# TenantZero AI
Private-by-default Azure infrastructure baseline for AI workloads.
TenantZero AI deploys networking, identity, model access, retrieval/data services, observability, and optional private AKS across isolated dev, staging, and prod environments — entirely within your Azure subscription.
## What This Solution Provides
- Infrastructure Blueprint — Reusable Terraform modules for secure Azure AI primitives
- AI Landing Zone Accelerator — Private networking, identity, observability, and policy baseline
- AI Governance Platform — Policy enforcement, RBAC, diagnostics, cost controls, and governed extension points
## Scope
This repository is infrastructure-only. No application code, UI, workflow logic, or shared hosting model.
## Architecture Principles
- Private endpoints for all platform PaaS services
- Public network access disabled where supported
- Microsoft Entra ID + managed identities (no shared keys)
- Customer-owned subscription, data, keys, and state
- Contract-driven modules with explicit input/output contracts
- Composition over conditionals — root stacks compose, modules don't assume context
- Environment isolation with separate state files
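The following Terraform fragment is an added illustration of the first three principles (private endpoints, public access disabled, Entra ID plus managed identities instead of shared keys). It is not one of the TenantZero AI modules; it shows a deliberately open Key Vault beside a hardened one, plus an Azure OpenAI account with key-based auth turned off. Resource names, the resource group, the private-endpoint subnet and the `privatelink.vaultcore.azure.net` zone are placeholders assumed to exist, and attribute names follow the azurerm 3.x provider.

```terraform
# Added example, not project code. All names below are hypothetical placeholders.
data "azurerm_client_config" "current" {}

# Weak: reachable from the public internet, legacy access-policy model, no private link.
resource "azurerm_key_vault" "open" {
  name                          = "kv-example-open"   # placeholder
  location                      = "eastus"
  resource_group_name           = "rg-example"        # placeholder
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  public_network_access_enabled = true
  enable_rbac_authorization     = false
}

# Hardened: public access off, default-deny network ACLs, Entra ID RBAC, private endpoint.
resource "azurerm_key_vault" "private" {
  name                          = "kv-example-private"
  location                      = "eastus"
  resource_group_name           = "rg-example"
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  public_network_access_enabled = false
  enable_rbac_authorization     = true
  purge_protection_enabled      = true

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

resource "azurerm_private_endpoint" "kv" {
  name                = "pe-kv-example-private"
  location            = "eastus"
  resource_group_name = "rg-example"
  subnet_id           = azurerm_subnet.private_endpoints.id   # assumed existing subnet

  private_service_connection {
    name                           = "kv-private-link"
    private_connection_resource_id = azurerm_key_vault.private.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }

  private_dns_zone_group {
    name                 = "kv-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.kv.id]   # privatelink.vaultcore.azure.net, assumed
  }
}

# Workload identity: a managed identity holding a data-plane role, no secret to leak.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-example-app"
  location            = "eastus"
  resource_group_name = "rg-example"
}

resource "azurerm_role_assignment" "app_kv_secrets" {
  scope                = azurerm_key_vault.private.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# Azure OpenAI with API keys disabled: callers must present an Entra ID token.
resource "azurerm_cognitive_account" "openai" {
  name                          = "oai-example"
  location                      = "eastus"
  resource_group_name           = "rg-example"
  kind                          = "OpenAI"
  sku_name                      = "S0"
  custom_subdomain_name         = "oai-example"   # required for token auth and private link
  public_network_access_enabled = false
  local_auth_enabled            = false
}
```

With `public_network_access_enabled = false` the vault's public hostname stops resolving to a reachable service, so the private DNS zone group is what makes the `privatelink` record appear to clients inside the VNet; forgetting it is the usual cause of "works from the portal, fails from the workload" reports. `local_auth_enabled = false` on the OpenAI account removes the two account keys as a credential entirely, so a leaked key from a notebook or CI log is not usable.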
## Maturity Tiers
| Tier | Capabilities |
|---|---|
| Foundation | VNet, private endpoints, OpenAI, AI Search, data profile, Key Vault |
| Enterprise | + Managed identity, diagnostics, Log Analytics, alerts, Azure Policy baseline, Defender for Cloud |
| Regulated | + CMK everywhere, private AKS, APIM, firewall routing, egress control, region restriction, role segmentation |
New capabilities extend the stack. They do not modify it.
## Module Structure

```text
modules/
  foundation/     naming, tags, resource_group
  networking/     vnet, private_dns, private_endpoint
  security/       key_vault
  ai/             openai, ai_search
  data/           cosmos, postgres
  observability/  log_analytics, diagnostics
  governance/     policy_baseline
  compute/        aks_private
```
## Quick Links
| Resource | Description |
|---|---|
| Architecture Overview | Implementation target and building blocks |
| Module Map & Data Flow | Detailed module contracts and composition |
| Security Controls | Identity, network, secrets, logging, controls mapping |
| Cost Model | Service costs, tier estimates, optimization levers |
| Blueprints | Tier composition references (Foundation, Enterprise, Regulated) |
| Getting Started | Bootstrap, configure, and deploy |
| Decisions | Architectural decision records (ADR-001 through ADR-013) |