AgentSkillsCN

Azure Architecture Patterns

Follow Well-Architected Framework principles, combined with reference architectures and best practices for cloud-native solutions.

SKILL.md
---
name: "Azure Architecture Patterns"
description: "Well-Architected Framework principles, reference architectures, and best practices for cloud-native solutions"
---

Skill: Azure Architecture Patterns

Well-Architected Framework principles, reference architectures, and best practices for cloud-native solutions.

Metadata

| Field | Value |
|---|---|
| Skill ID | azure-architecture-patterns |
| Version | 1.0.0 |
| Category | Cloud/Infrastructure |
| Difficulty | Advanced |
| Prerequisites | Basic Azure knowledge |
| Related Skills | azure-devops-automation, cognitive-load (for architecture reviews) |

Overview

Azure architecture is about trade-offs, not perfection. This skill provides structured guidance for designing, evaluating, and optimizing Azure solutions using the Well-Architected Framework (WAF) pillars.

The Five Pillars

| Pillar | Focus | Key Question |
|---|---|---|
| Reliability | Resiliency, availability | "Will it stay up?" |
| Security | Protection, compliance | "Is it safe?" |
| Cost Optimization | Efficiency, value | "Is it worth it?" |
| Operational Excellence | Manageability, observability | "Can we run it?" |
| Performance Efficiency | Scalability, responsiveness | "Is it fast enough?" |

Module 1: Reliability Patterns

Design Principles

  1. Design for failure - Assume components will fail
  2. Observe health - Know when something is wrong
  3. Drive automation - Reduce human error
  4. Design for self-healing - Automatic recovery
  5. Design for scale-out - Horizontal over vertical

Key Patterns

Circuit Breaker

Prevent cascading failures by failing fast when a downstream service is unhealthy.

```csharp
using System;
using System.Net.Http;
using Polly;

// Polly implementation: open the circuit after 3 consecutive exceptions,
// fail fast for 30 s, then let a single probe call through (half-open)
var circuitBreakerPolicy = Policy
    .Handle<HttpRequestException>()
    .CircuitBreakerAsync(
        exceptionsAllowedBeforeBreaking: 3,
        durationOfBreak: TimeSpan.FromSeconds(30)
    );
```

Retry with Exponential Backoff

Handle transient failures with increasing delays.

```csharp
using System;
using System.Net.Http;
using Polly;

// Retry up to 3 times, waiting 2, 4 and 8 seconds before each retry
var retryPolicy = Policy
    .Handle<HttpRequestException>()
    .WaitAndRetryAsync(3, retryAttempt =>
        TimeSpan.FromSeconds(Math.Pow(2, retryAttempt)));
```
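The two policies above are normally composed with retry on the outside and the breaker on the inside, so every attempt feeds the breaker's failure count and an open circuit makes the remaining retries fail fast instead of hammering the dependency. The Python model below is an added example, not code from this skill or from Polly; the injected clock, the `outage_scenario` driver and the failing `downstream` call are constructed for the demonstration.

```python
class CircuitBreaker:
    # Models Polly's CircuitBreakerAsync(exceptionsAllowedBeforeBreaking, durationOfBreak); states:
    # closed (calls flow, failures counted), open (fail fast), half_open (one probe after the break).
    def __init__(self, clock, failures_before_break=3, break_seconds=30.0):
        self.clock, self.threshold, self.break_seconds = clock, failures_before_break, break_seconds
        self.state, self.failures, self.opened_at = "closed", 0, 0.0

    def call(self, fn):
        if self.state == "open":
            if self.clock() - self.opened_at < self.break_seconds:
                raise RuntimeError("circuit open: failing fast")
            self.state = "half_open"
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.state == "half_open" or self.failures >= self.threshold:
                self.state, self.opened_at = "open", self.clock()
            raise
        self.state, self.failures = "closed", 0
        return result

def retry_with_backoff(fn, sleep, retries=3):
    # Models WaitAndRetryAsync(3, n => 2^n s): the initial call plus 3 retries, waiting 2, 4, 8 s.
    for attempt in range(retries + 1):
        try:
            return fn()
        except Exception:
            if attempt == retries:
                raise
            sleep(2 ** (attempt + 1))

def outage_scenario():
    # Constructed scenario: the dependency fails for the first 30 s of fake time, then recovers.
    # Retry wraps the breaker (Polly's usual PolicyWrap order), so attempt 4 never reaches it.
    now, calls = [0.0], [0]
    def sleep(seconds): now[0] += seconds
    def downstream():
        calls[0] += 1
        if now[0] < 30:
            raise ConnectionError("503 from dependency")
        return "ok"
    breaker = CircuitBreaker(clock=lambda: now[0])
    try:
        retry_with_backoff(lambda: breaker.call(downstream), sleep)
    except Exception: pass
    calls_during_outage = calls[0]       # 3 real calls; attempt 4 was rejected by the open breaker
    sleep(26)                             # t = 40 s: past the 30 s break, dependency healthy again
    recovered = breaker.call(downstream)  # half-open probe succeeds and closes the circuit
    return calls_during_outage, recovered, breaker.state
```

Swapping the wrap order (breaker outside, retry inside) would let all four attempts hit the dependency before the breaker counts a single failure, which is the behaviour the pattern is meant to prevent.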

Availability Zones

Distribute resources across physically separate datacenters.

| Resource | Zone Support |
|---|---|
| VMs | Zone-redundant or zonal |
| Azure SQL | Zone-redundant HA |
| Storage | ZRS, GZRS |
| App Service | Zone-redundant (Premium) |

Reliability Checklist

  • Single points of failure identified and mitigated
  • Health endpoints implemented (/health, /ready)
  • Retry policies with backoff configured
  • Circuit breakers for external dependencies
  • Availability zones utilized (where supported)
  • Disaster recovery plan documented
  • RTO/RPO defined and tested

Module 2: Security Patterns

Zero Trust Principles

| Principle | Implementation |
|---|---|
| Verify explicitly | Always authenticate/authorize |
| Least privilege | Minimal necessary permissions |
| Assume breach | Segment, encrypt, detect |

Identity Patterns

Managed Identity

Eliminate credential management with Azure AD-backed identity.

```json
{
  "type": "Microsoft.Web/sites",
  "identity": {
    "type": "SystemAssigned"
  }
}
```

Use cases:

  • App Service → Key Vault secrets
  • Azure Functions → Storage access
  • VMs → Database connections

RBAC Best Practices

| Practice | Rationale |
|---|---|
| Use built-in roles first | Custom roles add complexity |
| Scope to resource group | Not subscription (too broad) |
| Use groups, not users | Easier lifecycle management |
| Regular access reviews | Remove stale permissions |

Network Security

Private Endpoints

Keep traffic on Azure backbone, off public internet.

```bicep
param location string = resourceGroup().location
param subnetId string
param storageAccountId string

// Private endpoint for the blob sub-resource of a storage account.
// Pair it with a privateDnsZoneGroups child resource so the account's
// public FQDN resolves to the private IP inside the VNet.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-storage'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [{
      name: 'plsc-storage'
      properties: {
        privateLinkServiceId: storageAccountId
        groupIds: ['blob']
      }
    }]
  }
}
```

Network Security Groups (NSG)

Default deny, explicit allow.

| Priority | Description |
|---|---|
| 100-200 | Allow known good traffic |
| 300-400 | Deny known bad traffic |
| 4096 | Default deny all |
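The priority bands above only produce default-deny when the 4096 rule is actually present: Azure's built-in AllowVnetInBound rule (priority 65000) sits below every custom rule and admits all traffic that originates inside the virtual network, so without an explicit catch-all deny, lateral traffic between subnets passes. The rule evaluator below is an added example, not part of this skill; the `Rule` class, the 10.0.0.0/16 address space standing in for the VirtualNetwork service tag and the `lateral_rdp_check` scenario are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")   # constructed address space standing in for the VirtualNetwork tag

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # 100-4096 for custom rules; lower numbers are evaluated first
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR, "VirtualNetwork" or "*"
    dest_port: str      # "443", "1000-2000" or "*"

# Azure's own inbound default rules, evaluated after every custom rule: note the VNet-wide allow.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def _matches(rule, src_ip, protocol, port):
    if rule.protocol not in ("*", protocol):
        return False
    if rule.source == "VirtualNetwork":
        if ip_address(src_ip) not in VNET:
            return False
    elif rule.source != "*" and ip_address(src_ip) not in ip_network(rule.source):
        return False
    if rule.dest_port == "*":
        return True
    lo, _, hi = rule.dest_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(custom_rules, src_ip, protocol, port):
    # NSG semantics: ascending priority, first matching rule decides, defaults come last.
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src_ip, protocol, port):
            return rule.name, rule.access
    raise AssertionError("unreachable: DenyAllInBound matches everything")

def lateral_rdp_check():
    # Constructed scenario: TCP/3389 from a VM in another subnet of the same VNet,
    # first with only an HTTPS allow rule, then with the explicit 4096 deny-all added.
    baseline = [Rule("AllowHttps", 100, "Allow", "Tcp", "*", "443")]
    hardened = baseline + [Rule("DenyAllExplicit", 4096, "Deny", "*", "*", "*")]
    return (evaluate(baseline, "10.0.5.4", "Tcp", 3389),
            evaluate(hardened, "10.0.5.4", "Tcp", 3389),
            evaluate(hardened, "203.0.113.9", "Tcp", 443))
```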

Security Checklist

  • Managed identities used (no stored credentials)
  • Key Vault for secrets/certificates
  • Private endpoints for PaaS services
  • NSG/firewall rules explicit deny-by-default
  • TLS 1.2+ enforced
  • Microsoft Defender for Cloud enabled
  • Diagnostic settings → Log Analytics

Module 3: Cost Optimization Patterns

Design for Cost

| Strategy | Impact |
|---|---|
| Right-size | Match SKU to actual workload |
| Reserved Instances | 1-3 year commitment = 40-72% savings |
| Spot VMs | 90% discount for interruptible workloads |
| Auto-shutdown | Dev/test VMs off at night |
| Serverless | Pay per execution, not idle time |

Cost-Aware Architecture

Compute Selection Matrix

| Workload Type | Recommended | Why |
|---|---|---|
| Steady-state web | App Service Premium | Predictable, manageable |
| Event-driven | Azure Functions | Pay per execution |
| Batch processing | Container Apps + KEDA | Scale to zero |
| Big compute | Spot VMs + Batch | Massive savings |
| Dev/test | B-series VMs | Burstable, cheap |

Storage Tiers

| Tier | Use Case | Cost/GB/month |
|---|---|---|
| Hot | Frequently accessed | ~$0.02 |
| Cool | Infrequent (30+ days) | ~$0.01 |
| Archive | Rarely accessed | ~$0.002 |

Lifecycle management: Auto-tier blobs based on last access.

Cost Monitoring

```kusto
// Azure Resource Graph - inventory VMs by SKU.
// Sorting by vmSize orders by the size name, not by price; join with
// Cost Management exports to rank by actual spend.
resources
| where type =~ 'Microsoft.Compute/virtualMachines'
| extend vmSize = tostring(properties.hardwareProfile.vmSize)
| project name, resourceGroup, vmSize, location
| order by vmSize desc
```

Cost Checklist

  • Azure Advisor recommendations reviewed
  • Reserved Instances for predictable workloads
  • Auto-shutdown for non-prod
  • Right-sized based on actual utilization
  • Storage lifecycle policies configured
  • Cost alerts and budgets set
  • Orphaned resources cleaned up

Module 4: Operational Excellence Patterns

Infrastructure as Code

| Tool | Best For |
|---|---|
| Bicep | Azure-native, declarative |
| Terraform | Multi-cloud, state management |
| ARM | Legacy, avoid for new work |
| Pulumi | Developers who prefer code |

Bicep Best Practices

```bicep
// Use parameters with descriptions and constraints
@description('The environment name')
@allowed(['dev', 'staging', 'prod'])
param environment string

@description('Deployment region, defaults to the resource group location')
param location string = resourceGroup().location

// Use variables for derived values
var resourcePrefix = 'app-${environment}'

// Use modules for reusability
module storage 'modules/storage.bicep' = {
  name: 'storage-${environment}'
  params: {
    prefix: resourcePrefix
    location: location
  }
}
```

Observability Stack

| Layer | Service | Purpose |
|---|---|---|
| Logs | Log Analytics | Centralized logging |
| Metrics | Azure Monitor | Performance data |
| Traces | Application Insights | Distributed tracing |
| Alerts | Azure Alerts | Proactive notification |
| Dashboards | Azure Workbooks | Visualization |

Essential Diagnostic Settings

```bicep
param appServiceName string
param logAnalyticsId string

// Reference the already-deployed app so the diagnostic setting can be scoped to it
resource appService 'Microsoft.Web/sites@2022-09-01' existing = {
  name: appServiceName
}

resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: appService
  name: 'diag-appservice'
  properties: {
    workspaceId: logAnalyticsId
    logs: [
      { category: 'AppServiceHTTPLogs', enabled: true }
      { category: 'AppServiceConsoleLogs', enabled: true }
    ]
    metrics: [
      { category: 'AllMetrics', enabled: true }
    ]
  }
}
```

Operational Checklist

  • IaC for all resources (Bicep/Terraform)
  • CI/CD pipelines for deployment
  • Diagnostic settings to Log Analytics
  • Application Insights integrated
  • Alerts for critical metrics
  • Runbooks for common operations
  • Chaos engineering tests scheduled

Module 5: Performance Efficiency Patterns

Scalability Patterns

Horizontal Scaling (Scale Out)

Add more instances, not bigger instances.

| Service | Scaling Mechanism |
|---|---|
| App Service | Autoscale rules |
| Azure Functions | Event-driven automatic |
| AKS | Horizontal Pod Autoscaler + Cluster Autoscaler |
| VMSS | Autoscale rules |

Caching Strategy

| Cache Type | Use Case | Service |
|---|---|---|
| CDN | Static content | Azure Front Door |
| Distributed | Session, computed data | Azure Cache for Redis |
| Local | Hot data | In-memory |

Performance Patterns

CQRS (Command Query Responsibility Segregation)

Separate read and write models for optimization.

```text
Write Path: Web App → Cosmos DB (write-optimized)
                 ↓ Change Feed
Read Path: Azure Search ← Cosmos DB (indexed, query-optimized)
```

Event Sourcing

Store events, not state. Rebuild state from event stream.

Benefits:

  • Complete audit trail
  • Temporal queries
  • Easy scaling
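An added Python sketch of an event-sourced inventory stream (not code from this skill): current state is folded from the append-only event list, `as_of` gives the temporal query, and a command's invariants are checked against the rebuilt state before its event is appended, so a rejected command leaves no trace. The `InventoryStream` class and the SKU history in `demo` are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Effect of each event kind on on-hand stock; the event list itself is never edited.
DELTA = {"StockReceived": +1, "StockReserved": -1, "ReservationReleased": +1}

@dataclass(frozen=True)
class Event:
    seq: int          # position in the stream, assigned on append
    at: datetime      # when it happened (events are appended in time order)
    kind: str
    sku: str
    qty: int

class InventoryStream:
    def __init__(self):
        self._events = []   # append-only: the audit trail and the source of truth

    def state(self, as_of=None):
        # Rebuild state by folding the stream; `as_of` answers "what was the stock at T?"
        stock = defaultdict(int)
        for e in self._events:
            if as_of is not None and e.at > as_of:
                break
            stock[e.sku] += DELTA[e.kind] * e.qty
        return dict(stock)

    def append(self, at, kind, sku, qty):
        # Invariants are checked against the rebuilt state; a rejected command records nothing.
        if kind == "StockReserved" and self.state().get(sku, 0) < qty:
            raise ValueError(f"insufficient stock for {sku}")
        self._events.append(Event(len(self._events) + 1, at, kind, sku, qty))

    def audit(self, sku):
        return [(e.seq, e.kind, e.qty) for e in self._events if e.sku == sku]

def demo():
    # Constructed three-day history for one SKU.
    t = lambda day: datetime(2026, 2, day, tzinfo=timezone.utc)
    s = InventoryStream()
    s.append(t(1), "StockReceived", "sku-42", 100)
    s.append(t(2), "StockReserved", "sku-42", 30)
    s.append(t(3), "ReservationReleased", "sku-42", 10)
    try:
        s.append(t(3), "StockReserved", "sku-42", 500)   # rejected: only 80 on hand
    except ValueError:
        pass
    return s.state()["sku-42"], s.state(as_of=t(2))["sku-42"], s.audit("sku-42")
```

For long streams, periodic snapshots of the folded state keep rebuild time bounded without giving up the full history.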

Database Performance

| Pattern | When to Use |
|---|---|
| Read replicas | Read-heavy workloads |
| Sharding | Data exceeds single node |
| Connection pooling | Many short-lived connections |
| Indexing strategy | Query performance issues |

Performance Checklist

  • Autoscaling configured and tested
  • CDN for static content
  • Redis cache for hot data
  • Database indexes reviewed
  • Connection pooling enabled
  • Load testing completed
  • Performance baselines established

Reference Architectures

Web Application (Standard)

```text
Internet → Front Door (CDN, WAF) → App Service
                                    ↓
                              Azure SQL + Redis Cache
                                    ↓
                              Key Vault, Storage
```

Microservices (Azure Kubernetes Service)

```text
Internet → API Management → AKS Ingress
                              ↓
                        Service Mesh (pods)
                              ↓
                        Cosmos DB, Service Bus
                              ↓
                        Azure Monitor, Key Vault
```

Serverless (Event-Driven)

```text
Event Sources → Event Grid → Azure Functions
                                   ↓
                              Cosmos DB, Storage
                                   ↓
                              Logic Apps (orchestration)
```

Quick Reference

SKU Selection Guide

| Tier | CPU | Memory | Use Case |
|---|---|---|---|
| B-series | Burstable | Variable | Dev/test |
| D-series | General | Balanced | Most production |
| E-series | Memory-optimized | High | In-memory databases |
| F-series | Compute-optimized | Low | CPU-intensive |

Common Anti-Patterns

| Anti-Pattern | Problem | Fix |
|---|---|---|
| Monolithic deployment | All or nothing | Microservices or modular |
| Hardcoded config | Environment-specific | App Configuration, Key Vault |
| Single region | No DR | Multi-region with Traffic Manager |
| Over-provisioned "just in case" | Wasted cost | Right-size + autoscale |
| No IaC | Drift, manual errors | Bicep/Terraform everything |

Module 6: MCP Tool Integration

Required Extensions & MCP Servers

| Component | ID / Name | Purpose |
|---|---|---|
| VS Code Extension | ms-azuretools.vscode-azure-github-copilot | Azure GitHub Copilot integration |
| VS Code Extension | ms-azuretools.vscode-azureresourcegroups | Azure resource management |
| VS Code Extension | ms-vscode.azure-account | Azure authentication |
| MCP Server | azure-mcp | 40+ Azure tools (cloudarchitect, docs, services) |

Installation:

```bash
# VS Code Extensions
code --install-extension ms-azuretools.vscode-azure-github-copilot
code --install-extension ms-azuretools.vscode-azureresourcegroups
code --install-extension ms-vscode.azure-account

# MCP Server (via VS Code settings.json or mcp.json)
# Enabled via chat.mcp.gallery.enabled = true
```

Fallback Patterns (When MCP Unavailable)

If Azure MCP tools are not available, use these alternatives:

| MCP Tool | Fallback Approach |
|---|---|
| cloudarchitect | Use WAF Assessment: https://aka.ms/waf-assessment |
| documentation | Search https://learn.microsoft.com/azure/architecture |
| get_bestpractices | Reference Azure Architecture Center patterns |
| Service-specific tools | Use Azure Portal or az CLI directly |

Manual Architecture Design Process:

  1. Review the WAF pillar checklists in Modules 1-5
  2. Use Azure Architecture Center reference architectures
  3. Validate with Azure Advisor in portal
  4. Apply patterns from this skill's modules

Available Azure MCP Tools

Alex has access to 40+ Azure MCP tools for real-time architecture assistance:

| Category | Tools | Use Cases |
|---|---|---|
| Architecture Design | mcp_azure_mcp_cloudarchitect | Interactive architecture design, WAF guidance |
| Documentation | mcp_azure_mcp_documentation | Search Azure docs, best practices |
| Best Practices | mcp_azure_mcp_get_bestpractices | Code gen, deployment, Functions patterns |
| Compute | mcp_azure_mcp_aks, mcp_azure_mcp_appservice, mcp_azure_mcp_functionapp | Container orchestration, web apps, serverless |
| Data | mcp_azure_mcp_cosmos, mcp_azure_mcp_sql, mcp_azure_mcp_postgres | Database recommendations |
| Security | mcp_azure_mcp_keyvault, mcp_azure_mcp_role | Secrets management, RBAC |
| Monitoring | mcp_azure_mcp_monitor, mcp_azure_mcp_applicationinsights | Observability setup |
| DevOps | mcp_azure_mcp_deploy, mcp_azure_mcp_azd | Deployment automation |

Cloud Architect Tool

The mcp_azure_mcp_cloudarchitect tool provides interactive guided architecture design:

```text
Invocation → Ask about user/company →
  Gather requirements →
    Build architecture by tier →
      Present with ASCII diagrams

Architecture Tiers:
├── Infrastructure (VNets, VMs, Load Balancers)
├── Platform (App Service, AKS, Functions)
├── Application (Logic Apps, API Management)
├── Data (SQL, Cosmos, Storage)
├── Security (Key Vault, WAF, DDoS)
└── Operations (Monitor, Log Analytics)
```

The tool tracks:

  • Explicit requirements — Directly stated by user
  • Implicit requirements — Inferred from context
  • Assumed requirements — Industry/domain defaults

Best Practices Tool

Use mcp_azure_mcp_get_bestpractices with these resource/action combinations:

| Resource | Actions |
|---|---|
| codegen | all — Code generation patterns |
| deployment | all — Deployment best practices |
| functions | all — Azure Functions patterns |
| swa | all — Static Web App guidance |
| coding-agent | all — MCP setup for repos |

When to Use MCP Tools

| Scenario | Tool | Why |
|---|---|---|
| "Design new Azure solution" | cloudarchitect | Interactive, pillar-aligned |
| "What's the best way to..." | documentation | Search official docs |
| "Generate Azure code" | get_bestpractices + specific tools | Current patterns |
| "Cost optimization review" | cloudarchitect + monitor | Full picture |
| "Security assessment" | keyvault + role + documentation | Multi-tool analysis |

Example: Interactive Architecture Session

```text
User: "Design a solution for a retail e-commerce platform"

Alex invokes: mcp_azure_mcp_cloudarchitect with:
  - intent: "Design e-commerce architecture"
  - nextQuestionNeeded: true
  - state: {initial}

Tool asks: "What's your role and company size?"
User: "CTO of a mid-size retailer"

Tool continues gathering:
  - Expected traffic patterns
  - Data residency requirements
  - Budget constraints
  - Compliance needs (PCI-DSS for payments)

Tool outputs:
  - Component table with SKU recommendations
  - ASCII architecture diagram
  - WAF pillar alignment
  - Cost estimation
```

Activation Patterns

| Trigger | Response |
|---|---|
| "Azure architecture", "cloud design" | Full skill activation |
| "reliability", "high availability", "resilience" | Module 1 |
| "security", "zero trust", "identity" | Module 2 |
| "cost", "optimize", "savings" | Module 3 |
| "IaC", "Bicep", "observability" | Module 4 |
| "performance", "scaling", "caching" | Module 5 |
| "MCP", "cloud architect tool", "Azure tools" | Module 6 |
| "design architecture interactively" | Invoke cloudarchitect tool |

Skill updated: 2026-02-14 | Category: Cloud/Infrastructure | Status: Active | MCP-Enhanced: Yes


Synapses

  • [.github/skills/observability/SKILL.md] (High, Enables, Bidirectional) - "Monitoring and observability patterns"
  • [.github/skills/project-scaffolding/SKILL.md] (Medium, Uses, Forward) - "Infrastructure-as-code project setup"
  • [.github/instructions/empirical-validation.instructions.md] (Medium, Validates, Forward) - "Architecture decisions require evidence"