Azure control plane and data plane
Azure operations can be divided into two categories - control plane and data plane. This article describes the differences between those two types of operations.
You use the control plane to manage resources in your subscription. You use the data plane to use capabilities exposed by your instance of a resource type.
You create a virtual machine through the control plane. After the virtual machine is created, you interact with it through data plane operations, such as Remote Desktop Protocol (RDP).
You create a storage account through the control plane. You use the data plane to read and write data in the storage account.
You create an Azure Cosmos DB database through the control plane. To query data in the Azure Cosmos DB database, you use the data plane.
All requests for control plane operations are sent to the Azure Resource Manager URL. That URL varies by the Azure environment.
- For Azure global, the URL is
- For Azure Government, the URL is
- For Azure Germany, the URL is
- For Microsoft Azure operated by 21Vianet, the URL is
Azure Resource Manager handles all control plane requests. It automatically applies the Azure features you've implemented to manage your resources, such as:
After authenticating the request, Azure Resource Manager sends it to the resource provider, which completes the operation. Even during periods of unavailability for the control plane, you can still access the data plane of your Azure resources. For instance, you can continue to access and operate on data in your storage account resource via its separate storage URI https://myaccount.blob.core.windows.net even when https://management.azure.com is not available.
The control plane includes two scenarios for handling requests - "green field" and "brown field". Green field refers to new resources. Brown field refers to existing resources. As you deploy resources, Azure Resource Manager understands when to create new resources and when to update existing resources. You don't have to worry that identical resources will be created.
Requests for data plane operations are sent to an endpoint that's specific to your instance. For example, the Detect Language operation in Azure AI services is a data plane operation because the request URL is:
Data plane operations aren't limited to REST API. They may require other credentials, such as those used to log in to a virtual machine or database server.
Features that enforce management and governance might not apply to data plane operations. You need to consider the different ways users interact with your solutions. For example, a lock that prevents users from deleting a database doesn't prevent users from deleting data through queries.
You can use some policies to govern data plane operations. For more information, see Resource Provider modes (preview) in Azure Policy.
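The split described above can be applied when reviewing request logs. The following is an added example, not code from the original article or from Microsoft: it labels each request as control plane or data plane by its host and flags data plane changes, which features such as locks might not cover. The 'METHOD URL' log format, the instance host inventory, the function names, and the sample lines are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Resource Manager host named on this page. Hosts for other Azure
# environments are not listed here; pass them in through `arm_hosts`.
ARM_HOSTS = frozenset({"management.azure.com"})
# Assumed inventory of your own instance endpoints (data plane).
INSTANCE_HOSTS = frozenset({"myaccount.blob.core.windows.net"})
MUTATING = frozenset({"PUT", "POST", "PATCH", "DELETE"})


def classify(method, url, arm_hosts=ARM_HOSTS, instance_hosts=INSTANCE_HOSTS):
    """Label one request as control plane, data plane, or unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact host match only: a lookalike that merely starts with the
    # Resource Manager name must not be counted as control plane.
    if parts.scheme == "https" and host in arm_hosts:
        plane = "control"
    elif parts.scheme == "https" and host in instance_hosts:
        plane = "data"
    else:
        plane = "unknown"
    verb = method.upper()
    # Data plane requests go to the instance endpoint, not to Resource
    # Manager, so a change sent there is flagged for separate review.
    return {"plane": plane, "method": verb, "host": host,
            "review": plane == "data" and verb in MUTATING}


def triage(lines, **hosts):
    """Parse 'METHOD URL' log lines, skipping malformed entries."""
    pairs = (line.split() for line in lines)
    return [classify(p[0], p[1], **hosts) for p in pairs if len(p) == 2]


# Constructed sample log lines; the subscription ID is a placeholder.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE = [
    f"PUT https://management.azure.com/subscriptions/{SUB}/resourceGroups/rg1",
    "GET https://myaccount.blob.core.windows.net/container1/report.csv",
    "DELETE https://myaccount.blob.core.windows.net/container1/report.csv",
    f"DELETE https://management.azure.com.example.net/subscriptions/{SUB}",
    "not a log line",
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["plane"], r["method"], r["host"], "REVIEW" if r["review"] else "")
```

Hosts that match neither set are reported as unknown rather than guessed, so the result is only as complete as the host lists you supply.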
For an overview of Azure Resource Manager, see What is Azure Resource Manager?
To learn more about the effect of policy definitions on new resources and existing resources, see Evaluate the impact of a new Azure Policy definition.