1# Intake
2 
3Collect all inputs in one pass, tiered by priority. Extract implicit answers from the user’s message before asking. Use `AskUserQuestion` for unanswered items — batch related questions.
4 
5---
6 
7## Tier 1 — Core
8 
9### 1.0 Verify Subscription
10 
11Run:
12 
13```bash
14az account show --query "{Name:name, Id:id, State:state}" -o table
15```
16 
17Confirm with user. Switch if needed:
18 
19```bash
20az account set --subscription "<name-or-id>"
21```
22 
23### 1.1 Extract Known Answers
24 
25Scan the user's message before asking:
26 
27| User Says | Inferred |
28|-----------|----------|
29| "my existing VNet" / "my VNet" | BYO VNet |
30| "managed virtual network" | Managed VNet |
31| "user-assigned identity" / "UAI" | User-assigned identity |
32| "APIM" / "API Management" | Needs APIM |
33| "MCP servers on the VNet" | Needs MCP subnet |
34| "I have a Bicep/Terraform template" | Extend existing IaC |
35| "add Foundry to my existing infra" | Extend existing IaC |
36 
37### 1.2 Architecture Questions
38 
39For unanswered items, use `AskUserQuestion`:
40 
41**VNet model:** BYO VNet or Managed VNet (preview)?
42 
43**Agents:** Agent workloads, or just models/projects?
44 
45**Region:** Which Azure region? After answer, verify capacity:
46 
47```bash
48az cognitiveservices account list-skus --location <region> --kind AIServices -o table
49```
50 
51If empty, warn the user and suggest alternatives.
52 
53**Resource Group:** New or existing?
54 
55**VNet:** New or existing? If new: address space (default `192.168.0.0/16`), subnet CIDRs (agent `/24`, PE `/24`).
56 
57### 1.3 Determine Approach
58 
59Based on the answers collected, select one of three paths:
60 
61```
62User has existing IaC they want to extend?
63├── Yes → EXTEND
64│
65└── No → check template-index.md
66    ├── Template fits as-is → OFFICIAL
67    └── Partial or no fit → ADAPT (start from closest template)
68```
69 
70**OFFICIAL:** Load [template-index.md](template-index.md), fetch the best-fit README from GitHub. Present the match using the template's descriptive name.
71 
72**ADAPT:** Fetch the closest template's README. Explain what doesn't fit, present the delta, offer to adapt.
73 
74**EXTEND:** The user has existing Bicep/Terraform — no template selection needed yet. Continue to Tier 2.
75 
76Confirm the approach with the user before continuing to Tier 2.
77 
78---
79 
80## Tier 2 — Architecture
81 
82*Skip questions already answered or not applicable.*
83 
84### BYO VNet only
85 
86**Topology:** Standalone, hub-spoke, or Azure vWAN?
87 
88**On-prem connectivity:** VPN Gateway, ExpressRoute, or none?
89 
90**DNS:** Azure-provided, custom DNS resolver, or on-prem DNS forwarding?
91 
92**Address space:** Is `192.168.0.0/16` available, or use a specific range?
93 
94**NSG / Firewall:** Existing rules on the subnets?
95 
96**Deployment executor:** Where will post-deployment commands run? (VM, Bastion, VPN, Cloud Shell)
97 
98**Subscription scope:** Same subscription/tenant, cross-subscription, or cross-tenant?
99 
100**Team ownership:** Same team controls VNet, DNS, NSG, and policy? If different team, block and get pre-approval before deploying.
101 
102### Managed VNet only
103 
104**Feature flag:** Run `az feature show` to verify `AI.ManagedVnetPreview` is registered. If not, register and wait 15–30 min.
105 
106**Outbound mode:** Internet outbound (default) or approved outbound only?
107 
108**MCP:** Public MCP endpoints or private MCP on VNet?
109 
110**Client access:** Where will clients connect from? (Same VNet, peered VNet, on-prem via VPN/ER, Azure-hosted service)
111 
112### Both paths
113 
114**MCP servers:** Needed on VNet?
115 
116**APIM:** Needed?
117 
118**Identity:** System-assigned (default) or user-assigned?
119 
120**BYO resources:** Reuse existing Cosmos DB / Storage / AI Search, or create new?
121 
122> If reusing, confirm all in same region as VNet.
123 
124**Key Vault / App Insights:** If user mentions existing ones, collect resource IDs. Optional.
125 
126---
127 
128## Tier 3 — Enterprise
129 
130**Agent tools:** Which tools? (AI Search, Cosmos DB, Storage, MCP, external APIs, Bing grounding, Code Interpreter)
131 
132**Model:** Name, vendor, version. Verify version format:
133 
134| Vendor | Format | Example |
135|--------|--------|---------|
136| OpenAI | Date | `2025-04-14` |
137| Mistral AI | Integer | `1` |
138| Meta | Integer | `9` |
139 
140**Client type:** SDK, web app, Teams bot, other service?
141 
142**Client network path:** Inside VNet, peered VNet, VPN/ExpressRoute?
143 
144**Authentication:** Entra ID (recommended) or API key?
145 
146> Entra ID token audience for Foundry Agents API: `https://ai.azure.com`
147 
148**GitHub access:** Can deployment environment reach `github.com`? If not, pre-stage template.
149 
150**Azure Policy:** Known policies (e.g., `disableLocalAuth`, `defaultOutboundAccess`)? If unknown, `what-if` catches them in Step 4.
151 
152**Monitoring:** Existing Log Analytics workspace, create new, or not needed?
153 
154---
155 
156## Validate Against Learn
157 
158After collecting all requirements, validate the user's configuration against current documentation. Use `microsoft_docs_fetch` on the relevant pages below, then `microsoft_docs_search` for any requirement-specific concerns not covered.
159 
160### Reference Pages
161 
162| Topic | URL |
163|-------|-----|
164| Network isolation overview | https://learn.microsoft.com/azure/ai-foundry/how-to/configure-private-link |
165| Agent Service private networking | https://learn.microsoft.com/azure/ai-services/agents/how-to/virtual-networks |
166| Managed VNet configuration | https://learn.microsoft.com/azure/ai-foundry/how-to/configure-managed-network |
167| Agent Service FAQ — VNet | https://learn.microsoft.com/azure/foundry/agents/faq#virtual-networking |
168| Supported regions & availability | https://learn.microsoft.com/azure/ai-foundry/reference/region-support |
169| NSP | https://learn.microsoft.com/en-us/azure/networking/network-security-perimeter |
170| Feature Limitations | https://learn.microsoft.com/en-us/azure/foundry/how-to/configure-private-link#foundry-feature-limitations |
171 
172> These URLs may change. If a fetch returns 404, use `microsoft_docs_search` to find the current page.
173 
174If a conflict is found, present:
1751. The constraint and its source URL
1762. Which requirement it affects
1773. Options to resolve
178 
179Do NOT proceed until all conflicts are resolved or accepted.
180 
181---
182 
183## Confirmation
184 
185Present a summary of all gathered requirements. Ask: **"Confirm this is accurate before I generate a deployment plan."**
186 
187> Do NOT proceed to Plan Generation until you validated requirements against documents and the user confirms.
188