Azure Patterns
Design and implement Azure cloud architectures following Microsoft's Well-Architected Framework and best practices for service selection, cost optimization, and security.
When to Use
Use this skill when:
- •Designing new applications for Azure cloud
- •Selecting Azure compute services (Container Apps, AKS, Functions, App Service)
- •Architecting storage solutions (Blob Storage, Files, Cosmos DB)
- •Integrating Azure OpenAI or Cognitive Services
- •Implementing messaging patterns (Service Bus, Event Grid, Event Hubs)
- •Designing secure networks with Private Endpoints
- •Applying Azure governance and compliance policies
- •Optimizing Azure costs and performance
Core Concepts
Service Selection Philosophy
Azure offers 200+ services. Choose based on:
- •Managed vs. IaaS - Prefer fully managed services (lower operational burden)
- •Cost Model - Consumption vs. dedicated capacity
- •Integration Requirements - Microsoft 365, Active Directory, hybrid cloud
- •Control vs. Simplicity - More control = more operational overhead
Azure Well-Architected Framework (Five Pillars)
| Pillar | Focus | Key Practices |
|---|---|---|
| Cost Optimization | Maximize value within budget | Reserved Instances, auto-scaling, lifecycle management |
| Operational Excellence | Run reliable systems | Azure Policy, automation, monitoring |
| Performance Efficiency | Scale to meet demand | Autoscaling, caching, CDN |
| Reliability | Recover from failures | Availability Zones, multi-region, backup |
| Security | Protect data and assets | Managed Identity, Private Endpoints, Key Vault |
Reference references/well-architected.md for detailed pillar implementation patterns.
Compute Service Selection
Decision Framework
Container-based workload?
YES → Need Kubernetes control plane?
YES → Azure Kubernetes Service (AKS)
NO → Azure Container Apps (recommended)
NO → Event-driven function?
YES → Azure Functions
NO → Web application?
YES → Azure App Service
NO → Legacy/specialized → Virtual Machines
Service Comparison
| Service | Best For | Pricing Model | Operational Overhead |
|---|---|---|---|
| Container Apps | Microservices, APIs, background jobs | Consumption or dedicated | Low |
| AKS | Complex K8s workloads, service mesh | Node-based | High |
| Functions | Event-driven, short tasks (<10 min) | Consumption or premium | Low |
| App Service | Web apps, simple APIs | Dedicated plans | Low |
| Virtual Machines | Legacy apps, specialized software | VM-based | High |
Recommendation: Start with Azure Container Apps for 80% of containerized workloads (simpler and cheaper than AKS).
Reference references/compute-services.md for detailed comparison with Bicep and Terraform examples.
Storage Architecture
Blob Storage Tier Selection
| Tier | Access Pattern | Cost/GB/Month | Minimum Storage Duration |
|---|---|---|---|
| Hot | Daily access | $0.018 | None |
| Cool | <1/month access | $0.010 | 30 days |
| Cold | <90 days access | $0.0045 | 90 days |
| Archive | Rare access | $0.00099 | 180 days |
Pattern: Use lifecycle management policies to automatically move data to lower-cost tiers.
Storage Service Decision
File system interface required?
YES → Protocol?
SMB → Azure Files (or NetApp Files for high performance)
NFS → Azure Files (NFS 4.1)
NO → Object storage → Blob Storage
Block storage → Managed Disks (Standard/Premium SSD/Ultra)
Analytics → Data Lake Storage Gen2
Reference references/storage-patterns.md for lifecycle policies, redundancy options, and performance tuning.
Database Service Selection
Decision Framework
Relational data?
YES → SQL Server compatible?
YES → Need VM-level access?
YES → SQL Managed Instance
NO → Azure SQL Database
NO → Open source?
PostgreSQL → PostgreSQL Flexible Server
MySQL → MySQL Flexible Server
NO → Data model?
