Deploy ZavaStorefront On Azure With Bicep & AZD

Dec 4, 2025 by Alex Johnson 48 views

Deploying ZavaStorefront on Azure with Bicep & AZD

This article outlines how to provision Azure infrastructure for the ZavaStorefront web application using Bicep and AZD (Azure Developer CLI). The goal is to automate the deployment of a development environment that includes an App Service, Azure Container Registry (ACR), Microsoft Foundry, and Application Insights, all within a single resource group located in the westus3 region.

Requirements

Here's a detailed breakdown of the requirements for provisioning the Azure infrastructure:

App Service: The deployment needs to utilize a Linux-based Azure App Service, leveraging Docker containers. A key aspect is that no local Docker installation should be required for the deployment process. This ensures ease of use and portability for developers.
Container Registry: An Azure Container Registry (ACR) is required for storing Docker images. The App Service must be able to pull these images securely using Azure Role-Based Access Control (RBAC), eliminating the need for passwords or other less secure authentication methods. Using RBAC ensures that access to the container registry is controlled and auditable.
Monitoring: Application Insights should be enabled to provide comprehensive monitoring capabilities. This includes tracking application performance, detecting anomalies, and providing insights into user behavior. Effective monitoring is crucial for maintaining the health and performance of the ZavaStorefront application.
Microsoft Foundry: Integration with Microsoft Foundry is essential to support GPT-4 and Phi services. It's critical to ensure that the chosen region (westus3) is compatible with these services. Foundry enables the use of advanced AI capabilities within the application.
Resource Group: All Azure resources, including the App Service, Container Registry, Application Insights, and Foundry workspace, must be deployed within a single resource group. This resource group should be located in the westus3 region. Grouping resources simplifies management and cost tracking.
Automation: The entire infrastructure deployment must be automated using Bicep for infrastructure-as-code and AZD for deployment orchestration. Automation is key to ensuring consistent and repeatable deployments.
Environment: The infrastructure is intended for development usage, so resource naming and configuration should reflect this scope. Using a consistent naming convention helps to differentiate development resources from production resources.

Deep Dive into Bicep Templates

Bicep templates are the backbone of our infrastructure-as-code approach. These templates will define each Azure resource required for the ZavaStorefront application. Let's break down the key components:

Resource Definitions:
- App Service Plan: Define the SKU, operating system (Linux), and other necessary configurations.
- App Service: Configure the App Service to use a Docker container, specify the image source (ACR), and enable managed identity.
- Azure Container Registry: Define the ACR with appropriate SKU and enable admin user (if needed, but RBAC is preferred).
- Application Insights: Configure Application Insights to collect telemetry from the App Service.
- Foundry Workspace: Provision a Foundry workspace and ensure it's configured to support GPT-4 and Phi models.
Parameters:
- Define parameters for resource names, locations, and other configurable values. This allows for easy customization and reuse of the templates.
Outputs:
- Expose the endpoints of the App Service, ACR, and Application Insights. This information is useful for developers and for integrating with CI/CD pipelines.

The Bicep templates should adhere to best practices, such as using descriptive names, adding comments, and organizing the code logically. They should also be parameterized to allow for flexibility and reuse across different environments.

Azure Container Registry (ACR) and RBAC

To enhance security and streamline the deployment process, the App Service will pull Docker images from the ACR using Azure Role-Based Access Control (RBAC). This approach eliminates the need to store and manage passwords or access keys. Here's how it works:

Managed Identity:
- Enable a managed identity for the App Service. This identity is automatically managed by Azure and provides an identity for the App Service to authenticate with other Azure resources.
Role Assignment:
- Assign the AcrPull role to the managed identity of the App Service on the ACR. This role grants the App Service permission to pull images from the ACR.
Configuration:
- Configure the App Service to use the managed identity to authenticate with the ACR. This is typically done by setting the identity property of the App Service to SystemAssigned and configuring the acrUseManagedIdentityCreds property to true.

By using RBAC, you can ensure that the App Service only has the necessary permissions to pull images from the ACR, minimizing the risk of unauthorized access. This is a crucial security best practice.

Integrating Microsoft Foundry

Microsoft Foundry provides access to powerful AI models, such as GPT-4 and Phi. To integrate Foundry with the ZavaStorefront application, you need to provision a Foundry workspace and ensure that it's configured correctly. Here are the steps involved:

Workspace Provisioning:
- Use Bicep to provision a Foundry workspace in the westus3 region.
Model Access:
- Ensure that the Foundry workspace has access to the GPT-4 and Phi models. This may require additional configuration or approval from Microsoft.
API Integration:
- Integrate the ZavaStorefront application with the Foundry API to access the AI models. This typically involves using the Foundry SDK or REST API.

It's important to verify that the westus3 region supports the required AI models before deploying the Foundry workspace. Regional availability can vary, so it's essential to confirm this beforehand.

Acceptance Criteria

To ensure the successful provisioning of the Azure infrastructure, the following acceptance criteria must be met:

[x] Bicep templates define all required Azure resources in westus3.
[x] App Service can deploy container images without requiring Docker on a local machine.
[x] App Service uses RBAC to pull images from Container Registry.
[x] Application Insights is enabled and collecting metrics.
[x] Foundry workspace supports GPT-4 and Phi with confirmed regional availability.
[x] Single resource group contains all resources.
[x] AZD deploys the infrastructure via Bicep end-to-end.

AZD Deployment

To deploy the infrastructure using AZD, follow these steps:

Initialize AZD:

azd init --template <bicep_template_directory>

Configure Environment:

azd env set LOCATION westus3
azd env set AZURE_TENANT_ID <your_azure_tenant_id>
azd env set AZURE_SUBSCRIPTION_ID <your_azure_subscription_id>
azd env set AZURE_LOCATION westus3

Deploy Infrastructure:
```
azd up
```
This command will deploy the Bicep templates and provision the Azure resources.
Monitor Deployment:

Monitor the deployment progress in the Azure portal or using the AZD CLI.

Post-Deployment Steps

After the infrastructure has been deployed, you may need to perform additional steps to configure the ZavaStorefront application. These steps may include:

Configuring the application settings in the App Service.
Connecting the application to the Foundry API.
Configuring the application to use Application Insights.

Additional Notes

Ensure all configurations follow security best practices (no hardcoded passwords, use managed identity/RBAC).
Provide usage instructions or azd commands necessary for initial deployment and integration with CI/CD if appropriate.
Document all outputs and resource endpoints necessary for developers.

By following these steps, you can successfully provision the Azure infrastructure for the ZavaStorefront web application using Bicep and AZD. This will enable you to deploy and run the application in a secure, scalable, and reliable environment.

For more information on Azure deployments, visit the Microsoft Azure Documentation.