Constructing Safe, Properly-Architected Azure Workloads with Azure Verified Modules and GitHub Copilot

Hi there Of us!

You probably have been writing Bicep or Terraform for Azure over the previous few years, you’ve in all probability lived this story. You decide a group module, it really works nice for six months, then the maintainer strikes on, points cease getting answered, and you might be caught proudly owning code you by no means wrote. On the Microsoft Azure Infra Summit 2026, Jack Tracy and Jarrod Holgate (tech leads on the Azure Verified Modules challenge) walked us by means of how AVM solves that, and the way pairing it with GitHub Copilot and Spec Equipment adjustments the way in which IT professionals construct Azure workloads.

📺 Watch the session:

This isn’t a developer-only subject. In case you are the particular person chargeable for touchdown zones, platform engineering, or the IaC pipelines that different groups ship by means of, this hits you immediately.

• You cease proudly owning home-grown storage account and VNet modules that no two groups write the identical manner.
• You get secure-by-default sources with out having to draft a 40-page inside coding normal.
• You possibly can let software groups transfer quick with out sacrificing the Properly-Architected Framework guardrails you care about.
• You get a supported, Microsoft-backed module library with a transparent lifecycle, as a substitute of betting on an deserted repo.
• You lastly have a deterministic method to put AI to work on infrastructure code with out it inventing issues you don’t want in manufacturing.

If any of that appears like a Tuesday for you, this session is price 40 minutes.

Azure Verified Modules (AVM) is the official Microsoft infrastructure-as-code module library for each Bicep and Terraform. Jack put it plainly within the session: AVM is the one-time answer that isn’t going to go away, with possession, an outlined lifecycle, construction, and well-defined specs.

Here’s what makes AVM completely different from the earlier panorama of group repos:

• It’s supported in a number of IaC languages right this moment (Bicep and Terraform), with constant specs throughout each.
• Modules are aligned to the Azure Properly-Architected Framework by default. Zone redundancy on, public IPs off, smart TLS minimums, proper out of the field. All the pieces continues to be versatile, you’ll be able to override any of it by way of a parameter or variable.
• It’s open supply. Individuals inside and outdoors Microsoft can contribute and keep modules.
• It consolidates the older CARML and Terraform Verified Modules efforts beneath one roof, owned by Microsoft FTEs and backed by the AVM core crew.

AVM has three module classifications, and understanding them is half the battle:

• Useful resource modules. A one-to-one mapping to a single useful resource kind, like a storage account or a digital community. Want ten of them, loop the module ten occasions.
• Sample modules. A set of sources, normally constructed on prime of useful resource modules, that delivers an even bigger slice of an structure. The Azure Touchdown Zone is roughly 5 sample modules behind the scenes.
• Utility modules. Helpers you in all probability by no means name immediately, however that the library makes use of for issues like area lookups, SKU availability, and naming requirements.

One factor that will get undersold: AVM isn’t just for you. The Azure Developer CLI templates use it. Azure Touchdown Zone and Sovereign Touchdown Zone are constructed on it. Inside Microsoft service groups use it. If you undertake AVM, you might be utilizing the identical constructing blocks Microsoft makes use of.

That is the place the session will get attention-grabbing. AVM provides you the trusted Lego bricks. GitHub Copilot provides you a coding assistant. The issue, as Jack known as out, is that AI is non-deterministic by default. It’s nice at fixing ambiguous issues, however you can’t simply level it at a clean repo and belief it to stamp out manufacturing infrastructure.

That’s the hole spec-driven growth is designed to fill.

Spec-driven growth is a documentation-first method. As a substitute of telling Copilot “write me a Terraform module for a hub-spoke community,” you write a structured specification up entrance that captures intent, high quality bar, safety necessities, and coding requirements. The AI then makes use of that spec because the contract, generates code, validates in opposition to it, and loops till the output matches what you requested for.

