Glossary
Introduction
This glossary provides clear, concise definitions of key terms and concepts used throughout the Azure Hybrid Continuum CookBook. Each term is grounded in official Microsoft documentation and includes links to authoritative sources. Use this reference to ensure consistent understanding of concepts spanning the continuum from public cloud to disconnected environments.
Definitions
- Air-Gapped Environment
- An isolated environment with no network connectivity to external systems, including the internet or other networks. Air-gapped deployments require all software, updates, and data to be physically transferred via approved media. Common in high-security scenarios such as classified government systems, critical infrastructure, and facilities requiring complete network isolation.
- Learn more about disconnected scenarios
- Azure Arc
- A management plane that extends Azure governance, security, and services to any infrastructure—on-premises, multicloud, and edge. Azure Arc enables you to manage servers, Kubernetes clusters, databases, and applications consistently using Azure Resource Manager APIs, Azure Policy, and Azure Monitor, regardless of where they run.
- Azure Arc documentation
- Azure Arc-enabled Data Services
- Azure data services (SQL Managed Instance, PostgreSQL) that run on Azure Arc-enabled Kubernetes clusters, providing cloud-like provisioning, scaling, and updates on-premises or in other clouds. Supports both directly connected and indirectly connected modes for varying levels of Azure integration.
- Azure Arc-enabled data services documentation
- Azure Arc-enabled Kubernetes
- Kubernetes clusters running anywhere—on-premises, edge, or multicloud—that are connected to Azure for centralized configuration management using GitOps, Azure Policy enforcement, and monitoring via Azure Monitor. Enables consistent application of governance and operational practices across heterogeneous environments.
- Azure Arc-enabled Kubernetes documentation
- Azure Confidential Computing
- Azure services and infrastructure that protect data while it is being processed using hardware-based Trusted Execution Environments (TEEs). Confidential computing ensures that data remains encrypted in memory during computation, protecting against unauthorized access even from privileged system administrators and hypervisor-level threats.
- Azure Confidential Computing documentation
- Azure ExpressRoute
- A dedicated private network connection from on-premises infrastructure to Microsoft Azure that does not traverse the public internet. ExpressRoute provides higher security, reliability, faster speeds, consistent latencies, and predictable performance compared to internet-based connections, with support for Layer 3 connectivity via BGP.
- Azure ExpressRoute documentation
- Azure Key Vault Managed HSM
- A fully managed, highly available, single-tenant Hardware Security Module (HSM) service that safeguards cryptographic keys for cloud applications using FIPS 140-3 Level 3 validated HSMs. Provides isolated access control, private endpoints, and dedicated security domains ensuring cryptographic isolation between customers.
- Azure Key Vault Managed HSM documentation
- Azure Kubernetes Service (AKS)
- A managed Kubernetes service that simplifies deploying, managing, and scaling containerized applications. Azure manages the Kubernetes control plane at no cost, while you maintain control over worker nodes. AKS reduces operational overhead through automated health monitoring, maintenance, and integration with Azure services.
- Azure Kubernetes Service documentation
- Azure Local (formerly Azure Stack HCI)
- A hyperconverged infrastructure platform that runs on validated hardware in your datacenter, providing virtualized compute, storage, and networking with Azure hybrid services integration. Azure Local enables you to run workloads on-premises while benefiting from Azure management, security, and innovation through Arc integration.
- Azure Local documentation
- Azure Managed HSM
- See Azure Key Vault Managed HSM.
- Azure Policy
- A service that enables you to enforce organizational standards and assess compliance at scale by defining, assigning, and managing policy rules. Azure Policy evaluates Azure resources (and Arc-enabled resources outside Azure) against business rules, enabling consistent governance for resource deployment, configuration, and ongoing compliance.
- Azure Policy documentation
- Azure Private Link
- A service that enables private access to Azure PaaS services and customer-owned services over a private endpoint within your virtual network. Traffic between your network and Azure services travels exclusively over the Microsoft backbone network, so the service is never exposed to the public internet and the paths available for data leakage are reduced.
- Azure Private Link documentation
- Azure Stack Edge
- An Azure-managed edge computing appliance that brings compute, storage, and machine learning capabilities to edge locations. Provides hardware-accelerated AI inference, data transfer, and local processing with integration to Azure cloud services for centralized management and orchestration.
