cloud-solution-architect
por microsoft
Diseñe sistemas de nube bien diseñados y de nivel de producción siguiendo las mejores prácticas del Centro de arquitectura de Azure. Esta habilidad proporciona:
npx skills add https://github.com/microsoft/agent-skills --skill cloud-solution-architectCloud Solution Architect
Overview
Design well-architected, production-grade cloud systems following Azure Architecture Center best practices. This skill provides:
- 10 design principles for Azure applications
- 6 architecture styles with selection guidance
- 44 cloud design patterns mapped to WAF pillars
- Technology choice frameworks for compute, storage, data, messaging
- Performance antipatterns to avoid
- Architecture review workflow for systematic design validation
Ten Design Principles for Azure Applications
| # | Principle | Key Tactics |
|---|---|---|
| 1 | Design for self-healing | Retry with backoff, circuit breaker, bulkhead isolation, health endpoint monitoring, graceful degradation |
| 2 | Make all things redundant | Eliminate single points of failure, use availability zones, deploy multi-region, replicate data |
| 3 | Minimize coordination | Decouple services, use async messaging, embrace eventual consistency, use domain events |
| 4 | Design to scale out | Horizontal scaling, autoscaling rules, stateless services, avoid session stickiness, partition workloads |
| 5 | Partition around limits | Data partitioning (shard/hash/range), respect compute & network limits, use CDNs for static content |
| 6 | Design for operations | Structured logging, distributed tracing, metrics & dashboards, runbook automation, infrastructure as code |
| 7 | Use managed services | Prefer PaaS over IaaS, reduce operational burden, leverage built-in HA/DR/scaling |
| 8 | Use an identity service | Microsoft Entra ID, managed identity, RBAC, avoid storing credentials, zero-trust principles |
| 9 | Design for evolution | Loose coupling, versioned APIs, backward compatibility, async messaging for integration, feature flags |
| 10 | Build for business needs | Define SLAs/SLOs, establish RTO/RPO targets, domain-driven design, cost modeling, composite SLAs |
Architecture Styles
| Style | Description | When to Use | Key Services |
|---|---|---|---|
| N-tier | Horizontal layers (presentation, business, data) | Traditional enterprise apps, lift-and-shift | App Service, SQL Database, VNets |
| Web-Queue-Worker | Web frontend → message queue → backend worker | Moderate-complexity apps with long-running tasks | App Service, Service Bus, Functions |
| Microservices | Small autonomous services, bounded contexts, independent deploy | Complex domains, independent team scaling | AKS, Container Apps, API Management |
| Event-driven | Pub/sub model, event producers/consumers | Real-time processing, IoT, reactive systems | Event Hubs, Event Grid, Functions |
| Big data | Batch + stream processing pipeline | Analytics, ML pipelines, large-scale data | Synapse, Data Factory, Databricks |
| Big compute | HPC, parallel processing | Simulations, modeling, rendering, genomics | Batch, CycleCloud, HPC VMs |
Selection Criteria
- Domain complexity → Microservices (high), N-tier (low-medium)
- Team autonomy → Microservices (independent teams), N-tier (single team)
- Data volume → Big data (TB+), others (GB)
- Latency requirements → Event-driven (real-time), Web-Queue-Worker (tolerant)
Cloud Design Patterns
44 patterns organized by primary concern. WAF pillar mapping: R=Reliability, S=Security, CO=Cost Optimization, OE=Operational Excellence, PE=Performance Efficiency.
