deploying-on-azure

Design and implement Azure cloud architectures using best practices for compute, storage, databases, AI services, networking, and governance. Use when building applications on Microsoft Azure or migrating workloads to the Azure cloud platform.

Best use case

deploying-on-azure is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using deploying-on-azure should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/deploying-on-azure/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/devops/deploying-on-azure/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/deploying-on-azure/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How deploying-on-azure Compares

| Feature / Agent | deploying-on-azure | Standard Approach |
|-----------------|--------------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

SKILL.md Source

# Azure Patterns

Design and implement Azure cloud architectures following Microsoft's Well-Architected Framework and best practices for service selection, cost optimization, and security.

## When to Use

Use this skill when:
- Designing new applications for Azure cloud
- Selecting Azure compute services (Container Apps, AKS, Functions, App Service)
- Architecting storage solutions (Blob Storage, Files, Cosmos DB)
- Integrating Azure OpenAI or Cognitive Services
- Implementing messaging patterns (Service Bus, Event Grid, Event Hubs)
- Designing secure networks with Private Endpoints
- Applying Azure governance and compliance policies
- Optimizing Azure costs and performance

## Core Concepts

### Service Selection Philosophy

Azure offers 200+ services. Choose based on:
1. **Managed vs. IaaS** - Prefer fully managed services (lower operational burden)
2. **Cost Model** - Consumption vs. dedicated capacity
3. **Integration Requirements** - Microsoft 365, Active Directory, hybrid cloud
4. **Control vs. Simplicity** - More control = more operational overhead

### Azure Well-Architected Framework (Five Pillars)

| Pillar | Focus | Key Practices |
|--------|-------|---------------|
| **Cost Optimization** | Maximize value within budget | Reserved Instances, auto-scaling, lifecycle management |
| **Operational Excellence** | Run reliable systems | Azure Policy, automation, monitoring |
| **Performance Efficiency** | Scale to meet demand | Autoscaling, caching, CDN |
| **Reliability** | Recover from failures | Availability Zones, multi-region, backup |
| **Security** | Protect data and assets | Managed Identity, Private Endpoints, Key Vault |

Reference `references/well-architected.md` for detailed pillar implementation patterns.

## Compute Service Selection

### Decision Framework

```
Container-based workload?
  YES → Need Kubernetes control plane?
          YES → Azure Kubernetes Service (AKS)
          NO → Azure Container Apps (recommended)
  NO → Event-driven function?
         YES → Azure Functions
         NO → Web application?
                YES → Azure App Service
                NO → Legacy/specialized → Virtual Machines
```

### Service Comparison

| Service | Best For | Pricing Model | Operational Overhead |
|---------|----------|---------------|---------------------|
| **Container Apps** | Microservices, APIs, background jobs | Consumption or dedicated | Low |
| **AKS** | Complex K8s workloads, service mesh | Node-based | High |
| **Functions** | Event-driven, short tasks (<10 min) | Consumption or premium | Low |
| **App Service** | Web apps, simple APIs | Dedicated plans | Low |
| **Virtual Machines** | Legacy apps, specialized software | VM-based | High |

**Recommendation:** Start with Azure Container Apps for 80% of containerized workloads (simpler and cheaper than AKS).

Reference `references/compute-services.md` for detailed comparison with Bicep and Terraform examples.

## Storage Architecture

### Blob Storage Tier Selection

| Tier | Access Pattern | Cost/GB/Month | Minimum Storage Duration |
|------|---------------|---------------|--------------------------|
| **Hot** | Daily access | $0.018 | None |
| **Cool** | Accessed less than once a month | $0.010 | 30 days |
| **Cold** | Accessed less than once every 90 days | $0.0045 | 90 days |
| **Archive** | Rare access | $0.00099 | 180 days |

**Pattern:** Use lifecycle management policies to automatically move data to lower-cost tiers.
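As an added example (not one of the skill's `examples/bicep/` templates), the lifecycle policy below walks blobs down the tiers in the table on the minimum-duration boundaries; the storage account name, the `logs/` prefix and the 365-day deletion are assumptions.

```bicep
// Added example: storage account plus a lifecycle policy that moves blobs
// Hot -> Cool -> Cold -> Archive. The day thresholds are chosen so each
// blob stays in a tier at least its minimum duration (30/90/180 days).
param storageAccountName string            // assumption: supplied by caller
param location string = resourceGroup().location

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    accessTier: 'Hot'                      // new blobs land in Hot
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false           // no anonymous container access
  }
}

resource lifecycle 'Microsoft.Storage/storageAccounts/managementPolicies@2023-01-01' = {
  parent: storage
  name: 'default'                          // the policy resource must be named 'default'
  properties: {
    policy: {
      rules: [
        {
          name: 'tier-down-logs'
          enabled: true
          type: 'Lifecycle'
          definition: {
            filters: {
              blobTypes: [
                'blockBlob'
              ]
              prefixMatch: [
                'logs/'                    // assumption: container 'logs' only
              ]
            }
            actions: {
              baseBlob: {
                tierToCool: {
                  daysAfterModificationGreaterThan: 30
                }
                tierToCold: {
                  daysAfterModificationGreaterThan: 90
                }
                tierToArchive: {
                  daysAfterModificationGreaterThan: 180
                }
                delete: {
                  daysAfterModificationGreaterThan: 365   // assumption: retention period
                }
              }
            }
          }
        }
      ]
    }
  }
}
```

Moving a blob out of a tier before its minimum duration does not fail, it incurs an early-deletion charge, so the thresholds above are what keep the policy cost-neutral.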

### Storage Service Decision

```
File system interface required?
  YES → Protocol?
          SMB → Azure Files (or NetApp Files for high performance)
          NFS → Azure Files (NFS 4.1)
  NO → Object storage → Blob Storage
       Block storage → Managed Disks (Standard/Premium SSD/Ultra)
       Analytics → Data Lake Storage Gen2
```

Reference `references/storage-patterns.md` for lifecycle policies, redundancy options, and performance tuning.

## Database Service Selection

### Decision Framework

```
Relational data?
  YES → SQL Server compatible?
          YES → Need VM-level access?
                  YES → SQL Managed Instance
                  NO → Azure SQL Database
          NO → Open source?
                 PostgreSQL → PostgreSQL Flexible Server
                 MySQL → MySQL Flexible Server
  NO → Data model?
         Document/JSON → Cosmos DB (NoSQL API)
         Graph → Cosmos DB (Gremlin API)
         Wide-column → Cosmos DB (Cassandra API)
         Key-value cache → Azure Cache for Redis
         Time-series → Azure Data Explorer
```

### Cosmos DB Consistency Levels

| Level | Use Case | Latency | Throughput |
|-------|----------|---------|------------|
| **Strong** | Financial transactions, inventory | Highest | Lowest |
| **Bounded Staleness** | Real-time leaderboards with acceptable lag | High | Low |
| **Session** | Shopping carts, user sessions (default) | Medium | Medium |
| **Consistent Prefix** | Social feeds, IoT telemetry | Low | High |
| **Eventual** | Analytics, ML training data | Lowest | Highest |

Reference `references/database-selection.md` for capacity planning, indexing strategies, and migration patterns.

## AI and Machine Learning Integration

### Azure OpenAI Service

**Use Cases:**
- Chatbots and conversational AI (GPT-4)
- Content generation and summarization
- Semantic search with embeddings (RAG pattern)
- Code generation and completion
- Function calling for structured outputs

**Key Advantages:**
- Enterprise data privacy (no model training on customer data)
- Regional deployment for data residency
- Microsoft enterprise SLAs
- Built-in content filtering

**Integration Pattern:**
```python
from azure.identity import DefaultAzureCredential, get_bearer_token_provider
from openai import AzureOpenAI

# Managed Identity on Azure, developer credentials (CLI, VS Code) locally;
# no API key is stored in code or configuration
credential = DefaultAzureCredential()

# Entra ID token provider scoped to the Azure OpenAI (Cognitive Services) audience
token_provider = get_bearer_token_provider(
    credential, "https://cognitiveservices.azure.com/.default"
)

client = AzureOpenAI(
    azure_endpoint="https://myopenai.openai.azure.com",
    azure_ad_token_provider=token_provider,
    api_version="2024-02-15-preview",
)

response = client.chat.completions.create(
    model="gpt-4-turbo",  # the deployment name, not the base model name
    messages=[{"role": "user", "content": "Hello!"}],
)
print(response.choices[0].message.content)
```

### Other AI Services

| Service | Purpose | Common Use Cases |
|---------|---------|------------------|
| **Cognitive Services** | Pre-built AI models | Vision, Speech, Language, Decision |
| **Azure Machine Learning** | Custom model training | MLOps, model deployment, feature engineering |
| **Azure AI Search** | Semantic search engine | RAG patterns, document search |

Reference `references/ai-integration.md` for RAG architecture, function calling, and fine-tuning patterns.

## Messaging and Integration

### Service Selection Matrix

| Service | Pattern | Message Size | Ordering | Transactions | Best For |
|---------|---------|--------------|----------|--------------|----------|
| **Service Bus** | Queue/Topic | 256 KB - 100 MB | Yes (sessions) | Yes | Enterprise messaging |
| **Event Grid** | Pub/Sub | 1 MB | No | No | Event-driven architectures |
| **Event Hubs** | Streaming | 1 MB | Yes (partitions) | No | Big data ingestion, telemetry |
| **Storage Queues** | Simple queue | 64 KB | No | No | Async work, <500k msgs/sec |

**When to Use What:**
- **Service Bus:** Reliable messaging with transactions (e.g., order processing)
- **Event Grid:** React to Azure resource events (e.g., blob created, VM stopped)
- **Event Hubs:** High-throughput streaming (e.g., IoT telemetry, application logs)

Reference `references/messaging-patterns.md` for implementation examples, retry policies, and dead-letter handling.

## Networking Architecture

### Private Endpoints vs. Service Endpoints

| Aspect | Private Endpoint | Service Endpoint |
|--------|------------------|------------------|
| **Security Model** | Private IP in VNet | Optimized route to public endpoint |
| **Data Exfiltration Protection** | Yes (network-isolated) | Limited (service firewall only) |
| **Cost** | ~$7.30/month per endpoint | Free |
| **Recommendation** | Production workloads | Dev/test environments |

**Best Practice:** Use Private Endpoints for all PaaS services in production and treat an exposed public endpoint as an anti-pattern.

### Hub-and-Spoke Topology

**Components:**
- **Hub VNet:** Shared services (Azure Firewall, VPN Gateway, Private Endpoints)
- **Spoke VNets:** Application workloads (isolated per environment or team)
- **VNet Peering:** Low-latency connectivity between hub and spokes

**Benefits:**
- Centralized security (firewall, DNS)
- Cost optimization (shared egress)
- Simplified governance

Reference `references/networking-architecture.md` for hub-spoke Bicep templates, NSG patterns, and DNS configuration.

## Identity and Access Management

### Managed Identity Pattern

**Always use Managed Identity instead of:**
- Connection strings in code
- Storage account keys
- Service principal credentials
- API keys

**System-Assigned vs. User-Assigned:**

| Type | Lifecycle | Use Case |
|------|-----------|----------|
| **System-Assigned** | Tied to resource | Single resource needs access |
| **User-Assigned** | Independent | Multiple resources share identity |

**Example Flow:**
1. Enable Managed Identity on Container App
2. Grant identity access to Key Vault (RBAC or Access Policy)
3. Application authenticates automatically (no credentials)

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# Works automatically with Managed Identity when running on Azure;
# falls back to developer credentials (e.g. Azure CLI) on a workstation
credential = DefaultAzureCredential()
keyvault_client = SecretClient(vault_url="...", credential=credential)  # vault_url: the Key Vault URI
```
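Steps 1 and 2 of the flow above in Bicep, as an added example rather than one of the skill's own templates: the app name, image, Container Apps environment id and vault name are assumptions, and the vault is assumed to use RBAC authorization.

```bicep
// Added example: a Container App with a system-assigned identity that is
// granted only "Key Vault Secrets User" on one vault. No access key,
// connection string or client secret is created anywhere in this template.
param appName string                       // assumption
param location string = resourceGroup().location
param environmentId string                 // assumption: existing Container Apps environment
param image string                         // assumption: container image reference
param keyVaultName string                  // assumption: vault with enableRbacAuthorization

// Built-in role "Key Vault Secrets User": read secret contents only
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource app 'Microsoft.App/containerApps@2024-03-01' = {
  name: appName
  location: location
  identity: {
    type: 'SystemAssigned'                 // step 1: identity lifecycle tied to the app
  }
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      ingress: {
        external: false                    // internal-only ingress
        targetPort: 8080
      }
    }
    template: {
      containers: [
        {
          name: 'api'
          image: image
          env: [
            {
              name: 'KEY_VAULT_URL'        // the app reads this and uses DefaultAzureCredential
              value: kv.properties.vaultUri
            }
          ]
        }
      ]
    }
  }
}

// Step 2: least-privilege RBAC grant scoped to the vault, not the resource group
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, app.id, keyVaultSecretsUserRoleId)   // deterministic, idempotent name
  scope: kv
  properties: {
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'      // avoids the replication race for new identities
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
  }
}
```

Step 3 is the Python snippet above: `DefaultAzureCredential` picks up the system-assigned identity at runtime, so nothing in the container image or its configuration is a secret worth stealing.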

### Azure RBAC Best Practices

- Use built-in roles when possible (Owner, Contributor, Reader)
- Apply least privilege principle
- Assign roles at resource group level (not subscription)
- Use Azure AD groups for user management
- Audit role assignments regularly

Reference `references/identity-access.md` for Entra ID integration, Conditional Access policies, and B2C patterns.

## Governance and Compliance

### Azure Policy for Guardrails

**Common Policy Patterns:**
- Require tags on all resources (Environment, Owner, CostCenter)
- Restrict allowed Azure regions
- Enforce TLS 1.2 minimum
- Require Private Endpoints for storage accounts
- Deny public IP addresses on VMs

**Policy Effects:**
- **Deny:** Block non-compliant resource creation
- **Audit:** Log non-compliance but allow creation
- **DeployIfNotExists:** Auto-remediate missing configurations
- **Modify:** Change resource properties during deployment
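One of the guardrails listed above ("Enforce TLS 1.2 minimum") as a custom policy definition plus assignment in Bicep; this is an added example, not a definition from the skill's `references/governance-compliance.md`, and the definition and assignment names are assumptions.

```bicep
// Added example: deny (or audit) storage accounts whose minimum TLS version is
// missing or weaker than TLS1_2, deployed at subscription scope. The effect is
// a parameter so the rule can be rolled out as Audit first and switched to
// Deny once existing resources are compliant.
targetScope = 'subscription'

@allowed([
  'Audit'
  'Deny'
])
param effect string = 'Deny'               // assumption: Deny from the start

resource tlsPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-storage-tls12'            // assumption: definition name
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'                        // only resource types that support tags and location
    displayName: 'Storage accounts must set minimum TLS version to TLS1_2'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [
          'Audit'
          'Deny'
        ]
        defaultValue: 'Audit'
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            // Catch both an omitted setting and an explicit weaker one
            anyOf: [
              {
                field: 'Microsoft.Storage/storageAccounts/minimumTlsVersion'
                exists: 'false'
              }
              {
                field: 'Microsoft.Storage/storageAccounts/minimumTlsVersion'
                notIn: [
                  'TLS1_2'                 // extend this allow-list when a newer version is approved
                ]
              }
            ]
          }
        ]
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

resource tlsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-storage-tls12'            // assumption: assignment name
  properties: {
    displayName: 'Require TLS 1.2 on storage accounts'
    policyDefinitionId: tlsPolicy.id
    enforcementMode: 'Default'             // 'DoNotEnforce' evaluates but never blocks
    parameters: {
      effect: {
        value: effect
      }
    }
  }
}
```

With `Deny`, a non-compliant storage account deployment is rejected at ARM before any resource exists; with `Audit`, it is created and flagged in the compliance view, which is the safer first step on a subscription that already has legacy accounts.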

### Cost Management

**Optimization Strategies:**

| Pattern | Savings | Use Case |
|---------|---------|----------|
| **Reserved Instances (1-year)** | 40-50% | Steady-state workloads (databases, VMs) |
| **Reserved Instances (3-year)** | 60-70% | Long-term commitments |
| **Spot VMs** | Up to 90% | Fault-tolerant batch processing |
| **Auto-shutdown** | Variable | Dev/test resources (off-hours) |
| **Storage lifecycle policies** | 50-90% | Move to Cool/Archive tiers |

**Monitoring:**
- Set budgets and alerts in Azure Cost Management
- Review Azure Advisor cost recommendations weekly
- Tag resources for cost allocation
- Use FinOps Toolkit for Power BI dashboards

Reference `references/governance-compliance.md` for Azure Landing Zones, Policy definitions, and Blueprints.

## Infrastructure as Code

### Tool Selection

| Tool | Best For | Azure Integration | Multi-Cloud |
|------|----------|-------------------|-------------|
| **Bicep** | Azure-native projects | Excellent (official) | No |
| **Terraform** | Multi-cloud environments | Good (azurerm provider) | Yes |
| **Pulumi** | Developer-first approach | Good (native SDK) | Yes |
| **Azure CLI** | Scripts and automation | Excellent | No |

**Recommendation:**
- Use **Bicep** for Azure-only infrastructure (best Azure integration, native type safety)
- Use **Terraform** for multi-cloud or existing Terraform shops
- Use **Azure CLI** for quick scripts and CI/CD automation

### Bicep Best Practices

- Use parameter files for environment-specific values
- Leverage Azure Verified Modules (AVM) for tested patterns
- Organize by resource lifecycle (networking, data, compute)
- Use symbolic names (not string interpolation)
- Enable linting and validation in CI/CD

Reference Bicep and Terraform examples in `examples/bicep/` and `examples/terraform/` directories.

## Security Best Practices

### Essential Security Controls

| Control | Implementation | Priority |
|---------|---------------|----------|
| **Managed Identity** | Enable on all compute resources | Critical |
| **Private Endpoints** | All PaaS services in production | Critical |
| **Key Vault** | Store secrets, keys, certificates | Critical |
| **Network Segmentation** | NSGs, application security groups | High |
| **Microsoft Defender** | Enable for all resource types | High |
| **Azure Policy** | Preventive controls | High |
| **Just-In-Time Access** | VMs and privileged access | Medium |

### Defense-in-Depth Layers

1. **Network:** Private Endpoints, NSGs, Azure Firewall
2. **Identity:** Entra ID, Managed Identity, Conditional Access
3. **Application:** Web Application Firewall, API Management
4. **Data:** Encryption at rest, encryption in transit (TLS 1.2+)
5. **Monitoring:** Microsoft Defender, Azure Monitor, Sentinel

Reference `references/security-architecture.md` (see also `security-hardening` and `auth-security` skills).

## Cost Estimation

### Pricing Considerations

**Compute:**
- Container Apps: ~$60/month (1 vCPU, 2GB RAM, 24/7)
- AKS: ~$400/month (3-node D4s_v5 cluster)
- App Service P1v3: ~$145/month (2 vCPU, 8GB RAM)
- Functions Consumption: ~$0.20 per 1M executions

**Storage:**
- Blob Hot: $0.018/GB/month
- Blob Cool: $0.010/GB/month
- Blob Archive: $0.00099/GB/month
- Managed Disks Premium SSD: $0.15/GB/month

**Database:**
- Azure SQL Database (2 vCores): ~$280/month
- Cosmos DB Serverless: Pay per RU consumed
- PostgreSQL Flexible (2 vCores): ~$125/month

**Use Azure Pricing Calculator:** https://azure.microsoft.com/pricing/calculator/

## Quick Reference Tables

### Compute Service Decision Matrix

| If You Need... | Choose |
|----------------|--------|
| Kubernetes features (CRDs, operators) | Azure Kubernetes Service |
| Microservices without K8s complexity | Azure Container Apps |
| Event-driven functions (<10 min) | Azure Functions |
| Traditional web app (Node, .NET, Python) | Azure App Service |
| Batch processing, HPC | Azure Batch or VM Scale Sets |
| Legacy application migration | Virtual Machines |

### Storage Service Decision Matrix

| If You Need... | Choose |
|----------------|--------|
| SMB file shares | Azure Files |
| NFS file shares | Azure Files (NFS 4.1) |
| Object storage (images, backups) | Blob Storage |
| High-performance file storage | Azure NetApp Files |
| Block storage for VMs | Managed Disks |
| Big data analytics | Data Lake Storage Gen2 |

### Database Service Decision Matrix

| If You Need... | Choose |
|----------------|--------|
| SQL Server features (T-SQL, SQL Agent) | Azure SQL Database or Managed Instance |
| PostgreSQL | PostgreSQL Flexible Server |
| MySQL | MySQL Flexible Server |
| Global distribution, multi-model | Cosmos DB |
| In-memory cache | Azure Cache for Redis |
| Graph database | Cosmos DB (Gremlin API) |
| Time-series data | Azure Data Explorer |

## Integration with Other Skills

- **infrastructure-as-code:** Implement Azure patterns using Bicep or Terraform
- **kubernetes-operations:** AKS-specific configuration and operations
- **deploying-applications:** Container Apps and App Service deployment
- **building-ci-pipelines:** Azure DevOps and GitHub Actions integration
- **auth-security:** Entra ID authentication and authorization patterns
- **observability:** Azure Monitor and Application Insights
- **ai-chat:** Azure OpenAI Service for chat applications
- **databases-nosql:** Cosmos DB implementation details
- **secret-management:** Azure Key Vault integration patterns

## Reference Documentation

For detailed implementation guidance, see:

- **`references/compute-services.md`** - Container Apps, AKS, Functions, App Service with Bicep/Terraform
- **`references/storage-patterns.md`** - Blob Storage, Files, Disks, lifecycle management
- **`references/database-selection.md`** - SQL Database, Cosmos DB, PostgreSQL patterns
- **`references/ai-integration.md`** - Azure OpenAI, RAG architecture, function calling
- **`references/messaging-patterns.md`** - Service Bus, Event Grid, Event Hubs examples
- **`references/networking-architecture.md`** - Hub-spoke, Private Endpoints, DNS configuration
- **`references/identity-access.md`** - Entra ID, Managed Identity, RBAC
- **`references/governance-compliance.md`** - Azure Policy, Landing Zones, cost optimization
- **`references/well-architected.md`** - Five pillars implementation guide

## Code Examples

Working examples available in:

- **`examples/bicep/`** - Infrastructure templates (Container Apps, AKS, networking, databases)
- **`examples/terraform/`** - Multi-cloud IaC examples
- **`examples/sdk/python/`** - Python SDK integration (OpenAI, Managed Identity, messaging)
- **`examples/sdk/typescript/`** - TypeScript SDK examples

## Additional Resources

- Azure Architecture Center: https://learn.microsoft.com/azure/architecture/
- Azure Well-Architected Framework: https://learn.microsoft.com/azure/well-architected/
- Azure Verified Modules: https://aka.ms/avm
- Azure Charts (Service Comparison): https://azurecharts.com/
- Azure Updates: https://azure.microsoft.com/updates/
