In modern cloud infrastructure development, writing Terraform code manually can be time-consuming and error-prone—especially for teams that frequently deploy modular and scalable environments. There’s a growing need for tools that:

• Allow natural language input to describe infrastructure requirements.
• Automatically generate clean, modular Terraform code.
• Integrate with cloud authentication mechanisms.
• Save and organize code into execution-ready files.

This model bridges the gap between human-readable Infrastructure descriptions and machine-executable Terraform scripts, making infrastructure-as-code more accessible and efficient. To build this model, we utilize CodeGemma, a lightweight AI model optimized for coding tasks, which runs locally via Ollama.

In this blog, we explore how to build a Terraform code generator web app using:

• Flask for the web interface
• Ollama’s CodeGemma model for AI-powered code generation
• Azure CLI authentication using service principal credentials
• Modular Terraform file creation based on user queries

This tool empowers developers to describe infrastructure needs in natural language and receive clean, modular Terraform code ready for deployment.

Technologies Used

CodeGemma

CodeGemma is a family of lightweight, open-source models optimized for coding tasks. It supports code generation from natural language.

Running CodeGemma locally via Ollama means:

• No cloud dependency: You don’t need to send data to external APIs.
• Faster response times: Ideal for iterative development.
• Privacy and control: Your infrastructure queries and generated code stay on your machine.
• Offline capability: Ideal for use in restricted or secure environments.
• Zero cost: Since the model runs locally, there’s no usage fee or subscription required—unlike cloud-based AI services.

Flask

We chose Flask as the web framework for this project because of its:

• Simplicity and flexibility: Flask is a lightweight and easy-to-set-up framework, making it ideal for quick prototyping.

Initial Setup

• Install Python.

winget install Python.Python.3

• Install Visual Studio.
• Install Download Ollama on Windows.
• Pull and run the codegemma:7b.

ollama pull codegemma:7b
ollama run codegemma:7b

• Install the Ollama Python library to use Gemma 3 in your Python projects.

pip install ollama

Folder Structure

Code

from flask import Flask, jsonify, request, render_template_string
from ollama import generate
import subprocess
import re
import os

app = Flask(__name__)
# Azure credentials
CLIENT_ID = "Enter your credentials here."
CLIENT_SECRET = "Enter your credentials here."
TENANT_ID = "Enter your credentials here."

auth_status = {"status": "not_authenticated", "details": ""}
input_fields_html = ""
def authenticate_with_azure():
    try:
        result = subprocess.run(
            ["cmd.exe", "/c", "C:\\Program Files\\Microsoft SDKs\\Azure\\CLI2\\wbin\\az.cmd",
             "login", "--service-principal", "-u", CLIENT_ID, "-p", CLIENT_SECRET, "--tenant", TENANT_ID],
            capture_output=True, text=True, check=True
        )
        auth_status["status"] = "success"
        auth_status["details"] = result.stdout
    except subprocess.CalledProcessError as e:
        auth_status["status"] = "failed"
        auth_status["details"] = e.stderr
    except Exception as ex:
        auth_status["status"] = "terminated"
        auth_status["details"] = str(ex)

@app.route('/', methods=['GET', 'POST'])
def home():
    terraform_code = ""
    user_query = ""
    input_fields_html = ""

    if request.method == 'POST':
        user_query = request.form.get('query', '')

        base_prompt = (
            "Generate modular Terraform code using best practices. "
            "Create separate files for main.tf, vm.tf, vars.tf, terraform.tfvars, subnet.tf, kubernetes_cluster etc. "
            "Ensure the code is clean and execution-ready. "
            "Use markdown headers like ## Main.tf: followed by code blocks."
        )

        full_prompt = base_prompt + "\n" + user_query
        try:
            response_cleaned = generate(model='codegemma:7b', prompt=full_prompt)
            terraform_code = response_cleaned.get('response', '').strip()
        except Exception as e:
            terraform_code = f"# Error generating code: {str(e)}"

            provider_block = f"""
              provider "azurerm" {{
              features {{}}
              subscription_id = "Enter your credentials here."
              client_id       = "{CLIENT_ID}"
              client_secret   = "{CLIENT_SECRET}"
              tenant_id       = "{TENANT_ID}"
            }}"""
            terraform_code = provider_block + "\n\n" + terraform_code

        with open('main.tf', 'w', encoding='utf-8') as f:
            f.write(terraform_code)


        # Create output directory
        output_dir = r"C:\Users\riya.achkarpohre\Desktop\AI\test7\terraform_output"
        os.makedirs(output_dir, exist_ok=True)

        # Define output paths
        paths = {
            "main.tf": os.path.join(output_dir, "Main.tf"),
            "vm.tf": os.path.join(output_dir, "VM.tf"),
            "subnet.tf": os.path.join(output_dir, "Subnet.tf"),
            "vpc.tf": os.path.join(output_dir, "VPC.tf"),
            "vars.tf": os.path.join(output_dir, "Vars.tf"),
            "terraform.tfvars": os.path.join(output_dir, "Terraform.tfvars"),
            "kubernetes_cluster.tf": os.path.join(output_dir, "kubernetes_cluster.tf")
        }

        # Split response using markdown headers
        sections = re.split(r'##\s*(.*?)\.tf:\s*\n+```(?:terraform)?\n', terraform_code)

        # sections = ['', 'Main', '<code>', 'VM', '<code>', ...]
        for i in range(1, len(sections), 2):
            filename = sections[i].strip().lower() + '.tf'
            code_block = sections[i + 1].strip()

            # Remove closing backticks if present
            code_block = re.sub(r'```$', '', code_block)

            # Save to file if path is defined
            if filename in paths:
                with open(paths[filename], 'w', encoding='utf-8') as f:
                    f.write(code_block)
                    print(f"\n--- Written: {filename} ---")
                    print(code_block)
            else:
                print(f"\n--- Skipped unknown file: {filename} ---")

        return render_template_string(f"""
        <html>
        <head><title>Terraform Generator</title></head>
        <body>
            <form method="post">
                <center>
                    <label>Enter your query:</label><br>
                    <textarea name="query" rows="6" cols="80" placeholder="Describe your infrastructure requirement here..."></textarea><br><br>
                    <input type="submit" value="Generate Terraform">
                </center>
            </form>
            <hr>
            <h2>Generated Terraform Code:</h2>
            <pre>{terraform_code}</pre>
            <h2>Enter values for the required variables:</h2>
            <h2>Authentication Status:</h2>
            <pre>Status: {auth_status['status']}\n{auth_status['details']}</pre>
        </body>
        </html>
        """)

    # Initial GET request
    return render_template_string('''
    <html>
    <head><title>Terraform Generator</title></head>
    <body>
        <form method="post">
            <center>
                <label>Enter your query:</label><br>
                <textarea name="query" rows="6" cols="80" placeholder="Describe your infrastructure requirement here..."></textarea><br><br>
                <input type="submit" value="Generate Terraform">
            </center>
        </form>
    </body>
    </html>
    ''')

authenticate_with_azure()
@app.route('/authenticate', methods=['POST'])
def authenticate():
    authenticate_with_azure()
    return jsonify(auth_status)

if __name__ == '__main__':
    app.run(debug=True)

Open Visual Studio, create a new file named file.py, and paste the code into it. Then, open the terminal and run the script by typing:

python file.py

Flask Development Server

Code Structure Explanation

• Azure Authentication
  • The app uses the Azure CLI (az.cmd) via Python’s subprocess.run() to authenticate with Azure using a service principal. This ensures secure access to Azure resources before generating Terraform code.
• User Query Handling
  • When a user submits a query through the web form, it is captured using:

user_query = request.form.get('query', '')

• Prompt Construction
  • The query is appended to a base prompt that instructs CodeGemma to generate modular Terraform code using best practices. This prompt includes instructions to split the code into files, such as main.tf, vm.tf, subnet.tf, etc.
• Code Generation via CodeGemma
  • The prompt is sent to the CodeGemma:7b model using:

response_cleaned = generate(model='codegemma:7b', prompt=full_prompt)

• Saving the Full Response
  • The entire generated Terraform code is first saved to a main.tf file as a backup.
• Output Directory Setup
  • A specific output directory is created using os.makedirs() to store the split .tf files:

output_dir = r"C:\Users\riya.achkarpohre\Desktop\AI\test7\terraform_output"

• File Path Mapping
  • A dictionary maps expected filenames (such as main.tf and vm.tf) to their respective output paths. This ensures each section of the generated code is saved correctly.
• Code Splitting Logic
  • The response is split using a regex-based approach, based on markdown headers like ## main.tf: followed by Terraform code blocks. This helps isolate each module.
• Conditional File Writing
  • For each split section, the code checks if the filename exists in the predefined path dictionary:
    • If defined, the code block is written to the corresponding file.
    • If not defined, the section is skipped and logged as  “unknown file”.
• Web Output Rendering
  • The generated code and authentication status are displayed on the webpage using render_template_string().

