Merge pull request #55 from microsoft/ai-foundry-main-dev-merge

feat: Down merge from main and conflicts resolved

Author: Prajwal-Microsoft

.devcontainer/devcontainer.json

@@ -4,8 +4,8 @@
     "image": "mcr.microsoft.com/devcontainers/python:3.10-bullseye",
     "features": {
         // See https://containers.dev/features for list of features
-        "ghcr.io/devcontainers/features/docker-in-docker:2": {
-        },
-        "ghcr.io/azure/azure-dev/azd:latest": {}
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+        "ghcr.io/azure/azure-dev/azd:latest": {},
+        "ghcr.io/devcontainers/features/azure-cli:1": {}
     }
 }

.github/workflows/azure-dev.yml

@@ -25,14 +25,19 @@ jobs:
         uses: actions/checkout@v4
       - name: Install azd
         uses: Azure/setup-azd@v2
-      - name: Log in with Azure (Federated Credentials)
+      - name: Azure Developer CLI Login
         run: |
           azd auth login `
             --client-id "$Env:AZURE_CLIENT_ID" `
             --federated-credential-provider "github" `
             --tenant-id "$Env:AZURE_TENANT_ID" 
         shell: pwsh
-
+      - name: Azure CLI Login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
       - name: Provision Infrastructure
         run: azd provision --no-prompt
         env:

.gitignore

@@ -1,2 +1,4 @@
 .vscode
-.vs
+.vs
+.venv
+__pycache__

CHANGELOG.md

@@ -35,4 +35,4 @@ All notable changes to this project will be documented in this file.
 
 ## [1.0] - 2025-03-10
 ### Added
-- Initial release of the template.
+- Initial release of the template.

README.md

@@ -50,10 +50,16 @@ Offers ability to [start with an existing Azure AI Project](docs/transfer_projec
 1. Have access to an Azure subscription and Entra ID account with Contributor permissions.
 2. Confirm the subscription you are deploying into has the [Required Roles and Scopes](docs/Required_roles_scopes_resources.md).
 3. The solution ensures secure access to the private VNET through a jump-box VM with Azure Bastion. By default, Bastion does not require an inbound NSG rule for network traffic. However, if your environment enforces specific policy rules, you can resolve access issues by entering your machine's IP address in the `allowedIpAddress` parameter when prompted during deployment. If not specified, all IP addresses are allowed to connect to Azure Bastion. 
-4. If deploying from your [local environment](docs/local_environment_steps.md), install the [Azure Developer CLI (AZD)](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows).
+4. If deploying from your [local environment](docs/local_environment_steps.md), install the [Azure CLI (AZ)](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) and the [Azure Developer CLI (AZD)](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows).
 5. If deploying via [GitHub Codespaces](docs/github_code_spaces_steps.md) - requires the user to be on a GitHub Team or Enterprise Cloud plan.
 6. If leveraging [GitHub Actions](docs/github_actions_steps.md).
 
+### Check Azure OpenAI Quota Availability  
+
+To ensure sufficient quota is available in your subscription, please follow **[quota check instructions guide](./docs/quota_check.md)** before deploying the solution.
+
+### Services Enabled
+
 For additional documentation of the default enabled services of this solution accelerator, please see:
 
 1. [Azure Open AI Service](https://learn.microsoft.com/en-us/azure/ai-services/openai/)
@@ -94,7 +100,7 @@ Follow the post deployment steps [Post Deployment Steps](docs/github_code_spaces
 
 ### Region Availability
 
-By default, this template uses AI models which may not be available in all Azure regions. Check for [up-to-date region availability](https://learn.microsoft.com/azure/ai-services/openai/concepts/models#standard-deployment-model-availability) and select a region during deployment accordingly.
+By default, this template uses AI models which may not be available in all Azure regions. Please follow [quota check instructions guide](./docs/quota_check.md) before deploying the solution. Additionally, check for [up-to-date region availability](https://learn.microsoft.com/azure/ai-services/openai/concepts/models#standard-deployment-model-availability) and select a region during deployment accordingly.
 
