diff --git a/data/data/azure/bootstrap/main.tf b/data/data/azure/bootstrap/main.tf
new file mode 100644
index 00000000000..09e65359b3e
--- /dev/null
+++ b/data/data/azure/bootstrap/main.tf
@@ -0,0 +1,160 @@
+locals {
+  bootstrap_nic_ip_configuration_name = "bootstrap-nic-ip"
+  ssh_nat_rule_id                     = var.ssh_nat_rule_id
+}
+
+resource "random_string" "storage_suffix" {
+  length  = 5
+  upper   = false
+  special = false
+
+  keepers = {
+    # Generate a new ID only when a new resource group is defined
+    resource_group = var.resource_group_name
+  }
+}
+
+resource "azurerm_storage_account" "ignition" {
+  name                     = "ignitiondata${random_string.storage_suffix.result}"
+  resource_group_name      = var.resource_group_name
+  location                 = var.region
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+data "azurerm_storage_account_sas" "ignition" {
+  connection_string = azurerm_storage_account.ignition.primary_connection_string
+  https_only        = true
+
+  resource_types {
+    service   = false
+    container = false
+    object    = true
+  }
+
+  services {
+    blob  = true
+    queue = false
+    table = false
+    file  = false
+  }
+
+  start  = timestamp()
+  expiry = timeadd(timestamp(), "24h")
+
+  permissions {
+    read    = true
+    list    = true
+    create  = false
+    add     = false
+    delete  = false
+    process = false
+    write   = false
+    update  = false
+  }
+}
+
+resource "azurerm_storage_container" "ignition" {
+  resource_group_name   = var.resource_group_name
+  name                  = "ignition"
+  storage_account_name  = azurerm_storage_account.ignition.name
+  container_access_type = "private"
+}
+
+resource "local_file" "ignition_bootstrap" {
+  content  = var.ignition
+  filename = "${path.module}/ignition_bootstrap.ign"
+}
+
+resource "azurerm_storage_blob" "ignition" {
+  name                   = "bootstrap.ign"
+  source                 = local_file.ignition_bootstrap.filename
+  resource_group_name    = var.resource_group_name
+  storage_account_name   = azurerm_storage_account.ignition.name
+  storage_container_name = azurerm_storage_container.ignition.name
+  type                   = "block"
+}
+
+data "ignition_config" "redirect" {
+  replace {
+    source = "${azurerm_storage_blob.ignition.url}${data.azurerm_storage_account_sas.ignition.sas}"
+  }
+}
+
+resource "azurerm_network_interface" "bootstrap" {
+  name                = "${var.cluster_id}-bootstrap-nic"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+
+  ip_configuration {
+    subnet_id                     = var.subnet_id
+    name                          = local.bootstrap_nic_ip_configuration_name
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_network_interface_nat_rule_association" "bootstrap_ssh" {
+  network_interface_id  = azurerm_network_interface.bootstrap.id
+  ip_configuration_name = local.bootstrap_nic_ip_configuration_name
+  nat_rule_id           = local.ssh_nat_rule_id
+}
+
+resource "azurerm_network_interface_backend_address_pool_association" "public_lb_bootstrap" {
+  network_interface_id    = azurerm_network_interface.bootstrap.id
+  backend_address_pool_id = var.elb_backend_pool_id
+  ip_configuration_name   = local.bootstrap_nic_ip_configuration_name
+}
+
+resource "azurerm_network_interface_backend_address_pool_association" "internal_lb_bootstrap" {
+  network_interface_id    = azurerm_network_interface.bootstrap.id
+  backend_address_pool_id = var.ilb_backend_pool_id
+  ip_configuration_name   = local.bootstrap_nic_ip_configuration_name
+}
+
+data "azurerm_subscription" "current" {
+}
+
+resource "azurerm_virtual_machine" "bootstrap" {
+  name                  = "${var.cluster_id}-bootstrap"
+  location              = var.region
+  resource_group_name   = var.resource_group_name
+  network_interface_ids = [azurerm_network_interface.bootstrap.id]
+  vm_size               = var.vm_size
+
+  delete_os_disk_on_termination    = true
+  delete_data_disks_on_termination = true
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [var.identity]
+  }
+
+  storage_os_disk {
+    name              = "${var.cluster_id}-bootstrap_OSDisk" # os disk name needs to match cluster-api convention
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Premium_LRS"
+    disk_size_gb      = 100
+  }
+
+  storage_image_reference {
+    id = "${data.azurerm_subscription.current.id}${var.vm_image}"
+  }
+
+  os_profile {
+    computer_name  = "${var.cluster_id}-bootstrap-vm"
+    admin_username = "core"
+    admin_password = "P@ssword1234!"
+    custom_data    = data.ignition_config.redirect.rendered
+  }
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+
+  boot_diagnostics {
+    enabled     = true
+    storage_uri = var.boot_diag_blob_endpoint
+  }
+}
+
diff --git a/data/data/azure/bootstrap/variables.tf b/data/data/azure/bootstrap/variables.tf
new file mode 100644
index 00000000000..e66cc45c709
--- /dev/null
+++ b/data/data/azure/bootstrap/variables.tf
@@ -0,0 +1,66 @@
+variable "vm_size" {
+  type        = string
+  description = "The SKU ID for the bootstrap node."
