Azure Solutions Architect — Gotchas, Playbook & WAF

Networking Gotchas

1. VNet Peering Is NOT Transitive

If VNet A is peered with B and B is peered with C, A cannot reach C through B; A needs its own peering (or a hub routing appliance) to reach C.

2. NSG Evaluation Order

Inbound: Subnet NSG → NIC NSG. Outbound: NIC NSG → Subnet NSG. Traffic must be allowed by both; a deny at either layer blocks it.

3. GatewaySubnet Naming

The subnet for a VPN or ExpressRoute gateway must be named exactly GatewaySubnet.

4. Private Endpoint DNS

Name resolution requires a Private DNS Zone linked to the VNet plus an A record for the endpoint's private IP.

Compute Gotchas

App Service Still Charges

Stopping an app does NOT stop billing.

VM Stop Behavior

Portal stop (deallocated) = no compute cost. OS shutdown (still allocated) = still charged.

AKS Cost

The control plane is free; the nodes are billed.

Storage Gotchas

Storage Account Name

Must be globally unique.

Archive Tier

Rehydration from Archive takes hours.

Access Keys

Access keys grant full access to the storage account; avoid them in production.

Database Gotchas

Cosmos DB Partition Key

Cannot be changed after creation.

SQL Geo-Replication

Replication is asynchronous, so a slight lag is possible.

Security Gotchas

Conditional Access

Always test in report-only mode first.

Break Glass Accounts

Maintain 2 emergency admin accounts.

WAF Mode

Detection ≠ Protection: Detection mode only logs. Use Prevention mode.

Architecture Playbook

Step 1: Understand Requirements

Step 2: Choose Pattern

Step 3: Design Components

Azure Well-Architected Framework

1. Reliability

Design for failure and recovery.

2. Security

Zero Trust, least privilege, encryption.

3. Cost Optimization

Right-size, use reserved instances.

4. Operational Excellence

Use IaC, monitoring, automation.

5. Performance Efficiency

Scale out, use caching and CDN.