Azure Architecture Reference
One-Pager · 12 Services
Azure Security
Every Azure security service on one page — identity, network security, threat protection, and information protection. A quick reference for architects building secure environments.
Identity & Access
Microsoft Entra ID
Cloud identity platform. SSO, MFA, Conditional Access, PIM. Foundation for zero trust. Formerly Azure Active Directory.
Identity platform · Zero trust · SSO / MFA · Conditional Access
Key Vault
Centralized secrets, keys, and certificate management. HSM-backed. RBAC and access policies. Integrates with App Service, AKS, VMs, DevOps pipelines.
Secrets mgmt · Certificates · HSM-backed · RBAC
Managed Identities
Automatic credential management for Azure resources. No secrets in code. System-assigned or user-assigned. Works with any Entra ID-compatible service.
No credentials · Auto-managed · System/user assigned · Best practice
Network Security
Azure Firewall
Managed stateful firewall. FQDN filtering, threat intelligence feed, TLS inspection (Premium). Integrates with Firewall Manager for multi-hub policies.
Network FW · FQDN filtering · Threat intel · TLS inspection
Web Application Firewall
Protects web apps against OWASP Top 10 risks and bot attacks, with support for custom rules. Deployed on Application Gateway, Front Door, or CDN.
Web protection · OWASP top 10 · Bot protection · Custom rules
DDoS Protection
Always-on volumetric attack mitigation. Adaptive tuning, rapid response team, cost guarantee. Standard tier includes metrics and alerting.
DDoS defense · Always-on · Cost protect · Adaptive tuning
Private Link
Access PaaS services over private endpoints inside your VNet. No public internet exposure. Traffic stays on the Microsoft backbone.
Private PaaS · No exposure · VNet native · Backbone only
Threat Protection
Microsoft Defender for Cloud
CSPM and CWPP in one. Secure Score, regulatory compliance dashboards, workload protection for VMs, containers, SQL, storage, and more.
CSPM / CWPP · Secure Score · Compliance · Workload protect
Microsoft Sentinel
Cloud-native SIEM and SOAR. Collects data at cloud scale, AI-driven detection, automated playbooks. Data connectors for 100+ sources.
SIEM / SOAR · AI detection · Playbooks · 100+ connectors
Defender for Endpoint
Endpoint detection and response (EDR). Threat and vulnerability management, attack surface reduction, automated investigation. Cross-platform.
EDR · Vuln mgmt · Auto investigation · Cross-platform
Information Protection
Microsoft Purview
Data governance across on-premises, multi-cloud, and SaaS. Data catalog, classification, lineage, and sensitivity labels. Unified data map.
Data governance · Classification · Lineage · Sensitivity labels
Azure Information Protection
Classify and protect documents and emails with labels. Encryption, visual markings, and access controls that travel with the data.
Doc protection · Labels · Encryption · Rights mgmt
Quick Comparison — Threat Protection
Service | Scope | Detection | Response | Best For
Defender for Cloud | Azure workloads | Secure Score, alerts | Recommendations | Posture management, compliance
Sentinel | Enterprise-wide | AI analytics, KQL | SOAR playbooks | SIEM, incident response
Defender for Endpoint | Endpoints | Behavioral, ML | Auto investigation | EDR, vulnerability mgmt