Advisor Azure Champion

A comprehensive Azure cloud development agent that guides you through building, deploying, and managing applications on the Azure platform, covering compute, storage, networking, security, and DevOps best practices.

When to Use This Agent

Choose Advisor Azure Champion when:

• Getting started with Azure development and need guidance across services
• Building cloud-native applications using Azure PaaS services
• Making service selection decisions (which Azure service for which use case)
• Implementing Azure security, monitoring, and cost optimization
• Solving cross-cutting Azure concerns (identity, networking, governance)

Consider alternatives when:

• Working exclusively with Azure Logic Apps (use Azure Logic Apps Guru)
• Designing multi-tenant SaaS architecture (use Azure SaaS Consultant)
• Writing Bicep IaC templates (use Expert Bicep Implement)

Quick Start

Copy
# .claude/agents/advisor-azure-champion.yml
name: Advisor Azure Champion
description: Comprehensive Azure cloud development guidance
model: claude-sonnet
tools:
  - Read
  - Write
  - Edit
  - Bash
  - Glob
  - Grep
  - WebSearch

Example invocation:

claude "Help me choose the right Azure services for a real-time data processing pipeline that ingests IoT sensor data, processes it, and displays dashboards"

Core Concepts

Azure Service Selection Guide

Use Case	Service	Alternative	Choose When
Web apps	App Service	Container Apps	Need managed platform, custom domains
Containers	AKS	Container Apps	Need full K8s control, complex orchestration
Serverless	Functions	Logic Apps	Event-driven, short-lived compute
SQL Database	Azure SQL	CosmosDB	Relational data, ACID transactions
NoSQL	CosmosDB	Table Storage	Global distribution, multi-model
Caching	Redis Cache	-	Session state, query caching
Messaging	Service Bus	Event Hub	Enterprise messaging, queues, topics
Streaming	Event Hubs	IoT Hub	High-throughput event ingestion
Storage	Blob Storage	Data Lake	Unstructured data, files, backups
CDN	Front Door	CDN	Global routing, WAF, SSL

Azure Development Patterns

Copy
// Azure SDK — Best practices pattern
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Security.KeyVault.Secrets;

// Use DefaultAzureCredential for local + cloud auth
var credential = new DefaultAzureCredential();

// Key Vault for secrets
var secretClient = new SecretClient(
    new Uri("https://myvault.vault.azure.net/"),
    credential
);
var dbConnectionString = (await secretClient.GetSecretAsync("DbConnection")).Value.Value;

// Blob Storage with retry policy
var blobServiceClient = new BlobServiceClient(
    new Uri("https://mystorage.blob.core.windows.net/"),
    credential,
    new BlobClientOptions
    {
        Retry = {
            MaxRetries = 3,
            Delay = TimeSpan.FromSeconds(1),
            Mode = Azure.Core.RetryMode.Exponential
        }
    }
);

Cost Management Strategy

Copy
## Azure Cost Optimization Checklist

### Compute
- [ ] Right-size VMs based on actual utilization (<40% CPU = over-provisioned)
- [ ] Use Reserved Instances for stable workloads (1yr: 30%, 3yr: 60% savings)
- [ ] Auto-scale App Service plans based on traffic patterns
- [ ] Shut down dev/test environments outside business hours

### Storage
- [ ] Implement lifecycle policies (Hot → Cool → Archive)
- [ ] Delete orphaned disks and snapshots
- [ ] Use appropriate redundancy (LRS for dev, GRS for prod)

### Database
- [ ] Use serverless tier for intermittent workloads
- [ ] Elastic Pools for multiple databases with varying loads
- [ ] Review DTU/vCore utilization and downsize where possible

### Networking
- [ ] Use Private Endpoints instead of VPN Gateway where possible
- [ ] Monitor bandwidth charges across regions

Configuration

Parameter	Description	Default
subscription_type	Azure subscription (payg, ea, csp, dev-test)	Auto-detect
preferred_region	Primary Azure region	eastus2
development_language	Primary development language	Auto-detect
iac_tool	Infrastructure tool (bicep, terraform, pulumi)	bicep
security_baseline	Security standard (cis, azure-benchmark)	azure-benchmark
cost_sensitivity	Cost priority (low, medium, high)	medium

Best Practices

1. Use Managed Identity and DefaultAzureCredential everywhere. Stop storing connection strings and API keys in configuration. Managed Identity provides automatic, rotation-free authentication to Azure services. DefaultAzureCredential from the Azure SDK works transparently in local development (using Azure CLI auth), in CI/CD (using service principals), and in production (using managed identity). One credential class for all environments.

2. Choose PaaS over IaaS unless you have a specific reason not to. App Service, Azure SQL, and CosmosDB handle patching, scaling, and availability automatically. VMs require you to manage OS updates, security patches, monitoring agents, and backup configuration. Every VM is a maintenance liability. Use IaaS only when PaaS cannot meet a specific requirement (custom OS, specific network configuration, legacy software).

3. Implement Azure Policy for preventive governance. Do not rely on reviews and audits to catch misconfiguration — prevent it. Policies that deny public IP creation on databases, require encryption at rest, enforce tagging standards, and restrict resource types to approved services prevent mistakes before they reach production. Start with audit mode, review findings, then switch to deny mode.

4. Design for regional resilience from the architecture phase. Add a secondary region to your architecture design before the first deployment, even if you do not activate it immediately. Configure geo-redundant storage, database geo-replication, and multi-region DNS routing. Activating a pre-designed secondary region takes hours. Designing one from scratch during an outage takes days.

5. Centralize identity with Azure AD (Entra ID) and role-based access control. Use Azure AD for both user authentication and service-to-service authorization. Assign Azure RBAC roles at the narrowest scope possible (resource level, not subscription level). Use Privileged Identity Management for just-in-time access to sensitive resources. Centralized identity eliminates the scattered credential management that causes security incidents.

Common Issues

Azure costs exceed expectations due to hidden charges. Common surprise costs: outbound data transfer between regions, premium storage transactions, Log Analytics data ingestion, and IP address charges for unused public IPs. Review the Azure pricing calculator before deploying, set up Cost Management budgets with alerts, and review the cost analysis dashboard weekly during the first month of any new deployment.

Applications fail in production because they were tested only with local emulators. Azure Storage Emulator and CosmosDB Emulator do not perfectly replicate the behavior of real Azure services, especially around throttling, consistency, and authentication. Test against real Azure services in a dev/test subscription with the same configuration as production. Use Azure Dev/Test pricing (up to 80% discount) to reduce the cost of realistic testing environments.

Network configuration blocks traffic between Azure services. Private Endpoints, NSG rules, and VNet service endpoints create complex networking that is easy to misconfigure. A common failure: App Service deployed with VNet integration cannot reach a database with a private endpoint because the DNS resolution is not configured or the NSG blocks the traffic. Test connectivity with az network watcher tools and document the expected traffic flow with a network diagram.