Building Secure, Well-Architected Azure Workloads with Azure Verified Modules and GitHub Copilot


Hello Folks!

If you have been writing Bicep or Terraform for Azure over the last few years, you have probably lived this story. You pick a community module, it works great for six months, then the maintainer moves on, issues stop getting answered, and you are stuck owning code you never wrote. At the Microsoft Azure Infra Summit 2026, Jack Tracy and Jarrod Holgate (tech leads on the Azure Verified Modules project) walked us through how AVM solves that, and how pairing it with GitHub Copilot and Spec Kit changes the way IT pros build Azure workloads.


This isn’t a developer-only topic. If you’re the person responsible for landing zones, platform engineering, or the IaC pipelines that other teams ship through, this hits you directly.

  • You stop owning home-grown storage account and VNet modules that no two teams write the same way.
  • You get secure-by-default resources without having to draft a 40-page internal coding standard.
  • You can let application teams move fast without sacrificing the Well-Architected Framework guardrails you care about.
  • You get a supported, Microsoft-backed module library with a clear lifecycle, instead of betting on an abandoned repo.
  • You finally have a deterministic way to put AI to work on infrastructure code without it inventing things you do not want in production.

If any of that sounds like a Tuesday for you, this session is worth 40 minutes.

Azure Verified Modules (AVM) is the official Microsoft infrastructure-as-code module library for both Bicep and Terraform. Jack put it plainly in the session: AVM is the one-time solution that’s not going to go away, with ownership, a defined lifecycle, structure, and well-defined specifications.

Here’s what makes AVM different from the earlier landscape of community repos:

  • It’s supported in multiple IaC languages today (Bicep and Terraform), with consistent specifications across both.
  • Modules are aligned to the Azure Well-Architected Framework by default. Zone redundancy on, public IPs off, sensible TLS minimums, right out of the box. Everything is still flexible; you can override any of it through a parameter or variable.
  • It’s open source. People inside and outside Microsoft can contribute and maintain modules.
  • It consolidates the older CARML and Terraform Verified Modules efforts under one roof, owned by Microsoft FTEs and backed by the AVM core team.

AVM has three module classifications, and understanding them is half the battle:

  • Resource modules. A one-to-one mapping to a single resource type, like a storage account or a virtual network. Need ten of them, loop the module ten times.
  • Pattern modules. A group of resources, usually built on top of resource modules, that delivers a bigger slice of an architecture. The Azure Landing Zone is roughly five pattern modules behind the scenes.
  • Utility modules. Helpers you probably never call directly, but that the library uses for things like region lookups, SKU availability, and naming standards.

One thing that gets undersold: AVM isn’t just for you. The Azure Developer CLI templates use it. Azure Landing Zone and Sovereign Landing Zone are built on it. Internal Microsoft service teams use it. When you adopt AVM, you are using the same building blocks Microsoft uses.

This is where the session gets interesting. AVM gives you the trusted Lego bricks. GitHub Copilot gives you a coding assistant. The problem, as Jack called out, is that AI is non-deterministic by default. It’s great at solving ambiguous problems, but you cannot just point it at a blank repo and trust it to stamp out production infrastructure.

That’s the gap spec-driven development is designed to fill.

Spec-driven development is a documentation-first approach. Instead of telling Copilot “write me a Terraform module for a hub-spoke network,” you write a structured specification up front that captures intent, quality bar, security requirements, and coding standards. The AI then uses that spec as the contract, generates code, validates against it, and loops until the output matches what you asked for.

Jarrod walked through Spec Kit, the open source toolkit maintained by GitHub and Microsoft, which formalizes this into eight steps:

  1. Constitution. The non-negotiables. “We must use AVM. We must comply with PCI. Optimize for cost.” This is your project DNA.
  2. Specify. What you actually want to build, focused on user goals and outcomes, not implementation details.
  3. Clarify. Copilot scans the spec, finds ambiguities, and asks you targeted questions (IP ranges, bastion SKUs, anything that’s fuzzy).
  4. Plan. A technical plan that maps the spec to your standards and constraints.
  5. Checklist. A quality checklist the agent uses later to validate its own work.
  6. Tasks. The plan broken down into small, reviewable steps.
  7. Analyze. A consolidated report across the spec, plan, and tasks so you can sanity check the whole package.
  8. Implement. Copilot finally writes the code, validating against everything above as it goes.

The critical detail: at every one of those gates, you review. You are still the human in the loop. The AI is not flying solo, and you are not signing off on a thousand-line code dump.

When you wire AVM into the constitution (“use AVM modules wherever possible”), Copilot stops trying to hand-roll raw resource declarations. It composes solutions out of trusted, tested, WAF-aligned modules. That’s what makes the combination so powerful.
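
One way to back the “use AVM modules wherever possible” rule with a check at the review gate, as an added example (not code from the session, AVM or Spec Kit): it lists hand-rolled resource blocks, module sources outside the Azure/avm-res, avm-ptn and avm-utl registry names, and AVM modules with no version pin. The sample Terraform, the placeholder version and the finding names are constructed, and the version-pin check is an added assumption about what a reviewer wants flagged.

```python
import re

# Constructed sample of generated Terraform (not from the session or AVM docs).
SAMPLE_TF = '''
module "storage" {
  source  = "Azure/avm-res-storage-storageaccount/azurerm"
  version = "0.0.0" # placeholder, pin to a release you have reviewed
}
module "network" {
  source = "git::https://example.invalid/team/vnet-module.git"
}
module "kv" {
  source = "Azure/avm-res-keyvault-vault/azurerm"
}
resource "azurerm_public_ip" "pip" {}
'''

# AVM Terraform modules sit in the Azure registry namespace as avm-res/ptn/utl-*.
AVM_SOURCE = re.compile(r'^Azure/avm-(res|ptn|utl)-[a-z0-9-]+/[a-z0-9]+$')
BLOCK = re.compile(r'^[ \t]*(module|resource)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)

def block_body(text, start):
    """Return the text inside the braces of the block that opens at `start`."""
    depth, open_at = 0, text.index("{", start)
    for pos in range(open_at, len(text)):
        depth += {"{": 1, "}": -1}.get(text[pos], 0)
        if depth == 0:
            return text[open_at + 1:pos]
    return text[open_at + 1:]  # unbalanced input: take the rest

def attr(body, name):
    m = re.search(rf'^\s*{name}\s*=\s*"([^"]+)"', body, re.M)
    return m.group(1) if m else None

def review(tf_text):
    """List (finding, block name) pairs for a human to check at the review gate."""
    findings = []
    for m in BLOCK.finditer(tf_text):
        kind, first, second = m.groups()
        body = block_body(tf_text, m.start())
        if kind == "resource":
            findings.append(("raw-resource", f"{first}.{second}"))
        elif not AVM_SOURCE.match(attr(body, "source") or ""):
            findings.append(("non-avm-module", first))
        elif attr(body, "version") is None:
            findings.append(("unpinned-avm-module", first))
    return findings

if __name__ == "__main__":
    print(review(SAMPLE_TF))
```

A raw resource is not automatically wrong, since the rule says “wherever possible”; the findings are a list for the human reviewer, not a hard failure.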

Spec Kit is not the only option. Jack mentioned two others worth knowing about:

  • OpenSpec. Leaner than Spec Kit, brownfield-first, aimed at smaller skilled teams.
  • Squad. A very different model built by a Microsoft team. No specs. Instead, a virtual team of agent personas (IaC specialist, UX, deployment, an orchestrator called Ralph) that collaborate to ship work. Worth a look if your style is more agent-team than document-first.

So what does this actually buy you when Monday morning hits?

  • Speed without sacrificing the bar. Application teams stop writing storage account boilerplate. They focus on what the workload needs to do, and the AVM modules handle the resilient, compliant defaults.
  • Compliance becomes additive, not a rewrite. If you need to add HIPAA or NIST compliance later, you add another spec on top of your existing structure and iterate. You don’t throw out your modules.
  • Less ambiguity loop, fewer tokens burned. A good spec up front means fewer Copilot iterations. You get to a working answer faster, with less back and forth.
  • Trust in the AI output. Because AVM modules are tested, supported, and WAF-aligned, what Copilot stitches together is built on solid foundations. You can review the spec instead of every line of Terraform.
  • Your developers shift up the stack. They stop writing IaC primitives and start designing architectures and requirements. That’s where the business value lives anyway.

A note on tradeoffs. AVM modules are intentionally generic and flexible, so you sometimes get parameters you do not need, and the well-architected defaults can be opinionated for your scenario. The fix is simple: override the parameter. You are trading some control for a lot of consistency, and for most teams that trade is the right one.

If you want to try this for yourself, here is the path I would take:

  1. Go to aka.ms/AVM and bookmark it. Everything starts there.
  2. Browse the Bicep and Terraform module indexes. Find the resource you’d normally hand-write and try the AVM version in a dev subscription.
  3. Read the AVM specifications so you understand the contract every module follows. It makes the parameter sets a lot less surprising.
  4. Install Spec Kit through the Specify CLI (the GitHub repo has the instructions) and try the AVM example under the experimental “AI-Assisted Solution Development” section on the AVM site.
  5. Run the eight-step Spec Kit flow against a small workload. Don’t start with your production landing zone. Pick something contained, like a single app with a web tier, a database, and a Key Vault.
  6. Keep the human in the loop. Review every spec gate. That’s where the quality comes from.

If you found this useful, there’s a lot more where it came from. The Microsoft Azure Infra Summit 2026 playlist covers landing zones, deployment stacks, AKS networking, storage, and the AI side of platform operations. Block out a day and binge it.

Microsoft Azure Infra Summit 2026 on YouTube

Cheers!

Pierre Roman