Document/JSON → Cosmos DB (NoSQL API)
Graph → Cosmos DB (Gremlin API)
Wide-column → Cosmos DB (Cassandra API)
Key-value cache → Azure Cache for Redis
Time-series → Azure Data Explorer
Cosmos DB Consistency Levels
| Level | Use Case | Latency | Throughput |
|---|---|---|---|
| Strong | Financial transactions, inventory | Highest | Lowest |
| Bounded Staleness | Real-time leaderboards with acceptable lag | High | Low |
| Session | Shopping carts, user sessions (default) | Medium | Medium |
| Consistent Prefix | Social feeds, IoT telemetry | Low | High |
| Eventual | Analytics, ML training data | Lowest | Highest |
Reference references/database-selection.md for capacity planning, indexing strategies, and migration patterns.
AI and Machine Learning Integration
Azure OpenAI Service
Use Cases:
- •Chatbots and conversational AI (GPT-4)
- •Content generation and summarization
- •Semantic search with embeddings (RAG pattern)
- •Code generation and completion
- •Function calling for structured outputs
Key Advantages:
- •Enterprise data privacy (no model training on customer data)
- •Regional deployment for data residency
- •Microsoft enterprise SLAs
- •Built-in content filtering
Integration Pattern:
from openai import AzureOpenAI
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
client = AzureOpenAI(
azure_endpoint="https://myopenai.openai.azure.com",
azure_ad_token_provider=token_provider,
api_version="2024-02-15-preview"
)
response = client.chat.completions.create(
model="gpt-4-turbo",
messages=[{"role": "user", "content": "Hello!"}]
)
Other AI Services
| Service | Purpose | Common Use Cases |
|---|---|---|
| Cognitive Services | Pre-built AI models | Vision, Speech, Language, Decision |
| Azure Machine Learning | Custom model training | MLOps, model deployment, feature engineering |
| Azure AI Search | Semantic search engine | RAG patterns, document search |
Reference references/ai-integration.md for RAG architecture, function calling, and fine-tuning patterns.
Messaging and Integration
Service Selection Matrix
| Service | Pattern | Message Size | Ordering | Transactions | Best For |
|---|---|---|---|---|---|
| Service Bus | Queue/Topic | 256 KB - 100 MB | Yes (sessions) | Yes | Enterprise messaging |
| Event Grid | Pub/Sub | 1 MB | No | No | Event-driven architectures |
| Event Hubs | Streaming | 1 MB | Yes (partitions) | No | Big data ingestion, telemetry |
| Storage Queues | Simple queue | 64 KB | No | No | Async work, <500k msgs/sec |
When to Use What:
- •Service Bus: Reliable messaging with transactions (e.g., order processing)
- •Event Grid: React to Azure resource events (e.g., blob created, VM stopped)
- •Event Hubs: High-throughput streaming (e.g., IoT telemetry, application logs)
Reference references/messaging-patterns.md for implementation examples, retry policies, and dead-letter handling.
Networking Architecture
Private Endpoints vs. Service Endpoints
| Aspect | Private Endpoint | Service Endpoint |
|---|---|---|
| Security Model | Private IP in VNet | Optimized route to public endpoint |
| Data Exfiltration Protection | Yes (network-isolated) | Limited (service firewall only) |
| Cost | ~$7.30/month per endpoint | Free |
| Recommendation | Production workloads | Dev/test environments |
Best Practice: Use Private Endpoints for all PaaS services in production (treat public endpoints as anti-pattern).
Hub-and-Spoke Topology
Components:
- •Hub VNet: Shared services (Azure Firewall, VPN Gateway, Private Endpoints)
- •Spoke VNets: Application workloads (isolated per environment or team)
- •VNet Peering: Low-latency connectivity between hub and spokes
Benefits:
- •Centralized security (firewall, DNS)
- •Cost optimization (shared egress)
- •Simplified governance
Reference references/networking-architecture.md for hub-spoke Bicep templates, NSG patterns, and DNS configuration.