+}
+
+variable "vm_image" {
+  type        = string
+  description = "The resource id of the vm image used for bootstrap."
+}
+
+variable "region" {
+  type        = string
+  description = "The region for the deployment."
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The resource group name for the deployment."
+}
+
+variable "cluster_id" {
+  type        = string
+  description = "The identifier for the cluster."
+}
+
+variable "identity" {
+  type        = string
+  description = "The user assigned identity id for the vm."
+}
+
+variable "ignition" {
+  type        = string
+  description = "The content of the bootstrap ignition file."
+}
+
+variable "subnet_id" {
+  type        = string
+  description = "The subnet ID for the bootstrap node."
+}
+
+variable "elb_backend_pool_id" {
+  type        = string
+  description = "The external load balancer bakend pool id. used to attach the bootstrap NIC"
+}
+
+variable "ilb_backend_pool_id" {
+  type        = string
+  description = "The internal load balancer bakend pool id. used to attach the bootstrap NIC"
+}
+
+variable "boot_diag_blob_endpoint" {
+  type        = string
+  description = "the blob endpoint where machines should store their boot diagnostics."
+}
+
+variable "ssh_nat_rule_id" {
+  type        = string
+  description = "ssh nat rule to make the bootstrap node reachable"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "tags to be applied to created resources."
+}
+
diff --git a/data/data/azure/bootstrap/versions.tf b/data/data/azure/bootstrap/versions.tf
new file mode 100644
index 00000000000..ac97c6ac8e7
--- /dev/null
+++ b/data/data/azure/bootstrap/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/data/data/azure/dns/dns.tf b/data/data/azure/dns/dns.tf
new file mode 100644
index 00000000000..46bf564084d
--- /dev/null
+++ b/data/data/azure/dns/dns.tf
@@ -0,0 +1,63 @@
+locals {
+  // extracting "api.<clustername>" from <clusterdomain>
+  api_external_name = "api.${replace(var.cluster_domain, ".${var.base_domain}", "")}"
+}
+
+resource "azurerm_dns_zone" "private" {
+  name                           = var.cluster_domain
+  resource_group_name            = var.resource_group_name
+  zone_type                      = "Private"
+  resolution_virtual_network_ids = [var.internal_dns_resolution_vnet_id]
+}
+
+resource "azurerm_dns_cname_record" "apiint_internal" {
+  name                = "api-int"
+  zone_name           = azurerm_dns_zone.private.name
+  resource_group_name = var.resource_group_name
+  ttl                 = 300
+  record              = var.external_lb_fqdn
+}
+
+resource "azurerm_dns_cname_record" "api_internal" {
+  name                = "api"
+  zone_name           = azurerm_dns_zone.private.name
+  resource_group_name = var.resource_group_name
+  ttl                 = 300
+  record              = var.external_lb_fqdn
+}
+
+resource "azurerm_dns_cname_record" "api_external" {
+  name                = local.api_external_name
+  zone_name           = var.base_domain
+  resource_group_name = var.base_domain_resource_group_name
+  ttl                 = 300
+  record              = var.external_lb_fqdn
+}
+
+resource "azurerm_dns_a_record" "etcd_a_nodes" {
+  count               = var.etcd_count
+  name                = "etcd-${count.index}"
+  zone_name           = azurerm_dns_zone.private.name
+  resource_group_name = var.resource_group_name
+  ttl                 = 60
+  records             = [var.etcd_ip_addresses[count.index]]
+}
+
+resource "azurerm_dns_srv_record" "etcd_cluster" {
+  name                = "_etcd-server-ssl._tcp"
+  zone_name           = azurerm_dns_zone.private.name
+  resource_group_name = var.resource_group_name
+  ttl                 = 60
+
+  dynamic "record" {
+    for_each = azurerm_dns_a_record.etcd_a_nodes.*.name
+    iterator = name
+    content {
+      target   = "${name.value}.${azurerm_dns_zone.private.name}"
+      priority = 10
+      weight   = 10
+      port     = 2380
+    }
+  }
+}
+
diff --git a/data/data/azure/dns/variables.tf b/data/data/azure/dns/variables.tf
new file mode 100644
index 00000000000..bc3efdb6f97
--- /dev/null
+++ b/data/data/azure/dns/variables.tf
@@ -0,0 +1,52 @@
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "tags to be applied to created resources."
+}
+
+variable "cluster_domain" {
+  description = "The domain for the cluster that all DNS records must belong"
+  type        = string
+}
+
+variable "base_domain" {
+  description = "The base domain used for public records"
+  type        = string
+}
+
+variable "base_domain_resource_group_name" {
+  description = "The resource group where the base domain is"
+  type        = string
+}
+
+variable "external_lb_fqdn" {
+  description = "External API's LB fqdn"
+  type        = string
+}
+
+variable "internal_lb_ipaddress" {
+  description = "External API's LB Ip address"
+  type        = string
+}
+
+variable "internal_dns_resolution_vnet_id" {
+  description = "the vnet id to be attached to the private DNS zone"
+  type        = string
+}
+
+variable "etcd_count" {
+  description = "The number of etcd members."
+  type        = string
+}
+
+variable "etcd_ip_addresses" {
+  description = "List of string IPs for machines running etcd members."