 ### Costs
 
@@ -104,16 +110,12 @@ You can estimate the cost of this project's architecture with [Azure's pricing c
 
 This template has [Managed Identity](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview) built in to eliminate the need for developers to manage these credentials. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.
 
-
 ## Resources
 
 - [Azure AI Foundry documentation](https://learn.microsoft.com/en-us/azure/ai-foundry/)
 - [Azure Well Architecture Framework documentation](https://learn.microsoft.com/en-us/azure/well-architected/)
 - [Azure OpenAI Service - Documentation, quickstarts, API reference - Azure AI services | Microsoft Learn](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/use-your-data)
 - [Azure AI Content Understanding documentation](https://learn.microsoft.com/en-us/azure/ai-services/content-understanding/)
-
-
-
 ---
 
 ## Disclaimers

azure.yaml

@@ -1,12 +1,28 @@
-name: deploy-your-ai-application-in-production
-infra:
-    provider: "bicep"
-metadata:
-  template: deploy-your-ai-application-in-production@1.0
-hooks:
-   preup:
-      windows:
-        shell: pwsh
-        run: ./scripts/SetConnectionsEnvironmentVariables.ps1
-        interactive: true
-        continueOnError: false
+name: deploy-your-ai-application-in-production
+infra:
+    provider: "bicep"
+metadata:
+  template: deploy-your-ai-application-in-production@1.0
+hooks:
+  preup:
+    windows:
+      shell: pwsh
+      run: ./scripts/set_conns_env_vars.ps1
+      interactive: true
+      continueOnError: false
+    posix:
+      shell: sh
+      run: chmod u+r+x ./scripts/set_conns_env_vars.sh; ./scripts/set_conns_env_vars.sh
+      interactive: true
+      continueOnError: false
+  preprovision:
+    posix:
+      shell: sh
+      run: chmod u+r+x ./scripts/validate_model_deployment_quotas.sh; chmod u+r+x ./scripts/validate_model_quota.sh; ./scripts/validate_model_deployment_quotas.sh --subscription $AZURE_SUBSCRIPTION_ID --location $AZURE_LOCATION --models-parameter "aiModelDeployments"
+      interactive: false
+      continueOnError: false
+    windows:
+      shell: pwsh
+      run: ./scripts/validate_model_deployment_quotas.ps1 -Subscription $env:AZURE_SUBSCRIPTION_ID -Location $env:AZURE_LOCATION -ModelsParameter "aiModelDeployments"
+      interactive: false
+      continueOnError: false

docs/Verify_Services_On_Network.md

@@ -6,7 +6,7 @@ This guide will walk you through using a secure jump-box virtual machine to inst
 
 ### 1. Copy Testing Script to Virtual Machine
 
-Copy [TestConnections.ps1](./scripts/TestConnections.ps1) to the Virtual Machine.
+Copy [test_azure_resource_conns.ps1](./scripts/test_azure_resource_conns.ps1) to the Virtual Machine.
 
