Proposed placement of AI Gateway LZ subscription under a dedicated Management Group within Platform MG #95

@balagev

Hey,

I’ve been reviewing the current placement of the AI Gateway Landing Zone subscription within the Platform Management Group, specifically under the Connectivity scope, and wanted to share a concern and get your perspective on it.

My concern is not about the design intent, but rather about the governance implications of placing this into the Connectivity Management Group.

At the Connectivity MG level, there are Azure Policies in place that explicitly allow the deployment of networking components such as VPN, ExpressRoute, vWAN, and similar resources. If the AI Gateway Landing Zone subscription is not strictly operated by the platform team, and given that APIM typically requires service-level ownership, permissions, and potentially policy adjustments by other teams, this could open the door for unintended network resource deployments.

In a worst-case scenario, this could lead to a form of shadow IT within a highly privileged scope.

What I don’t fully understand is why this cannot be placed into a dedicated Landing Zone subscription, or alternatively, why not introduce a separate Management Group under the platform hierarchy (similar to the newer ALZ approach for security). That would allow scoping and enforcing more tailored policies specifically for this use case, without inheriting the broader network-related allowances from the Connectivity MG.

Example structure:
Platform
├── Connectivity
├── Identity
├── Management
└── AI-Platform
    └── AI Gateway LZ Subscription

I also discussed this with @jtracey93, and it seemed like a direction worth exploring further.

@mbilalamjad ...feel free to ping me when you have some time to take a look 🙂
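The dedicated-MG placement described above, as an added example that is not part of the original issue or the ALZ project: it creates AI-Platform under Platform, moves the AI Gateway LZ subscription into it, and assigns a deny policy at that scope so the hub-networking allowances granted at Connectivity are not inherited. The subscription ID and policy name are placeholders; the MG names follow the example structure in the issue.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue or the ALZ project: create the
# proposed AI-Platform MG under Platform, move the AI Gateway LZ subscription
# into it, and assign a deny policy there so the networking allowances scoped
# at Connectivity are not inherited. Subscription ID and policy name are
# placeholders; MG names follow the issue's example structure.
set -euo pipefail

PLATFORM_MG="Platform"
AI_MG="AI-Platform"
AI_SUBSCRIPTION_ID="${AI_SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
POLICY_NAME="deny-hub-networking-in-ai-platform"
# Full ARM scope ID for a management group name.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Deny the hub-networking resource types that Connectivity policies permit.
policy_rule_json() {
  cat <<'EOF'
{
  "if": {
    "field": "type",
    "in": [
      "Microsoft.Network/virtualNetworkGateways",
      "Microsoft.Network/expressRouteCircuits",
      "Microsoft.Network/virtualWans",
      "Microsoft.Network/virtualHubs"
    ]
  },
  "then": { "effect": "deny" }
}
EOF
}
# Build the hierarchy and the assignment with Azure CLI (needs az login).
apply_hierarchy() {
  az account management-group create --name "$AI_MG" \
    --display-name "$AI_MG" --parent "$PLATFORM_MG"
  az account management-group subscription add \
    --name "$AI_MG" --subscription "$AI_SUBSCRIPTION_ID"
  az policy definition create --name "$POLICY_NAME" --mode All \
    --management-group "$AI_MG" --rules "$(policy_rule_json)"
  az policy assignment create --name "$POLICY_NAME" \
    --scope "$(mg_scope "$AI_MG")" \
    --policy "$(mg_scope "$AI_MG")/providers/Microsoft.Authorization/policyDefinitions/$POLICY_NAME"
}

# Only touch Azure when explicitly requested (AZ_APPLY=1 ./script.sh).
if [ "${AZ_APPLY:-0}" = "1" ]; then apply_hierarchy; fi
```

Run with `AZ_APPLY=1` after `az login` against a tenant where you hold Management Group Contributor and Resource Policy Contributor at the Platform scope; without it the script only defines the functions.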
