DevOps help for Cloud Platform Engineers
  • Welcome!
  • Quick Start Guide
  • About Me
  • CV
  • 🧠DevOps & SRE Foundations
    • DevOps Overview
      • Engineering Fundamentals
      • Implementing DevOps Strategy
      • DevOps Readiness Assessment
      • Lifecycle Management
      • The 12 Factor App
      • Design for Self Healing
      • Incident Management Best Practices (2025)
    • SRE Fundamentals
      • Toil Reduction
      • System Simplicity
      • Real-world Scenarios
        • AWS VM Log Monitoring API
    • Agile Development
      • Team Agreements
        • Definition of Done
        • Definition of Ready
        • Team Manifesto
        • Working Agreement
    • Industry Scenarios
      • Finance and Banking
      • Public Sector (UK/EU)
      • Energy Sector Edge Computing
  • DevOps Practices
    • Platform Engineering
    • FinOps
    • Observability
      • Modern Practices
  • 🚀Modern DevOps Practices
    • Infrastructure Testing
    • Modern Development
    • Database DevOps
  • 🛠️Infrastructure as Code (IaC)
    • Terraform
      • Getting Started - Installation and initial setup [BEGINNER]
      • Cloud Integrations - Provider-specific implementations
        • Azure Scenarios
        • AWS Scenarios
        • GCP Scenarios
      • Testing and Validation - Ensuring infrastructure quality
        • Unit Testing
        • Integration Testing
        • End-to-End Testing
        • Terratest Guide
      • Best Practices - Production-ready implementation strategies
        • State Management
        • Security
        • Code Organization
        • Performance
      • Tools & Utilities - Enhancing the Terraform workflow
        • Terraform Docs
        • TFLint
        • Checkov
        • Terrascan
      • CI/CD Integration - Automating infrastructure deployment
        • GitHub Actions - GitHub-based automation workflows
        • Azure Pipelines - Azure DevOps integration
        • GitLab CI - GitLab-based deployment pipelines
    • Bicep
      • Getting Started - First steps with Bicep [BEGINNER]
      • Template Specs
      • Best Practices - Guidelines for effective Bicep implementations
      • Modules - Building reusable components [INTERMEDIATE]
      • Examples - Sample implementations for common scenarios
      • Advanced Features
      • CI/CD Integration - Automating Bicep deployments
        • GitHub Actions
        • Azure Pipelines
  • 💰Cost Management & FinOps
    • Cloud Cost Optimization
  • 🐳Containers & Orchestration
    • Containerization Overview
    • Docker
      • Dockerfile Best Practices
      • Docker Compose
    • Kubernetes
      • CLI Tools - Essential command-line utilities
        • Kubectl
        • Kubens
        • Kubectx
      • Core Concepts
      • Components
      • Best Practices
        • Pod Security
        • Security Monitoring
        • Resource Limits
      • Advanced Features - Beyond the basics [ADVANCED]
        • Service Mesh
        • Ingress Controllers
          • NGINX
          • Traefik
          • Kong
          • Gloo Edge
      • Troubleshooting - Diagnosing and resolving common issues
        • Pod Troubleshooting Commands
      • Enterprise Architecture
      • Health Management
      • Security & Compliance
      • Virtual Clusters
    • OpenShift
  • Service Mesh & Networking
    • Service Mesh Implementation
  • Architecture Patterns
    • Data Mesh
    • Multi-Cloud Networking
    • Disaster Recovery
    • Chaos Engineering
  • Edge Computing
    • Implementation Guide
    • Serverless Edge
    • IoT Edge Patterns
    • Real-Time Processing
    • Edge AI/ML
    • Security Hardening
    • Observability Patterns
    • Network Optimization
    • Storage Patterns
  • 🔄CI/CD & GitOps
    • CI/CD Overview
    • Continuous Integration
    • Continuous Delivery
      • Deployment Strategies
      • Secrets Management
      • Blue-Green Deployments
      • Deployment Metrics
      • Progressive Delivery
      • Release Management for DevOps/SRE (2025)
    • CI/CD Platforms - Tool selection and implementation
      • Azure DevOps
        • Pipelines
          • Stages
          • Jobs
          • Steps
          • Templates - Reusable pipeline components
          • Extends
          • Service Connections - External service authentication
          • Best Practices for 2025
          • Agents and Runners
          • Third-Party Integrations
          • Azure DevOps CLI
        • Boards & Work Items
      • GitHub Actions
      • GitLab
        • GitLab Runner
        • Real-life scenarios
        • Installation guides
        • Pros and Cons
        • Comparison with alternatives
