI&gt;Data pipelines&lt;/LI&gt;
&lt;LI&gt;Application layers&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Without a structured approach, AI platforms risk being &lt;STRONG&gt;non-compliant, insecure, or difficult to scale&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H2&gt;Goals&lt;/H2&gt;
&lt;P&gt;Design an AI landing zone that:&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Enforces &lt;STRONG&gt;Responsible AI at the platform level&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Enables &lt;STRONG&gt;secure model deployment and access&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Operates fully within &lt;STRONG&gt;private network boundaries&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Integrates &lt;STRONG&gt;AI and Data services seamlessly&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Provides &lt;STRONG&gt;governed and controlled AI consumption&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Architecture Overview&lt;/H2&gt;
&lt;P&gt;Structure the platform into four layers:&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;&lt;STRONG&gt;Network Layer&lt;/STRONG&gt; → VNet, subnets, NSGs, routing&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;AI Platform Layer&lt;/STRONG&gt; → Microsoft Foundry, models, RAI policies&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Data Layer&lt;/STRONG&gt; → ADF, SHIR, Event Grid&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Application Layer&lt;/STRONG&gt; → Function Apps, Web Apps&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;H2&gt;Microsoft Foundry Setup in Enterprise Context&lt;/H2&gt;
&lt;P&gt;Set up Azure Microsoft Foundry as the &lt;STRONG&gt;core AI platform layer&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H3&gt;Key steps:&lt;/H3&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Create Microsoft&lt;STRONG&gt;&amp;nbsp;Foundry projects&lt;/STRONG&gt; to isolate use cases&lt;/LI&gt;
&lt;LI&gt;Deploy models within controlled project boundaries&lt;/LI&gt;
&lt;LI&gt;Restrict access using:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;VNet integration&lt;/LI&gt;
&lt;LI&gt;Private endpoints&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;Disable public access wherever possible&lt;/LI&gt;
&lt;LI&gt;Integrate with supporting services:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Azure AI Search (retrieval)&lt;/LI&gt;
&lt;LI&gt;Cosmos DB / SQL (data storage)&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;Design Principle&lt;/H3&gt;
&lt;P&gt;Treat AI services as &lt;STRONG&gt;governed platform components&lt;/STRONG&gt;, not standalone resources.&lt;/P&gt;
&lt;H2&gt;Responsible AI Implementation&lt;/H2&gt;
&lt;H3&gt;1. RAI Policies&lt;/H3&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Define policies at the &lt;STRONG&gt;model interaction layer&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Configure controls for:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Output moderation&lt;/LI&gt;
&lt;LI&gt;Prompt handling&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;Align policies with &lt;STRONG&gt;organizational compliance requirements&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;2. Content Safety&lt;/H3&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Integrate content safety as a &lt;STRONG&gt;mandatory runtime layer&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Ensure all model outputs pass through filtering before reaching applications&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;&lt;STRONG&gt; Content Safety Flow&lt;/STRONG&gt;&lt;/img&gt;
&lt;H3&gt;3. Model Governance&lt;/H3&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Control model deployment via Microsoft Foundry&lt;/LI&gt;
&lt;LI&gt;Restrict direct access to models&lt;/LI&gt;
&lt;LI&gt;Route all interactions through:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Function Apps&lt;/LI&gt;
&lt;LI&gt;API layers&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Handling VNet-Integrated Deployment Challenges&lt;/H2&gt;
&lt;P&gt;Enterprise deployments introduce constraints that must be addressed early.&lt;/P&gt;
&lt;H5&gt;Challenge 1: Microsoft Foundry VNet Integration&lt;/H5&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Microsoft Foundry requires &lt;STRONG&gt;careful network planning&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Standard enterprise patterns may not work without validation&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Challenge 2: IP Range Constraints&lt;/H5&gt;
&lt;P&gt;When designing the VNet:&lt;/P&gt;
&lt;UL data-spread="true"&gt;
&lt;LI&gt;10.x.x.x range&lt;BR /&gt;→ Not GA for all Azure regions by default&lt;/LI&gt;
&lt;LI&gt;Requires:&lt;BR /&gt;→ &lt;STRONG&gt;Allowlisting via Microsoft Product Group&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Supported ranges (commonly observed):
&lt;UL data-spread="false"&gt;
&lt;LI&gt;172.x.x.x&lt;/LI&gt;
&lt;LI&gt;192.x.x.x&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;Recommended Approach&lt;/H3&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Validate supported IP ranges &lt;STRONG&gt;before finalizing network design&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Avoid assuming default enterprise CIDR blocks will work&lt;/LI&gt;
&lt;LI&gt;Plan subnets specifically for &lt;STRONG&gt;AI workloads&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Challenge 3: Platform Constraints&lt;/H5&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;AI services may behave differently compared to traditional PaaS services&lt;/LI&gt;
&lt;LI&gt;Validate:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Private endpoint compatibility&lt;/LI&gt;
&lt;LI&gt;Service integration within VNet&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Challenge 4: Security vs Accessibility&lt;/H5&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Private deployments improve security but add complexity&lt;/LI&gt;
&lt;LI&gt;Address this by:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Providing controlled access paths&lt;/LI&gt;
&lt;LI&gt;Using jump hosts or secure access mechanisms&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Key Design Considerations&lt;/H2&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Treat networking as a &lt;STRONG&gt;core dependency for AI platforms&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Enforce Responsible AI across:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Model layer&lt;/LI&gt;
&lt;LI&gt;Platform layer&lt;/LI&gt;
&lt;LI&gt;Runtime layer&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;Use &lt;STRONG&gt;layered security architecture&lt;/STRONG&gt;:
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Network isolation&lt;/LI&gt;
&lt;LI&gt;Policy enforcement&lt;/LI&gt;
&lt;LI&gt;Content filtering&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;Validate constraints early to avoid redesign&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Best Practices&lt;/H2&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Plan IP addressing specifically for &lt;STRONG&gt;AI workloads&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Use &lt;STRONG&gt;private endpoints and VNet integration by default&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Centralize model access through &lt;STRONG&gt;application layers&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Apply Responsible AI controls as &lt;STRONG&gt;mandatory, not optional&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Design AI platforms with &lt;STRONG&gt;governance built-in from the start&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Conclusion&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;Operationalizing Responsible AI in Microsoft Azure goes beyond defining policies—it demands tight alignment across AI services, infrastructure, networking, and governance controls. A well-architected AI landing zone provides the foundation for securely deploying models, enforcing content filtering on outputs, and ensuring that access remains strictly within enterprise-defined boundaries.&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;AI services&lt;/LI&gt;
&lt;LI&gt;Infrastructure&lt;/LI&gt;
&lt;LI&gt;Networking&lt;/LI&gt;
&lt;LI&gt;Governance controls&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;A well-designed AI landing zone ensures that:&lt;/P&gt;
&lt;UL data-spread="false"&gt;
&lt;LI&gt;Models are deployed securely&lt;/LI&gt;
&lt;LI&gt;Outputs are governed and filtered&lt;/LI&gt;
