Security architecture design

Microsoft Entra ID
Azure Firewall
Azure Front Door
Azure Key Vault
Azure Private Link

Information security has always been a complex subject, and it evolves quickly with the creative ideas and implementations of attackers and security researchers.

Security is one of the most important aspects of any architecture. Good security provides confidentiality, integrity, and availability assurances against deliberate attacks and abuse of your valuable data and systems. Losing these assurances can harm your business operations and revenue, and your organization's reputation.


Learn how cloud security is an ongoing journey of incremental progress and maturity, in Security in the Microsoft Cloud Adoption Framework for Azure. Learn how to build security into your solution, in the Azure Well-Architected Framework Overview of the security pillar.

Here are some broad categories to consider when you design a security system:

Image that shows categories to consider when you design a security system.

Azure provides a wide range of security tools and capabilities. These are just some of the key security services available in Azure:

  • Microsoft Defender for Cloud. A unified infrastructure security management system that strengthens the security posture of your datacenters. It also provides advanced threat protection across your hybrid workloads in the cloud and on-premises.
  • Microsoft Entra ID. The Microsoft cloud-based identity and access management service.
  • Azure Front Door. A global, scalable entry-point that uses the Microsoft global edge network to create fast, highly secure, and widely scalable web applications.
  • Azure Firewall. A cloud-native, intelligent network firewall security service that provides threat protection for your cloud workloads that run in Azure.
  • Azure Key Vault. A high-security secret store for tokens, passwords, certificates, API keys, and other secrets. You can also use Key Vault to create and control the encryption keys used to encrypt your data.
  • Azure Private Link. A service that enables you to access Azure PaaS services, Azure-hosted services that you own, or partner services over a private endpoint in your virtual network.
  • Azure Application Gateway. An advanced web traffic load balancer that enables you to manage traffic to your web applications.
  • Azure Policy. A service that helps you enforce organizational standards and assess compliance.

For a more comprehensive description of Azure security tools and capabilities, see End-to-end security in Azure.

Introduction to security on Azure

If you're new to security on Azure, the best way to learn more is with Microsoft Learn training. This free online platform provides interactive training for Microsoft products and more.

Here are two learning paths to get you started:

Path to production

  • To secure Azure application workloads, you use protective measures like authentication and encryption in the applications themselves. You can also add security layers to the virtual machine (VM) networks that host the applications. See Firewall and Application Gateway for virtual networks for an overview.
  • Zero Trust is a proactive, integrated approach to security across all layers of the digital estate. It explicitly and continuously verifies every transaction, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats.
  • Azure governance establishes the tooling needed to support cloud governance, compliance auditing, and automated guardrails. See Azure governance design area guidance for information about governing your Azure environment.

Best practices

The Azure Well-Architected Framework is a set of guiding tenets, based on five pillars, that you can use to improve the quality of your architectures. For information, see Overview of the security pillar and Security design principles in Azure.

The Well-Architected Framework also provides these checklists:

For information about security for sensitive IaaS workloads, see Security considerations for highly sensitive IaaS apps in Azure.

Security architectures

Identity and access management

Threat protection

Information protection

Discover and respond

Stay current with security

Get the latest updates on Azure security services and features.

Additional resources

Example solutions

Browse all our security architectures.

AWS or Google Cloud professionals

Next steps

Security architecture is part of a comprehensive set of security guidance that also includes: