Azure OpenAI
Keeptrusts gateways Azure OpenAI Service with full policy enforcement, audit logging, and built-in deployment-aware routing. Azure OpenAI uses a unique URL structure (https://<resource>.openai.azure.com/openai/deployments/<deployment>/...) and API versioning (api-version query parameter) that differs from standard OpenAI. Keeptrusts handles all of this automatically — configure your resource, deployment, and API version, and the gateway builds the correct upstream URLs.
Use this page when
- You need the exact command, config, API, or integration details for Azure OpenAI.
- You are wiring automation or AI retrieval and need canonical names, examples, and constraints.
- If you want a guided rollout instead of a reference page, use the linked workflow pages in Next steps.
Primary audience
- Primary: AI Agents, Technical Engineers
- Secondary: Technical Leaders
Prerequisites
- Azure OpenAI resource — create one in the Azure Portal.
- Model deployment — deploy a model (e.g.,
gpt-4o) within your Azure OpenAI resource. - API key or Azure AD credentials — copy an API key from the Azure Portal or configure Entra ID (Azure AD) for OAuth2 auth.
- Keeptrusts CLI — install
kt(quickstart guide). - Export your credentials:
export AZURE_OPENAI_API_KEY="your-azure-api-key"
Configuration
Create a policy-config.yaml with your Azure OpenAI target:
pack:
name: azure-openai-gateway
version: 1.0.0
enabled: true
policies:
chain:
- prompt-injection
- pii-detector
- safety-filter
- audit-logger
policy:
prompt-injection:
threshold: 0.8
action: block
pii-detector:
action: redact
safety-filter:
mode: strict
action: block
audit-logger:
retention_days: 365
providers:
strategy: single
targets:
- id: azure-gpt4o
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
Start the gateway:
kt gateway run \
--listen 0.0.0.0:41002 \
--policy-config policy-config.yaml
Provider Fields
All fields available on a providers.targets[] entry for Azure OpenAI:
| Field | Type | Default | Description |
|---|---|---|---|
id | string | required | Unique identifier for this target |
provider | string | required | "azure-openai" |
model | string | required | Model name, e.g. "gpt-4o", "gpt-4o-mini" |
base_url | string | required | Your Azure resource URL: https://<resource>.openai.azure.com |
secret_key_ref | object | AZURE_OPENAI_API_KEY | Object reference to the environment variable holding the API key |
api_key_header | string | "api-key" | HTTP header name for authentication (Azure uses api-key, not Authorization) |
api_key_prefix | string | "" | Prefix before the key value (empty for Azure; OpenAI uses "Bearer ") |
azure_api_version | string | required | Azure API version, e.g. "2024-12-01-preview" |
azure_deployment | string | none | Deployment name. If set, Keeptrusts constructs /openai/deployments/<deployment>/... paths automatically |
path_template | string | none | Custom URL path template with {deployment} placeholder for non-standard Azure paths |
timeout_seconds | integer | 60 | Maximum time for non-streaming requests |
stream_timeout_seconds | integer | none | Maximum time for streaming requests |
max_context_tokens | integer | none | Maximum tokens in the context window |
headers | map | {} | Additional HTTP headers sent with each request |
format | string | "openai" | Wire format ("openai" — Azure uses the same format as OpenAI) |
provider_type | string | "azure-openai" | Explicit provider type |
description | string | none | Human-readable description |
weight | float | 1.0 | Routing weight for weighted_round_robin strategy |
data_policy | object | none | Data handling policy |
pricing | object | none | Token pricing in USD per 1M tokens |
health_probe | object | none | Active health probe configuration |
Authentication
Azure OpenAI supports two authentication methods:
API Key Authentication
The default method. Azure uses the api-key HTTP header (not Authorization: Bearer):
pack:
name: azure-openai-providers-2
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-gpt4o
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
Azure AD / Entra ID (OAuth2)
For managed identity or service principal authentication, configure a header that contains an OAuth2 bearer token:
pack:
name: azure-openai-providers-3
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-gpt4o-entra
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_AD_TOKEN
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
For production deployments using Azure Managed Identity or service principals, obtain tokens using the Azure CLI or SDK (
az account get-access-token --resource https://cognitiveservices.azure.com) and pass them via environment variable. Token refresh is your responsibility — Keeptrusts reads the env var on each request.Supported Models
The following models can be deployed in Azure OpenAI and proxied through Keeptrusts:
| Model | Context Window | Notes |
|---|---|---|
gpt-4o | 128K | Most capable Azure model |
gpt-4o-mini | 128K | Cost-effective, fast |
gpt-4 | 8K / 32K | Previous generation |
gpt-4-turbo | 128K | Previous generation, vision support |
gpt-35-turbo | 4K / 16K | Fastest, cheapest (Azure uses gpt-35-turbo, not gpt-3.5-turbo) |
o1 | 200K | Reasoning model |
o1-mini | 128K | Lightweight reasoning |
o3-mini | 200K | Latest reasoning, configurable effort |
text-embedding-ada-002 | 8K | Legacy embeddings |
text-embedding-3-small | 8K | Modern embeddings |
text-embedding-3-large | 8K | Highest quality embeddings |
Azure model names may differ from OpenAI (e.g.,
gpt-35-turbo vs gpt-3.5-turbo). Use the Azure deployment name or Azure model name.Client Examples
Once the gateway is running, point your client to http://localhost:8080. Clients use standard OpenAI format — Keeptrusts routes to the correct Azure deployment automatically.