&lt;LI&gt;Access is controlled within enterprise boundaries&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Responsible AI is not just a policy—it is an &lt;STRONG&gt;architectural outcome driven by platform design, network constraints, and enforcement mechanisms&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;This holistic approach transforms Responsible AI from a conceptual guideline into a practical, enforceable outcome of system design. Crucially, early architectural decisions—particularly those related to networking, private access, and service compatibility—have a lasting impact on how effectively Responsible AI can be scaled across the organization.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 06 May 2026 05:23:44 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/operationalizing-responsible-ai-in-microsoft-foundry-within/ba-p/4516869</guid>
      <dc:creator>Shruti9162</dc:creator>
      <dc:date>2026-05-06T05:23:44Z</dc:date>
    </item>
    <item>
      <title>Deploying Azure Resources with Managed HSM Keys Using Bicep</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/deploying-azure-resources-with-managed-hsm-keys-using-bicep/ba-p/4516971</link>
      <description>&lt;H2 data-section-id="14kwlto" data-start="766" data-end="793"&gt;Architecture Overview&lt;/H2&gt;
&lt;P data-start="795" data-end="819"&gt;The deployment includes:&lt;/P&gt;
&lt;UL data-start="821" data-end="1029"&gt;
&lt;LI data-section-id="12vqy4y" data-start="821" data-end="845"&gt;Managed HSM instance&lt;/LI&gt;
&lt;LI data-section-id="16xrtlo" data-start="846" data-end="873"&gt;Key creation inside HSM&lt;/LI&gt;
&lt;LI data-section-id="8xx89z" data-start="874" data-end="928"&gt;User-assigned managed identity / service principal&lt;/LI&gt;
&lt;LI data-section-id="19unc8k" data-start="929" data-end="964"&gt;Role assignments for key access&lt;/LI&gt;
&lt;LI data-section-id="1ulu1bd" data-start="965" data-end="1029"&gt;Azure resource (e.g., Storage / Databricks / Disk) using CMK&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="1031" data-end="1040"&gt;&lt;STRONG data-start="1031" data-end="1040"&gt;Flow:&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL data-start="1041" data-end="1155"&gt;
&lt;LI data-section-id="1xiu8q5" data-start="1041" data-end="1064"&gt;Create Managed HSM&lt;/LI&gt;
&lt;LI data-section-id="bt4lol" data-start="1065" data-end="1091"&gt;Create encryption key&lt;/LI&gt;
&lt;LI data-section-id="q080sh" data-start="1092" data-end="1115"&gt;Assign permissions&lt;/LI&gt;
&lt;LI data-section-id="7f9jyq" data-start="1116" data-end="1155"&gt;Deploy resource with CMK reference&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2 data-section-id="16qpaeu" data-start="1162" data-end="1181"&gt;Prerequisites&lt;/H2&gt;
&lt;P data-start="1183" data-end="1207"&gt;Before starting, ensure:&lt;/P&gt;
&lt;UL data-start="1208" data-end="1352"&gt;
&lt;LI data-section-id="1qk79he" data-start="1208" data-end="1254"&gt;Azure subscription with proper permissions&lt;/LI&gt;
&lt;LI data-section-id="6c9rgg" data-start="1255" data-end="1287"&gt;Access to create Managed HSM&lt;/LI&gt;
&lt;LI data-section-id="1i2075y" data-start="1288" data-end="1328"&gt;Knowledge of RBAC vs access policies&lt;/LI&gt;
&lt;LI data-section-id="lccr77" data-start="1329" data-end="1352"&gt;Bicep CLI installed&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-section-id="18wqp5s" data-start="1359" data-end="1392"&gt;Step 1: Deploy Managed HSM&lt;/H2&gt;
&lt;P data-start="1394" data-end="1442"&gt;Managed HSM is different from regular Key Vault:&lt;/P&gt;
&lt;UL data-start="1443" data-end="1530"&gt;
&lt;LI data-section-id="zmvddo" data-start="1443" data-end="1484"&gt;Uses &lt;STRONG data-start="1450" data-end="1463"&gt;RBAC only&lt;/STRONG&gt; (no access policies)&lt;/LI&gt;
&lt;LI data-section-id="lmut00" data-start="1485" data-end="1530"&gt;Requires &lt;STRONG data-start="1496" data-end="1530"&gt;security domain initialization&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="1532" data-end="1550"&gt;&lt;STRONG data-start="1532" data-end="1550"&gt;Bicep snippet:&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 100%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;EM&gt;resource managedHsm 'Microsoft.KeyVault/managedHSMs@2023-02-01' = {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;name: hsmName&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;location: location&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;sku: {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;name: 