cloud-solution-architect
par microsoft
Concevez des systèmes cloud de qualité production, bien architecturés, en suivant les meilleures pratiques du centre d'architecture Azure. Cette compétence fournit :
npx skills add https://github.com/microsoft/skills --skill cloud-solution-architectCloud Solution Architect
Overview
Design well-architected, production-grade cloud systems following Azure Architecture Center best practices. This skill provides:
- 10 design principles for Azure applications
- 6 architecture styles with selection guidance
- 44 cloud design patterns mapped to WAF pillars
- Technology choice frameworks for compute, storage, data, messaging
- Performance antipatterns to avoid
- Architecture review workflow for systematic design validation
Ten Design Principles for Azure Applications
| # | Principle | Key Tactics |
|---|---|---|
| 1 | Design for self-healing | Retry with backoff, circuit breaker, bulkhead isolation, health endpoint monitoring, graceful degradation |
| 2 | Make all things redundant | Eliminate single points of failure, use availability zones, deploy multi-region, replicate data |
| 3 | Minimize coordination | Decouple services, use async messaging, embrace eventual consistency, use domain events |
| 4 | Design to scale out | Horizontal scaling, autoscaling rules, stateless services, avoid session stickiness, partition workloads |
| 5 | Partition around limits | Data partitioning (shard/hash/range), respect compute & network limits, use CDNs for static content |
| 6 | Design for operations | Structured logging, distributed tracing, metrics & dashboards, runbook automation, infrastructure as code |
| 7 | Use managed services | Prefer PaaS over IaaS, reduce operational burden, leverage built-in HA/DR/scaling |
| 8 | Use an identity service | Microsoft Entra ID, managed identity, RBAC, avoid storing credentials, zero-trust principles |
| 9 | Design for evolution | Loose coupling, versioned APIs, backward compatibility, async messaging for integration, feature flags |
| 10 | Build for business needs | Define SLAs/SLOs, establish RTO/RPO targets, domain-driven design, cost modeling, composite SLAs |
Architecture Styles
| Style | Description | When to Use | Key Services |
|---|---|---|---|
| N-tier | Horizontal layers (presentation, business, data) | Traditional enterprise apps, lift-and-shift | App Service, SQL Database, VNets |
| Web-Queue-Worker | Web frontend → message queue → backend worker | Moderate-complexity apps with long-running tasks | App Service, Service Bus, Functions |
| Microservices | Small autonomous services, bounded contexts, independent deploy | Complex domains, independent team scaling | AKS, Container Apps, API Management |
| Event-driven | Pub/sub model, event producers/consumers | Real-time processing, IoT, reactive systems | Event Hubs, Event Grid, Functions |
| Big data | Batch + stream processing pipeline | Analytics, ML pipelines, large-scale data | Synapse, Data Factory, Databricks |
| Big compute | HPC, parallel processing | Simulations, modeling, rendering, genomics | Batch, CycleCloud, HPC VMs |
Selection Criteria
- Domain complexity → Microservices (high), N-tier (low-medium)
- Team autonomy → Microservices (independent teams), N-tier (single team)
- Data volume → Big data (TB+), others (GB)
- Latency requirements → Event-driven (real-time), Web-Queue-Worker (tolerant)
Cloud Design Patterns
44 patterns organized by primary concern. WAF pillar mapping: R=Reliability, S=Security, CO=Cost Optimization, OE=Operational Excellence, PE=Performance Efficiency.
