In this edition
Azure Architect Tip of the Day
Always Deploy Azure Key Vault With Soft Delete + Purge Protection Enabled
Many teams treat Key Vault like “just another resource,” but it’s the heart of your cloud security. Keys, secrets, certificates — everything your apps need to run — lives here. Accidentally delete a vault or secret, and suddenly production apps can’t start, pipelines fail, and authentication flows break.
This is why Soft Delete + Purge Protection is non-negotiable.
Soft Delete protects you from accidental deletion.
Purge Protection ensures even an admin cannot permanently remove items until the retention period ends.
Together, they turn Key Vault into a resilient security boundary, not a fragile dependency. In regulated or enterprise environments, this is a must-have — and it costs nothing extra.
Architect’s takeaway:
Enable these settings before the first secret is added. Forgetting later can expose you to operational and security risks you may not recover from.
Azure Good-Reads
The 5 Pillars of Azure Architecture Every Architect Should Master
If you’ve worked with Azure long enough, you know — good architecture isn’t about throwing the latest services together.
It’s about designing systems that can handle failure gracefully, scale effortlessly, stay secure, and still keep costs in check.
That balance is what separates a good architect from a great one.
Microsoft’s Azure Well-Architected Framework captures that balance beautifully. It’s built around five core pillars — reliability, security, cost optimization, operational excellence and performance efficiency.
In this post, let’s unpack each of these pillars with real-world examples and see how you can use them to build architectures that don’t just run — they endure.
1. Reliability – “Will it hold up when things go wrong?”
In infra world, failure is not a “maybe”: hardware fails, network links drop, Azure region incidents happen. Reliability is about building resilience and recovery into your architecture so that the service still meets SLAs when parts fail.
In infrastructure, this means building redundancy into every critical layer — compute, storage, and network.
When you design for reliability, you’re essentially preparing for chaos — but ensuring your users never feel it.
Key design considerations
Define Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for workloads.
Avoid single points of failure: use Azure Availability Zones, zone-redundant services, multi-region failover.
Use automation for failover, backup/restore.
Use health-probes, graceful degradation, circuit-breakers.
Real-world example
At a large customer, we had on-premises VM clusters for a business-critical app. When migrating to Azure, we designed the architecture so that two VMs (in two Availability Zones) hosted the compute layer, with Azure Load Balancer fronting them, and SQL Always On availability groups for the database. In one incident, a zone went down – the load balancer failed over to the other zone seamlessly, RTO was under 5 minutes.
2. Security – “Are we protected at every layer?”
Security isn’t just a checkbox—it is foundational. A compromised network, VM, or identity can bring down everything else. In Azure’s WAF, security is the pillar that ensures confidentiality, integrity and availability (CIA) of data and workloads.
Key design considerations
Defence-in-Depth: network (NSG, Azure Firewall), compute (just-in-time, hardened OS), identity (Azure AD, managed identities), data (encryption at rest + in transit), operations (monitoring, alerting).
Least privilege access, separation of duties.
Security-by-design: treat security from day-one of your ESLZ design, not as add-on.
Logging, auditing, threat detection (Azure Sentinel, Defender).
Compliance and regulatory needs (especially for public sector or regulated industries).
The Security Layers:
Layer 1: Identity
Azure AD with Conditional Access
Privileged Identity Management (PIM) for admin access
Multi-Factor Authentication (MFA) – mandatory for all
Layer 2: Network
Private Endpoints for all PaaS services
Network Security Groups (NSGs) with deny-by-default
Azure Firewall for centralized egress filtering
Layer 3: Data
All data encrypted at rest (enabled by default, but verify)
TLS 1.2+ for all communications
Azure Key Vault for secrets, keys, and certificates
Never hardcode credentials in configuration
Layer 4: Monitoring
Microsoft Defender for Cloud (formerly Security Center)
Azure Sentinel for SIEM
Log Analytics for centralized logging
Automated alerts for suspicious activities
The Non-Negotiables:
Enable Azure AD for everything
Use Managed Identities (no connection strings in configurations)
Implement Zero Trust – verify explicitly, use least privilege, assume breach
Regular security reviews with Microsoft Defender for Cloud
Automate security responses where possible
Real-world example
True incident: A development team accidentally set a storage account to "public access" during testing. It contained customer PII.
Fortunately, we caught it through Azure Security Center (think Microsoft Defender for Cloud now) alerts before any damage. But it was a serious wake-up call for everyone.
