microsoft · WilliamBerryiii · Apr 15, 2026 · Mar 25, 2026 · Apr 1, 2026 · Apr 1, 2026
diff --git a/evaluation/.amlignore b/evaluation/.amlignore
@@ -0,0 +1,42 @@
+# Azure ML ignore file - uses gitignore syntax
+# Place in code root to exclude files from job snapshots
+
+# Python bytecode and cache
+__pycache__/
+*.py[cod]
+*$py.class
+*.pyc
+*.pyo
+
+# Virtual environments
+.venv/
+venv/
+env/
+.env/
+
+# Testing and coverage
+.pytest_cache/
+.mypy_cache/
+.coverage
+htmlcov/
+*.cover
+
+# Build artifacts
+*.egg-info/
+dist/
+build/
+*.egg
+
+# IDE and editor files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Temp folders used in OSMO jobs
+.tmp/
diff --git a/evaluation/sil/scripts/submit-azureml-validation.sh b/evaluation/sil/scripts/submit-azureml-validation.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Submit Azure ML validation job using training/rl/ as the code directory
+# Submit Azure ML validation job using evaluation/ as the code directory
 # The .amlignore file controls which files are excluded from the code snapshot
 set -o errexit -o nounset
 
@@ -108,7 +108,7 @@ subscription_id="${AZURE_SUBSCRIPTION_ID:-$(get_subscription_id)}"
 resource_group="${AZURE_RESOURCE_GROUP:-$(get_resource_group)}"
 workspace_name="${AZUREML_WORKSPACE_NAME:-$(get_azureml_workspace)}"
 
-job_file="$REPO_ROOT/workflows/azureml/validate.yaml"
+job_file="$REPO_ROOT/evaluation/sil/workflows/azureml/validate.yaml"
 compute="${AZUREML_COMPUTE:-$(get_compute_target)}"
 instance_type="gpuspot"
 experiment_name=""
@@ -165,9 +165,9 @@ if [[ -z "$model_name" ]]; then
   info "Auto-derived model name: $model_name"
 fi
 
-code_path="$REPO_ROOT"
-[[ -d "$code_path/training" ]] || fatal "Training source not found: $code_path/training"
-[[ -f "$code_path/training/.amlignore" ]] || warn "No .amlignore found; __pycache__ may be included in snapshot"
+code_path="$REPO_ROOT/evaluation"
+[[ -d "$code_path/sil" ]] || fatal "SIL evaluation source not found: $code_path/sil"
+[[ -f "$code_path/.amlignore" ]] || warn "No evaluation/.amlignore found; the AML snapshot may include unrelated files"
 
 if [[ "$config_preview" == "true" ]]; then
   section "Configuration Preview"
@@ -267,8 +267,10 @@ cmd="$cmd --success-threshold \${{inputs.success_threshold}}"
 
 [[ "$headless" == "true" ]] && cmd="$cmd --headless"
 
+# AML snapshots evaluation/ as the code root, so recreate the top-level evaluation path
+# expected by the shell entrypoint and Python imports inside the job container.
 az_args+=(
-  --set "command=bash training/scripts/validate.sh $cmd"
+  --set "command=if [ ! -e evaluation ]; then ln -s . evaluation; fi && bash evaluation/sil/validate.sh $cmd"
   --set "inputs.task=${task:-auto}"
   --set "inputs.framework=${framework:-auto}"
   --set "inputs.success_threshold=${threshold:--1.0}"

diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
@@ -5,7 +5,6 @@
  * and optional Azure Machine Learning integration.
  *
  * Architecture:
- *
  * - Platform Module: Shared services (networking, security, observability, ACR, storage, ML workspace)
  * - SiL Module: AKS cluster with GPU node pools and ML extension integration
  */
@@ -80,6 +79,7 @@ module "platform" {
 