'Standard_B1'&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;family: 'B'&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;properties: {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;tenantId: tenant().tenantId&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;initialAdminObjectIds: [&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;adminObjectId&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;]&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2 data-section-id="18wqp5s" data-start="1359" data-end="1392"&gt;Step 2: Create Key in Managed HSM&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 100%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;EM&gt;resource key 'Microsoft.KeyVault/managedHSMs/keys@2023-02-01' = {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;name: '${managedHsm.name}/cmk-key'&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;properties: {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;kty: 'RSA-HSM'&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;keySize: 2048&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2 data-section-id="daskzu" data-start="2059" data-end="2091"&gt;Step 3: Assign Permissions&lt;/H2&gt;
&lt;P data-start="2093" data-end="2140"&gt;Since Managed HSM uses RBAC, assign roles like:&lt;/P&gt;
&lt;UL data-start="2142" data-end="2204"&gt;
&lt;LI data-section-id="ttxtbd" data-start="2142" data-end="2171"&gt;&lt;STRONG data-start="2144" data-end="2171"&gt;Managed HSM Crypto User&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI data-section-id="h48emi" data-start="2172" data-end="2204"&gt;&lt;STRONG data-start="2174" data-end="2204"&gt;Managed HSM Crypto Officer&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 100%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;EM&gt;resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;name: guid(resourceGroup().id, principalId, roleDefinitionId)&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;properties: {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;principalId: principalId&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;roleDefinitionId: roleDefinitionId&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;scope: managedHsm&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H2 data-section-id="1da8j2j" data-start="2482" data-end="2523"&gt;Step 4: Configure Resource with CMK&lt;/H2&gt;
&lt;P data-start="2525" data-end="2560"&gt;Example: Storage Account encryption&lt;/P&gt;
&lt;P data-start="2525" data-end="2560"&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 100%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;EM&gt;resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;name: storageName&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;location: location&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;kind: 'StorageV2'&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;sku: {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;name: 'Standard_LRS'&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;properties: {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;encryption: {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;keySource: 'Microsoft.Keyvault'&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;keyvaultproperties: {&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;keyname: key.name&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;keyvaulturi: managedHsm.properties.hsmUri&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;}&lt;/EM&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2 data-section-id="8bi4hj" data-start="2944" data-end="2967"&gt;Common Challenges&lt;/H2&gt;
&lt;H3 data-section-id="161slp4" data-start="2969" data-end="2993"&gt;1. Permission Issues&lt;/H3&gt;
&lt;UL data-start="2994" data-end="3081"&gt;
&lt;LI data-section-id="ijcy0f" data-start="2994" data-end="3043"&gt;Resource identity must have access to HSM key&lt;/LI&gt;
&lt;LI data-section-id="jwzwfn" data-start="3044" data-end="3081"&gt;Missing role → deployment failure&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="11r9wu3" data-start="3083" data-end="3109"&gt;2. Key Rotation Impact&lt;/H3&gt;
&lt;P data-start="3110" data-end="3132"&gt;When keys are rotated:&lt;/P&gt;
&lt;UL data-start="3133" data-end="3242"&gt;
