Deploying On Azure

Azure Well-Architected Framework (Five Pillars)

Reference references/well-architected.md for detailed pillar implementation patterns.

Compute Service Selection

Decision Framework

Container-based workload?
  YES → Need Kubernetes control plane?
          YES → Azure Kubernetes Service (AKS)
          NO → Azure Container Apps (recommended)
  NO → Event-driven function?
         YES → Azure Functions
         NO → Web application?
                YES → Azure App Service
                NO → Legacy/specialized → Virtual Machines

Service Comparison

Recommendation: Start with Azure Container Apps for 80% of containerized workloads (simpler and cheaper than AKS).

Reference references/compute-services.md for detailed comparison with Bicep and Terraform examples.

Storage Architecture

Blob Storage Tier Selection

Pattern: Use lifecycle management policies to automatically move data to lower-cost tiers.

Storage Service Decision

File system interface required?
  YES → Protocol?
          SMB → Azure Files (or NetApp Files for high performance)
          NFS → Azure Files (NFS 4.1)
  NO → Object storage → Blob Storage
       Block storage → Managed Disks (Standard/Premium SSD/Ultra)
       Analytics → Data Lake Storage Gen2

Reference references/storage-patterns.md for lifecycle policies, redundancy options, and performance tuning.

Database Service Selection

Decision Framework

Relational data?
  YES → SQL Server compatible?
          YES → Need VM-level access?
                  YES → SQL Managed Instance
                  NO → Azure SQL Database
          NO → Open source?
                 PostgreSQL → PostgreSQL Flexible Server
                 MySQL → MySQL Flexible Server
  NO → Data model?
         Document/JSON → Cosmos DB (NoSQL API)
         Graph → Cosmos DB (Gremlin API)
         Wide-column → Cosmos DB (Cassandra API)
         Key-value cache → Azure Cache for Redis
         Time-series → Azure Data Explorer

Cosmos DB Consistency Levels

Reference references/database-selection.md for capacity planning, indexing strategies, and migration patterns.

AI and Machine Learning Integration

Azure OpenAI Service

Use Cases:

• Chatbots and conversational AI (GPT-4)
• Content generation and summarization
• Semantic search with embeddings (RAG pattern)
• Code generation and completion
• Function calling for structured outputs

Key Advantages:

• Enterprise data privacy (no model training on customer data)
• Regional deployment for data residency
• Microsoft enterprise SLAs
• Built-in content filtering

Integration Pattern:

from openai import AzureOpenAI
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
client = AzureOpenAI(
    azure_endpoint="https://myopenai.openai.azure.com",
    azure_ad_token_provider=token_provider,
    api_version="2024-02-15-preview"
)

response = client.chat.completions.create(
    model="gpt-4-turbo",
    messages=[{"role": "user", "content": "Hello!"}]
)

Other AI Services

Reference references/ai-integration.md for RAG architecture, function calling, and fine-tuning patterns.

Messaging and Integration

Service Selection Matrix

When to Use What:

• Service Bus: Reliable messaging with transactions (e.g., order processing)
• Event Grid: React to Azure resource events (e.g., blob created, VM stopped)
• Event Hubs: High-throughput streaming (e.g., IoT telemetry, application logs)

Reference references/messaging-patterns.md for implementation examples, retry policies, and dead-letter handling.

Networking Architecture

Private Endpoints vs. Service Endpoints

Best Practice: Use Private Endpoints for all PaaS services in production (treat public endpoints as anti-pattern).

Hub-and-Spoke Topology

Components:

• Hub VNet: Shared services (Azure Firewall, VPN Gateway, Private Endpoints)
• Spoke VNets: Application workloads (isolated per environment or team)
• VNet Peering: Low-latency connectivity between hub and spokes

Benefits:

• Centralized security (firewall, DNS)
• Cost optimization (shared egress)
• Simplified governance

Reference references/networking-architecture.md for hub-spoke Bicep templates, NSG patterns, and DNS configuration.

Identity and Access Management

Managed Identity Pattern

Always use Managed Identity instead of:

• Connection strings in code
• Storage account keys
• Service principal credentials
• API keys

System-Assigned vs. User-Assigned:

Example Flow:

1. Enable Managed Identity on Container App
2. Grant identity access to Key Vault (RBAC or Access Policy)
3. Application authenticates automatically (no credentials)

from azure.identity import DefaultAzureCredential

# Works automatically with Managed Identity
credential = DefaultAzureCredential()
keyvault_client = SecretClient(vault_url="...", credential=credential)

Azure RBAC Best Practices

• Use built-in roles when possible (Owner, Contributor, Reader)
• Apply least privilege principle
• Assign roles at resource group level (not subscription)
• Use Azure AD groups for user management
• Audit role assignments regularly

Reference references/identity-access.md for Entra ID integration, Conditional Access policies, and B2C patterns.