+  type        = list(string)
+  default     = []
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group for the deployment"
+}
+
diff --git a/data/data/azure/dns/versions.tf b/data/data/azure/dns/versions.tf
new file mode 100644
index 00000000000..ac97c6ac8e7
--- /dev/null
+++ b/data/data/azure/dns/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/data/data/azure/main.tf b/data/data/azure/main.tf
new file mode 100644
index 00000000000..a2a31de6048
--- /dev/null
+++ b/data/data/azure/main.tf
@@ -0,0 +1,107 @@
+locals {
+  tags = merge(
+    {
+      "kubernetes.io_cluster.${var.cluster_id}" = "owned"
+    },
+    var.azure_extra_tags,
+  )
+
+  master_subnet_cidr = cidrsubnet(var.machine_cidr, 3, 0) #master subnet is a smaller subnet within the vnet. i.e from /21 to /24
+  node_subnet_cidr   = cidrsubnet(var.machine_cidr, 3, 1) #node subnet is a smaller subnet within the vnet. i.e from /21 to /24
+}
+
+module "bootstrap" {
+  source                  = "./bootstrap"
+  resource_group_name     = azurerm_resource_group.main.name
+  region                  = var.azure_region
+  vm_size                 = var.azure_bootstrap_vm_type
+  vm_image                = var.azure_image_id
+  identity                = azurerm_user_assigned_identity.main.id
+  cluster_id              = var.cluster_id
+  ignition                = var.ignition_bootstrap
+  subnet_id               = module.vnet.public_subnet_id
+  elb_backend_pool_id     = module.vnet.public_lb_backend_pool_id
+  ilb_backend_pool_id     = module.vnet.internal_lb_backend_pool_id
+  tags                    = local.tags
+  boot_diag_blob_endpoint = azurerm_storage_account.bootdiag.primary_blob_endpoint
+  ssh_nat_rule_id         = module.vnet.bootstrap_ssh_nat_rule_id
+}
+
+module "vnet" {
+  source              = "./vnet"
+  resource_group_name = azurerm_resource_group.main.name
+  vnet_cidr           = var.machine_cidr
+  master_subnet_cidr  = local.master_subnet_cidr
+  node_subnet_cidr    = local.node_subnet_cidr
+  cluster_id          = var.cluster_id
+  region              = var.azure_region
+  dns_label           = var.cluster_id
+  master_count        = var.master_count
+}
+
+module "master" {
+  source                  = "./master"
+  resource_group_name     = azurerm_resource_group.main.name
+  cluster_id              = var.cluster_id
+  region                  = var.azure_region
+  vm_size                 = var.azure_master_vm_type
+  vm_image                = var.azure_image_id
+  identity                = azurerm_user_assigned_identity.main.id
+  ignition                = var.ignition_master
+  external_lb_id          = module.vnet.public_lb_id
+  elb_backend_pool_id     = module.vnet.public_lb_backend_pool_id
+  ilb_backend_pool_id     = module.vnet.internal_lb_backend_pool_id
+  subnet_id               = module.vnet.public_subnet_id
+  master_subnet_cidr      = local.master_subnet_cidr
+  instance_count          = var.master_count
+  boot_diag_blob_endpoint = azurerm_storage_account.bootdiag.primary_blob_endpoint
+  os_volume_size          = var.azure_master_root_volume_size
+  ssh_nat_rule_ids        = module.vnet.mmaster_ssh_nat_rule_ids
+}
+
+module "dns" {
+  source                          = "./dns"
+  cluster_domain                  = var.cluster_domain
+  base_domain                     = var.base_domain
+  external_lb_fqdn                = module.vnet.public_lb_pip_fqdn
+  internal_lb_ipaddress           = module.vnet.internal_lb_ip_address
+  resource_group_name             = azurerm_resource_group.main.name
+  base_domain_resource_group_name = var.azure_base_domain_resource_group_name
+  internal_dns_resolution_vnet_id = module.vnet.vnet_id
+  etcd_count                      = var.master_count
+  etcd_ip_addresses               = module.master.ip_addresses
+}
+
+resource "random_string" "storage_suffix" {
+  length  = 5
+  upper   = false
+  special = false
+}
+
+resource "azurerm_resource_group" "main" {
+  name     = "${var.cluster_id}-rg"
+  location = var.azure_region
+  tags     = local.tags
+}
+
+resource "azurerm_storage_account" "bootdiag" {
+  name                     = "bootdiagmasters${random_string.storage_suffix.result}"
+  resource_group_name      = azurerm_resource_group.main.name
+  location                 = var.azure_region
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+resource "azurerm_user_assigned_identity" "main" {
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+
+  name = "${var.cluster_id}-identity"
+}
+
+resource "azurerm_role_assignment" "main" {
+  scope                = azurerm_resource_group.main.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_user_assigned_identity.main.principal_id
+}
+
diff --git a/data/data/azure/master/master.tf b/data/data/azure/master/master.tf
new file mode 100644
index 00000000000..3bfc7e56339
--- /dev/null
+++ b/data/data/azure/master/master.tf
@@ -0,0 +1,89 @@
+locals {
+  // The name of the masters' ipconfiguration is hardcoded to "pipconfig". It needs to match cluster-api
+  // https://github.com/openshift/cluster-api-provider-azure/blob/master/pkg/cloud/azure/services/networkinterfaces/networkinterfaces.go#L131
+  ip_configuration_name = "pipConfig"
+}
+
+resource "azurerm_network_interface" "master" {
+  count               = var.instance_count
+  name                = "${var.cluster_id}-master${count.index}-nic"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+
+  ip_configuration {
+    subnet_id                     = var.subnet_id
+    name                          = local.ip_configuration_name
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_network_interface_nat_rule_association" "master_ssh" {
+  count                 = var.instance_count
+  network_interface_id  = element(azurerm_network_interface.master.*.id, count.index)
+  ip_configuration_name = local.ip_configuration_name
+  nat_rule_id           = element(var.ssh_nat_rule_ids, count.index)
+}
+
+resource "azurerm_network_interface_backend_address_pool_association" "master" {
+  count                   = var.instance_count
+  network_interface_id    = element(azurerm_network_interface.master.*.id, count.index)
+  backend_address_pool_id = var.elb_backend_pool_id
+  ip_configuration_name   = local.ip_configuration_name #must be the same as nic's ip configuration name.