Terminal

The Power of AI in Infrastructure Automation

This project demonstrates how combining AI models, such as CodeGemma, with simple tools like Flask and Terraform can revolutionize the way we approach cloud infrastructure provisioning. By allowing developers to describe their infrastructure in natural language and instantly receive clean, modular Terraform code, we eliminate the need for repetitive manual scripting and reduce the chances of human error.

Running CodeGemma locally via Ollama ensures:

• Full control over data
• Zero cost for code generation
• Fast and private execution
• Seamless integration with existing workflows

The use of Azure CLI authentication adds a layer of real-world applicability, making the generated code deployable in enterprise environments.

Whether you’re a cloud engineer, DevOps practitioner, or technical consultant, this tool empowers you to move faster, prototype smarter, and deploy infrastructure with confidence.

As AI continues to evolve, tools like this will become essential in bridging the gap between human intent and machine execution, making infrastructure-as-code not only powerful but also intuitive.

For years, insurers have experimented with digital initiatives, but the pace of disruption has accelerated. Legacy models can’t keep up with rising risks, evolving customer expectations, and operational pressures. The question isn’t whether insurers will transform, but rather how fast they can adapt.

Technologies like AI, advanced analytics, and embedded solutions have moved from emerging concepts to essential capabilities for competitive advantage. Earlier this year, we highlighted these opportunities in our Top 5 Digital Trends for Insurance.

As we gear up for the world’s largest event for insurance innovation in October, ITC Vegas, it’s clear these trends are shaping the conversations that matter most. Here’s a closer look at three that are leading the way.

1. Make AI Your Growth Engine

Artificial intelligence is a core enabler of insurance innovation. It’s powering efficiency and elevating customer experiences across the value chain. From underwriting to claims, AI enables real-time decisions, sharpens risk modeling, and delivers personalized interactions at scale. Generative AI builds on this foundation by accelerating content creation, enabling smarter agent support, and transforming customer engagement. Together, these capabilities thrive on modern, cloud-native platforms designed for speed and scalability.

Why Leaders Should Act Now:

AI creates value when it’s embedded in workflows. Focus on the high-impact domains that accelerate outcomes: underwriting, claims, and distribution. Research shows early AI adopters are already seeing measurable results:

• New-agent success and sales conversion rates increased up to 20%
• Premium growth boosted by as much as 15%
• New customer onboarding costs reduced up to 40%

We help clients advance AI capabilities through virtual assistants, generative interfaces, agentic frameworks, and product development, enhancing team velocity by integrating AI team members.

Read More: Empowering the Modern Insurance Agent

2. Personalize Every Moment

Today’s policyholders expect the same level of personalization they receive from other industries like retail and streaming platforms. By leveraging AI and advanced analytics, insurers can move beyond broad segments to anticipate needs, remove friction, and tailor products and pricing in the moments that matter.

Forbes highlights three key pillars of modern personalization critical for insurers aiming to deliver tailored experiences: data, intent signals, and artificial intelligence. At ITC, these principles are front and center as insurers explore how to meet expectations and unlock new revenue streams, without adding complexity.

Why Leaders Should Act Now:

Personalization isn’t just about customer experience—it’s a growth strategy. Research shows over 70% of consumers expect personalized interactions, and more than three-quarters feel frustrated when they don’t get them. Insurers that utilize AI to anticipate needs and simplify choices can earn trust and loyalty faster than those who don’t.

Success In Action: Proving Rapid Value and Creating Better Member Experiences

3. Meet Customers at the Point of Need

Embedded insurance is moving into everyday moments, and research shows it’s on a massive growth trajectory. Global P&C embedded sales are projected to reach as high as $700 billion by 2030, including $70 billion in the U.S. alone. By meeting customers where decisions happen, carriers can create seamless experiences, new revenue streams, and stronger brand visibility—while offering convenience, transparency, and choice.

Insurers that embrace ecosystems will expand their reach and relevance as consumer expectations and engagement continually shift. Agencies will continue to play a critical role in navigating difficult underwriting conditions by tailoring policy coverages and providing transparency, which requires that they have access to modern sales and servicing tools. It’s a prominent theme that’s echoed throughout ITC sessions this year.

Why Leaders Should Act Now:

AI amplifies embedded strategies by enabling real-time pricing, risk assessment, and personalized offers within those touchpoints. What matters most is making the “yes” simple: clear options, plain language, and confidence about what’s covered. Together, embedded ecosystems and AI-driven insights help insurers deliver relevance at scale when and where consumers need it.

You May Also Enjoy: Commerce Experiences and the Rise of Digital-First Insurance

Lead the Insurance Evolution With AI-First Transformation

The insurance industry is entering uncharted territory. Those who act decisively and swiftly to leverage AI, embrace embedded ecosystems, and personalize every moment will lead the curve in the next era of insurance.

As the industry gathers at events like ITC Vegas, these conversations come to life. Expect AI to be the common thread across underwriting, claims, distribution, and customer experience. If you’re attending ITC at Mandalay Bay in October, schedule a meeting with our team to explore how we help insurers turn disruption into opportunity.

Carriers and brokers count on us to help modernize, innovate, and win in an increasingly competitive marketplace. Our solutions power personalized omnichannel experiences and optimize performance across the enterprise.

• Business Transformation: Activate strategy and innovation ​within the insurance ecosystem.​
• Modernization: Optimize technology to boost agility and ​efficiency across the value chain.​
• Data + Analytics: Power insights and accelerate ​underwriting and claims decision-making.​
• Customer Experience: Ease and personalize experiences ​for policyholders and producers.​

We are trusted by leading technology partners and consistently mentioned by analysts. Discover why we have been trusted by 13 of the 20 largest P&C firms and 11 of the 20 largest annuity carriers. Explore our insurance expertise and contact us to learn more.

My 30-year technology career has taught me many things…and one big thing: the companies that treat technology as a cost center are the ones that get blindsided. In manufacturing, that blindside is already here — and it’s wearing the name tag “AI.”

For decades, manufacturers have been locked into rigid systems, long upgrade cycles, and siloed data. The result? Operations that run on yesterday’s insights while competitors are making tomorrow’s moves. Sound familiar? It’s the same trap traditional IT outsourcing fell into — and it’s just as deadly in the age of smart manufacturing.

The AI Advantage in Manufacturing

Oracle Fusion AI for Manufacturing Smart Operations isn’t just another software upgrade. It’s a shift from reactive to predictive, from siloed to synchronized. Think:

• Real-time anomaly detection that flags quality issues before they hit the line.
• Predictive maintenance that slashes downtime and extends asset life.
• Intelligent scheduling that adapts to supply chain disruptions in minutes, not weeks.
• Embedded analytics that turn every operator, planner, and manager into a decision-maker armed with live data.

This isn’t about replacing people — it’s about giving them superpowers. Read more from Oracle here.

Proof in Action: Roeslein & Associates

If you want to see what this looks like in the wild, look at Roeslein & Associates. They were running on disparate, outdated legacy systems — the kind that make global process consistency a pipe dream. Perficient stepped in and implemented Oracle Fusion Cloud Manufacturing with Project Driven Supply Chain, plus full Financial and Supply Chain Management suites. The result?

