Azure OpenAI Guide

Route AI agent traffic through TapPass while using Azure OpenAI as the LLM provider. Azure OpenAI offers EU-resident deployments (West Europe, Sweden Central) ideal for GDPR compliance.

Why Azure OpenAI?

Benefit	Details
EU data residency	Deploy models in West Europe or Sweden Central data never leaves the EU
Enterprise billing	Use your existing Azure EA/CSP agreement
Private networking	VNet integration, Private Endpoints, no public internet exposure
Content filtering	Azure’s built-in content safety on top of TapPass governance
SLA	99.9% availability backed by Microsoft

Quick Start

1. Create an Azure OpenAI resource

# Azure CLI
az cognitiveservices account create \
  --name tappass-openai \
  --resource-group your-rg \
  --kind OpenAI \
  --sku S0 \
  --location westeurope  # EU data residency

2. Deploy a model

az cognitiveservices account deployment create \
  --name tappass-openai \
  --resource-group your-rg \
  --deployment-name gpt-4o-mini \
  --model-name gpt-4o-mini \
  --model-version "2024-07-18" \
  --model-format OpenAI \
  --sku-capacity 10 \
  --sku-name Standard

3. Configure TapPass

Add to your .env or environment:

# Azure OpenAI credentials (read by LiteLLM directly)
AZURE_API_KEY="your-azure-openai-key"
AZURE_API_BASE="https://tappass-openai.openai.azure.com/"
AZURE_API_VERSION="2024-10-21"

4. Use Azure models

from tappass import Agent

agent = Agent("https://tappass.example.com", "tp_...")

# Explicitly request Azure model
response = agent.chat("Analyze Q3 trends", model="azure/gpt-4o-mini")

Or set as the default model in your pipeline configuration.

Model Names

TapPass uses LiteLLM’s azure/<deployment-name> format:

TapPass model name	Azure deployment	Notes
`azure/gpt-4o-mini`	`gpt-4o-mini`	Fast, cheap, good for most tasks
`azure/gpt-4o`	`gpt-4o`	Best quality, higher cost
`azure/gpt-4`	`gpt-4`	Previous generation

Important: The deployment name in Azure must match the part after azure/. If your Azure deployment is named my-gpt4o, use azure/my-gpt4o in TapPass.

EU Data Residency

When TAPPASS_EU_DATA_RESIDENCY=true, TapPass automatically routes CONFIDENTIAL+ data to Azure OpenAI (when configured) or Mistral (EU-native fallback).

TAPPASS_EU_DATA_RESIDENCY=true
AZURE_API_KEY="..."
AZURE_API_BASE="https://your-resource.openai.azure.com/"

Routing priority for EU residency:

Classification	Model	Reason
PUBLIC	Requested model	No restriction
INTERNAL	Requested model	No restriction
CONFIDENTIAL	`azure/gpt-4o` → `mistral/mistral-large-latest`	EU-hosted
RESTRICTED	`ollama/llama3.2`	Local only

Private Networking

For maximum security, use Azure Private Endpoints to ensure TapPass communicates with Azure OpenAI over a private network:

# Create private endpoint
az network private-endpoint create \
  --name tappass-openai-pe \
  --resource-group your-rg \
  --vnet-name your-vnet \
  --subnet your-subnet \
  --private-connection-resource-id /subscriptions/.../tappass-openai \
  --group-ids account \
  --connection-name tappass-openai-connection

Then set AZURE_API_BASE to the private endpoint URL.

Managed Identity (recommended)

Instead of API keys, use Azure Managed Identity:

# Assign Cognitive Services OpenAI User role to your TapPass VM/container
az role assignment create \
  --assignee <tappass-managed-identity-id> \
  --role "Cognitive Services OpenAI User" \
  --scope /subscriptions/.../tappass-openai

LiteLLM supports Azure Managed Identity automatically when AZURE_API_KEY is not set and AZURE_AD_TOKEN or DefaultAzureCredential is available.

Monitoring

TapPass tracks Azure OpenAI usage in the same audit trail as other providers:

Per-agent cost tracking (Azure pricing)
Token usage per call
Circuit breaker for Azure provider failures
Model routing decisions in audit trail

# Check Azure model availability
curl https://tappass.example.com/v1/models | jq '.data[] | select(.id | startswith("azure/"))'