- Python
- Node.js
- cURL
- Azure SDK
from openai import OpenAI
# Standard OpenAI SDK — Keeptrusts routes to Azure deployment automatically
client = OpenAI(
base_url="http://localhost:8080/v1",
api_key="unused", # auth handled by Keeptrusts via AZURE_OPENAI_API_KEY
)
response = client.chat.completions.create(
model="gpt-4o",
messages=[
{"role": "system", "content": "You are a helpful assistant."},
{"role": "user", "content": "What are the benefits of Azure AI services?"},
],
temperature=0.7,
max_tokens=512,
)
print(response.choices[0].message.content)
import OpenAI from "openai";
const client = new OpenAI({
baseURL: "http://localhost:8080/v1",
apiKey: "unused", // auth handled by Keeptrusts via AZURE_OPENAI_API_KEY
});
const response = await client.chat.completions.create({
model: "gpt-4o",
messages: [
{ role: "system", content: "You are a helpful assistant." },
{ role: "user", content: "What are the benefits of Azure AI services?" },
],
temperature: 0.7,
max_tokens: 512,
});
console.log(response.choices[0].message.content);
curl http://localhost:8080/v1/chat/completions \
-H "Content-Type: application/json" \
-d '{
"model": "gpt-4o",
"messages": [
{"role": "system", "content": "You are a helpful assistant."},
{"role": "user", "content": "What are the benefits of Azure AI services?"}
],
"temperature": 0.7,
"max_tokens": 512
}'
# You can also use the Azure OpenAI SDK directly
from openai import AzureOpenAI
client = AzureOpenAI(
azure_endpoint="http://localhost:8080",
api_key="unused",
api_version="2024-12-01-preview",
)
response = client.chat.completions.create(
model="gpt-4o-deployment", # Use your deployment name
messages=[
{"role": "system", "content": "You are a helpful assistant."},
{"role": "user", "content": "Explain Azure OpenAI."},
],
)
print(response.choices[0].message.content)
Streaming
Keeptrusts fully supports Azure OpenAI streaming. Set stream: true — policies are applied per-chunk in real time.
pack:
name: azure-openai-providers-4
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-gpt4o-stream
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
- Python
- cURL
from openai import OpenAI
client = OpenAI(base_url="http://localhost:8080/v1", api_key="unused")
stream = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Write a poem about cloud computing."}],
stream=True,
)
for chunk in stream:
if chunk.choices[0].delta.content:
print(chunk.choices[0].delta.content, end="", flush=True)
curl http://localhost:8080/v1/chat/completions \
-H "Content-Type: application/json" \
-N \
-d '{
"model": "gpt-4o",
"messages": [{"role": "user", "content": "Write a poem about cloud computing."}],
"stream": true
}'
Advanced Configuration
Multi-Region Failover
Deploy targets across Azure regions for high availability and data residency:
pack:
name: azure-openai-providers-5
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-eastus-primary
provider: azure-openai
model: gpt-4o
base_url: https://my-resource-eastus.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY_EASTUS
- id: azure-westeurope-failover
provider: azure-openai
model: gpt-4o
base_url: https://my-resource-westeurope.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY_WESTEUROPE
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
Data Residency
Azure OpenAI processes data within the region where your resource is created. Use multi-region targets to enforce geographic routing:
pack:
name: azure-openai-providers-6
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-eu-only
provider: azure-openai
model: gpt-4o
base_url: https://my-resource-westeurope.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY_EU
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
Azure OpenAI never uses customer data for model training. Set
training_opt_out: true to document this in your audit trail.Azure Content Filtering Integration
Azure OpenAI includes built-in content filtering. When enabled, filtered responses return HTTP 400 with an innererror.code of "ResponsibleAIPolicyViolation". Keeptrusts logs these as policy enforcement events alongside its own policy chain results, giving you unified audit visibility.
No additional configuration is required — Keeptrusts preserves Azure's content filter information in the response and audit logs.