+}
+
+resource "azurerm_network_interface_backend_address_pool_association" "master_internal" {
+  count                   = var.instance_count
+  network_interface_id    = element(azurerm_network_interface.master.*.id, count.index)
+  backend_address_pool_id = var.ilb_backend_pool_id
+  ip_configuration_name   = local.ip_configuration_name #must be the same as nic's ip configuration name.
+}
+
+data "azurerm_subscription" "current" {
+}
+
+resource "azurerm_virtual_machine" "master" {
+  count                 = var.instance_count
+  name                  = "${var.cluster_id}-master${count.index}"
+  location              = var.region
+  resource_group_name   = var.resource_group_name
+  network_interface_ids = [element(azurerm_network_interface.master.*.id, count.index)]
+  vm_size               = var.vm_size
+
+  delete_os_disk_on_termination = true
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [var.identity]
+  }
+
+  storage_os_disk {
+    name              = "${var.cluster_id}-master-${count.index}_OSDisk" # os disk name needs to match cluster-api convention
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Premium_LRS"
+    disk_size_gb      = var.os_volume_size
+  }
+
+  storage_image_reference {
+    id = "${data.azurerm_subscription.current.id}${var.vm_image}"
+  }
+
+  //we don't provide a ssh key, because it is set with ignition. 
+  //it is required to provide at least 1 auth method to deploy a linux vm
+  os_profile {
+    computer_name  = "${var.cluster_id}-master-${count.index}"
+    admin_username = "core"
+    admin_password = "P@ssword1234!"
+    custom_data    = var.ignition
+  }
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+
+  boot_diagnostics {
+    enabled     = true
+    storage_uri = var.boot_diag_blob_endpoint
+  }
+}
+
diff --git a/data/data/azure/master/outputs.tf b/data/data/azure/master/outputs.tf
new file mode 100644
index 00000000000..414be4c4807
--- /dev/null
+++ b/data/data/azure/master/outputs.tf
@@ -0,0 +1,4 @@
+output "ip_addresses" {
+  value = azurerm_network_interface.master.*.private_ip_address
+}
+
diff --git a/data/data/azure/master/variables.tf b/data/data/azure/master/variables.tf
new file mode 100644
index 00000000000..e64acf0eb1b
--- /dev/null
+++ b/data/data/azure/master/variables.tf
@@ -0,0 +1,90 @@
+variable "region" {
+  type        = string
+  description = "The region for the deployment."
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "The resource group name for the deployment."
+}
+
+variable "cluster_id" {
+  type = string
+}
+
+variable "vm_size" {
+  type = string
+}
+
+variable "vm_image" {
+  type        = string
+  description = "The resource id of the vm image used for masters."
+}
+
+variable "identity" {
+  type        = string
+  description = "The user assigned identity id for the vm."
+}
+
+variable "instance_count" {
+  type = string
+}
+
+variable "external_lb_id" {
+  type = string
+}
+
+variable "elb_backend_pool_id" {
+  type = string
+}
+
+variable "ilb_backend_pool_id" {
+  type = string
+}
+
+variable "ignition_master" {
+  type    = string
+  default = ""
+}
+
+variable "kubeconfig_content" {
+  type    = string
+  default = ""
+}
+
+variable "subnet_id" {
+  type        = string
+  description = "The subnet to attach the masters to."
+}
+
+variable "os_volume_size" {
+  type        = string
+  description = "The size of the volume in gigabytes for the root block device."
+  default     = "100"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "tags to be applied to created resources."
+}
+
+variable "boot_diag_blob_endpoint" {
+  type        = string
+  description = "the blob endpoint where machines should store their boot diagnostics."
+}
+
+variable "ignition" {
+  type = string
+}
+
+variable "master_subnet_cidr" {
+  type        = string
+  description = "the master subnet cidr"
+}
+
+variable "ssh_nat_rule_ids" {
+  type        = list(string)
+  description = "ssh nat rule to make the master nodes reachable"
+}
+
diff --git a/data/data/azure/master/versions.tf b/data/data/azure/master/versions.tf
new file mode 100644
index 00000000000..ac97c6ac8e7
--- /dev/null
+++ b/data/data/azure/master/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/data/data/azure/variables-azure.tf b/data/data/azure/variables-azure.tf
new file mode 100644
index 00000000000..0eca2d36cc5
--- /dev/null
+++ b/data/data/azure/variables-azure.tf
@@ -0,0 +1,53 @@
+variable "azure_config_version" {
+  description = <<EOF
+(internal) This declares the version of the Azure configuration variables.
