Skill

deploy-azure

Azure cloud deployment pattern library — leverages the official Microsoft Azure MCP server (200+ structured tools across 40+ Azure services) for Azure App Service, Azure Functions, Azure Container Apps, Azure Kubernetes Service (AKS), Azure Container Registry (ACR), Azure SQL Database, Azure Cosmos DB, Azure Storage (Blob/File/Queue/Table), Azure Cache for Redis, Azure Service Bus, Azure Event Grid, Azure Front Door + CDN, Azure DNS, Azure Key Vault, Azure Active Directory / Entra ID app registrations, Azure Monitor / Application Insights, Azure DevOps Pipelines, GitHub Actions OIDC for Azure, ARM templates / Bicep / Terraform azurerm provider, Azure RBAC, Azure Policy + Azure Blueprint compliance, Azure Cost Management, and Azure Foundry for AI model deployment. Use when deploying any application to Azure (web app, API, container, serverless, AI workload), migrating from on-prem or other clouds to Azure, hardening an existing Azure subscription, or auditing Azure costs. References the `azure` MCP server declared in this plugin's .mcp.json — Claude Code can directly invoke 200+ Azure tools at runtime via the official Microsoft MCP. Differentiates from generic terraform-patterns by Azure-specific service patterns and the deep Microsoft tooling integration.

Install

npx claudepluginhub arnwaldn/atum-plugins-collection --plugin atum-workflows

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Ce skill couvre les patterns canoniques pour déployer sur **Azure** en s'appuyant sur le **MCP server officiel Microsoft** (`@azure/mcp@latest`) déclaré dans `plugins/atum-workflows/.mcp.json`.

SKILL.md

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.6k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.6k

executing-plans

Executes pre-written implementation plans: critically reviews, follows bite-sized steps exactly, runs verifications, tracks progress with checkpoints, uses git worktrees, stops on blockers.

superpowers

150.3k

Stats

Parent Repo Stars0

Parent Repo Forks0

Last CommitApr 8, 2026

Actions

View Source View Plugin View on GitHub View README

Azure Deployment Patterns

Ce skill couvre les patterns canoniques pour déployer sur Azure en s'appuyant sur le MCP server officiel Microsoft (@azure/mcp@latest) déclaré dans plugins/atum-workflows/.mcp.json.

MCP server Azure disponible : 200+ outils structurés couvrant 40+ services Azure (App Service, Functions, AKS, ACR, Cosmos DB, Storage, Key Vault, Monitor, etc.). Claude Code peut directement provisionner, déployer et inspecter via cet MCP au runtime.

Prérequis utilisateur : Node.js installé + Azure CLI (az login) authentifié + abonnement Azure actif.

1. Decision tree — quel service Azure pour quel besoin ?

Type de workload
├── Web app full-stack (Node.js, Python, .NET, Java)
│   ├── PaaS managed → Azure App Service (Linux ou Windows)
│   ├── Containers → Azure Container Apps (KEDA scaling)
│   └── K8s natif → Azure Kubernetes Service (AKS)
├── API REST / GraphQL / Webhooks
│   ├── Code-first PaaS → App Service
│   ├── Serverless event-driven → Azure Functions (Premium plan pour latence)
│   └── Container → Container Apps
├── Static website (Next.js export, Vite, Astro)
│   └── Azure Static Web Apps (avec API Functions intégrée)
├── Background jobs / queues
│   ├── Azure Functions Timer trigger (cron)
│   ├── Service Bus + Functions queue trigger
│   └── Container Apps jobs
├── Database
│   ├── Postgres / MySQL / MariaDB → Azure Database for PostgreSQL Flexible Server
│   ├── SQL Server → Azure SQL Database / SQL Managed Instance
│   ├── NoSQL document → Cosmos DB (API SQL, MongoDB, Cassandra, Gremlin, Table)
│   └── Cache → Azure Cache for Redis
├── Storage
│   ├── Objects → Azure Blob Storage
│   ├── Files SMB/NFS → Azure Files
│   └── Queue lightweight → Azure Queue Storage
├── AI/ML
│   ├── Foundation models hosted → Azure AI Foundry (anciennement Azure OpenAI)
│   ├── Custom training → Azure Machine Learning
│   └── Vision/Speech/Language → Azure AI Services
└── Edge / CDN
    └── Azure Front Door + CDN