• A global solution template that can be rolled out anywhere in the business.
• A redesigned enterprise structure to track profits across business units.
• Standardized manufacturing processes that still flex for highly customized demand.
• Integrated aftermarket parts ordering and manufacturing flows.
• Seamless connections between Fusion, labor capture systems, and eCommerce.

That’s not just “going live” — that’s rewiring the operational nervous system for speed, visibility, and scale.

Why Standing Still is Riskier Than Moving Fast

In my words, “true innovation is darn near impossible” when you’re chained to legacy thinking. The same applies here: if your manufacturing ops are running on static ERP data and manual interventions, you’re already losing ground to AI‑driven competitors who can pivot in real time.

Oracle Fusion Cloud with embedded AI is the equalizer. A mid‑sized manufacturer with the right AI tools can outmaneuver industry giants still stuck in quarterly planning cycles.

Where Perficient Comes In

Perficient’s Oracle team doesn’t just implement software — they architect transformation. With deep expertise in Oracle Manufacturing Cloud, Supply Chain Management, and embedded Fusion AI solutions, they help you:

• Integrate AI into existing workflows without blowing up your operations.
• Optimize supply chain visibility from raw materials to customer delivery.
• Leverage IoT and machine learning for continuous process improvement.
• Scale securely in the cloud while keeping compliance and governance in check.

They’ve done it for global manufacturers, and they can do it for you — faster than you think.

The Call to Action

If you believe your manufacturing operations are immune to disruption, history says otherwise. The companies that win will be the ones that treat AI not as a pilot project, but as the new operating system for their business.

Rather than letting new entrants disrupt your position, take initiative and lead the charge—make them play catch-up.

In today’s fast-paced digital workplace, agility, scalability, and collaboration aren’t just nice to have—they’re business-critical. If your organization is still on Microsoft SharePoint On-Premises, now is the time to make the move to SharePoint Online. Here’s why this isn’t just a technology upgrade—it’s a strategic leap forward.

1. Work Anywhere, Without Barriers

SharePoint Online empowers your workforce with secure access to content from virtually anywhere. Whether your team is remote, hybrid, or on the go, they can collaborate in real time without being tethered to a corporate network or VPN.

2. Always Up to Date

Forget about manual patching and version upgrades. SharePoint Online is part of Microsoft 365, which means you automatically receive the latest features, security updates, and performance improvements—without the overhead of managing infrastructure.

3. Reduce Costs and Complexity

Maintaining on-premises servers is expensive and resource-intensive. By moving to SharePoint Online, you eliminate hardware costs, reduce IT overhead, and streamline operations. Plus, Microsoft handles the backend, so your team can focus on innovation instead of maintenance.

4. Enterprise-Grade Security and Compliance

Microsoft invests heavily in security, offering built-in compliance tools, data loss prevention, and advanced threat protection. SharePoint Online is designed to meet global standards and industry regulations, giving you peace of mind that your data is safe.

5. Seamless Integration with Microsoft 365

SharePoint Online integrates effortlessly with Microsoft Teams, OneDrive, Power Automate, and Power BI—enabling smarter workflows, better insights, and more connected experiences across your organization.

6. Scalability for the Future

Whether you’re a small business or a global enterprise, SharePoint Online scales with your needs. You can easily add users, expand storage, and adapt to changing business demands without worrying about infrastructure limitations.

Why Perficient for Your SharePoint Online Migration 

• 35% boost in collaboration efficiency
• Up to 60% cost savings per user
• 73% reduction in data breach risk
• 100+ IT hours saved each month

Oracle’s flagship event is back—and it’s got a bold new name. What was once known as Oracle CloudWorld is now Oracle AI World, reflecting the seismic shift in enterprise technology: AI is no longer a buzzword, it’s the backbone of innovation.

From October 13–16, Oracle AI World will take over The Venetian Las Vegas with a packed agenda of keynotes, demos, and networking opportunities designed to help attendees harness the power of artificial intelligence across cloud infrastructure, applications, and data management.

Whether you’re exploring generative AI, building intelligent agents, or reimagining analytics, this event is your front-row seat to the future.

Meet us at our booth in AI World Hub in the Venetian to connect with subject matter experts and thought leaders and learn how we’ve leveraged our extensive expertise in Enterprise Resource Planning (ERP), Supply Chain Management, Human Capital Management, Enterprise Performance Management (EPM), Business Analytics, Oracle Cloud Infrastructure, and Oil and Gas to drive digital transformation for our customers.

Ask Us About Our Jumpstart Offers

Redwood Experience Jumpstart:

Our Redwood Experience Jumpstart is designed to accelerate your Redwood adoption via a series of collaborative sessions and assessments that introduce Redwood’s intuitive design and embedded AI capabilities, while aligning with your specific application needs and personalization goals.

Oracle AI Jumpstart:

Our Oracle AI Jumpstart is a structured engagement designed to help you quickly activate and scale Oracle’s embedded AI capabilities. Through a series of alignment sessions, demonstrations, and configuration activities, you’ll gain hands-on experience with Generative AI, machine learning, and prebuilt AI services that are seamlessly integrated into the Oracle Cloud Infrastructure and application ecosystem.

As an Oracle Partner with 25+ years of experience, we are committed to partnering with our clients to tackle complex business challenges and accelerate transformative growth. We’re excited to talk with attendees about how Perficient is helping clients unlock real value from Oracle’s AI-powered solutions—from Fusion Applications to OCI and beyond. Our team will be on-site, ready to share insights, answer questions, and explore how we can partner to drive smarter, faster decisions with Oracle AI.

Whether you’re attending Oracle AI World to learn, network, or just get inspired, make sure to carve out time to connect with Perficient to learn more about how we partner with our customers to forge the future. We’re here to help you turn AI ambition into action.

See you in Vegas!

The move to SaaS is one of the biggest shifts happening in digital experience. It’s not just about technology, it’s about making platforms simpler, faster, and more adaptable to the pace of customer expectations.

Sitecore has leaned in with a clear vision: “It’s SaaS. It’s Simple. It’s Sitecore.”

Here are five reasons why more organizations are turning to Sitecore SaaS to power their digital experience strategies:

1. Simplicity: A Modern Foundation

Sitecore SaaS solutions like XM Cloud remove the burden of managing infrastructure and upgrades.

• No more complex version upgrades, updates happen automatically.
• Reduced reliance on IT for day-to-day maintenance.
• A leaner, more cost-effective foundation for marketing teams.

By simplifying operations, companies can focus on what matters most; delivering exceptional digital experiences.

2. Speed-to-Value: Launch Faster

Traditional DXPs can take months (or more) to implement and optimize. Sitecore SaaS is designed for speed:

• Faster deployments with prebuilt components.
• Seamless integrations with other SaaS and cloud tools.
• Empowerment for marketers to build and launch campaigns without heavy dev cycles.

Organizations adopting Sitecore SaaS are moving from planning to execution faster than ever.

3. Scalability: Grow Without Rebuilds

As customer expectations grow, so does the need to scale digital experiences quickly. Sitecore SaaS allows companies to:

• Spin up new sites, regions, or languages without starting from scratch.
• Adjust to spikes in demand without disruption.
• Add capabilities as the business evolves — without heavy upfront investment.

This scalability ensures brands can adapt as fast as their audiences do.

4. Continuous Innovation: Always Current

One of the most frustrating parts of traditional platforms is the upgrade cycle. Sitecore SaaS solves this with:

• Automatic access to the latest innovations — no disruptive “big bang” upgrades.
• Built-in adoption of emerging technologies like AI and machine learning.
• A platform that’s always modern, not years behind.

With Sitecore SaaS, companies get a future-proof DXP that evolves with them.

5. Composability Without the Complexity

Composable DXPs promise flexibility, but without the right foundation they can feel overwhelming. Sitecore SaaS makes composability practical:

• Start with XM Cloud as a core CMS foundation.
• Add personalization, commerce, or search when ready.
• Use APIs to integrate best-of-breed tools, without losing control.