- Azure Stack Edge documentation
- Azure Stack Hub
- An integrated hardware and software system that delivers Azure services from your datacenter, designed primarily for disconnected or intermittently connected environments. Unlike Azure Local, Azure Stack Hub provides Azure-consistent PaaS capabilities (App Service, Functions, etc.) for scenarios requiring cloud services in isolated locations.
- Azure Stack Hub documentation
- Cloud Adoption Framework (CAF)
- Microsoft's proven guidance and best practices to help organizations create and implement business and technology strategies for cloud adoption. CAF provides methodologies spanning strategy, planning, readiness, migration, modernization, governance, and management to ensure successful Azure adoption aligned with business outcomes.
- Cloud Adoption Framework documentation
- Cloud Exit / Cloud Repatriation
- The process of moving workloads from public cloud back to on-premises or private cloud infrastructure. Motivations include cost optimization, data sovereignty requirements, regulatory compliance, performance needs, or reduced dependency on cloud providers. Requires careful planning around data migration, architecture changes, and operational model shifts.
- Confidential Computing
- See Azure Confidential Computing.
- Connected Mode
- An operational mode for Azure Arc-enabled services where continuous network connectivity to Azure enables real-time management via Azure portal, Azure Resource Manager APIs, Microsoft Entra ID authentication, and Azure RBAC. Provides the fullest Azure integration experience with automatic telemetry, billing, and monitoring data transmission.
- Azure Arc connectivity modes
- Customer Lockbox
- An Azure service that provides an interface for customers to review and approve (or reject) Microsoft support engineer access requests to customer data. Used in rare circumstances when a Microsoft engineer requires access to customer data for troubleshooting, ensuring customers maintain explicit control over data access with audit trails.
- Customer Lockbox documentation
- Data Residency
- The physical or geographic location where data is stored and processed. Data residency requirements specify that data must remain within certain geographic boundaries (countries, regions, or specific datacenters) to meet legal, regulatory, or business requirements. Distinct from data sovereignty, which addresses legal jurisdiction.
- Data Sovereignty
- The principle that data is subject to the laws and governance of the country or region where it is located. Data sovereignty encompasses who can access data, under what conditions, legal frameworks governing data protection, and the rights of data subjects. Critical for regulated industries and government entities.
- Data Gravity
- The concept that as data accumulates in a location, it becomes increasingly difficult and costly to move it, attracting applications and services to run near that data. Data gravity influences architecture decisions around workload placement, latency requirements, and data residency, with larger datasets exerting stronger gravitational pull on compute resources.
- Defense in Depth
- A layered security strategy that employs multiple defensive mechanisms across different levels—physical, network, perimeter, identity, compute, application, and data. If one layer is compromised, additional layers continue to provide protection, reducing the attack surface and impact of security breaches.
- Azure security best practices
- Digital Sovereignty
- A broader concept encompassing data sovereignty, software sovereignty, and operational sovereignty. Digital sovereignty represents an organization's or nation's ability to control their digital assets, infrastructure, and operations independently, including technology choices, data location, access controls, and freedom from foreign jurisdiction.
- Disconnected Mode
- An operational mode for Azure Arc-enabled services where periodic (rather than continuous) connectivity to Azure is used to exchange billing, inventory, and monitoring data. Requires local management tools and credentials, with limited Azure portal functionality. In Azure Arc-enabled data services this mode was called "indirectly connected mode"; it has since been retired in favor of directly connected mode only.
- Azure Arc connectivity modes
- ExpressRoute
- See Azure ExpressRoute.
- Fault Domain
- A logical grouping of hardware that shares a common power source and network switch, representing a single point of failure. Distributing virtual machines across multiple fault domains in Azure Local or Azure ensures that hardware failures affect only a subset of workloads, improving overall availability.
- Azure availability zones and fault domains
- GitOps
- A declarative approach to continuous delivery that uses Git as the single source of truth for infrastructure and application configuration. Changes are made through Git commits, with automated agents ensuring that the deployed state matches the desired state in Git. GitOps is particularly valuable in hybrid environments for consistent configuration management across clusters.
