back
loading skill details...
Design Azure architectures for startups and enterprises. Use when asked to design Azure infrastructure, create Bicep/ARM templates, optimize Azure costs, set…
Azure Cloud Architect
Design scalable, cost-effective Azure architectures for startups and enterprises with Bicep infrastructure-as-code templates.
Workflow
Step 1: Gather Requirements
Collect application specifications:
- Application type (web app, mobile backend, data pipeline, SaaS, microservices)
- Expected users and requests per second
- Budget constraints (monthly spend limit)
- Team size and Azure experience level
- Compliance requirements (GDPR, HIPAA, SOC 2, ISO 27001)
- Availability requirements (SLA, RPO/RTO)
- Region preferences (data residency, latency)
Step 2: Design Architecture
Run the architecture designer to get pattern recommendations:
python scripts/architecture_designer.py \
--app-type web_app \
--users 10000 \
--requirements '{"budget_monthly_usd": 500, "compliance": ["SOC2"]}'
Example output:
{
"recommended_pattern": "app_service_web",
"service_stack": ["App Service", "Azure SQL", "Front Door", "Key Vault", "Entra ID"],
"estimated_monthly_cost_usd": 280,
"pros": ["Managed platform", "Built-in autoscale", "Deployment slots"],
"cons": ["Less control than VMs", "Platform constraints", "Cold start on consumption plans"]
}
Select from recommended patterns:
App Service Web: Front Door + App Service + Azure SQL + Redis Cache
Microservices on AKS: AKS + Service Bus + Cosmos DB + API Management
Serverless Event-Driven: Functions + Event Grid + Service Bus + Cosmos DB
Data Pipeline: Data Factory + Synapse Analytics + Data Lake Storage + Event Hubs
See references/architecture_patterns.md for detailed pattern specifications.
Validation checkpoint: Confirm the recommended pattern matches the team's operational maturity and compliance requirements before proceeding to Step 3.
Step 3: Generate IaC Templates
Create infrastructure-as-code for the selected pattern:
# Web app stack (Bicep)
python scripts/bicep_generator.py --arch-type web-app --output main.bicep
Example Bicep output (core web app resources):
@description('The environment name')
param environment string = 'dev'
@description('The Azure region for resources')
param location string = resourceGroup().location
@description('The application name')
param appName string = 'myapp'
// App Service Plan
resource appServicePlan 'Microsoft.Web/serverfarms@2023-01-01' = {
name: '${environment}-${appName}-plan'
location: location
sku: {
name: 'P1v3'
tier: 'PremiumV3'
capacity: 1
}
properties: {
reserved: true // Linux
}
}
// App Service
resource appService 'Microsoft.Web/sites@2023-01-01' = {
name: '${environment}-${appName}-web'
location: location
properties: {
serverFarmId: appServicePlan.id
httpsOnly: true
siteConfig: {
linuxFxVersion: 'NODE|20-lts'
minTlsVersion: '1.2'
ftpsState: 'Disabled'
alwaysOn: true
}
}
identity: {
type: 'SystemAssigned'
}
}
// Azure SQL Database
resource sqlServer 'Microsoft.Sql/servers@2023-05-01-preview' = {
name: '${environment}-${appName}-sql'
location: location
properties: {
administrators: {
azureADOnlyAuthentication: true
}
minimalTlsVersion: '1.2'
}
}
resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-05-01-preview' = {
parent: sqlServer
name: '${appName}-db'
location: location
sku: {
name: 'GP_S_Gen5_2'
tier: 'GeneralPurpose'
}
properties: {
autoPauseDelay: 60
minCapacity: json('0.5')
}
}
Full templates including Front Door, Key Vault, Managed Identity, and monitoring are generated by bicep_generator.py and also available in references/architecture_patterns.md.
Bicep is the recommended IaC language for Azure. Prefer Bicep over ARM JSON templates: Bicep compiles to ARM JSON, has cleaner syntax, supports modules, and is first-party supported by Microsoft.
