
asevillano/foundry-vnet-deploy


Azure AI Foundry VNet Deploy Skill

A coding-agent skill that deploys Azure AI Foundry with Agent Setup inside a private Virtual Network using the Bicep templates from 15-private-network-standard-agent-setup.

The skill drives the user through a guided interview, generates a .bicepparam file from the answers, and runs az deployment group create end-to-end.

Overview

This skill enables your coding agent to:

  • 🔒 Deploy Azure AI Foundry (Agents) in a private VNet with private endpoints and private DNS zones
  • 🧩 Reuse existing VNets, subnets, DNS zones, AI Search, Storage and CosmosDB — or create them from scratch
  • 🛠️ Auto-generate a main.bicepparam file tailored to the chosen scenario
  • 🚀 Execute the deployment with az deployment group create using a fixed timestamp for safe retries
  • 🔁 Provide an anti-duplication retry path when the Account Capability Host times out
  • 👥 Optionally assign hosted-agent developer RBAC (Managed Identity Operator + Network Contributor on the agent subnet)
  • 📈 Optionally provision Application Insights + Log Analytics and wire them into the project (required by hosted agents)

Usage

The skill works with Claude Code, GitHub Copilot in VS Code, and GitHub Copilot CLI.

GitHub Copilot in VS Code

This skill is auto-discovered by GitHub Copilot in VS Code from c:\Users\angels\.copilot\skills\foundry-vnet-deploy\SKILL.md.

In Copilot Chat (Agent mode), trigger it with a natural-language request, for example:

Deploy Azure AI Foundry in a private VNet using the foundry-vnet-deploy skill.
Scenario: new VNet in swedencentral.

Or:

Use the foundry-vnet-deploy skill. I have an existing VNet and existing
private DNS zones in another resource group; reuse them.

Copilot will read SKILL.md, run the interview, write the .bicepparam file, and execute az deployment group create in the integrated terminal.

Claude Code

Reference the skill in your prompt:

Run the foundry-vnet-deploy skill to deploy Foundry with Agents in a private VNet.

Claude will follow the same step-by-step workflow defined in SKILL.md.

GitHub Copilot CLI (optional alternative to Claude Code)

GitHub Copilot CLI is an alternative terminal-based agent that consumes the same skill format as Claude Code. Use it if you want to run the skill from a plain shell instead of VS Code.

1. Install GitHub Copilot CLI

Requires Node.js 22+ and an active GitHub Copilot subscription.

# Install globally with npm
npm install -g @github/copilot

# Verify the install
copilot --version

# First-time sign in (opens a browser for device-code auth)
copilot
# Then inside the prompt:
/login

On macOS/Linux you can alternatively use the official install script:

curl -fsSL https://github.com/github/copilot-cli/releases/latest/download/install.sh | sh

2. Install this skill for GitHub Copilot CLI

GitHub Copilot CLI auto-discovers skills from the user-level skills folder:

| OS | Skills folder |
| --- | --- |
| Windows | %USERPROFILE%\.copilot\skills\ |
| macOS / Linux | ~/.copilot/skills/ |

The folder must contain a subfolder per skill with at least a SKILL.md (and any companion files the skill needs — for this skill: main.bicep, main.bicepparam, modules-network-secured/).

If you cloned this repo, copy or symlink the skill folder:

# Windows — copy
Copy-Item -Recurse -Force `
  .\foundry-vnet-deploy `
  $env:USERPROFILE\.copilot\skills\foundry-vnet-deploy

# Windows — symlink (run as Administrator)
New-Item -ItemType SymbolicLink `
  -Path "$env:USERPROFILE\.copilot\skills\foundry-vnet-deploy" `
  -Target (Resolve-Path .\foundry-vnet-deploy)

# macOS / Linux — symlink
mkdir -p ~/.copilot/skills
ln -s "$(pwd)/foundry-vnet-deploy" ~/.copilot/skills/foundry-vnet-deploy

3. Run the skill

Start a Copilot CLI session from any directory and invoke the skill by name or with a natural-language request:

copilot

Then inside the session:

Use the foundry-vnet-deploy skill to deploy Azure AI Foundry in a private VNet.
Scenario: new VNet in swedencentral.

Copilot CLI will load SKILL.md, run the guided interview, generate the .bicepparam, and execute az deployment group create in your current shell.

Prerequisites

  • Azure CLI logged in (az login) with permissions to deploy at resource-group scope and create role assignments
  • Bicep CLI installed (az bicep version)
  • The skill folder contains the required templates: main.bicep, main.bicepparam, and modules-network-secured/

What the skill will ask you

The skill collects the following information through a guided interview. Defaults are provided where reasonable; you can accept them by pressing Enter.

1. Subscription & Resource Group

  • Subscription: keep the current one or provide a different subscriptionId
  • Resource Group: name; whether it exists or must be created; location if creating

2. Region (location)

One of the regions allowed by the template, e.g. swedencentral (recommended), westus, eastus2, francecentral, westeurope, uksouth, japaneast, australiaeast…

3. Foundry account & project naming

  • aiServices — prefix for the AI Services account (default foundry, a unique suffix is appended)
  • firstProjectName — project name (default project)
  • displayName — visible project name
  • projectDescription — free-text description
  • accountCapHost — name of the account-level capability host (default caphostacct)

4. Model deployment

  • modelName — e.g. gpt-4.1, gpt-4o, gpt-4o-mini, gpt-4.1-mini, gpt-4.1-nano
  • modelFormat — provider (default OpenAI)
  • modelVersion — depends on the model
  • modelSkuName — GlobalStandard (default), Standard or ProvisionedManaged
  • modelCapacity — TPM in thousands (default 30 = 30K TPM)

5. Virtual Network

Option A — New VNet

  • vnetName (default agent-vnet)
  • vnetAddressPrefix (default 192.168.0.0/16; also supports 10.x.x.x/16, 172.16.x.x/16)
  • agentSubnetPrefix and peSubnetPrefix (auto-calculated as the first two /24 blocks if left empty)
  • agentSubnetName (default agent-subnet) and peSubnetName (default pe-subnet)

Option B — Existing VNet

  • existingVnetResourceId — full ARM ID of the VNet
  • agentSubnetName and peSubnetName — created if missing
  • agentSubnetPrefix and peSubnetPrefix — required if the subnets do not yet exist (must not overlap with existing subnets)
  • The agent subnet must allow delegation to Microsoft.App/environments
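
An added example, not part of the skill or its templates: a Python preflight that reproduces the "first two /24 blocks" default and checks a planned pair of subnet prefixes against the VNet range and its existing subnets. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress

def default_subnets(vnet_prefix):
    """First two /24 blocks of the VNet range: (agent subnet, PE subnet)."""
    vnet = ipaddress.ip_network(vnet_prefix, strict=True)
    if vnet.prefixlen > 23:
        raise ValueError(f"{vnet} is too small to hold two /24 subnets")
    blocks = vnet.subnets(new_prefix=24)
    return next(blocks), next(blocks)

def check_subnet_plan(vnet_prefix, agent_prefix, pe_prefix, existing=()):
    """Return a list of problems; an empty list means the plan is usable."""
    vnet = ipaddress.ip_network(vnet_prefix, strict=True)
    problems, planned = [], {}
    for name, prefix in (("agentSubnetPrefix", agent_prefix),
                         ("peSubnetPrefix", pe_prefix)):
        try:
            # strict=True rejects typos such as 10.20.0.5/24 (host bits set)
            planned[name] = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    for name, net in planned.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside VNet {vnet}")
        for other in existing:
            if net.overlaps(ipaddress.ip_network(other)):
                problems.append(f"{name} {net} overlaps existing subnet {other}")
    if len(planned) == 2 and \
            planned["agentSubnetPrefix"].overlaps(planned["peSubnetPrefix"]):
        problems.append("agentSubnetPrefix and peSubnetPrefix overlap each other")
    return problems

if __name__ == "__main__":
    # Constructed sample: an existing VNet that already holds two subnets,
    # so the "first two /24" default collides with one of them.
    agent, pe = default_subnets("10.20.0.0/16")
    for problem in check_subnet_plan("10.20.0.0/16", str(agent), str(pe),
                                     existing=["10.20.0.0/24", "10.20.8.0/22"]):
        print(problem)
```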

6. Existing resources to reuse (optional)

For each of the following, you can supply a full ARM resource ID to reuse it, or skip to have it created:

  • aiSearchResourceId
  • azureStorageAccountResourceId
  • azureCosmosDBAccountResourceId

7. Private DNS zones (optional)

You can reuse existing private DNS zones (in the same or a different subscription) or have all six created automatically:

  • privatelink.services.ai.azure.com
  • privatelink.openai.azure.com
  • privatelink.cognitiveservices.azure.com
  • privatelink.search.windows.net
  • privatelink.blob.core.windows.net
  • privatelink.documents.azure.com

If reusing, the skill asks for dnsZonesSubscriptionId and the resource group of each zone.

8. Hosted-agent developer RBAC (optional, recommended)

Users / groups / service principals that will create hosted agents on this Foundry need:

  • Managed Identity Operator on the Foundry account
  • Network Contributor on the agent subnet

The skill asks for:

  • agentDeveloperPrincipalIds — list of AAD object IDs (get yours with az ad signed-in-user show --query id -o tsv)
  • agentDeveloperPrincipalType — User (default), Group, or ServicePrincipal

9. Application Insights + Log Analytics (recommended)

Required by the hosted agent permissions doc for traces, logs, metrics and evaluations. Auto-named unless you provide:

  • logAnalyticsWorkspaceName
  • appInsightsName

What gets deployed

| Component | Notes |
| --- | --- |
| Virtual Network | New or existing; agent subnet delegated to Container Apps |
| AI Services (Foundry) account | SKU S0, public access disabled, network injection |
| AI Foundry project | System-assigned MI, capability host Agents, project connections |
| AI Search | Standard SKU, public access disabled (if created) |
| Storage Account | StorageV2, ZRS, public + shared key disabled (if created) |
| CosmosDB (SQL) | Public + local auth disabled (if created) |
| Private endpoints | AI Services, AI Search, Storage (blob), CosmosDB (SQL) |
| Private DNS zones | 6 zones, new or reused |
| Account & Project Capability Hosts | Replace the manual createCapHost.sh step |
| Role assignments | Project SMI gets the data-plane roles needed for agents |
| App Insights + Log Analytics | Optional, wired as appinsights connection on the project |

Deployment behavior

  • The skill generates a descriptive file name (e.g. deploy-{resourceGroup}.bicepparam) so the original main.bicepparam is not overwritten.
  • A fixed timestamp (deploymentTimestamp) is generated and reused on retries. The Bicep uses uniqueString(resourceGroup().id + deploymentTimestamp) to derive the unique suffix for all resource names — changing the timestamp creates duplicate resources.
  • The deployment typically takes 45–90 minutes; the Account Capability Host (network injection / Container Apps Environment) is the slowest step.
  • A built-in retry path handles the case where ARM reports a timeout but the Account Capability Host actually completed in the background.
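
An added example, not the skill's own code: one way to pin deploymentTimestamp so that a retry cannot mint a new value and change every derived resource name. The state-file approach, the function names, the yyyyMMddHHmmss format and setting the value through the .bicepparam file are assumptions made for illustration.

```python
import os
import re
from datetime import datetime, timezone

# Assumed format (not stated on the page): UTC, yyyyMMddHHmmss.
STAMP_RE = re.compile(r"^\d{14}$")

def deployment_timestamp(state_path):
    """Return the timestamp pinned in state_path, creating it on first use only."""
    try:
        # O_EXCL: creation fails if the file exists, so two concurrent runs
        # cannot both mint a timestamp for the same resource group.
        fd = os.open(state_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(state_path, encoding="ascii") as fh:
            stamp = fh.read().strip()
        if not STAMP_RE.match(stamp):
            # Fail closed: a fresh value here would rename every resource.
            raise ValueError(f"{state_path} is corrupt; restore it, do not regenerate")
        return stamp
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(stamp + "\n")
    return stamp

def pin_in_bicepparam(param_text, stamp):
    """Set `param deploymentTimestamp` in .bicepparam text, replacing any old line."""
    line = f"param deploymentTimestamp = '{stamp}'"
    pattern = re.compile(r"^param\s+deploymentTimestamp\s*=.*$", re.MULTILINE)
    if pattern.search(param_text):
        return pattern.sub(line, param_text)
    return param_text.rstrip("\n") + "\n" + line + "\n"

if __name__ == "__main__":
    # Constructed sample: hypothetical state file kept beside the params file.
    stamp = deployment_timestamp("deploy-rg-demo.timestamp")
    print(pin_in_bicepparam("using './main.bicep'\n", stamp))
```

Keep the state file with the generated .bicepparam for the lifetime of the deployment; deleting it before a retry has the same effect as changing the timestamp.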

About

This Skill deploys Azure AI Foundry with Agent Setup in a private VNet. Generates the .bicepparam file and runs the deployment with az deployment group create. Supports new or existing VNets, existing resources (CosmosDB, Storage, AI Search) and existing private DNS zones.