&lt;LI data-section-id="1j42t7b" data-start="3133" data-end="3189"&gt;Resource may &lt;STRONG data-start="3148" data-end="3189"&gt;not automatically pick latest version&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI data-section-id="11i2ju7" data-start="3190" data-end="3242"&gt;You may need to redeploy or update configuration&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3 data-section-id="1g57nqh" data-start="3244" data-end="3268"&gt;3. Deployment Errors&lt;/H3&gt;
&lt;P data-start="3269" data-end="3283"&gt;Typical issue:&lt;/P&gt;
&lt;P data-start="3286" data-end="3328"&gt;Storage/Databricks cannot access HSM key&lt;/P&gt;
&lt;P data-start="3330" data-end="3334"&gt;Fix:&lt;/P&gt;
&lt;UL data-start="3335" data-end="3427"&gt;
&lt;LI data-section-id="1og5zq1" data-start="3335" data-end="3376"&gt;Ensure correct &lt;STRONG data-start="3352" data-end="3376"&gt;RBAC role assignment&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI data-section-id="lhn1m4" data-start="3377" data-end="3427"&gt;Validate &lt;STRONG data-start="3388" data-end="3427"&gt;principal ID used during deployment&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2 data-section-id="j8by84" data-start="3434" data-end="3461"&gt;Key Rotation Strategy&lt;/H2&gt;
&lt;P data-start="3463" data-end="3484"&gt;Managed HSM supports:&lt;/P&gt;
&lt;UL data-start="3485" data-end="3526"&gt;
&lt;LI data-section-id="xlgvnq" data-start="3485" data-end="3504"&gt;Manual rotation&lt;/LI&gt;
&lt;LI data-section-id="jetw2i" data-start="3505" data-end="3526"&gt;Rotation policies&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="3528" data-end="3542"&gt;Best practice:&lt;/P&gt;
&lt;UL data-start="3543" data-end="3619"&gt;
&lt;LI data-section-id="yh468d" data-start="3543" data-end="3584"&gt;Use version-less key URI if supported&lt;/LI&gt;
&lt;LI data-section-id="2lnggm" data-start="3585" data-end="3619"&gt;Automate redeployment pipeline&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2 data-section-id="1im216t" data-start="3898" data-end="3940"&gt;When to Use Managed HSM vs Key Vault&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Feature&lt;/th&gt;&lt;th&gt;Managed HSM&lt;/th&gt;&lt;th&gt;Key Vault&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;FIPS Level&lt;/td&gt;&lt;td&gt;Level 3&lt;/td&gt;&lt;td&gt;Level 2&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Multi-tenant isolation&lt;/td&gt;&lt;td&gt;No (dedicated)&lt;/td&gt;&lt;td&gt;Yes&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;RBAC only&lt;/td&gt;&lt;td&gt;Yes&lt;/td&gt;&lt;td&gt;Optional&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Cost&lt;/td&gt;&lt;td&gt;Higher&lt;/td&gt;&lt;td&gt;Lower&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2 data-section-id="20nd6j" data-start="4163" data-end="4179"&gt;Conclusion&lt;/H2&gt;
&lt;P data-start="4181" data-end="4218"&gt;Using Managed HSM with Bicep enables:&lt;/P&gt;
&lt;UL data-start="4219" data-end="4345"&gt;
&lt;LI data-section-id="11thqyt" data-start="4219" data-end="4266"&gt;Stronger security with hardware-backed keys&lt;/LI&gt;
&lt;LI data-section-id="1w99h6q" data-start="4267" data-end="4313"&gt;Full automation via Infrastructure as Code&lt;/LI&gt;
&lt;LI data-section-id="1dqn9x4" data-start="4314" data-end="4345"&gt;Enterprise-grade compliance&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="4347" data-end="4388"&gt;However, it requires careful handling of:&lt;/P&gt;
&lt;UL data-start="4389" data-end="4451"&gt;
&lt;LI data-section-id="16zsxky" data-start="4389" data-end="4409"&gt;RBAC permissions&lt;/LI&gt;
&lt;LI data-section-id="1yu906j" data-start="4410" data-end="4426"&gt;Key rotation&lt;/LI&gt;
&lt;LI data-section-id="vs4gxo" data-start="4427" data-end="4451"&gt;Resource integration&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 05 May 2026 09:30:46 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/deploying-azure-resources-with-managed-hsm-keys-using-bicep/ba-p/4516971</guid>
      <dc:creator>Roslin_Nivetha</dc:creator>
      <dc:date>2026-05-05T09:30:46Z</dc:date>
    </item>
    <item>
      <title>Building an AI Agent for Azure Infrastructure Validation</title>
      <link>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-an-ai-agent-for-azure-infrastructure-validation/ba-p/4516936</link>
