// the find
Azure/GPT-RAG
Sharing the learning along the way we been gathering to enable Azure OpenAI at enterprise scale in a secure manner. GPT-RAG core is a Retrieval-Augmented Generation pattern running in Azure, using Azure Cognitive Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
GPT-RAG is a Microsoft-maintained solution accelerator for deploying RAG systems on Azure using Azure AI Search and Azure OpenAI, with a strong emphasis on enterprise security constraints (Zero-Trust, VNet isolation, private endpoints). It's aimed at enterprise teams that need to ship a compliant RAG deployment inside Azure and don't want to assemble the plumbing from scratch. Not a library — it's a template you deploy and then modify.
Zero-Trust network isolation is a first-class concern, not an afterthought — the deployment flow actively blocks you from doing data-plane work outside the VNet. The preflight checker (`Invoke-PreflightChecks.ps1`) validates model quota, regional capacity, and provider support before ARM deployment starts, which saves the 'waited 20 minutes to hit a quota error' experience. The split between workstation provisioning and jumpbox deployment is honest about the reality of air-gapped enterprise networks — most similar tools pretend this problem doesn't exist. Actively maintained by the Azure team with a real changelog and submodule versioning (`ailz_tag`).
This is a repo of repos: the actual orchestration, data ingestion, and frontend code live in separate submodules not shown here, so what you're cloning is largely Bicep infra glue and config scripts — you need to chase down 3-4 more repos to see the full picture, which is a meaningful friction cost. The `azure.yaml` + AZD dependency means you're locked into Microsoft's developer CLI toolchain; if your org doesn't already use AZD, that's a new thing to learn and trust. Python config scripts (`config/search/setup.py`, etc.) doing post-provision work via the Azure SDK add a fragile imperative layer on top of declarative Bicep — drift between the two is inevitable. No local development story: the Zero-Trust architecture is real, but it means running this outside Azure for testing or iteration is essentially unsupported.