    • GitOps
      • Modern GitOps Practices
      • GitOps Patterns for Multi-Cloud (2025)
      • Flux
        • Overview
        • Progressive Delivery
        • Use GitOps with Flux, GitHub and AKS
  • Source Control
    • Source Control Overview
    • Git Branching Strategies
    • Component Versioning
    • Kubernetes Manifest Versioning
    • GitLab
    • Creating a Fork
    • Naming Branches
    • Pull Requests
    • Integrating LLMs into Source Control Workflows
  • ☁️Cloud Platforms
    • Cloud Strategy
    • Azure
      • Best Practices
      • Landing Zones
      • Services
      • Monitoring
      • Administration Tools - Platform management interfaces
        • Azure PowerShell
        • Azure CLI
      • Tips & Tricks
    • AWS
      • Authentication
      • Best Practices
      • Tips & Tricks
    • Google Cloud
      • Services
    • Private Cloud
  • 🔐Security & Compliance
    • DevSecOps Overview
    • DevSecOps Pipeline Security
    • DevSecOps
      • Real-life Examples
      • Scanning & Protection - Automated security tooling
        • Dependency Scanning
        • Credential Scanning
        • Container Security Scanning
        • Static Code Analysis
          • Best Practices
          • Tool Integration Guide
          • Pipeline Configuration
      • CI/CD Security
      • Secrets Rotation
    • Supply Chain Security
      • SLSA Framework
      • Binary Authorization
      • Artifact Signing
    • Security Best Practices
      • Threat Modeling
      • Kubernetes Security
    • SecOps
    • Zero Trust Model
    • Cloud Compliance
      • ISO/IEC 27001:2022
      • ISO 22301:2019
      • PCI DSS
      • CSA STAR
    • Security Frameworks
    • SIEM and SOAR
  • Security Architecture
    • Zero Trust Implementation
      • Identity Management
      • Network Security
      • Access Control
  • 🔍Observability & Monitoring
    • Observability Fundamentals
    • Logging
    • Metrics
    • Tracing
    • Dashboards
    • SLOs and SLAs
    • Observability as Code
    • Pipeline Observability
  • 🧪Testing Strategies
    • Testing Overview
    • Modern Testing Approaches
    • End-to-End Testing
    • Unit Testing
    • Performance Testing
      • Load Testing
    • Fault Injection Testing
    • Integration Testing
    • Smoke Testing
  • 🤖AI Integration
    • AIops Overview
      • Workflow Automation
      • Predictive Analytics
      • Code Quality
  • 🧠AI & LLM Integration
    • Overview
    • Claude
      • Installation Guide
      • Project Guides
      • MCP Server Setup
      • LLM Comparison
    • Ollama
      • Installation Guide
      • Configuration
      • Models and Fine-tuning
      • DevOps Usage
      • Docker Setup
      • GPU Setup
      • Open WebUI
    • Copilot
      • Installation Guide
      • VS Code Integration
      • CLI Usage
    • Gemini
      • Installation Guides - Platform-specific setup
        • Linux Installation
        • WSL Installation
        • NixOS Installation
      • Gemini 2.5 Features
      • Roles and Agents
      • NotebookML Guide
      • Cloud Infrastructure Deployment
      • Summary
  • 💻Development Environment
    • Tools Overview
    • DevOps Tools
    • Operating Systems - Development platforms
      • NixOS
        • Installation
        • Nix Language Guide
        • DevEnv with Nix
        • Cloud Deployments
      • WSL2
        • Distributions
        • Terminal Setup
    • Editor Environments
    • CLI Tools
      • Azure CLI
      • PowerShell
      • Linux Commands
      • YAML Tools
  • 📚Programming Languages
    • Python
    • Go
    • JavaScript/TypeScript
    • Java
    • Rust
  • 📖Documentation Best Practices
    • Documentation Strategy
    • Project Documentation
    • Release Notes
    • Static Sites
    • Documentation Templates
    • Real-World Examples
  • 📋Reference Materials
    • Glossary
    • Tool Comparison
    • Recommended Reading
    • Troubleshooting Guide
  • Platform Engineering
    • Implementation Guide
  • FinOps
    • Implementation Guide
  • AIOps
    • LLMOps Guide
  • Development Setup
    • Development Setup
Powered by GitBook
On this page
  • Landing Zone Deployment
  • Multi-Region Active-Active Architecture
  • Secure AKS Deployment
  • Azure Front Door with Web Apps
  • Azure Database Deployment
  • Best Practices for Azure Deployments
  • 1. Resource Naming and Tagging
  • 2. Network Security
  • 3. Monitoring and Alerting
  • CI/CD Pipeline Integration
  • Azure DevOps Pipeline
  • Testing and Validation
  • Policy Testing
Edit on GitHub
  1. Infrastructure as Code (IaC)
  2. Terraform
  3. Cloud Integrations - Provider-specific implementations

