https://github.com/jonathan-vella/azure-smb-rf
Azure accelerator for SMB migrations—policy-enforced, security-hardened, and deployable with Bicep + AVM.
agents automation azure azure-migrate azure-verified-modules bicep github-copilot iac infrastructure-as-code microsoft-partner migration smb
- Host: GitHub
- URL: https://github.com/jonathan-vella/azure-smb-rf
- Owner: jonathan-vella
- License: mit
- Created: 2026-01-29T08:23:34.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-02-19T18:21:10.000Z (4 months ago)
- Last Synced: 2026-02-19T21:28:16.745Z (4 months ago)
- Topics: agents, automation, azure, azure-migrate, azure-verified-modules, bicep, github-copilot, iac, infrastructure-as-code, microsoft-partner, migration, smb
- Language: Python
- Homepage:
- Size: 4.71 MB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
[![Contributors][contributors-shield]][contributors-url]
[![Forks][forks-shield]][forks-url]
[![Stargazers][stars-shield]][stars-url]
[![Issues][issues-shield]][issues-url]
[![MIT License][license-shield]][license-url]
[![Azure][azure-shield]][azure-url]
# Azure SMB Ready Foundation
Repeatable Azure SMB Ready Foundation for SMB customers.
On-premises migration ready • Policy-enforced • Security-hardened
📑 Table of Contents
- About The Project
- Architecture
- Deployment Scenarios
- Quick Start
- Included Resources
- Azure Policy Guardrails
- Project Structure
- Key Design Decisions
- Development
- Target Audience
- Additional Resources
- Contributing
- License
---
## 🚀 About The Project
Single-subscription Azure environment designed for **Microsoft Partners** migrating small
business customers from on-premises infrastructure to Azure at scale.
| ✅ On-premises migrations | ✅ Cost-first design | ✅ Policy-enforced security | ✅ Repeatable deployments |
| :-----------------------: | :---------------------------------: | :-------------------------: | :---------------------------: |
| Via Azure Migrate | Resilience traded for affordability | 20 guardrail policies | No per-customer customization |
Built using the [Agentic InfraOps](https://github.com/jonathan-vella/azure-agentic-infraops) framework —
an AI-agent workflow for requirements gathering, architecture assessment, and Bicep code generation.
The SMB Ready Foundation is a ready-to-deploy output of that framework, not the framework itself.
### 🛠️ Built With
[![Bicep][bicep-shield]][bicep-url]
[![PowerShell][powershell-shield]][powershell-url]
[![Azure CLI][azcli-shield]][azcli-url]
[![GitHub Copilot][copilot-shield]][copilot-url]
[![Dev Containers][devcontainer-shield]][devcontainer-url]
---
## 🏗️ Architecture
Figure: Complete architecture with all optional components (Firewall, VPN Gateway).
The SMB Ready Foundation follows a **hub-and-spoke** topology within a single subscription:
| Component | Purpose |
| --------------------- | ------------------------------------------------------------------ |
| **Hub VNet** | Centralized services (Bastion, Firewall, VPN Gateway, Private DNS) |
| **Spoke VNet** | Workload hosting with NAT Gateway for outbound internet |
| **Azure Migrate** | Server discovery and assessment |
| **Log Analytics** | Centralized monitoring with 500 MB/day cap |
| **Recovery Services** | VM backup with default policy |
---
## 💰 Deployment Scenarios
Choose the scenario that fits your budget and connectivity requirements:
| Scenario | Firewall | VPN | NAT GW | Peering | UDR | Deploy Time | Monthly Cost |
| :------------: | :------: | :-: | :----: | :-----: | :-: | :---------: | -----------: |
| **`baseline`** | ❌ | ❌ | ✅ | ❌ | ❌ | ~4 min | **~$48** |
| **`firewall`** | ✅ | ❌ | ❌ | ✅ | ✅ | ~15 min | **~$336** |
| **`vpn`** | ❌ | ✅ | ❌ | ✅ | ❌ | ~25 min | **~$187** |
| **`full`** | ✅ | ✅ | ❌ | ✅ | ✅ | ~40-55 min | **~$476** |
> 💡 **Tip:** Start with `baseline` for testing, upgrade to `firewall` or `full` for production
> workloads requiring traffic inspection or hybrid connectivity.
---
## ⚡ Quick Start
### Prerequisites
- 🐳 Docker Desktop (or Podman, Colima, Rancher Desktop)
- 💻 VS Code with [Dev Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extension
- 🤖 GitHub Copilot subscription
- ☁️ Azure subscription with Owner access
### 1️⃣ Clone and Open
```bash
git clone https://github.com/jonathan-vella/azure-smb-rf.git
cd azure-smb-rf
code .
```
### 2️⃣ Start Dev Container
Press `F1` → **Dev Containers: Reopen in Container**
> ⏱️ First build takes 3-5 minutes
### 3️⃣ Authenticate with Azure
```bash
az login
az account set --subscription "<subscription-id>"  # placeholder: your subscription name or ID
```
### 4️⃣ Deploy
```powershell
cd infra/bicep/smb-ready-foundation
# Preview changes (What-If)
./deploy.ps1 -Scenario baseline -WhatIf
# Deploy baseline (~$48/mo)
./deploy.ps1 -Scenario baseline
# Deploy with firewall (~$336/mo)
./deploy.ps1 -Scenario firewall
# Deploy full scenario (~$476/mo)
./deploy.ps1 -Scenario full
```
### 5️⃣ Cleanup (Optional)
When you're done testing, remove all deployed resources:
```powershell
cd infra/bicep/smb-ready-foundation/scripts
# Preview what will be deleted
./Remove-SmbReadyFoundation.ps1 -Location swedencentral -WhatIf
# Delete all resources (no confirmation prompts)
./Remove-SmbReadyFoundation.ps1 -Location swedencentral -Force
```
> ⏱️ Cleanup takes 10-15 minutes (Azure Firewall and VPN Gateway take longest to delete)
---
## 📦 Included Resources
### Always Deployed
| Resource | Resource Group | Configuration |
| -------------------------- | -------------- | ---------------------------- |
| 🌐 Hub VNet | `rg-hub` | Pre-provisioned subnets |
| 🌐 Spoke VNet | `rg-spoke` | Workload subnets + NSG |
| 🚪 NAT Gateway | `rg-spoke` | Outbound internet |
| 🔐 Azure Bastion Developer | `rg-hub` | Secure VM access |
| 🔗 Azure Private DNS | `rg-hub` | Auto-registration |
| 📦 Azure Migrate Project | `rg-migrate` | Server assessment |
| 📊 Log Analytics Workspace | `rg-monitor` | 500 MB/day, 30-day retention |
| 💾 Recovery Services Vault | `rg-backup` | VM backup |
| 💰 Cost Management Budget | subscription | $500/month + alerts |
| 🛡️ Defender for Cloud | subscription | Free tier |
---
## 🛡️ Azure Policy Guardrails
20 policies enforcing security best practices:
| Category | Policies |
| -------------- | ------------------------------------------------------- |
| **Compute** | Allowed SKUs (B/D/E only), no public IPs, managed disks |
| **Network** | NSG required, management ports closed, no IP forwarding |
| **Storage** | HTTPS only, no public blob, TLS 1.2+ |
| **Identity** | Azure AD-only SQL, no classic resources |
| **Compliance** | Required tags, allowed locations, backup audit |
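
One way to catch guardrail violations before deployment, as an added example that is not part of this repository: the Python check below scans ARM JSON of the kind `bicep build` produces for the Storage, no-public-IP and no-IP-forwarding guardrails from the table above. The mapping of each guardrail to an ARM property, the function names and the sample template are assumptions made for this example; the project's own policy definitions are not shown on this page.

```python
import json

# Constructed ARM JSON in the shape `bicep build` emits; resource names are made up.
SAMPLE = json.loads("""
{"resources": [
 {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
  "properties": {"supportsHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0"}},
 {"type": "Microsoft.Storage/storageAccounts", "name": "stgood", "properties": {
  "supportsHttpsTrafficOnly": true, "allowBlobPublicAccess": false, "minimumTlsVersion": "TLS1_2"}},
 {"type": "Microsoft.Resources/deployments", "name": "spoke-module", "properties": {"template": {
  "resources": {"nic": {"type": "Microsoft.Network/networkInterfaces", "name": "nic-web",
   "properties": {"enableIPForwarding": true, "ipConfigurations": [
    {"properties": {"publicIPAddress": {"id": "pip-web"}}}]}}}}}}
]}
""")

def storage_findings(p):
    # Assumption: a missing property counts as a finding, since defaults vary by API version.
    out = []
    if p.get("supportsHttpsTrafficOnly") is not True:
        out.append("HTTPS-only not enforced")
    if p.get("allowBlobPublicAccess") is not False:
        out.append("public blob access not disabled")
    if p.get("minimumTlsVersion") in (None, "TLS1_0", "TLS1_1"):
        out.append("minimum TLS below 1.2")
    return out

def nic_findings(p):
    out = ["IP forwarding enabled"] if p.get("enableIPForwarding") is True else []
    for cfg in p.get("ipConfigurations", []):
        if cfg.get("properties", {}).get("publicIPAddress"):
            out.append("public IP attached")
    return out

CHECKS = {"microsoft.storage/storageaccounts": storage_findings,
          "microsoft.network/networkinterfaces": nic_findings}

def audit(template):
    """Map resource name -> findings, descending into nested module deployments."""
    res, report = template.get("resources", []), {}
    for r in (res.values() if isinstance(res, dict) else res):  # symbolic-name form is a dict
        kind, props = r.get("type", "").lower(), r.get("properties", {})
        if kind == "microsoft.resources/deployments":
            report.update(audit(props.get("template", {})))
        elif kind in CHECKS and (found := CHECKS[kind](props)):
            report[r.get("name", "?")] = found
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Property values given as ARM expressions (for example a parameter reference) are not literal booleans, so this check reports them for manual review rather than resolving them.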
---
## 📁 Project Structure
```
├── 📁 .devcontainer/ # Dev container configuration
├── 📁 .github/
│ ├── 📁 agents/ # Copilot agents (requirements, architect, bicep-*, deploy)
│ ├── 📁 instructions/ # AI coding standards
│ ├── 📁 prompts/
│ │ └── 📄 plan-smb-ready-foundation.prompt.md # ⭐ Main prompt
│ └── 📁 templates/ # Artifact output templates
├── 📁 agent-output/
│ └── 📁 smb-ready-foundation/ # Generated artifacts for this project
├── 📁 docs/
│ └── 📁 images/ # Architecture diagrams
├── 📁 infra/bicep/
│ └── 📁 smb-ready-foundation/ # Bicep templates (generated by agents)
└── 📁 mcp/azure-pricing-mcp/ # Azure Pricing MCP server
```
---
## 🎯 Key Design Decisions
| Decision | Choice | Rationale |
| --------------------- | --------------------------------- | ---------------------------- |
| **Resilience** | Not required | Cost priority for SMB |
| **SLA/RTO/RPO** | N/A | Rebuild from Bicep if needed |
| **VM Access** | Azure Bastion Developer | No public IPs on VMs |
| **Outbound Internet** | NAT Gateway | Default outbound deprecated |
| **DNS** | Azure Private DNS | Auto-registration for VMs |
| **Regions** | swedencentral, germanywestcentral | EU GDPR compliant |
| **Tags** | Environment, Owner (required) | Consistent tagging standard |
---
## 🔧 Development
### Generate SMB Ready Foundation with Agents
1. Press `Ctrl+Shift+A` → Select `@requirements`
2. Paste content from `.github/prompts/plan-smb-ready-foundation.prompt.md`
3. Follow agent workflow through to deployment
### Validation Commands
```bash
# Bicep lint
bicep lint infra/bicep/smb-ready-foundation/*.bicep
# Markdown lint
npm run lint:md
# Build Bicep
bicep build infra/bicep/smb-ready-foundation/main.bicep
```
---
## 🎯 Target Audience
This SMB Ready Foundation is designed for:
- 🏢 **Microsoft Partners** hosting SMB customers on on-premises infrastructure
- 🔧 **Managed Service Providers** standardizing Azure onboarding
- 💼 **IT Consultants** delivering repeatable migration projects
---
## 📚 Additional Resources
| Resource | Description |
| -------------------------------------------------------------------------------------- | --------------------------------------------- |
| [Partner Quick Reference](docs/partner-quick-reference.md) | One-page deployment guide for partners |
| [Agentic InfraOps Framework](https://github.com/jonathan-vella/azure-agentic-infraops) | Parent framework for AI-driven infrastructure |
| [Azure Verified Modules](https://aka.ms/avm) | Bicep module registry |
---
## 🤝 Contributing
Contributions are welcome! Here's how:
1. 🍴 Fork the Project
2. 🌿 Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
3. 💾 Commit your Changes using [Conventional Commits](https://www.conventionalcommits.org/) (`git commit -m 'feat: add bastion subnet option'`)
4. 📤 Push to the Branch (`git push origin feature/AmazingFeature`)
5. 🔃 Open a Pull Request (PR template will guide you)
See [CONTRIBUTING.md](CONTRIBUTING.md) for detailed guidelines.
Don't forget to give the project a ⭐ if you found it useful!
---
## 📄 License
Distributed under the MIT License. See [LICENSE](LICENSE) for more information.
---
[contributors-shield]: https://img.shields.io/github/contributors/jonathan-vella/azure-smb-rf.svg?style=for-the-badge
[contributors-url]: https://github.com/jonathan-vella/azure-smb-rf/graphs/contributors
[forks-shield]: https://img.shields.io/github/forks/jonathan-vella/azure-smb-rf.svg?style=for-the-badge
[forks-url]: https://github.com/jonathan-vella/azure-smb-rf/network/members
[stars-shield]: https://img.shields.io/github/stars/jonathan-vella/azure-smb-rf.svg?style=for-the-badge
[stars-url]: https://github.com/jonathan-vella/azure-smb-rf/stargazers
[issues-shield]: https://img.shields.io/github/issues/jonathan-vella/azure-smb-rf.svg?style=for-the-badge
[issues-url]: https://github.com/jonathan-vella/azure-smb-rf/issues
[license-shield]: https://img.shields.io/github/license/jonathan-vella/azure-smb-rf.svg?style=for-the-badge
[license-url]: https://github.com/jonathan-vella/azure-smb-rf/blob/main/LICENSE
[azure-shield]: https://img.shields.io/badge/Azure-Ready-0078D4?style=for-the-badge&logo=microsoftazure&logoColor=white
[azure-url]: https://azure.microsoft.com
[bicep-shield]: https://img.shields.io/badge/Bicep-0.20+-00A4EF?style=for-the-badge&logo=azurefunctions&logoColor=white
[bicep-url]: https://learn.microsoft.com/azure/azure-resource-manager/bicep/
[powershell-shield]: https://img.shields.io/badge/PowerShell-7+-5391FE?style=for-the-badge&logo=powershell&logoColor=white
[powershell-url]: https://learn.microsoft.com/powershell/
[azcli-shield]: https://img.shields.io/badge/Azure_CLI-2.50+-0078D4?style=for-the-badge&logo=microsoftazure&logoColor=white
[azcli-url]: https://learn.microsoft.com/cli/azure/
[copilot-shield]: https://img.shields.io/badge/GitHub_Copilot-Enabled-000000?style=for-the-badge&logo=github&logoColor=white
[copilot-url]: https://github.com/features/copilot
[devcontainer-shield]: https://img.shields.io/badge/Dev_Containers-Ready-007ACC?style=for-the-badge&logo=docker&logoColor=white
[devcontainer-url]: https://containers.dev/