      <description>&lt;img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;1. Introduction&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;Infrastructure consistency is critical in large-scale Azure environments, especially in migration programs and DevOps-driven deployments. While Infrastructure as Code (IaC) using Terraform improves reproducibility, it does not fully eliminate:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Manual errors in design specifications&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Drift between Terraform and deployed resources&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Misalignment between approved design (Excel/architecture docs) and deployed state&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;To address this, we propose building an AI-powered Infrastructure Validation Agent that continuously validates and reconciles:&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Excel (Source of Truth)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Terraform (.tf files)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure Deployed Resources&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;This blog explains the architecture, implementation, validation logic, and real-world applicability of such an agent.&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;H2&gt;2. Problem Statement&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;In enterprise environments, infrastructure data flows through multiple stages:&lt;/STRONG&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;
&lt;TABLE style="" border="1"&gt;
&lt;TBODY&gt;
&lt;TR style=""&gt;
&lt;TH style=""&gt;&lt;STRONG&gt;Source&lt;/STRONG&gt;&lt;/TH&gt;
&lt;TH style=""&gt;&lt;STRONG&gt;Purpose&lt;/STRONG&gt;&lt;/TH&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Excel / Design Sheets&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Approved architecture specifications&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Terraform&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Infrastructure as Code implementation&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Azure Portal&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Actual deployed infrastructure&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;/TBODY&gt;
&lt;COLGROUP&gt;&lt;COL style="width: 50.00%" /&gt;&lt;COL style="width: 50.00%" /&gt;&lt;/COLGROUP&gt;&lt;/TABLE&gt;
&lt;/DIV&gt;
&lt;H3&gt;3.Common Challenges&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Configuration mismatches across stages&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Drift due to manual portal changes&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Incorrect SKU, region, or configuration deployment&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Lack of automated validation before and after deployment&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;The absence of unified validation leads to compliance risks, deployment errors, and operational inefficiencies.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;4. Solution Overview&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;The proposed solution is an AI-powered validation agent that:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Ingests Excel as configuration input&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Parses Terraform configurations&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Fetches deployed resource details from Azure&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;5. Architecture Overview&lt;/H2&gt;
&lt;H3&gt;High-Level Architecture Components&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Input Layer&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Excel file (configuration source)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Processing Layer&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Terraform Parser&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure Resource Fetcher&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;AI-based Validator (optional reasoning layer)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Comparison Engine&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Schema-based comparison&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Drift detection logic&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Output Layer&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validation report (JSON / Excel / HTML)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Hosting&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure Function App&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Optional Enhancements&lt;/STRONG&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure AI Search for semantic matching and reasoning&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2&gt;6. Agent Design (Modular Components)&lt;/H2&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;