Azure Scenarios

This guide provides practical deployment scenarios for Azure using Terraform, incorporating modern best practices and patterns.

Landing Zone Deployment

A secure, scalable Azure landing zone implementation:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.75.0"
    }
  }
  backend "azurerm" {}
}

module "landing_zone" {
  source = "./modules/landing-zone"

  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
  location       = var.primary_location

  network_config = {
    hub_vnet_cidr         = "10.0.0.0/16"
    spoke_vnet_cidr       = "10.1.0.0/16"
    enable_vwan           = true
    enable_firewall       = true
    enable_bastion        = true
  }

  security_config = {
    enable_defender         = true
    enable_sentinel        = true
    enable_private_links   = true
    enable_policy         = true
  }

  governance_config = {
    resource_tags = local.common_tags
    enable_cost_management = true
    enable_resource_locks  = true
  }
}

Multi-Region Active-Active Architecture

Deploy highly available services across multiple Azure regions:

locals {
  regions = {
    primary = {
      location = "westeurope"
      cidr     = "10.1.0.0/16"
    }
    secondary = {
      location = "northeurope"
      cidr     = "10.2.0.0/16"
    }
  }
}

module "traffic_manager" {
  source = "./modules/traffic-manager"
  
  profile_name = "app-tm-profile"
  endpoints = [
    {
      name      = "primary"
      target    = module.primary_region.app_service_fqdn
      priority  = 1
    },
    {
      name      = "secondary"
      target    = module.secondary_region.app_service_fqdn
      priority  = 2
    }
  ]
}

module "primary_region" {
  source = "./modules/region"
  
  location = local.regions.primary.location
  vnet_cidr = local.regions.primary.cidr
  
  app_service_config = {
    sku             = "P1v3"
    zone_redundant  = true
    auto_scale      = true
  }
}

module "secondary_region" {
  source = "./modules/region"
  
  location = local.regions.secondary.location
  vnet_cidr = local.regions.secondary.cidr
  
  app_service_config = {
    sku             = "P1v3"
    zone_redundant  = true
    auto_scale      = true
  }
}

