Chapter Nine
Architecting on Azure
Seven cross-cutting topics that turn a catalog of services into a sound architecture — the Well-Architected Framework, landing zones, network topology, resilience, cost, security, and multi-Region design.
Core Terminology
Architecture on Azure rests on a shared set of frameworks and patterns. These terms recur across the chapter.
Well-Architected Framework
Microsoft's five pillars for evaluating a workload: reliability, security, cost optimization, operational excellence, and performance efficiency.
Landing Zone
A pre-provisioned, governed environment — identity, networking, policy, and management — that workloads deploy into, so each team does not rebuild the foundation.
Hub-and-Spoke
A network topology where shared services live in a central hub VNet that workload spoke VNets peer into.
Availability Zone
Physically separate datacenters in a Region. Zone-redundant deployment is the baseline for surviving a datacenter failure.
RPO / RTO
Recovery point objective (how much data you can lose) and recovery time objective (how long recovery may take) — the two numbers that drive DR design.
Subscription
A billing and management boundary. The number and shape of subscriptions are an architectural decision, not just an accounting one.
Topics in This Chapter
Topic 59
Well-Architected Framework
The five pillars — reliability, security, cost, operations, performance — and how to weigh them. The lens every other decision in this chapter uses.
Topic 60
Landing Zones
The governed foundation workloads deploy into: management-group hierarchy, identity, networking, and policy. Build it once; teams inherit it.
Topic 61
Hub-and-Spoke Networking
The standard enterprise topology — shared services in a hub, workloads in spokes — and when a Virtual WAN replaces hand-built peering.
Topic 62
High Availability & DR
Designing for failure with availability zones, paired Regions, and backups — and setting RPO and RTO before choosing the mechanism.
Topic 63
Cost Optimization
Where Azure spend goes and how to cut it: right-sizing, reservations, savings plans, autoscale, and the tiers that quietly dominate the bill.
Topic 64
Security Baseline
The non-negotiables — identity as perimeter, least privilege, encryption, secrets in Key Vault, and a defended network edge — assembled into a baseline.
Topic 65
Multi-Region Architecture
Active-passive versus active-active, data replication, and global routing — the cost and complexity of surviving a Region-wide outage.