Messaging & Communication
| Pattern | Summary | Pillars |
|---|---|---|
| Asynchronous Request-Reply | Decouple request/response with polling or callbacks | R, PE |
| Claim Check | Split large messages; store payload separately, pass reference | R, PE |
| Choreography | Services coordinate via events without central orchestrator | R, OE |
| Competing Consumers | Multiple consumers process messages from shared queue concurrently | R, PE |
| Messaging Bridge | Connect incompatible messaging systems | R, OE |
| Pipes and Filters | Decompose complex processing into reusable filter stages | R, OE |
| Priority Queue | Prioritize requests so higher-priority work is processed first | R, PE |
| Publisher/Subscriber | Decouple senders from receivers via topics/subscriptions | R, PE |
| Queue-Based Load Leveling | Buffer requests with a queue to smooth intermittent loads | R, PE |
| Sequential Convoy | Process related messages in order while allowing parallel groups | R, PE |
Reliability & Resilience
| Pattern | Summary | Pillars |
|---|---|---|
| Bulkhead | Isolate resources per workload to prevent cascading failure | R |
| Circuit Breaker | Stop calling a failing service; fail fast to protect resources | R |
| Compensating Transaction | Undo previously committed steps when a later step fails | R |
| Health Endpoint Monitoring | Expose health checks for load balancers and orchestrators | R, OE |
| Leader Election | Coordinate distributed instances by electing a leader | R |
| Retry | Handle transient faults by retrying with exponential backoff | R |
| Saga | Manage data consistency across microservices with compensating transactions | R |
| Scheduler Agent Supervisor | Coordinate distributed actions with retry and failure handling | R |
Data Management
| Pattern | Summary | Pillars |
|---|---|---|
| Cache-Aside | Load data on demand into cache from data store | PE |
| CQRS | Separate read and write models for independent scaling | PE, R |
| Event Sourcing | Store state as append-only sequence of domain events | R, OE |
| Index Table | Create indexes over frequently queried fields in data stores | PE |
| Materialized View | Pre-compute views over data for efficient queries | PE |
| Sharding | Distribute data across partitions for scale and performance | PE, R |
| Static Content Hosting | Serve static content from cloud storage/CDN directly | PE, CO |
| Valet Key | Grant clients limited direct access to storage resources | S, PE |
Design & Structure
| Pattern | Summary | Pillars |
|---|---|---|
| Ambassador | Offload cross-cutting concerns to a helper sidecar proxy | OE |
| Anti-Corruption Layer | Translate between new and legacy system models | OE, R |
| Backends for Frontends | Create separate backends per frontend type (mobile, web, etc.) | OE, PE |
| Compute Resource Consolidation | Combine multiple workloads into fewer compute instances | CO |
| External Configuration Store | Externalize configuration from deployment packages | OE |
| Sidecar | Deploy helper components alongside the main service | OE |
| Strangler Fig | Incrementally migrate legacy systems by replacing pieces | OE, R |
Security & Access
| Pattern | Summary | Pillars |
|---|---|---|
| Federated Identity | Delegate authentication to an external identity provider | S |
| Gatekeeper | Protect services using a dedicated broker that validates requests | S |
| Quarantine | Isolate and validate external assets before allowing use | S |
| Rate Limiting | Control consumption rate of resources by consumers | R, S |
| Throttling | Control resource consumption to sustain SLAs under load | R, PE |
Deployment & Scaling
| Pattern | Summary | Pillars |
|---|---|---|
| Deployment Stamps | Deploy multiple independent copies of application components | R, PE |
| Edge Workload Configuration | Configure workloads differently across diverse edge devices | OE |
| Gateway Aggregation | Aggregate multiple backend calls into a single client request | PE |
| Gateway Offloading | Offload shared functionality (SSL, auth) to a gateway | OE, S |
| Gateway Routing | Route requests to multiple backends using a single endpoint | OE |
| Geode | Deploy backends to multiple regions for active-active serving | R, PE |
See Design Patterns Reference for detailed implementation guidance.