Secure AKS Deployment

Deploy a production-ready AKS cluster with security best practices:

module "aks_cluster" {
  source = "./modules/aks"

  cluster_name = "prod-aks"
  location     = var.location
  
  network_config = {
    vnet_cidr              = "10.0.0.0/16"
    pod_cidr               = "10.244.0.0/16"
    service_cidr          = "10.245.0.0/16"
    enable_network_policy = true
  }

  security_config = {
    enable_azure_policy    = true
    enable_pod_security   = true
    enable_workload_identity = true
    enable_defender       = true
  }

  node_pools = {
    system = {
      vm_size    = "Standard_D4s_v5"
      node_count = 3
      zones      = [1, 2, 3]
    }
    user = {
      vm_size    = "Standard_D8s_v5"
      node_count = 5
      zones      = [1, 2, 3]
    }
  }

  addons = {
    azure_policy                     = true
    azure_key_vault_secrets_provider = true
    open_service_mesh               = true
  }
}

# Private ACR with Managed Identity access
module "container_registry" {
  source = "./modules/acr"

  name                = "prodacr"
  sku                = "Premium"
  enable_private_link = true
  allowed_subnets    = [module.aks_cluster.subnet_id]
}

# Key Vault for secrets management
module "key_vault" {
  source = "./modules/key-vault"

  name                = "prod-kv"
  enable_private_link = true
  allowed_subnets    = [module.aks_cluster.subnet_id]
  
  access_policies = {
    aks = {
      object_id = module.aks_cluster.kubelet_identity_object_id
      key_permissions    = ["Get", "List"]
      secret_permissions = ["Get", "List"]
    }
  }
}

Azure Front Door with Web Apps

Deploy globally distributed web applications:

module "front_door" {
  source = "./modules/front-door"

  name = "global-web-app"
  
  frontend_endpoints = {
    default = {
      host_name = "app.example.com"
      waf_policy_id = module.waf_policy.id
    }
  }

  routing_rules = {
    default = {
      accepted_protocols = ["Https"]
      patterns_to_match = ["/*"]
      backend_pool_name = "app-backend"
    }
  }

  backend_pools = {
    app-backend = {
      backends = [
        {
          address = module.webapp_eu.default_site_hostname
          weight  = 100
          enabled = true
        },
        {
          address = module.webapp_us.default_site_hostname
          weight  = 100
          enabled = true
        }
      ]
      health_probe_settings = {
        protocol = "Https"
        path     = "/health"
      }
    }
  }
}

module "waf_policy" {
  source = "./modules/waf-policy"

  name     = "global-waf"
  mode     = "Prevention"
  
  managed_rules = {
    enable_core_ruleset = true
    enable_php_ruleset  = true
  }

  custom_rules = {
    rate_limiting = {
      priority = 1
      rule_type = "RateLimiting"
      match_conditions = {
        match_variables = [{
          variable_name = "RemoteAddr"
        }]
      }
      rate_limit_duration = "MINUTE"
      rate_limit_threshold = 100
    }
  }
}

Azure Database Deployment

Deploy a highly available database with geo-replication:

module "database" {
  source = "./modules/azure-sql"

  name                = "prod-sql"
  location           = var.primary_location
  dr_location        = var.secondary_location
  
  networking = {
    enable_private_endpoint = true
    allowed_subnets        = var.app_subnet_ids
  }

  high_availability = {
    enable_zone_redundancy = true
    enable_geo_replication = true
    failover_group_name   = "prod-sql-fog"
  }

  security = {
    enable_auditing      = true
    enable_threat_detection = true
    enable_data_encryption = true
  }

  performance = {
    sku_name            = "GP_Gen5_8"
    max_size_gb         = 256
    auto_pause_delay    = 60
    min_capacity       = 4
  }

  maintenance = {
    window_start_hour   = 2
    window_duration_hrs = 4
  }
}

Best Practices for Azure Deployments

1. Resource Naming and Tagging

locals {
  required_tags = {
    Environment = var.environment
    Project     = var.project_name
    Owner       = var.team_name
    CostCenter  = var.cost_center
    CreatedBy   = "Terraform"
  }
}

resource "azurerm_resource_group" "example" {
  name     = format("%s-%s-%s-rg", var.prefix, var.environment, var.purpose)
  location = var.location
  tags     = local.required_tags
}