Governance and Compliance

Azure Policy for Guardrails

Common Policy Patterns:

• Require tags on all resources (Environment, Owner, CostCenter)
• Restrict allowed Azure regions
• Enforce TLS 1.2 minimum
• Require Private Endpoints for storage accounts
• Deny public IP addresses on VMs

Policy Effects:

• Deny: Block non-compliant resource creation
• Audit: Log non-compliance but allow creation
• DeployIfNotExists: Auto-remediate missing configurations
• Modify: Change resource properties during deployment

Cost Management

Optimization Strategies:

Monitoring:

• Set budgets and alerts in Azure Cost Management
• Review Azure Advisor cost recommendations weekly
• Tag resources for cost allocation
• Use FinOps Toolkit for Power BI dashboards

Reference references/governance-compliance.md for Azure Landing Zones, Policy definitions, and Blueprints.

Infrastructure as Code

Tool Selection

Recommendation:

• Use Bicep for Azure-only infrastructure (best Azure integration, native type safety)
• Use Terraform for multi-cloud or existing Terraform shops
• Use Azure CLI for quick scripts and CI/CD automation

Bicep Best Practices

• Use parameter files for environment-specific values
• Leverage Azure Verified Modules (AVM) for tested patterns
• Organize by resource lifecycle (networking, data, compute)
• Use symbolic names (not string interpolation)
• Enable linting and validation in CI/CD

Reference Bicep and Terraform examples in examples/bicep/ and examples/terraform/ directories.

Security Best Practices

Essential Security Controls

Defense-in-Depth Layers

1. Network: Private Endpoints, NSGs, Azure Firewall
2. Identity: Entra ID, Managed Identity, Conditional Access
3. Application: Web Application Firewall, API Management
4. Data: Encryption at rest, encryption in transit (TLS 1.2+)
5. Monitoring: Microsoft Defender, Azure Monitor, Sentinel

Reference references/security-architecture.md (see also security-hardening and auth-security skills).

Cost Estimation

Pricing Considerations

Compute:

• Container Apps: ~$60/month (1 vCPU, 2GB RAM, 24/7)
• AKS: ~$400/month (3-node D4s_v5 cluster)
• App Service P1v3: ~$145/month (2 vCPU, 8GB RAM)
• Functions Consumption: ~$0.20 per 1M executions

Storage:

• Blob Hot: $0.018/GB/month
• Blob Cool: $0.010/GB/month
• Blob Archive: $0.00099/GB/month
• Managed Disks Premium SSD: $0.15/GB/month

Database:

• Azure SQL Database (2 vCores): ~$280/month
• Cosmos DB Serverless: Pay per RU consumed
• PostgreSQL Flexible (2 vCores): ~$125/month

Use Azure Pricing Calculator: https://azure.microsoft.com/pricing/calculator/

Quick Reference Tables

Compute Service Decision Matrix

Storage Service Decision Matrix

Database Service Decision Matrix

Integration with Other Skills

• infrastructure-as-code: Implement Azure patterns using Bicep or Terraform
• kubernetes-operations: AKS-specific configuration and operations
• deploying-applications: Container Apps and App Service deployment
• building-ci-pipelines: Azure DevOps and GitHub Actions integration
• auth-security: Entra ID authentication and authorization patterns
• observability: Azure Monitor and Application Insights
• ai-chat: Azure OpenAI Service for chat applications
• databases-nosql: Cosmos DB implementation details
• secret-management: Azure Key Vault integration patterns

Reference Documentation

For detailed implementation guidance, see:

• references/compute-services.md - Container Apps, AKS, Functions, App Service with Bicep/Terraform
• references/storage-patterns.md - Blob Storage, Files, Disks, lifecycle management
• references/database-selection.md - SQL Database, Cosmos DB, PostgreSQL patterns
• references/ai-integration.md - Azure OpenAI, RAG architecture, function calling
• references/messaging-patterns.md - Service Bus, Event Grid, Event Hubs examples
• references/networking-architecture.md - Hub-spoke, Private Endpoints, DNS configuration
• references/identity-access.md - Entra ID, Managed Identity, RBAC
• references/governance-compliance.md - Azure Policy, Landing Zones, cost optimization
• references/well-architected.md - Five pillars implementation guide

Code Examples

Working examples available in:

• examples/bicep/ - Infrastructure templates (Container Apps, AKS, networking, databases)
• examples/terraform/ - Multi-cloud IaC examples
• examples/sdk/python/ - Python SDK integration (OpenAI, Managed Identity, messaging)
• examples/sdk/typescript/ - TypeScript SDK examples

Additional Resources

• Azure Architecture Center: https://learn.microsoft.com/azure/architecture/
• Azure Well-Architected Framework: https://learn.microsoft.com/azure/well-architected/
• Azure Verified Modules: https://aka.ms/avm
• Azure Charts (Service Comparison): https://azurecharts.com/
• Azure Updates: https://azure.microsoft.com/updates/