+It has no impact on generated assets but declares the version contract of the configuration.
+EOF
+
+
+  default = "0.1"
+}
+
+variable "azure_region" {
+  type = string
+  description = "The target Azure region for the cluster."
+}
+
+variable "azure_bootstrap_vm_type" {
+  type = string
+  description = "Instance type for the bootstrap node. Example: `Standard_DS4_v3`."
+}
+
+variable "azure_master_vm_type" {
+  type = string
+  description = "Instance type for the master node(s). Example: `Standard_DS4_v3`."
+}
+
+variable "azure_extra_tags" {
+  type = map(string)
+
+  description = <<EOF
+(optional) Extra Azure tags to be applied to created resources.
+
+Example: `{ "key" = "value", "foo" = "bar" }`
+EOF
+
+
+default = {}
+}
+
+variable "azure_master_root_volume_size" {
+type        = string
+description = "The size of the volume in gigabytes for the root block device of master nodes."
+}
+
+variable "azure_base_domain_resource_group_name" {
+type        = string
+description = "The resource group that contains the dns zone used as base domain for the cluster."
+}
+
+variable "azure_image_id" {
+type        = string
+description = "The resource id of the vm image used for all node."
+}
+
diff --git a/data/data/azure/versions.tf b/data/data/azure/versions.tf
new file mode 100644
index 00000000000..ac97c6ac8e7
--- /dev/null
+++ b/data/data/azure/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/data/data/azure/vnet/common.tf b/data/data/azure/vnet/common.tf
new file mode 100644
index 00000000000..8304830352b
--- /dev/null
+++ b/data/data/azure/vnet/common.tf
@@ -0,0 +1,19 @@
+# Canonical internal state definitions for this module.
+# read only: only locals and data source definitions allowed. No resources or module blocks in this file
+
+// Only reference data sources which are guaranteed to exist at any time (above) in this locals{} block
+locals {
+  vnet_id = azurerm_virtual_network.cluster_vnet.id
+
+  subnet_ids = azurerm_subnet.master_subnet.id
+
+  lb_fqdn = azurerm_lb.public.id
+
+  elb_backend_pool_id = azurerm_lb_backend_address_pool.master_public_lb_pool.id
+
+  internal_lb_controlplane_pool_id = azurerm_lb_backend_address_pool.internal_lb_controlplane_pool.id
+
+  public_lb_id   = azurerm_lb.public.id
+  internal_lb_id = azurerm_lb.internal.id
+}
+
diff --git a/data/data/azure/vnet/internal-lb.tf b/data/data/azure/vnet/internal-lb.tf
new file mode 100644
index 00000000000..78ecffb6f6a
--- /dev/null
+++ b/data/data/azure/vnet/internal-lb.tf
@@ -0,0 +1,76 @@
+locals {
+  internal_lb_frontend_ip_configuration_name = "internal-lb-ip"
+}
+
+resource "azurerm_lb" "internal" {
+  sku                 = "Standard"
+  name                = "${var.cluster_id}-internal-lb"
+  resource_group_name = var.resource_group_name
+  location            = var.region
+
+  frontend_ip_configuration {
+    name                          = local.internal_lb_frontend_ip_configuration_name
+    subnet_id                     = azurerm_subnet.master_subnet.id
+    private_ip_address_allocation = "Static"
+    private_ip_address            = cidrhost(var.master_subnet_cidr, -2) #last ip is reserved by azure
+  }
+}
+
+resource "azurerm_lb_backend_address_pool" "internal_lb_controlplane_pool" {
+  resource_group_name = var.resource_group_name
+  loadbalancer_id     = azurerm_lb.internal.id
+  name                = "${var.cluster_id}-internal-controlplane"
+}
+
+resource "azurerm_lb_rule" "internal_lb_rule_api_internal" {
+  name                           = "api-internal"
+  resource_group_name            = var.resource_group_name
+  protocol                       = "Tcp"
+  backend_address_pool_id        = azurerm_lb_backend_address_pool.internal_lb_controlplane_pool.id
+  loadbalancer_id                = azurerm_lb.internal.id
+  frontend_port                  = 6443
+  backend_port                   = 6443
+  frontend_ip_configuration_name = local.internal_lb_frontend_ip_configuration_name
+  enable_floating_ip             = false
+  idle_timeout_in_minutes        = 30
+  load_distribution              = "Default"
+  probe_id                       = azurerm_lb_probe.internal_lb_probe_api_internal.id
+}
+
+resource "azurerm_lb_rule" "internal_lb_rule_sint" {
+  name                           = "sint"
+  resource_group_name            = var.resource_group_name
+  protocol                       = "Tcp"
+  backend_address_pool_id        = azurerm_lb_backend_address_pool.internal_lb_controlplane_pool.id
+  loadbalancer_id                = azurerm_lb.internal.id
+  frontend_port                  = 22623
+  backend_port                   = 22623
+  frontend_ip_configuration_name = local.internal_lb_frontend_ip_configuration_name
+  enable_floating_ip             = false
+  idle_timeout_in_minutes        = 30