&lt;TABLE style="" border="1"&gt;
&lt;TBODY&gt;
&lt;TR style=""&gt;
&lt;TH style=""&gt;&lt;STRONG&gt;Module&lt;/STRONG&gt;&lt;/TH&gt;
&lt;TH style=""&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/TH&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Excel Reader&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Reads and standardizes input&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Terraform Parser&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Extracts resource configuration&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Azure Fetcher&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Queries deployed resources&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Comparator Engine&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Identifies mismatches&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;AI Validator&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Enhances validation and recommendations&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Report Generator&lt;/STRONG&gt;&lt;/TD&gt;
&lt;TD style=""&gt;&lt;STRONG&gt;Produces actionable outputs&lt;/STRONG&gt;&lt;/TD&gt;
&lt;/TR&gt;
&lt;/TBODY&gt;
&lt;COLGROUP&gt;&lt;COL style="width: 50.00%" /&gt;&lt;COL style="width: 50.00%" /&gt;&lt;/COLGROUP&gt;&lt;/TABLE&gt;
&lt;/DIV&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;
&lt;P&gt;`&lt;/P&gt;
&lt;/DIV&gt;
&lt;H2&gt;7. Agent Design&lt;BR /&gt;Step 1: Read Excel Input&lt;/H2&gt;
&lt;P&gt;import pandas as pd&lt;/P&gt;
&lt;P&gt;ef read_excel(file_path):&lt;/P&gt;
&lt;P&gt;df = pd.read_excel(file_path)&lt;/P&gt;
&lt;P&gt;df.columns = df.columns.str.strip()&lt;/P&gt;
&lt;P&gt;return df&lt;/P&gt;
&lt;P&gt;excel_df = read_excel("infra_config.xlsx")&lt;/P&gt;
&lt;P&gt;print(excel_df.head())&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;H2&gt;Step 2:Parse Terraform Files&lt;/H2&gt;
&lt;P&gt;import hcl2&lt;/P&gt;
&lt;P&gt;def parse_terraform(file_path):&lt;/P&gt;
&lt;P&gt;with open(file_path, 'r') as file:&lt;/P&gt;
&lt;P&gt;data = hcl2.load(file)&lt;/P&gt;
&lt;P&gt;resources = []&lt;/P&gt;
&lt;P&gt;for resource_type in data.get('resource', []):&lt;/P&gt;
&lt;P&gt;for rtype, instances in resource_type.items():&lt;/P&gt;
&lt;P&gt;for name, config in instances.items():&lt;/P&gt;
&lt;P&gt;resource = {&lt;/P&gt;
&lt;P&gt;"resource_type": rtype,&lt;/P&gt;
&lt;P&gt;"resource_name": name,&lt;/P&gt;
&lt;P&gt;"config": config&lt;/P&gt;
&lt;P&gt;}&lt;/P&gt;
&lt;P&gt;resources.append(resource)&lt;/P&gt;
&lt;P&gt;return resources&lt;/P&gt;
&lt;P&gt;tf_resources = parse_terraform("main.tf")&lt;/P&gt;
&lt;P&gt;print(tf_resources)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Step 3:Parse Terraform Files&lt;/H2&gt;
&lt;P&gt;from azure.identity import DefaultAzureCredential&lt;/P&gt;
&lt;P&gt;from azure.mgmt.resource import ResourceManagementClient&lt;/P&gt;
&lt;P&gt;credential = DefaultAzureCredential()&lt;/P&gt;
&lt;P&gt;subscription_id = "your-subscription-id"&lt;/P&gt;
&lt;P&gt;resource_client = ResourceManagementClient(credential, subscription_id)&lt;/P&gt;
&lt;P&gt;def fetch_azure_resources():&lt;/P&gt;
&lt;P&gt;resources = []&lt;/P&gt;
&lt;P&gt;for resource in resource_client.resources.list():&lt;/P&gt;
&lt;P&gt;res = {&lt;/P&gt;
&lt;P&gt;"name": resource.name,&lt;/P&gt;
&lt;P&gt;"type": resource.type,&lt;/P&gt;
&lt;P&gt;"location": resource.location,&lt;/P&gt;
&lt;P&gt;"id": resource.id&lt;/P&gt;
&lt;P&gt;}&lt;/P&gt;
&lt;P&gt;resources.append(res)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;return resources&lt;/P&gt;
&lt;P&gt;azure_resources = fetch_azure_resources()&lt;/P&gt;
&lt;P&gt;print(azure_resources)&lt;/P&gt;
&lt;H2&gt;Step 4:Normalize Data&lt;/H2&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;def normalize_excel(df):&lt;/P&gt;
&lt;P&gt;return df.to_dict(orient='records')&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;def normalize_tf(tf_resources):&lt;/P&gt;
&lt;P&gt;normalized = []&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;for res in tf_resources:&lt;/P&gt;
