The Maps provided in this chapter are available at https://github.com/PacktPublishing/The-Azure-Cloud-Native-Architecture-Mapbook/tree/master/Chapter01.

Before we define what an Azure architect is, let's first define what an architect's role is and how our maps specialize to reflect these different profiles. The word architect is used everywhere on the IT planet. Many organizations have their own expectations when it comes to defining the tasks and duties of an architect. Let's share our own definitions as well as some illustrative diagrams.

Enterprise architects

Enterprise architects oversee the IT and business strategies, and they make sure that every IT initiative is in line with the enterprise business goals. They are directly reporting to the IT leadership and are sometimes scattered across business lines. They are also the guardians of building coherent and consistent overall IT landscapes for their respective companies. Given their broad role, enterprise architects have a helicopter view of the IT landscape, and they are not directly dealing with deep-dive technical topics, nor are they looking in detail at specific solutions or platforms, such as Azure, unless a company would put all its assets in Azure. In terms of modeling, they often rely on the TOGAF (short for The Open Group Architecture Framework) modeling framework and ArchiMate. The typical type of diagrams they deal with looks like the following:

Figure 1.1 – Capability viewpoint: ArchiMate

As you can see, this is very high level and not directly related to any technology or platform. Therefore, this book focusing on Azure is not intended for enterprise architects, but they are, of course, still welcome to read it!

Domain architects

Domain architects own a single domain, such as the cloud. In this case, the cloud is broader than just Azure, as it would probably encompass both public and private cloud providers. Domain architects are tech-savvy, and they define their domain roadmaps while supervising domain-related initiatives. Compared to enterprise architects, their scope is more limited, but it is still too broad to master the bits and bytes of an entire domain. This book, and more particularly our generic maps, will certainly be of great interest for cloud domain architects. Diagram-wise, the domain architects will also rely on TOGAF and other architecture frameworks, but scoped to their domain.

Solution architects

Solution architects help different teams to build solutions. They have T-shaped skills, which means that they are specialists in a given field (the base of the T), but they can also collaborate across disciplines with the other experts (the top of the T). Solution architects are usually in charge of designing solution diagrams, and they tackle non-functional requirements, such as security, performance, and scalability. Their preferred readings will be our chapter dedicated to solution architecture, as well as some reference architectures. Solution architects may build both high-level technology-agnostic, and platform-specific diagrams. Azure solution architects may build reference architectures, such as, for instance, one that we can find on the Azure Architecture Center (https://docs.microsoft.com/en-us/azure/architecture/):

Figure 1.2 – AI at the edge with Azure Stack

The preceding diagram illustrates how to leverage both Azure Stack and Azure, together with artificial intelligence services. Such architectures can be instantiated per asset, but still remain rather high-level. They depict the components and their interactions, and must be completed by the non-functional requirements. We will explore this in more detail in the next chapter.

Data architects

Data architects oversee the entire data landscape. They mostly focus on designing data platforms, for storage, insights, and advanced analytics. They deal with data modeling, data quality, and business intelligence, which consists of extracting valuable insights from the data, in order to realize substantial business benefits. A well-organized data architecture should ultimately deliver the DIKW (Data, Information, Knowledge, Wisdom) pyramid as shown in Figure 1.3:

Figure 1.3 – DIKW pyramid

Organizations have a lot of data, from which they try to extract valuable information, knowledge, and wisdom over time. The more you climb the pyramid, the higher the value. Consider the following scenario to understand the DIKW pyramid:

Figure 1.4 – DIKW pyramid example

Figure 1.4 shows that we start with raw data, which does not really make sense without context. These are just numbers. At the information stage, we understand that 31 stands for a day, 3 is March, and 3,000 is the number of visits. Now, these numbers mean something. The knowledge block is self-explanatory. We have analyzed our data and noticed that year after year, March 31 is a busy day. Thanks to this valuable insight, we can take the wise decision to restock our warehouses up front to make sure we do not run short on goods.

That is, among other things, the work of a data architect to help organizations learn from their data.

Data is the new gold rush, and Azure has a ton of data services as part of its catalog, which we will cover in Chapter 6, Data Architecture.