   // Networking configuration
   should_enable_nat_gateway = var.should_enable_nat_gateway
+  nat_gateway_zones         = var.nat_gateway_zones
   should_create_vm_subnet   = var.should_create_vm_subnet
   virtual_network_config = {
     address_space                  = var.virtual_network_config.address_space

diff --git a/infrastructure/terraform/modules/platform/networking.tf b/infrastructure/terraform/modules/platform/networking.tf
@@ -84,7 +84,7 @@ resource "azurerm_public_ip" "nat_gateway" {
   resource_group_name = var.resource_group.name
   allocation_method   = "Static"
   sku                 = "Standard"
-  zones               = ["1"]
+  zones               = var.nat_gateway_zones
 
   lifecycle {
     ignore_changes = [ip_tags]
@@ -100,7 +100,7 @@ resource "azurerm_nat_gateway" "main" {
   resource_group_name     = var.resource_group.name
   sku_name                = "Standard"
   idle_timeout_in_minutes = 10
-  zones                   = ["1"]
+  zones                   = var.nat_gateway_zones
 }
 
 // NAT Gateway Public IP Association

diff --git a/infrastructure/terraform/modules/platform/tests/validation.tftest.hcl b/infrastructure/terraform/modules/platform/tests/validation.tftest.hcl
@@ -0,0 +1,138 @@
+// Platform module variable validation tests
+// Validates that invalid nat_gateway_zones values are rejected by validation blocks
+
+mock_provider "azurerm" {}
+mock_provider "azuread" {}
+mock_provider "azapi" {}
+mock_provider "random" {}
+
+override_data {
+  target = data.azurerm_client_config.current
+  values = {
+    tenant_id = "00000000-0000-0000-0000-000000000000"
+  }
+}
+
+variables {
+  current_user_oid = "00000000-0000-0000-0000-000000000001"
+}
+
+run "setup" {
+  module {
+    source = "./tests/setup"
+  }
+}
+
+// ============================================================
+// NAT Gateway Zones — Invalid Zone Value
+// ============================================================
+
+run "nat_gateway_zones_invalid_zone_rejected" {
+  command = plan
+
+  variables {
+    resource_prefix   = run.setup.resource_prefix
+    environment       = run.setup.environment
+    instance          = run.setup.instance
+    location          = run.setup.location
+    resource_group    = run.setup.resource_group
+    current_user_oid  = run.setup.current_user_oid
+    nat_gateway_zones = ["4"]
+  }
+
+  expect_failures = [var.nat_gateway_zones]
+}
+
+// ============================================================
+// NAT Gateway Zones — Non-numeric Value
+// ============================================================
+
+run "nat_gateway_zones_non_numeric_rejected" {
+  command = plan
+
+  variables {
+    resource_prefix   = run.setup.resource_prefix
+    environment       = run.setup.environment
+    instance          = run.setup.instance
+    location          = run.setup.location
+    resource_group    = run.setup.resource_group
+    current_user_oid  = run.setup.current_user_oid
+    nat_gateway_zones = ["abc"]
+  }
+
+  expect_failures = [var.nat_gateway_zones]
+}
+
+// ============================================================
+// NAT Gateway Zones — Duplicate Zones
+// ============================================================
+
+run "nat_gateway_zones_duplicates_rejected" {
+  command = plan
+
+  variables {
+    resource_prefix   = run.setup.resource_prefix
+    environment       = run.setup.environment
+    instance          = run.setup.instance
+    location          = run.setup.location
+    resource_group    = run.setup.resource_group
+    current_user_oid  = run.setup.current_user_oid
+    nat_gateway_zones = ["1", "1"]
+  }
+
+  expect_failures = [var.nat_gateway_zones]
+}
+
+// ============================================================
+// NAT Gateway Zones — Valid Single Zone
+// ============================================================
+
+run "nat_gateway_zones_single_zone_accepted" {
+  command = plan
+
+  variables {
+    resource_prefix   = run.setup.resource_prefix
+    environment       = run.setup.environment
+    instance          = run.setup.instance
+    location          = run.setup.location
+    resource_group    = run.setup.resource_group
+    current_user_oid  = run.setup.current_user_oid
+    nat_gateway_zones = ["2"]
+  }
+}
+
+// ============================================================
+// NAT Gateway Zones — Valid Multiple Zones
+// ============================================================
+
+run "nat_gateway_zones_multiple_zones_accepted" {
+  command = plan
+
+  variables {
+    resource_prefix   = run.setup.resource_prefix
+    environment       = run.setup.environment
+    instance          = run.setup.instance
+    location          = run.setup.location
+    resource_group    = run.setup.resource_group
+    current_user_oid  = run.setup.current_user_oid
+    nat_gateway_zones = ["1", "2", "3"]
+  }
+}
+
+// ============================================================
+// NAT Gateway Zones — Empty List (No AZ Support)
+// ============================================================
+
+run "nat_gateway_zones_empty_accepted" {
+  command = plan
+
+  variables {
+    resource_prefix   = run.setup.resource_prefix
+    environment       = run.setup.environment
+    instance          = run.setup.instance
+    location          = run.setup.location
+    resource_group    = run.setup.resource_group
+    current_user_oid  = run.setup.current_user_oid
+    nat_gateway_zones = []
+  }
+}
diff --git a/infrastructure/terraform/modules/platform/variables.tf b/infrastructure/terraform/modules/platform/variables.tf
@@ -25,6 +25,25 @@ variable "should_enable_nat_gateway" {
   default     = true
 }
 