2. Authentication — OIDC depuis GitHub Actions (recommandé)

# .github/workflows/deploy-azure.yml
permissions:
  id-token: write   # OIDC
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Deploy to App Service
        uses: azure/webapps-deploy@v3
        with:
          app-name: my-app
          package: ./dist

Setup côté Azure : enregistrer l'app GitHub Actions dans Entra ID, configurer le federated credential pointant vers repo:owner/repo:ref:refs/heads/main, attribuer le rôle Contributor sur la resource group cible. Plus de secret long-lived — uniquement OIDC short-lived.

3. App Service — déploiement type

# Via az CLI
az group create --name my-rg --location westeurope
az appservice plan create --name my-plan --resource-group my-rg --sku B1 --is-linux
az webapp create --resource-group my-rg --plan my-plan --name my-app --runtime "NODE:20-lts"

# Configuration runtime
az webapp config appsettings set --resource-group my-rg --name my-app --settings \
  NODE_ENV=production \
  WEBSITE_NODE_DEFAULT_VERSION=20

# Deploy depuis local zip
az webapp deploy --resource-group my-rg --name my-app --src-path dist.zip --type zip

Via Bicep (préféré pour IaC) :

param location string = resourceGroup().location
param appName string

resource plan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: '${appName}-plan'
  location: location
  sku: { name: 'B1', tier: 'Basic' }
  properties: { reserved: true }  // Linux
}

resource app 'Microsoft.Web/sites@2023-01-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    siteConfig: {
      linuxFxVersion: 'NODE|20-lts'
      appSettings: [
        { name: 'NODE_ENV', value: 'production' }
      ]
    }
    httpsOnly: true
  }
  identity: { type: 'SystemAssigned' }
}

output url string = 'https://${app.properties.defaultHostName}'

4. Azure Container Apps (recommandé pour containers)

# Crée l'environment + log analytics
az containerapp env create --name my-env --resource-group my-rg --location westeurope

# Deploy un container
az containerapp create \
  --name my-api \
  --resource-group my-rg \
  --environment my-env \
  --image ghcr.io/myorg/api:1.2.3 \
  --target-port 8080 \
  --ingress external \
  --min-replicas 1 \
  --max-replicas 10 \
  --cpu 0.5 \
  --memory 1.0Gi \
  --secrets "db-url=secretref:db-url" \
  --env-vars "DATABASE_URL=secretref:db-url"

Avantages Container Apps vs AKS :

KEDA scaling natif (event-driven)
Pas de gestion du control plane K8s
Pricing pay-per-use (scale-to-zero)
Idéal pour 80% des workloads containerisés sans complexité K8s

5. Azure Functions (serverless)

// HTTP trigger TypeScript
import { app, HttpRequest, HttpResponseInit, InvocationContext } from '@azure/functions'

export async function httpTrigger(request: HttpRequest, context: InvocationContext): Promise<HttpResponseInit> {
  const name = request.query.get('name') || 'world'
  return {
    status: 200,
    jsonBody: { message: `Hello ${name}` },
  }
}

app.http('hello', {
  methods: ['GET'],
  authLevel: 'anonymous',
  handler: httpTrigger,
})

func azure functionapp publish my-func-app

Cold start mitigation :

Premium plan (instances pré-warmed)
Min instances configurables
Préférer TypeScript compilé que JavaScript dynamique

6. AKS (Azure Kubernetes Service) — pour vraiment K8s

# Provisioning
az aks create \
  --resource-group my-rg \
  --name my-aks \
  --node-count 3 \
  --enable-managed-identity \
  --node-vm-size Standard_D2s_v3 \
  --generate-ssh-keys \
  --enable-cluster-autoscaler --min-count 1 --max-count 10

# Get kubeconfig
az aks get-credentials --resource-group my-rg --name my-aks

Ensuite utiliser les patterns du skill kubernetes-patterns (ce plugin) pour le déploiement workloads.

