diff --git a/azure/anf.tf b/azure/anf.tf
new file mode 100644
index 0000000..00440bb
--- /dev/null
+++ b/azure/anf.tf
@@ -0,0 +1,51 @@
+resource "azurerm_netapp_account" "anf" {
+ name = "anf-${local.cluster_id}"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ lifecycle {
+ ignore_changes = [
+ tags
+ ]
+ }
+}
+
+resource "azurerm_netapp_pool" "anfpool" {
+ name = "anfpool"
+ account_name = azurerm_netapp_account.anf.name
+ location = azurerm_netapp_account.anf.location
+ resource_group_name = azurerm_netapp_account.anf.resource_group_name
+ service_level = "Standard" # local.homefs_service_level
+ size_in_tb = 4 # local.homefs_size_tb
+ lifecycle {
+ ignore_changes = [
+ tags
+ ]
+ }
+}
+resource "azurerm_netapp_volume" "shared" {
+ name = "shared"
+ location = azurerm_netapp_account.anf.location
+ resource_group_name = azurerm_netapp_account.anf.resource_group_name
+ account_name = azurerm_netapp_account.anf.name
+ pool_name = azurerm_netapp_pool.anfpool.name
+ volume_path = "shared"
+ service_level = "Standard"
+ subnet_id = azurerm_subnet.netapp.id
+ protocols = ["NFSv3"]
+ security_style = "Unix"
+ storage_quota_in_gb = 4 * 1024
+
+ export_policy_rule {
+ rule_index = 1
+ allowed_clients = [ "0.0.0.0/0" ]
+ unix_read_write = true
+ protocols_enabled = [ "NFSv3" ]
+ root_access_enabled = true
+ }
+ lifecycle {
+ ignore_changes = [
+ tags
+ ]
+ }
+}
diff --git a/azure/compute.tf b/azure/compute.tf
new file mode 100644
index 0000000..0bac4e1
--- /dev/null
+++ b/azure/compute.tf
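Review bot: The `export_policy_rule` on `azurerm_netapp_volume.shared` exports the NFSv3 volume with `allowed_clients = [ "0.0.0.0/0" ]` and `root_access_enabled = true`, so every host that can route to the delegated subnet gets read-write access with root not squashed. Reachability is limited to the VNet, but the rule should still name the cluster's own subnet, e.g. `allowed_clients = azurerm_subnet.subnet.address_prefixes`, and if `root_access_enabled` has to stay on it deserves a comment stating why (presumably so provisioning can create home directories as root). Separately, `service_level = "Standard"` and `size_in_tb = 4` carry comments pointing at `local.homefs_service_level` and `local.homefs_size_tb` without using them, and the volume repeats `"Standard"` and `4 * 1024` by hand; wiring pool and volume to the same locals would keep the two from drifting apart.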
@@ -0,0 +1,110 @@
+resource "tls_private_key" "internal" {
+ algorithm = "RSA"
+ rsa_bits = 2048 # This is the default
+}
+
+resource "local_file" "private_key" {
+ content = tls_private_key.internal.private_key_pem
+ filename = "${path.cwd}/${local.admin_username}_id_rsa"
+ file_permission = "0600"
+}
+
+resource "local_file" "public_key" {
+ content = tls_private_key.internal.public_key_openssh
+ filename = "${path.cwd}/${local.admin_username}_id_rsa.pub"
+ file_permission = "0644"
+}
+
+resource "azurerm_public_ip" "mgmt-pip" {
+ name = "mgmt-pip"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ allocation_method = "Static"
+}
+
+resource "azurerm_network_interface" "mgmt-nic" {
+ name = "mgmt-nic"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.subnet.id
+ private_ip_address_allocation = "Dynamic"
+ public_ip_address_id = azurerm_public_ip.mgmt-pip.id
+ }
+}
+
+locals {
+ custom_data = data.template_file.bootstrap-script.rendered
+ }
+
+
+resource "azurerm_linux_virtual_machine" "mgmt" {
+ name = "mgmt"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ size = "Standard_D4s_v3"
+ admin_username = "${local.admin_username}"
+ network_interface_ids = [
+ azurerm_network_interface.mgmt-nic.id,
+ ]
+
+ admin_ssh_key {
+ username = "${local.admin_username}"
+ public_key = tls_private_key.internal.public_key_openssh #file("~/.ssh/id_rsa.pub")
+ }
+
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ source_image_reference {
+ publisher = "OpenLogic"
+ offer = "CentOS"
+ sku = "8_4-gen2"
+ version = "latest"
+ }
+
+ provisioner "file" {
+ destination = "/tmp/startnode.yaml"
+ content = data.template_file.startnode-yaml.rendered
+
+ connection {
+ type = "ssh"
+ user = "centos"
+ private_key = tls_private_key.internal.private_key_pem
+ host = azurerm_public_ip.mgmt-pip.ip_address
+ }
+ }
+
+ provisioner "file" {
+ destination = "/tmp/shapes.yaml"
+ source = "${path.module}/files/shapes.yaml"
+
+ connection {
+ type = "ssh"
+ user = "centos"
+ private_key = tls_private_key.internal.private_key_pem
+ host = azurerm_public_ip.mgmt-pip.ip_address
+ }
+ }
+
+ custom_data = base64encode(local.custom_data)
+}
+
+
+resource "azurerm_role_assignment" "role_assignment" {
+ scope = azurerm_resource_group.rg.id
+ role_definition_name = "Contributor"
+ principal_id = "${lookup(azurerm_linux_virtual_machine.mgmt.identity[0], "principal_id")}"
+
+ lifecycle {
+ ignore_changes = [name]
+ }
+}
diff --git a/azure/data-sources.tf b/azure/data-sources.tf
new file mode 100644
index 0000000..fd5b438
--- /dev/null
+++ b/azure/data-sources.tf
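Review bot: The private key from `tls_private_key.internal` is written to `${path.cwd}/${local.admin_username}_id_rsa` through a plain `local_file`, so its PEM appears in plan output in addition to being kept in Terraform state with the key resource itself; if the local provider in use provides it, `resource "local_sensitive_file" "private_key"` keeps the content out of plan output, and the state backend has to be treated as holding an SSH private key either way. Both `connection` blocks hard-code `user = "centos"` while `admin_ssh_key` installs the key only for `local.admin_username`, so the file provisioners cannot authenticate unless that local is exactly "centos"; `user = local.admin_username` keeps them in step. `azurerm_role_assignment.role_assignment` grants the VM's managed identity Contributor over the whole resource group, presumably so the management node can create compute nodes, but a comment saying so would help, since a compromise of this public-IP host inherits that scope. As a style point, `principal_id = azurerm_linux_virtual_machine.mgmt.identity[0].principal_id` replaces the legacy `"${lookup(...)}"` wrapping used here and on `admin_username`.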
@@ -0,0 +1,32 @@
+data "template_file" "bootstrap-script" {
+ template = file("${path.module}/../common-files/bootstrap.sh.tpl")
+ vars = {
+ ansible_repo = var.ansible_repo
+ ansible_branch = var.ansible_branch
+ cloud-platform = "azure"
+ fileserver-ip = element(azurerm_netapp_volume.shared.mount_ip_addresses, 0)
+ custom_block = templatefile("${path.module}/files/bootstrap_custom.sh.tpl", {
+ dns_zone = azurerm_private_dns_zone.citc.name
+ citc_keys = var.admin_public_keys
+ })
+ mgmt_hostname: local.mgmt_hostname
+ citc_keys = var.admin_public_keys
+ }
+}
+
+data "template_file" "startnode-yaml" {
+ template = file("${path.module}/files/startnode.yaml.tpl")
+ vars = {
+ cloud-platform = "azure"
+ ansible_repo = var.ansible_repo
+ ansible_branch = var.ansible_branch
+ region = var.region
+ resource_group = azurerm_resource_group.rg.name
+ subnet = azurerm_subnet.subnet.id
+ virtual_network = azurerm_virtual_network.vnet.name
+ virtual_network_subnet = azurerm_subnet.subnet.name
+ subscription = data.azurerm_subscription.primary.subscription_id
+ dns_zone = azurerm_private_dns_zone.citc.name
+ cluster_id: local.cluster_id
+ }
+}
diff --git a/azure/dns.tf b/azure/dns.tf
new file mode 100644
index 0000000..7da8ad3
--- /dev/null
+++ b/azure/dns.tf
@@ -0,0 +1,20 @@
+resource "azurerm_private_dns_zone" "citc" {
+ name = "citc.zone"
+ resource_group_name = azurerm_resource_group.rg.name
+}
+
+resource "azurerm_private_dns_a_record" "fileserver" {
+ name = "fileserver"
+ zone_name = azurerm_private_dns_zone.citc.name
+ resource_group_name = azurerm_resource_group.rg.name
+ ttl = 300
+ records = azurerm_netapp_volume.shared.mount_ip_addresses
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "citc" {
+ name = "citc"
+ resource_group_name = azurerm_resource_group.rg.name
+ private_dns_zone_name = azurerm_private_dns_zone.citc.name
+ virtual_network_id = azurerm_virtual_network.vnet.id
+ registration_enabled = true
+}
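Review bot: The `vars` maps mix `=` and `:` on `mgmt_hostname: local.mgmt_hostname` and `cluster_id: local.cluster_id`; HCL accepts both inside an object, but every other line uses `=` and the block reads as uniform only with `mgmt_hostname = local.mgmt_hostname` and `cluster_id = local.cluster_id`. The same `bootstrap-script` block renders its inner `custom_block` with the `templatefile()` function while the outer template still goes through the `template_file` data source plus `file()`, so the two styles sit side by side; a `locals` entry of the form `templatefile("${path.module}/../common-files/bootstrap.sh.tpl", { ... })` would cover both and is the form the provider documentation points to. `citc_keys = var.admin_public_keys` is passed to both the nested template and the outer one, which may be intended but is worth a one-line comment so the duplication is not "fixed" later.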
diff --git a/azure/files/bootstrap_custom.sh.tpl b/azure/files/bootstrap_custom.sh.tpl
new file mode 100644
index 0000000..b1714ba
--- /dev/null
+++ b/azure/files/bootstrap_custom.sh.tpl
@@ -0,0 +1,15 @@
+# This allows the user to log into the centos provisioning account
+# with their provided keys. This is needed to debug if,
+# for example,ansible fails to run.
+cat >> /home/centos/.ssh/authorized_keys <