Technology Choices
Decision Framework
For each technology area, evaluate: requirements → constraints → tradeoffs → select.
| Area | Key Options | Selection Criteria |
|---|---|---|
| Compute | App Service, Functions, Container Apps, AKS, VMs, Batch | Hosting model, scaling, cost, team skills |
| Storage | Blob Storage, Data Lake, Files, Disks, Managed Lustre | Access patterns, throughput, cost tier |
| Data stores | SQL Database, Cosmos DB, PostgreSQL, Redis, Table Storage | Consistency model, query patterns, scale |
| Messaging | Service Bus, Event Hubs, Event Grid, Queue Storage | Ordering, throughput, pub/sub vs queue |
| Networking | Front Door, Application Gateway, Load Balancer, Traffic Manager | Global vs regional, L4 vs L7, WAF |
| AI services | Azure OpenAI, AI Search, AI Foundry, Document Intelligence | Model needs, data grounding, orchestration |
| Containers | Container Apps, AKS, Container Instances | Operational control vs simplicity |
See Technology Choices Reference for detailed decision trees.
Best Practices
| Practice | Key Guidance |
|---|---|
| API design | RESTful conventions, resource-oriented URIs, HATEOAS, versioning via URL path or header |
| API implementation | Async operations, pagination, idempotent PUT/DELETE, content negotiation, ETag caching |
| Autoscaling | Scale on metrics (CPU, queue depth, custom), cool-down periods, predictive scaling, scale-in protection |
| Background jobs | Use queues or scheduled triggers, idempotent processing, poison message handling, graceful shutdown |
| Caching | Cache-aside pattern, TTL policies, cache invalidation strategies, distributed cache for multi-instance |
| CDN | Static asset offloading, cache-busting with versioned URLs, geo-distribution, HTTPS enforcement |
| Data partitioning | Horizontal (sharding), vertical, functional partitioning; partition key selection for even distribution |
| Partitioning strategies | Hash-based, range-based, directory-based; rebalancing approach, cross-partition query avoidance |
| Host name preservation | Preserve original host header through proxies/gateways for cookies, redirects, auth flows |
| Message encoding | Schema evolution (Avro/Protobuf), backward/forward compatibility, schema registry |
| Monitoring & diagnostics | Structured logging, distributed tracing (W3C Trace Context), metrics, alerts, dashboards |
| Transient fault handling | Retry with exponential backoff + jitter, circuit breaker, idempotency keys, timeout budgets |
See Best Practices Reference for implementation details.
Performance Antipatterns
Avoid these common patterns that degrade performance under load:
| Antipattern | Problem | Fix |
|---|---|---|
| Busy Database | Offloading too much processing to the database | Move logic to application tier, use caching |
| Busy Front End | Resource-intensive work on frontend request threads | Offload to background workers/queues |
| Chatty I/O | Many small I/O requests instead of fewer large ones | Batch requests, use bulk APIs, buffer writes |
| Extraneous Fetching | Retrieving more data than needed | Project only required fields, paginate, filter server-side |
| Improper Instantiation | Recreating expensive objects per request | Use singletons, connection pooling, HttpClientFactory |
| Monolithic Persistence | Single data store for all data types | Polyglot persistence — right store for each workload |
| No Caching | Repeatedly fetching unchanged data | Cache-aside pattern, CDN, output caching, Redis |
| Noisy Neighbor | One tenant consuming all shared resources | Bulkhead isolation, per-tenant quotas, throttling |
| Retry Storm | Aggressive retries overwhelming a recovering service | Exponential backoff + jitter, circuit breaker, retry budgets |
| Synchronous I/O | Blocking threads on I/O operations | Async/await, non-blocking I/O, reactive streams |
Mission-Critical Design
For workloads targeting 99.99%+ SLO, address these design areas:
| Design Area | Key Considerations |
|---|---|
| Application platform | Multi-region active-active, availability zones, Container Apps or AKS with zone redundancy |
| Application design | Stateless services, idempotent operations, graceful degradation, bulkhead isolation |
| Networking | Azure Front Door (global LB), DDoS Protection, private endpoints, redundant connectivity |
| Data platform | Multi-region Cosmos DB, zone-redundant SQL, async replication, conflict resolution |
| Deployment & testing | Blue-green deployments, canary releases, chaos engineering, automated rollback |
| Health modeling | Composite health scores, dependency health tracking, automated remediation, SLI dashboards |
| Security | Zero-trust, managed identity everywhere, key rotation, WAF policies, threat modeling |
| Operational procedures | Automated runbooks, incident response playbooks, game days, postmortems |
See Mission-Critical Reference for detailed guidance.