+  load_distribution              = "Default"
+  probe_id                       = azurerm_lb_probe.internal_lb_probe_sint.id
+}
+
+resource "azurerm_lb_probe" "internal_lb_probe_sint" {
+  name                = "sint-probe"
+  resource_group_name = var.resource_group_name
+  interval_in_seconds = 10
+  number_of_probes    = 3
+  loadbalancer_id     = azurerm_lb.internal.id
+  port                = 22623
+  request_path        = "/healthz"
+  protocol            = "Https"
+}
+
+resource "azurerm_lb_probe" "internal_lb_probe_api_internal" {
+  name                = "api-internal-probe"
+  resource_group_name = var.resource_group_name
+  interval_in_seconds = 10
+  number_of_probes    = 3
+  loadbalancer_id     = azurerm_lb.internal.id
+  port                = 6443
+  request_path        = "/readyz"
+  protocol            = "Https"
+}
+
diff --git a/data/data/azure/vnet/nsg.tf b/data/data/azure/vnet/nsg.tf
new file mode 100644
index 00000000000..cb2135a20a3
--- /dev/null
+++ b/data/data/azure/vnet/nsg.tf
@@ -0,0 +1,64 @@
+resource "azurerm_network_security_group" "master" {
+  name                = "${var.cluster_id}-controlplane-nsg"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_subnet_network_security_group_association" "master" {
+  subnet_id                 = azurerm_subnet.master_subnet.id
+  network_security_group_id = azurerm_network_security_group.master.id
+}
+
+resource "azurerm_network_security_group" "worker" {
+  name                = "${var.cluster_id}-node-nsg"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_subnet_network_security_group_association" "worker" {
+  subnet_id                 = azurerm_subnet.node_subnet.id
+  network_security_group_id = azurerm_network_security_group.worker.id
+}
+
+resource "azurerm_network_security_rule" "apiserver_in" {
+  name                        = "apiserver_in"
+  priority                    = 101
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "6443"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  resource_group_name         = var.resource_group_name
+  network_security_group_name = azurerm_network_security_group.master.name
+}
+
+resource "azurerm_network_security_rule" "sint_in" {
+  name                        = "sint_in"
+  priority                    = 102
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "22623"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  resource_group_name         = var.resource_group_name
+  network_security_group_name = azurerm_network_security_group.master.name
+}
+
+resource "azurerm_network_security_rule" "ssh_in" {
+  name                        = "ssh_in"
+  priority                    = 100
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "22"
+  source_address_prefix       = "*"
+  destination_address_prefix  = "*"
+  resource_group_name         = var.resource_group_name
+  network_security_group_name = azurerm_network_security_group.master.name
+}
+
diff --git a/data/data/azure/vnet/outputs.tf b/data/data/azure/vnet/outputs.tf
new file mode 100644
index 00000000000..9e3e2f5fbe2
--- /dev/null
+++ b/data/data/azure/vnet/outputs.tf
@@ -0,0 +1,44 @@
+output "vnet_id" {
+  value = local.vnet_id
+}
+
+output "cluster-pip" {
+  value = azurerm_public_ip.cluster_public_ip.ip_address
+}
+
+output "public_subnet_id" {
+  value = local.subnet_ids
+}
+
+output "public_lb_backend_pool_id" {
+  value = azurerm_lb_backend_address_pool.master_public_lb_pool.id
+}
+
+output "internal_lb_backend_pool_id" {
+  value = local.internal_lb_controlplane_pool_id
+}
+
+output "public_lb_id" {
+  value = local.public_lb_id
+}
+
+output "public_lb_pip_fqdn" {
+  value = data.azurerm_public_ip.cluster_public_ip.fqdn
+}
+
+output "internal_lb_ip_address" {
+  value = azurerm_lb.internal.private_ip_address
+}
+
+output "master_nsg_id" {
+  value = azurerm_network_security_group.master.id
+}
+
+output "bootstrap_ssh_nat_rule_id" {
+  value = azurerm_lb_nat_rule.bootstrap_ssh.id
+}
+
+output "mmaster_ssh_nat_rule_ids" {
+  value = azurerm_lb_nat_rule.master_ssh.*.id
+}
+
diff --git a/data/data/azure/vnet/public-lb.tf b/data/data/azure/vnet/public-lb.tf
new file mode 100644
index 00000000000..b7faeadd9da
--- /dev/null
+++ b/data/data/azure/vnet/public-lb.tf
@@ -0,0 +1,107 @@
+locals {
+  public_lb_frontend_ip_configuration_name = "public-lb-ip"
+}
+
+resource "azurerm_public_ip" "cluster_public_ip" {
+  sku                 = "Standard"
+  location            = var.region
+  name                = "${var.cluster_id}-pip"
+  resource_group_name = var.resource_group_name
+  allocation_method   = "Static"
+  domain_name_label   = var.dns_label
+}
+
+data "azurerm_public_ip" "cluster_public_ip" {
+  name                = azurerm_public_ip.cluster_public_ip.name