Step 4: Review Costs
Analyze estimated costs and optimization opportunities:
python scripts/cost_optimizer.py \
--config current_resources.json \
--json
Example output:
{
"current_monthly_usd": 2000,
"recommendations": [
{ "action": "Right-size SQL Database GP_S_Gen5_8 to GP_S_Gen5_2", "savings_usd": 380, "priority": "high" },
{ "action": "Purchase 1-year Reserved Instances for AKS node pools", "savings_usd": 290, "priority": "high" },
{ "action": "Move Blob Storage to Cool tier for objects >30 days old", "savings_usd": 65, "priority": "medium" }
],
"total_potential_savings_usd": 735
}
Output includes:
Monthly cost breakdown by service
Right-sizing recommendations
Reserved Instance and Savings Plan opportunities
Potential monthly savings
Step 5: Configure CI/CD
Set up Azure DevOps Pipelines or GitHub Actions with Azure:
# GitHub Actions — deploy Bicep to Azure
name: Deploy Infrastructure
on:
push:
branches: [main]
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- uses: azure/arm-deploy@v2
with:
resourceGroupName: rg-myapp-dev
template: ./infra/main.bicep
parameters: environment=dev
# Azure DevOps Pipeline
trigger:
branches:
include:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- task: AzureCLI@2
inputs:
azureSubscription: 'MyServiceConnection'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
az deployment group create \
--resource-group rg-myapp-dev \
--template-file infra/main.bicep \
--parameters environment=dev
Step 6: Security Review
Validate security posture before production:
Identity: Entra ID (Azure AD) with RBAC, Managed Identity for service-to-service auth — never store credentials in code
Secrets: Key Vault for all secrets, certificates, and connection strings
Network: NSGs on all subnets, Private Endpoints for PaaS services, Application Gateway with WAF
Encryption: TLS 1.2+ in transit, Azure-managed or customer-managed keys at rest
Monitoring: Microsoft Defender for Cloud enabled, Azure Policy for guardrails
Compliance: Azure Policy assignments for SOC 2 / HIPAA / ISO 27001 initiatives
If deployment fails:
Check the deployment status:
az deployment group show \
--resource-group rg-myapp-dev \
--name main \
--query 'properties.error'
Review Activity Log for RBAC or policy errors.
Validate the Bicep template before deploying:
az bicep build --file main.bicep
az deployment group validate \
--resource-group rg-myapp-dev \
--template-file main.bicep
Common failure causes:
RBAC permission errors — verify the deploying principal has Contributor on the resource group
Resource provider not registered — run az provider register --namespace Microsoft.Web
Naming conflicts — Azure resource names are often globally unique (storage accounts, web apps)
Quota exceeded — request quota increase via Azure Portal > Subscriptions > Usage + quotas
Tools
architecture_designer.py
Generates architecture pattern recommendations based on requirements.
python scripts/architecture_designer.py \
--app-type web_app \
--users 50000 \
--requirements '{"budget_monthly_usd": 1000, "compliance": ["HIPAA"]}' \
--json
Input: Application type, expected users, JSON requirements
Output: Recommended pattern, service stack, cost estimate, pros/cons
cost_optimizer.py
Analyzes Azure resource configurations for cost savings.
python scripts/cost_optimizer.py --config resources.json --json
Input: JSON file with current Azure resource inventory
Output: Recommendations for:
Idle resource removal
VM and database right-sizing
Reserved Instance purchases
Storage tier transitions
Unused public IPs and load balancers
bicep_generator.py
Generates Bicep template scaffolds from architecture type.