This approach ensures organizations adopt what they need, when they need it without the complexity of managing multiple disconnected systems.

Why it Matters

Companies aren’t moving to Sitecore SaaS just to keep up with technology. They’re moving because it makes their organizations more agile, efficient, and competitive. SaaS with Sitecore means simpler operations, faster launches, continuous innovation, and a platform that grows alongside your business.

Azure Cosmos DB for NoSQL now supports hybrid search, it is a powerful feature that combines full-text search and vector search to deliver highly relevant and accurate results. This blog post provides a comprehensive guide for developers and architects to understand, implement, and leverage hybrid search capabilities in their applications.

• What is hybrid search?
• How hybrid search works in Cosmos DB
• Vector embedding
• Implementing hybrid search
  • Enable hybrid search.
  • Container set-up and indexing
  • Data Ingestion
  • Search Queries
• Code Example

What is Hybrid Search?

Hybrid search is an advanced search technology that combines keyword search (also known as full-text search) and vector search to deliver more accurate and relevant search results. It leverages the strengths of both approaches to overcome the limitations of each when used in isolation.

Key Components

• Full-Text Search: This traditional method matches the words you type in, using techniques like stemming, lemmatization, and fuzzy matching to find relevant documents. It excels at finding exact matches and is efficient for structured queries with specific terms. Employs the BM25 algorithm to evaluate and rank the relevance of records based on keyword matching and text relevance.
• Vector Search: This method uses machine learning models to represent queries and documents as numerical embeddings in a multidimensional space, allowing the system to find items with similar characteristics and relationships, even if the exact keywords don’t match. Vector search is particularly useful for finding information that’s conceptually similar to the search query.
• Reciprocal Rank Fusion (RRF): This algorithm merges the results from both keyword and vector search, creating a single, unified ranked list of documents. RRF ensures that relevant results from both search types are fairly represented.

Hybrid search is suitable for various use cases, such as:

• Retrieval Augmented Generation (RAG) with LLMs
• Knowledge management systems: Enabling employees to efficiently find pertinent information within an enterprise knowledge base.
• Content Management: Efficiently search through articles, blogs, and documents.
• AI-powered chatbots
• E-commerce platforms: Helping customers find products based on descriptions, reviews, and other text attributes.
• Streaming services: Helping users find content based on specific titles or themes.

Let’s understand vector search and full-text search before diving into hybrid search implementation.

Understanding of Vector Search

Vector search in Azure Cosmos DB for NoSQL is a powerful feature that allows you to find similar items based on their semantic meaning, rather than relying on exact matches of keywords or specific values. It is a fundamental component for building AI applications, semantic search, recommendation engines, and more.

Here’s how vector search works in Cosmos DB:

Vector embeddings

Vector embeddings are numerical representations of data in a high-dimensional space, capturing their semantic meaning. In this space, semantically similar items are represented by vectors that are closer to each other. The dimensionality of these vectors can be quite large. We have separate topics in this blog on how to generate vector embedding.

Storing and indexing vectors

Azure Cosmos DB allows you to store vector embeddings directly within your documents. You define a vector policy for your container to specify the vector data’s path, data type, and dimensions. Cosmos DB supports various vector index types to optimize search performance, accuracy, and cost:

• Flat: Provides exact k-nearest neighbor (KNN) search.
• Quantized Flat: Offers exact search on compressed vectors.
• DiskANN: Enables highly scalable and accurate Approximate Nearest Neighbor (ANN) search.

Querying

• Azure Cosmos DB provides the VectorDistance() system function, which can be used within SQL queries to perform vector similarity searches as part of vector search.

Understanding Full-Text Search

Azure Cosmos DB for NoSQL now offers full-text search functionality (feature is in preview at this time for certain Azure regions), allowing you to perform powerful and efficient text-based searches within your documents directly in the database. This significantly enhances your application’s search capabilities without the need for an external search service for basic full-text needs.

Indexing

To enable full-text search, you need to define a full-text policy specifying the paths for searching and add a full-text index to your container’s indexing policy. Without the index, full-text searches would perform a full scan. Indexing involves tokenization, stemming, and stop word removal, creating a data structure like an inverted index for fast retrieval. Multi-language support (beyond English) and stop word removal are in early preview.

Querying

Cosmos DB provides system functions for full-text search in the NoSQL query language. These include FullTextContains, FullTextContainsAll, and FullTextContainsAny for filtering in the WHERE clause. The FullTextScore function uses the BM25 algorithm to rank documents by their relevance.

How Hybrid Search works in Cosmos DB

• Data Storage: Your documents in Cosmos DB include both text fields (for full-text search) and vector embedding fields (for vector search).
• Indexing:
  • Full-Text Index: A full-text policy and index are configured on your text fields, enabling keyword-based searches.
  • Vector Index: A vector policy and index are configured on your vector embedding fields, allowing for efficient similarity searches based on semantic meaning.

• Querying: A single query request is used to initiate hybrid search, including both full-text and vector search parameters.
• Parallel Execution: The vector and full-text search components run in parallel.
  • VectorDistance() measures vector similarity.
  • FullTextContains() or similar functions find keyword matches, and `FullTextScore()` ranks results using BM25.

• Result Fusion: The RRF function merges the rankings from both searches (vector & full text), creating a combined, ordered list based on overall relevance.
• Enhanced Results: The final results are highly relevant, leveraging both semantic understanding and keyword precision.

Vector Embedding

Vector embedding refers to the process of transforming data (like text, images) into a series of numbers, or a vector, that captures its semantic meaning. In this n-dimensional space, similar data points are mapped closer together, allowing computers to understand and analyze relationships that would be difficult with raw data.

To support hybrid search in Azure Cosmos DB, enhance the data by generating vector embeddings from searchable text fields. Store these embeddings in dedicated vector fields alongside the original content to enable both semantic and keyword-based queries.

Steps to generate embeddings with Azure OpenAI models

Provision Azure OpenAI Resource

• Sign in to the Azure portal: Go to https://portal.azure.com and log in.
• Create a resource: Select “Create a resource” from the Azure dashboard and search for “Azure OpenAI”.

Deploy Embedding Model

• Navigate to your newly created Azure OpenAI resource and click on “Explore Azure AI Foundry portal” in the overview page.
• Go to the model catalog and search for embedding models.
• Select embedding model:
  • From the embedding model list, choose an embedding model like text-embedding-ada-002, text-embedding-3-large, or text-embedding-3-small.

• • 
  • Azure open AI embedding models https://learn.microsoft.com/en-us/azure/ai-foundry/openai/concepts/models?tabs=global-standard%2Cstandard-chat-completions#embeddings
• Deployment name: Provide a unique name for your deployment. This name is crucial for accessing the model via the API.
• Deploy the model: Click “Create” to deploy the embedding model.
• After deployment, the resource will appear under the ‘Deployments’ section.
  • 

Accessing and utilizing embeddings

• Endpoint and API Key: After deployment, navigate to your Azure OpenAI resource and find the “Keys and Endpoint” under “Resource Management”. Copy these values as they are needed for authenticating API calls.
• Integration with applications: Use the Azure OpenAI SDK or REST APIs in your applications, referencing the deployment name and the retrieved endpoint and API key to generate embeddings.