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_lb" "public" {
+  sku                 = "Standard"
+  name                = "${var.cluster_id}-public-lb"
+  resource_group_name = var.resource_group_name
+  location            = var.region
+
+  frontend_ip_configuration {
+    name                 = local.public_lb_frontend_ip_configuration_name
+    public_ip_address_id = azurerm_public_ip.cluster_public_ip.id
+  }
+}
+
+resource "azurerm_lb_nat_rule" "bootstrap_ssh" {
+  resource_group_name            = var.resource_group_name
+  name                           = "SSHBootstrap"
+  protocol                       = "Tcp"
+  frontend_port                  = 2200
+  backend_port                   = 22
+  frontend_ip_configuration_name = local.public_lb_frontend_ip_configuration_name
+  loadbalancer_id                = azurerm_lb.public.id
+}
+
+resource "azurerm_lb_nat_rule" "master_ssh" {
+  count                          = var.master_count
+  resource_group_name            = var.resource_group_name
+  name                           = "SSHMaster-${count.index}"
+  protocol                       = "Tcp"
+  frontend_port                  = count.index + 2201
+  backend_port                   = 22
+  frontend_ip_configuration_name = local.public_lb_frontend_ip_configuration_name
+  loadbalancer_id                = azurerm_lb.public.id
+}
+
+resource "azurerm_lb_backend_address_pool" "master_public_lb_pool" {
+  resource_group_name = var.resource_group_name
+  loadbalancer_id     = azurerm_lb.public.id
+  name                = "${var.cluster_id}-public-lb-control-plane"
+}
+
+resource "azurerm_lb_rule" "public_lb_rule_api_internal" {
+  name                           = "api-internal"
+  resource_group_name            = var.resource_group_name
+  protocol                       = "Tcp"
+  backend_address_pool_id        = azurerm_lb_backend_address_pool.master_public_lb_pool.id
+  loadbalancer_id                = azurerm_lb.public.id
+  frontend_port                  = 6443
+  backend_port                   = 6443
+  frontend_ip_configuration_name = local.public_lb_frontend_ip_configuration_name
+  enable_floating_ip             = false
+  idle_timeout_in_minutes        = 30
+  load_distribution              = "Default"
+  probe_id                       = azurerm_lb_probe.public_lb_probe_api_internal.id
+}
+
+resource "azurerm_lb_rule" "public_lb_rule_sint_internal" {
+  name                           = "sint-internal"
+  resource_group_name            = var.resource_group_name
+  protocol                       = "Tcp"
+  backend_address_pool_id        = azurerm_lb_backend_address_pool.master_public_lb_pool.id
+  loadbalancer_id                = azurerm_lb.public.id
+  frontend_port                  = 22623
+  backend_port                   = 22623
+  frontend_ip_configuration_name = local.public_lb_frontend_ip_configuration_name
+  enable_floating_ip             = false
+  idle_timeout_in_minutes        = 30
+  load_distribution              = "Default"
+  probe_id                       = azurerm_lb_probe.public_lb_sint.id
+}
+
+resource "azurerm_lb_probe" "public_lb_probe_api_internal" {
+  name                = "api-internal-probe"
+  resource_group_name = var.resource_group_name
+  interval_in_seconds = 10
+  number_of_probes    = 3
+  loadbalancer_id     = azurerm_lb.public.id
+  port                = 6443
+  protocol            = "TCP"
+}
+
+resource "azurerm_lb_probe" "public_lb_sint" {
+  name                = "sint-probe"
+  resource_group_name = var.resource_group_name
+  interval_in_seconds = 10
+  number_of_probes    = 3
+  loadbalancer_id     = azurerm_lb.public.id
+  port                = 22623
+  protocol            = "TCP"
+}
+
diff --git a/data/data/azure/vnet/variables.tf b/data/data/azure/vnet/variables.tf
new file mode 100644
index 00000000000..3973ab835a4
--- /dev/null
+++ b/data/data/azure/vnet/variables.tf
@@ -0,0 +1,55 @@
+variable "vnet_cidr" {
+  type = string
+}
+
+variable "master_subnet_cidr" {
+  type        = string
+  description = "The subnet for the masters"
+}
+
+variable "node_subnet_cidr" {
+  type        = string
+  description = "The subnet for the workers"
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group for the deployment"
+}
+
+variable "cluster_id" {
+  type = string
+}
+
+variable "private_master_endpoints" {
+  description = "If set to true, private-facing ingress resources are created."
+  default     = true
+}
+
+variable "public_master_endpoints" {
+  description = "If set to true, public-facing ingress resources are created."
+  default     = true
+}
+
+variable "region" {
+  type        = string
+  description = "The target Azure region for the cluster."
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "Azure tags to be applied to created resources."