Messaging & Communication
| Pattern | Summary | Pillars |
|---|---|---|
| Asynchronous Request-Reply | Decouple request/response with polling or callbacks | R, PE |
| Claim Check | Split large messages; store payload separately, pass reference | R, PE |
| Choreography | Services coordinate via events without central orchestrator | R, OE |
| Competing Consumers | Multiple consumers process messages from shared queue concurrently | R, PE |
| Messaging Bridge | Connect incompatible messaging systems | R, OE |
| Pipes and Filters | Decompose complex processing into reusable filter stages | R, OE |
| Priority Queue | Prioritize requests so higher-priority work is processed first | R, PE |
| Publisher/Subscriber | Decouple senders from receivers via topics/subscriptions | R, PE |
| Queue-Based Load Leveling | Buffer requests with a queue to smooth intermittent loads | R, PE |
| Sequential Convoy | Process related messages in order while allowing parallel groups | R, PE |
Reliability & Resilience
| Pattern | Summary | Pillars |
|---|---|---|
| Bulkhead | Isolate resources per workload to prevent cascading failure | R |
| Circuit Breaker | Stop calling a failing service; fail fast to protect resources | R |
| Compensating Transaction | Undo previously committed steps when a later step fails | R |
| Health Endpoint Monitoring | Expose health checks for load balancers and orchestrators | R, OE |
| Leader Election | Coordinate distributed instances by electing a leader | R |
| Retry | Handle transient faults by retrying with exponential backoff | R |
| Saga | Manage data consistency across microservices with compensating transactions | R |
| Scheduler Agent Supervisor | Coordinate distributed actions with retry and failure handling | R |
Data Management
| Pattern | Summary | Pillars |
|---|---|---|
| Cache-Aside | Load data on demand into cache from data store | PE |
| CQRS | Separate read and write models for independent scaling | PE, R |
| Event Sourcing | Store state as append-only sequence of domain events | R, OE |
| Index Table | Create indexes over frequently queried fields in data stores | PE |
| Materialized View | Pre-compute views over data for efficient queries | PE |
| Sharding | Distribute data across partitions for scale and performance | PE, R |
| Static Content Hosting | Serve static content from cloud storage/CDN directly | PE, CO |
| Valet Key | Grant clients limited direct access to storage resources | S, PE |
Design & Structure
| Pattern | Summary | Pillars |
|---|---|---|
| Ambassador | Offload cross-cutting concerns to a helper sidecar proxy | OE |
| Anti-Corruption Layer | Translate between new and legacy system models | OE, R |
| Backends for Frontends | Create separate backends per frontend type (mobile, web, etc.) | OE, PE |
| Compute Resource Consolidation | Combine multiple workloads into fewer compute instances | CO |
| External Configuration Store | Externalize configuration from deployment packages | OE |
| Sidecar | Deploy helper components alongside the main service | OE |
| Strangler Fig | Incrementally migrate legacy systems by replacing pieces | OE, R |
Security & Access
| Pattern | Summary | Pillars |
|---|---|---|
| Federated Identity | Delegate authentication to an external identity provider | S |
| Gatekeeper | Protect services using a dedicated broker that validates requests | S |
| Quarantine | Isolate and validate external assets before allowing use | S |
| Rate Limiting | Control consumption rate of resources by consumers | R, S |
| Throttling | Control resource consumption to sustain SLAs under load | R, PE |
Deployment & Scaling
| Pattern | Summary | Pillars |
|---|---|---|
| Deployment Stamps | Deploy multiple independent copies of application components | R, PE |
| Edge Workload Configuration | Configure workloads differently across diverse edge devices | OE |
| Gateway Aggregation | Aggregate multiple backend calls into a single client request | PE |
| Gateway Offloading | Offload shared functionality (SSL, auth) to a gateway | OE, S |
| Gateway Routing | Route requests to multiple backends using a single endpoint | OE |
| Geode | Deploy backends to multiple regions for active-active serving | R, PE |
See Design Patterns Reference for detailed implementation guidance.
