The Azure parallel of the EARE deployment — same product, different cloud. Kiro generated a complete Azure-native stack: Bicep modules, HIPAA-compliant VNet, Durable Functions ETL, Cosmos DB graph and vector databases, Container Apps MCP servers, Azure OpenAI multi-agent orchestration, and five interactive dashboards — including a zero-dependency demo mode deployable in minutes.
EARE on Azure is the direct parallel to the AWS deployment, designed and generated simultaneously from the same product spec pattern applied to Azure-native services. The workflow is identical: write a precise architecture design spec; Kiro generates the implementation. The cloud changes; the approach doesn't.
The Azure design spec described 10 Bicep modules, a 4-subnet VNet with Private Endpoints and Private DNS Zones, Durable Functions ETL orchestration, Cosmos DB multi-API (Gremlin + NoSQL on the same account), Azure AI Search with HNSW vector search, Container Apps MCP servers, and an Azure OpenAI function-calling agent swarm. Kiro generated all of it — Bicep templates, Python Azure Functions, container Dockerfiles, deployment scripts, and a fully self-contained demo mode.
The key insight: specifying architecture precisely is now the engineering work. Kiro handles the implementation. This deployment has zero manually authored Bicep, zero hand-written IAM/RBAC, and zero custom observability wiring — all generated from the spec with correct Managed Identity assignments, Private Endpoint configurations, and Application Insights instrumentation.
- Bicep · No state file: networking, data-ingestion, etl, masking, databases, compute, cdn, ai, security and monitoring modules, plus a main.bicep orchestrator with parameter files for dev/staging/prod.
- Azure Networking: public, private compute, private database and private integration subnets; 6 Private Endpoints with Private DNS Zones; NSG Flow Logs; HIPAA=true tags on all resources.
- Python 3.11 · Durable (Azure Functions): API handlers (5 routes), file validator (Event Grid trigger), Cosmos loader and vector indexer, all with VNet integration, system-assigned Managed Identity and Application Insights.
- Durable Functions (ETL): 12-state normalization orchestration in Python; Azure Data Factory for CSV/JSON; AI Document Intelligence for PDFs; Microsoft Purview + AI Health Insights for PHI masking.
- Cosmos DB Gremlin + NoSQL: a single Cosmos DB account hosting both the Gremlin API (dependency graph) and the NoSQL API (recommendations + reviews); Private Endpoint, continuous backup, autoscale throughput.
- Azure AI Search: HNSW vector search with 1536-dim text-embedding-ada-002 embeddings; 3 indices (procurement, architecture, market-intel); Private Endpoint, RBAC-controlled access.
- Container Apps · ACR: Graph MCP (Gremlin, 4 tools) and Vector MCP (AI Search, 4 tools) on Azure Container Apps; private ACR, VNet-integrated environment, 1–3 replica autoscale.
- Azure OpenAI · GPT-4o: GPT-4o Orchestrator + 4 specialist tool groups + Synthesizer using Azure OpenAI function calling; Private Endpoint, Managed Identity auth, Cognitive Services OpenAI User role.
- Managed Identity · RBAC: system-assigned and user-assigned Managed Identities replace all service principal credentials; explicit Azure RBAC role assignments per identity; zero secrets in code.
- Demo mode: separate demo/ folder with static JSON data, localStorage HITL persistence and a Digital Twin upsell preview; deployable in minutes to a Blob Static Website, no backend needed.
The Azure deployment is architecturally identical to the AWS version — same pipeline stages, same agent pattern, same dashboard structure. The service choices follow Azure Well-Architected Framework principles, not just direct substitution.
| AWS Service | Azure Equivalent | Key Rationale |
|---|---|---|
| CloudFormation (nested stacks) | Azure Bicep (modules) | Native IaC, no state file, cleaner syntax, instant support for new resource types |
| VPC + Security Groups + VPC Endpoints | VNet + NSGs + Private Endpoints + Private DNS Zones | Azure uses DNS-based private endpoint resolution — requires Private DNS Zone per service |
| Lambda | Azure Functions (Python 3.11) | Direct equivalent; VNet integration via Premium plan for production |
| Step Functions | Azure Durable Functions | Code-first orchestration in Python; fan-out/fan-in; native retry; same runtime as other functions |
| Glue DataBrew | Azure Data Factory (data flows) | Managed ETL; visual designer; managed VNet integration for secure data movement |
| Amazon Textract | Azure AI Document Intelligence | Prebuilt-read model; Private Endpoint in integration subnet |
| Amazon Macie | Microsoft Purview | Data estate scanning and PHI/PII classification across Blob Storage |
| Amazon Comprehend Medical | Azure AI Health Insights | PHI entity detection in healthcare text (Text Analytics for health, part of Azure AI Language, is the closer entity-extraction counterpart to Comprehend Medical) |
| Amazon Neptune (Gremlin) | Cosmos DB Gremlin API | Managed graph DB; same Gremlin queries; no self-managed HA; 99.999% SLA (applies to multi-region-writes accounts; single-region accounts carry 99.99%) |
| OpenSearch Serverless (vectors) | Azure AI Search (vector) | Managed HNSW; RBAC-native; no capacity planning; Azure-integrated auth |
| DynamoDB | Cosmos DB NoSQL API | Same Cosmos DB account as Gremlin — one managed service, two APIs (a Cosmos DB account is created for a single API, so check in databases.bicep whether the NoSQL containers sit on the Gremlin account's document endpoint or on a second account) |
| ECS Fargate | Azure Container Apps | Serverless containers; built-in scaling; VNet integration; no cluster management |
| Amazon Bedrock Agents | Azure OpenAI (function calling) | GPT-4o with tool use; same multi-agent pattern; Private Endpoint; Managed Identity auth |
| Bedrock Titan Embeddings | text-embedding-ada-002 / text-embedding-3-large | 1536 or 3072 dimensions; configurable via EMBEDDING_MODEL env var |
| IAM Roles | Managed Identities + Azure RBAC | No credentials to rotate; no leaked service principal keys; role assignments declared in Bicep |
| CloudFront + S3 Static Site | Azure Front Door + Blob Static Website | Front Door includes WAF, rate limiting, managed HTTPS — CDN classic is being deprecated |
| Secrets Manager | Azure Key Vault (Private Endpoint) | Soft delete + purge protection; accessed via Private Endpoint only; RBAC-controlled |
| CloudWatch Logs + Alarms | Log Analytics + Application Insights + Monitor Alerts | Application Insights provides distributed tracing across Functions and Container Apps |
| SNS | Azure Monitor Action Group | Email/webhook alert actions; integrated with all Azure Monitor alert rules |
Pipeline stages:
- Ingestion: files land under raw/{date}/{dimension}/. Event Grid fires a BlobCreated event filtered to the raw/ prefix. The validator Function checks the file extension and the dimension name. Valid files start the Durable Functions orchestration; invalid files are quarantined and an Action Group alert fires.
- Normalization output prefix: normalized/.
- Files held for review: review-required/. Passed files receive deterministic SHA-256 token masking, so the same input always produces the same token and referential integrity holds across all files. One caveat a reviewer should raise: an unkeyed hash of a low-entropy identifier (an MRN, a date of birth) can be reversed by hashing every candidate value; a keyed HMAC, with the key held in Key Vault and read by the etl-identity, keeps the determinism without that exposure.
Agent execution plan:
| Agent / Tool Group | MCP Server | Tools Called | Execution |
|---|---|---|---|
| Orchestrator | — | Delegates to all tool groups, collects outputs for Synthesizer | GPT-4o · 4096 tokens · 30s timeout per tool group |
| Telemetry Tool Group | Graph MCP (Container Apps) | get_application_profile, get_dependencies | Parallel with Procurement |
| Dependency Tool Group | Graph MCP (Container Apps) | get_dependencies, get_blast_radius, detect_circular_dependencies | Sequential — after Telemetry |
| Procurement Tool Group | Vector MCP (Container Apps) | search_contracts, search_market_intel | Parallel with Telemetry |
| Provisioning Tool Group | Graph MCP (Container Apps) | get_application_profile (CMDB cross-ref) | Sequential — after Dependency |
| Synthesizer | — | Aggregates all tool group outputs | Final step → Cosmos DB NoSQL write |
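The ingestion gate and the masking stage described in the pipeline stages above, as an added example. This is not the Functions code Kiro generated for the project: the allow-lists (ALLOWED_DIMENSIONS, ALLOWED_EXTENSIONS), the masking key and the sample Event Grid events are constructed for illustration, and a real deployment would fetch the key from Key Vault through the etl-identity. It shows the validator rejecting anything that is not exactly raw/{date}/{dimension}/{file}, and why the deterministic token should be a keyed HMAC rather than a bare SHA-256: with a bare hash, the mapping for a guessable identifier can be rebuilt from a dictionary of candidates.

```python
"""Ingestion gate and deterministic masking for the raw/ pipeline.

Added example, not the project's generated code. Allow-lists, key and
sample events are constructed; the real key would come from Key Vault.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

RAW_PREFIX = "raw/"
# Hypothetical allow-lists; the page names dimensions only by example.
ALLOWED_DIMENSIONS = frozenset({"procurement", "architecture", "market-intel"})
ALLOWED_EXTENSIONS = frozenset({".csv", ".json", ".pdf"})
_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass(frozen=True)
class Decision:
    action: str  # "orchestrate" (start Durable Functions) or "quarantine" (+ alert)
    reason: str
    blob_path: str = ""


def blob_path_from_subject(subject: str) -> Optional[str]:
    """Event Grid BlobCreated subjects have the form
    /blobServices/default/containers/<container>/blobs/<path>."""
    marker = "/blobs/"
    idx = subject.find(marker)
    return None if idx < 0 else subject[idx + len(marker):]


def validate_blob_event(event: dict) -> Decision:
    """Mirror of the validator Function: allow-list every path component, so a
    blob that starts with raw/ but smuggles '..' or an odd extension is
    quarantined instead of reaching the orchestration."""
    if event.get("eventType") != "Microsoft.Storage.BlobCreated":
        return Decision("quarantine", "unexpected event type")
    path = blob_path_from_subject(event.get("subject", ""))
    if not path or not path.startswith(RAW_PREFIX):
        return Decision("quarantine", "outside raw/ prefix", path or "")
    parts = path[len(RAW_PREFIX):].split("/")
    # Exactly raw/{date}/{dimension}/{file}; '.' and '..' never qualify.
    if len(parts) != 3 or not all(_SEGMENT.match(p) and p not in (".", "..") for p in parts):
        return Decision("quarantine", "malformed path layout", path)
    date, dimension, filename = parts
    if not _DATE.match(date):
        return Decision("quarantine", "bad date segment", path)
    if dimension not in ALLOWED_DIMENSIONS:
        return Decision("quarantine", f"unknown dimension {dimension!r}", path)
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return Decision("quarantine", f"extension {ext!r} not allowed", path)
    return Decision("orchestrate", "ok", path)


def mask_sha256(value: str) -> str:
    """Unkeyed deterministic token, as the page describes."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def mask_hmac(value: str, key: bytes) -> str:
    """Keyed deterministic token: the same determinism across files, but an
    attacker without the key cannot rebuild the mapping from guessed inputs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_reverse(token: str, candidates: Iterable[str],
                       tokenize: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: hash every plausible plaintext and look for a match."""
    return next((c for c in candidates if tokenize(c) == token), None)


# Constructed sample events (not captured from a real subscription).
SAMPLE_EVENTS = [
    {"eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/ingest/blobs/raw/2024-05-01/procurement/vendors.csv"},
    {"eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/ingest/blobs/raw/2024-05-01/../masked/dump.csv"},
    {"eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/ingest/blobs/raw/2024-05-01/procurement/loader.exe"},
    {"eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/ingest/blobs/normalized/2024-05-01/procurement/vendors.csv"},
]
DEMO_KEY = b"demo-only-key-held-in-key-vault-in-production"  # hypothetical key
MRN_CANDIDATES = [f"MRN-{i:06d}" for i in range(5000)]  # an attacker's guess space
```

The first sample event is the only one that reaches the orchestration; the other three are quarantined for a traversal segment, a disallowed extension and a path outside raw/. Reversing mask_sha256("MRN-004217") over MRN_CANDIDATES succeeds, while the same dictionary attack against mask_hmac output fails without the key.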
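The execution plan in the agent table above (Telemetry and Procurement in parallel, Dependency after Telemetry, Provisioning after Dependency, a 30 s timeout per tool group, Synthesizer last), as an added example. It is not the project's orchestrator: the deployment drives the groups through Azure OpenAI function calling and the two MCP servers, whereas here each tool group is a stand-in coroutine so the scheduling, the per-group timeout and the failure handling can run offline. PLAN, the stub delays and the forced failure of the Dependency group are constructed for illustration.

```python
"""Wave scheduler for the Orchestrator -> tool groups -> Synthesizer flow.

Added example; tool groups are stand-in coroutines, not MCP calls.
"""
import asyncio
from typing import Awaitable, Callable, Dict, List, Set

TOOL_GROUP_TIMEOUT = 30.0  # seconds per tool group, as in the table

# Group -> groups that must finish first (constructed from the table).
PLAN: Dict[str, Set[str]] = {
    "telemetry": set(),
    "procurement": set(),
    "dependency": {"telemetry"},
    "provisioning": {"dependency"},
}

GroupFn = Callable[[dict], Awaitable[dict]]


def waves(plan: Dict[str, Set[str]]) -> List[Set[str]]:
    """Topological waves: every group in one wave runs concurrently."""
    done: Set[str] = set()
    remaining = {g: set(d) for g, d in plan.items()}
    out: List[Set[str]] = []
    while remaining:
        ready = {g for g, deps in remaining.items() if deps <= done}
        if not ready:
            raise ValueError("cycle in plan: " + ", ".join(sorted(remaining)))
        out.append(ready)
        done |= ready
        for g in ready:
            del remaining[g]
    return out


async def run_plan(plan: Dict[str, Set[str]], groups: Dict[str, GroupFn],
                   timeout: float = TOOL_GROUP_TIMEOUT) -> Dict[str, dict]:
    """Run the groups wave by wave. A timed-out or failing group is recorded as
    an error instead of aborting the swarm; a group whose predecessor failed is
    skipped rather than fed partial data."""
    outputs: Dict[str, dict] = {}

    async def run_one(name: str) -> tuple:
        if any("error" in outputs[d] for d in plan[name]):
            return name, {"error": "skipped: upstream failure"}
        try:
            # Each group sees a snapshot of what earlier waves produced.
            return name, await asyncio.wait_for(groups[name](dict(outputs)), timeout)
        except asyncio.TimeoutError:
            return name, {"error": "timeout"}
        except Exception as exc:  # one flaky MCP call must not take the rest down
            return name, {"error": repr(exc)}

    for wave in waves(plan):
        for name, result in await asyncio.gather(*(run_one(n) for n in sorted(wave))):
            outputs[name] = result
    return outputs


def run_sync(plan: Dict[str, Set[str]], groups: Dict[str, GroupFn],
             timeout: float = TOOL_GROUP_TIMEOUT) -> Dict[str, dict]:
    """Blocking entry point for callers not already inside an event loop."""
    return asyncio.run(run_plan(plan, groups, timeout))


def synthesize(outputs: Dict[str, dict]) -> dict:
    """Synthesizer stand-in: the record that would be written to Cosmos DB NoSQL."""
    return {
        "completed": sorted(k for k, v in outputs.items() if "error" not in v),
        "failed": sorted(k for k, v in outputs.items() if "error" in v),
    }


async def stub_group(name: str, delay: float, fail: bool = False) -> dict:
    """Constructed stand-in for a tool group call."""
    await asyncio.sleep(delay)
    if fail:
        raise RuntimeError(f"{name}: MCP server unreachable")
    return {"group": name}


# Constructed scenario: the Dependency group fails, so Provisioning is skipped.
STUB_GROUPS: Dict[str, GroupFn] = {
    "telemetry": lambda prior: stub_group("telemetry", 0.01),
    "procurement": lambda prior: stub_group("procurement", 0.01),
    "dependency": lambda prior: stub_group("dependency", 0.01, fail=True),
    "provisioning": lambda prior: stub_group("provisioning", 0.01),
}


def demo() -> dict:
    return synthesize(run_sync(PLAN, STUB_GROUPS))
```

demo() returns telemetry and procurement as completed and dependency plus provisioning as failed: the Synthesizer still gets a result, but one that says which tool groups it is missing instead of silently synthesising from partial data.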
Kiro generated 7 Managed Identities (system-assigned and user-assigned) with explicit
Azure RBAC role assignments scoped to the minimum required resources. No service principal
secrets, no credential rotation, no risk of key leakage. All identity-to-role mappings
are declared in security.bicep and applied at deploy time. Three checks worth running against the generated template: Azure RBAC is additive, so read-only access is enforced by assigning only a reader role (there is no deny rule for a writer to hit); an RBAC scope on Blob Storage stops at the container, so a restriction such as "masked/ only" needs either a dedicated container or an ABAC condition on the role assignment; and a Durable Functions task hub on Azure Storage with identity-based connections needs queue and table data roles on the storage account in addition to the blob role. Where a data plane still requires an account key, the calling identity should read it from Key Vault rather than have it embedded in configuration.
| Identity | RBAC Roles Assigned |
|---|---|
| functions-identity | Cosmos DB Data Contributor (recommendations/reviews), Cosmos DB Data Reader (Gremlin), Storage Blob Data Reader, KV Secrets User, Cognitive Services OpenAI User |
| ingestion-identity | Storage Blob Data Contributor (ingestion only), Key Vault Secrets User |
| etl-identity | Storage Blob Data Reader (masked/ only), Cosmos DB Data Contributor (Gremlin write), Search Index Data Contributor, Cognitive Services OpenAI User, KV Secrets User |
| mcp-graph-identity | Cosmos DB Built-in Data Reader only (read-only by omission: no contributor role is assigned) |
| mcp-vector-identity | Search Index Data Reader only (no index write or delete role is assigned) |
| openai-identity | Cognitive Services OpenAI User |
| durable-identity | Storage Blob Data Contributor, Cosmos DB Data Contributor, Cognitive Services OpenAI User, KV Secrets User |
Azure's private endpoint model works differently from AWS VPC Endpoints: each service gets
a dedicated Private Endpoint (a private IP in the database or integration subnet) and a Private DNS Zone,
linked to the VNet, that overrides public DNS resolution. When code inside the VNet resolves
eare-dev-cosmos.documents.azure.com, the public record points at the service's privatelink name and the linked zone answers with the private IP, so
all traffic stays inside the VNet. The check: the same name resolved from inside the VNet returns a private address, from outside the public one. If the zone is not linked to the VNet the caller sits in (including a peered VNet), resolution falls back to the public endpoint, which is why public network access on each service should be disabled as well.
Six Private Endpoints with Private DNS Zones are generated in networking.bicep:
Blob Storage, Cosmos DB, Azure AI Search, Azure OpenAI, Key Vault, and Azure Container
Registry. No database call, AI call, or secret retrieval crosses the public internet.
The static website is served via Azure Front Door with a WAF policy in Prevention mode. The Microsoft_DefaultRuleSet 2.1 managed rule set covers the OWASP Top 10 and common web attack patterns; managed rule sets require the Front Door Premium SKU (Standard supports custom rules only), so the SKU in cdn.bicep has to match. A rate limiting rule blocks IPs exceeding 1,000 requests/minute, protecting both the static site and the APIM gateway.
Front Door also provides managed HTTPS with Azure-issued certificates and global
anycast routing. Locking the origin to Front Door takes two things: the AzureFrontDoor.Backend service tag admits only traffic from Front Door PoPs, but from any customer's Front Door, so the origin must also check that the X-Azure-FDID header carries this profile's ID. An NSG service tag applies only to origins that sit in a VNet behind an NSG; a Blob Static Website is a public PaaS endpoint, so pinning it to Front Door means a Private Link origin (Premium) rather than an NSG rule.
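The origin-side half of the lockdown described above, as an added example that is not part of the page's deployment. It applies to an origin that can inspect request headers (the Functions/APIM API layer behind Front Door), not to a Blob Static Website. EXPECTED_FDID is a placeholder for the profile's Front Door ID, which a real origin reads from configuration; the sample header sets are constructed.

```python
"""Reject requests that did not come through this Front Door profile.

Added example, not project code. EXPECTED_FDID is a placeholder.
"""
import hmac
from typing import Mapping, Optional, Tuple

EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"  # placeholder profile ID


def _lower(headers: Mapping[str, str]) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def is_from_our_front_door(headers: Mapping[str, str],
                           expected_fdid: str = EXPECTED_FDID) -> bool:
    """Front Door stamps every forwarded request with X-Azure-FDID, the ID of the
    profile that forwarded it. An IP allow-list on the AzureFrontDoor.Backend
    service tag admits any customer's Front Door; this header pins it to ours."""
    got = _lower(headers).get("x-azure-fdid", "")
    return hmac.compare_digest(got.encode(), expected_fdid.encode())


def client_ip(headers: Mapping[str, str]) -> Optional[str]:
    """X-Azure-ClientIP is the client address as seen by the Front Door PoP. It
    is trustworthy only after is_from_our_front_door() passes; before that it is
    attacker-controlled like any other header."""
    return _lower(headers).get("x-azure-clientip") or None


def handle(headers: Mapping[str, str]) -> Tuple[int, str]:
    """Gate applied on the API origin before any business logic runs."""
    if not is_from_our_front_door(headers):
        return 403, "direct-to-origin access denied"
    return 200, f"ok from {client_ip(headers) or 'unknown'}"


# Constructed requests: via our Front Door, direct to origin, via a foreign Front Door.
VIA_FRONT_DOOR = {"X-Azure-FDID": EXPECTED_FDID, "X-Azure-ClientIP": "198.51.100.7"}
DIRECT = {"X-Forwarded-For": "198.51.100.7"}
FOREIGN_FRONT_DOOR = {"X-Azure-FDID": "11111111-1111-1111-1111-111111111111",
                      "X-Azure-ClientIP": "203.0.113.9"}
```

Only the first request is served; a direct hit and a request relayed by someone else's Front Door profile (which would pass a service-tag-only allow-list) both get 403, and the forwarded client IP is read only after that check.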
Bicep compiles to ARM JSON and is deployed directly through Azure Resource Manager:
no state file, no backend configuration, no Terraform Cloud dependency. ARM is the
source of truth. Running az deployment group create --mode Complete deletes
any resource in the target resource group that is not in the template, which is what keeps
drift from accumulating. That deletion is real and immediate, so preview the deployment with the what-if operation first and read its delete list before running complete mode against staging or prod.
Bicep also has zero-lag support for new Azure resource types: any resource type that ARM supports is available in Bicep immediately, without waiting for a provider release. This is a meaningful operational advantage when adopting newly released Azure services.
The Azure deployment includes the same five rationalization dashboards as the AWS version, plus a fully self-contained demo mode with static JSON data and a Digital Twin upsell preview — deployable in minutes to a Blob Static Website with no backend required.
The demo/ folder holds pre-computed JSON data (including sample-recommendations.json), localStorage HITL persistence and a Digital Twin Premium upsell preview (Step 7). Deploy it with ./deploy-demo.sh, or run it locally with ./demo-local.sh for offline presentations. Step 6 (HITL Review) persists
review decisions to localStorage, so reviewers can approve/reject applications during a
live demo without any API calls; with no backend, those decisions carry no authentication or audit trail and are demo-only. Step 7 (Digital Twin Preview) is a static teaser that surfaces the
upsell narrative. The entire demo deploys to an Azure Blob Static Website in under 2 minutes via
demo-bicep.bicep (minimal Storage Account + Front Door), making it viable for
prospect demonstrations in environments where provisioning a full backend is impractical. Because the static JSON is served world-readable, it must contain only synthetic data.
The AWS and Azure deployments were generated in parallel from the same spec pattern. Multi-cloud isn't a migration problem when the IaC is generated — it's a spec problem.
Azure Bicep · Azure Functions · Cosmos DB · Azure AI Search · Container Apps · Azure OpenAI · Durable Functions · Python 3.11