| Landing zone | Standardized Azure environment design for governance, identity, networking, and platform controls | Core platform-boundary concept |
| Management group | Azure scope above subscriptions used for policy and governance inheritance | High-value governance scope term |
| Subscription | Billing and administrative boundary for Azure resources | Common scope and isolation question |
| Resource group | Lifecycle boundary for related Azure resources | Frequently confused with subscription scope |
| RBAC | Azure authorization model for who can do what at a given scope | Core authorization control |
| Policy | Azure governance engine for allowed, denied, or modified resource configurations | Core compliance and guardrail control |
| Private Endpoint | Private IP mapping into a PaaS service through Azure Private Link | Central private-access design term |
| Service Endpoint | VNet-to-service routing enhancement without assigning a private IP inside the service | Common distractor against Private Endpoint |
| Hub-spoke | Network topology with shared central services and segmented workload spokes | Classic Azure network architecture pattern |
| Zone redundancy | Service deployment pattern spread across Azure availability zones | High-availability term distinct from geo patterns |
| Failover group | Managed database failover and endpoint abstraction across regions | Continuity term for relational data |
| Managed identity | Azure-managed workload identity used instead of stored secrets | Strong identity-first design answer |
| Availability set | VM distribution across fault and update domains within one datacenter pattern | Often confused with zone design |
| Geo-redundancy | Replication across regions for continuity and durability | Distinct from zone redundancy |
| Log Analytics workspace | Central Azure Monitor log store and query surface | Core monitoring and routing term |
| Application Insights | Application telemetry and tracing service | Commonly confused with broader Monitor/Workspace roles |
| Front Door | Global edge entry service with routing/WAF/CDN-style behavior | Frequent ingress choice distractor |
| Application Gateway | Regional Layer 7 load balancer with WAF and routing rules | Needs to be separated from Front Door and Load Balancer |
| Traffic Manager | DNS-based traffic routing service | Commonly confused with proxying ingress tools |
| Recovery Services vault | Azure vault for backup and some recovery workflows | Core continuity term |