Azure Architecture | Skills Pool
Azure Architecture Microsoft Azure architecture patterns and best practices. Use when designing, deploying, or reviewing Azure infrastructure including AKS, App Service, Functions, CosmosDB, and Entra ID.
liauw-media 3 Sterne 11.01.2026 Beruf Kategorien Architekturmuster Microsoft Azure Architecture
Comprehensive guide for building secure, scalable infrastructure on Microsoft Azure.
When to Use
Designing Azure architecture for new projects
Deploying applications to Azure services
Setting up networking (VNet, NSGs)
Configuring Azure AD/Entra ID and RBAC
Working with AKS (Azure Kubernetes Service)
Integrating with Microsoft 365 ecosystem
Core Services Overview
Compute
Service Use Case Key Features Virtual Machines Full control Any OS, any workload AKS Managed Kubernetes Azure-integrated K8s App Service PaaS web apps Managed platform
Schnellinstallation
Azure Architecture npx skills add liauw-media/CodeAssist
Sterne 3
Aktualisiert 11.01.2026
Beruf Functions Serverless Event-driven, consumption
Container Apps Serverless containers Dapr, KEDA built-in
Container Instances Simple containers Quick deployment
Storage Service Use Case Key Features Blob Storage Object storage Hot/Cool/Archive tiers Azure Files SMB/NFS shares Cloud file storage Managed Disks Block storage (VMs) SSD/HDD options Queue Storage Message queuing Simple queues Table Storage NoSQL key-value Structured data
Database Service Use Case Key Features Azure SQL Managed SQL Server Hyperscale, serverless PostgreSQL Flexible Managed PostgreSQL Zone redundant CosmosDB Multi-model NoSQL Global distribution Cache for Redis In-memory cache Managed Redis
Networking Service Use Case Key Features VNet Virtual network Private networking Application Gateway Layer 7 LB WAF, SSL termination Load Balancer Layer 4 LB Regional/Global Front Door Global CDN + LB WAF, routing Private Endpoint Private connectivity PaaS over VNet
VNet Architecture
Hub-Spoke Topology ┌─────────────────────────────────────────────────────────────────┐
│ Hub VNet │
│ 10.0.0.0/16 │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌────────────────┐ │
│ │ Gateway Subnet │ │ Firewall Subnet │ │ Bastion Subnet │ │
│ │ 10.0.0.0/24 │ │ 10.0.1.0/24 │ │ 10.0.2.0/24 │ │
│ │ │ │ │ │ │ │
│ │ ┌─────────────┐ │ │ ┌─────────────┐ │ │ ┌────────────┐ │ │
│ │ │ VPN Gateway │ │ │ │ Azure │ │ │ │ Bastion │ │ │
│ │ └─────────────┘ │ │ │ Firewall │ │ │ └────────────┘ │ │
│ └─────────────────┘ │ └─────────────┘ │ └────────────────┘ │
│ └─────────────────┘ │
└──────────────────────────────┬──────────────────────────────────┘
│ Peering
┌──────────────────────┼──────────────────────┐
│ │ │
▼ ▼ ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Spoke: Prod │ │ Spoke: Dev │ │ Spoke: Shared │
│ 10.1.0.0/16 │ │ 10.2.0.0/16 │ │ 10.3.0.0/16 │
│ │ │ │ │ │
│ App + Data │ │ App + Data │ │ DNS, AD DS │
│ Subnets │ │ Subnets │ │ Monitoring │
└───────────────┘ └───────────────┘ └───────────────┘
# Resource Group
resource "azurerm_resource_group" "main" {
name = "${var.project}-${var.environment}-rg"
location = var.location
tags = local.common_tags
}
# Virtual Network
resource "azurerm_virtual_network" "main" {
name = "${var.project}-${var.environment}-vnet"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
address_space = ["10.0.0.0/16"]
tags = local.common_tags
}
# Subnets
resource "azurerm_subnet" "app" {
name = "app-subnet"
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = azurerm_virtual_network.main.name
address_prefixes = ["10.0.1.0/24"]
delegation {
name = "app-service-delegation"
service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
resource "azurerm_subnet" "data" {
name = "data-subnet"
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = azurerm_virtual_network.main.name
address_prefixes = ["10.0.2.0/24"]
service_endpoints = [
"Microsoft.Sql",
"Microsoft.Storage",
"Microsoft.KeyVault"
]
}
resource "azurerm_subnet" "aks" {
name = "aks-subnet"
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = azurerm_virtual_network.main.name
address_prefixes = ["10.0.10.0/22"]
}
# Network Security Group
resource "azurerm_network_security_group" "app" {
name = "${var.project}-app-nsg"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
security_rule {
name = "AllowHTTPS"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "DenyAllInbound"
priority = 4096
direction = "Inbound"
access = "Deny"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
tags = local.common_tags
}
resource "azurerm_subnet_network_security_group_association" "app" {
subnet_id = azurerm_subnet.app.id
network_security_group_id = azurerm_network_security_group.app.id
}
Azure AD / Entra ID