Cross-Provider Fallback
Use Azure OpenAI as primary with standard OpenAI as fallback:
pack:
name: azure-openai-providers-7
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-primary
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
- id: openai-fallback
provider: openai
model: gpt-4o
secret_key_ref:
env: OPENAI_API_KEY
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
Circuit Breaker
Temporarily remove unhealthy Azure targets from rotation:
pack:
name: azure-openai-providers-8
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-gpt4o
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
Retry Policy
Retry transient failures (429 rate limit, 5xx server errors):
pack:
name: azure-openai-providers-9
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-gpt4o
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
Zero Data Retention
Azure OpenAI supports abuse-monitoring opt-out for approved customers. Combine with Keeptrusts's ZDR enforcement:
pack:
name: azure-openai-providers-10
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-zdr
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
A/B Testing Across Deployments
Route traffic across different Azure model deployments:
pack:
name: azure-openai-providers-11
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-gpt4o-full
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
- id: azure-gpt4o-mini
provider: azure-openai
model: gpt-4o-mini
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
Rate Limiting
Enforce per-provider request rate limits:
pack:
name: azure-openai-providers-12
version: 1.0.0
enabled: true
providers:
targets:
- id: azure-gpt4o
provider: azure-openai
model: gpt-4o
base_url: https://my-resource.openai.azure.com
secret_key_ref:
env: AZURE_OPENAI_API_KEY
policies:
chain:
- audit-logger
policy:
audit-logger:
immutable: true
retention_days: 365
log_all_access: true
Azure OpenAI vs OpenAI
| Feature | Azure OpenAI | OpenAI |
|---|---|---|
| Auth | API key (api-key header) or Azure AD | Bearer token |
| URL structure | Resource + deployment based | Fixed api.openai.com |
| API versioning | Required api-version parameter | Implicit |
| Data residency | Regional (your Azure subscription) | US-based |
| Content filtering | Built-in, always-on | Separate moderation API |
| SLA | Enterprise SLA available | Best-effort |
| Training | Never trains on your data | Opt-out available |
| Compliance | SOC 2, HIPAA, FedRAMP, etc. | SOC 2 |
Best Practices
- Always set
api_key_header: "api-key"andapi_key_prefix: ""— Azure uses a different auth header format than OpenAI. - Set
azure_api_versionexplicitly — Azure requires it and different versions have different feature sets. - Use
azure_deploymentto let Keeptrusts construct the correct URL path — avoids manual path construction. - Enable health probes for multi-region failover so routing strategies can react to regional Azure outages.
- Use
data_policyto document Azure's built-in data protections in your audit trail. - Prefer
fallbackstrategy with multi-region for production — combine East US and West Europe targets for geo-redundancy. - Separate API keys per region — use distinct
secret_key_refvalues for each Azure region. - Declare
pricingfor cost tracking — Azure pricing differs from OpenAI and varies by region. - Consider Azure AD / Entra ID for production — managed identity eliminates API key rotation concerns.
- Monitor Azure content filter results alongside Keeptrusts policies for comprehensive compliance visibility.
For AI systems
- Canonical terms: Keeptrusts gateway, Azure OpenAI, Azure OpenAI Service, deployment, provider target, policy-config.yaml,
provider: "azure-openai", Entra ID, Azure AD. - Config field names:
provider,model,base_url,secret_key_ref.env,api_key_header: "api-key",api_key_prefix: "",azure_api_version,azure_deployment,format: "openai",provider_type: "azure-openai",data_policy. - Auth: API key via
api-keyheader (no Bearer prefix) or Azure AD / Entra ID OAuth2 with managed identity. - URL structure:
https://<resource>.openai.azure.com/openai/deployments/<deployment>/...withapi-versionquery parameter. - Best next pages: AWS Bedrock integration, OpenAI integration, Provider routing.
For engineers
- Prerequisites: Azure OpenAI resource with model deployed, API key or Entra ID credentials,
ktCLI installed. - Required env var:
AZURE_OPENAI_API_KEY. Setazure_deploymentto your deployment name andazure_api_versionto a supported version (e.g.,2024-12-01-preview). - Start command:
kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml. - Validate:
curl http://localhost:8080/v1/chat/completions -H 'Content-Type: application/json' -d '{"model":"gpt-4o","messages":[{"role":"user","content":"hello"}]}'. - Azure uses
api-keyheader (notAuthorization: Bearer) — this is auto-detected whenprovider: "azure-openai". - For managed identity auth, omit
secret_key_refand configureazure_auth: "managed_identity"with the appropriate client ID.
For leaders
- Azure OpenAI provides data residency within Azure regions and supports zero data retention — customer data is not used for training.
- Entra ID / managed identity eliminates API key rotation overhead and integrates with existing Azure RBAC governance.
- Azure's built-in content filtering runs alongside Keeptrusts policies for defense-in-depth compliance.
- Deployment-based routing enables separate cost centers, rate limits, and access controls per model deployment.
- Consider Azure Private Link for traffic that must never traverse the public internet.
Next steps
- AWS Bedrock integration — alternative cloud-hosted LLM with SigV4 auth
- OpenAI integration — direct OpenAI API access
- Provider routing strategies — multi-deployment routing and failover
- Policy configuration — prompt-injection, PII, and safety policy reference
- Quickstart — install
ktand run your first gateway