Well-Architected Framework (WAF) Pillars
Every architecture decision should be evaluated against all five pillars:
| Pillar | Focus | Key Questions |
|---|---|---|
| Reliability | Resiliency, availability, disaster recovery | What is the RTO/RPO? How does it handle failures? Is there redundancy? |
| Security | Threat protection, identity, data protection | Is identity managed? Is data encrypted? Are there network controls? |
| Cost Optimization | Cost management, efficiency, right-sizing | Is compute right-sized? Are there reserved instances? Is there waste? |
| Operational Excellence | Monitoring, deployment, automation | Is deployment automated? Is there observability? Are there runbooks? |
| Performance Efficiency | Scaling, load testing, performance targets | Can it scale horizontally? Are there performance baselines? Is caching used? |
WAF Tradeoff Matrix
| Optimizing for... | May impact... |
|---|---|
| Reliability (redundancy) | Cost (more resources) |
| Security (isolation) | Performance (added latency) |
| Cost (consolidation) | Reliability (shared failure domains) |
| Performance (caching) | Cost (cache infrastructure), Reliability (stale data) |
Architecture Review Workflow
When reviewing or designing a system, follow this structured approach:
Step 1: Identify Requirements
Functional: What must the system do?
Non-functional:
- Availability target (e.g., 99.9%, 99.99%)
- Latency requirements (p50, p95, p99)
- Throughput (requests/sec, messages/sec)
- Data residency and compliance
- Recovery targets (RTO, RPO)
- Cost constraints
Step 2: Select Architecture Style
Match requirements to architecture style using the selection criteria table above.
Step 3: Choose Technology Stack
Use the technology choices decision framework. Prefer managed services (PaaS) over IaaS.
Step 4: Apply Design Patterns
Select relevant patterns from the 44 cloud design patterns based on identified concerns.
Step 5: Address Cross-Cutting Concerns
- Identity & access — Microsoft Entra ID, managed identity, RBAC
- Monitoring — Application Insights, Azure Monitor, Log Analytics
- Security — Network segmentation, encryption at rest/in transit, Key Vault
- CI/CD — GitHub Actions, Azure DevOps Pipelines, infrastructure as code
Step 6: Validate Against WAF Pillars
Review each pillar systematically. Document tradeoffs explicitly.
Step 7: Document Decisions
Use Architecture Decision Records (ADRs):
# ADR-NNN: [Decision Title]
## Status: [Proposed | Accepted | Deprecated]
## Context
[What is the issue we're addressing?]
## Decision
[What did we decide and why?]
## Consequences
[What are the positive and negative impacts?]
References
- Design Patterns Reference — Detailed pattern implementations
- Technology Choices Reference — Decision trees for Azure services
- Best Practices Reference — Implementation guidance
- Mission-Critical Reference — High-availability design
Source
Content derived from the Azure Architecture Center — Microsoft's official guidance for cloud solution architecture on Azure. Covers design principles, architecture styles, cloud design patterns, technology choices, best practices, performance antipatterns, mission-critical design, and the Well-Architected Framework.
Más skills de microsoft
oss-growth
microsoft
Persona de growth hacker de OSS
official
microsoft-foundry
microsoft
Implementar, evaluar y gestionar agentes de Foundry de extremo a extremo: compilación de Docker, envío a ACR, creación de agente alojado/de prompt, inicio de contenedor, evaluación por lotes, evaluación continua, flujos de trabajo del optimizador de prompts, agent.yaml, curación de conjuntos de datos a partir de trazas. USAR PARA: implementar agente en Foundry, agente alojado, crear agente, invocar agente, evaluar agente, ejecutar evaluación por lotes, evaluación continua, monitoreo continuo, estado de evaluación continua, optimizar prompt, mejorar prompt, optimizador de prompts, optimizar instrucciones del agente, mejorar agente...
