Platform Access Requirement Request
How to Use This Template
This template is used to formally request the provisioning of Azure resources, user accounts, identity configurations, code repositories, CI/CD pipelines, and network access required to deploy and operate a platform as described in the Platform Architecture Document (PAD). This template should be completed by the calab.ai Solution Lead in collaboration with the client’s IT, Security, and Infrastructure teams. It serves as the single request artefact that captures all access and provisioning requirements across environments, and tracks their fulfilment status.
- Replace all `[bracketed placeholders]` with project-specific content.
- Remove or replace guidance text (blockquote format, lines starting with `>`) once the section is populated.
- Each request item includes a Status column to track provisioning progress. Use: `Not Started`, `Requested`, `In Progress`, `Completed`, `Blocked`.
- Cross-reference the PROJECT CODE – AI PLATFORM CODE – PAD for the full platform architecture, resource specifications, and network topology that these access requirements support.
- Submit this completed template to the client’s IT service management process (e.g. ServiceNow, Jira) as individual work items or as a consolidated request package, per the client’s preference.
- This template assumes two environments (DEV, UAT). Add or remove environment columns as required by the project’s environment strategy.
Document Metadata
| Field | Detail |
|---|---|
| Initiative code | [PROJECT CODE] |
| Platform title | [Platform Name] |
| Document type | Platform Access Requirement Request |
| PAD reference | PROJECT CODE – AI PLATFORM CODE – PAD |
| Status | [Draft / Submitted / In Progress / Complete] |
| Prepared by | [Author Name(s)] — calab.ai |
| Client IT contact | [Client IT Contact Name(s)] |
| Date submitted | [DD/MM/YYYY] |
| Target completion date | [DD/MM/YYYY] |
Document Version Control
| Date | Version | Change Description | Author |
|---|---|---|---|
| DD/MM/YYYY | 0.1 | Initial draft created | [Author Name] |
1 Request Summary
This document requests the provisioning of all access, accounts, and infrastructure prerequisites required to deploy the [Platform Name] within the [Client] Azure environment. The platform architecture is defined in the PROJECT CODE – AI PLATFORM CODE – PAD.
1.1 Environment Overview
| Environment | Resource Group Name | Purpose | Azure Region |
|---|---|---|---|
| DEV | [Platform Code]-DEV | Development and iterative testing | [Azure Region, e.g. Australia East] |
| UAT | [Platform Code]-UAT | User acceptance testing and validation | [Azure Region, e.g. Australia East] |
[If additional environments are required (e.g. PRD), add rows to this table and add corresponding columns to the request tables throughout this document.]
1.2 Request Fulfilment Tracking
| # | Category | Total Items | Completed | Blocked | Status |
|---|---|---|---|---|---|
| 1 | 2 Azure Subscription and Resource Groups | | | | Not Started |
| 2 | 3 User Account Provisioning | | | | Not Started |
| 3 | 4 Azure Portal Access — RBAC Role Assignments | | | | Not Started |
| 4 | 5 App Registration and Service Principal | | | | Not Started |
| 5 | 6 Code Repository Access | | | | Not Started |
| 6 | 7 Code Pipeline Access | | | | Not Started |
| 7 | 8 Networking and Firewall | | | | Not Started |
| 8 | 9 DNS Configuration | | | | Not Started |
| 9 | 10 Azure AD Security Groups | | | | Not Started |
| 10 | 11 SSL and TLS Certificates | | | | Not Started |
| 11 | 12 Service Quotas and Resource Provider Registration | | | | Not Started |
| 12 | 13 Monitoring and Cost Management | | | | Not Started |
| 13 | 14 Remote Access Configuration | | | | Not Started |
1.3 Provisioning Process Overview
The following diagram illustrates the end-to-end provisioning process. Steps shown with double vertical borders (subprocess nodes) represent larger workflows that may require additional diagrams to explain in detail.
```mermaid
---
title: "Platform Access Provisioning — End-to-End Process"
---
flowchart TB
    S1["Azure & DevOps<br>Foundations<br> (2, 6, 7)"]
    S2["User Account<br>Provisioning<br>(3)"]
    S3[["Identity &<br>Access Setup<br> (4, 5, 10)"]]
    S4[["Provisioning<br>(12, 13)"]]
    S5[["Networking &<br>Security Hardening<br>(8, 9, 11, 14)"]]
    S1 --> S3
    S2 --> S3
    S3 --> S4 --> S5
    %% ── Styling ──
    classDef step fill:#dbeafe,stroke:#2563eb,stroke-width:2px,color:#1e3a5f
    classDef subprocess fill:#ede9fe,stroke:#7c3aed,stroke-width:2px,color:#3b0764
    class S1,S2 step
    class S3,S4,S5 subprocess
```
2 Azure Subscription and Resource Groups
2.1 Subscription Access
[Request access to the Azure Subscription that will host the platform resources. This is typically an existing subscription managed by the client’s Cloud Platform team. The calab.ai deployment team requires sufficient access to provision and manage resources within this subscription.]
| Request Item | Detail | Status | Notes |
|---|---|---|---|
| Azure Subscription Name | [Platform Name] | ||
| Subscription ID | [To be provided by Client] | ||
| Azure Region | [e.g. Australia East] | ||
| Subscription-level Reader access for calab.ai team | Required for deployment validation and troubleshooting | | |
2.2 Resource Group Provisioning
[Request the creation of environment-specific Resource Groups. All platform resources are deployed within these Resource Groups. Naming should follow [Client]‘s Azure naming conventions.]
| Resource Group | Naming Convention | Environment | Purpose | Status | Notes |
|---|---|---|---|---|---|
| [Platform Code]-DEV | [Client naming convention] | DEV | Development and iterative testing | ||
| [Platform Code]-UAT | [Client naming convention] | UAT | User acceptance testing and validation | | |
Resource Group Tags
[Specify the tags to be applied to each Resource Group per [Client]‘s tagging policy. Common tags are listed below — adjust based on client requirements.]
| Tag Key | DEV Value | UAT Value |
|---|---|---|
| Environment | Development | UAT |
| Project | [PROJECT CODE] | [PROJECT CODE] |
| CostCentre | [Cost Centre Code] | [Cost Centre Code] |
| Owner | [Business Owner] | [Business Owner] |
| ManagedBy | calab.ai | calab.ai |
| Application | [Platform Name] | [Platform Name] |
3 User Account Provisioning
[Request Azure AD (Entra ID) user accounts or guest access for all calab.ai team members who require access to the client’s Azure environment. Include both portal access and application-level access requirements.]
| # | Full Name | Email | Account Type | MFA Required | Purpose | Status | Notes |
|---|---|---|---|---|---|---|---|
| 1 | [Name] | [email] | Guest (B2B) / Member | Yes | Solution Lead — deployment, architecture, troubleshooting | | |
| 2 | [Name] | [email] | Guest (B2B) / Member | Yes | Platform Engineer — IaC development, deployment, configuration | | |
| 3 | [Name] | [email] | Guest (B2B) / Member | Yes | Platform Engineer — application development, testing | | |
| [#] | [Name] | [email] | [Type] | Yes | [Purpose] | | |
[Guest (B2B) accounts are typically used for external vendor staff. Some clients require full Member accounts provisioned in their Azure AD tenant. Confirm with the client’s Identity team which approach is required.]
4 Azure Portal Access — RBAC Role Assignments
[Request Azure Role-Based Access Control (RBAC) assignments at the Resource Group level. The Owner role is required on both Resource Groups for the calab.ai deployment principal and key team members to provision and manage platform resources. Additional role assignments support day-to-day operations.]
[Refer to PROJECT CODE – AI PLATFORM CODE – PAD for the full RBAC matrix that applies once the platform is operational.]
4.1 Resource Group Owner Assignments
| # | Principal | Principal Type | Role | Scope (DEV) | Scope (UAT) | Purpose | Status |
|---|---|---|---|---|---|---|---|
| 1 | [calab.ai Solution Lead] | User | Owner | [Platform Code]-DEV | [Platform Code]-UAT | Full resource provisioning and management | |
| 2 | [calab.ai Platform Engineer] | User | Owner | [Platform Code]-DEV | [Platform Code]-UAT | Infrastructure deployment and configuration | |
| 3 | [Client IT Rep — Infrastructure] | User | Owner | [Platform Code]-DEV | [Platform Code]-UAT | Client-side resource management and oversight | |
| 4 | [Deployment Service Principal] | Service Principal | Owner | [Platform Code]-DEV | [Platform Code]-UAT | Automated IaC provisioning (see 5 App Registration and Service Principal) | |
4.2 Additional RBAC Assignments
[Request additional role assignments for team members who require more granular access. These roles support development, testing, and operational activities.]
| # | Principal | Principal Type | Role | DEV | UAT | Purpose | Status |
|---|---|---|---|---|---|---|---|
| 1 | [calab.ai team members] | User | Contributor | Yes | Yes | Resource configuration and deployment | |
| 2 | [Client IT Rep — Security] | User | Reader | Yes | Yes | Security review and audit | |
| 3 | [Client IT Rep — Architecture] | User | Reader | Yes | Yes | Architecture review | |
| 4 | [Client Business Sponsor] | User | Reader | No | Yes | UAT environment review | |
| 5 | [Deployment Service Principal] | Service Principal | Key Vault Secrets Officer | Yes | Yes | Secret management during provisioning | |
| 6 | [Deployment Service Principal] | Service Principal | Storage Blob Data Contributor | Yes | Yes | Storage configuration during provisioning | |
| 7 | [Deployment Service Principal] | Service Principal | Cognitive Services Contributor | Yes | Yes | AI service provisioning and configuration | |
| [#] | [Principal] | [Type] | [Role] | [Yes / No] | [Yes / No] | [Purpose] | |
5 App Registration and Service Principal
[Request the creation of an Azure AD App Registration and associated Service Principal. This identity is used by CI/CD pipelines (GitHub Actions) to authenticate to Azure and execute infrastructure deployments via Deployment Stacks. The Service Principal requires Subscription-level access to create and manage Deployment Stacks, and Resource Group-level Owner access to provision resources within each environment.]
[Federated credentials (OIDC) are the preferred authentication method — no client secrets are stored in CI/CD pipelines. See PROJECT CODE – AI PLATFORM CODE – PAD for the full deployment model.]
5.1 App Registration
| Request Item | Detail | Status | Notes |
|---|---|---|---|
| App Registration Name | [Platform Code]-deployment-principal | | Naming per [Client] convention |
| Application (Client) ID | [To be provided after creation] | | |
| Object ID | [To be provided after creation] | | |
| Managed in | Azure AD (Entra ID) | | |
| Client Secret required | No — federated credentials (OIDC) preferred | | See 5.3 Federated Credentials |
| Multi-tenant | No — single tenant | | |
| API Permissions | None required (uses RBAC role assignments) | | |
5.2 Service Principal Role Assignments
| # | Role | Scope | Scope Detail | Purpose | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | Deployment Stack Owner | Subscription | [Subscription Name / ID] | Create and manage Deployment Stacks at Subscription level, enabling IaC provisioning of Resource Groups and resources | | Custom role or built-in Azure Deployment Stack Owner |
| 2 | Owner | Resource Group | [Platform Code]-DEV | Full resource provisioning within DEV Resource Group | | |
| 3 | Owner | Resource Group | [Platform Code]-UAT | Full resource provisioning within UAT Resource Group | | |
| 4 | Contributor | Subscription | [Subscription Name / ID] | Register resource providers and manage subscription-level resources if Deployment Stack Owner is insufficient | | May be required depending on [Client] policy |
[The Deployment Stack Owner role at Subscription level is required because Azure Deployment Stacks are created at the Subscription scope to manage resources across Resource Groups. This role grants permissions to create, update, and delete Deployment Stacks and their managed resources. If [Client] does not permit Subscription-level role assignments, discuss alternative deployment approaches with the IT team.]
5.3 Federated Credentials (OIDC)
[Request the configuration of federated credentials on the App Registration to enable GitHub Actions to authenticate to Azure without stored secrets. Each federated credential maps a specific GitHub repository, branch, or environment to the App Registration.]
| # | Credential Name | Issuer | Subject Identifier | Audience | Purpose | Status |
|---|---|---|---|---|---|---|
| 1 | [Platform Code]-github-main | https://token.actions.githubusercontent.com | repo:[GitHub Org]/[Infra Repo]:ref:refs/heads/main | api://AzureADTokenExchange | Main branch deployments | |
| 2 | [Platform Code]-github-develop | https://token.actions.githubusercontent.com | repo:[GitHub Org]/[Infra Repo]:ref:refs/heads/develop | api://AzureADTokenExchange | Develop branch deployments | |
| 3 | [Platform Code]-github-env-dev | https://token.actions.githubusercontent.com | repo:[GitHub Org]/[Infra Repo]:environment:dev | api://AzureADTokenExchange | DEV environment deployments | |
| 4 | [Platform Code]-github-env-uat | https://token.actions.githubusercontent.com | repo:[GitHub Org]/[Infra Repo]:environment:uat | api://AzureADTokenExchange | UAT environment deployments | |
| [#] | [Name] | [Issuer] | [Subject] | [Audience] | [Purpose] | |
[The Subject Identifier must exactly match the GitHub Actions workflow context. Common patterns:]
- Branch: `repo:{org}/{repo}:ref:refs/heads/{branch}`
- Environment: `repo:{org}/{repo}:environment:{environment-name}`
- Tag: `repo:{org}/{repo}:ref:refs/tags/{tag-pattern}`
- Pull Request: `repo:{org}/{repo}:pull_request`
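The subject patterns above can be applied directly with the Azure CLI. The script below is an added example (not calab.ai's or the PAD's own tooling) that builds the four subject identifiers from the 5.3 table, rejects over-broad or incomplete subjects, and registers each one as a federated credential on the deployment App Registration. The GitHub organisation, repository name and Application (Client) ID are assumed placeholders; it only prints the `az` commands unless `DRY_RUN=0`.

```shell
#!/usr/bin/env sh
# Added example (not part of the template): create the 5.3 federated credentials
# on the deployment App Registration with the Azure CLI.
# Assumed placeholders: GH_ORG, INFRA_REPO, PLATFORM_CODE, APP_ID (none come from the page).
set -eu

ISSUER="https://token.actions.githubusercontent.com"   # issuer from the 5.3 table
AUDIENCE="api://AzureADTokenExchange"                   # audience from the 5.3 table

# Build a subject identifier following the patterns listed in 5.3.
# Usage: oidc_subject <branch|environment|tag|pull_request> <org> <repo> [value]
oidc_subject() {
  kind="$1"; org="$2"; repo="$3"; value="${4:-}"
  case "$kind" in
    branch)       printf 'repo:%s/%s:ref:refs/heads/%s' "$org" "$repo" "$value" ;;
    environment)  printf 'repo:%s/%s:environment:%s' "$org" "$repo" "$value" ;;
    tag)          printf 'repo:%s/%s:ref:refs/tags/%s' "$org" "$repo" "$value" ;;
    pull_request) printf 'repo:%s/%s:pull_request' "$org" "$repo" ;;
    *) echo "unknown subject kind: $kind" >&2; return 1 ;;
  esac
}

# Emit the JSON body for `az ad app federated-credential create --parameters`.
# Usage: fed_cred_params <credential name> <subject> <description>
fed_cred_params() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"],"description":"%s"}' \
    "$1" "$ISSUER" "$2" "$AUDIENCE" "$3"
}

# Entra compares the token's subject claim against this string exactly, so a
# wildcard never matches and a missing branch/environment value is a mistake.
check_subject() {
  case "$1" in
    *'*'*|*'?'*) return 1 ;;
    *:ref:refs/heads/|*:environment:|*:ref:refs/tags/) return 1 ;;
  esac
  return 0
}

# Create one credential. With DRY_RUN=1 (default) the az command is printed, not run.
# Usage: create_fed_cred <app id> <credential name> <subject> <description>
create_fed_cred() {
  app_id="$1"; name="$2"; subject="$3"; desc="$4"
  check_subject "$subject" || { echo "refusing over-broad subject: $subject" >&2; return 1; }
  params=$(fed_cred_params "$name" "$subject" "$desc")
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "az ad app federated-credential create --id $app_id --parameters '$params'"
  else
    az ad app federated-credential create --id "$app_id" --parameters "$params"
  fi
}

# Rows 1-4 of the 5.3 table. All values below are assumed placeholders.
main() {
  PLATFORM_CODE="${PLATFORM_CODE:-platform}"
  GH_ORG="${GH_ORG:-example-org}"
  INFRA_REPO="${INFRA_REPO:-${PLATFORM_CODE}-infra}"
  APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder client ID

  create_fed_cred "$APP_ID" "${PLATFORM_CODE}-github-main" \
    "$(oidc_subject branch "$GH_ORG" "$INFRA_REPO" main)" "Main branch deployments"
  create_fed_cred "$APP_ID" "${PLATFORM_CODE}-github-develop" \
    "$(oidc_subject branch "$GH_ORG" "$INFRA_REPO" develop)" "Develop branch deployments"
  create_fed_cred "$APP_ID" "${PLATFORM_CODE}-github-env-dev" \
    "$(oidc_subject environment "$GH_ORG" "$INFRA_REPO" dev)" "DEV environment deployments"
  create_fed_cred "$APP_ID" "${PLATFORM_CODE}-github-env-uat" \
    "$(oidc_subject environment "$GH_ORG" "$INFRA_REPO" uat)" "UAT environment deployments"
}

# Run the provisioning only when asked, so the functions can also be sourced.
if [ "${RUN_MAIN:-0}" = "1" ]; then
  main
fi
```

Run with `RUN_MAIN=1 DRY_RUN=1 sh script.sh` to review the commands before `DRY_RUN=0` executes them against the tenant.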
6 Code Repository Access
[Request access to the code repositories that host the platform infrastructure code (IaC), application source code, and CI/CD pipeline definitions. This is typically a GitHub organisation managed by calab.ai or a client-managed GitHub / Azure DevOps organisation.]
6.1 Repository Provisioning
| # | Repository Name | Platform | Purpose | Visibility | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | [Platform Code]-infra | GitHub | Infrastructure-as-Code (Bicep templates), CI/CD pipeline definitions, environment configurations | Private | | Hosts azd project structure |
| 2 | [Platform Code]-app | GitHub | Application source code (Chat Web App, Admin Web App, Function App Backend) | Private | | Dockerfile, application code, tests |
| [#] | [Repo Name] | [Platform] | [Purpose] | [Visibility] | | |
[If the client requires repositories to be hosted in their own GitHub Organisation or Azure DevOps instance, note that here and adjust access requests accordingly.]
6.2 Repository Access — Team Members
| # | Name / Team | Repository | Access Level | Purpose | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | [calab.ai Solution Lead] | [Platform Code]-infra | Admin | Repository administration, branch protection, environment configuration | ||
| 2 | [calab.ai Solution Lead] | [Platform Code]-app | Admin | Repository administration, branch protection | ||
| 3 | [calab.ai Platform Engineers] | [Platform Code]-infra | Write | IaC development, PR creation, code review | ||
| 4 | [calab.ai Platform Engineers] | [Platform Code]-app | Write | Application development, PR creation, code review | ||
| 5 | [Client IT Rep(s)] | [Platform Code]-infra | Read | Code review, audit, architecture review | ||
| 6 | [Client IT Rep(s)] | [Platform Code]-app | Read | Code review, audit | ||
| [#] | [Name / Team] | [Repo] | [Access Level] | [Purpose] | | |
6.3 Repository Branch Protection
[Request the following branch protection rules on the main and develop branches. Adjust based on project requirements.]
| Branch | Protection Rule | Detail |
|---|---|---|
| main | Require pull request reviews | Minimum 1 approving review |
| main | Require status checks to pass | CI build and lint checks |
| main | Restrict who can push | Restrict to Admin users only |
| develop | Require pull request reviews | Minimum 1 approving review |
| develop | Require status checks to pass | CI build and lint checks |
7 Code Pipeline Access
[Request access and configuration for CI/CD pipelines that automate infrastructure provisioning and application deployment. The platform uses GitHub Actions for pipeline execution.]
7.1 GitHub Actions Configuration
| Request Item | Detail | Status | Notes |
|---|---|---|---|
| GitHub Actions enabled | Enable GitHub Actions on all platform repositories | ||
| GitHub-hosted runners | Standard GitHub-hosted runners (ubuntu-latest) | | If [Client] requires self-hosted runners, specify here |
| Self-hosted runners | [If required — specify runner group, labels, and hosting location] | | Required if [Client] network policies prevent GitHub-hosted runners from accessing Azure resources |
7.2 GitHub Environments
[GitHub Environments provide deployment protection rules and environment-specific secrets. Each environment maps to an Azure Resource Group.]
| # | Environment Name | Repository | Protection Rules | Reviewers | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | dev | [Platform Code]-infra | None (auto-deploy) | N/A | | Deploys to [Platform Code]-DEV |
| 2 | uat | [Platform Code]-infra | Required reviewers | [Reviewer Name(s)] | | Deploys to [Platform Code]-UAT |
| 3 | dev | [Platform Code]-app | None (auto-deploy) | N/A | | Deploys to [Platform Code]-DEV |
| 4 | uat | [Platform Code]-app | Required reviewers | [Reviewer Name(s)] | | Deploys to [Platform Code]-UAT |
7.3 Pipeline Secrets and Variables
[Configure the following secrets and variables in each GitHub Environment. Secrets are encrypted and not visible after creation. Variables are plaintext configuration values.]
| # | Name | Type | DEV Value | UAT Value | Purpose | Status |
|---|---|---|---|---|---|---|
| 1 | AZURE_CLIENT_ID | Secret | [App Registration Client ID] | [App Registration Client ID] | OIDC authentication to Azure | |
| 2 | AZURE_TENANT_ID | Secret | [Azure AD Tenant ID] | [Azure AD Tenant ID] | OIDC authentication to Azure | |
| 3 | AZURE_SUBSCRIPTION_ID | Secret | [Subscription ID] | [Subscription ID] | Target Azure Subscription | |
| 4 | AZURE_RESOURCE_GROUP | Variable | [Platform Code]-DEV | [Platform Code]-UAT | Target Resource Group | |
| 5 | AZURE_LOCATION | Variable | [Azure Region] | [Azure Region] | Deployment region | |
| 6 | ENVIRONMENT_NAME | Variable | dev | uat | Environment identifier | |
| [#] | [Name] | [Type] | [Value] | [Value] | [Purpose] | |
[No client secrets or certificates should be stored in pipeline secrets. Authentication uses OIDC federated credentials configured in 5.3 Federated Credentials.]
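As an added example (not part of the template or calab.ai's tooling), the script below populates both GitHub Environments from the 7.3 table with the `gh` CLI. It stores only the three OIDC identifiers as secrets, everything else as variables, and refuses any setting whose name suggests a stored credential, which is how the rule above can be enforced at provisioning time. The repository name and identifier values are assumed placeholders; commands are printed unless `DRY_RUN=0`.

```shell
#!/usr/bin/env sh
# Added example (not part of the template): set the 7.3 secrets and variables
# on the dev and uat GitHub Environments, refusing credential-like settings.
# Assumed placeholders: REPO, PLATFORM_CODE, AZURE_* identifier values.
set -eu

# Classify a setting name: "secret" for the three OIDC identifiers from 7.3,
# "variable" for plaintext configuration, "forbidden" for stored credentials.
classify_setting() {
  case "$1" in
    AZURE_CLIENT_ID|AZURE_TENANT_ID|AZURE_SUBSCRIPTION_ID) echo secret ;;
    AZURE_RESOURCE_GROUP|AZURE_LOCATION|ENVIRONMENT_NAME) echo variable ;;
    *SECRET*|*PASSWORD*|*CERT*|*PFX*|*PRIVATE_KEY*) echo forbidden ;;
    *) echo variable ;;
  esac
}

# Set one value in a GitHub Environment. DRY_RUN=1 (default) prints instead of calling gh.
# Usage: set_env_setting <owner/repo> <environment> <name> <value>
set_env_setting() {
  repo="$1"; env_name="$2"; name="$3"; value="$4"
  kind=$(classify_setting "$name")
  case "$kind" in
    forbidden)
      echo "refusing to store credential-like setting $name (authentication uses OIDC, see 5.3)" >&2
      return 1 ;;
    secret)   cmd="gh secret set $name --repo $repo --env $env_name" ;;
    variable) cmd="gh variable set $name --repo $repo --env $env_name" ;;
  esac
  if [ "${DRY_RUN:-1}" = "1" ]; then
    if [ "$kind" = secret ]; then
      echo "$cmd --body <redacted>"     # never echo secret values, even in a dry run
    else
      echo "$cmd --body $value"
    fi
  else
    printf '%s' "$value" | $cmd          # gh reads the value from stdin
  fi
}

# Apply the six rows of the 7.3 table to one environment.
# Usage: configure_environment <owner/repo> <dev|uat> <resource group> <region>
configure_environment() {
  target_repo="$1"; target_env="$2"; rg="$3"; location="$4"
  set_env_setting "$target_repo" "$target_env" AZURE_CLIENT_ID "$AZURE_CLIENT_ID"
  set_env_setting "$target_repo" "$target_env" AZURE_TENANT_ID "$AZURE_TENANT_ID"
  set_env_setting "$target_repo" "$target_env" AZURE_SUBSCRIPTION_ID "$AZURE_SUBSCRIPTION_ID"
  set_env_setting "$target_repo" "$target_env" AZURE_RESOURCE_GROUP "$rg"
  set_env_setting "$target_repo" "$target_env" AZURE_LOCATION "$location"
  set_env_setting "$target_repo" "$target_env" ENVIRONMENT_NAME "$target_env"
}

# All values below are assumed placeholders; the identifiers come from the App Registration in 5.
main() {
  REPO="${REPO:-example-org/platform-infra}"
  PLATFORM_CODE="${PLATFORM_CODE:-platform}"
  REGION="${REGION:-australiaeast}"
  AZURE_CLIENT_ID="${AZURE_CLIENT_ID:-00000000-0000-0000-0000-000000000000}"
  AZURE_TENANT_ID="${AZURE_TENANT_ID:-00000000-0000-0000-0000-000000000000}"
  AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
  configure_environment "$REPO" dev "${PLATFORM_CODE}-DEV" "$REGION"
  configure_environment "$REPO" uat "${PLATFORM_CODE}-UAT" "$REGION"
}

if [ "${RUN_MAIN:-0}" = "1" ]; then
  main
fi
```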
8 Networking and Firewall
[Request the networking infrastructure and firewall rules required for the platform. These requests are typically fulfilled by the client’s Network and Security teams. Refer to PROJECT CODE – AI PLATFORM CODE – PAD for the full network topology.]
8.1 Virtual Network Provisioning
| # | Request Item | Detail | Status | Notes |
|---|---|---|---|---|
| 1 | Spoke VNet (DEV) | Dedicated VNet for [Platform Name] DEV resources. Address space: [CIDR, e.g. 10.x.x.x/24]. Custom DNS servers (region-specific for Private DNS Zone resolution). | ||
| 2 | Spoke VNet (UAT) | Dedicated VNet for [Platform Name] UAT resources. Address space: [CIDR, e.g. 10.x.x.x/24]. Custom DNS servers (region-specific for Private DNS Zone resolution). | ||
| 3 | ASE Subnet (DEV) | Subnet delegated to Microsoft.Web/hostingEnvironments. Minimum size: /27 (32 IPs). NSG associated. | | Within DEV Spoke VNet |
| 4 | ASE Subnet (UAT) | Subnet delegated to Microsoft.Web/hostingEnvironments. Minimum size: /27 (32 IPs). NSG associated. | | Within UAT Spoke VNet |
| 5 | Private Links Subnet (DEV) | Subnet for Private Endpoints. PE network policies disabled. NSG associated. | | Within DEV Spoke VNet |
| 6 | Private Links Subnet (UAT) | Subnet for Private Endpoints. PE network policies disabled. NSG associated. | | Within UAT Spoke VNet |
[If the client uses a shared VNet model (single VNet with environment-specific subnets rather than environment-specific VNets), adjust accordingly.]
8.2 VNet Peering
| # | Source VNet | Destination VNet | Direction | Purpose | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | [Platform Name] DEV Spoke | Hub VNet | Bidirectional | Connectivity between platform resources and hub (PaloAlto NVA, on-premises, Zscaler) | ||
| 2 | [Platform Name] UAT Spoke | Hub VNet | Bidirectional | Connectivity between platform resources and hub (PaloAlto NVA, on-premises, Zscaler) | | |
8.3 Route Table Association
| # | Route Table | Subnet | Purpose | Status | Notes |
|---|---|---|---|---|---|
| 1 | [Hub route table — nonprod] | ASE Subnet (DEV) | Route all traffic through PaloAlto NVA | | |
| 2 | [Hub route table — nonprod] | Private Links Subnet (DEV) | Route all traffic through PaloAlto NVA | | |
| 3 | [Hub route table — nonprod/prod] | ASE Subnet (UAT) | Route all traffic through PaloAlto NVA | | Confirm if UAT uses prod or nonprod route table |
| 4 | [Hub route table — nonprod/prod] | Private Links Subnet (UAT) | Route all traffic through PaloAlto NVA | | Confirm if UAT uses prod or nonprod route table |
8.4 Firewall Rules (PaloAlto NVA)
[Request firewall rules on the PaloAlto NVA to permit traffic flows required by the platform. Refer to PROJECT CODE – AI PLATFORM CODE – PAD for the traffic flow patterns.]
| # | Rule Name | Source | Destination | Protocol / Port | Direction | Purpose | Status | Notes |
|---|---|---|---|---|---|---|---|---|
| 1 | [Platform Code]-staff-access | Zscaler App Connector / Corporate Office / WVD | [Platform Name] Spoke VNet (ASE Subnet) | HTTPS (443) | Inbound | User access to Chat Web App and Admin Web App | ||
| 2 | [Platform Code]-paas-egress | ASE Subnet | Private Links Subnet | HTTPS (443) | Internal | App Services to PaaS services via Private Endpoints | ||
| 3 | [Platform Code]-acr-pull | ASE Subnet | Azure Container Registry PE | HTTPS (443) | Internal | Container image pull via VNet | ||
| 4 | [Platform Code]-external-api | ASE Subnet | External API endpoints | HTTPS (443) | Outbound | API Management / external integration traffic | ||
| 5 | [Platform Code]-azure-mgmt | ASE Subnet | Azure Management Plane | HTTPS (443) | Outbound | Azure Resource Manager, ARM API calls | | Required for Managed Identity token acquisition |
| [#] | [Rule Name] | [Source] | [Destination] | [Protocol/Port] | [Direction] | [Purpose] | | |
8.5 Network Security Groups (NSG)
[Confirm whether custom NSG rules are required beyond Azure default rules. In most deployments, the PaloAlto NVA provides the primary network security boundary, and NSGs use default rules only.]
| # | NSG Name | Associated Subnet | Custom Rules Required | Status | Notes |
|---|---|---|---|---|---|
| 1 | [Platform Code]-dev-ase-nsg | ASE Subnet (DEV) | [Yes / No — Azure defaults only] | ||
| 2 | [Platform Code]-dev-pe-nsg | Private Links Subnet (DEV) | [Yes / No — Azure defaults only] | ||
| 3 | [Platform Code]-uat-ase-nsg | ASE Subnet (UAT) | [Yes / No — Azure defaults only] | ||
| 4 | [Platform Code]-uat-pe-nsg | Private Links Subnet (UAT) | [Yes / No — Azure defaults only] | | |
9 DNS Configuration
[Request Private DNS Zone access and configuration for Private Endpoint name resolution. Private DNS Zones are typically managed centrally in the client’s shared services subscription.]
9.1 Private DNS Zone Access
[The platform requires the ability to register Private Endpoint DNS A-records in the following centrally managed Private DNS Zones. This is typically achieved by granting the Deployment Service Principal the `Private DNS Zone Contributor` role on each zone, or by requesting the client’s DNS team to register records as part of the deployment process.]
| # | Private DNS Zone | Resource Group (DNS Zone) | Records For | Access Method | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | privatelink.blob.core.windows.net | [Shared Services RG] | Storage Account (blob) | [SP role assignment / Client-managed] | ||
| 2 | privatelink.queue.core.windows.net | [Shared Services RG] | Storage Account (queue) | [SP role assignment / Client-managed] | ||
| 3 | privatelink.documents.azure.com | [Shared Services RG] | Cosmos DB | [SP role assignment / Client-managed] | ||
| 4 | privatelink.vaultcore.azure.net | [Shared Services RG] | Key Vault | [SP role assignment / Client-managed] | ||
| 5 | privatelink.search.windows.net | [Shared Services RG] | Azure AI Search | [SP role assignment / Client-managed] | ||
| 6 | privatelink.openai.azure.com | [Shared Services RG] | Azure OpenAI Service | [SP role assignment / Client-managed] | ||
| 7 | privatelink.cognitiveservices.azure.com | [Shared Services RG] | Document Intelligence, Content Safety, Speech, Computer Vision | [SP role assignment / Client-managed] | ||
| 8 | privatelink.azurecr.io | [Shared Services RG] | Azure Container Registry | [SP role assignment / Client-managed] | | |
[If the Deployment Service Principal requires direct access to register DNS records, request the `Private DNS Zone Contributor` role on the shared services Resource Group or on each individual Private DNS Zone resource.]
9.2 VNet DNS Server Configuration
| # | Request Item | Detail | Status | Notes |
|---|---|---|---|---|
| 1 | Custom DNS servers (DEV VNet) | Configure custom DNS servers on the DEV Spoke VNet for Private DNS Zone resolution. DNS server IPs: [To be provided by Client] | | Region-specific DNS forwarders |
| 2 | Custom DNS servers (UAT VNet) | Configure custom DNS servers on the UAT Spoke VNet for Private DNS Zone resolution. DNS server IPs: [To be provided by Client] | | Region-specific DNS forwarders |
9.3 Private DNS Zone VNet Links
[Each Private DNS Zone must be linked to the platform Spoke VNets to enable DNS resolution for Private Endpoints within the VNet.]
| # | Private DNS Zone | VNet to Link | Auto-Registration | Status | Notes |
|---|---|---|---|---|---|
| 1 | All zones listed in 9.1 Private DNS Zone Access | [Platform Name] DEV Spoke VNet | Disabled | ||
| 2 | All zones listed in 9.1 Private DNS Zone Access | [Platform Name] UAT Spoke VNet | Disabled | | |
10 Azure AD Security Groups
[Request the creation of Azure AD Security Groups to manage application-level access. These groups are assigned to Azure AD App Registrations used for web application authentication (AAD built-in auth on App Services). Refer to PROJECT CODE – AI PLATFORM CODE – PAD for the user role definitions.]
10.1 Security Group Provisioning
| # | Group Name | Group Type | Purpose | Members | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | [Platform Code]-StandardUsers-DEV | Security | Controls access to the Chat Web App (DEV) | [User list or “To be populated”] | | Mapped to Standard Users role |
| 2 | [Platform Code]-AdminUsers-DEV | Security | Controls access to the Admin Web App (DEV) | [User list or “To be populated”] | | Mapped to Admin Users role |
| 3 | [Platform Code]-StandardUsers-UAT | Security | Controls access to the Chat Web App (UAT) | [User list or “To be populated”] | | Mapped to Standard Users role |
| 4 | [Platform Code]-AdminUsers-UAT | Security | Controls access to the Admin Web App (UAT) | [User list or “To be populated”] | | Mapped to Admin Users role |
| [#] | [Group Name] | [Type] | [Purpose] | [Members] | | |
10.2 App Registration for Web App Authentication
[If the platform web applications (Chat Web App, Admin Web App) use Azure AD built-in authentication, request App Registrations for each application per environment.]
| # | App Registration Name | Environment | Redirect URI | Purpose | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | [Platform Code]-chat-dev | DEV | https://[chat-app-hostname]/.auth/login/aad/callback | AAD authentication for Chat Web App (DEV) | ||
| 2 | [Platform Code]-admin-dev | DEV | https://[admin-app-hostname]/.auth/login/aad/callback | AAD authentication for Admin Web App (DEV) | ||
| 3 | [Platform Code]-chat-uat | UAT | https://[chat-app-hostname]/.auth/login/aad/callback | AAD authentication for Chat Web App (UAT) | ||
| 4 | [Platform Code]-admin-uat | UAT | https://[admin-app-hostname]/.auth/login/aad/callback | AAD authentication for Admin Web App (UAT) | | |
11 SSL and TLS Certificates
[Request SSL/TLS certificates for the App Service Environment and web application custom domains, if applicable. ASEv3 with Internal Load Balancing requires an ILB certificate for the ASE’s default domain.]
| # | Certificate Type | Domain / Subject | Environment | Issued By | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | ASE ILB Certificate (DEV) | *.[ase-name].appserviceenvironment.net | DEV | [Client CA / Public CA] | | Required for ASE internal traffic |
| 2 | ASE ILB Certificate (UAT) | *.[ase-name].appserviceenvironment.net | UAT | [Client CA / Public CA] | | Required for ASE internal traffic |
| 3 | Custom Domain Certificate (if applicable) | [Custom domain, e.g. platform.client.com] | [Environment] | [Client CA / Public CA] | | Only if custom domains are used |
12 Service Quotas and Resource Provider Registration
[Request the registration of required Azure Resource Providers on the subscription and confirm that service quotas are sufficient for the platform deployment.]
12.1 Resource Provider Registration
[The following Resource Providers must be registered on the Azure Subscription. Most are registered by default, but some AI-specific providers may require explicit registration.]
| # | Resource Provider | Purpose | Status | Notes |
|---|---|---|---|---|
| 1 | Microsoft.CognitiveServices | Azure OpenAI, Document Intelligence, Speech, Content Safety, Computer Vision | ||
| 2 | Microsoft.Search | Azure AI Search | ||
| 3 | Microsoft.DocumentDB | Azure Cosmos DB | ||
| 4 | Microsoft.Web | App Service, Function App, App Service Environment | ||
| 5 | Microsoft.Storage | Azure Storage Accounts | ||
| 6 | Microsoft.KeyVault | Azure Key Vault | ||
| 7 | Microsoft.ContainerRegistry | Azure Container Registry | ||
| 8 | Microsoft.EventGrid | Event Grid System Topic | ||
| 9 | Microsoft.Insights | Application Insights, Log Analytics | ||
| 10 | Microsoft.OperationalInsights | Log Analytics Workspace | ||
| 11 | Microsoft.Network | Virtual Networks, Private Endpoints, NSGs | ||
| 12 | Microsoft.ManagedIdentity | Managed Identities | ||
| 13 | Microsoft.Resources | Deployment Stacks | | |
12.2 Service Quota Validation
[Confirm that the following service quotas are sufficient in the target Azure Region. Quotas are particularly important for Azure OpenAI models, which have region-specific TPM limits.]
| # | Service | Quota Item | Required | Current Limit | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | Azure OpenAI | GPT-4o Standard TPM ([Azure Region]) | 30K TPM per environment | [Current limit] | ||
| 2 | Azure OpenAI | text-embedding-3-large Standard TPM ([Azure Region]) | 300K TPM per environment | [Current limit] | ||
| 3 | Azure OpenAI | gpt-4o-mini-audio-preview GlobalStandard TPM | 3K TPM per environment | [Current limit] | | Global region (e.g. eastus2) |
| 4 | Azure OpenAI | gpt-4o-mini-realtime-preview GlobalStandard TPM | 3K TPM per environment | [Current limit] | | Global region (e.g. eastus2) |
| 5 | App Service Environment | ASEv3 instances ([Azure Region]) | 1 per environment | [Current limit] | ||
| 6 | Azure AI Search | Standard tier instances ([Azure Region]) | 1 per environment | [Current limit] | ||
| [#] | [Service] | [Quota Item] | [Required] | [Current Limit] | | |
13 Monitoring and Cost Management
[Request configuration for monitoring access and cost management controls.]
13.1 Monitoring Access
| # | Request Item | Detail | Status | Notes |
|---|---|---|---|---|
| 1 | Log Analytics Workspace access | Grant calab.ai team members Reader access to the platform Log Analytics Workspace for troubleshooting and performance analysis | ||
| 2 | Application Insights access | Grant calab.ai team members access to Application Insights for application-level monitoring | | Typically inherited via Resource Group RBAC |
| 3 | Azure Monitor Dashboard sharing | Share platform monitoring dashboards with client stakeholders | | |
13.2 Cost Management and Budgets
| # | Request Item | Detail | Status | Notes |
|---|---|---|---|---|
| 1 | Cost Management Reader | Grant calab.ai Solution Lead Cost Management Reader access on the Subscription or Resource Groups | | For Azure consumption cost reporting |
| 2 | Budget Alert (DEV) | Configure budget alert on [Platform Code]-DEV Resource Group. Threshold: [$ amount / month] | | Notify: [email addresses] |
| 3 | Budget Alert (UAT) | Configure budget alert on [Platform Code]-UAT Resource Group. Threshold: [$ amount / month] | | Notify: [email addresses] |
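Worked example for sections 13.1 and 13.2, added here and not part of the template or of calab.ai's tooling: an Azure CLI script that grants Reader on the Log Analytics Workspace itself to an Entra ID group, and creates a monthly Cost budget on a Resource Group with e-mail notifications through the Microsoft.Consumption/budgets REST API. The `RG`, `WORKSPACE`, `GROUP_OBJECT_ID`, `BUDGET_AMOUNT`, `ALERT_EMAILS` and `APPLY` variables are placeholders introduced for this example, and the 80% actual / 100% forecasted thresholds are illustrative choices.

```shell
#!/usr/bin/env bash
# Added example (not part of the request template or calab.ai tooling):
# fulfil two section 13 requests with the Azure CLI.
#  (1) Reader on the Log Analytics Workspace, granted to an Entra ID group, so
#      the grant is no wider than the workspace and leavers lose it with their
#      group membership instead of needing a Change Request per person.
#  (2) A monthly Cost budget on a Resource Group that e-mails at 80% of actual
#      spend and 100% of forecasted spend, created with `az rest` against the
#      Microsoft.Consumption/budgets API so the notification block is explicit.
# Assumptions: RG, WORKSPACE, GROUP_OBJECT_ID, BUDGET_AMOUNT and ALERT_EMAILS are
# placeholders supplied by the caller; az is logged in with rights to create
# role assignments and budgets on the target scope. Only the az calls need
# Azure (APPLY=1); the helpers below run offline.
set -eu

# Budget window: first day of the given month (the API requires the start date
# to be a month boundary) to 31 December five years later.
budget_window() {   # usage: budget_window YYYY-MM-DD  -> "YYYY-MM-01 YYYY+5-12-31"
  local y m rest
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}
  printf '%s-%s-01 %s-12-31\n' "$y" "$m" "$((y + 5))"
}

# Budget request body: Cost category, Monthly grain, two notifications sent to
# every address given (actual spend > 80%, forecasted spend > 100%).
budget_body() {   # usage: budget_body <amount> <start YYYY-MM-01> <end YYYY-MM-DD> <email>...
  local amount=$1 start=$2 end=$3 emails='' e; shift 3
  for e in "$@"; do emails="${emails:+$emails,}\"$e\""; done
  cat <<EOF
{
  "properties": {
    "category": "Cost",
    "amount": $amount,
    "timeGrain": "Monthly",
    "timePeriod": { "startDate": "${start}T00:00:00Z", "endDate": "${end}T00:00:00Z" },
    "notifications": {
      "Actual_GreaterThan_80_Percent": {
        "enabled": true, "operator": "GreaterThan", "threshold": 80,
        "thresholdType": "Actual", "contactEmails": [$emails]
      },
      "Forecasted_GreaterThan_100_Percent": {
        "enabled": true, "operator": "GreaterThan", "threshold": 100,
        "thresholdType": "Forecasted", "contactEmails": [$emails]
      }
    }
  }
}
EOF
}

# Reader scoped to the workspace resource ID only, assigned to a group.
grant_workspace_reader() {   # usage: grant_workspace_reader <workspace resource id> <group object id>
  az role assignment create --role "Reader" --scope "$1" \
    --assignee-object-id "$2" --assignee-principal-type Group --output none
}

# PUT the budget on the Resource Group; az rest prefixes the ARM endpoint.
create_budget() {   # usage: create_budget <resource group id> <budget name> <amount> <email>...
  local rg_id=$1 name=$2 amount=$3 start end; shift 3
  start=$(budget_window "$(date +%Y-%m-%d)"); end=${start#* }; start=${start%% *}
  az rest --method put \
    --url "${rg_id}/providers/Microsoft.Consumption/budgets/${name}?api-version=2023-05-01" \
    --body "$(budget_body "$amount" "$start" "$end" "$@")" --output none
}

if [ "${APPLY:-0}" = "1" ]; then
  rg=${RG:?Resource Group name, e.g. PLATFORM-DEV}
  ws_id=$(az monitor log-analytics workspace show -g "$rg" -n "${WORKSPACE:?workspace name}" --query id -o tsv)
  rg_id=$(az group show -n "$rg" --query id -o tsv)
  grant_workspace_reader "$ws_id" "${GROUP_OBJECT_ID:?Entra ID group object ID}"
  # ALERT_EMAILS is deliberately unquoted: space-separated addresses become one argument each.
  create_budget "$rg_id" "${rg}-monthly" "${BUDGET_AMOUNT:?amount per month}" ${ALERT_EMAILS:?space-separated e-mail addresses}
fi
```

Run once per environment (`APPLY=1 RG=<Platform Code>-DEV ...`, then the same for UAT). Assigning Reader at Resource Group scope instead of the workspace ID would also cover Application Insights, which is why row 2 of 13.1 is usually inherited; scoping to the workspace is the tighter grant when the team only needs logs.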
14 Remote Access Configuration
[Request remote access configuration for calab.ai team members to access platform resources within the client’s private network. This is required because all platform resources are deployed behind Private Endpoints with no public internet exposure.]
| # | Access Method | Detail | Users | Status | Notes |
|---|---|---|---|---|---|
| 1 | Zscaler Private Access (ZPA) | Configure ZPA application segment for [Platform Name] Spoke VNet resources. Grant access to calab.ai team members. | [calab.ai team members] | | Required for remote access to App Services and Azure Portal resources |
| 2 | Windows Virtual Desktop (WVD) | Provision WVD session host with access to [Platform Name] VNet resources. Install required development tools (Azure CLI, VS Code, Docker, Git). | [calab.ai team members] | | Alternative to ZPA if client policy requires WVD |
| 3 | VPN / Site-to-Site | [If applicable — describe VPN requirements for calab.ai office connectivity] | [calab.ai team members] | | Only if ZPA and WVD are not available |
15 Approval and Sign-Off
[Record approvals from the client’s IT, Security, and Infrastructure teams confirming that all requested access has been reviewed and authorised.]
| # | Approver | Role | Organisation | Date | Signature / Confirmation |
|---|---|---|---|---|---|
| 1 | [Name] | IT Manager / Cloud Platform Lead | [Client] | ||
| 2 | [Name] | Information Security Officer | [Client] | ||
| 3 | [Name] | Network / Infrastructure Lead | [Client] | ||
| 4 | [Name] | Business Sponsor | [Client] | ||
| 5 | [Name] | Solution Lead | calab.ai | | |
16 Appendix
16.1 Glossary
| Acronym / Term | Description |
|---|---|
| PAD | Platform Architecture Document — the foundational reference document describing the platform’s infrastructure, networking, security, and operational capabilities |
| RBAC | Role-Based Access Control — Azure’s authorisation model for granting granular access to resources |
| OIDC | OpenID Connect — identity layer on OAuth 2.0; used here for workload identity federation so CI/CD pipelines authenticate to Azure with short-lived tokens instead of stored secrets |
| IaC | Infrastructure as Code — the practice of managing infrastructure through version-controlled code (Bicep) |
| ASE | App Service Environment — a dedicated, isolated Azure hosting environment for App Services and Function Apps |
| PE | Private Endpoint — a network interface that connects privately to an Azure PaaS service via Private Link |
| NVA | Network Virtual Appliance — a virtual machine (e.g. a Palo Alto Networks firewall) providing network security functions such as traffic inspection between spokes and to the internet |
| ZPA | Zscaler Private Access — zero-trust network access service for secure remote connectivity |
| WVD | Windows Virtual Desktop — Azure-hosted virtual desktop infrastructure, since renamed Azure Virtual Desktop (AVD) |
| SP | Service Principal — a Microsoft Entra ID (formerly Azure AD) identity used by applications and automation for Azure resource access |
| MFA | Multi-Factor Authentication — requiring multiple verification factors for user authentication |
| NSG | Network Security Group — Azure network-level allow/deny rules applied to subnets or network interfaces |
| CR | Change Request — formal request to make changes to production systems or access |
| ACR | Azure Container Registry — managed Docker container registry service in Azure |
| TPM | Tokens Per Minute — the unit in which Azure OpenAI quota and rate limits are expressed |
| VNet | Virtual Network — Azure’s network isolation construct |
16.2 Related Documents
| Document | Description |
|---|---|
| PROJECT CODE – AI PLATFORM CODE – PAD | Platform Architecture Document — the primary architecture reference for all access requirements in this document |
| PROJECT CODE – USE CASE CODE – SDD | Solution Design Document(s) — use-case-specific designs built on this platform |
| PROJECT CODE – USE CASE CODE – OAD | Opportunity Assessment Document(s) — business cases for use cases on this platform |