Azure Architecture

Inputs Checklist

Collect before recommending architecture:

• Business criticality and recovery targets (RTO, RPO)
• Regulatory constraints and data residency requirements
• Environments (dev/test/stage/prod) and isolation model
• Connectivity requirements (Internet, on-prem, partner, multi-region)
• Identity model (Entra ID tenant boundaries, B2B/B2C needs)
• Cost envelope and scaling expectations
• Team operating model (central platform vs app team ownership)

Design Rules

Apply these rules consistently:

1. Separate platform foundation from workload subscriptions.
2. Use management groups and policy-as-code for guardrails first.
3. Use hub-and-spoke or Virtual WAN for shared connectivity at scale.
4. Prefer private service connectivity for sensitive data paths.
5. Standardize observability and security telemetry from day one.
6. Define failure domains and cross-zone/region strategy explicitly.
7. Design for least privilege with RBAC and managed identities.
8. Enforce tagging, naming, and budget controls at onboarding time.

Landing Zone Scope

Always include:

• Management group hierarchy and subscription vending pattern
• Identity and access boundary model
• Network topology and egress strategy
• Policy initiatives and exemption process
• Logging/monitoring architecture and retention controls
• Backup/DR posture and key workload dependencies
• Secure software supply chain and deployment guardrails

Output Contract

For every architecture answer:

1. Provide target-state architecture in concise bullets.
2. Explain major tradeoffs and why the recommendation fits.
3. List required guardrails and platform controls.
4. Provide phased rollout plan (foundation, migration, hardening).
5. Include validation checks, risks, and rollback strategy.

Delivery Templates

When useful, structure output as:

• Architecture Decision Record bullets for major choices
• Landing Zone Backlog with prioritized work items
• Control Matrix mapping risks to Azure controls