Code example for .NET Core

Note: Ensure you have the .NET Core 8 SDK installed

using Azure;
using Azure.AI.OpenAI;
using System;
using System.Linq;

namespace AzureOpenAIAmbeddings
{
    class Program
    {
        static async Task Main(string[] args)
        {
            // Set your Azure OpenAI endpoint and API key securely
            string endpoint = Environment.GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT") ?? "https://YOUR_RESOURCE_NAME.openai.azure.com/"; // Replace with OpenAI endpoint
            string apiKey = Environment.GetEnvironmentVariable("AZURE_OPENAI_API_KEY") ?? "YOUR_API_KEY"; // Replace with OpenAI API key

            // Create an AzureOpenAIAClient
            var credentials = new AzureKeyCredential(apiKey);
            var openaiClient = new OpenAIClient(new Uri(endpoint), credentials);

            // Create embedding options
            EmbeddingOptions embeddingOptions = new()
            {
                DeploymentName = "text-embedding-ada-002", // Replace with your deployment name
                Input = { "Your text for generating embedding" },  // Text that require to generate embedding 
            };

            // Generate embeddings
            var returnValue = await openaiClient.GetEmbeddingsAsync(embeddingOptions);

            //Store generated embedding data to Cosmos DB along with your text content
            var embedding = returnValue.Value.Data[0].Embedding.ToArray()
        }
    }
}

Implementing Hybrid search

Implementing hybrid search in Azure Cosmos DB for NoSQL involves several key steps to combine the power of vector search and full-text search. This diagram illustrates the architecture of Hybrid Search in Azure Cosmos DB, leveraging Azure OpenAI for generating embedding, combining both vector-based and keyword-based search:

Step 1: Enable hybrid search in the Cosmos DB account

To implement hybrid search in Cosmos DB, begin by enabling both vector search and full-text search on the Azure Cosmos DB account.

• Navigate to Your Azure Cosmos DB for NoSQL Resource Page

• Access the Features Pane:

  • Select the “Features” pane under the “Settings” menu item.

• Enable Vector Search:

  • Locate and select the “Vector Search for NoSQL.” Read the description to understand the feature.
  • Click “Enable” to activate vector indexing and search capabilities.
  • 

• Enable Full-Text Search:

  • Locate and select the “Preview Feature for Full-Text Search” (Full-Text Search for NoSQL API (preview)). Read the description to confirm your intention to enable it.
  • Click “Enable” to activate full-text indexing and search capabilities.

                Notes:

• • • Once these features are enabled, they cannot be disabled.
    • Full Text Search (preview) may not be available in all regions at this time.

Step 2: Container Setup and Indexing

• Create a database and container or use an existing one.
  • Note: Adding a vector index policy to an existing container may not be supported. If so, you will need to create a new container.

• Define the Vector embedding policy on the container
  • You need to specify a vector embedding policy for the container during its creation. This policy defines how vectors are treated at the container level.
  • 

    {
       "vectorEmbeddings": [
           {
               "path":"/contentvector",
               "dataType":"float32",
               "distanceFunction":"cosine",
               "dimensions":1536
           },
    }
    

    • Path: Specify the JSON path to your vector embedding field (e.g., /contentvector).
    • Data type: Define the data type of the vector elements (e.g., float32).
    • Dimensions: Specify the dimensionality of your vectors (e.g., 1536 for text-embedding-ada-002).
    • Distance Function: Choose the distance metric for similarity calculation (e.g., cosine, dotProduct, or euclidean)

• Add Vector Index: Add a vector index to your container’s indexing policy. This enables efficient vector similarity searches.
  • 

• • • Path: Include the same vector path defined in your vector policy.
    • Type: Select the appropriate index type (flat, quantizedFlat, or diskANN).

• Define Full-Text Policy: Define a container-level full-text policy. This policy specifies which paths in your documents contain the text content that you want to search.
  • 

• • • Path: Specify the JSON path to your text search field
    • Language: content language

• Add Full-Text Index: Add a full-text index to the indexing policy, making full-text searches efficient
  • 

Hybrid search index (both Full-Text and Vector index)

{
  "indexingMode": "consistent",
  "automatic": true,
  "includedPaths": [
    {
      "path": "/*"
    }
  ],
  "excludedPaths": [
    {
      "path": "/_etag*/?"
    },
    {
      "path": "/contentvector/*"
    }
  ],
  "fullTextIndexes": [
    {
      "path": "/content"
    },
    {
      "path": "/description"
    }
  ],
  "vectorIndexes": [
    {
      "path": "/contentvector",
      "type": "diskANN"
    }
  ]
}

Exclude the Vector Path:

• To optimize performance during data ingestion, you must add the vector path to the “excludedPaths” section of your indexing policy. This prevents the vector path from being indexed by the default range indexes, which can increase RU charges and latency.

Step 3: Data Ingestion

• Generate Vector Embeddings: For every document, convert the text content (and potentially other data like images) into numerical vector embeddings using an embedding model (e.g., from Azure OpenAI Service). This topic is covered above.
• Populate Documents: Insert documents into your container. Each document should have:
  • The text content in the fields specified in your full-text policy (e.g., content, description).
  • The corresponding vector embedding in the field is specified in your vector policy (e.g., /contentvector).
  • Example document
  • 

Step 4: Search Queries

Hybrid search queries in Azure Cosmos DB for NoSQL combine the power of vector similarity search and full-text search within a single query using the Reciprocal Rank Fusion (RRF) function. This allows you to find documents that are both semantically similar and contain specific keywords.

SQL:  SELECT TOP 10 * FROM c ORDER BY RANK RRF(VectorDistance(c.contentvector, @queryVector), FullTextScore(c.content, @searchKeywords))

VectorDistance(c. contentvector, @queryVector):

• VectorDistance(): This is a system function that calculates the similarity score between two vectors.
• @queryVector: This is a parameter representing the vector embedding of your search query. You would generate this vector embedding using the same embedding model used to create document vector embeddings.
• Return Value: Returns a similarity score based on the distance function defined in your vector policy (e.g., cosine, dot product, Euclidean).

FullTextScore(c.content, @searchKeywords):

• FullTextScore(): This is a system function that calculates a BM25 score, which evaluates the relevance of a document to a given set of search terms. This function relies on a full-text index on the specified path.
• @searchKeywords: This is a parameter representing the keywords or phrases you want to search for. You can provide multiple keywords separated by commas.
• Return Value: Returns a BM25 score, indicating the relevance of the document to the search terms. Higher scores mean greater relevance.

ORDER BY RANK RRF(…):

• RRF(…) (Reciprocal Rank Fusion): This is a system function that combines the ranked results from multiple scoring functions (like VectorDistance and FullTextScore) into a single, unified ranking. RRF ensures that documents that rank highly in either the vector search or the full-text search are prioritized in the final results.

Weighted hybrid search query:

SELECT TOP 10 * FROM c ORDER BY RANK RRF(VectorDistance(c.contentvector, @queryVector), FullTextScore(c.content, @searchKeywords), [2, 1]).

• Optional Weights: You can optionally provide an array of weights as the last argument to RRF to control the relative importance of each component score. For example, to weight the vector search twice as important as the full-text search, you could use RRF(VectorDistance(c.contentvector, @queryVector), FullTextScore(c.content, @searchKeywords), [2,1]).

Multi-field hybrid search query:

SELECT TOP 10 * FROM c ORDER BY RANK RRF(VectorDistance(c.contentvector, @queryVector),VectorDistance(c.imagevector, @queryVector),

FullTextScore(c.content, @searchKeywords, FullTextScore(c.description, @searchKeywords,  [3,2,1,1]).

