Add a separate advanced tutorial that shows how to run the AgentOps Hosted Agent workflow inside a network-isolated enterprise Azure environment, using Azure AI Landing Zone as the baseline infrastructure.
This should not be a short note in the basic Hosted Agent tutorial. It should be its own tutorial, or an advanced variant, because the target reader needs additional landing-zone prerequisites, connectivity decisions, validation steps, and operational guidance before the normal Hosted Agent flow can work safely.
Background
The basic Hosted Agent tutorial is useful for the standard sandbox-to-production workflow. Enterprise users also need guidance for environments where public access is restricted and core AI resources are deployed behind private networking.
The Azure AI Landing Zone repository, https://github.com/Azure/bicep-ptn-aiml-landing-zone, describes an enterprise-scale, production-ready reference architecture for secure and resilient AI applications and agents on Azure. This tutorial should treat Azure AI Landing Zone as the baseline infrastructure that is deployed first. AgentOps should not duplicate the landing-zone architecture. Instead, the tutorial should explain how to operate AgentOps and Hosted Agent within that isolated baseline.
Proposed tutorial scope
Create a tutorial that explains this workflow:
Deploy Azure AI Landing Zone first, following the landing-zone guidance and enterprise controls.
Confirm the isolated environment has the required networking, identity, monitoring, and DevOps access paths.
Deploy or configure AgentOps and Hosted Agent to operate inside that environment.
Reuse the existing Hosted Agent workflow where possible: sandbox/dev, evaluate, ship through a PR gate, observe, own and collect evidence.
Add the extra validation steps needed when public network access is disabled or tightly restricted.
Topics to cover
The tutorial should include practical guidance for at least these areas:
Private networking and private endpoints: which resources need private access, DNS expectations, and how to validate name resolution and connectivity.
Identity and RBAC: managed identity or workload identity usage, least-privilege role assignments, and expected access boundaries between AgentOps, Foundry, storage, monitoring, and deployment resources.
GitHub Actions, OIDC, and runner connectivity: how PR gates and deployment workflows authenticate, and what changes when GitHub-hosted runners cannot reach private endpoints. Cover options such as self-hosted runners, private network access patterns, and OIDC trust configuration.
Azure AI Foundry project endpoints: how Hosted Agent connects to project endpoints in an isolated environment, including validation for private endpoint access and blocked public access.
Application Insights and Azure Monitor access: how telemetry is emitted, queried, and reviewed when monitoring resources are private or ingestion/query paths are restricted.
Egress constraints: required outbound dependencies, expected deny-by-default behavior, and how to document approved egress when needed.
Secrets and configuration: Key Vault or managed identity patterns, configuration values that differ from the basic tutorial, and how to avoid placing secrets in repository files or GitHub logs.
Evaluation and telemetry under restricted public access: how evaluation runs, traces, logs, and evidence collection work when the environment cannot call public endpoints freely.
Suggested structure
A possible tutorial outline:
When to use this tutorial
Explain that this is for enterprise or regulated environments using Azure AI Landing Zone and private networking.
Link to the basic Hosted Agent tutorial for non-isolated scenarios.
Architecture baseline
Introduce Azure AI Landing Zone as the prerequisite baseline.
Clarify that AgentOps builds on the landing zone instead of recreating it.
Prerequisites
Connectivity validation
Run the Hosted Agent flow inside the isolated environment
Troubleshooting
Cleanup and governance notes
Acceptance criteria
Suggested labels
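The name-resolution check asked for under "Private networking and private endpoints" and "Connectivity validation" could look like the following. This is an added example, not part of the original issue or of AgentOps; the hostnames, addresses, and function names are constructed placeholders, and the resolver is injectable so the sample runs offline.

```python
import ipaddress
import socket

# RFC 1918 plus IPv6 unique-local ranges; documentation/test ranges count as public here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def system_resolver(host):
    """Resolve with the OS resolver, so the answer reflects the network's DNS setup."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def classify(host, resolver=system_resolver):
    """Return (verdict, addresses) for one endpoint hostname."""
    try:
        addrs = resolver(host)
    except OSError:  # socket.gaierror is a subclass: no record or no usable DNS server
        addrs = []
    if not addrs:
        return "unresolved", []
    private = [any(ipaddress.ip_address(a) in net for net in PRIVATE_NETS) for a in addrs]
    if all(private):
        return "private", addrs
    # Any public answer means traffic can leave the private path, so mixed is a failure.
    return ("mixed" if any(private) else "public"), addrs

def validate(hosts, resolver=system_resolver):
    """Return only the hosts that do NOT resolve exclusively to private addresses."""
    results = {h: classify(h, resolver) for h in hosts}
    return {h: r for h, r in results.items() if r[0] != "private"}

# Constructed sample answers standing in for DNS responses seen from inside the network.
SAMPLE_DNS = {
    "project.example.internal": ["10.20.1.4"],
    "storage.example.internal": ["203.0.113.10"],  # e.g. private DNS zone not linked
    "monitor.example.internal": ["10.20.1.7", "198.51.100.5"],
}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise socket.gaierror("constructed: no such host")
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    hosts = list(SAMPLE_DNS) + ["keyvault.example.internal"]
    for host, (verdict, addrs) in validate(hosts, sample_resolver).items():
        print(f"FAIL {host}: {verdict} {addrs}")
```

Run from a machine inside the isolated network (for example a self-hosted runner), calling `validate` with the real endpoint hostnames and the default resolver; an empty result means every name resolved only to private addresses.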