 ### 2. Install Azure CLI
 
@@ -41,7 +41,7 @@ $containerRegistry = "your-container-registry-name"
 ### 5. Execute Testing PowerShell Script
 
 ```powershell
-.\TestConnections.ps1 `
+.\test_azure_resource_conns.ps1 `
     -SubscriptionId $subscriptionId `
     -ResourceGroup $resourceGroup `
     -KeyVault $keyvault `

docs/github_code_spaces_steps.md

@@ -32,31 +32,40 @@ You can run this solution using GitHub Codespaces. The button will open a web-ba
 
    ![Image showing the password prompt for azure](../img/provisioning/enterpassword.png)
 
-   **Prompting for MFA**
+7. Return to the codespaces window and type “az login”. The [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/what-is-azure-cli?view=azure-cli-latest) is used to validate available AI model quota.
+     ![image showing theaz login in the vs code terminal](../img/provisioning/az_login.png)  
 
-   ![Image showing the pop up window in the web browser for azd auth](../img/provisioning/azdauthpopup.png)
-
-7. Return to the codespaces window now. In the terminal window, begin by initializing the environment by typing the command “azd init”
+8. Return to the codespaces window now. In the terminal window, begin by initializing the environment by typing the command “azd init”
 
    ![image showing the initial screen in the vs code terminal](../img/provisioning/azd_init_terminal.png)
 
-8. Enter the name for your environment
+9. Enter the name for your environment
 
    ![aImage showing entering a new environment name](../img/provisioning/enter_evn_name.png)
 
-9. Now start the deployment of the infrastructure by typing the command “azd provision”
+10. Now start the deployment of the infrastructure by typing the command “azd up”
+
+    ![image showing the terminal in vs code](../img/provisioning/azd_provision_terminal.png)
+
+    This step will allow you to choose from the subscriptions you have available, based on the account you logged in with in the login step. Next it will prompt you for the region to deploy the resources into as well as any additional Azure resources to be provisioned and configured.
+
+    **Be sure to remember the vm password. This will be used in a later step. You are still required to log into Azure once you connect through the virtual machine.
+
+
+11. The automated model quota check will run, and will check if the location selected will have the necessary quota for the AI Models that are listed in the parameters file prior to deploying any resources. 
+    ![image showing model quota pre-provision code executing](../img/provisioning/preprovision_output.png)
+
+
+    If the location selected has sufficient quota for the models you plan to deploy, the provisioning will begin without notification.
 
-   ![image showing the terminal in vs code](../img/provisioning/azd_provision_terminal.png)
+    ![image showing model quota pre-provision pass](../img/provisioning/preprovision_success.png)
 
-   This step will allow you to choose from the subscriptions you have available, based on the account you logged in with in the azd auth login step. Next it will prompt you for the region to deploy the resources into.
+    If the location selected does not have the available quota for the models selected in your parameters, there will be a message back to the user, prior to any provisioning of resources. This will allow the developer to change the location of the provisiong and try again. Note that in our example, Italy North had capacity for gpt-4o but not for text-embedding-ada-002. This terminated the entire provisioning, because both models could not be deployed due to a quota issue.
 
-   ![image showing region selection](../img/provisioning/azdprovision_select_location.png)
+    ![image showing model quota pre-provision fail](../img/provisioning/preprovision_fail.png)
 
-10. Next you will be prompted for values to enable additional features outside of the AI Foundry required features. They are false by default.
-    ![image of prompts](../img/provisioning/prompts.png)
-    **Be sure to remember the vm password and vm username. This will be used in a later step. Because we are using FDPO subscriptions, we do not have access to Entra to create the SSO to the jump box at this time. You are still required to log into Azure once you connect to the virtual machine.
+12. After completeing the required paramters that you were prompted for, and a successful model quota validation, the provisioning of resources will run and deploy the Network Isolated AI Foundry development portal and dependent resources in about 20 minutes.
 
-11. After completeing the required paramters that you were prompted for, the provisioning of resources will run and deploy the Network Isolated AI hub, project and dependent resources in about 20 minutes.
 
 # Post Deployment Steps:
 These steps will help to check that the isolated environment was set up correctly.

docs/local_environment_steps.md

@@ -7,16 +7,22 @@ git clone https://github.com/microsoft/Deploy-Your-AI-Application-In-Production.
 cd Deploy-Your-AI-Application-In-Production
 ```
 
-### Establish AZD Environment
+### Establish Environment
 
-This solution uses the [Azure Developer CLI](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/overview) to quickly provision and deploy infrastructure and applications to Azure.
+This solution uses the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/what-is-azure-cli?view=azure-cli-latest) and the [Azure Developer CLI](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/overview) to quickly provision and deploy infrastructure and applications to Azure.
 