&lt;P&gt;normalized.append({&lt;/P&gt;
&lt;P&gt;"resource_name": res["resource_name"],&lt;/P&gt;
&lt;P&gt;"resource_type": res["resource_type"],&lt;/P&gt;
&lt;P&gt;"config": res["config"]&lt;/P&gt;
&lt;P&gt;})&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;return normalized&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;def normalize_azure(azure_resources):&lt;/P&gt;
&lt;P&gt;normalized = []&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;for res in azure_resources:&lt;/P&gt;
&lt;P&gt;normalized.append({&lt;/P&gt;
&lt;P&gt;"resource_name": res["name"],&lt;/P&gt;
&lt;P&gt;"resource_type": res["type"],&lt;/P&gt;
&lt;P&gt;"location": res["location"]&lt;/P&gt;
&lt;P&gt;})&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;return normalized&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Step 5: Validation Logic (Drift Detection)&lt;/H2&gt;
&lt;P&gt;def compare_resources(excel_data, tf_data, azure_data):&lt;/P&gt;
&lt;P&gt;issues = []&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;for excel_res in excel_data:&lt;/P&gt;
&lt;P&gt;name = excel_res['resource_name']&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;tf_match = next((r for r in tf_data if r['resource_name'] == name), None)&lt;/P&gt;
&lt;P&gt;az_match = next((r for r in azure_data if r['resource_name'] == name), None)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if not tf_match:&lt;/P&gt;
&lt;P&gt;issues.append({&lt;/P&gt;
&lt;P&gt;"resource": name,&lt;/P&gt;
&lt;P&gt;"issue": "Missing in Terraform",&lt;/P&gt;
&lt;P&gt;"severity": "High"&lt;/P&gt;
&lt;P&gt;})&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if not az_match:&lt;/P&gt;
&lt;P&gt;issues.append({&lt;/P&gt;
&lt;P&gt;"resource": name,&lt;/P&gt;
&lt;P&gt;"issue": "Missing in Azure",&lt;/P&gt;
&lt;P&gt;"severity": "Critical"&lt;/P&gt;
&lt;P&gt;})&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if tf_match and az_match:&lt;/P&gt;
&lt;P&gt;if excel_res['region'] != az_match.get('location'):&lt;/P&gt;
&lt;P&gt;issues.append({&lt;/P&gt;
&lt;P&gt;"resource": name,&lt;/P&gt;
&lt;P&gt;"issue": "Region mismatch",&lt;/P&gt;
&lt;P&gt;"expected": excel_res['region'],&lt;/P&gt;
&lt;P&gt;"actual": az_match.get('location')&lt;/P&gt;
&lt;P&gt;})&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;return issues&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;drift_report = compare_resources(&lt;/P&gt;
&lt;P&gt;normalize_excel(excel_df),&lt;/P&gt;
&lt;P&gt;normalize_tf(tf_resources),&lt;/P&gt;
&lt;P&gt;normalize_azure(azure_resources)&lt;/P&gt;
&lt;P&gt;)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;print(drift_report)&lt;/P&gt;
&lt;H2&gt;Step 6: Export Report to Excel&lt;/H2&gt;
&lt;P&gt;Sample validation&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;
&lt;TABLE style="" border="1"&gt;
&lt;THEAD&gt;
&lt;TR style=""&gt;
&lt;TH style=""&gt;Resource&lt;/TH&gt;
&lt;TH style=""&gt;Issue&lt;/TH&gt;
&lt;TH style=""&gt;Expected&lt;/TH&gt;
&lt;TH style=""&gt;Actual&lt;/TH&gt;
&lt;TH style=""&gt;Severity&lt;/TH&gt;
&lt;/TR&gt;
&lt;/THEAD&gt;
&lt;TBODY&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;func-app-01&lt;/TD&gt;
&lt;TD style=""&gt;Missing in Terraform&lt;/TD&gt;
&lt;TD style=""&gt;-&lt;/TD&gt;
&lt;TD style=""&gt;-&lt;/TD&gt;
&lt;TD style=""&gt;High&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;search-01&lt;/TD&gt;
&lt;TD style=""&gt;SKU mismatch&lt;/TD&gt;
&lt;TD style=""&gt;Standard&lt;/TD&gt;
&lt;TD style=""&gt;Basic&lt;/TD&gt;
&lt;TD style=""&gt;Medium&lt;/TD&gt;
&lt;/TR&gt;
&lt;TR style=""&gt;
&lt;TD style=""&gt;webapp-01&lt;/TD&gt;
&lt;TD style=""&gt;Region mismatch&lt;/TD&gt;
&lt;TD style=""&gt;East US&lt;/TD&gt;
&lt;TD style=""&gt;West Europe&lt;/TD&gt;
&lt;TD style=""&gt;High&lt;/TD&gt;
&lt;/TR&gt;
&lt;/TBODY&gt;
&lt;COLGROUP&gt;&lt;COL style="width: 20.00%" /&gt;&lt;COL style="width: 20.00%" /&gt;&lt;COL style="width: 20.00%" /&gt;&lt;COL style="width: 20.00%" /&gt;&lt;COL style="width: 20.00%" /&gt;&lt;/COLGROUP&gt;&lt;/TABLE&gt;
&lt;/DIV&gt;
&lt;BR /&gt;&lt;BR /&gt;&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 May 2026 06:05:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/azure-infrastructure-blog/building-an-ai-agent-for-azure-infrastructure-validation/ba-p/4516936</guid>
      <dc:creator>ranjsharma</dc:creator>
      <dc:date>2026-05-05T06:05:23Z</dc:date>
    </item>
  </channel>
</rss>

