Indispensable Azure Tools: Azure Verified Modules. Secure, Scalable Infrastructure by Design

Welcome back to our Indispensable Azure Tools series. This time, we’re exploring Azure Verified Modules (AVM), Microsoft’s standardized, reusable Infrastructure as Code (IaC) modules for Bicep and Terraform.

If you’ve ever worked with inconsistent resource templates, policy drift, or manually configuring private endpoints (for the hundredth time ;-), AVM is about to simplify your life. These modules bring the Azure Well-Architected Framework directly into your code, so every deployment starts from a secure, consistent baseline.

What Makes AVM Different

AVM is Microsoft’s official, well-maintained collection of Bicep and Terraform modules that follow best practices for design, security, and governance. Each module is validated, versioned, and tested before publication, available through the Bicep Registry and Terraform Registry.

AVM modules come in two flavors:

• Resource Modules; Individual Azure resources with secure defaults (for example, avm/res/storage-account includes private endpoints and TLS out of the box).
• Pattern Modules; Complete architectures such as production-grade AKS or hub-spoke landing zones.

Because these are Microsoft-supported, you’re always aligned with Azure’s latest capabilities and compliance standards, no need to chase breaking API changes or security baselines manually.

The value of AVM

Large Azure environments often grow organically, different teams, different scripts, slightly different configurations. That’s where AVM can deliver real value:

• Consistency; Shared parameters for location, tags, networking, and security keep everything predictable.
• Speed; Deployments that used to take hours can now be done in minutes.
• Security by Default; TLS enforcement, RBAC, private access — all handled automatically.
• Future-Proof; Modules evolve with Azure’s roadmap, reducing your maintenance burden.

In one of our projects, an AVM Key Vault module automatically flagged a misconfigured access policy that would have caused a compliance issue. That’s the kind of protection you want baked into your IaC.

Azure Verified Modules provides two types of modules: Resource and Pattern modules.

AVM modules are used to deploy Azure resources and their extensions, as well as reusable architectural patterns consistently.

How AVM Looks in Practice

Here’s a simple Bicep example deploying a resource group and storage account using AVM:

targetScope = 'subscription'

@description('Name of the resource group to create and deploy resources into')
param rgName string = 'rg-example-bicep'

@description('Azure region for deployment')
param location string = 'westeurope'

// Create (or update) the resource group
module rg 'br/public:avm/res/resources/resource-group:0.4.1' = {
  name: 'createResourceGroup'
  scope: subscription()
  params: {
    name: rgName
    location: location
    tags: {
      environment: 'production'
      department: 'finance'
    }
  }
}

// Deploy a storage account inside that resource group
module sa 'br/public:avm/res/storage/storage-account:0.27.1' = {
  name: 'createStorageAccount'
  scope: resourceGroup(rgName)
  params: {
    name: 'stdevopsmasterminds01'
    location: location
    publicNetworkAccess: 'Disabled'
    minimumTlsVersion: 'TLS1_2'
  }
}

targetScope = 'subscription'

@description('Name of the resource group to create and deploy resources into')
param rgName string = 'rg-example-bicep'

@description('Azure region for deployment')
param location string = 'westeurope'

// Create (or update) the resource group
module rg 'br/public:avm/res/resources/resource-group:0.4.1' = {
  name: 'createResourceGroup'
  scope: subscription()
  params: {
    name: rgName
    location: location
    tags: {
      environment: 'production'
      department: 'finance'
    }
  }
}

// Deploy a storage account inside that resource group
module sa 'br/public:avm/res/storage/storage-account:0.27.1' = {
  name: 'createStorageAccount'
  scope: resourceGroup(rgName)
  params: {
    name: 'stdevopsmasterminds01'
    location: location
    publicNetworkAccess: 'Disabled'
    minimumTlsVersion: 'TLS1_2'
  }
}

One concise file, no boilerplate, no missing security settings. Note that each AVM module is versioned explicitly and stored by version number.

For Terraform users, the experience is equally clean:

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~>3.113" }
  }
}

provider "azurerm" { features {} }

module "rg" {
  source  = "Azure/avm-res-resources-resourcegroup/azurerm"
  version = "0.4.1"

  name     = "rg-example-tf"
  location = "westeurope"
  tags     = { environment = "production", department = "finance" }
}

module "sa" {
  source  = "Azure/avm-res-storage-storageaccount/azurerm"
  version = "0.27.1"

  name                  = "stdevopsmmweu01"
  resource_group_name   = module.rg.name
  location              = module.rg.location
  public_network_access = "Disabled"
  min_tls_version       = "TLS1_2"
}

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~>3.113" }
  }
}

provider "azurerm" { features {} }

module "rg" {
  source  = "Azure/avm-res-resources-resourcegroup/azurerm"
  version = "0.4.1"

  name     = "rg-example-tf"
  location = "westeurope"
  tags     = { environment = "production", department = "finance" }
}

module "sa" {
  source  = "Azure/avm-res-storage-storageaccount/azurerm"
  version = "0.27.1"

  name                  = "stdevopsmmweu01"
  resource_group_name   = module.rg.name
  location              = module.rg.location
  public_network_access = "Disabled"
  min_tls_version       = "TLS1_2"
}

From Landing Zones to AKS

We’ve seen the biggest gains using AVM’s pattern modules.

For instance, avm-ptn-alz builds a complete Azure Landing Zone with networking, governance, and identity configured the right way.

And the AKS Production module (avm-ptn-aks-production) gives you:

• Multi-region availability zones
• Private cluster networking
• Managed ACR integration
• Auto-scaling with spot node pools

In one deployment, we reduced setup time for an enterprise AKS environment from three days to under an hour, fully compliant and monitorable from day one.

Current limitations and practical work-arounds

While Azure Verified Modules already cover a wide range of resources (https://azure.github.io/Azure-Verified-Modules/indexes/) the pattern modules for complex topologies such as entire Azure Landing Zones, SQL Managed Instances and hub-spoke networks are still rolling out to the public Bicep registry. At the time of writing, these modules are available in the AVM GitHub repository and as Terraform packages, but not yet as officially released Bicep modules. This means that teams relying purely on Bicep must currently assemble their own “mini landing zones” by composing published resource modules, such as resource-group, network-security-group, and storage-account, to achieve a comparable structure.

Integrating AVM in Your Pipeline

You don’t have to rebuild everything to start using AVM. In fact, the best approach is to start small:

1. Reference AVM modules directly in your Bicep or Terraform code.
2. Validate locally using bicep build or terraform plan.
3. Deploy through your existing CI/CD (GitHub Actions, Azure DevOps, etc.).
4. Use Pester tests (yes, from our earlier post) for pre-deployment validation.

Pin module versions (1.0.0, not latest) to keep builds reproducible, and keep an eye on the AVM release portal for updates.

Why It’s Indispensable

Azure Verified Modules turns best practices into deployable code. It cuts down on duplicated templates, reduces risk, and enforces compliance.

If you’re serious about scaling Azure safely and efficiently, AVM should be part of your foundation. Explore Azure Verified Modules: https://azure.github.io/Azure-Verified-Modules/

This post is part of the Indispensable Azure Tools series by DevOps Masterminds. Explore the full series here.

Stay tuned as we continue to highlight the tools that make building on Azure smarter, faster, and easier to manage.