Technology Choices
Decision Framework
For each technology area, evaluate: requirements → constraints → tradeoffs → select.
| Area | Key Options | Selection Criteria |
|---|---|---|
| Compute | App Service, Functions, Container Apps, AKS, VMs, Batch | Hosting model, scaling, cost, team skills |
| Storage | Blob Storage, Data Lake, Files, Disks, Managed Lustre | Access patterns, throughput, cost tier |
| Data stores | SQL Database, Cosmos DB, PostgreSQL, Redis, Table Storage | Consistency model, query patterns, scale |
| Messaging | Service Bus, Event Hubs, Event Grid, Queue Storage | Ordering, throughput, pub/sub vs queue |
| Networking | Front Door, Application Gateway, Load Balancer, Traffic Manager | Global vs regional, L4 vs L7, WAF |
| AI services | Azure OpenAI, AI Search, AI Foundry, Document Intelligence | Model needs, data grounding, orchestration |
| Containers | Container Apps, AKS, Container Instances | Operational control vs simplicity |
See Technology Choices Reference for detailed decision trees.
Best Practices
| Practice | Key Guidance |
|---|---|
| API design | RESTful conventions, resource-oriented URIs, HATEOAS, versioning via URL path or header |
| API implementation | Async operations, pagination, idempotent PUT/DELETE, content negotiation, ETag caching |
| Autoscaling | Scale on metrics (CPU, queue depth, custom), cool-down periods, predictive scaling, scale-in protection |
| Background jobs | Use queues or scheduled triggers, idempotent processing, poison message handling, graceful shutdown |
| Caching | Cache-aside pattern, TTL policies, cache invalidation strategies, distributed cache for multi-instance |
| CDN | Static asset offloading, cache-busting with versioned URLs, geo-distribution, HTTPS enforcement |
| Data partitioning | Horizontal (sharding), vertical, functional partitioning; partition key selection for even distribution |
| Partitioning strategies | Hash-based, range-based, directory-based; rebalancing approach, cross-partition query avoidance |
| Host name preservation | Preserve original host header through proxies/gateways for cookies, redirects, auth flows |
| Message encoding | Schema evolution (Avro/Protobuf), backward/forward compatibility, schema registry |
| Monitoring & diagnostics | Structured logging, distributed tracing (W3C Trace Context), metrics, alerts, dashboards |
| Transient fault handling | Retry with exponential backoff + jitter, circuit breaker, idempotency keys, timeout budgets |
See Best Practices Reference for implementation details.
Performance Antipatterns
Avoid these common patterns that degrade performance under load:
| Antipattern | Problem | Fix |
|---|---|---|
| Busy Database | Offloading too much processing to the database | Move logic to application tier, use caching |
| Busy Front End | Resource-intensive work on frontend request threads | Offload to background workers/queues |
| Chatty I/O | Many small I/O requests instead of fewer large ones | Batch requests, use bulk APIs, buffer writes |
| Extraneous Fetching | Retrieving more data than needed | Project only required fields, paginate, filter server-side |
| Improper Instantiation | Recreating expensive objects per request | Use singletons, connection pooling, HttpClientFactory |
| Monolithic Persistence | Single data store for all data types | Polyglot persistence — right store for each workload |
| No Caching | Repeatedly fetching unchanged data | Cache-aside pattern, CDN, output caching, Redis |
| Noisy Neighbor | One tenant consuming all shared resources | Bulkhead isolation, per-tenant quotas, throttling |
| Retry Storm | Aggressive retries overwhelming a recovering service | Exponential backoff + jitter, circuit breaker, retry budgets |
| Synchronous I/O | Blocking threads on I/O operations | Async/await, non-blocking I/O, reactive streams |
Mission-Critical Design
For workloads targeting 99.99%+ SLO, address these design areas:
| Design Area | Key Considerations |
|---|---|
| Application platform | Multi-region active-active, availability zones, Container Apps or AKS with zone redundancy |
| Application design | Stateless services, idempotent operations, graceful degradation, bulkhead isolation |
| Networking | Azure Front Door (global LB), DDoS Protection, private endpoints, redundant connectivity |
| Data platform | Multi-region Cosmos DB, zone-redundant SQL, async replication, conflict resolution |
| Deployment & testing | Blue-green deployments, canary releases, chaos engineering, automated rollback |
| Health modeling | Composite health scores, dependency health tracking, automated remediation, SLI dashboards |
| Security | Zero-trust, managed identity everywhere, key rotation, WAF policies, threat modeling |
| Operational procedures | Automated runbooks, incident response playbooks, game days, postmortems |
See Mission-Critical Reference for detailed guidance.
