Azure OpenAI Setup

Route AI agent traffic through TapPass while using Azure OpenAI as the LLM provider. Azure OpenAI offers EU-resident deployments (West Europe, Sweden Central). ideal for GDPR compliance.

Why Azure OpenAI?

Benefit	Details
EU data residency	Deploy models in West Europe or Sweden Central: data never leaves the EU
Enterprise billing	Use your existing Azure EA/CSP agreement
Private networking	VNet integration, Private Endpoints, no public internet exposure
Content filtering	Azure’s built-in content safety on top of TapPass governance
SLA	99.9% availability backed by Microsoft

Quick Start

1. Create an Azure OpenAI resource

# Azure CLI
az cognitiveservices account create \
  --name tappass-openai \
  --resource-group your-rg \
  --kind OpenAI \
  --sku S0 \
  --location westeurope  # EU data residency

2. Deploy a model

az cognitiveservices account deployment create \
  --name tappass-openai \
  --resource-group your-rg \
  --deployment-name gpt-4o-mini \
  --model-name gpt-4o-mini \
  --model-version "2024-07-18" \
  --model-format OpenAI \
  --sku-capacity 10 \
  --sku-name Standard

3. Configure TapPass

Add to your .env or environment:

# Azure OpenAI credentials (read by LiteLLM directly)
AZURE_API_KEY="your-azure-openai-key"
AZURE_API_BASE="https://tappass-openai.openai.azure.com/"
AZURE_API_VERSION="2024-10-21"

4. Use Azure models

from tappass import Agent

agent = Agent("http://localhost:9620", "tp_...")

# Explicitly request Azure model
response = agent.chat("Analyze Q3 trends", model="azure/gpt-4o-mini")

Or set as the default model in your pipeline configuration.

Model Names

TapPass uses LiteLLM’s azure/<deployment-name> format:

TapPass model name	Azure deployment	Notes
`azure/gpt-4o-mini`	`gpt-4o-mini`	Fast, cheap, good for most tasks
`azure/gpt-4o`	`gpt-4o`	Best quality, higher cost
`azure/gpt-4`	`gpt-4`	Previous generation

Important: The deployment name in Azure must match the part after azure/. If your Azure deployment is named my-gpt4o, use azure/my-gpt4o in TapPass.

EU Data Residency

When TAPPASS_EU_DATA_RESIDENCY=true, TapPass automatically routes CONFIDENTIAL+ data to Azure OpenAI (when configured) or Mistral (EU-native fallback).

TAPPASS_EU_DATA_RESIDENCY=true
AZURE_API_KEY="..."
AZURE_API_BASE="https://your-resource.openai.azure.com/"

Routing priority for EU residency:

Classification	Model	Reason
PUBLIC	Requested model	No restriction
INTERNAL	Requested model	No restriction
CONFIDENTIAL	`azure/gpt-4o` → `mistral/mistral-large-latest`	EU-hosted
RESTRICTED	`ollama/llama3.2`	Local only

Private Networking

For maximum security, use Azure Private Endpoints to ensure TapPass communicates with Azure OpenAI over a private network:

# Create private endpoint
az network private-endpoint create \
  --name tappass-openai-pe \
  --resource-group your-rg \
  --vnet-name your-vnet \
  --subnet your-subnet \
  --private-connection-resource-id /subscriptions/.../tappass-openai \
  --group-ids account \
  --connection-name tappass-openai-connection

Then set AZURE_API_BASE to the private endpoint URL.

Managed Identity (recommended)

Instead of API keys, use Azure Managed Identity:

# Assign Cognitive Services OpenAI User role to your TapPass VM/container
az role assignment create \
  --assignee <tappass-managed-identity-id> \
  --role "Cognitive Services OpenAI User" \
  --scope /subscriptions/.../tappass-openai

LiteLLM supports Azure Managed Identity automatically when AZURE_API_KEY is not set and AZURE_AD_TOKEN or DefaultAzureCredential is available.

Monitoring

TapPass tracks Azure OpenAI usage in the same audit trail as other providers:

Per-agent cost tracking (Azure pricing)
Token usage per call
Circuit breaker for Azure provider failures
Model routing decisions in audit trail

# Check Azure model availability
curl http://localhost:9620/v1/models | jq '.data[] | select(.id | startswith("azure/"))'