TL;DR
- Azure Foundry Blueprints — Open source IaC for the new Microsoft Foundry experience
- Terraform + Bicep — Both flavors deploy identical architectures
- New architecture — Uses Microsoft.CognitiveServices/accounts with allowProjectManagement: true
- Private by default — VNet, NSGs, 4 private endpoints, 12 DNS zones
- ~15 minutes — From clone to working Foundry portal
- For learning — Use Azure Verified Modules + AI Landing Zones for production
If you've tried to deploy Microsoft Foundry recently, you've probably noticed something: the official templates use the old Azure ML workspace model. The portal creates something different—the new Cognitive Services-based architecture that unlocks the actual Foundry experience.
We got tired of the disconnect, so we built what we needed and open-sourced it.
→ Azure Foundry Blueprints on GitHub
Why We Built This
Microsoft introduced a new Foundry experience that moves away from the classic Azure Machine Learning workspace model. The difference matters:
| Classic (Old) | New Foundry |
|---|---|
| Microsoft.MachineLearningServices/workspaces (kind: Hub) | Microsoft.CognitiveServices/accounts (kind: AIServices) |
| Microsoft.MachineLearningServices/workspaces (kind: Project) | Microsoft.CognitiveServices/accounts/projects |
| Requires Key Vault, Storage, App Insights linked | Standalone — no required linked resources |
| Classic AI Studio portal | New Foundry portal with agents, evaluations, AI apps |
The key enabler is allowProjectManagement: true. This single property unlocks the modern Foundry portal where you can build AI agents, run evaluations, create AI applications, and manage projects as first-class citizens.
Problem: Most IaC templates out there still deploy the old architecture. The new properties aren't even in the AzureRM or Bicep type schemas yet.
Solution: We use the AzAPI provider in Terraform and direct ARM properties in Bicep to deploy exactly what the Azure portal creates.
What Gets Deployed
The blueprint deploys a complete, production-patterned environment in about 15 minutes:
| Resource | Purpose |
|---|---|
| Resource Group | Container for all resources |
| Virtual Network | 4 segmented subnets (/16) |
| Network Security Groups | Default-deny microsegmentation |
| Log Analytics Workspace | Centralized logging |
| Application Insights | Foundry telemetry |
| User-Assigned Managed Identity | Least-privilege identity |
| Key Vault | Secrets, RBAC-authorized |
| Storage Account | Foundry workspace storage |
| Microsoft Foundry | AI Services account (allowProjectManagement: true) |
| Foundry Project | Team/workload isolation boundary |
| 12 Private DNS Zones | Private endpoint name resolution |
| 4 Private Endpoints | Key Vault, Blob, File, Foundry |
This isn't a minimal "hello world" deployment. It's enterprise patterns preserved for a dev environment—so when you're ready to move to production, the architecture concepts transfer directly.
Quick Start
Prerequisites: Azure CLI ≥ 2.50, Terraform ≥ 1.5 (or Bicep CLI ≥ 0.28), and Owner or Contributor + User Access Administrator on your subscription.
Deploy with Terraform
```bash
git clone https://github.com/codetocloudorg/azure-foundry-blueprints.git
cd azure-foundry-blueprints/terraform/dev
terraform init
terraform plan -var-file="dev.tfvars"
terraform apply -var-file="dev.tfvars"
```
Deploy with Bicep
```bash
git clone https://github.com/codetocloudorg/azure-foundry-blueprints.git
cd azure-foundry-blueprints/bicep/dev
az deployment sub create \
  --location eastus2 \
  --template-file main.bicep \
  --parameters main.bicepparam
```
Both paths get you to the same architecture. Pick the IaC tool your team already uses.
Design Principles
We built these blueprints around six principles that we apply to all our platform engineering work:
- Private networking first — All PaaS services accessed via private endpoints. No public internet exposure.
- Secure by default — RBAC authorization, managed identities, encryption enabled from the start.
- Observable — Log Analytics + Application Insights deployed before the workloads that depend on them.
- Modular — Single-responsibility modules, reusable across environments. Compose what you need.
- Terraform/Bicep parity — Both flavors deploy identical architectures. No surprises when switching tools.
- Enterprise patterns — Layered architecture preserved even for dev. Learning on realistic infrastructure makes production easier.
For a deeper dive into enterprise AI patterns, see our article on Azure AI Landing Zones and the Cloud Adoption Framework.
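To confirm that a deployed account actually has the new architecture and the private-by-default posture described above, its ARM resource JSON can be audited. This is an added example, not code from the blueprint repo: the sample JSON is constructed, and the `disableLocalAuth` check is an assumption about what "secure by default" covers rather than a setting the post confirms.

```python
import json

# Constructed sample shaped like `az resource show --ids <account-id>` output.
# The values are made up for illustration; they are not taken from the repo.
SAMPLE_ACCOUNT = json.loads("""
{
  "type": "Microsoft.CognitiveServices/accounts",
  "kind": "AIServices",
  "properties": {
    "allowProjectManagement": true,
    "publicNetworkAccess": "Disabled",
    "disableLocalAuth": true,
    "privateEndpointConnections": [
      {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
    ]
  }
}
""")


def audit_foundry_account(resource: dict) -> list:
    """Return findings where the account drifts from the posture the post describes."""
    findings = []
    props = resource.get("properties") or {}
    if resource.get("type", "").lower() != "microsoft.cognitiveservices/accounts":
        findings.append("not a Cognitive Services account (classic workspace model?)")
    if resource.get("kind") != "AIServices":
        findings.append("kind is not AIServices")
    # Must be the JSON boolean true; a missing key or the string "true" is drift.
    if props.get("allowProjectManagement") is not True:
        findings.append("allowProjectManagement is not true")
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess is not Disabled")
    # Assumption: key-based auth is turned off in favour of managed identity + RBAC.
    if props.get("disableLocalAuth") is not True:
        findings.append("local (API key) auth is still enabled")
    states = [
        ((c.get("properties") or {}).get("privateLinkServiceConnectionState") or {}).get("status")
        for c in props.get("privateEndpointConnections") or []
    ]
    if "Approved" not in states:
        findings.append("no approved private endpoint connection")
    return findings


if __name__ == "__main__":
    for finding in audit_foundry_account(SAMPLE_ACCOUNT) or ["OK: matches the described posture"]:
        print(finding)
```

An empty list means the account matches; feeding it a classic `Microsoft.MachineLearningServices/workspaces` resource reports every check as a finding.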
When to Use This (And When Not To)
This is an important distinction. We built these blueprints for specific use cases:
| Use Case | Recommendation |
|---|---|
| Learning the new Foundry experience | ✅ Use this repo |
| Dev/sandbox environment for AI experimentation | ✅ Use this repo |
| Platform engineering reference implementation | ✅ Use this repo |
| Production AI workloads | ❌ Use Azure AI Landing Zone |
| Enterprise-grade, supported modules | ❌ Use Azure Verified Modules |
| Compliance-ready deployments | ❌ Use AVM + ALZ |
For production workloads, Microsoft's official resources are the right choice:
- Azure AI Landing Zone — Enterprise reference architecture for AI workloads
- Azure Verified Modules — Production-ready, Microsoft-supported Terraform/Bicep modules
- Azure Landing Zones — Enterprise-scale foundation for Azure
Our blueprints are for getting hands-on fast—understanding the new architecture, experimenting with Foundry capabilities, and building reference implementations your team can learn from.
What's Next After Deployment
Once deployed, navigate to ai.azure.com and select your project. From there you can:
- Build AI agents — Use the agent builder to create conversational AI
- Run evaluations — Test and benchmark your models
- Deploy models — Deploy OpenAI or custom models to your Foundry resource
- Connect from code — Use the endpoint URL from the deployment outputs
```bash
# Get the Foundry endpoint (Terraform)
terraform output foundry_endpoint

# Get the Foundry endpoint (Bicep)
az deployment sub show --name <deployment-name> --query properties.outputs.foundryEndpoint.value
```
Contributing
This is an open source project and contributions are welcome. The repo includes GitHub Actions CI/CD workflows that validate both Terraform and Bicep on every PR.
- 🐛 Found a bug? Open an issue
- 💡 Have an idea? Start a discussion
- 📖 Questions? Check the docs or join our Discord community
Wrapping Up
The new Microsoft Foundry experience is genuinely better than the old AI Studio model. But the IaC ecosystem hasn't caught up yet. These blueprints bridge that gap so you can learn and experiment with the real architecture, not the deprecated one.
→ Clone it, deploy it, break it, learn from it
Questions about deploying Foundry or designing your AI platform architecture? Join us on Discord or book a call below.
— Kevin Evans