officialdevelopmentdevops
azure-ai
microsoft
Útil para Azure AI: Search, Speech, OpenAI, Document Intelligence. Ayuda con búsqueda, búsqueda vectorial/híbrida, voz a texto, texto a voz, transcripción, OCR. CUANDO: AI Search, búsqueda de consultas, búsqueda vectorial, búsqueda híbrida, búsqueda semántica, voz a texto, texto a voz, transcribir, OCR, convertir texto a voz.
officialdevelopmentapi
azure-deploy
microsoft
Ejecuta despliegues en Azure para aplicaciones YA PREPARADAS que tengan archivos .azure/deployment-plan.md e infraestructura existentes. NO uses esta habilidad cuando el usuario solicite CREAR una nueva aplicación — usa azure-prepare en su lugar. Esta habilidad ejecuta comandos azd up, azd deploy, terraform apply y az deployment con recuperación de errores integrada. Requiere .azure/deployment-plan.md de azure-prepare y estado validado de azure-validate. CUANDO: "ejecutar azd up", "ejecutar azd deploy", "ejecutar despliegue",...
officialdevopsaws
azure-storage
microsoft
Servicios de Azure Storage que incluyen Blob Storage, File Shares, Queue Storage, Table Storage y Data Lake. Responde preguntas sobre niveles de acceso de almacenamiento (hot, cool, cold, archive), cuándo usar cada nivel y comparación entre niveles. Proporciona almacenamiento de objetos, recursos compartidos de archivos SMB, mensajería asíncrona, NoSQL clave-valor y análisis de big data. Incluye gestión del ciclo de vida. USAR PARA: blob storage, file shares, queue storage, table storage, data lake, subir archivos, descargar blobs, cuentas de almacenamiento, niveles de acceso,...
officialdevelopmentdatabase
azure-diagnostics
microsoft
Depura problemas de producción en Azure usando AppLens, Azure Monitor, estado de recursos y triaje seguro. CUANDO: depurar problemas de producción, solucionar problemas de App Service, CPU alta en App Service, fallo de implementación de App Service, solucionar problemas de Container Apps, solucionar problemas de Functions, solucionar problemas de AKS, kubectl no puede conectar, fallos de kube-system/CoreDNS, pod pendiente, crashloop, nodo no listo, fallos de actualización, analizar registros, KQL, información, fallos de extracción de imágenes, problemas de arranque en frío, fallos de sondeo de estado,...
officialdevopsdevelopment
azure-prepare
microsoft
Prepara aplicaciones de Azure para el despliegue (infra Bicep/Terraform, azure.yaml, Dockerfiles). Úselo para crear/modernizar o crear+desplegar; no para migración entre nubes (use azure-cloud-migrate). NO USAR PARA: aplicaciones copilot-sdk (use azure-hosted-copilot-sdk). CUANDO: "crear aplicación", "construir aplicación web", "crear API", "crear API HTTP sin servidor", "crear frontend", "crear backend", "construir un servicio", "modernizar aplicación", "actualizar aplicación", "agregar autenticación", "agregar almacenamiento en caché", "alojar en Azure", "crear y...
officialdevelopmentdevops
azure-validate
microsoft
Validación previa al despliegue para la preparación en Azure. Realiza verificaciones exhaustivas de configuración, infraestructura (Bicep o Terraform), asignaciones de roles RBAC, permisos de identidad administrada y requisitos previos antes de desplegar. CUÁNDO: validar mi aplicación, verificar preparación para el despliegue, ejecutar comprobaciones previas, verificar configuración, comprobar si está listo para desplegar, validar azure.yaml, validar Bicep, probar antes de desplegar, solucionar errores de despliegue, validar Azure Functions, validar aplicación de funciones, validar serverless...
officialdevopstesting