Cloud Provider Notes
Azure Platform Notes
Use these notes to translate the blue book patterns into common Azure services. Azure platform work often centers on subscription structure, Entra ID, networking, policy, and integration with Microsoft tooling.
Common service mapping
| Capability | Common Azure services |
|---|---|
| Landing zone | Azure Landing Zones, Management Groups |
| Identity | Entra ID, Managed Identity, Privileged Identity Management |
| Networking | Virtual Network, Private Link, DNS, Application Gateway |
| Containers | AKS, Container Apps, ACR |
| PaaS | App Service, Functions |
| Data | Azure SQL, Cosmos DB, Storage, Synapse, Fabric |
| Secrets and keys | Key Vault, Managed HSM |
| Observability | Azure Monitor, Log Analytics, Application Insights |
| Security | Defender for Cloud, Sentinel, Policy, Activity Logs |
Baseline practices
- Use management groups and subscriptions for isolation and governance.
- Use Azure Policy for guardrails and evidence where practical.
- Use managed identities instead of client secrets.
- Centralize logs through Azure Monitor and Log Analytics.
- Use Private Link for sensitive managed-service connectivity.
- Define region, naming, tagging, and resource group standards.
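The following Bicep template is an added example, not part of the original notes, showing several of the baseline practices together: a web app that reaches Key Vault through a system-assigned managed identity instead of a client secret, RBAC scoped to a single vault, public access to the vault disabled in favour of a private endpoint, and vault audit logs sent to a central Log Analytics workspace. Parameter names, tag keys, and the `KEY_VAULT_URI` app setting are assumptions; the role definition id is the built-in Key Vault Secrets User role and should be confirmed in your tenant before use.

```bicep
// Added example: managed identity + RBAC + Private Link + central logging for one app.
// Parameter names, tag keys and the app setting name are assumptions for this example.
targetScope = 'resourceGroup'

param appName string
param location string = resourceGroup().location
param privateEndpointSubnetId string   // subnet reserved for private endpoints
param logAnalyticsWorkspaceId string   // central workspace (see "Centralize logs")
param tags object = {
  owner: 'platform-team'               // assumed tag keys; align with your tagging standard
  env: 'prod'
}

// Built-in "Key Vault Secrets User" role. Verify the id with
// `az role definition list --name "Key Vault Secrets User"` before relying on it.
var kvSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${appName}-plan'
  location: location
  tags: tags
  kind: 'linux'
  sku: { name: 'P1v3', tier: 'PremiumV3' }
  properties: { reserved: true }
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  tags: tags
  identity: { type: 'SystemAssigned' }   // no client secret to store, leak or rotate
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      appSettings: [
        // Only the vault URI is configured; secrets are fetched at runtime via the identity.
        { name: 'KEY_VAULT_URI', value: kv.properties.vaultUri }
      ]
    }
  }
}

resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: '${appName}-kv'                  // must be globally unique, 3-24 characters
  location: location
  tags: tags
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true        // role assignments, not legacy access policies
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'      // reachable only through the private endpoint
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}

// Least privilege: the app's identity can read secrets in this vault and nothing else.
resource kvSecretsRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, app.id, kvSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvSecretsUserRoleId)
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

resource kvPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${appName}-kv-pe'
  location: location
  tags: tags
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'vault'
        properties: { privateLinkServiceId: kv.id, groupIds: [ 'vault' ] }
      }
    ]
  }
}

// Vault audit events go to the central workspace so secret access is reviewable.
resource kvDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'central-log-analytics'
  scope: kv
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { categoryGroup: 'audit', enabled: true } ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters appName=<name> privateEndpointSubnetId=<id> logAnalyticsWorkspaceId=<id>`. The template deliberately omits the `privatelink.vaultcore.azure.net` private DNS zone and its link to the virtual network; that zone is usually owned centrally by the landing zone, which is exactly the ownership question raised under Watchouts.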
Runtime guidance
- Use App Service for conventional web apps and APIs.
- Use Azure Container Apps for managed container workloads that do not require AKS.
- Use AKS when Kubernetes platform requirements justify cluster operations.
- Use Functions for event-driven workloads with clear retry and idempotency behavior.
Watchouts
- Subscription and resource group ownership must be explicit.
- Role assignments can sprawl without access review.
- Private DNS and Private Link require careful operational ownership.
- Policy exemptions need owners and expiry dates.
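As an added example (not from the original notes) of the last two watchouts, the Bicep below assigns the built-in "Require a tag on resources" policy as a guardrail and then records a waiver for one resource group that carries an accountable owner, a change reference, and an `expiresOn` date after which the exemption stops applying. The parameter and metadata key names are assumptions; the policy definition id is the built-in one and should be confirmed in your tenant.

```bicep
// Added example: tag guardrail plus a time-boxed, owned policy exemption.
// Confirm the built-in definition id in your tenant with
// `az policy definition list --query "[?displayName=='Require a tag on resources'].name"`.
targetScope = 'resourceGroup'

param requiredTag string = 'owner'    // assumed tag name enforced by the guardrail
param exemptionOwner string           // person or team accountable for the waiver
param exemptionExpiresOn string       // ISO 8601, e.g. '2025-12-31T00:00:00Z'
param changeTicket string             // reference to the approval record (assumed key)

var requireTagDefinitionId = tenantResourceId(
  'Microsoft.Authorization/policyDefinitions',
  '871b6d14-10aa-478d-b590-94f262ecfa99'
)

resource requireTag 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-${requiredTag}-tag'
  properties: {
    displayName: 'Require ${requiredTag} tag on resources'
    policyDefinitionId: requireTagDefinitionId
    parameters: { tagName: { value: requiredTag } }
    enforcementMode: 'Default'        // deny, not just audit
  }
}

// A waiver is only acceptable with a named owner and an end date. Without
// expiresOn the exemption is open-ended and silently outlives the reason for it.
resource legacyWaiver 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'legacy-app-${requiredTag}-tag-waiver'
  properties: {
    policyAssignmentId: requireTag.id
    exemptionCategory: 'Waiver'
    expiresOn: exemptionExpiresOn
    displayName: 'Legacy app: ${requiredTag} tag waiver'
    description: 'Legacy workload cannot be retagged until migration; see ${changeTicket}.'
    metadata: {
      owner: exemptionOwner
      ticket: changeTicket
    }
  }
}
```

Deploy the exemption at the narrowest scope that actually needs it (a dedicated resource group here, or a single resource), not at the same management group as the assignment. Exemptions with no `expiresOn` or no `owner` metadata are easy to list with `az policy exemption list` and are the first thing an access or policy review should flag.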