Code Example (.NET Core C#)

• Add Cosmos DB and OpenAI SDKs
• Get Cosmos DB connection string and create Cosmos DB client
• Get the OpenAI endpoint and key to create an OpenAI client
• Generate embedding for user query
• A hybrid search query to do a vector and keyword search

using Microsoft.Azure.Cosmos;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

namespace CosmosHybridSearch
{
    public class Product
    {
        public string Id { get; set; }
        public string Name { get; set; }
        public float[] DescriptionVector { get; set; } // Your vector embedding property
    }

    public class Program
    {
        private static readonly string EndpointUri = "YOUR_COSMOS_DB_ENDPOINT";
        private static readonly string PrimaryKey = "YOUR_COSMOS_DB_PRIMARY_KEY";
        private static readonly string DatabaseId = "YourDatabaseId";
        
        // Set your Azure OpenAI endpoint and API key securely.
        string endpoint = Environment.GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT") ?? "https://YOUR_RESOURCE_NAME.openai.azure.com/"; // Replace with your endpoint
        string apiKey = Environment.GetEnvironmentVariable("AZURE_OPENAI_API_KEY") ?? "YOUR_API_KEY"; // Replace with your API key

        public static async Task Main(string[] args)
        {
            using CosmosClient client = new(EndpointUri, PrimaryKey);
            Database database = await client.CreateDatabaseIfNotExistsAsync(DatabaseId);
            Container container = database.GetContainer(ContainerId);

            // Create an AzureOpenAiEmbeddings instance - not online :)
            var credentials = new ApiKeyServiceClientCredentials(apiKey);
            AzureOpenAiEmbeddings openAiClient = new(endpoint, credentials);

            // Example: search your actual query vector and search term.
            float[] queryVector;
            string searchTerm = "lamp";

            EmbeddingOptions embeddingOptions = new()
            {
                DeploymentName = "text-embedding-ada-002", // Replace with your deployment name
                Input = searchTerm,
            };

            var queryVectorResponse = await openAICient.GetEmbeddingsAsync(embeddingOptions);
            queryVector = returnValue.Value.Data[0].Embedding.ToArray()

            // Define the hybrid search query using KQL
            QueryDefinition queryDefinition = new QueryDefinition(
              "SELECT top 10 * " +
              "FROM myindex " +
              "ORDER BY _vectorScore(desc, @queryVector), FullTextScore(_description, @searchTerm)")
           .WithParameter("@queryVector", queryVector)
           .WithParameter("@searchTerm", searchTerm);

           List<Product> products = new List<Product>();

           using FeedIterator<Product> feedIterator = container.GetItemQueryIterator<Product>(queryDefinition);

           while (feedIterator.HasMoreResults)
           {
              FeedResponse<Product> response = await feedIterator.ReadNextAsync();
              foreach (Product product in response)
              {
                  products.Add(product);
              }
           }

           // Process your search results
           foreach (Product product in products)
           {
              Console.WriteLine($"Product Id: {product.Id}, Name: {product.Name}");
           }
        }
    }
}

How to monitor hundreds of Key Vaults across multiple subscriptions for just $15-25/month

The Challenge: Key Vault Sprawl in Enterprise Azure

If you’re managing Azure at enterprise scale, you’ve likely encountered this scenario: Key Vaults scattered across dozens of subscriptions, hundreds of certificates and secrets with different expiry dates, and the constant fear of unexpected outages due to expired certificates. Manual monitoring simply doesn’t scale when you’re dealing with:

• Multiple Azure subscriptions (often 10-50+ in large organizations)
• Hundreds of Key Vaults across different teams and environments
• Thousands of certificates with varying renewal cycles
• Critical secrets that applications depend on
• Different time zones and rotation schedules

The traditional approach of spreadsheets, manual checks, or basic Azure Monitor alerts breaks down quickly. You need something that scales automatically, costs practically nothing, and provides real-time visibility across your entire Azure estate.

The Solution: Event-Driven Monitoring Architecture

Single Function App, Unlimited Key Vaults

Instead of deploying monitoring resources per Key Vault (expensive and complex), we use a centralized architecture:

Management Group (100+ Key Vaults)
           ↓
   Single Function App
           ↓
     Action Group
           ↓
    Notifications

This approach provides:

• Unlimited scalability: Monitor 1 or 1000+ Key Vaults with the same infrastructure
• Cross-subscription coverage: Works across your entire Azure estate
• Real-time alerts: Sub-5-minute notification delivery
• Cost optimization: $15-25/month total (not per Key Vault!)

How It Works: The Technical Deep Dive

1. Event Grid System Topics (The Sensors)

Azure Key Vault automatically generates events when certificates and secrets are about to expire. We create Event Grid System Topics for each Key Vault to capture these events:

Event Types Monitored:
• Microsoft.KeyVault.CertificateNearExpiry
• Microsoft.KeyVault.CertificateExpired  
• Microsoft.KeyVault.SecretNearExpiry
• Microsoft.KeyVault.SecretExpired

The beauty? These events are generated automatically by Azure – no polling, no manual checking, just real-time notifications when things are about to expire.

2. Centralized Processing (The Brain)

A single Azure Function App processes ALL events from across your organization:

// Simplified event processing flow
eventGridEvent → parseEvent() → extractMetadata() → 
formatAlert() → sendToActionGroup()

Example Alert Generated:
{
  severity: "Sev1",
  alertTitle: "Certificate Expired in Key Vault",
  description: "Certificate 'prod-ssl-cert' has expired in Key Vault 'prod-keyvault'",
  keyVaultName: "prod-keyvault",
  objectType: "Certificate",
  expiryDate: "2024-01-15T00:00:00.000Z"
}

3. Smart Notification Routing (The Messenger)

Azure Action Groups handle notification distribution with support for:

• Email notifications (unlimited recipients)
• SMS alerts for critical expiries
• Webhook integration with ITSM tools (ServiceNow, Jira, etc.)
• Voice calls for emergency situations.

Implementation: Infrastructure as Code

The entire solution is deployed using Terraform, making it repeatable and version-controlled. Here’s the high-level infrastructure:

Resource Architecture

# Single monitoring resource group
resource "azurerm_resource_group" "monitoring" {
  name     = "rg-kv-monitoring-${var.timestamp}"
  location = var.primary_location
}

# Function App (handles ALL Key Vaults)
resource "azurerm_linux_function_app" "kv_processor" {
  name                = "func-kv-monitoring-${var.timestamp}"
  service_plan_id     = azurerm_service_plan.function_plan.id
  # ... configuration
}

# Event Grid System Topics (one per Key Vault)
resource "azurerm_eventgrid_system_topic" "key_vault" {
  for_each = { for kv in var.key_vaults : kv.name => kv }
  
  name                   = "evgt-${each.key}"
  source_arm_resource_id = "/subscriptions/${each.value.subscriptionId}/resourceGroups/${each.value.resourceGroup}/providers/Microsoft.KeyVault/vaults/${each.key}"
  topic_type            = "Microsoft.KeyVault.vaults"
}

# Event Subscriptions (route events to Function App)
resource "azurerm_eventgrid_event_subscription" "certificate_expiry" {
  for_each = { for kv in var.key_vaults : kv.name => kv }
  
  azure_function_endpoint {
    function_id = "${azurerm_linux_function_app.kv_processor.id}/functions/EventGridTrigger"
  }
  
  included_event_types = [
    "Microsoft.KeyVault.CertificateNearExpiry",
    "Microsoft.KeyVault.CertificateExpired"
  ]
}

CI/CD Pipeline Integration

The solution includes an Azure DevOps pipeline that:

1. Discovers Key Vaults across your management group automatically
2. Generates Terraform variables with all discovered Key Vaults
3. Deploys infrastructure using infrastructure as code
4. Validates deployment to ensure everything works

# Simplified pipeline flow
stages:
  - stage: DiscoverKeyVaults
    # Scan management group for all Key Vaults
    
  - stage: DeployMonitoring  
    # Deploy Function App and Event Grid subscriptions
    
  - stage: ValidateDeployment
    # Ensure monitoring is working correctly

Cost Analysis: Why This Approach Wins

Traditional Approach (Per-Key Vault Monitoring)

100 Key Vaults × $20/month per KV = $2,000/month
Annual cost: $24,000

This Approach (Centralized Monitoring)

Base infrastructure: $15-25/month
Event Grid events: $2-5/month  
Total: $17-30/month
Annual cost: $204-360

Savings: 98%+ reduction in monitoring costs

Detailed Cost Breakdown

Implementation Guide: Getting Started

Prerequisites

1. Azure Management Group with Key Vaults to monitor
2. Service Principal with appropriate permissions:
   • Reader on Management Group
   • Contributor on monitoring subscription
   • Event Grid Contributor on Key Vault subscriptions
3. Azure DevOps or similar CI/CD platform

Step 1: Repository Setup

Create this folder structure:

keyvault-monitoring/
├── terraform/
│   ├── main.tf              # Infrastructure definitions
│   ├── variables.tf         # Configuration variables
│   ├── terraform.tfvars     # Your specific settings
│   └── function_code/       # Function App source code
├── azure-pipelines.yml      # CI/CD pipeline
└── docs/                    # Documentation