Technical architects

Technical architects have a deep vertical knowledge of a platform or technology stack, and they have hands-on practical experience. They usually coach developers, IT professionals, and DevOps engineers in the day-to-day implementation of a solution. They contribute to reference architectures by zooming inside some of the high-level components. For instance, if a reference architecture, designed by a solution architect, uses Azure Kubernetes Services (AKS) as part of the diagram, the technical architect might zoom inside the AKS cluster, to bring extra information on the cluster internals and some specific technologies. To illustrate this, Figure 1.5 shows a high-level diagram a solution architect might have done:

Figure 1.5 – Reference architecture example

Figure 1.6 shows the extra contribution of a technical architect:

Figure 1.6 – Reference architecture refined by a technical architect

We see that the reviewed diagram contains precise technologies, such as KEDA (Kubernetes-based Event Driven Autoscaling), and Dapr (Distributed Application Runtime), for both autoscaling and interactions with event and data stores.

The technical architect will mostly be interested in our detailed maps.

Security architects

In this hyper-connected world, the importance of security architecture has grown a lot. Security architects have a vertical knowledge of the security field. They usually deal with regulatory or in-house compliance requirements. The cloud and, more particularly, the public cloud, often emphasizes security concerns (much more than for equivalent on-premises systems and applications). With regard to diagrams, security architects will add a security view (or request one) to the reference solution architectures, such as the following:

Figure 1.7 – Simplified security view example

In the preceding example, the focus is set on pure security concerns: encryption in transit (TLS 1.2) between the browser and the web application firewall (WAF). The WAF enforces a security ruleset to protect against the Open Web Application Security Project (OWASP) top 10 vulnerabilities. The API gateway acts as a policy enforcement point before it forwards the request to the backend service. The backend authenticates to the database using managed service identity (MSI), and the database is encrypted at REST with customer-managed keys. Figure 1.7 clearly emphasizes what security architects are interested in.

However, as we will explore further in Chapter 7, Security Architecture, mastering cloud and cloud-native security is a tough challenge for a traditional (on-premises) security architect. Cloud native's defense in depth primarily relies on identity, while traditional defense in depth relies heavily on the network perimeter. This gap is often a source of tension between the cloud and non-cloud worlds.

Infrastructure architects

Infrastructure architects focus on building IT systems that host applications, or systems that are sometimes shared across workloads. They play a prominent role in setting up hybrid infrastructures, which bridge both the cloud and the on-premises world. Their diagrams reflect an infrastructure-only view, often related to the concept of a landing zone, which consists of defining how and where business assets will be hosted. A typical infrastructure diagram that comes to mind for a hybrid setup is the Hub & Spoke architecture (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke):

Figure 1.8 – Hub and spoke architecture

Figure 1.8 is a simplified view of the hub and spoke, which, in reality, is much more complex than this. We will explore this further in Chapter 3, Infrastructure Design. We will also stress some important aspects related to legacy processes, so as to maximize the chances of a successful cloud journey.

Application architects

Application architects focus on building features that are requested by the business. Unlike other architects, they are not primarily concerned by non-functional requirements. Their role is to enforce industry best practices and coding patterns in order to make maintainable and readable applications. Their primary concerns are to integrate with the various Azure services and SDKs, as well as leverage cloud and cloud-native design patterns that are immensely different from traditional systems. Beyond this book, a good source of information for them is the Microsoft documentation on cloud design patterns (https://docs.microsoft.com/en-us/azure/architecture/patterns/).

What is challenging for application architects is to correctly understand the ecosystem in which the application runs. Today, there is a clear trend that entails breaking the monolith. In other words, we slice the architecture into multiple decoupled pieces, and we end up with a very distributed architecture. In most modern applications, a lot of common duties are offloaded to specialized services, often not so well known by old school application architects. For instance, an API gateway already has built-in policies for API throttling, token validation, and caching. Instead of writing your own plumbing in code to handle this, it is better to offload it. Another attention point for application architects is the horizontal scaling story of the cloud, meaning that applications/services must be multi-instance aware, which is rarely the case with monoliths. We will explore these concerns further in Chapter 5, Application Architecture.

Azure architects

From the top to the bottom of our enumeration, the IT landscape shrinks, from the broadest to the narrowest scope. It would be very surprising to ever meet an Azure enterprise architect. Similarly, it is unlikely that we will stumble upon an Azure domain architect, since the parent domain would rather be the cloud (which is much broader than just Azure).

However, it makes sense to have Azure-focused solution architects, technical architects, and data architects, because they get closer to the actual implementation of a solution or platform. Depending on your interest and background, you might specialize in one or more service models, which are depicted in the following section. Thus, some Azure architects will be interested in specialized maps, and some simply won't be interested, although it is always highly recommended to look at the broader picture.