+// WARNING: Changing zones on an existing deployment forces replacement of both the
+// NAT Gateway and its Public IP. This causes a brief outbound connectivity interruption
+// while Azure provisions new resources. Plan changes during a maintenance window.
+variable "nat_gateway_zones" {
+  type        = list(string)
+  description = "Availability zones for NAT Gateway and its public IP. Leave empty for regions without AZ support"
+  default     = ["1"]
+
+  validation {
+    condition     = alltrue([for z in var.nat_gateway_zones : contains(["1", "2", "3"], z)])
+    error_message = "Each zone must be \"1\", \"2\", or \"3\""
+  }
+
+  validation {
+    condition     = length(var.nat_gateway_zones) == length(distinct(var.nat_gateway_zones))
+    error_message = "nat_gateway_zones must not contain duplicates"
+  }
+}
+
 variable "should_create_vm_subnet" {
   type        = bool
   description = "Whether to create a dedicated subnet for virtual machines in the platform virtual network"

diff --git a/infrastructure/terraform/terraform.tfvars.example b/infrastructure/terraform/terraform.tfvars.example
@@ -85,6 +85,15 @@ node_pools = {
 //   }
 // }
 
+// NAT Gateway Availability Zones
+// Set to ["1"] in AZ-supported regions (e.g. westus3, eastus2)
+// Leave empty for regions without AZ support (e.g. westus)
+// NOTE: Changing zones on an existing deployment forces replacement of both the NAT Gateway
+// and its Public IP. To preserve existing zonal behavior, set nat_gateway_zones to your current
+// zone (e.g. ["1"]) explicitly before applying. Run `terraform plan` to confirm no unintended
+// NAT/Public IP recreation.
+nat_gateway_zones = []
+
 // OSMO Backend Services
 should_deploy_postgresql = true
 should_deploy_redis      = true

diff --git a/infrastructure/terraform/variables.tf b/infrastructure/terraform/variables.tf
@@ -275,6 +275,15 @@ variable "should_enable_nat_gateway" {
   default     = true
 }
 
+// WARNING: Changing zones on an existing deployment forces replacement of both the
+// NAT Gateway and its Public IP. This causes a brief outbound connectivity interruption
+// while Azure provisions new resources. Plan changes during a maintenance window.
+variable "nat_gateway_zones" {
+  type        = list(string)
+  description = "Availability zones for NAT Gateway and its public IP. Set to [\"1\"] in regions with AZ support. Leave empty for regions without AZ support (e.g. westus)"
+  default     = ["1"]
+}
+
 variable "should_create_vm_subnet" {
   type        = bool
   description = "Whether to create a dedicated subnet for virtual machines in the platform virtual network"