Identity and Access Management
Managed Identity Pattern
Always use Managed Identity instead of:
- •Connection strings in code
- •Storage account keys
- •Service principal credentials
- •API keys
System-Assigned vs. User-Assigned:
| Type | Lifecycle | Use Case |
|---|---|---|
| System-Assigned | Tied to resource | Single resource needs access |
| User-Assigned | Independent | Multiple resources share identity |
Example Flow:
- •Enable Managed Identity on Container App
- •Grant identity access to Key Vault (RBAC or Access Policy)
- •Application authenticates automatically (no credentials)
from azure.identity import DefaultAzureCredential # Works automatically with Managed Identity credential = DefaultAzureCredential() keyvault_client = SecretClient(vault_url="...", credential=credential)
Azure RBAC Best Practices
- •Use built-in roles when possible (Owner, Contributor, Reader)
- •Apply least privilege principle
- •Assign roles at resource group level (not subscription)
- •Use Azure AD groups for user management
- •Audit role assignments regularly
Reference references/identity-access.md for Entra ID integration, Conditional Access policies, and B2C patterns.
Governance and Compliance
Azure Policy for Guardrails
Common Policy Patterns:
- •Require tags on all resources (Environment, Owner, CostCenter)
- •Restrict allowed Azure regions
- •Enforce TLS 1.2 minimum
- •Require Private Endpoints for storage accounts
- •Deny public IP addresses on VMs
Policy Effects:
- •Deny: Block non-compliant resource creation
- •Audit: Log non-compliance but allow creation
- •DeployIfNotExists: Auto-remediate missing configurations
- •Modify: Change resource properties during deployment
Cost Management
Optimization Strategies:
| Pattern | Savings | Use Case |
|---|---|---|
| Reserved Instances (1-year) | 40-50% | Steady-state workloads (databases, VMs) |
| Reserved Instances (3-year) | 60-70% | Long-term commitments |
| Spot VMs | Up to 90% | Fault-tolerant batch processing |
| Auto-shutdown | Variable | Dev/test resources (off-hours) |
| Storage lifecycle policies | 50-90% | Move to Cool/Archive tiers |
Monitoring:
- •Set budgets and alerts in Azure Cost Management
- •Review Azure Advisor cost recommendations weekly
- •Tag resources for cost allocation
- •Use FinOps Toolkit for Power BI dashboards
Reference references/governance-compliance.md for Azure Landing Zones, Policy definitions, and Blueprints.
Infrastructure as Code
Tool Selection
| Tool | Best For | Azure Integration | Multi-Cloud |
|---|---|---|---|
| Bicep | Azure-native projects | Excellent (official) | No |
| Terraform | Multi-cloud environments | Good (azurerm provider) | Yes |
| Pulumi | Developer-first approach | Good (native SDK) | Yes |
| Azure CLI | Scripts and automation | Excellent | No |
Recommendation:
- •Use Bicep for Azure-only infrastructure (best Azure integration, native type safety)
- •Use Terraform for multi-cloud or existing Terraform shops
- •Use Azure CLI for quick scripts and CI/CD automation
Bicep Best Practices
- •Use parameter files for environment-specific values
- •Leverage Azure Verified Modules (AVM) for tested patterns
- •Organize by resource lifecycle (networking, data, compute)
- •Use symbolic names (not string interpolation)
- •Enable linting and validation in CI/CD
Reference Bicep and Terraform examples in examples/bicep/ and examples/terraform/ directories.
Security Best Practices
Essential Security Controls
| Control | Implementation | Priority |
|---|---|---|
| Managed Identity | Enable on all compute resources | Critical |
| Private Endpoints | All PaaS services in production | Critical |
| Key Vault | Store secrets, keys, certificates | Critical |
| Network Segmentation | NSGs, application security groups | High |
| Microsoft Defender | Enable for all resource types | High |
| Azure Policy | Preventive controls | High |
| Just-In-Time Access | VMs and privileged access | Medium |
Defense-in-Depth Layers
- •Network: Private Endpoints, NSGs, Azure Firewall
- •Identity: Entra ID, Managed Identity, Conditional Access
- •Application: Web Application Firewall, API Management
- •Data: Encryption at rest, encryption in transit (TLS 1.2+)
- •Monitoring: Microsoft Defender, Azure Monitor, Sentinel
Reference references/security-architecture.md (see also security-hardening and auth-security skills).