Jarrod walked by means of Spec Equipment, the open supply toolkit maintained by GitHub and Microsoft, which formalizes this into eight steps:

1. Structure. The non-negotiables. “We should use AVM. We should adjust to PCI. Optimize for value.” That is your challenge DNA.
2. Specify. What you really wish to construct, targeted on consumer targets and outcomes, not implementation particulars.
3. Make clear. Copilot scans the spec, finds ambiguities, and asks you focused questions (IP ranges, bastion SKUs, something that’s fuzzy).
4. Plan. A technical plan that maps the spec to your requirements and constraints.
5. Guidelines. A high quality guidelines the agent makes use of later to validate its personal work.
6. Duties. The plan damaged down into small, reviewable steps.
7. Analyze. A consolidated report throughout the spec, plan, and duties so you’ll be able to sanity test the entire package deal.
8. Implement. Copilot lastly writes the code, validating in opposition to all the things above because it goes.

The crucial element: at each a type of gates, you evaluate. You’re nonetheless the human within the loop. The AI shouldn’t be flying solo, and you aren’t signing off on a thousand-line code dump.

If you wire AVM into the structure (“use AVM modules wherever attainable”), Copilot stops attempting to hand-roll uncooked useful resource declarations. It composes options out of trusted, examined, WAF-aligned modules. That’s what makes the mixture so highly effective.

Spec Equipment shouldn’t be the one choice. Jack talked about two others price realizing about:

• OpenSpec. Leaner than Spec Equipment, brownfield-first, geared toward smaller skilled groups.
• Squad. A totally completely different mannequin constructed by a Microsoft crew. No specs. As a substitute, a digital crew of agent personas (IaC specialist, UX, deployment, an orchestrator known as Ralph) that collaborate to ship work. Value a glance in case your type is extra agent-team than document-first.

So what does this really purchase you when Monday morning hits?

• Pace with out sacrificing the bar. Software groups cease writing storage account boilerplate. They give attention to what the workload must do, and the AVM modules deal with the resilient, compliant defaults.
• Compliance turns into additive, not a rewrite. If you’ll want to add HIPAA or NIST compliance later, you add one other spec on prime of your present structure and iterate. You don’t throw out your modules.
• Much less ambiguity loop, fewer tokens burned. A very good spec up entrance means fewer Copilot iterations. You get to a working reply quicker, with much less backwards and forwards.
• Belief within the AI output. As a result of AVM modules are examined, supported, and WAF-aligned, what Copilot stitches collectively is constructed on strong foundations. You possibly can evaluate the spec as a substitute of each line of Terraform.
• Your builders shift up the stack. They cease writing IaC primitives and begin designing architectures and necessities. That’s the place the enterprise worth lives anyway.

A notice on tradeoffs. AVM modules are deliberately generic and versatile, so that you generally get parameters you don’t want, and the well-architected defaults may be opinionated in your situation. The repair is easy, override the parameter. You’re buying and selling some management for lots of consistency, and for many groups that commerce is the fitting one.

If you wish to do this for your self, right here is the trail I’d take:

1. Go to aka.ms/AVM and bookmark it. All the pieces begins there.
2. Browse the Bicep and Terraform module indexes. Discover the useful resource you’ll usually hand-write and take a look at the AVM model in a dev subscription.
3. Learn the AVM specs so that you perceive the contract each module follows. It makes the parameter units loads much less stunning.
4. Set up Spec Equipment by way of the Specify CLI (the GitHub repo has the directions) and take a look at the AVM instance beneath the experimental “AI-Assisted Resolution Improvement” part on the AVM web site.
5. Run the eight-step Spec Equipment circulation in opposition to a small workload. Don’t begin together with your manufacturing touchdown zone. Decide one thing contained, like a single app with an online tier, a database, and a Key Vault.
6. Preserve the human within the loop. Assessment each spec gate. That’s the place the standard comes from.

In the event you discovered this convenient, there may be much more the place it got here from. The Microsoft Azure Infra Summit 2026 playlist covers touchdown zones, deployment stacks, AKS networking, storage, and the AI facet of platform operations. Block out a day and binge it.

Microsoft Azure Infra Summit 2026 on YouTube

Cheers!

Pierre Roman