Managed Identity # User Assigned Managed Identity
resource "azurerm_user_assigned_identity" "app" {
name = "${var.project}-app-identity"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
}
# Role Assignment - Storage
resource "azurerm_role_assignment" "storage" {
scope = azurerm_storage_account.main.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_user_assigned_identity.app.principal_id
}
# Role Assignment - Key Vault
resource "azurerm_role_assignment" "keyvault" {
scope = azurerm_key_vault.main.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.app.principal_id
}
# Role Assignment - SQL
resource "azurerm_role_assignment" "sql" {
scope = azurerm_mssql_server.main.id
role_definition_name = "SQL DB Contributor"
principal_id = azurerm_user_assigned_identity.app.principal_id
}
Service Principal (CI/CD) # For CI/CD pipelines
resource "azuread_application" "cicd" {
display_name = "${var.project}-cicd"
}
resource "azuread_service_principal" "cicd" {
client_id = azuread_application.cicd.client_id
}
resource "azuread_service_principal_password" "cicd" {
service_principal_id = azuread_service_principal.cicd.id
end_date_relative = "8760h" # 1 year
}
# Grant Contributor to Resource Group
resource "azurerm_role_assignment" "cicd" {
scope = azurerm_resource_group.main.id
role_definition_name = "Contributor"
principal_id = azuread_service_principal.cicd.object_id
}
AKS (Azure Kubernetes Service)
Production AKS Cluster resource "azurerm_kubernetes_cluster" "main" {
name = "${var.project}-aks"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
dns_prefix = var.project
kubernetes_version = var.kubernetes_version
default_node_pool {
name = "system"
node_count = 3
vm_size = "Standard_D4s_v3"
vnet_subnet_id = azurerm_subnet.aks.id
zones = ["1", "2", "3"]
enable_auto_scaling = true
min_count = 3
max_count = 10
node_labels = {
"nodepool" = "system"
}
}
identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.aks.id]
}
network_profile {
network_plugin = "azure"
network_policy = "azure"
load_balancer_sku = "standard"
outbound_type = "loadBalancer"
}
oidc_issuer_enabled = true
workload_identity_enabled = true
azure_active_directory_role_based_access_control {
managed = true
azure_rbac_enabled = true
admin_group_object_ids = [var.aks_admin_group_id]
}
key_vault_secrets_provider {
secret_rotation_enabled = true
secret_rotation_interval = "2m"
}
oms_agent {
log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id
}
microsoft_defender {
log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id
}
tags = local.common_tags
}
# User Node Pool
resource "azurerm_kubernetes_cluster_node_pool" "user" {
name = "user"
kubernetes_cluster_id = azurerm_kubernetes_cluster.main.id
vm_size = "Standard_D8s_v3"
zones = ["1", "2", "3"]
enable_auto_scaling = true
min_count = 2
max_count = 20
vnet_subnet_id = azurerm_subnet.aks.id
node_labels = {
"nodepool" = "user"
}
node_taints = []
tags = local.common_tags
}
App Service
Web App with Slots resource "azurerm_service_plan" "main" {
name = "${var.project}-plan"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
os_type = "Linux"
sku_name = var.environment == "prod" ? "P2v3" : "B1"
}
resource "azurerm_linux_web_app" "main" {
name = "${var.project}-app"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
service_plan_id = azurerm_service_plan.main.id
https_only = true
identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.app.id]
}
site_config {
always_on = var.environment == "prod"
http2_enabled = true
minimum_tls_version = "1.2"
ftps_state = "Disabled"
vnet_route_all_enabled = true
application_stack {
node_version = "20-lts"
}
health_check_path = "/health"
}
app_settings = {
WEBSITES_ENABLE_APP_SERVICE_STORAGE = "false"
NODE_ENV = "production"
KEY_VAULT_URI = azurerm_key_vault.main.vault_uri
}
connection_string {
name = "Database"
type = "SQLAzure"
value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_connection.id})"
}
virtual_network_subnet_id = azurerm_subnet.app.id
logs {
http_logs {
file_system {
retention_in_days = 7
retention_in_mb = 35
}
}
}
tags = local.common_tags
}
# Deployment Slot
resource "azurerm_linux_web_app_slot" "staging" {
name = "staging"
app_service_id = azurerm_linux_web_app.main.id
site_config {
always_on = false
http2_enabled = true
minimum_tls_version = "1.2"
application_stack {
node_version = "20-lts"
}
}
app_settings = azurerm_linux_web_app.main.app_settings
tags = local.common_tags
}
Azure SQL
SQL Database resource "azurerm_mssql_server" "main" {
name = "${var.project}-sql"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
version = "12.0"
administrator_login = var.sql_admin_username
administrator_login_password = random_password.sql.result
minimum_tls_version = "1.2"