Cost Estimation
Pricing Considerations
Compute:
- •Container Apps: ~$60/month (1 vCPU, 2GB RAM, 24/7)
- •AKS: ~$400/month (3-node D4s_v5 cluster)
- •App Service P1v3: ~$145/month (2 vCPU, 8GB RAM)
- •Functions Consumption: ~$0.20 per 1M executions
Storage:
- •Blob Hot: $0.018/GB/month
- •Blob Cool: $0.010/GB/month
- •Blob Archive: $0.00099/GB/month
- •Managed Disks Premium SSD: $0.15/GB/month
Database:
- •Azure SQL Database (2 vCores): ~$280/month
- •Cosmos DB Serverless: Pay per RU consumed
- •PostgreSQL Flexible (2 vCores): ~$125/month
Use Azure Pricing Calculator: https://azure.microsoft.com/pricing/calculator/
Quick Reference Tables
Compute Service Decision Matrix
| If You Need... | Choose |
|---|---|
| Kubernetes features (CRDs, operators) | Azure Kubernetes Service |
| Microservices without K8s complexity | Azure Container Apps |
| Event-driven functions (<10 min) | Azure Functions |
| Traditional web app (Node, .NET, Python) | Azure App Service |
| Batch processing, HPC | Azure Batch or VM Scale Sets |
| Legacy application migration | Virtual Machines |
Storage Service Decision Matrix
| If You Need... | Choose |
|---|---|
| SMB file shares | Azure Files |
| NFS file shares | Azure Files (NFS 4.1) |
| Object storage (images, backups) | Blob Storage |
| High-performance file storage | Azure NetApp Files |
| Block storage for VMs | Managed Disks |
| Big data analytics | Data Lake Storage Gen2 |
Database Service Decision Matrix
| If You Need... | Choose |
|---|---|
| SQL Server features (T-SQL, SQL Agent) | Azure SQL Database or Managed Instance |
| PostgreSQL | PostgreSQL Flexible Server |
| MySQL | MySQL Flexible Server |
| Global distribution, multi-model | Cosmos DB |
| In-memory cache | Azure Cache for Redis |
| Graph database | Cosmos DB (Gremlin API) |
| Time-series data | Azure Data Explorer |
Integration with Other Skills
- •infrastructure-as-code: Implement Azure patterns using Bicep or Terraform
- •kubernetes-operations: AKS-specific configuration and operations
- •deploying-applications: Container Apps and App Service deployment
- •building-ci-pipelines: Azure DevOps and GitHub Actions integration
- •auth-security: Entra ID authentication and authorization patterns
- •observability: Azure Monitor and Application Insights
- •ai-chat: Azure OpenAI Service for chat applications
- •databases-nosql: Cosmos DB implementation details
- •secret-management: Azure Key Vault integration patterns
Reference Documentation
For detailed implementation guidance, see:
- •
references/compute-services.md- Container Apps, AKS, Functions, App Service with Bicep/Terraform - •
references/storage-patterns.md- Blob Storage, Files, Disks, lifecycle management - •
references/database-selection.md- SQL Database, Cosmos DB, PostgreSQL patterns - •
references/ai-integration.md- Azure OpenAI, RAG architecture, function calling - •
references/messaging-patterns.md- Service Bus, Event Grid, Event Hubs examples - •
references/networking-architecture.md- Hub-spoke, Private Endpoints, DNS configuration - •
references/identity-access.md- Entra ID, Managed Identity, RBAC - •
references/governance-compliance.md- Azure Policy, Landing Zones, cost optimization - •
references/well-architected.md- Five pillars implementation guide
Code Examples
Working examples available in:
- •
examples/bicep/- Infrastructure templates (Container Apps, AKS, networking, databases) - •
examples/terraform/- Multi-cloud IaC examples - •
examples/sdk/python/- Python SDK integration (OpenAI, Managed Identity, messaging) - •
examples/sdk/typescript/- TypeScript SDK examples
Additional Resources
- •Azure Architecture Center: https://learn.microsoft.com/azure/architecture/
- •Azure Well-Architected Framework: https://learn.microsoft.com/azure/well-architected/
- •Azure Verified Modules: https://aka.ms/avm
- •Azure Charts (Service Comparison): https://azurecharts.com/
- •Azure Updates: https://azure.microsoft.com/updates/