Step 2: Configuration

Update terraform.tfvars with your settings:

# Required configuration
notification_emails = [
  "your-team@company.com",
  "security@company.com"
]

primary_location = "East US"
log_retention_days = 90

# Optional: SMS for critical alerts
sms_notifications = [
  {
    country_code = "1"
    phone_number = "5551234567"
  }
]

# Optional: Webhook integration
webhook_url = "https://your-itsm-tool.com/api/alerts"

Step 3: Deployment

The pipeline automatically:

1. Scans your management group for all Key Vaults
2. Generates infrastructure code with discovered Key Vaults
3. Deploys monitoring resources using Terraform
4. Validates functionality with test events

Expected deployment time: 5-10 minutes

Step 4: Validation

Test the setup by creating a short-lived certificate:

# Create test certificate with 1-day expiry
az keyvault certificate create \
  --vault-name "your-test-keyvault" \
  --name "test-monitoring-cert" \
  --policy '{
    "issuerParameters": {"name": "Self"},
    "x509CertificateProperties": {
      "validityInMonths": 1,
      "subject": "CN=test-monitoring"
    }
  }'

# You should receive an alert within 5 minutes

Operational Excellence

Monitoring the Monitor

The solution includes comprehensive observability:

// Function App performance dashboard
FunctionAppLogs
| where TimeGenerated > ago(24h)
| summarize 
    ExecutionCount = count(),
    SuccessRate = (countif(Level != "Error") * 100.0) / count(),
    AvgDurationMs = avg(DurationMs)
| extend PerformanceScore = case(
    SuccessRate >= 99.5, "Excellent",
    SuccessRate >= 99.0, "Good", 
    "Needs Attention"
)

Advanced Features and Customizations

1. Integration with ITSM Tools

The webhook capability enables integration with enterprise tools:

// ServiceNow integration example
const serviceNowPayload = {
  short_description: `${objectType} '${objectName}' expiring in Key Vault '${keyVaultName}'`,
  urgency: severity === 'Sev1' ? '1' : '3',
  category: 'Security',
  subcategory: 'Certificate Management',
  caller_id: 'keyvault-monitoring-system'
};

2. Custom Alert Routing

Different Key Vaults can route to different teams:

// Route alerts based on Key Vault naming convention
const getNotificationGroup = (keyVaultName) => {
  if (keyVaultName.includes('prod-')) return 'production-team';
  if (keyVaultName.includes('dev-')) return 'development-team';
  return 'platform-team';
};

3. Business Hours Filtering

Critical alerts can bypass business hours, while informational alerts respect working hours:

const shouldSendImmediately = (severity, currentTime) => {
  if (severity === 'Sev1') return true; // Always send critical alerts
  
  const businessHours = isBusinessHours(currentTime);
  return businessHours || isNearBusinessHours(currentTime, 2); // 2 hours before business hours
};

Troubleshooting Common Issues

Issue: No Alerts Received

Symptoms:

Events are visible in Azure, but no notifications are arriving

Resolution Steps:

1. Check the Action Group configuration in the Azure Portal
2. Verify the Function App is running and healthy
3. Review Function App logs for processing errors
4. Validate Event Grid subscription is active

Issue: High Alert Volume

Symptoms:

Too many notifications, alert fatigue

Resolution:

// Implement intelligent batching
const batchAlerts = (alerts, timeWindow = '15m') => {
  return alerts.reduce((batches, alert) => {
    const key = `${alert.keyVaultName}-${alert.objectType}`;
    batches[key] = batches[key] || [];
    batches[key].push(alert);
    return batches;
  }, {});
};

Issue: Missing Key Vaults

Symptoms: Some Key Vaults are not included in monitoring

Resolution:

1. Re-run the discovery pipeline to pick up new Key Vaults
2. Verify service principal has Reader access to all subscriptions
3. Check for Key Vaults in subscriptions outside the management group

At Perficient, we don’t just embrace innovation, we engineer it. That’s why we’re proud to share that we’ve achieved Amazon Web Services (AWS) Premier Tier Services Partner status, a milestone that solidifies our position as a leader in delivering transformative AI-first solutions.

This top-tier AWS designation reflects the depth of our technical expertise, the success of our client outcomes, and our commitment to helping enterprises modernize and thrive in a digital world. But what sets us apart isn’t just cloud proficiency; it’s how we can blend AI into every layer of digital transformation.

“We’re thrilled to join an elite group of technology innovators holding the AWS Premier Tier Services Partner status. This achievement is a testament to our strategic commitment to AWS, our partner-to-partner model, and the transformative outcomes we deliver for our clients,” said Santhosh Nair, senior vice president, Perficient. “Together with AWS, we’re building and deploying AI-first solutions at scale with speed and precision. From real-time analytics to AI-first product development, our approach empowers enterprises to innovate faster, personalize customer experiences, and unlock new business value.”

Combining the Power of AWS and AI

Whether it’s through intelligent automation, predictive analytics, or generative AI, we help organizations infuse intelligence across their operations using AWS’s scalable infrastructure. Our solutions are built to adapt, evolve, and deliver measurable outcomes from streamlining clinical workflows in healthcare to enhancing customer experiences in financial services.

As an AWS Premier Tier Services Partner, we now gain even more direct access to AWS tools, early service previews, and strategic collaboration opportunities, allowing us to deliver smarter, faster, and more impactful AI-first solutions for our clients.

Unlocking What’s Next

Our talented cloud and AI teams continue to push boundaries, helping clients harness the full potential of cloud and data while solving their toughest challenges with precision and innovation.

Ready to explore what AI and cloud transformation could look like for your business? Let’s talk.

In Part 1 (Harnessing the Power of AWS Bedrock through CloudFormation / Blogs / Perficient), we discussed what Azure Virtual WAN is and why it’s a powerful solution for global networking. Now, let’s get hands-on and walk through the actual implementation—step by step, in a simple, conversational way.

1.     Creating the Virtual WAN – The Network’s Control Plane

Virtual WAN is the heart of a global network, not just another resource. It replaces: Isolated VPN gateways per region, Manual ExpressRoute configurations, and complex peering relationships.

Setting it up is easy:

• Navigate to Azure Portal → Search “Virtual WAN”
• Click Create and configure.
• Name: Naming matters for enterprise environments
• Resource Group: Create new rg-network-global (best practice for lifecycle management)
• Type: Standard (Basic lacks critical features like ExpressRoute support)

Azure will set up the Virtual WAN in a few seconds. Now, the real fun begins.

2. Setting Up the Virtual WAN Hub – The Heart of The Network

The hub is where all connections converge. It’s like a major airport hub where traffic from different locations meets and gets efficiently routed. Without a hub, you’d need to configure individual gateways for every VPN and ExpressRoute connection, leading to higher costs and management overhead.

• Navigate to the Virtual WAN resource → Click Hubs → New Hub.
• Configure the Hub.
• Region: Choose based on: Primary user locations & Azure service availability (some regions lack certain services)
• Address Space: Assign a private IP range (e.g., 10.100.0.0/24).

Wait for Deployment, this takes about 30 minutes (Azure is building VPN gateways, ExpressRoute gateways, and more behind the scenes).

Once done, the hub is ready to connect everything: offices, cloud resources, and remote users.

3. Connecting Offices via Site-to-Site VPN – Building Secure Tunnels

Branches and data centres need a reliable, encrypted connection to Azure. Site-to-Site VPN provides this over the public internet while keeping data secure. Without VPN tunnels, branch offices would rely on slower, less secure internet connections to access cloud resources, increasing latency and security risks.

• In the Virtual WAN Hub, go to VPN (Site-to-Site) → Create VPN Site.
• Name: branch-nyc-01
• Private Address Space: e.g., 192.168.100.0/24 (must match on-premises network)
• Link Speed: Set accurately for Azure’s QoS calculations
• Download VPN Configuration: Azure provides a config file—apply it to the office’s VPN device (like a Cisco or Fortinet firewall).
• Lastly, connect the VPN Site to the Hub.
• Navigate to VPN connections → Create connection → Link the office to the hub.