2. Network Security

module "network_security" {
  source = "./modules/network-security"

  resource_group_name = azurerm_resource_group.example.name
  location           = azurerm_resource_group.example.location

  network_watcher_enabled = true
  ddos_protection_enabled = true
  
  flow_logs_enabled = true
  flow_logs_retention = 30

  nsg_rules = {
    deny_all_inbound = {
      priority = 4096
      direction = "Inbound"
      access = "Deny"
      protocol = "*"
      source_port_range = "*"
      destination_port_range = "*"
      source_address_prefix = "*"
      destination_address_prefix = "*"
    }
  }
}

3. Monitoring and Alerting

module "monitoring" {
  source = "./modules/monitoring"

  resource_group_name = azurerm_resource_group.example.name
  location           = azurerm_resource_group.example.location

  log_analytics_workspace = {
    sku                 = "PerGB2018"
    retention_in_days   = 30
  }

  action_groups = {
    critical = {
      short_name = "critical"
      email_receivers = [{
        name = "ops-team"
        email_address = "ops@example.com"
      }]
    }
  }

  metric_alerts = {
    high_cpu = {
      name = "high-cpu-usage"
      description = "Alert when CPU usage is high"
      metric_namespace = "Microsoft.Compute/virtualMachines"
      metric_name = "Percentage CPU"
      aggregation = "Average"
      operator = "GreaterThan"
      threshold = 90
      window_size = "PT5M"
      frequency = "PT1M"
      severity = 1
      action_group_id = module.monitoring.action_group_ids["critical"]
    }
  }
}

CI/CD Pipeline Integration

Azure DevOps Pipeline

trigger:
  branches:
    include:
    - main
  paths:
    include:
    - terraform/**

variables:
  - group: terraform-variables

pool:
  vmImage: 'ubuntu-latest'

stages:
- stage: Validate
  jobs:
  - job: ValidateAndPlan
    steps:
    - task: TerraformInstaller@1
      inputs:
        terraformVersion: 'latest'
    
    - task: TerraformTaskV4@4
      inputs:
        provider: 'azurerm'
        command: 'init'
        backendServiceArm: 'Azure-Service-Connection'
        backendAzureRmResourceGroupName: 'terraform-state-rg'
        backendAzureRmStorageAccountName: 'tfstate'
        backendAzureRmContainerName: 'tfstate'
        backendAzureRmKey: '$(Environment).tfstate'
    
    - task: TerraformTaskV4@4
      inputs:
        provider: 'azurerm'
        command: 'plan'
        environmentServiceNameAzureRM: 'Azure-Service-Connection'

- stage: Apply
  condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
  jobs:
  - job: ApplyChanges
    steps:
    - task: TerraformTaskV4@4
      inputs:
        provider: 'azurerm'
        command: 'apply'
        environmentServiceNameAzureRM: 'Azure-Service-Connection'
        commandOptions: '-auto-approve'

Testing and Validation

Policy Testing

resource "azurerm_policy_definition" "require_tags" {
  name         = "require-resource-tags"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Require specified tags on resources"

  metadata = jsonencode({
    version  = "1.0.0"
    category = "Tags"
  })

  policy_rule = jsonencode({
    if = {
      allOf = [
        {
          field  = "tags['Environment']"
          exists = "false"
        },
        {
          field  = "tags['CostCenter']"
          exists = "false"
        }
      ]
    }
    then = {
      effect = "deny"
    }
  })
}

resource "azurerm_policy_assignment" "require_tags" {
  name                 = "require-resource-tags"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.require_tags.id
  description          = "Requires specified tags on all resources"
  display_name         = "Require Resource Tags"

  parameters = jsonencode({
    tagNames = {
      value = ["Environment", "CostCenter"]
    }
  })
}
PreviousCloud Integrations - Provider-specific implementationsNextAWS Scenarios

Last updated 2 days ago

🛠️