 To get started, authenticate with an Azure Subscription ([details](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/reference#azd-auth-login)):
 
 ```powershell
 azd auth login
 ```
 
+Also authenticate with the Azure CLI ([details](https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest)):
+
+```powershell
+az login
+```
+
 Establish a new environment. Provide a name that represents the application domain:
 
 ```powershell

docs/post_deployment_steps.md

@@ -4,54 +4,54 @@ Follow these steps to check the creation of the required private endpoints in th
 
 One way to check if the access is private to the hub is to launch the AI Foundry hub from the portal. 
 
-![Image showing if network isolation is checked](img/provisioning/checkNetworkIsolation3.png)
+![Image showing if network isolation is checked](../img/provisioning/checkNetworkIsolation3.png)
 
 When a user that is not connected through the virtual network via an RDP approved connection will see the following screen in their browser. This is the intended behavior! 
 
-![Image showing the virtual machine in the browser](img/provisioning/checkNetworkIsolation4.png)
+![Image showing the virtual machine in the browser](../img/provisioning/checkNetworkIsolation4.png)
 
 A more thorough check is to look for the networking settings and checking for private endpoints.
 1. Go to the Azure Portal and select your Azure AI hub that was just created.
 
 2.	Click on Settings and then Networking.
 
-    ![Image showing the Azure Portal for AI Foundry Hub and the settings blade](img/provisioning/checkNetworkIsolation1.png)
+    ![Image showing the Azure Portal for AI Foundry Hub and the settings blade](../img/provisioning/checkNetworkIsolation1.png)
 
 3.	Open the Workspace managed outbound access tab.
 
-    ![Image showing the Azure Portal for AI Foundry Hub and the Workspace managed outbound access tab](img/provisioning/checkNetworkIsolation2.png)
+    ![Image showing the Azure Portal for AI Foundry Hub and the Workspace managed outbound access tab](../img/provisioning/checkNetworkIsolation2.png)
 
     Here, you will find the private endpoints that are connected to the resources within the hub managed virtual network. Ensure that these private endpoints are active.
     The hub should show that Public access is ‘disabled’.
 
 ## Connecting to the isolated network via RDP
 1.	Navigate to the resource group where the isolated AI Foundry was deployed to and select the virtual machine.
 
-    ![Image showing the Azure Portal for the virtual machine](img/provisioning/checkNetworkIsolation5.png)
+    ![Image showing the Azure Portal for the virtual machine](../img/provisioning/checkNetworkIsolation5.png)
 
 2.	Be sure that the Virtual Machine is running. If not, start the VM.
 
-    ![Image showing the Azure Portal VM and the start/stop button](img/provisioning/checkNetworkIsolation6.png)
+    ![Image showing the Azure Portal VM and the start/stop button](../img/provisioning/checkNetworkIsolation6.png)
 
 3.	Select “Bastion” under the ‘Connect’ heading in the VM resource.
 
-    ![Image showing the bastion blade selected](img/provisioning/checkNetworkIsolation7.png)
+    ![Image showing the bastion blade selected](../img/provisioning/checkNetworkIsolation7.png)
 
 4.	Supply the username and the password you created as environment variables and press the connect button.
 
-    ![Image showing the screen to enter the VM Admin info and the connect to bastion button](img/provisioning/checkNetworkIsolation8.png)
+    ![Image showing the screen to enter the VM Admin info and the connect to bastion button](../img/provisioning/checkNetworkIsolation8.png)
 
 5.	Your virtual machine will launch and you will see a different screen.
 
-    ![Image showing the opening of the Virtual machine in another browser tab](img/provisioning/checkNetworkIsolation9.png)
+    ![Image showing the opening of the Virtual machine in another browser tab](../img/provisioning/checkNetworkIsolation9.png)
 
 6.	Launch Edge browser and navigate to your AI Foundry Hub. https://ai.azure.com Sign in using your credentials.
 
 
 7.	You are challenged by MFA to connect.
 
-    ![Image showing the Multi Factor Authentication popup](img/provisioning/checkNetworkIsolation10.png)
+    ![Image showing the Multi Factor Authentication popup](../img/provisioning/checkNetworkIsolation10.png)
 
 8.	You will now be able to view the Foundry Hub which is contained in an isolated network.
 
-    ![Image showing the Azure Foundry AI Hub with a private bubble icon](img/provisioning/checkNetworkIsolation11.png)
+    ![Image showing the Azure Foundry AI Hub with a private bubble icon](../img/provisioning/checkNetworkIsolation11.png)