Important
See the new bootstrap template repository - even more automated way to setup Enterprise Scale AIFactory's. (This section is still valid and good to read) Enterprise Scale AIFactory - Template repo, using the AI Factory as submodule
- Option A) Setup AIFactory - Infra Automation (AzureDevops YAML + BICEP)
- Option B) Setup AIFactory - Infra Automation (GithubActions+BICEP)
- *Option C) Setup AIFactory - Infra Automation (GithubActions+Terraform)
- TODO: Joakim
Just for information: Setup AIFactory - Infra Automation (AzureDevops classic + BICEP)
This is what you will get:
AIFactory architecture diagrams
Recommended approach is to combine BYOvNet with Hub-Connected & Centralized private DNZ zones. This enables all 4 access modes: Peering, VPN, Bastion, Whitelistlisting user IP's, and separates the networking from the AI Factory common area, to your centralized Hub (Hub/Spoke).
- Scenarios: Production scenario.
But if you want simplicty or want to setup an AI Factory in an isolated bubble - not involving your Hub, choose Standalone mode.
- Standalone mode is still secured with private networking, and you can reach the UI portals (Azure AI Foundry, Azure Machine Learning) via either:
VPN, Bastion, Whitelistlisting user IP's - Scenarios:
- Testing out the AI Factory accelerator
- Setup an AIFactory for a temporary workshop, that needs to have high security.
- If it is not possible to connect it to your HUB, for various reasons.
For Standalone mode using the AI Factory common resource group for both Virtual Network, Network Security Groups, Private DNS zones set the values as below: true, subscriptionId and resourcegroupNam where your centralized Private DNS zones resides. This is usually your Hub subscriptiom and platform-connectivity resource group.
"centralDnsZoneByPolicyInHub": {
"value": false
},
"privDnsSubscription_param": {
"value": ""
},
"privDnsResourceGroup_param": {
"value": ""
},For Hub-connected mode using your own Hub resource group for both Private DNS zones
Set values as below, e.g. where your centralized Private DNS zones resides. This is usually your Hub subscription and platform-connectivity resource group.
Docs-link: 10-esml-globals-4-13_21_22.json | Local-repo-link
"centralDnsZoneByPolicyInHub": {
"value": true
},
"privDnsSubscription_param": {
"value": "1asdfasdf-1234-134fd-123-1243123412341"
},
"privDnsResourceGroup_param": {
"value": "rg-platform-connectivity"
},
For Bring your own vNet, e.g. NOT using the AI Factory common resource group for Virtual Network, Network Security Groups location, set the parameters as below.
Docs-link: 10-esml-globals-override.json | Local-repo-link
"vnetResourceGroup_param": {
"value": "rg-where-vnet-resides"
},
"vnetNameFull_param": {
"value": "vnet-name-inside-of-resourcegroup"
},How-to Create EntraID groups, Connect to Personas, Add info to seeding keyvault:
Ask your AI Factory core team to read this
- Identity provider: Microsoft EntraID
- Client secret setting:
- Service principal: Project specific, see project keyvault
esml-project-sp-003
- Service principal: Project specific, see project keyvault
- Issuer URL: https://sts.windows.net/`your_tenantId`/v2.0
- See project keyvault for tenant id.
- Tenant requirement
- Allow requestes only from the issuer tenant
- The service principle,Authentication page for, `esml-project-sp-003, Needs to have API permissions, delegated, in Microsoft Graph:
- User.Read
- Sign in an read user profile
- offline_access
- Maintain data you have given it access to (such as login token, if offline)
- User.Read
Redirect url is on the same page, where checkbox is, and should be:
https://webapp-prj003-your-web-app-name-001.azurewebsites.net/.auth/login/aad/callback
- You can choose to run the WebApp within the subnet:
snet-esml-cmn-001-scoring