-
Notifications
You must be signed in to change notification settings - Fork 7
Layer Architecture
The az prototype extension organizes all Azure resources and application code into a four-level taxonomy: Layer, Capability, Component, and Resource. This hierarchy drives deployment ordering, agent ownership, and service placement throughout the pipeline.
The canonical source of truth for this taxonomy is azext_prototype/knowledge/taxonomy.yaml. The az prototype validate command checks that stage capability and service component values match this file.
Layer --> Capability --> Component --> Resource
| Level | Description | Example |
|---|---|---|
| Layer | Top-level architectural boundary | infra |
| Capability | Sub-classification within a layer | core-networking |
| Component | Functional role within a capability | api-gateway |
| Resource | Azure resource type or code artifact | Microsoft.ApiManagement/service |
Cross-cutting foundations -- identity and observability.
| Capability | Component | Description |
|---|---|---|
| Identity | managed-identity | User/system-assigned managed identities |
| Observability | log-analytics | Log Analytics workspace |
| application-insights | Application Insights | |
| monitoring | Azure Monitor |
Azure resource provisioning via IaC.
| Capability | Component | Description |
|---|---|---|
| Core Networking | connectivity | VNet, subnets, peering, gateways |
| load-balancing | Load Balancer, App Gateway, Front Door | |
| private-access | Private Endpoints, Private DNS Zones | |
| dns | DNS Zones, DNS records | |
| api-gateway | API Management | |
| Compute | container-hosting | Container Apps, AKS |
| web-hosting | App Service | |
| serverless | Azure Functions | |
| static-hosting | Static Web Apps | |
| Security | secrets-management | Key Vault |
| threat-protection | Azure Defender | |
| identity-protection | Microsoft Sentinel | |
| AI Services | cognitive | Azure OpenAI, Cognitive Services |
| search | Azure AI Search | |
| ml | ML Workspace, AI Foundry | |
| Supporting | container-registry | Azure Container Registry |
| configuration | Azure App Configuration | |
| communication | Communication Services, Notification Hubs |
Databases, storage, and messaging services.
| Capability | Component | Description |
|---|---|---|
| Data Services | relational-db | Azure SQL, PostgreSQL, MySQL |
| nosql-db | Cosmos DB | |
| caching | Azure Cache for Redis | |
| analytics | Databricks, Synapse, Data Factory | |
| Storage Services | blob-storage | Blob containers |
| file-storage | Azure Files, Premium File Shares | |
| data-lake | Data Lake Storage Gen2 | |
| Messaging | message-broker | Service Bus |
| event-streaming | Event Hubs | |
| event-routing | Event Grid | |
| iot-ingestion | IoT Hub |
Application source code with distinct sub-layers.
| Capability | Component | Description |
|---|---|---|
| Presentation | controllers | API controllers (Blazor/MVC server-side) |
| views | UI pages, Razor views, React components | |
| components | Reusable UI components | |
| routing | Client-side routing, navigation | |
| Domain (Business Logic) | services | Business logic service classes |
| entities | Domain models, value objects | |
| validation | Business rule validation | |
| workflows | Workflow orchestration, sagas | |
| Data Access | repositories | Repository pattern implementations |
| orm-adapters | Entity Framework Core, SQLAlchemy, Prisma | |
| query-builders | Custom query builders, specifications | |
| Background | workers | Background hosted services |
| message-handlers | Service Bus / Event Hub consumers | |
| scheduled-tasks | Timer-triggered functions, cron jobs |
Architecture and deployment documentation.
| Capability | Component | Description |
|---|---|---|
| Documentation | architecture-doc | Architecture documentation |
| deployment-guide | Deployment guides and runbooks |
Each layer is owned by a specific architect agent that maintains awareness of all services and patterns within that boundary.
| Layer | Owner Agent | Delegates To |
|---|---|---|
| core | cloud-architect |
terraform-agent, bicep-agent |
| infra | infrastructure-architect |
terraform-agent, bicep-agent |
| data | data-architect |
terraform-agent, bicep-agent |
| app | application-architect |
csharp-developer, python-developer, react-developer |
| docs | doc-agent |
(none) |
The cloud-architect serves as the top-level coordinator across all layers and owns the core cross-cutting layer directly. The security-architect operates as a cross-cutting reviewer across all layers (infra, data, and app) but does not own a layer.