Now, the office and Azure are securely connected.

4. Adding ExpressRoute – The Private Superhighway

For critical applications (like databases or ERP systems), VPNs might not provide enough bandwidth or stability. ExpressRoute gives us a dedicated, high-speed connection that bypasses the public internet. Without ExpressRoute, latency-sensitive applications (like VoIP or real-time analytics) could suffer from internet congestion or unpredictable performance.

• Order an ExpressRoute Circuit: We can do this via the Azure Portal or through an ISP (like AT&T or Verizon).
• Authorize the Circuit in Azure
• Navigate to the Virtual WAN Hub → ExpressRoute → Authorize.
• Linking it to Hub: Once it is authorized, connect the ExpressRoute circuit to the hub.

Now, the on-premises network has a dedicated, high-speed connection to Azure—no internet required.

5. Enabling Point-to-Site VPN for Remote Workers – The Digital Commute

Employees working from home need secure access to internal apps without exposing them to the public internet. P2S VPN lets them “dial in” securely from anywhere. Without P2S VPN, remote workers might resort to risky workarounds like exposing RDP or databases to the internet.

• Configure P2S in The Hub
• Navigate to VPN (Point-to-Site) → Configure.
• Set Up Authentication: Choose certificate-based auth (secure and easy to manage) and upload the root/issuer certificates.
• Assign an IP Pool. e.g., 192.168.100.0/24 (this is where remote users will get their IPs).
• Download & Distribute the VPN Client

Employees install this on their laptops to connect securely. Now, the team can access Azure resources from anywhere just like they’re in the office.

6. Linking Azure Virtual Networks (VNets) – The Cloud’s Backbone

Applications in one VNet (e.g., frontend servers) often need to talk to another (e.g., databases). Rather than complex peering, the Virtual WAN handles routing automatically. Without VNet integration, it needs manual peering and route tables for every connection, creating a management nightmare at scale.

• VNets need to be attached.
• Navigate to The Hub → Virtual Network Connections → Add Connection.
• Select the VNets. e.g., Connect vnet-app (for applications) and vnet-db (for databases).
• Azure handles the Routing: Traffic flows automatically through the hub-no manual route tables needed.

Now, the cloud resources communicate seamlessly.

Monitoring & Troubleshooting

Networks aren’t “set and forget.” We need visibility to prevent outages and quickly fix issues. We can use tools like Azure Monitor, which tracks VPN/ExpressRoute health—like a dashboard showing all trains (data packets) moving smoothly. Again, Network Watcher can help to diagnose why a branch can’t connect.

Common Problems & Fixes

• When VPN connections fail, the problem is often a mismatched shared key—simply re-enter it on both ends.
• If ExpressRoute goes down, check with your ISP—circuit issues usually require provider intervention.
• When VNet traffic gets blocked, verify route tables in the hub—missing routes are a common culprit.

In this section, we focused primarily on generating read-only credentials and how to use them to connect to the database.

Generate Database Credentials

The Mission Control tool generates read-only database credentials for a targeted instance, which remain active for 30 minutes. These credentials allow users to run select or read-only queries, making it easier to explore data on a cloud instance. This feature is especially helpful for verifying data-related issues without taking a database backup.

Steps to generate database credentials

1. Log in to Mission Control.

2. Navigate to the Customers tab.

3. Select the appropriate Customer.

   

4. Choose the Environment for which you need the credentials.

   

5. Click the Action dropdown in the left pane.

6. Select Generate Database Credentials.

   

7. A pop-up will appear with a scheduler option.

   

8. Click Continue to initiate the process.

9. After a short time, the temporary read-only credentials will be displayed.

Once the temporary read-only credentials are generated, the next step is to connect to the database using those credentials.

To do this:

1. Download and install Azure Data Studio
   Download Azure Data Studio

2. Open Azure Data Studio after installation.

   

3. Click “New Connection” or the “Connect” button.

   

4. Use the temporary credentials provided by Mission Control to connect:

   • Server Name: Use the server name from the credentials.

   • Authentication Type: SQL Login

   • Username and Password: As provided in the credentials.

5. Once connected, you can execute SELECT queries to explore or verify data on the cloud instance.

For more details, refer to the official Optimizely documentation on Generating Database Credentials.

For Part I, visit: Optimizely Mission Control – Part I

Have you ever wondered what happens if you ask AI to create an image, write a poem, or draft an email?
Most of us picture “the cloud” working its magic in a distant location. The twist is that the cloud is physical, real, and thirsty. Data centers require water, sometimes millions of gallons per day, to stay cool while AI is operating.

By 2025, it is impossible to overlook AI’s growing water footprint. But don’t worry, AI isn’t to blame here. It’s about comprehending the problem, the ingenious ways technology is attempting to solve it, and what we (as humans) can do to improve the situation.

Why does AI need water?

Doesn’t your laptop heat up quickly when you run it on overdrive for hours? Now multiply that by millions of machines that are constantly in operation and stacked in enormous warehouses. A data centre is that.

These facilities are cooled by air conditioning units, liquid cooling, or evaporative cooling to avoid overheating. And gallons of fresh water are lost every day due to evaporative cooling, in which water actually evaporates into the atmosphere to remove heat.

Therefore, there is an invisible cost associated with every chatbot interaction, artificial intelligence-powered search, and generated image: water.

How big is the problem in 2025?

Pretty Big—and expanding. According to a 2025 industry report, data centers related to artificial intelligence may use more than 6 billion cubic meters of water a year by the end of this decade. That is roughly equivalent to the annual consumption of a mid-sized nation.

In short, AI’s water consumption is no longer a “future problem.” The effects are already being felt by the communities that surround big data centers. Concerns regarding water stress during dry months have been voiced by residents in places like Arizona and Ireland.

But wait—can AI help solve this?

Surprisingly, yes. It is being saved by the same intelligence that requires water.

optimised cooling: Businesses are utilising AI to operate data centers more effectively by anticipating precisely when and how much cooling is required, which can reduce water waste by as much as 20–30%.

Technology for liquid cooling: Some new servers are moving to liquid cooling systems, which consume a lot less water than conventional techniques.

Green data centers: Major corporations, such as Google and Microsoft, are testing facilities that use recycled water rather than fresh water for cooling and are powered by renewable energy.

Therefore, “AI is the problem” is not the story. “AI is thirsty, but also learning how to drink smarter,” it says.

What about us—can regular people help?

Absolutely.Our decisions have an impact even though the majority of us do not manage data centers. Here’s how:

More intelligent use of AI: We can be aware of how frequently we execute complex AI tasks, just as we try to conserve energy. (Is 50 AI-generated versions of the same image really necessary?)

Encourage green tech: Selecting platforms and services that are dedicated to sustainable data practices encourages the sector to improve.

Community action: Cities can enact laws that promote the use of recycled water in data centers and openness regarding the effects of water use in their communities.

Consider it similar to electricity, whose hidden costs we initially hardly noticed. Efficiency and awareness, however, had a significant impact over time. Water and AI can have the same effect.

What’s the bigger picture?

AI is only one piece of the global water puzzle. Water stress is still primarily caused by industry, agriculture, and climate change. However, the emergence of AI makes us reevaluate how we want to engage with the planet’s most valuable resource in the digital future.

If this is done correctly, artificial intelligence (AI) has the potential to be a partner in sustainability, not only in terms of how it uses water but also in terms of how it aids in global water monitoring, forecasting, and conservation.

The Takeaway

The cloud isn’t magic. It’s water, energy, wires, and metal. And AI’s thirst increases with its growth. However, this is an opportunity for creativity rather than panic. Communities, engineers, and even artificial intelligence (AI) are already rethinking how to keep machines cool without depleting the planet.

Therefore, keep in mind that every pixel and word contains a hidden drop of water the next time you converse with AI or create an interesting image. Furthermore, the more information we have, the better decisions we can make to ensure the future continues.