Azure Architecture Patterns
Version: 1.1.0 | Updated: 2026-07-16
Purpose
Define the production components, control paths, state boundaries, and failure containment for subscription workload, Bicep module, managed identity, private endpoint, or release pipeline.
Why
Infrastructure is declarative; identities are credentialless and least-privilege; private connectivity, policy, diagnostics, and cost ownership are explicit. The diagram models actual Azure platform elements so reviewers can identify ownership and unsafe coupling.
How
Required boundaries
- Landing zones own tenant, subscription, policy, network, logging, and budget controls.
- Workloads receive managed identities and data-plane roles at the narrowest resource scope.
- Private endpoints and DNS links are deployed as one connectivity contract.
- Bicep modules expose stable inputs/outputs and pin explicit API versions.
- Safe deployment uses rings, health signals, and deployment history.
Operational evidence
- Bicep/ARM source, parameter provenance, compiled template, and What-If result
- tenant, subscription, resource-group, principal object ID, role assignments, deny assignments, and policy state
- private endpoint, subnet, route, NSG, private DNS zone links, and caller-side DNS resolution
- Activity Log, resource diagnostics, platform metrics, Service Health, quota, and cost data
Rollback path
Reapply the last approved Bicep/parameter artifact or route traffic to the prior deployment slot; never delete stateful resources to force convergence, and restore access changes through reviewed RBAC/policy state.
Version-aware caution
Capture Azure CLI/Bicep versions, resource-provider API versions, and service SKU/region capabilities. ARM API and managed-service features vary by API version, cloud, region, and SKU; a portal screenshot is not a reproducible contract.
Tradeoffs
The architecture introduces explicit Azure boundaries and operational artifacts that require ownership. In return, failures in management-plane authorization or policy denial, ARM/Bicep dependency or API-version deployment failure, managed identity token/role mismatch, private DNS, route, NSG, or endpoint failure, throttling, quota, regional capacity, or service degradation become observable and containable.
Anti-patterns
- Portal-authored production resources create configuration that cannot be reviewed, reproduced, or safely rolled back.
- Do not remove a native warning, validator, policy, or safety limit merely to make generated output pass.
- Do not claim a successful result without preserving the command, target, artifact/revision, and observed output.
Enterprise considerations
Azure governance maps management groups to policy initiatives, centralizes Activity Logs and diagnostics, time-bounds exemptions, and records data residency and cost ownership.
Official sources
Checklist
- Landing zones own tenant, subscription, policy, network, logging, and budget controls.
- Workloads receive managed identities and data-plane roles at the narrowest resource scope.
- Private endpoints and DNS links are deployed as one connectivity contract.
- Bicep modules expose stable inputs/outputs and pin explicit API versions.
- Safe deployment uses rings, health signals, and deployment history.
- Diagram matches deployed topology rather than an aspirational target.
- Rollback path preserves state and mixed-version contracts.
Changelog
- 1.1.0 (2026-07-16): Replaced generic adapter diagram with native Azure architecture.
- 1.0.0 (2026-07-16): Added initial pattern.