Architects versus engineers

Before we move on, we need to address the engineer that we all have inside of us! What differentiates architects from engineers is probably the fact that most architects have to deal with the non-functional requirements piece. In contrast, engineers, such as developers and IT professionals, are focused on delivering and maintaining the features and systems requested by the business, which makes them very close to the final solution. Nevertheless, this book also contains some sections that are likely to help engineers build effective solutions.

Now that we are clear with what the role of an architect is all about, it is time to get started with the different service models and acquire the essential vocabulary that every Azure architect should know.

In this section, we will cover the essential basic skills every Azure architect should have. The cloud has different service models, which all serve different purposes. It is very important to understand the advantages and inconveniences of each model, and to get acquainted with the jargon relating to the cloud.

Cloud service models map

Figure 1.9 demonstrates our first map (not counting our sample map), which depicts the different cloud service models and introduces some vocabulary. This map features two additional dimensions (costs and ops) to each service model, as well as some typical use cases:

Figure 1.9 – Cloud service models

In terms of cost models, we see two big trends: consumption and pre-paid compute/plans. The consumption billing model is based on the actual consumption of dynamically allocated resources. Pre-paid plans guarantee a certain compute capacity that is immediately made available to the cloud consumer. In terms of operations, the map highlights what is done by the cloud provider, and what you still have to do yourself. For instance, very low means that you have almost nothing to do yourself. We will now walk through each service model.

IaaS (Infrastructure as a Service)

IaaS is probably the least disruptive model. It is basically the process of renting a data center from a cloud provider. It is business as usual (the most common scenario) in the cloud. IaaS is not the service model of choice to accomplish a digital transformation, but there are a number of scenarios that we can tackle with IaaS:

• The lift-and-shift of existing workloads to the cloud.
• IaaS is a good alternative for smaller companies that do not want to invest in their own data center.
• In the context of a disaster recovery strategy, when adding a cloud-based data center to your existing on-premises servers.
• When you are short on compute in your own data center(s).
• When launching a new geography (for which you do not already have a data center), and to inherit the cloud provider's compatibility with local regulations.
• To speed up the time to market, providing some legacy practices and processes were adjusted upfront to align with the cloud delivery model.

With regard to costs and operations, they are almost equivalent to on-premises, although it is very hard to compare the total cost of ownership (TCO) of IaaS versus on-premises.

Of course, facilities, physical access to the data center, and more are all managed by the cloud provider. It is no longer necessary to buy and manage the hardware and infrastructure software by yourself. However, you should be aware that most companies today have a hybrid strategy, which consists of keeping a certain number of assets on-premises, while gradually expanding their cloud footprint. In this context, IaaS is a required model to some extent, in order to bridge the on-premises and cloud worlds.

PaaS (Platform as a Service)

PaaS is a fully managed service model that helps you build new solutions (or refactor existing ones) much faster. PaaS reuses off-the-shelves services that already come with built-in functionalities and whose underlying infrastructure is fully outsourced to the cloud provider. PaaS is quite disruptive with regard to legacy systems and practices.

Unlike IaaS, in order to make a successful cloud journey, PaaS requires a heavy involvement from all the layers of the company and a top sponsor from the company's leadership. Make no mistake: this is a journey. With PaaS, much of the infrastructure and most operations are delegated to the cloud provider. The multi-tenant offerings are cost-friendly, and you can easily leverage the economies of scale, providing you adopt the PaaS model. PaaS is suitable for many scenarios:

• Green-field projects
• Internet-facing workloads
• The modernization of existing workloads
• API-driven architectures
• A mobile-first user experience
• An anytime-anywhere scenario, and on any device

The preceding list of use cases is not exhaustive, but it should give you an idea of what this service model's value proposition is.