Well-Architected Framework (WAF) Pillars
Every architecture decision should be evaluated against all five pillars:
| Pillar | Focus | Key Questions |
|---|---|---|
| Reliability | Resiliency, availability, disaster recovery | What is the RTO/RPO? How does it handle failures? Is there redundancy? |
| Security | Threat protection, identity, data protection | Is identity managed? Is data encrypted? Are there network controls? |
| Cost Optimization | Cost management, efficiency, right-sizing | Is compute right-sized? Are there reserved instances? Is there waste? |
| Operational Excellence | Monitoring, deployment, automation | Is deployment automated? Is there observability? Are there runbooks? |
| Performance Efficiency | Scaling, load testing, performance targets | Can it scale horizontally? Are there performance baselines? Is caching used? |
WAF Tradeoff Matrix
| Optimizing for... | May impact... |
|---|---|
| Reliability (redundancy) | Cost (more resources) |
| Security (isolation) | Performance (added latency) |
| Cost (consolidation) | Reliability (shared failure domains) |
| Performance (caching) | Cost (cache infrastructure), Reliability (stale data) |
Architecture Review Workflow
When reviewing or designing a system, follow this structured approach:
Step 1: Identify Requirements
Functional: What must the system do?
Non-functional:
- Availability target (e.g., 99.9%, 99.99%)
- Latency requirements (p50, p95, p99)
- Throughput (requests/sec, messages/sec)
- Data residency and compliance
- Recovery targets (RTO, RPO)
- Cost constraints
Step 2: Select Architecture Style
Match requirements to architecture style using the selection criteria table above.
Step 3: Choose Technology Stack
Use the technology choices decision framework. Prefer managed services (PaaS) over IaaS.
Step 4: Apply Design Patterns
Select relevant patterns from the 44 cloud design patterns based on identified concerns.
Step 5: Address Cross-Cutting Concerns
- Identity & access — Microsoft Entra ID, managed identity, RBAC
- Monitoring — Application Insights, Azure Monitor, Log Analytics
- Security — Network segmentation, encryption at rest/in transit, Key Vault
- CI/CD — GitHub Actions, Azure DevOps Pipelines, infrastructure as code
Step 6: Validate Against WAF Pillars
Review each pillar systematically. Document tradeoffs explicitly.
Step 7: Document Decisions
Use Architecture Decision Records (ADRs):
# ADR-NNN: [Decision Title]
## Status: [Proposed | Accepted | Deprecated]
## Context
[What is the issue we're addressing?]
## Decision
[What did we decide and why?]
## Consequences
[What are the positive and negative impacts?]
References
- Design Patterns Reference — Detailed pattern implementations
- Technology Choices Reference — Decision trees for Azure services
- Best Practices Reference — Implementation guidance
- Mission-Critical Reference — High-availability design
Source
Content derived from the Azure Architecture Center — Microsoft's official guidance for cloud solution architecture on Azure. Covers design principles, architecture styles, cloud design patterns, technology choices, best practices, performance antipatterns, mission-critical design, and the Well-Architected Framework.
Plus de skills de microsoft
oss-growth
microsoft
Persona de growth hacker OSS
official
microsoft-foundry
microsoft
Déployer, évaluer et gérer les agents Foundry de bout en bout : build Docker, push ACR, création d’agent hébergé/par prompt, démarrage de conteneur, évaluation par lots, évaluation continue, workflows d’optimisation de prompt, agent.yaml, curation de jeux de données à partir de traces. UTILISER POUR : déployer un agent vers Foundry, agent hébergé, créer un agent, invoquer un agent, évaluer un agent, exécuter une évaluation par lots, évaluation continue, surveillance continue, statut d’évaluation continue, optimiser un prompt, améliorer un prompt, optimiseur de prompt, optimiser les instructions d’un agent, améliorer un agent...