+}
+
+variable "dns_label" {
+  type        = string
+  description = "The label used to build the dns name. i.e. <label>.<region>.cloudapp.azure.com"
+}
+
+variable "master_count" {
+  type        = string
+  description = "number of masters. used to setup ssh nat rules"
+  default     = "3"
+}
+
diff --git a/data/data/azure/vnet/versions.tf b/data/data/azure/vnet/versions.tf
new file mode 100644
index 00000000000..ac97c6ac8e7
--- /dev/null
+++ b/data/data/azure/vnet/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/data/data/azure/vnet/vnet.tf b/data/data/azure/vnet/vnet.tf
new file mode 100644
index 00000000000..f8362ecd5ad
--- /dev/null
+++ b/data/data/azure/vnet/vnet.tf
@@ -0,0 +1,27 @@
+resource "azurerm_virtual_network" "cluster_vnet" {
+  name                = "${var.cluster_id}-vnet"
+  resource_group_name = var.resource_group_name
+  location            = var.region
+  address_space       = [var.vnet_cidr]
+}
+
+resource "azurerm_route_table" "route_table" {
+  name                = "${var.cluster_id}-node-routetable"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_subnet" "master_subnet" {
+  resource_group_name  = var.resource_group_name
+  address_prefix       = var.master_subnet_cidr
+  virtual_network_name = azurerm_virtual_network.cluster_vnet.name
+  name                 = "${var.cluster_id}-controlplane-subnet"
+}
+
+resource "azurerm_subnet" "node_subnet" {
+  resource_group_name  = var.resource_group_name
+  address_prefix       = var.node_subnet_cidr
+  virtual_network_name = azurerm_virtual_network.cluster_vnet.name
+  name                 = "${var.cluster_id}-node-subnet"
+}
+
diff --git a/pkg/asset/cluster/tfvars.go b/pkg/asset/cluster/tfvars.go
index a5a9225ee7b..8605976deb0 100644
--- a/pkg/asset/cluster/tfvars.go
+++ b/pkg/asset/cluster/tfvars.go
@@ -13,6 +13,7 @@ import (
 	"github.com/openshift/installer/pkg/asset/rhcos"
 	"github.com/openshift/installer/pkg/tfvars"
 	awstfvars "github.com/openshift/installer/pkg/tfvars/aws"
+	azuretfvars "github.com/openshift/installer/pkg/tfvars/azure"
 	libvirttfvars "github.com/openshift/installer/pkg/tfvars/libvirt"
 	openstacktfvars "github.com/openshift/installer/pkg/tfvars/openstack"
 	"github.com/openshift/installer/pkg/types/aws"
@@ -24,6 +25,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	awsprovider "sigs.k8s.io/cluster-api-provider-aws/pkg/apis/awsproviderconfig/v1beta1"
+	azureprovider "sigs.k8s.io/cluster-api-provider-azure/pkg/apis/azureprovider/v1alpha1"
 	openstackprovider "sigs.k8s.io/cluster-api-provider-openstack/pkg/apis/openstackproviderconfig/v1alpha1"
 )
 
@@ -137,7 +139,25 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 			Data:     data,
 		})
 	case azure.Name:
-		//TODO(serbrech): call generate azure tfvars, relying on MachineProviderConfig once available
+		masters, err := mastersAsset.Machines()
+		if err != nil {
+			return err
+		}
+		masterConfigs := make([]*azureprovider.AzureMachineProviderSpec, len(masters))
+		for i, m := range masters {
+			masterConfigs[i] = m.Spec.ProviderSpec.Value.Object.(*azureprovider.AzureMachineProviderSpec)
+		}
+		data, err := azuretfvars.TFVars(
+			installConfig.Config.Azure.BaseDomainResourceGroupName,
+			masterConfigs,
+		)
+		if err != nil {
+			return errors.Wrapf(err, "failed to get %s Terraform variables", platform)
+		}
+		t.FileList = append(t.FileList, &asset.File{
+			Filename: fmt.Sprintf(TfPlatformVarsFileName, platform),
+			Data:     data,
+		})
 	case libvirt.Name:
 		masters, err := mastersAsset.Machines()
 		if err != nil {
diff --git a/pkg/tfvars/azure/azure.go b/pkg/tfvars/azure/azure.go
new file mode 100644
index 00000000000..ca3baa017b8
--- /dev/null
+++ b/pkg/tfvars/azure/azure.go
@@ -0,0 +1,34 @@
+package azure
+
+import (
+	"encoding/json"
+
+	"github.com/openshift/installer/pkg/types/azure/defaults"
+	azureprovider "sigs.k8s.io/cluster-api-provider-azure/pkg/apis/azureprovider/v1alpha1"
+)
+
+type config struct {
+	ExtraTags                   map[string]string `json:"azure_extra_tags,omitempty"`
+	BootstrapInstanceType       string            `json:"azure_bootstrap_vm_type,omitempty"`
+	MasterInstanceType          string            `json:"azure_master_vm_type,omitempty"`
+	VolumeSize                  int32             `json:"azure_master_root_volume_size,omitempty"`
+	VMImageID                   string            `json:"azure_image_id,omitempty"`
+	Region                      string            `json:"azure_region,omitempty"`
+	BaseDomainResourceGroupName string            `json:"azure_base_domain_resource_group_name,omitempty"`
+}
+
+// TFVars generates Azure-specific Terraform variables launching the cluster.
+func TFVars(baseDomainResourceGroupName string, masterConfigs []*azureprovider.AzureMachineProviderSpec) ([]byte, error) {
+	masterConfig := masterConfigs[0]
+	region := masterConfig.Location
+	cfg := &config{
+		Region: region,
+		BaseDomainResourceGroupName: baseDomainResourceGroupName,
+		BootstrapInstanceType:       defaults.InstanceClass(region),
+		MasterInstanceType:          masterConfig.VMSize,
+		VolumeSize:                  masterConfig.OSDisk.DiskSizeGB,
+		VMImageID:                   masterConfig.Image.ResourceID,
+	}
+
+	return json.MarshalIndent(cfg, "", "  ")
+}