Microsoft Azure — Services Documentation
A comprehensive, organized reference for Microsoft's cloud platform — every major service category covered, with a deep focus on Azure AI, including Azure OpenAI Service, AI Foundry, AI Search, Machine Learning, and the full set of pre-built AI services.
01 Overview
Azure is Microsoft's public cloud platform — a global network of datacenters offering compute, storage, networking, databases, analytics, AI, and SaaS that you consume on-demand and pay for as you use.
Azure organizes its 200+ services into a handful of well-defined categories: Compute, Containers, Networking, Storage, Databases, Analytics, AI & ML, Integration, Identity & Security, DevOps, IoT, Hybrid, Management, Web, Mobile, Migration, Media, and Quantum/HPC. This document walks each category in turn and surfaces the practical "what to use when."
Infrastructure-as-a-Service: VMs, virtual networks, disks, storage. You manage the OS and runtime.
Platform-as-a-Service: App Service, SQL Database, Functions, Container Apps. Microsoft manages the platform; you bring code.
Software-as-a-Service: Microsoft 365, Power Platform, Azure DevOps. Fully managed apps you consume.
02 Foundations
Five concepts you must understand before placing anything in Azure: tenant, subscription, management group, resource group, and resource.
| Concept | What it is | Why it matters |
|---|---|---|
| Microsoft Entra tenant | The identity boundary — your directory of users, groups, apps. | One tenant per organization; everything authenticates against it. |
| Subscription | The billing & quota boundary that holds resources. | Common pattern: separate subscriptions per environment (dev/test/prod) or business unit. |
| Management group | Container for multiple subscriptions, used to apply policy and access at scale. | Apply Azure Policy and RBAC once at a management group → inherits to all child subs. |
| Resource group | Logical container for resources sharing a lifecycle. | Delete the RG → delete everything in it. Tag at the RG for cost rollups. |
| Resource | Any individually-managed object — a VM, a storage account, a database, a key vault. | Every resource has a globally-unique resourceId; the API surface is uniform. |
Azure Resource Manager (ARM)
The control plane. Every Azure operation — create, read, update, delete, tag, lock, role-assign — flows through ARM. Declarative templates come in two first-party flavors, plus one widely used third-party alternative:
- ARM JSON templates — the original declarative format; verbose but universal.
- Bicep — Microsoft's first-party DSL that compiles to ARM JSON; far more readable. Recommended for new work.
- Terraform — popular third-party alternative; multi-cloud; mature provider for Azure.
03 Global infrastructure
Azure runs from 60+ regions and is available in 140+ countries, more regions than any other major cloud. Where you deploy affects latency, residency, redundancy, price, and which services are available.
A geography-bound set of datacenters (e.g. eastus, westeurope). Most resources are regional.
Physically separate datacenters within a region with independent power, cooling, network. Use 3 zones for 99.99%+ SLAs.
Geographically distant pair (e.g. East US ↔ West US) for cross-region replication and DR.
Smaller deployments at metropolitan or carrier edge for ultra-low-latency workloads (5G, real-time).
Sovereign and regional clouds: Azure Government (US) and Azure China (operated by 21Vianet) are separate, isolated cloud instances with their own endpoints and identity. The EU Data Boundary is a data-residency commitment inside the public cloud, not a separate cloud.
For telcos and regulated industries that need Azure services on-premises or at the edge.
04 Compute
Run code on Azure. The choice spans raw VMs through fully managed serverless functions — pick the lowest-management option that satisfies your constraints.
Windows or Linux VMs with hundreds of sizes (general, compute-optimized, memory-optimized, GPU, HPC). Spot VMs for cheap, interruptible workloads. Reserved instances for steady workloads.
Identical VMs that auto-scale on metrics or schedule. The fabric behind AKS node pools and many PaaS services.
Fully-managed PaaS for web apps and APIs. Languages: .NET, Java, Python, Node, PHP, Ruby. Built-in TLS, custom domains, deployment slots, autoscale, hybrid connections.
Event-driven serverless compute. Triggers on HTTP, queues, blobs, timers, Cosmos DB, Event Grid, Service Bus, Event Hubs. Consumption / Premium / Flex / Dedicated plans.
Serverless containers built on Kubernetes + Dapr + KEDA. Scale to zero; ideal for microservices, event processing, and AI agents.
Run a single container without orchestration. Good for short-lived jobs and bursty workloads.
Microsoft's microservices/orchestration platform predating AKS. Still used for high-density stateful services.
Large-scale parallel and HPC workloads — render farms, financial simulations, scientific computing.
Managed Spring Boot platform built with VMware. Eliminates Spring infrastructure ops.
Run native VMware (vSphere, vSAN, NSX) on Azure-managed bare metal — lift-and-shift VMware estates.
VM family quick reference
| Series | Type | Best for |
|---|---|---|
B | Burstable | Dev/test, low-traffic web servers, build agents. |
D / Dv5 / Dasv5 | General purpose | Most production workloads — balanced CPU/memory. |
F / Fasv6 | Compute-optimized | Web tier, batch, analytics, gaming. |
E / Easv5 | Memory-optimized | SQL/NoSQL DBs, in-memory caches, large analytics. |
L | Storage-optimized | NoSQL, big-data, transactional DBs needing local NVMe. |
N (NC, ND, NV) | GPU | NC: ML training. ND: large model training (H100/H200). NV: visualization/inference. |
HB / HC | HPC | MPI workloads, fluid dynamics, weather, molecular dynamics. |
M | Memory + CPU extreme | SAP HANA, very large in-memory DBs. |
05 Containers & Kubernetes
The surfaces for running containers (plus the registry that feeds them), ordered from "I just want a container to run" to "I need full Kubernetes control."
Managed Kubernetes. The Free tier has no control-plane charge (you pay for nodes); Standard and Premium tiers bill per cluster for the financially backed uptime SLA and, on Premium, long-term support. Integrations with Entra ID, Defender, Monitor, Container Registry, Azure Linux, and Node Autoprovisioning (Karpenter-based).
Serverless container platform on top of Kubernetes — without exposing Kubernetes. Scale-to-zero, KEDA event scaling, Dapr sidecar, revisions, splits.
Single containers / container groups, billed per second. Good for batch jobs, CI runners, ephemeral compute.
Private Docker / OCI registry with geo-replication, content trust, image scanning, and tasks (build/patch on Azure).
Jointly engineered with Red Hat — full OpenShift platform managed by both companies.
Reliable services + actor model. Microsoft's older microservices platform; powers many internal Azure services.
06 Networking
Azure networking is layered: a virtual network gives you private IP space; load balancers distribute traffic; gateways connect on-prem; CDN/Front Door accelerates global delivery.
Private IP address space in the cloud — subnets, route tables, NSGs, peering. Foundational to almost everything in Azure.
Layer-4 (TCP/UDP) load balancing within a region. Standard tier supports zonal redundancy.
Layer-7 (HTTP) load balancer with WAF, SSL termination, URL-based routing, autoscale.
Global L7 entry point — Anycast routing, WAF, CDN, dynamic site acceleration. Microsoft's edge network in 100+ POPs.
Content delivery via Microsoft's edge network; static asset caching at the edge. The Akamai and Edgio (formerly Verizon) CDN profiles are retired, and Azure Front Door is the path for new work.
DNS-based global load balancing — geographic, weighted, performance-based, priority routing.
Site-to-site IPsec VPN; point-to-site for users. Up to 10 Gbps with VpnGw5 SKU.
Private dedicated circuit from your DC to Azure — bypasses the public internet. 50 Mbps to 100 Gbps.
Hub-and-spoke at global scale — unifies VPN, ExpressRoute, SD-WAN partners, secure hub with Firewall.
Stateful, fully managed network firewall. Premium tier adds TLS inspection and IDPS.
Stateful packet filtering at the subnet or NIC level. Zero-cost, foundational segmentation.
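How an NSG picks the rule that decides a flow, as an added example that is not part of the original page. Rules are evaluated in priority order (lower number first), the first match wins, and Azure appends three default inbound rules at 65000, 65001 and 65500 to every NSG. The `Rule` dataclass, the `SERVICE_TAGS` ranges and the sample addresses are assumptions for illustration; the point shown is the classic misconfiguration of a Deny rule whose priority number is higher than an Allow that already matches the traffic.

```python
# Added example: priority-ordered NSG evaluation with Azure's default inbound rules.
# Rule set, service-tag ranges and addresses are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" or a service tag name
    dest_port: str     # "443", "1000-2000" or "*"


# Constructed stand-ins for two service tags (real tag contents are published
# by Microsoft and change over time).
SERVICE_TAGS = {
    "VirtualNetwork": [ip_network("10.0.0.0/8")],
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
}

# Azure adds these to every NSG; custom rules (<= 4096) always run before them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    if rule_source in SERVICE_TAGS:
        return any(ip_address(src_ip) in net for net in SERVICE_TAGS[rule_source])
    return ip_address(src_ip) in ip_network(rule_source)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def evaluate(rules, src_ip: str, protocol: str, dest_port: int):
    """First matching rule in priority order decides; returns (access, rule name)."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# A rule set with a shadowed Deny: priority 300 never runs for port 443 because
# the Allow at 100 has already matched.
SHADOWED = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "*", "443"),
    Rule("DenyRdpFromInternet", 200, "Deny", "Tcp", "*", "3389"),
    Rule("DenyHttpsFromBadNet", 300, "Deny", "Tcp", "203.0.113.0/24", "443"),
]

# The fix: give the narrower Deny the lower priority number.
FIXED = [
    Rule("DenyHttpsFromBadNet", 100, "Deny", "Tcp", "203.0.113.0/24", "443"),
    Rule("AllowHttpsFromInternet", 110, "Allow", "Tcp", "*", "443"),
    Rule("DenyRdpFromInternet", 200, "Deny", "Tcp", "*", "3389"),
]

if __name__ == "__main__":
    print(evaluate(SHADOWED, "203.0.113.5", "Tcp", 443))  # ('Allow', 'AllowHttpsFromInternet')
    print(evaluate(FIXED, "203.0.113.5", "Tcp", 443))     # ('Deny', 'DenyHttpsFromBadNet')
```

Network Watcher's IP flow verify (listed under diagnostics below) answers the same question against a real NIC and is the quickest way to confirm a shadowed rule in a live NSG.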
Always-on, ML-driven volumetric and protocol attack mitigation. IP Protection (per-resource) and Network Protection (per-VNet) tiers.
OWASP top-10 protection on Application Gateway and Front Door. Custom rules, bot protection, geo-filtering.
SSH/RDP into VMs through the Azure portal — no public IPs required. Premium tier supports private connectivity.
Reach Azure PaaS (Storage, SQL, Cosmos, Cognitive…) over a private IP in your VNet. The default for production.
Outbound-only NAT for VNets — large port pools, predictable SNAT exhaustion behavior.
Dynamic routing (BGP) between Azure VNets and your network virtual appliances or ExpressRoute.
Diagnostics: connection troubleshoot, packet capture, NSG flow logs, topology, IP flow verify.
07 Storage
Object, file, block, and queue storage — durable, replicated, and accessible globally.
Massively-scalable object store. Block blobs (general data), append blobs (logs), page blobs (VHDs). Hot / Cool / Cold / Archive tiers — automatic tiering policies.
Blob storage + HDFS-compatible namespace. Foundation for analytics on Synapse, Databricks, Fabric.
Managed SMB and NFS file shares. Premium tier (SSD) for low-latency; standard tier on HDD.
Persistent block storage for VMs. Ultra Disk, Premium SSD v2, Premium SSD, Standard SSD, Standard HDD — pick by IOPS and throughput.
Simple, at-least-once message queue over REST; ordering is best-effort, not guaranteed FIFO. Use Service Bus (sessions, transactions, dead-lettering) for advanced messaging.
NoSQL key-value / wide-column. Cosmos DB Table API supersedes for new workloads.
Enterprise NAS service powered by NetApp ONTAP — for SAP, EDA, HPC, demanding shared file workloads.
File cache for HPC workloads pulling from on-prem NFS or blob.
Backup-as-a-service for VMs, SQL, SAP HANA, Files, Blobs. Cross-region, immutable vaults, soft-delete.
DR orchestration — replicate VMs to another region or to Azure from on-prem. Failover testing without disruption.
Hybrid cloud storage and migration tooling for moving file shares to Azure.
Physical appliances (Disk, Heavy, Box) for offline transfer of TB–PB-scale data into or out of Azure.
Replication options
| SKU | Replicas | Where | Durability (objects per year) |
|---|---|---|---|
LRS | 3 copies | Single datacenter | 11 nines |
ZRS | 3 copies | 3 availability zones in one region | 12 nines |
GRS | 6 copies | Primary region (LRS) + paired region (LRS) | 16 nines |
GZRS | 6 copies | Primary (ZRS) + paired (LRS) | 16 nines |
RA-GRS / RA-GZRS | 6 copies | + read access to secondary | 16 nines |
08 Databases
Managed relational and NoSQL databases — pick by workload, consistency model, and how much control you need.
Fully managed SQL Server. Single Database, Elastic Pools, Hyperscale (up to 128 TB). Serverless tier auto-pauses. Built-in HA, backups, threat detection, geo-replication.
SQL Server with near-100% feature parity (cross-db queries, agent jobs, CLR, linked servers). Lift-and-shift target for SQL Server estates.
Bring your own SQL Server license; full OS control. Best when you need OS-level customization.
Global, multi-model NoSQL. APIs: NoSQL, MongoDB, Cassandra, Gremlin, Table, PostgreSQL (Citus). Tunable consistency, serverless or provisioned, <10ms p99 reads. Native vector search.
Managed Postgres (Flexible Server) with HA, backups, custom maintenance windows. The former Hyperscale (Citus) tier is now Azure Cosmos DB for PostgreSQL, for sharded multi-tenant workloads.
Managed MySQL with HA, replicas, backups. Choose burstable / general / business-critical.
Managed MariaDB. Note: in retirement — new workloads should use MySQL Flexible Server.
Managed Redis OSS and Redis Enterprise tiers (active geo-replication, modules, Redis on Flash, Search).
Managed Cassandra clusters; can hybrid-mesh with on-prem Cassandra.
Online migrations from SQL Server, Oracle, MySQL, Postgres, MongoDB to Azure equivalents.
Lightweight SQL engine for IoT and edge — ARM and x64; sync with Azure SQL.
09 Analytics & big data
From data ingestion through transformation, warehousing, and BI. Microsoft Fabric is the umbrella for the modern analytics stack; the underlying services remain available individually.
SaaS analytics platform unifying Data Factory, Synapse Data Engineering, Synapse Data Warehouse, Real-Time Analytics, Power BI, and Data Activator on OneLake.
Unified workspace: dedicated SQL pools (MPP DW), serverless SQL, Spark pools, pipelines. Synapse functionality is being absorbed into Fabric.
First-party offering of Databricks Lakehouse — Spark, Delta Lake, Unity Catalog, MLflow, Mosaic AI. Tight Entra/VNet integration.
Visual ETL/ELT and orchestration — 90+ connectors, mapping data flows, integration runtimes for hybrid sources. Now also delivered inside Fabric.
SQL-based stream processing on Event Hubs / IoT Hub / Blob. Sub-second to second latency.
Hyper-scale event ingestion (millions of events/sec). Kafka-protocol compatible. Capture to blob/ADLS for cold storage.
Managed open-source analytics: Hadoop, Spark, Kafka, HBase, Hive LLAP. Mature; new workloads usually go to Synapse / Fabric / Databricks.
Time-series & telemetry analytics with KQL — billions of events/day, sub-second queries. Powers Log Analytics, Sentinel, App Insights.
Unified data governance — automatic scanning, classification, lineage, sensitivity labels across Azure, M365, on-prem, AWS, GCP.
BI and analytics. Pro / Premium per user / Premium capacity / Embedded. Native semantic models and paginated reports.
Tabular semantic models — being superseded by Power BI Premium / Fabric semantic models.
Share datasets across orgs and tenants without copying.
10 AI services
Pre-built, REST-callable AI capabilities across vision, speech, language, and decision — what was branded "Cognitive Services" is now grouped as Azure AI Services. Most are accessed through a single multi-service endpoint or their dedicated resources.
Vision
OCR (Read), image analysis (objects, captions, tags), spatial analysis, video summarization. Built on Microsoft's Florence foundation model.
Extract structured data from documents — receipts, invoices, IDs, tax forms, contracts. Pre-built and custom models. Layout API + neural extraction.
Train custom image classifiers and object detectors with a few hundred images. Export to ONNX, CoreML, TensorFlow.js for edge.
Detection, verification, identification. Identification gated to approved customers for responsible-AI reasons.
Extract metadata from video: speakers, faces, sentiment, OCR, topics, scenes, audio events.
Newer multimodal extraction service that understands documents, audio, video, and images with natural-language schemas.
Speech
Real-time and batch transcription. Custom Speech models for vertical jargon. 100+ languages and dialects.
Neural voices in 140+ languages. Custom Neural Voice (gated) for branded voices. Personal Voice for short-form cloning with consent.
Real-time translation between speech and speech / speech and text.
Verify or identify a speaker by their voice (verification GA, identification gated).
Score pronunciation quality of spoken words — for language learning apps.
Language
Umbrella service — sentiment, entity recognition (NER), key phrase, language detection, PII detection & redaction, summarization (extractive + abstractive), text analytics for health.
Neural machine translation in 130+ languages, document translation preserving formatting, custom translator models for domain.
Conversational language understanding — intents, entities, slot filling. Successor to LUIS.
Custom Q&A from URLs/PDFs/Markdown. Successor to QnA Maker.
Embeddable reading aid — read-aloud, picture dictionary, line focus, syllabification — for accessibility and learning.
Decision & safety
Detect harmful content (hate, sexual, violence, self-harm) in text and images. Prompt Shields for jailbreak / indirect-injection detection. Groundedness detection for RAG. The default safety layer for Azure-hosted GenAI.
Reinforcement-learning recommender — being retired in 2026; replace with custom RAG / RL approaches.
Univariate and multivariate anomaly detection — being retired in 2026; replace with Stream Analytics ML or Azure ML.
Time-series anomaly detection with root-cause hints — also being retired; migrate to AI Foundry / custom models.
11 Azure OpenAI & AI Foundry
Generative AI on Azure runs through two complementary surfaces: the Azure OpenAI Service (managed access to OpenAI models in your tenant) and Azure AI Foundry (the unified portal, SDK, and runtime for building AI apps and agents on top of those models).
Frontier OpenAI models in Azure — gpt-5, gpt-4o family, o-series reasoning, gpt-image-1, dall-e-3, whisper, tts, text-embedding-3. Data residency, private network, no training on your data, regional and global deployments, batch & provisioned throughput.
The build surface: model catalog (1500+ models from OpenAI, Microsoft, Mistral, Meta, NVIDIA, Cohere, AI21, DeepSeek, Hugging Face), prompt flow, evaluation, agent service, content safety, observability, and connections to data and tools. Replaces Azure AI Studio.
Managed multi-agent runtime — orchestrate agents that call tools, use Azure AI Search for retrieval, persist memory, and integrate with Logic Apps, Functions, MCP servers, and your own APIs. Identity flows through Entra; traces flow through App Insights.
Pay-per-token serverless endpoints for non-OpenAI models, such as Llama, Mistral Large, Phi, Cohere, and AI21, without provisioning compute.
Reserved throughput for OpenAI models — guaranteed latency and capacity at predictable cost. Best for high-volume, latency-sensitive production.
Submit large jobs at about a 50% discount with a 24-hour target turnaround (a target, not an SLA). Ideal for offline embedding, classification, summarization at corpus scale.
SFT, DPO, and reinforcement fine-tuning on supported models. Adapter weights live in your tenant.
Layered defenses — input prompt-injection detection, output content filtering, groundedness checks, protected-material detection — applied to every request unless explicitly opted out.
Automated adversarial probing of your AI app — generates jailbreaks, indirect injections, harmful inputs and reports failures.
Built-in evaluators (groundedness, relevance, similarity, fluency, coherence, safety, custom) plus your own evaluators run in CI against datasets.
Working with Azure OpenAI
```python
# Python — chat completion through Azure OpenAI
import os

from openai import AzureOpenAI

client = AzureOpenAI(
    azure_endpoint="https://my-resource.openai.azure.com",
    # Prefer Entra ID auth (azure_ad_token_provider) over a static key in production
    api_key=os.environ["AOAI_KEY"],
    api_version="2025-04-01-preview",
)
resp = client.chat.completions.create(
    model="gpt-4o",  # your deployment name, not the model name
    messages=[
        {"role": "system", "content": "You are a concise assistant."},
        {"role": "user", "content": "Summarise the EU AI Act in two sentences."},
    ],
    max_tokens=200,
)
print(resp.choices[0].message.content)
```
Model catalog highlights
| Family | Examples | Use for |
|---|---|---|
| OpenAI flagship | gpt-5, gpt-4o, gpt-4o-mini | General chat, RAG, agents, multimodal. |
| OpenAI reasoning | o3, o4-mini | Complex reasoning, math, code, analysis where latency budget allows. |
| OpenAI image | gpt-image-1, dall-e-3 | Image generation and editing. |
| OpenAI audio | whisper, gpt-4o-realtime, tts | Speech-to-text, real-time voice agents, text-to-speech. |
| OpenAI embeddings | text-embedding-3-large / -small, text-embedding-ada-002 | RAG vectorization, clustering, classification. |
| Microsoft | phi-4, phi-4-mini, phi-4-multimodal | Small, capable models — on-device and edge. |
| Meta | llama-4, llama-3.3-70b | Open-weight LLMs, fine-tuning, custom hosting. |
| Mistral | mistral-large-2, codestral | European-built reasoning + code. |
| Cohere | command-r-plus, embed-v3, rerank-v3 | RAG-tuned generation, embeddings, rerankers. |
| NVIDIA | NIM containers, NeMo Retriever | GPU-optimized inference and RAG components. |
| Hugging Face | 20K+ models | Long tail of open models with one-click managed deploy. |
12 Machine learning
Custom ML — train, deploy, monitor your own models. Azure Machine Learning is the workspace; AI Foundry is the GenAI-first overlay built on top.
End-to-end ML platform — workspaces, compute, data assets, jobs, pipelines, models, registries, endpoints. Designer (visual), notebooks, CLI v2, SDK v2.
Automated training and selection over classification, regression, forecasting, NLP, image, recommendation. Generates explainable code.
Drag-and-drop pipeline canvas for traditional ML. Useful for citizen data scientists and rapid prototyping.
Production model serving with blue/green deployment, autoscale, A/B traffic split, App Insights tracing.
Async scoring of large datasets — pipeline-based, ideal for nightly inference.
Feature definitions, materialization to online (Redis) and offline (ADLS) stores, point-in-time-correct training data.
Explainability (SHAP), fairness, error analysis, counterfactuals, causal — single dashboard per model.
Visual + code authoring of LLM workflows; runs in AML and Foundry. Ideal bridge between research and production.
Versioned models with MLflow integration; track training data, code, environment, metrics for every version.
13 AI Search & knowledge
Retrieval is the second half of every grounded GenAI system. Azure's primary surface is Azure AI Search — keyword + vector + semantic re-ranking in one managed service.
Managed search platform — full-text, vector (HNSW), hybrid, semantic ranker (L2 reranking), faceting, geo-search. Indexers ingest from Blob, ADLS, SQL, Cosmos, OneLake. Built-in skillsets call AI services for OCR, entity extraction, embedding.
Index pipelines that chunk, embed, and index documents end-to-end without your own pipeline code.
Skill-enriched outputs persisted to Blob or Tables — usable by Power BI, Synapse, downstream pipelines.
Bing Search APIs (web, image, video, news, entity, custom search) were retired in August 2025. Grounding with Bing Search remains as a tool for Foundry agents that need fresh web data.
Managed runtime for the Bot Framework — Teams, Web Chat, Slack, SMS, Direct Line. Pairs naturally with Foundry agents.
Native vector search inside Cosmos DB (NoSQL, MongoDB vCore, Postgres). Reduces architecture for chat-with-your-data.
Embed natural-language Q&A directly on top of OneLake / lakehouse data with governed permissions.
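The fusion step behind a hybrid query in Azure AI Search, and the retrieval leg of the production RAG pattern in section 25, as an added example that is not part of the original page. A keyword ranker and a vector ranker are run over a constructed four-chunk corpus and their rankings are merged with Reciprocal Rank Fusion (RRF), which is what AI Search does for hybrid queries before the optional semantic reranker. The corpus, the three-dimensional toy embeddings, the BM25-lite scoring and the `k = 60` constant are assumptions for illustration.

```python
# Added example: keyword + vector retrieval fused with Reciprocal Rank Fusion.
# Corpus and embeddings are constructed toy data, not real index content.
import math
import re
from collections import Counter

DOCS = {
    "d1": "Managed identity tokens are requested from the IMDS endpoint with a Metadata header",
    "d2": "Private Endpoint gives PaaS services a private IP inside your VNet",
    "d3": "Key Vault stores secrets keys and certificates behind RBAC and private endpoints",
    "d4": "Front Door with WAF terminates TLS at the global edge",
}

# Toy 3-d embeddings: axes loosely mean [identity, networking, secrets]
EMBED = {
    "d1": [1.0, 0.1, 0.3],
    "d2": [0.0, 1.0, 0.1],
    "d3": [0.3, 0.4, 1.0],
    "d4": [0.0, 0.9, 0.0],
}


def tokenize(text: str):
    return re.findall(r"[a-z0-9]+", text.lower())


def keyword_rank(query: str):
    """Rank docs by summed IDF of matching query terms (a BM25-lite stand-in)."""
    n = len(DOCS)
    df = Counter(t for text in DOCS.values() for t in set(tokenize(text)))
    q_terms = set(tokenize(query))
    scores = {}
    for doc_id, text in DOCS.items():
        hit = q_terms & set(tokenize(text))
        score = sum(math.log(1 + n / df[t]) for t in hit)
        if score > 0:
            scores[doc_id] = score
    return [d for d, _ in sorted(scores.items(), key=lambda kv: -kv[1])]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def vector_rank(query_vec):
    """Rank every doc by cosine similarity to the query embedding."""
    sims = ((d, cosine(query_vec, v)) for d, v in EMBED.items())
    return [d for d, _ in sorted(sims, key=lambda kv: -kv[1])]


def rrf(*ranked_lists, k: int = 60):
    """Reciprocal Rank Fusion: score(doc) = sum over lists of 1 / (k + rank)."""
    scores = {}
    for ranked in ranked_lists:
        for rank, doc_id in enumerate(ranked, start=1):
            scores[doc_id] = scores.get(doc_id, 0.0) + 1.0 / (k + rank)
    return sorted(scores.items(), key=lambda kv: -kv[1])


def hybrid_search(query: str, query_vec, top: int = 3):
    """Top-k doc ids after fusing the keyword and vector rankings."""
    return [d for d, _ in rrf(keyword_rank(query), vector_rank(query_vec))[:top]]


if __name__ == "__main__":
    print(hybrid_search("private endpoint for key vault secrets", [0.2, 0.6, 0.8]))
```

Note what RRF does with a chunk that only one ranker finds: d1 matches a single keyword and sits last on the vector side, yet it still edges out d4, which the keyword ranker never returned. In AI Search the semantic ranker then rescores the fused top results, so the fusion quality bounds what the reranker can recover.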
14 Integration & messaging
Glue between systems. Logic Apps for workflows, API Management for the API edge, Service Bus / Event Grid / Event Hubs for the messaging spine.
Visual workflow service with 1000+ connectors (M365, Salesforce, ServiceNow, SAP, etc.). Standard tier runs in App Service or containers.
Full API gateway — auth, throttling, transformation, caching, developer portal, products, subscriptions. Self-hosted gateway for hybrid.
Enterprise messaging: queues, topics, subscriptions, sessions (ordered delivery), dead-lettering, scheduled delivery, transactions. Standard / Premium tiers. No MQTT; that lives in Event Grid namespaces.
Pub/sub at hyper-scale. Push-model — receivers handle events. Native event sources for nearly every Azure service. Event Grid namespaces add an MQTT broker (v3.1.1 and v5) for IoT and bidirectional pub/sub.
High-throughput event ingestion (millions/sec) — Kafka-protocol compatible. Capture for cold storage; auto-inflate.
(Listed under analytics — also serves as an integration tool for ETL between systems.)
Hybrid Connections + WCF Relay — securely expose on-prem services to the cloud without firewall changes.
Managed WebSocket service for real-time apps — chat, dashboards, collaborative editing.
Cloud-native pub/sub over WebSockets, simpler than SignalR for greenfield real-time use cases.
15 Identity & security
Security in Azure starts with identity (Microsoft Entra) and layers on Defender for runtime protection and Sentinel for SIEM/SOAR.
Cloud identity and access management (formerly Azure AD). Users, groups, applications, conditional access, MFA, B2B, SSO. The trust root for all of Azure.
Entitlement management, access reviews, lifecycle workflows, PIM (Privileged Identity Management).
Customer identity (B2C / CIAM) — sign-up flows, social IDs, custom branding. Replaces legacy Azure AD B2C.
Decentralized identity — issue and verify W3C verifiable credentials (degrees, employment, KYC).
CIEM — least-privilege analysis across Azure, AWS, GCP. Right-size identities and clean up zombie permissions.
Secrets, keys, and certificates with RBAC, soft-delete and purge protection. Premium tier keys are HSM-protected; Managed HSM is the single-tenant tier validated to FIPS 140-3 Level 3. Automatic certificate rotation with public CA integration.
Identities you give to Azure resources so code holds no credentials. The workload fetches tokens from the Instance Metadata Service (IMDS, 169.254.169.254) on VMs, or from the identity endpoint injected into App Service / Functions / Container Apps. System-assigned (lifecycle tied to the resource) vs user-assigned (standalone, shareable across resources).
CSPM + CWP across Azure, AWS, GCP. Posture, vulnerability scanning, regulatory compliance, threat detection for VMs, containers, DBs, storage, AI workloads.
Cloud-native SIEM/SOAR — KQL-based detections, hunting notebooks, automated response playbooks, fusion ML, M365 + Defender XDR integration.
Sensitivity labels, DLP, encryption, double-key encryption — apply to documents, emails, datasets across M365 and Azure.
VMs (DCsv3, DCasv5) and containers running in Trusted Execution Environments — Intel SGX, AMD SEV-SNP. Data encrypted in use.
Verify the integrity of a TEE before releasing secrets to it. Used by confidential computing and confidential ledger.
Tamper-evident, append-only ledger for high-value records, built on the Confidential Consortium Framework (CCF) inside confidential-computing enclaves; entries are hash-chained in a Merkle tree and write receipts can be verified offline.
16 DevOps
Azure DevOps and GitHub are both Microsoft properties. Most new projects standardize on GitHub + GitHub Actions + Azure; Azure DevOps remains for existing investments and government clouds.
Suite: Repos (Git), Pipelines (CI/CD), Boards (work items), Test Plans, Artifacts (package registry).
Repos, Actions, Packages, Codespaces, Advanced Security, Copilot Enterprise — Microsoft-billed alongside Azure.
First-party actions for OIDC federated login, deployment to App Service / Functions / AKS / Container Apps, Bicep deploy.
Microsoft's IaC DSL that compiles to ARM JSON. First-class linter, modules, what-if, decompile from JSON.
Original declarative deployment language. Verbose; usually compiled from Bicep today.
Self-service environments for dev teams — IaC templates, governed catalogs, costs by environment.
Managed load testing built on Apache JMeter; integrates with App Insights for end-to-end correlation.
Chaos engineering — inject faults (CPU pressure, network loss, AKS pod kill, region failure simulation) to validate resilience.
Run CI on your own VMs or AKS — for IP egress control, custom tools, GPU build steps.
17 IoT & edge
Connect, manage, and analyze devices and the data they produce — from low-power sensors to industrial PLCs.
Edge-native, Kubernetes-based platform for industrial IoT — MQTT broker, OPC UA connector, data flows, Akri for device discovery, Arc-enabled.
Bidirectional cloud gateway for millions of devices — device twins, direct methods, file upload, message routing. MQTT, AMQP, HTTPS.
App platform for IoT — UI, dashboards, rules, device templates. Lower-effort path than IoT Hub for standard scenarios.
Graph model of physical environments (buildings, factories, cities). DTDL ontology, real-time queries.
Container runtime that ships cloud workloads (Functions, ML models, Stream Analytics) to edge devices. Now largely subsumed by Azure IoT Operations / Arc.
Secure MCU + OS + cloud security service for greenfield secure IoT devices. End-of-support announced; see Azure IoT Operations roadmap.
Location services — base maps, search, routing, traffic, geofencing, weather, mobility, indoor maps.
18 Hybrid & multi-cloud
Run Azure services on-premises, at the edge, or in other clouds — extend the management plane outward.
Project non-Azure resources into Azure as first-class objects — servers (Linux/Windows), Kubernetes clusters, SQL Servers, VMware vCenter. Apply Policy, RBAC, Monitor, Defender, Update Manager uniformly.
On-prem hyperconverged cluster validated by Microsoft + OEMs. Runs Azure services, AKS, AVD on your hardware.
2024 evolution of Stack HCI — distributed, Arc-managed Azure infrastructure for the edge.
Pre-built appliance shipped by Microsoft — local compute + storage + GPU + accelerators, managed from Azure portal.
Full Azure consistent cloud in your datacenter — disconnected operation supported. Niche but mature.
SQL MI and Postgres Hyperscale running on any Kubernetes — billed and managed through Azure.
19 Management & governance
Standards, policy, cost control, and operational tooling that apply across every service.
The control plane API. Everything you do in Azure ultimately resolves to ARM. Knows tags, locks, RBAC, what-if.
Define rules ("all storage accounts must use TLS 1.2", "no public IPs in prod"). Audit existing, deny new, or remediate.
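The two rules quoted above written out as Azure Policy rule JSON, as an added example that is not part of the original page. The small evaluator beneath them is a local model that covers only the policy-language subset these rules use (`allOf`/`anyOf`/`not`, `field`, `equals`, `notEquals`, `exists`) and applies it to constructed resource documents; the real engine evaluates inside ARM and resolves property aliases fully, which the `_field` helper only approximates by taking the last segment of the alias. The sample resources are constructed.

```python
# Added example: Azure Policy rule JSON for the two rules above, plus a minimal
# local evaluator for the condition subset they use. Resources are constructed.
import json

STORAGE_TLS_POLICY = json.loads("""
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"}
      ]
    },
    "then": {"effect": "deny"}
  }
}
""")

NO_PUBLIC_IP_POLICY = json.loads("""
{
  "mode": "All",
  "policyRule": {
    "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
    "then": {"effect": "deny"}
  }
}
""")


def _field(resource: dict, path: str):
    """Resolve a field reference: top-level 'type'/'location'/'name', a
    'tags[key]' lookup, or a provider alias mapped onto resource['properties']
    by its last segment (an approximation of real alias resolution)."""
    if path in ("type", "location", "name"):
        return resource.get(path)
    if path.startswith("tags[") and path.endswith("]"):
        return resource.get("tags", {}).get(path[5:-1])
    return resource.get("properties", {}).get(path.split("/")[-1])


def _matches(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        # A missing property also satisfies notEquals, which is why a storage
        # account created without minimumTlsVersion is denied below.
        return value != cond["notEquals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict) -> str:
    """Return the effect when the 'if' block matches, otherwise 'allow'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource) else "allow"


if __name__ == "__main__":
    legacy = {"type": "Microsoft.Storage/storageAccounts", "properties": {"minimumTlsVersion": "TLS1_0"}}
    print(evaluate(STORAGE_TLS_POLICY, legacy))  # deny
```

Assign the first rule with `deny` at the management-group level and existing non-compliant accounts show up in compliance reports while new ones are rejected at ARM; switch the effect to `audit` first if you need a dry run, and use `modify`/`deployIfNotExists` when you want remediation rather than rejection.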
Composable templates of policy + RBAC + ARM. Being replaced by Bicep + Deployment Stacks.
Group resources to deploy / update / delete as a unit; protect from accidental deletion.
Cost analysis, budgets, alerts, recommendations, exports to ADLS / Power BI. Cross-cloud cost (AWS) supported.
Personalized recommendations across cost, security, reliability, performance, operational excellence.
Cross-tenant management for MSPs and large enterprises — see and operate customer / subsidiary tenants from one portal.
Runbooks (PowerShell, Python), state config (DSC), update management (now Update Manager), shared modules.
Patch orchestration for Azure VMs, Arc-enabled servers, on-prem.
20 Monitoring & observability
One platform — Azure Monitor — with several feature surfaces stacked on top of a shared metrics, logs, and traces store.
Unified metrics, logs (Log Analytics), distributed traces. Underpins everything below.
APM — auto-instrumentation for .NET / Java / Node / Python / Go via OpenTelemetry. Live metrics, profiler, snapshot debugger, dependency map.
Storage + KQL query engine for logs and traces. Single workspace pattern is recommended for most orgs.
Container and AKS observability — node, pod, deployment metrics; Live Data tail; Prometheus-managed scrape.
Per-VM CPU/memory/disk + dependency mapping using Azure Monitor Agent.
Topology, NSG flow, connection monitor, ExpressRoute monitoring.
Managed Grafana with Entra SSO and built-in datasources for Monitor, Prometheus, ADX.
Fully-managed PromQL-compatible metrics service — auto-scrape AKS, Arc clusters, public endpoints.
Curated views of metrics, logs, and KQL — share within team or pin to portal.
21 Web & mobile
Build and host web and mobile front-ends — from static sites to push-notification fan-out.
Managed web hosting for .NET, Java, Node, Python, PHP, Ruby. Linux or Windows; Free → Premium V3 → Isolated tiers.
Build static sites + serverless API in one product. Free tier with Functions; built-in auth, custom domains, preview environments per PR.
Voice, video, SMS, email, chat APIs powered by the Teams platform — bring multi-modal communication into your apps.
Cross-platform push notifications (APNs, FCM, WNS) at very large scale.
WebSocket-based real-time messaging for web/mobile clients.
Maps SDK for web, Android, iOS — routing, search, traffic, indoor.
Mobile DevOps — build, test, distribute, crash analytics, push for iOS/Android. Sunsetting in 2025; migrate to GitHub Actions + Codemagic / Bitrise.
22 Migration & backup
Move existing workloads to Azure and protect them once they arrive.
Hub for discovery, assessment, and migration of servers, databases, web apps, virtual desktops. Includes assessments, dependency analysis, cost projections.
Backup for VMs, SQL/SAP HANA in VMs, Files, Blobs, Azure Database for Postgres. Vaulted-only mode for ransomware protection.
DR — replicate VMs to another region, fail over with one click, fail back when source recovers.
Online and offline DB migrations to managed Azure databases (SQL, Postgres, MySQL, MongoDB).
Physical disks / appliances for offline bulk data transfer.
Migrate file shares from on-prem NAS to Azure Files / Blob.
23 Media & communication
Note: Azure Media Services retired June 2024. Replacements live in Communication Services and AI Services.
WebRTC voice and video built on the Teams stack. Embed into apps; recording, captioning, live events.
(Listed under AI services.) Replaces Media Services for transcription, scene detection, OCR on video.
Mixed Reality services: Microsoft is winding down its legacy mixed-reality offerings (Spatial Anchors and Remote Rendering have been retired); check current availability before depending on any of them.
24 Quantum & HPC
Frontier compute for research workloads.
Cloud access to multiple quantum hardware backends (IonQ, Quantinuum, Rigetti, PASQAL) and simulators. Q# language and quantum development kit.
Cloud HPC + AI for chemistry and materials science — DFT at scale, generative models for molecules.
Orchestration for HPC clusters — Slurm, PBS Pro, LSF, GridEngine on Azure compute.
(Listed under compute.) Scale-out parallel batch processing.
GPU and accelerator VMs — InfiniBand-clustered for distributed training; available in dedicated AI capacity zones.
25 Architectural patterns
Recurring shapes — what good Azure architectures tend to look like.
Hub-and-spoke networking
One hub VNet hosts shared services: Azure Firewall, ExpressRoute / VPN gateway, DNS, Bastion. Workload VNets ("spokes") peer to the hub. All north-south and inter-spoke traffic flows through the hub for inspection. Virtual WAN automates this at global scale.
Landing zone
The Microsoft Cloud Adoption Framework defines a "landing zone" — a pre-built, opinionated foundation: management groups, subscriptions, networking, identity, policy, monitoring. Two flavors: Azure Landing Zones (enterprise-scale) and Sovereign Landing Zones (regulated). Use the official Bicep / Terraform accelerator instead of building from scratch.
Three-tier web app
- Front Door + WAF at the global edge.
- App Service (or Container Apps / AKS) behind a Private Endpoint.
- SQL Database / Cosmos DB behind a Private Endpoint.
- Key Vault for secrets, accessed via Managed Identity.
- App Insights + Log Analytics for telemetry.
Event-driven serverless
Producer (e.g. Blob upload) → Event Grid → Azure Function → Service Bus → downstream worker (Function or Container App). Cosmos DB change feed or Event Hubs for higher volume.
Modern data platform (Fabric)
Sources → Data Factory → OneLake (lakehouse on ADLS) → Synapse Data Engineering (Spark) / Data Warehouse → Power BI semantic models. Governance via Purview.
Production RAG on Azure
- Ingest with Data Factory or Logic Apps; raw to Blob.
- Chunk & embed with AI Search integrated vectorization or a Function calling Azure OpenAI embeddings.
- Index in Azure AI Search (hybrid + semantic ranker) or Cosmos DB vector index.
- Generate via Azure OpenAI gpt-4o with the retrieved context.
- Safety: Content Safety + Prompt Shields + groundedness check on every response.
- Observability: trace prompts, retrievals, tools through App Insights and Foundry's eval.
Production agent on Azure
- AI Foundry Agent Service as the runtime.
- Tools: Logic Apps (workflows), Functions (custom logic), MCP servers, Cosmos DB, AI Search.
- Identity flows from the user via Entra ID (on-behalf-of); managed identities for downstream Azure resources.
- Memory in Cosmos DB (vector + scalar); short-lived state in Redis.
- Policy engine (APIM or custom) gates outbound tool calls.
- Traces to App Insights; evals and red-teaming in Foundry.
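The "policy engine gates outbound tool calls" step above is the point where the agent's identity flow, the tool registry and the trace pipeline meet. The following is an added example, not code from Azure, Foundry or APIM: a small default-deny gate that evaluates each tool call the model proposes against a per-tool policy (required app roles from the on-behalf-of token, an egress host allowlist for URL-taking tools, an argument size cap, and a crude credential detector so context secrets cannot leave through a tool argument) and emits one trace event per decision in the shape you would forward to App Insights. The tool names, roles, hosts and principals are constructed for the demo; in production this logic would live in an APIM policy or a dedicated service in front of the tool endpoints.

```python
"""Policy gate for outbound agent tool calls.

Added example (not Azure's, Foundry's or APIM's code). Tool names, roles,
hosts and principals below are constructed for the demo.
"""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class ToolCall:
    tool: str            # tool name the model asked for
    args: dict           # arguments the model supplied
    principal: str       # user the agent acts for (from the OBO token)
    roles: frozenset     # app roles carried in that token


@dataclass
class ToolPolicy:
    allowed_roles: frozenset                 # any one of these roles unlocks the tool
    allowed_hosts: frozenset = frozenset()   # for URL-taking tools: egress allowlist
    read_only: bool = True                   # side-effecting tools are flagged in the trace
    max_arg_chars: int = 4000                # guard against oversized payloads


# Constructed registry: a tool the agent may reach must appear here (default deny).
POLICIES = {
    "search_docs":  ToolPolicy(allowed_roles=frozenset({"reader", "analyst"})),
    "http_get":     ToolPolicy(allowed_roles=frozenset({"analyst"}),
                               allowed_hosts=frozenset({"api.example.internal"})),
    "run_workflow": ToolPolicy(allowed_roles=frozenset({"operator"}), read_only=False),
}

# Simplistic credential detector: stops the model from pushing secrets it may
# have seen in context out through a tool argument. Tune for your own data.
SECRET_RE = re.compile(
    r"(?i)(api[_-]?key|password|client[_-]?secret|bearer\s+[a-z0-9._~+/=-]+)"
)


@dataclass
class Decision:
    allow: bool
    reason: str
    trace: dict = field(default_factory=dict)   # event you would emit to App Insights


def _decide(call: ToolCall, allow: bool, reason: str) -> Decision:
    policy = POLICIES.get(call.tool)
    trace = {
        "event": "agent.tool_call",
        "principal": call.principal,
        "tool": call.tool,
        "side_effecting": bool(policy and not policy.read_only),
        "allowed": allow,
        "reason": reason,
        "arg_chars": len(json.dumps(call.args, sort_keys=True)),
    }
    return Decision(allow, reason, trace)


def evaluate(call: ToolCall) -> Decision:
    """Default-deny evaluation of one tool call; every branch is traced."""
    policy = POLICIES.get(call.tool)
    serialized = json.dumps(call.args, sort_keys=True)

    if policy is None:
        return _decide(call, False, "unknown tool")
    if not (call.roles & policy.allowed_roles):
        return _decide(call, False, "principal lacks required role")
    if len(serialized) > policy.max_arg_chars:
        return _decide(call, False, "arguments exceed size limit")
    if SECRET_RE.search(serialized):
        return _decide(call, False, "credential-like material in arguments")
    if policy.allowed_hosts:
        url = call.args.get("url")
        if not isinstance(url, str):
            return _decide(call, False, "url argument required")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            return _decide(call, False, "only https egress is permitted")
        if parsed.hostname not in policy.allowed_hosts:
            return _decide(call, False, f"host {parsed.hostname!r} not in allowlist")
    return _decide(call, True, "policy satisfied")


def gate(calls):
    """Run a batch through the gate; returns (allowed calls, audit trail)."""
    allowed, audit = [], []
    for call in calls:
        d = evaluate(call)
        audit.append(d.trace)
        if d.allow:
            allowed.append(call)
    return allowed, audit


if __name__ == "__main__":
    analyst = frozenset({"analyst"})
    demo = [  # constructed calls
        ToolCall("search_docs", {"q": "refund policy"}, "alice@example.test", frozenset({"reader"})),
        ToolCall("http_get", {"url": "https://api.example.internal/orders/1"}, "bob@example.test", analyst),
        ToolCall("http_get", {"url": "https://unapproved.example.net/collect"}, "bob@example.test", analyst),
        ToolCall("run_workflow", {"input": "password=hunter2"}, "carol@example.test", frozenset({"operator"})),
    ]
    _, trail = gate(demo)
    for line in trail:
        print(json.dumps(line))
```

The gate is deliberately evaluated on the caller's identity rather than the agent's: the roles come from the on-behalf-of token, so a user who cannot run a workflow directly cannot run it through the agent either, and the managed identity the tool itself uses downstream never widens that. Denials are traced with the same event shape as allows, which is what makes the App Insights view useful for spotting a model that keeps reaching for tools or hosts it should not.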
26 Pricing & cost optimization
Azure pricing varies by service. The general levers — which apply almost everywhere — are reservations, savings plans, spot, autoscale, right-sizing, and dev/test pricing.
| Lever | Where it applies | Typical savings |
|---|---|---|
| Reserved instances (1y / 3y) | VMs, SQL DB, Cosmos DB, Synapse, Cache for Redis | 40–70% |
| Savings plan for compute | Flexible across VMs / Container Apps / Functions / Spring Apps | ~ same as RI, more flexibility |
| Spot VMs | Interruptible workloads, batch, dev | 60–90% |
| Azure Hybrid Benefit | Bring Windows / SQL / RHEL / SUSE licenses | 30–80% on those SKUs |
| Provisioned Throughput Units | Azure OpenAI high-volume | Predictable cost vs PAYG |
| Batch deployments | Azure OpenAI offline jobs (24h SLA) | ~50% off PAYG |
| Auto-scale + scale-to-zero | App Service, Functions, Container Apps | varies — pay only when used |
| Storage tiering | Blob (Hot → Cool → Cold → Archive) | up to 95% on cold data |
| Right-sizing | Continuous via Advisor recommendations | 10–40% |
| Dev/Test subscription | Visual Studio subscribers | Discounted SKUs and OS licenses |
environment, cost-center, owner, workload. Without tags, Cost Management is useless after a few months.
27 Choosing services
Quick decision aids when faced with multiple services that overlap.
Run my code
- Static site only? → Static Web Apps
- Web app or API? → App Service
- Event-driven, short-lived? → Functions
- Long-running container, scale-to-zero, no Kubernetes? → Container Apps
- Single container, no orchestration? → Container Instances
- Full Kubernetes control? → AKS
- Bring your OS / agents / GPU drivers? → Virtual Machines
Store my data
- Object data (files, blobs)? → Blob Storage
- SMB / NFS file share? → Files (Premium for IOPS, Standard for archive)
- Relational SQL? → SQL Database (most), SQL Managed Instance (lift-and-shift), SQL on VM (full control)
- Postgres / MySQL? → Database for Postgres / MySQL Flexible Server
- Global, low-latency NoSQL? → Cosmos DB
- Cache / session? → Cache for Redis
- Analytics warehouse? → Fabric Data Warehouse / Synapse / Databricks
Build a GenAI app
- Just call OpenAI models? → Azure OpenAI Service
- Build, evaluate, ship a chat / agent? → AI Foundry
- RAG over your documents? → AI Foundry + Azure AI Search (integrated vectorization)
- Tool-using agent? → Foundry Agent Service
- Custom small model on edge? → Phi-4 via Foundry → ONNX Runtime
- Train your own from scratch? → Azure Machine Learning + ND-series GPUs
Connect on-prem to Azure
- Encrypted IP tunnel over internet? → VPN Gateway
- Dedicated low-latency circuit? → ExpressRoute
- Both, multi-region, with SD-WAN? → Virtual WAN
- Manage on-prem servers/K8s/SQL with Azure tools? → Arc
Move data
- Online ETL/ELT with connectors? → Data Factory / Fabric Pipelines
- Streaming? → Event Hubs → Stream Analytics or Fabric Real-Time
- One-time bulk? → AzCopy (online) or Data Box (offline)
- DB migration? → Azure Migrate + Database Migration Service