Quand AKS vs Container Apps :

AKS : besoin de CRDs custom, service mesh, GPU, gros écosystème K8s, multi-tenant
Container Apps : 80% des cas, plus simple et moins cher

7. Database — Postgres Flexible Server

az postgres flexible-server create \
  --resource-group my-rg \
  --name my-pg \
  --location westeurope \
  --admin-user pgadmin \
  --admin-password "$(openssl rand -base64 24)" \
  --sku-name Standard_B1ms \
  --tier Burstable \
  --storage-size 32 \
  --version 15 \
  --high-availability Disabled \
  --public-access None  # Private endpoint only

Bonnes pratiques :

Toujours --high-availability Enabled (zone-redundant) en prod
Backups automatiques 7-35 jours
Private endpoint + VNet integration (pas d'IP publique)
Connection pooler (PgBouncer) intégré disponible

8. Cosmos DB

az cosmosdb create \
  --name my-cosmos \
  --resource-group my-rg \
  --kind GlobalDocumentDB \
  --default-consistency-level Session \
  --enable-automatic-failover true \
  --locations regionName=westeurope failoverPriority=0 isZoneRedundant=true \
  --locations regionName=northeurope failoverPriority=1 isZoneRedundant=true

5 APIs supportées : SQL (recommandé), MongoDB, Cassandra, Gremlin, Table.

Cost optim : préférer Serverless mode pour les workloads < 1M RU/s, ou Autoscale provisioned pour le reste. Éviter le mode "Standard provisioned" sans autoscale.

9. Key Vault + Managed Identity

# Create key vault
az keyvault create --name my-kv --resource-group my-rg --location westeurope

# Store a secret
az keyvault secret set --vault-name my-kv --name "DatabaseUrl" --value "postgres://..."

# Grant App Service managed identity access
az keyvault set-policy --name my-kv \
  --object-id $(az webapp identity show --name my-app --resource-group my-rg --query principalId -o tsv) \
  --secret-permissions get list

Dans le code : @azure/identity + @azure/keyvault-secrets pour récupérer au runtime.

JAMAIS de secret en clair dans appSettings — toujours via Key Vault references : @Microsoft.KeyVault(SecretUri=https://my-kv.vault.azure.net/secrets/DatabaseUrl/).

10. Monitoring — Application Insights

# Create Application Insights
az monitor app-insights component create \
  --app my-insights \
  --location westeurope \
  --resource-group my-rg \
  --workspace my-log-analytics

# Get connection string
az monitor app-insights component show --app my-insights --resource-group my-rg --query connectionString -o tsv

Configurer dans App Service via APPLICATIONINSIGHTS_CONNECTION_STRING setting → tout est instrumenté automatiquement (requests, dependencies, exceptions, perf counters).

11. Cost optimization

Reserved Instances (1 an / 3 ans) sur les workloads steady-state : -30 à -65%
Azure Hybrid Benefit si licences Windows Server / SQL Server existantes
Spot VMs pour batch / CI / dev : -60 à -90%
Auto-shutdown dev/test resources la nuit + week-ends
Azure Advisor régulièrement consulté
Cost Management + Billing alerts par budget
Tagging strict (Environment, Project, Owner, CostCenter)

12. Anti-patterns

Pas d'OIDC → secrets long-lived dans GitHub
Secrets en clair dans App Settings → utiliser Key Vault references
Public endpoint sur DBs prod → private endpoint obligatoire
App Service plan F1/D1 en prod → toujours B1+ minimum
Cosmos DB Standard provisioned sans autoscale → facture explosive
Pas de tagging → impossible d'allouer les coûts
Pas de policies Azure Policy → drift compliance
AKS pour un seul workload → préférer Container Apps
Pas d'Application Insights → debug impossible en prod
Pas de Reserved Instances sur workloads steady → overpaying 30-65%

Checklist livraison

Quand déléguer

K8s workloads → skill kubernetes-patterns (ce plugin)
IaC Terraform → skill terraform-patterns (ce plugin)
Architecture cloud → skill cloud-architecture (ce plugin)
Sécurité Azure → agent security-expert (atum-compliance)
Compliance EU AI Act → agent compliance-expert (atum-compliance)

Ressources

https://learn.microsoft.com/en-us/azure/
https://github.com/microsoft/azure-skills (source MIT)
https://github.com/Azure/azure-mcp (Azure MCP server officiel)
https://learn.microsoft.com/en-us/azure/architecture/framework/ (Well-Architected)