3. Cost Optimization – “Are we spending wisely?”
In cloud infra, you pay for what you provision. Cost-optimization means designing architectures that deliver required capacity/performance/resilience at the lowest cost while still meeting business needs. The WAF explicitly calls this a pillar.
Key design considerations
Right-size VMs, use reserved instances or Azure Savings Plans where appropriate.
Use autoscaling, avoid over-provisioning.
Leverage PaaS managed services instead of DIY VM where cost/ops benefit is clear.
Monitor unused or under-utilised resources, shut them down or scale back. Use Azure Cost Management & Azure Advisor.
Use tagging, budgeting, charge-back showbacks to drive accountability.
Real-world example
A global enterprise realized 30% of their VM workloads were idle after hours. By implementing Azure Automation runbooks to power off non-production environments and using Azure Reservations for production VMs, they cut monthly spend by 40%.
4. Operational Excellence – “Can we run it efficiently and reliably day-to-day?”
Building the architecture is only half the job. Running it—monitoring, operating, updating, recovering—is just as important. Operational excellence ensures your systems deliver the business value, with predictable releases, observability, incident-response. These are especially important in large enterprise infra.
Key design considerations
Use Infrastructure-as-Code (IaC) for repeatability (e.g., ARM templates, Bicep, Terraform).
Automate deployments, updates, rollback.
Monitoring, alerting and logging built-in from day one (Azure Monitor, Log Analytics, Application Insights even for infra).
Runbooks for incident response, playbooks for failover.
Post-incident reviews, continuous improvement.
Real-world example
For a large public-sector deployment, infrastructure telemetry from VMs, Load Balancers, and Storage Accounts was centralized in Log Analytics, with Azure Monitor alerts feeding into ServiceNow.
Patch management was automated using Update Management Center, and infra provisioning followed a Terraform+ Azure DevOps pipeline for consistent deployments.
The Golden Rule: If you've done it twice manually, automate it. If you've done it three times, you're already late.
5. Performance Efficiency – “Will it scale and perform under load?”
The cloud gives you elasticity—but you still have to design for scale, latency, throughput, network/disk bottlenecks. Performance Efficiency ensures your architecture can adapt to changing demands and maintain responsiveness.
Key design considerations
Understand load patterns: steady vs burst vs unpredictable.
Use scaling: scale-up vs scale-out. Example: VM scale sets, Azure App Service autoscale.
Choose appropriate storage tiers, partitioning, caching (Azure Cache, Redis).
Network design: latency, regional distance, peering, ExpressRoute when necessary.
Use performance testing, baseline metrics, monitor resource saturation, tune early.
Real-world example
One customer had a seasonal batch job (monthly end-of-month) that for 3 days ran very heavy compute loads followed by quiet periods. Instead of permanently sizing for the peak, we designed the compute layer in Azure using VM scale sets with auto-scale rules based on queue length.
Bringing It All Together: The Balanced Architecture
Here's the thing – these pillars aren't isolated. They overlap and sometimes conflict. Want the highest reliability? That costs more. Want the best performance? You might need more resources, which impacts cost.
The art of being a good Azure architect is finding the right balance for YOUR specific scenario.
Pillar | Trade-offs & Relationships |
|---|---|
Reliability ↔ Cost | Increasing reliability (redundant regions, ASR, ZRS) improves uptime but raises cost. Balance SLA vs budget. |
Security ↔ Performance | Deep inspection (Firewalls, NSGs, encryption) may add latency; design networks for minimal choke points. |
Performance ↔ Cost | Autoscaling and high-performance SKUs increase spend — use telemetry to right-size. |
Operational Excellence ↔ Cost | Automation, monitoring, and IaC require upfront effort but reduce long-term operational costs. |
All Pillars ↔ Reliability | Security, performance, and operations all contribute to overall system reliability. Balance across them ensures resilience without waste. |
Final Thoughts
As Infra Architects working with Azure, we often focus on the technology: VMs, VNets, Load Balancers, Storage, etc. But architecture isn’t just “what services I pick”. It’s how you pick and combine them so the solution is secure, reliable, cost-efficient, operationally manageable and performant. That’s exactly what the five pillars of the Azure Well-Architected Framework guide you to do.
Keep the pillars in mind early—design for them, measure against them, revisit them. And your architecture will hold up when the unexpected happens (and trust me, it will).
Happy architecting, and here’s to strong Pillars!
If you found this useful, tap Subscribe at the bottom of the page to get future updates straight to your inbox.