officialdevelopmentdevops
azure-ai
microsoft
Utiliser pour Azure AI : Recherche, Parole, OpenAI, Intelligence documentaire. Aide pour la recherche, la recherche vectorielle/hybride, la reconnaissance vocale, la synthèse vocale, la transcription, l'OCR. QUAND : Recherche AI, recherche par requête, recherche vectorielle, recherche hybride, recherche sémantique, reconnaissance vocale, synthèse vocale, transcrire, OCR, convertir du texte en parole.
officialdevelopmentapi
azure-deploy
microsoft
Exécutez les déploiements Azure pour les applications DÉJÀ PRÉPARÉES disposant de fichiers .azure/deployment-plan.md et d'infrastructure existants. N'utilisez PAS cette compétence lorsque l'utilisateur demande de CRÉER une nouvelle application — utilisez plutôt azure-prepare. Cette compétence exécute les commandes azd up, azd deploy, terraform apply et az deployment avec une récupération d'erreur intégrée. Nécessite .azure/deployment-plan.md de azure-prepare et un état validé de azure-validate. QUAND : "exécuter azd up", "exécuter azd deploy", "exécuter le déploiement",...
officialdevopsaws
azure-storage
microsoft
Services Azure Storage incluant Blob Storage, File Shares, Queue Storage, Table Storage et Data Lake. Répond aux questions sur les niveaux d'accès au stockage (chaud, froid, froid, archive), quand utiliser chaque niveau et comparaison des niveaux. Fournit du stockage d'objets, des partages de fichiers SMB, de la messagerie asynchrone, du NoSQL clé-valeur et de l'analyse de big data. Inclut la gestion du cycle de vie. À UTILISER POUR : stockage blob, partages de fichiers, stockage de files d'attente, stockage de tables, data lake, téléchargement de fichiers, téléchargement de blobs, comptes de stockage, niveaux d'accès,...
officialdevelopmentdatabase
azure-diagnostics
microsoft
Déboguer les problèmes de production Azure à l'aide d'AppLens, Azure Monitor, l'état des ressources et un triage sécurisé. QUAND : déboguer des problèmes de production, résoudre les problèmes d'App Service, CPU élevé d'App Service, échec de déploiement d'App Service, résoudre les problèmes de Container Apps, résoudre les problèmes de Functions, résoudre les problèmes d'AKS, kubectl ne peut pas se connecter, échecs kube-system/CoreDNS, pod en attente, crashloop, nœud non prêt, échecs de mise à niveau, analyser les logs, KQL, insights, échecs de pull d'image, problèmes de démarrage à froid, échecs de sonde de santé,...
officialdevopsdevelopment
azure-prepare
microsoft
Préparer les applications Azure pour le déploiement (infra Bicep/Terraform, azure.yaml, Dockerfiles). Utiliser pour créer/moderniser ou créer+déployer ; pas pour la migration cross-cloud (utiliser azure-cloud-migrate). NE PAS UTILISER POUR : les applications copilot-sdk (utiliser azure-hosted-copilot-sdk). QUAND : "créer une application", "construire une application web", "créer une API", "créer une API HTTP serverless", "créer un frontend", "créer un backend", "construire un service", "moderniser une application", "mettre à jour une application", "ajouter une authentification", "ajouter un cache", "héberger sur Azure", "créer et...
officialdevelopmentdevops
azure-validate
microsoft
Validation pré-déploiement pour la préparation Azure. Effectuez des vérifications approfondies sur la configuration, l'infrastructure (Bicep ou Terraform), les attributions de rôles RBAC, les autorisations d'identité managée et les prérequis avant le déploiement. QUAND : valider mon application, vérifier l'état de préparation au déploiement, exécuter des contrôles préalables, vérifier la configuration, vérifier si prêt à déployer, valider azure.yaml, valider Bicep, tester avant le déploiement, résoudre les erreurs de déploiement, valider Azure Functions, valider l'application de fonction, valider serverless...
officialdevopstesting