Layers are deployed in a strict dependency order. Each layer's resources may depend on outputs from the previous layer:
core --> infra --> data --> app --> docs
| Order | Layer | Rationale |
|---|---|---|
| 1 | core | Identity and observability must exist before any resources reference them |
| 2 | infra | Networking, compute, and supporting services must be provisioned before data or app layers can use them |
| 3 | data | Databases and storage must exist before application code can connect |
| 4 | app | Application code deploys into infrastructure, connects to data services |
| 5 | docs | Documentation is generated last, referencing the deployed architecture |
Within a layer, stages are further ordered by capability dependencies (e.g., networking before compute, compute before supporting services).
Services are placed into layers and capabilities based on their primary architectural role, not their ARM namespace alone. Key placement decisions:
| Service | Layer | Capability | Component | Rationale |
|---|---|---|---|---|
| Key Vault | infra | security | secrets-management | Infrastructure-level secrets management |
| API Management | infra | core-networking | api-gateway | Network-layer API gateway/routing |
| IoT Hub | data | messaging | iot-ingestion | Data ingestion endpoint |
| Event Grid | data | messaging | event-routing | Event routing between services |
| Service Bus | data | messaging | message-broker | Async message brokering |
| Event Hubs | data | messaging | event-streaming | High-throughput event streaming |
| Cosmos DB | data | data-services | nosql-db | NoSQL database |
| Container Apps | infra | compute | container-hosting | Compute hosting for containers |
| Static Web Apps | infra | compute | static-hosting | Frontend hosting |
Layers communicate through well-defined boundaries:
| From | To | Communication Pattern |
|---|---|---|
| core | infra | Managed identities attached to infrastructure resources |
| infra | data | Private endpoints from VNets to data services; RBAC role assignments |
| data | app | Connection endpoints (not secrets) consumed via environment variables; managed identity for auth |
| app (presentation) | app (domain) | Direct method calls via dependency injection |
| app (domain) | app (data-access) | Repository interfaces; dependency injection |
| app (frontend) | app (backend) | REST API calls with Bearer token (MSAL) |
Cross-layer rules:
- Application code NEVER accesses infrastructure directly (uses SDKs and endpoints)
- Frontend NEVER accesses Azure services directly (uses backend API endpoints)
- All service-to-service authentication uses managed identity
- Data access from the application layer uses managed identity, never connection strings with secrets
The canonical taxonomy definition is in:
azext_prototype/knowledge/taxonomy.yaml
The az prototype validate command validates that all stage capability values and service component values in deployment plans match the entries in this file. Any new service or capability must be added to the taxonomy before it can be used in a build.
See also: Application Architecture for details on the app layer's sub-layer structure, Agent System for the full agent roster and contracts.
Getting Started
Stages
Interfaces
Configuration
Agent System
Features
- Backlog Generation
- Cost Analysis
- Error Analysis
- Docs & Spec Kit
- MCP Integration
- Knowledge System
- Escalation
Quality
Help
Policies — Azure
AI Services
Compute
Data Services
- Azure SQL
- Backup Vault
- Cosmos Db
- Data Factory
- Databricks
- Event Grid
- Event Hubs
- Fabric
- IoT Hub
- Mysql Flexible
- Postgresql Flexible
- Recovery Services
- Redis Cache
- Service Bus
- Stream Analytics
- Synapse Workspace
Identity
Management
Messaging
Monitoring
Networking
- Application Gateway
- Bastion
- CDN
- DDoS Protection
- DNS Zones
- Expressroute
- Firewall
- Load Balancer
- Nat Gateway
- Network Interface
- Private Endpoints
- Public Ip
- Route Tables
- Traffic Manager
- Virtual Network
- Vpn Gateway
- WAF Policy
Security
Storage
Web & App
Policies — Well-Architected
Reliability
Security
Cost Optimization
Operational Excellence
Performance Efficiency
Integration