public_network_access_enabled = false
azuread_administrator {
login_username = "AzureAD Admin"
object_id = var.sql_aad_admin_object_id
azuread_authentication_only = var.environment == "prod"
}
identity {
type = "SystemAssigned"
}
tags = local.common_tags
}
resource "azurerm_mssql_database" "main" {
name = var.database_name
server_id = azurerm_mssql_server.main.id
collation = "SQL_Latin1_General_CP1_CI_AS"
max_size_gb = 100
sku_name = var.environment == "prod" ? "GP_S_Gen5_4" : "Basic"
zone_redundant = var.environment == "prod"
storage_account_type = "Zone"
short_term_retention_policy {
retention_days = 7
backup_interval_in_hours = 12
}
long_term_retention_policy {
weekly_retention = var.environment == "prod" ? "P4W" : null
monthly_retention = var.environment == "prod" ? "P12M" : null
}
threat_detection_policy {
state = "Enabled"
email_account_admins = "Enabled"
retention_days = 30
}
tags = local.common_tags
}
# Private Endpoint
resource "azurerm_private_endpoint" "sql" {
name = "${var.project}-sql-pe"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
subnet_id = azurerm_subnet.data.id
private_service_connection {
name = "${var.project}-sql-psc"
private_connection_resource_id = azurerm_mssql_server.main.id
is_manual_connection = false
subresource_names = ["sqlServer"]
}
private_dns_zone_group {
name = "sql-dns-zone-group"
private_dns_zone_ids = [azurerm_private_dns_zone.sql.id]
}
}
Key Vault
Secure Secrets Management resource "azurerm_key_vault" "main" {
name = "${var.project}-kv"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
soft_delete_retention_days = 90
purge_protection_enabled = var.environment == "prod"
enable_rbac_authorization = true
public_network_access_enabled = false
network_acls {
default_action = "Deny"
bypass = "AzureServices"
virtual_network_subnet_ids = [azurerm_subnet.app.id]
}
tags = local.common_tags
}
resource "azurerm_key_vault_secret" "db_connection" {
name = "db-connection-string"
value = "Server=tcp:${azurerm_mssql_server.main.fully_qualified_domain_name};Database=${var.database_name};..."
key_vault_id = azurerm_key_vault.main.id
depends_on = [azurerm_role_assignment.kv_admin]
}
Storage Account
Secure Blob Storage resource "azurerm_storage_account" "main" {
name = "${replace(var.project, "-", "")}storage"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
account_tier = "Standard"
account_replication_type = var.environment == "prod" ? "GRS" : "LRS"
account_kind = "StorageV2"
min_tls_version = "TLS1_2"
allow_nested_items_to_be_public = false
public_network_access_enabled = false
blob_properties {
versioning_enabled = true
delete_retention_policy {
days = 30
}
container_delete_retention_policy {
days = 30
}
}
network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
virtual_network_subnet_ids = [azurerm_subnet.app.id]
}
identity {
type = "SystemAssigned"
}
tags = local.common_tags
}
resource "azurerm_storage_container" "data" {
name = "data"
storage_account_name = azurerm_storage_account.main.name
container_access_type = "private"
}
# Lifecycle Management
resource "azurerm_storage_management_policy" "main" {
storage_account_id = azurerm_storage_account.main.id
rule {
name = "archive-old-blobs"
enabled = true
filters {
blob_types = ["blockBlob"]
prefix_match = ["data/"]
}
actions {
base_blob {
tier_to_cool_after_days_since_modification_greater_than = 30
tier_to_archive_after_days_since_modification_greater_than = 90
delete_after_days_since_modification_greater_than = 365
}
}
}
}
CLI Reference # Auth
az login
az account set --subscription "SUBSCRIPTION_NAME"
az account show
# Resource Groups
az group list
az group create --name mygroup --location eastus
# AKS
az aks get-credentials --resource-group mygroup --name mycluster
az aks list
az aks scale --resource-group mygroup --name mycluster --node-count 5
# App Service
az webapp list
az webapp deployment source config-zip --resource-group mygroup --name myapp --src app.zip
az webapp deployment slot swap --resource-group mygroup --name myapp --slot staging
# SQL
az sql db list --resource-group mygroup --server myserver
az sql db show-connection-string --server myserver --name mydb --client ado.net
# Storage
az storage blob list --container-name mycontainer --account-name mystorage
az storage blob upload --container-name mycontainer --file local.txt --name remote.txt
# Key Vault
az keyvault secret list --vault-name myvault
az keyvault secret show --vault-name myvault --name mysecret
az keyvault secret set --vault-name myvault --name mysecret --value "value"
Security Checklist
Integration
/terraform - Azure provider configuration/k8s - AKS deployments/devops - Azure DevOps pipelines/security - Azure security review 02
When to Use