Ask anything about infrastructure.
Infrastructure Department agent for Cloud, Tools, Network, and Hosting.
Infrastructure Department agent can make mistakes. This service is in preview.
IU has a lot of information.
The agent keeps it behind one calm entry point. Cloud is available now; Tools, Network, and Hosting are coming soon.
Cloud
Available now for platforms, landing zones, accounts, identity, cost, and compliance posture.
Tools
Coming soon.
Network
Coming soon.
Hosting
Coming soon.
And more
Sign in to model answer.
A Scania user signs in, asks a question, protected backend services call the agent, and the model answer streams back.
How the deployed agent works.
The runtime is a static SPA at the edge with Entra-protected APIs behind CloudFront, WAF, API Gateway, Lambda, and OpenAI.
User
A Scania user opens the browser app and signs in if needed.
SPA gets tokens
MSAL uses Entra auth-code + PKCE to get API access tokens.
AWS edge routes
CloudFront serves the SPA and routes API calls through WAF.
APIs are checked
API Gateway authorizers validate Entra tokens; Lambdas verify CloudFront origin.
AWS Lambdas run
Chat streams from Node; dictation gets an S3 upload URL and then transcribes audio.
OpenAI model calls
OpenAI returns streamed answers and speech-to-text results.
Future MCP/domain tools
Planned MCP servers can attach domain systems after the core app path.
SPA sign-in session
The browser runs the static app, signs in through Entra ID when needed, and keeps API tokens separate from direct S3 uploads.
CDK writes non-secret tenant, client, authority, API scope, and Graph scope config into the deployed frontend bucket.
Chat and transcription API calls include Entra access tokens. The presigned S3 PUT for audio receives no Entra token.
CloudFront serves the app and gates API traffic
Route 53 and ACM bring users to CloudFront. WAF protects the edge, and S3 stays private behind Origin Access Control.
CloudFront serves the SPA from a private S3 bucket with OAC and SPA fallback to index.html.
CloudFront forwards chat to the REST API stage and injects the origin verification header.
After the /api/chat behavior is matched separately, transcription and upload-ticket calls go to the HTTP API.
API requests get token and origin checks
A shared Lambda authorizer validates Entra access tokens. Lambda handlers also reject requests that did not come through CloudFront.
Validates RS256 signature, issuer, tenant ID, audience, scope, expiration, not-before time, and principal.
CloudFront adds a private header to API origin requests. Direct API Gateway calls fail before reaching OpenAI.
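The checks listed above, sketched as an added example (not the deployed authorizer's code). It assumes the RS256 signature has already been verified by a JWT library against the tenant's signing keys and covers the remaining claim checks plus the CloudFront origin header check. The header name, scope, audience, tenant ID and secret are constructed placeholders; the claim names (`iss`, `tid`, `aud`, `scp`, `exp`, `nbf`, `oid`/`sub`) are the standard Entra access-token claims.

```python
import hmac
# Every value below is a constructed placeholder, not the deployed configuration.
TENANT = "00000000-0000-0000-0000-000000000001"
CONFIG = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "tenant_id": TENANT,
    "audience": "api://example-agent-api",
    "required_scope": "chat.access",
    "origin_header": "x-origin-verify",  # hypothetical header name
    "origin_secret": "constructed-shared-secret",
    "leeway": 60,  # seconds of tolerated clock skew
}
# Constructed claims, as decoded after the RS256 signature has been verified.
SAMPLE = {"iss": CONFIG["issuer"], "tid": TENANT, "aud": CONFIG["audience"], "oid": "user-1",
          "scp": "chat.access", "exp": 1700003600, "nbf": 1700000000}

def check_claims(claims, cfg, now):
    """Return the list of failed checks; an empty list means the claims pass."""
    errors = []
    if claims.get("iss") != cfg["issuer"]:
        errors.append("issuer")
    if claims.get("tid") != cfg["tenant_id"]:
        errors.append("tenant")
    if claims.get("aud") != cfg["audience"]:
        errors.append("audience")
    # Entra delegated scopes arrive as one space-separated string in "scp".
    if cfg["required_scope"] not in str(claims.get("scp", "")).split():
        errors.append("scope")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now >= exp + cfg["leeway"]:
        errors.append("expired")
    if not isinstance(nbf, (int, float)) or now < nbf - cfg["leeway"]:
        errors.append("not-yet-valid")
    if not (claims.get("oid") or claims.get("sub")):
        errors.append("principal")
    return errors

def came_through_cloudfront(headers, cfg):
    """Compare the injected header in constant time; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = str(lowered.get(cfg["origin_header"], ""))
    return hmac.compare_digest(presented.encode(), cfg["origin_secret"].encode())

def authorize(claims, headers, cfg, now):
    """Fail closed: deny unless the origin check and every claim check pass."""
    if not came_through_cloudfront(headers, cfg):
        return {"allow": False, "reasons": ["origin"]}
    reasons = check_claims(claims, cfg, now)
    return {"allow": not reasons, "reasons": reasons}
```

Returning the failed check names makes denials easy to log and alert on without echoing token contents.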
Separate paths for streaming chat and dictation
Chat uses response streaming. Dictation uses short-lived S3 uploads before transcription to avoid large audio bodies through the WAF/API path.
REST API invokes the Node.js Lambda with response streaming for text chat requests.
HTTP API returns a short-lived S3 presigned PUT URL for the browser-recorded audio blob.
Python Lambda reads the uploaded object and sends audio to OpenAI speech-to-text, then the browser can submit the text to chat.
OpenAI provides chat and speech services
Backend Lambdas read the OpenAI API key from Secrets Manager and call only the model APIs needed for the user action.
Returns streamed answer text, response IDs for follow-ups, sources, and trace activity.
Transcribes uploaded microphone recordings into editable prompt text before the chat request is sent.
Security controls in the request path
Domain tools plug in after the core path
The interface is designed around domain-specific tool targets. These are shown as planned integration points rather than current production dependencies.
MCP Cloud
MCP Tools
MCP Network
MCP Hosting
Answers without hunting.
Short answers for the questions people ask before they trust, verify, or reset the agent.
01 Ask What can I ask the agent?
Ask about infrastructure topics such as cloud onboarding, account roles, architecture, platform guidance, and where to find internal documentation.
02 Context How do I get a better answer?
Include the platform, environment, team context, and what you are trying to decide. Specific questions usually produce more useful answers.
03 Sources What do source links mean?
Sources are links the answer used or recommends for verification. Open them when you need official wording, owner pages, or deeper procedures.
04 Verify Why do some answers not show sources?
Some answers rely on conversation context or general guidance. For decisions, ask the agent to find official sources.
05 Cloud Where do I start with cloud onboarding?
Start with the mandatory Cloud Onboarding guidance, then follow the platform-specific path for AWS or Azure.
Quick answers before you ask.
Common questions about using the agent, reading sources, and finding infrastructure guidance.
Getting started
How to use the assistant and shape better questions.
What can I ask the agent?
Ask about infrastructure topics such as cloud onboarding, account roles, architecture, platform guidance, and where to find internal documentation.
How do I get a better answer?
Include the platform, environment, team context, and what you are trying to decide. A concrete question usually produces a more useful answer than a broad keyword.
How do I start over?
Use New chat from the rail or header. It clears the current conversation view and focuses the prompt so you can begin with a clean question.
Sources
How to read source links and understand missing citations.
What does Sources mean?
Sources are links the answer used or recommends for verification. Open them when you need the official wording, owner page, or deeper procedure.
Why do some answers not show sources?
Some answers are based on general guidance, conversation context, or generated reasoning rather than a specific retrieved page. For decisions, ask the agent to find official sources.
How should I verify a source?
Check the page owner, date, and whether the page matches your platform or environment. If a link looks wrong, ask for a more specific source.
Cloud
Common starting points for cloud onboarding and roles.
Where do I start with cloud onboarding?
Start with the mandatory Cloud Onboarding guidance, then follow the platform-specific path for AWS or Azure. Ask the agent for the onboarding path you need.
Which cloud roles are usually needed?
Typical cloud ownership involves Account Owner, Cloud Lead, and Security Lead responsibilities. The exact requirement depends on the platform and account setup.
Can I ask about both AWS and Azure?
Yes. Mention the platform in the question so the agent can separate AWS, Azure, and general cloud foundation guidance.
Architecture
How the frontend, authentication, APIs, and OpenAI calls fit together.
Where does authentication happen?
The browser signs in with Entra ID. Backend APIs validate the access token before handling chat or transcription requests.
Does the browser call OpenAI directly?
No. The browser calls protected backend APIs, and the backend reads secrets and calls OpenAI. This keeps API keys out of the client.
What does the Architecture page show?
It shows the deployed flow from browser to CloudFront, API Gateway, Lambda, and OpenAI, plus the planned domain integration points.
Settings
Theme, profile, and account controls in one place.
Where do I change theme?
Open the profile menu and choose Settings. You can use system theme, light mode, or dark mode.
What is in the profile menu?
The profile menu contains account actions such as Settings and sign out. On desktop it opens from the bottom of the rail.
Do settings change my account?
Appearance settings are local to the browser. Signing out clears the active session but does not change your Microsoft account.