python scripts/bicep_generator.py --arch-type microservices --output main.bicep
Output: Production-ready Bicep templates with:
Managed Identity (no passwords)
Key Vault integration
Diagnostic settings for Azure Monitor
Network security groups
Tags for cost allocation
Quick Start
Web App Architecture (< $100/month)
Ask: "Design an Azure web app for a startup with 5000 users"
Result:
- App Service (B1 Linux) for the application
- Azure SQL Serverless for relational data
- Azure Blob Storage for static assets
- Front Door (free tier) for CDN and routing
- Key Vault for secrets
- Estimated: $40-80/month
Microservices on AKS ($500-2000/month)
Ask: "Design a microservices architecture on Azure for a SaaS platform with 50k users"
Result:
- AKS cluster with 3 node pools (system, app, jobs)
- API Management for gateway and rate limiting
- Cosmos DB for multi-model data
- Service Bus for async messaging
- Azure Monitor + Application Insights for observability
- Multi-zone deployment
Serverless Event-Driven (< $200/month)
Ask: "Design an event-driven backend for processing orders"
Result:
- Azure Functions (Consumption plan) for compute
- Event Grid for event routing
- Service Bus for reliable messaging
- Cosmos DB for order data
- Application Insights for monitoring
- Estimated: $30-150/month depending on volume
Data Pipeline ($300-1500/month)
Ask: "Design a data pipeline for ingesting 10M events/day"
Result:
- Event Hubs for ingestion
- Stream Analytics or Functions for processing
- Data Lake Storage Gen2 for raw data
- Synapse Analytics for warehouse
- Power BI for dashboards
Input Requirements
Provide these details for architecture design:
Requirement
Description
Example
Application type
What you're building
SaaS platform, mobile backend
Expected scale
Users, requests/sec
10k users, 100 RPS
Budget
Monthly Azure limit
$500/month max
Team context
Size, Azure experience
3 devs, intermediate
Compliance
Regulatory needs
HIPAA, GDPR, SOC 2
Availability
Uptime requirements
99.9% SLA, 1hr RPO
JSON Format:
{
"application_type": "saas_platform",
"expected_users": 10000,
"requests_per_second": 100,
"budget_monthly_usd": 500,
"team_size": 3,
"azure_experience": "intermediate",
"compliance": ["SOC2"],
"availability_sla": "99.9%"
}
Anti-Patterns
Anti-Pattern
Why It Fails
Do This Instead
ARM JSON templates for new projects
Verbose, hard to read, no modules
Use Bicep — compiles to ARM, cleaner syntax
Storing secrets in App Settings
Secrets visible in portal, no rotation
Use Key Vault references in App Settings
Single large AKS node pool
Cannot optimize for different workloads
Use multiple node pools: system, app, jobs
Public endpoints on PaaS services
Exposed attack surface
Use Private Endpoints + VNet integration
Over-provisioning "just in case"
Wastes budget month one
Start small, use autoscale, right-size monthly
Shared resource groups for everything
Blast radius, RBAC nightmares
One resource group per environment per workload
No tagging strategy
Cannot track costs or ownership
Tag: environment, owner, cost-center, app-name
Using classic resources
Deprecated, limited features
Use ARM/Bicep resources exclusively
Output Formats
Architecture Design
Pattern recommendation with rationale
Service stack diagram (ASCII)
Monthly cost estimate and trade-offs
IaC Templates
Bicep: Recommended — first-party, module support, clean syntax
ARM JSON: Generated from Bicep when needed
Terraform HCL: Multi-cloud compatible using azurerm provider
Cost Analysis
Current spend breakdown with optimization recommendations
Priority action list (high/medium/low) and implementation checklist
Cross-References
Skill
Relationship
engineering-team/aws-solution-architect
AWS equivalent — same 6-step workflow, different services
engineering-team/gcp-cloud-architect
GCP equivalent — completes the cloud trifecta
engineering-team/senior-devops
Broader DevOps scope — pipelines, monitoring, containerization
engineering/terraform-patterns
IaC implementation — use for Terraform modules targeting Azure
engineering/ci-cd-pipeline-builder
Pipeline construction — automates Azure DevOps and GitHub Actions
Reference Documentation
Document
Contents
references/architecture_patterns.md
5 patterns: web app, microservices/AKS, serverless, data pipeline, multi-region
references/service_selection.md
Decision matrices for compute, database, storage, messaging, networking
references/best_practices.md
Naming conventions, tagging, RBAC, network security, monitoring, DRdon't have the plugin yet? install it then click "run inline in claude" again.