FaaS (Function as a Service)

FaaS is also known as serverless. It emerged rather recently; it started with stateless functions that were executed on shared multi-tenant infrastructures. Nowadays, FaaS expanded to much more than just functions, and it is the most elastic flavor of cloud computing. While the infrastructure is also completely outsourced to the cloud provider, the associated costs are calculated based on the actual resource consumption (unlike PaaS, where the cloud consumer pre-pays a monthly fee based on a pricing tier). FaaS is ideal in numerous scenarios:

• Event-driven architectures: Receive event notifications and trigger activities accordingly. For example, having an Azure function being triggered by the arrival of a blob on Azure Blob Storage, parsing it, and notifying other processes about the current status of activities.
• Messaging: Azure Functions, Logic Apps, and even Event Grid can all be hooked to Azure Service Bus, handle upcoming messages, and, in turn, push their outcomes back to the bus.
• Batch jobs: You might trigger Azure Logic Apps or schedule Azure Functions to perform some jobs.
• Asynchronous scenarios of all kinds
• Unpredictable system resource growth: When you do not know in advance what the usage of your application is, but you do not want to invest too much in the underlying infrastructure, FaaS may help to absorb this sudden resource growth in a costly fashion.

FaaS allows cloud consumers to focus on building their applications without having to worry about system capacity, while still keeping an eye on costs. The price to pay for the flexibility and elasticity of FaaS is usually a little performance overhead that is caused by the dynamic allocation of system resources when needed, as well as less control over the network perimeter. This leads to some headaches for an internal Security Operations Center (SOC), which is the reason why FaaS cannot be used for everything.

CaaS (Containers as a Service)

CaaS is between PaaS and IaaS. Containerization has become mainstream, and cloud providers could not miss that train. CaaS often involves more operations than PaaS. For example, Azure Kubernetes Service (AKS) involves frequent upgrades of the Kubernetes version on both the control plane and the worker nodes. Rebooting OS-patched worker nodes remains the duty of the cloud consumer. We could say that AKS is a semi-managed service as it is less managed than a PaaS or FaaS one, but it is much more managed than a regular IaaS virtual machine.

On the other hand, Web App for Containers is a fully managed service that sits between PaaS and CaaS, from a feature standpoint. Azure Container Instances (ACI) is also fully managed and sits between serverless (the consumption-pricing model) and CaaS. Admittedly, CaaS is probably the hardest model when it comes to evaluating both costs and the level of operations. It is, nevertheless, suitable for the following scenarios:

• Lift-and-shift: During a transition to the cloud, a company might want to simply lift and shift its assets, which means migrating them as containers. Most assets can be packaged as containers without the need to refactor them entirely.
• Cloud-native workloads: By leveraging the latest cutting-edge and top-notch Kubernetes features and add-ons.
• Batch, asynchronous, or compute-intensive tasks through ACIs.
• Portability: CaaS offers a greater portability, and helps to reduce the vendor lock-in risk to some extent.
• Service meshes: Most microservice architectures rely on service meshes. We will cover them in Chapter 3, Infrastructure Design.
• Modern deployment: CaaS uses modern deployment techniques, such as A/B testing, canary releases, and blue-green deployment. These techniques prevent and reduce downtime in general, through self-healing orchestrated containers.

We will explore the CaaS world in Chapter 2, Solution Architecture, and AKS in Chapter 3, Infrastructure Design.

DBaaS (Database as a Service)

DBaaS is a fully managed service model that exposes storage capabilities. Data stores, such as Azure SQL, Cosmos DB, and Storage Accounts, significantly reduce operations, while offering strong high availability and disaster recovery options. Other services, such as Databricks and Data Factory, do not strictly belong to the DBaaS category, but we will combine them for the sake of simplicity. Until very recently, Azure DBaaS was mostly based on pre-paid resource allocation, but Microsoft introduced the serverless model in order to have more elastic databases. DBaaS brings the following benefits:

• A reduced number of operations, since backups are automatically taken by the cloud provider
• Fast processing with Table Storage
• Potentially infinite scalability with Cosmos DB, providing that the proper engineering practices were taken up front
• Cost optimization, when the pricing model is well chosen and fits the scenario

We will explore DBaaS in Chapter 6, Data Architecture.

XaaS or *aaS (Anything as a Service)

Other service models exist, such as IDaaS (Identity as a Service), to such an extent that the acronym XaaS, or *aaS, was born around 2016, to designate all the possible service models. It is important for an Azure architect to grasp these different models, as they serve different purposes, require different skills, and directly impact the cloud journey of a company.

Important note

We do not cover Software as a Service (SaaS) in this book. SaaS is a fully managed business suite of software that often relies on a cloud platform for its underlying infrastructure. SaaS examples include Salesforce and Adobe Creative Cloud, as well as Microsoft's own Office 365, Power BI, and Dynamics 365 (among others).

Now that we reviewed the most important service models, let's dive a little more into the rationale behind our maps.