The Architecture Validator automatically checks and fixes Azure diagrams to follow Well-Architected Framework best practices. It runs automatically after AI generation to ensure proper service placement, grouping, and hierarchy.
✅ Ensures these groups exist:
- Resource Group (contains everything)
- Virtual Network (contains compute + data services)
- App Subnet (compute tier)
- Data Subnet (data tier)
If any are missing, they're automatically created.
✅ Enforces proper nesting:
Resource Group
└── Virtual Network (10.0.0.0/16)
├── App Subnet (10.0.1.0/24)
└── Data Subnet (10.0.2.0/24)
If groups are misplaced (e.g., VNet outside RG), they're automatically moved.
These sit at the Resource Group level, outside the VNet:
- Front Door
- Entra ID (Azure AD)
- DDoS Protection
- Log Analytics
- Application Insights
Why: These are global/regional services that operate at a higher network layer.
These go inside App Subnet (10.0.1.0/24):
- App Service
- Function App
- Container Apps
- AKS (Kubernetes)
- Virtual Machines
- API Management
- Application Gateway
- Static Web Apps
- Azure OpenAI
- AI Search
Why: Application workloads need network isolation and can communicate within the subnet.
These go inside Data Subnet (10.0.2.0/24):
- Cosmos DB
- SQL Database
- Redis Cache
- Storage Account
- Service Bus
- Event Hub
- Event Grid
Why: Data services should be isolated from compute tier for security and network traffic management.
- Key Vault → App Subnet (default)
Why: Commonly accessed by compute services, so placed in same subnet for low latency.
When the validator runs, it automatically:
- Creates missing groups (RG, VNet, App Subnet, Data Subnet)
- Fixes group hierarchy (moves VNet inside RG, subnets inside VNet)
- Moves misplaced services (e.g., Front Door out of subnets, SQL into Data Subnet)
- Assigns orphaned services (ensures all services belong to at least Resource Group)
❌ Front Door → inside App Subnet (WRONG - global service)
❌ SQL Database → outside any subnet (WRONG - needs isolation)
❌ VNet → not inside Resource Group (WRONG - hierarchy)
❌ API Management → in Data Subnet (WRONG - compute service)
✅ Front Door → Resource Group level (global service)
✅ SQL Database → Data Subnet (data tier)
✅ VNet → inside Resource Group (proper hierarchy)
✅ API Management → App Subnet (compute service)
After AI generates an architecture, check the console output:
[generateArchitecture] Validation: ⚠️ Architecture validation found issues:
1. Front Door (front-door) should NOT be in a subnet (global service)
2. SQL Database (sql-database) should be in Data Subnet
3. VNet not inside Resource Group
🔧 Auto-fixes applied:
1. Removed Front Door from subnet (global service)
2. Moved SQL Database to Data Subnet
3. Moved VNet inside Resource Group
The AI response message will also include:
Generated architecture: 12 services, 15 connections, 4 groups.
Est. cost: $1,234/mo. Auto-fixed 3 architecture issues.
WAF Review: All checks passed!
The validator will auto-fix this. Check the service type classification in architectureValidator.ts if you disagree with the placement.
The validator fixes logical parent relationships. After auto-fix, use the organizeLayout action to visually separate them.
- Check browser console for validation messages
- Verify the validator ran (look for
[generateArchitecture] Validation:log) - If issues persist, manually regenerate the architecture
Location: apps/web/lib/validators/architectureValidator.ts
Integration: Runs in useCopilotActions.ts → generateArchitecture handler (Step 6, before batchUpdate)
Pure Function: validateAndFixArchitecture(nodes) takes nodes, returns fixed nodes + validation result
No Side Effects: All fixes are applied to in-memory copies before state mutation
- Support for custom subnets (Gateway Subnet, Security Subnet, etc.)
- Region-specific validation (e.g., availability zones)
- Multi-VNet scenarios (hub-spoke topology)
- Private endpoint validation (data services should use private endpoints)
- NSG/routing validation