Azure Infra Engineer Partner

Production-ready agent that handles designing, deploying, and managing Azure infrastructure. Includes structured workflows, validation checks, and reusable patterns for DevOps infrastructure.

By AgentCliptics · Tags: devops, infrastructure · v1.0.0 · MIT

An Azure infrastructure specialist that designs scalable, secure cloud architectures, builds PowerShell-based operational tooling, and ensures deployments follow Azure best practices and the Well-Architected Framework.

When to Use This Agent

Choose Azure Infra Engineer Partner when:

  • Designing Azure resource architectures (VNets, App Services, AKS, SQL)
  • Building PowerShell automation scripts for Azure operations
  • Implementing Azure landing zones and governance policies
  • Setting up monitoring, alerting, and cost management
  • Configuring Azure networking (VNet peering, Private Endpoints, NSGs)

Consider alternatives when:

  • Working with Azure Logic Apps specifically (use Expert Azure Bot)
  • Exporting existing resources to IaC (use Specialist Azure IaC Exporter)
  • Managing Kubernetes workloads (use a Kubernetes specialist)

Quick Start

```yaml
# .claude/agents/azure-infra-engineer-partner.yml
name: Azure Infra Engineer Partner
description: Design and automate Azure infrastructure
model: claude-sonnet
tools:
  - Read
  - Write
  - Edit
  - Bash
  - Glob
  - Grep
```

Example invocation:

```bash
claude "Design an Azure architecture for a multi-region web application with App Service, Azure SQL, Redis Cache, and Front Door with failover"
```

Core Concepts

Azure Architecture Patterns

| Pattern | Components | Use Case |
|---|---|---|
| Web App | App Service + SQL + Storage | Standard web applications |
| Microservices | AKS + Service Bus + CosmosDB | Distributed systems |
| Serverless | Functions + Event Grid + Storage | Event-driven processing |
| Data Platform | Synapse + Data Factory + Data Lake | Analytics workloads |
| Multi-Region | Front Door + Traffic Manager + Geo-replication | High availability |

PowerShell Automation

```powershell
# Azure resource deployment automation
# Requires the Az.Resources, Az.Websites, Az.OperationalInsights and Az.Monitor modules.
function Deploy-WebApplication {
    param(
        [Parameter(Mandatory)]
        [string]$Environment,
        [string]$Location = 'eastus2',
        [string]$ResourceGroupName = "myapp-$Environment-rg"
    )

    # Create resource group (idempotent: -Force updates an existing group)
    New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force

    # Deploy Bicep template with the environment-specific parameter file
    New-AzResourceGroupDeployment `
        -ResourceGroupName $ResourceGroupName `
        -TemplateFile './infra/main.bicep' `
        -TemplateParameterFile "./infra/parameters.$Environment.json" `
        -Verbose

    # Configure diagnostic settings so HTTP and console logs land in the
    # environment's Log Analytics workspace. Assumes one web app and one
    # workspace per resource group; the first match is used for each.
    $webApp = Get-AzWebApp -ResourceGroupName $ResourceGroupName | Select-Object -First 1
    $workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName | Select-Object -First 1

    # Note: Set-AzDiagnosticSetting is the pre-Az.Monitor 3.x cmdlet; on newer
    # module versions port this call to New-AzDiagnosticSetting.
    Set-AzDiagnosticSetting `
        -ResourceId $webApp.Id `
        -WorkspaceId $workspace.ResourceId `
        -Enabled $true `
        -Category @('AppServiceHTTPLogs', 'AppServiceConsoleLogs')
}
```

Networking Architecture

```bicep
// Secure networking with Private Endpoints
param location string = resourceGroup().location
param sqlServerName string

// The SQL logical server is created elsewhere in the template; it is referenced
// here as an existing resource so that sqlServer.id resolves.
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
  name: sqlServerName
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'myapp-vnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.0.0.0/16']
    }
    subnets: [
      {
        // Subnet delegated to App Service for VNet integration
        name: 'app-subnet'
        properties: {
          addressPrefix: '10.0.1.0/24'
          delegations: [{
            name: 'appServiceDelegation'
            properties: {
              serviceName: 'Microsoft.Web/serverFarms'
            }
          }]
        }
      }
      {
        // Subnet hosting the private endpoints; network policies must be
        // disabled for private endpoints to be created here.
        name: 'data-subnet'
        properties: {
          addressPrefix: '10.0.2.0/24'
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
    ]
  }
}

resource sqlPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'sql-pe'
  location: location
  properties: {
    subnet: {
      id: vnet.properties.subnets[1].id // data-subnet
    }
    privateLinkServiceConnections: [{
      name: 'sql-connection'
      properties: {
        privateLinkServiceId: sqlServer.id
        groupIds: ['sqlServer']
      }
    }]
  }
}
```

Configuration

| Parameter | Description | Default |
|---|---|---|
| subscription_type | Azure subscription model (payg, ea, csp) | Auto-detect |
| naming_convention | Resource naming pattern | {app}-{env}-{type}-{region} |
| iac_tool | Infrastructure as Code tool (bicep, terraform, arm) | bicep |
| governance | Governance framework (caf, custom) | caf |
| networking_model | Network topology (hub-spoke, flat, mesh) | hub-spoke |
| monitoring | Monitoring stack (azure-monitor, datadog, custom) | azure-monitor |

Best Practices

  1. Follow the Cloud Adoption Framework naming convention for all resources. Consistent naming like myapp-prod-app-eastus2 makes resources discoverable and manageable. Include: application name, environment, resource type abbreviation, and region. Apply Azure tags for cost center, owner, and environment. Naming conventions prevent the "what is this resource?" problem that plagues large Azure subscriptions.

  2. Use Private Endpoints for all PaaS data services. Azure SQL, Storage, CosmosDB, and Key Vault should be accessible only through private endpoints within your VNet, not through public internet endpoints. This eliminates data exfiltration risk through the public internet. Disable public network access on data services after configuring private endpoints.

  3. Implement Azure Policy for governance guardrails. Policies enforce compliance automatically: deny public IP creation, require encryption at rest, enforce tagging standards, restrict allowed VM sizes. Apply policies at the management group level to cover all subscriptions. Start with audit mode to assess impact, then switch to deny mode after confirming no legitimate resources are blocked.

  4. Design for zone redundancy and multi-region failover. Use Availability Zones for database and compute resources within a region. For critical workloads, deploy to a secondary region with Azure Front Door routing traffic. Configure active-passive with Azure SQL geo-replication and Storage GRS. Test failover procedures quarterly to verify they actually work under real conditions.

  5. Centralize logging in a Log Analytics workspace. Route all diagnostic logs, activity logs, and metrics to a single Log Analytics workspace per environment. This enables cross-resource correlation, unified alerting, and centralized access control. Use diagnostic settings on every resource to forward logs. The cost is proportional to data ingested, so filter out verbose logs that provide no operational value.
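The audit-then-deny rollout from practice 3, applied to the public-endpoint rule from practice 2, as an added PowerShell example that is not part of the agent template: a custom definition assigned at management group scope in Audit mode and later switched to Deny. It assumes Az.Resources (plus Az.PolicyInsights for the compliance query); the management group name mg-platform and the policy names are placeholders.

```powershell
# Added example, not part of the agent template. Custom policy definition that audits, and
# later denies, Azure SQL logical servers whose public network access is not disabled.
# Assumes Az.Resources and a management group named 'mg-platform' (placeholder name).
$mgName  = 'mg-platform'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# The effect is parameterised so one definition serves both the audit and the deny phase.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Sql/servers" },
      { "field": "Microsoft.Sql/servers/publicNetworkAccess", "notEquals": "Disabled" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$parameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'sql-no-public-network-access' `
    -DisplayName 'Azure SQL servers must have public network access disabled' `
    -ManagementGroupName $mgName -Mode 'Indexed' -Policy $rule -Parameter $parameters

# Phase 1: audit only. Existing and new resources are evaluated but nothing is blocked.
New-AzPolicyAssignment -Name 'sql-public-access' -Scope $mgScope `
    -PolicyDefinition $definition -PolicyParameterObject @{ effect = 'Audit' }

# Review the findings (Az.PolicyInsights) before moving on:
#   Get-AzPolicyState -ManagementGroupName $mgName -Filter "ComplianceState eq 'NonCompliant'"

# Phase 2: once no legitimate resource is flagged, switch the same assignment to Deny so
# that any new SQL server with a public endpoint is rejected at deployment time.
Set-AzPolicyAssignment -Name 'sql-public-access' -Scope $mgScope `
    -PolicyParameterObject @{ effect = 'Deny' }
```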

Common Issues

Deployment failures due to Azure resource provider registration. New subscriptions may not have required resource providers registered, causing deployments to fail with "subscription is not registered to use namespace" errors. Register providers before deployment: `az provider register --namespace Microsoft.Sql`. Include provider registration as the first step in deployment scripts, as registration is idempotent and safe to run repeatedly.
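The "register first, then deploy" step as an added PowerShell example that is not part of the agent template. Registration is asynchronous, so the function also waits until each namespace reports Registered before returning; it assumes Az.Resources and an existing Az login, and the namespace list is a constructed default.

```powershell
# Added example, not part of the agent template. Idempotent provider registration to run
# before New-AzResourceGroupDeployment; waits for the asynchronous registration to finish.
function Register-RequiredProviders {
    [CmdletBinding()]
    param(
        # Constructed default: the namespaces the web-app pattern on this page needs.
        [string[]]$Namespaces = @('Microsoft.Sql', 'Microsoft.Web', 'Microsoft.Network', 'Microsoft.OperationalInsights'),
        [int]$TimeoutSeconds = 300
    )

    # Get-AzResourceProvider returns one object per resource type; they share a RegistrationState.
    function Get-State([string]$ns) {
        (Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState | Select-Object -First 1
    }

    foreach ($ns in $Namespaces) {
        $state = Get-State $ns
        if ($state -ne 'Registered') {
            Write-Verbose "Registering $ns (current state: $state)"
            Register-AzResourceProvider -ProviderNamespace $ns | Out-Null   # safe to repeat
        }
    }

    # Poll until every namespace is Registered or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = @($Namespaces | Where-Object { (Get-State $_) -ne 'Registered' })
        if ($pending.Count -gt 0) { Start-Sleep -Seconds 10 }
    } while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

    if ($pending.Count -gt 0) {
        throw "Provider registration timed out for: $($pending -join ', ')"
    }
}

# First step of the deployment script, before any New-AzResourceGroupDeployment call.
Register-RequiredProviders -Verbose
```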

Private Endpoint DNS resolution fails from on-premises or peered networks. Private Endpoints require Private DNS Zones for name resolution. If DNS is not configured correctly, clients resolve the public IP instead of the private IP, bypassing the Private Endpoint. Configure Azure Private DNS Zones and link them to all VNets that need access. For hybrid scenarios, configure conditional forwarders on on-premises DNS servers to forward Azure DNS queries to Azure's DNS resolver.
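The zone wiring and the resolution check this issue calls for, as an added PowerShell example that is not part of the agent template: it links a Private DNS Zone to the sql-pe endpoint from the Bicep snippet above and then verifies that the server's FQDN resolves inside the VNet prefix. It assumes Az.Network and Az.PrivateDns; the resource group, VNet and SQL server names are placeholders, and the check must run from a host inside the VNet.

```powershell
# Added example, not part of the agent template. Creates the Private DNS Zone for the
# 'sql-pe' endpoint from the Bicep snippet, links it to the VNet, and verifies that the
# server's FQDN resolves to a private address. Assumes Az.Network and Az.PrivateDns;
# resource group, VNet and SQL server names are placeholders.
param(
    [string]$ResourceGroupName   = 'myapp-prod-rg',
    [string]$VNetName            = 'myapp-vnet',
    [string]$PrivateEndpointName = 'sql-pe',
    [string]$SqlServerName       = 'myapp-prod-sql'
)
# Zone name is fixed by Azure for the 'sqlServer' groupId.
$zoneName = 'privatelink.database.windows.net'
$fqdn     = "$SqlServerName.database.windows.net"
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName

# 1. Private DNS zone (reuse if it already exists, so the script is safe to re-run).
$zone = Get-AzPrivateDnsZone -ResourceGroupName $ResourceGroupName -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) { $zone = New-AzPrivateDnsZone -ResourceGroupName $ResourceGroupName -Name $zoneName }

# 2. Link the zone to every VNet that must see the private address (here only the app VNet).
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $ResourceGroupName -ZoneName $zoneName `
    -Name "$VNetName-link" -VirtualNetworkId $vnet.Id

# 3. Zone group: Azure maintains the A record for the endpoint's private IP automatically.
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'privatelink-database-windows-net' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $ResourceGroupName -PrivateEndpointName $PrivateEndpointName `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig

# 4. Verify from a host inside the VNet: the answer must fall within the VNet prefix. A public
#    address here means clients are still bypassing the Private Endpoint.
function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    # Network-byte-order address to uint32 (bytes reversed for a little-endian host).
    $toInt = { param($a) [BitConverter]::ToUInt32(([ipaddress]$a).GetAddressBytes()[3..0], 0) }
    $mask  = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}
$answer = ([System.Net.Dns]::GetHostAddresses($fqdn) |
    Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1).ToString()
if (Test-IpInCidr $answer $vnet.AddressSpace.AddressPrefixes[0]) {
    Write-Output "OK: $fqdn resolves to private address $answer"
} else {
    Write-Warning "$fqdn resolves to $answer (public); check zone links and on-prem conditional forwarders"
}
```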

Cost overruns from resources left running in non-production environments. Development and staging environments left running 24/7 accumulate significant costs. Implement auto-shutdown schedules for dev/test VMs, scale down non-production App Service Plans to Free/Basic tiers outside business hours, and use Azure Dev/Test pricing for eligible subscriptions. Set up Azure Cost Management budgets with alerts at 80% and 100% of monthly targets.
