Microsoft Azure Cloud Platform: Architectural Overview and Governance Framework
Azure Global Infrastructure (Regions and Availability Zones)
Azure’s cloud platform is built on a worldwide network of datacenter regions. Each Azure region is a geographic area containing one or more datacenters, with Azure operating in over 60 regions globally to meet customer needs and data residency requirements [1]. To enhance resilience within a region, Azure offers Availability Zones – physically separate datacenter locations with independent power, cooling, and networking. Each zone in a region is isolated from failures in other zones, so deploying resources across multiple zones provides high availability and fault tolerance [2]. For example, critical applications can be distributed across zones such that even if one datacenter goes down, the application remains available in another zone. Azure also pairs certain regions together (region pairs) for disaster recovery, ensuring that updates roll out to one region at a time and that at least one region in each pair is prioritized for recovery in the event of a widespread outage.
Azure’s global infrastructure design allows customers to choose where to deploy their data and services for optimal performance and compliance. You control the region in which your data resides, helping address regulatory requirements (e.g. keeping EU data in EU regions for GDPR) [3]. No matter which region you select, Azure’s backbone network interconnects all regions with high-speed links, enabling reliable cross-region replication and backup. This global footprint, combined with availability zones, underpins the flexibility, scalability, and high availability of Azure’s core services [4][2].
Azure Compute Services
Azure provides a broad range of compute options to run applications, from virtual machines to
serverless functions. These compute services are designed to be scalable on demand and to support
various workload types:
• Azure Virtual Machines (VMs): On-demand, scalable infrastructure-as-a-service (IaaS) VMs that let you deploy Windows or Linux operating systems in the cloud. You can choose VM sizes (CPU, memory, storage) to suit your workload, and configure high availability (e.g. by using availability sets or zones) to ensure resiliency [5]. VMs give full control over the OS and are ideal for migrating legacy applications or running custom software.
• Azure App Service: A fully managed platform-as-a-service for hosting web applications, REST APIs, and mobile backends. With App Service, you can deploy web apps using languages like .NET, Java, Python, Node.js, or PHP without managing the underlying server infrastructure [6]. The service automatically handles load balancing, autoscaling, and patches, enabling developers to focus on app code. It’s well-suited for modern cloud web apps that need to scale on demand.
• Azure Kubernetes Service (AKS): A fully managed Kubernetes orchestration service for running and managing containerized applications. AKS simplifies deploying and scaling clusters for containers, handling the Kubernetes control plane and integrations. It supports automatic scaling, updates, and monitoring of containers, allowing you to run microservices or portability-focused workloads with ease [7]. This service is ideal when you need container orchestration without the overhead of managing Kubernetes masters yourself.
• Azure Functions: A serverless compute service where you can execute code in response to events or triggers without provisioning any servers. With Azure Functions, you write discrete pieces of code (functions) and the platform automatically runs them on-demand, scaling out as needed and charging only for execution time. This is ideal for event-driven architectures, background jobs, or integrations – you can, for example, run a piece of code when a new message arrives in a queue or a timer triggers, without ever managing an underlying VM [8]. Serverless functions provide high scalability and cost efficiency for intermittent workloads.
In addition to the above, Azure also offers services like Azure Batch (for large-scale parallel and high-
performance computing tasks), Azure Service Fabric (microservices platform), and Azure Container
Instances (running containers without orchestration). These compute components collectively give
architects the flexibility to choose the appropriate model (VMs, managed app platform, containers, or
serverless) for each part of an application, all integrated with Azure’s networking, storage, and identity
systems for a cohesive solution.
Azure Storage Services
Storing and managing data is a core part of Azure’s platform. Azure provides multiple storage services
optimized for different data types and usage scenarios, all of which are highly durable (with multiple
replicas of data) and scalable:
• Azure Blob Storage: An object storage service for unstructured data such as documents, images, videos, backups, and log files. Blob storage is highly scalable and ideal for storing massive amounts of data that doesn’t conform to a fixed schema [9]. For example, it’s often used to hold data lakes or media files, and supports tiers (hot, cool, archive) to balance access speed and cost.
• Azure Disk Storage: Durable block storage volumes for use with Azure VMs. Disk storage provides persistent, low-latency disk volumes (SSD or HDD) that you attach to virtual machines, functioning like hard drives in the cloud [10]. Disks come in various performance tiers (Standard HDD, Standard SSD, Premium SSD, Ultra SSD) to meet needs from dev/test workloads up to high-IOPS enterprise databases.
• Azure Files: Managed file shares in the cloud, accessible via the SMB (Server Message Block) protocol or NFS. Azure Files allows you to migrate legacy applications that use traditional file shares, or to provide shared storage accessible by multiple VMs and on-premises systems (via secure VPN/ExpressRoute). It offers features like snapshot backups and Azure File Sync for caching files on-premises. Essentially, Azure Files provides fully managed network file shares that can be mounted by Windows, Linux, and macOS clients [10].
• Azure Queue Storage: A simple message queue service for decoupling components of cloud applications. Queue storage lets you store a large number of messages that can be accessed reliably by other services asynchronously [10]. It’s often used to enable communication between distributed application components – for example, a web front-end can post work items to a queue, and a background worker role can process them at its own pace. This improves resiliency and load leveling in cloud apps.
Azure Storage services automatically encrypt data at rest using 256-bit AES encryption (with the option for customer-managed keys via Azure Key Vault), and replicate data to protect against hardware failures. They can also be geo-redundant (spreading copies across multiple regions) if desired. Beyond the above, Azure provides specialized data services like Azure Table Storage (NoSQL key-value store) and Azure Data Lake Storage (for big data analytics scenarios), as well as a range of database services (Azure SQL Database, Azure Cosmos DB, etc.) which complement the core storage offerings.
Azure Networking
Networking in Azure enables you to build isolated, secure, and well-connected environments for your
applications. At the foundation is Azure Virtual Network (VNet), which is analogous to a private
network in the cloud. A VNet allows you to define address ranges, subnets, route tables, and network
gateways, effectively giving you control over your own network topology within Azure. All Azure
resources (VMs, Azure SQL, functions with VNet integration, etc.) can communicate securely within a
VNet as if on a private LAN. VNets can also be linked with on-premises networks, enabling true hybrid
cloud scenarios.
Key Azure networking components include:
• Azure Virtual Network (VNet): An isolated network environment in Azure where you can run your resources. You define IP address spaces and subnets, and Azure automatically routes traffic between resources in the same VNet. VNets support peering (connecting VNets together) and can be extended to on-premises via VPN or ExpressRoute. They form the backbone of any Azure deployment’s network security boundary [11].
• Network Security Groups (NSGs): These are virtual firewall policies for controlling traffic at the subnet or NIC level. NSGs contain security rules that allow or deny inbound or outbound traffic based on source/destination IP, port, and protocol. By associating NSGs with subnets or individual VM network interfaces, you can enforce granular traffic filtering and segmentation (for example, allowing web traffic to a web subnet but blocking it from a database subnet) [12][13]. NSGs are an important part of Azure’s zero trust network strategy, acting as distributed firewall rules within your VNet.
• Load Balancers &amp; Application Gateway: Azure offers Layer-4 load balancing via Azure Load Balancer to distribute incoming traffic across multiple VMs or services for high availability. It supports TCP/UDP load balancing and health probes. For more advanced Layer-7 traffic management, Azure Application Gateway provides load balancing with SSL termination and a web application firewall (WAF) for protecting HTTP/HTTPS traffic [14]. Application Gateway can route requests based on URL paths or host headers to different backend pools, enabling scenarios like blue/green deployments or microservices-based routing. These services ensure your applications can scale out and remain resilient under load.
• Azure ExpressRoute: A private, dedicated connection from your on-premises datacenter or office to Azure, not traversing the public Internet. ExpressRoute links your network to Azure via an MPLS or exchange provider, offering higher reliability and lower latency for consistent enterprise-grade connectivity. It’s commonly used for scenarios with strict network requirements or large data transfer needs, and it bypasses exposure to Internet risks by extending your corporate WAN into Azure [15]. (Alternatively, Azure also supports site-to-site VPN gateways over the Internet for encrypted tunnels to VNets, which is simpler but goes over the public network.)
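The NSG segmentation described above (web traffic admitted to the web subnet, the database subnet reachable only from the web tier) can be reasoned about offline before anything is deployed. What follows is an added example, not code from this overview or from Microsoft: a small Python model of NSG rule evaluation. The rule semantics are Azure's documented behaviour (rules evaluated in ascending priority order, first match decides, platform default rules at priority 65000 and above sit behind every user rule); the address plan, rule names and traffic samples are constructed for the demo, and only the inbound direction is modelled. It also shows the check a reviewer would want: because the default AllowVnetInBound rule permits any traffic between addresses inside the VNet, a database NSG that only adds an Allow rule has not actually blocked the other subnets; an explicit Deny is needed.

```python
"""Added example: offline model of Azure NSG inbound rule evaluation.

Semantics follow Azure's documented behaviour (ascending priority, first
match wins, default rules at 65000+).  Addresses, rule names and flows
are constructed for this demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed address plan for the demo VNet.
VNET = "10.0.0.0/16"
WEB_SUBNET = "10.0.1.0/24"
DB_SUBNET = "10.0.2.0/24"
AZURE_LB_PROBE_IP = "168.63.129.16"   # source address of Azure LB health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096 for user rules; platform defaults use 65000+
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR, or one of the service tags modelled below
    dest: str         # CIDR or service tag
    port: str         # destination port: "443", "1000-2000" or "*"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def _addr_match(spec: str, ip: str) -> bool:
    """Match an address against a CIDR or one of the service tags modelled here."""
    if spec == "*":
        return True
    addr = ip_address(ip)
    if spec == "VirtualNetwork":
        return addr in ip_network(VNET)
    if spec == "Internet":
        # Demo simplification: anything outside the VNet counts as Internet.
        return addr not in ip_network(VNET)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return addr in ip_network(spec)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


# Azure's default inbound rules.  AllowVnetInBound permits any traffic between
# addresses inside the VNet unless a user rule with a lower priority denies it.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def decide(nsg: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(nsg + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", flow.protocol)
                and _addr_match(rule.source, flow.src_ip)
                and _addr_match(rule.dest, flow.dst_ip)
                and _port_match(rule.port, flow.dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Web tier: only HTTPS from the Internet is opened explicitly.
WEB_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", WEB_SUBNET, "443"),
]

# Database tier: SQL from the web subnet only.  The explicit Deny at 200 is
# what segments the tier; without it the default AllowVnetInBound rule lets
# every other subnet in the VNet reach port 1433.
DB_NSG_NAIVE = [
    Rule("AllowSqlFromWeb", 100, "Allow", "Tcp", WEB_SUBNET, DB_SUBNET, "1433"),
]
DB_NSG = DB_NSG_NAIVE + [
    Rule("DenyVnetToDb", 200, "Deny", "*", "VirtualNetwork", DB_SUBNET, "*"),
]

# Constructed traffic samples.
INTERNET_TO_WEB_443 = Flow("203.0.113.7", "10.0.1.10", "Tcp", 443)
INTERNET_TO_WEB_22 = Flow("203.0.113.7", "10.0.1.10", "Tcp", 22)
INTERNET_TO_DB = Flow("203.0.113.7", "10.0.2.10", "Tcp", 1433)
WEB_TO_DB = Flow("10.0.1.10", "10.0.2.10", "Tcp", 1433)
OTHER_SUBNET_TO_DB = Flow("10.0.3.5", "10.0.2.10", "Tcp", 1433)

if __name__ == "__main__":
    for label, nsg, flow in [
        ("internet -> web:443", WEB_NSG, INTERNET_TO_WEB_443),
        ("internet -> web:22", WEB_NSG, INTERNET_TO_WEB_22),
        ("internet -> db:1433", DB_NSG, INTERNET_TO_DB),
        ("web -> db:1433", DB_NSG, WEB_TO_DB),
        ("other subnet -> db (Allow only)", DB_NSG_NAIVE, OTHER_SUBNET_TO_DB),
        ("other subnet -> db (with Deny)", DB_NSG, OTHER_SUBNET_TO_DB),
    ]:
        access, name = decide(nsg, flow)
        print(f"{label}: {access} by {name}")
```

Running the script prints one decision per sample flow. The instructive pair is the last two lines: with only the Allow rule, traffic from the unrelated 10.0.3.0/24 subnet to the database is allowed by the default AllowVnetInBound rule; adding the DenyVnetToDb rule at priority 200 (after the web-tier Allow at 100, before the platform defaults) is what produces the segmentation the text describes. The same model extends to reviewing exported NSG rule sets, since the fields mirror what the Azure resource exposes.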