Azure Solutions Architect — Gotchas, Playbook & WAF

Networking Gotchas

1. VNet Peering Is NOT Transitive

If A↔B and B↔C, A cannot reach C.

2. NSG Evaluation Order

Inbound: Subnet → NIC. Both must allow traffic.

3. GatewaySubnet Naming

Must be exactly GatewaySubnet.

4. AzureFirewallSubnet Size

Minimum /26 required.

5. Service Endpoint vs Private Endpoint

Service Endpoint still uses public endpoint. Private Endpoint = true private access.

6. Private Endpoint DNS

Requires Private DNS Zone + correct resolution setup.

Compute Gotchas

App Service Charges

Billing is for App Service Plan, not the app itself.

Functions Timeout

Consumption plan default 5 minutes.

Container Apps Cold Start

Scale-to-zero causes latency on first request.

Storage Gotchas

• Storage account names must be globally unique
• Soft delete not enabled by default
• Archive tier takes hours to rehydrate
• Access keys = full access

Database Gotchas

• Cosmos DB partition key cannot be changed
• RU/s charged even if unused
• SQL geo-replication has lag
• Redis Basic has no SLA

Security Gotchas

• Conditional Access must be tested in report-only
• Break-glass accounts are mandatory
• WAF Detection mode does NOT block traffic
• Managed Identity has propagation delay

Architecture Playbook

Step 1: Understand Requirements

• Business goals
• Availability, scalability, security
• Cost constraints

Step 2: Choose Architecture Pattern

Pattern	Use Case
Simple Web App	Small apps
Microservices	Complex systems
Event-driven	Async processing

Step 3: Networking

• Hub-spoke design
• Private Endpoints
• Firewall + WAF

Step 4: Compute

• App Service → standard apps
• AKS → microservices
• Functions → serverless

Step 5: Data

• SQL → relational
• Cosmos → NoSQL
• Blob → storage

Well-Architected Framework

1. Reliability

• Availability Zones
• Geo-redundancy
• Retry + circuit breaker

2. Security

• Zero Trust
• Managed Identity
• Private Endpoints

3. Cost Optimization

• Right-sizing
• Reserved Instances
• Auto-scaling

4. Operational Excellence

• IaC (Bicep/Terraform)
• CI/CD pipelines
• Monitoring + alerts

5. Performance Efficiency

• Autoscaling
• Caching (Redis)
• CDN