- Azure Arc-enabled Kubernetes with GitOps
- Harbor
- An open-source container registry that stores, signs, and scans container images. Harbor provides role-based access control, vulnerability scanning, image replication, and supports disconnected scenarios through offline image distribution. Often used in sovereign and air-gapped environments where public container registries cannot be accessed.
- Harbor Project
- Helm
- A package manager for Kubernetes that uses templates called "charts" to define, install, and upgrade Kubernetes applications. Helm simplifies deployment of complex applications by bundling related Kubernetes resources together. Helm charts are essential for repeatable deployments across hybrid environments.
- Helm documentation
- Hybrid Cloud
- An IT architecture that combines on-premises infrastructure, private cloud services, and public cloud services with orchestration and management across environments. Hybrid cloud enables workload portability, consistent security and governance, and flexibility to place workloads based on performance, cost, compliance, and sovereignty requirements.
- Hybrid Continuum
- The spectrum of deployment options ranging from fully public cloud (Azure), through connected hybrid (Azure Local with Arc), to fully disconnected on-premises infrastructure. The continuum reflects varying degrees of connectivity, cloud service availability, and operational models, enabling organizations to choose placement strategies matching their sovereignty, security, and operational needs.
- Infrastructure as Code (IaC)
- The practice of managing and provisioning infrastructure through machine-readable definition files rather than manual processes. IaC enables version control, automated deployment, consistency, repeatability, and disaster recovery. Azure supports IaC through ARM templates, Bicep, Terraform, and other declarative tools.
- Infrastructure as Code on Azure
- K3s
- A lightweight, certified Kubernetes distribution designed for resource-constrained and edge environments. K3s simplifies installation and operations by packaging all Kubernetes components into a single binary under 100MB. Commonly used in edge computing, IoT scenarios, and disconnected environments where full Kubernetes would be too heavyweight.
- K3s documentation
- Landing Zone
- A pre-configured Azure environment that provides governance, security, networking, identity, and management capabilities aligned with the Cloud Adoption Framework. Landing zones serve as the foundational platform for workload deployment, ensuring compliance with organizational policies and best practices from day one.
- Azure landing zones
- Management Group
- A container that helps manage access, policy, and compliance across multiple Azure subscriptions. Management groups provide hierarchical organization, enabling efficient application of governance controls at scale. Policies and RBAC assignments applied to a management group are inherited by all child subscriptions and resources.
- Azure management groups
- MetalLB
- A load balancer implementation for bare-metal Kubernetes clusters that provides network load balancing capabilities similar to cloud providers. MetalLB announces service IPs using standard routing protocols (BGP) or Layer 2 mode. Critical for on-premises Kubernetes deployments on Azure Local where cloud load balancers are unavailable.
- MetalLB documentation
- MinIO
- A high-performance, S3-compatible object storage system that runs on-premises or in disconnected environments. MinIO provides API compatibility with Amazon S3, enabling applications to use the same code across cloud and on-premises deployments. Often used as a blob storage replacement in hybrid and sovereign scenarios.
- MinIO documentation
- Observability
- The ability to understand the internal state of a system by examining its external outputs, including logs, metrics, traces, and events. Observability goes beyond monitoring by enabling exploration of system behavior to answer unexpected questions. Essential for managing complex distributed systems across hybrid environments.
- Azure Monitor observability
- Operational Sovereignty
- The ability to independently operate, manage, and maintain IT infrastructure and services without dependency on external entities. Includes control over updates, maintenance schedules, access to infrastructure, incident response, and operational procedures—critical for organizations requiring operational autonomy for security or regulatory reasons.
- Platform Engineering
- The discipline of designing and building toolchains and workflows that enable self-service capabilities for software engineering teams. Platform engineering creates internal developer platforms (IDPs) that abstract away infrastructure complexity, providing standardized, secure, and compliant paths to production. Increasingly important in hybrid environments requiring consistent developer experiences.
- Private Cloud
- Cloud computing resources dedicated to a single organization, deployed either on-premises or hosted by a third party. Private clouds provide greater control over infrastructure, security, and compliance compared to public cloud, while still offering cloud characteristics like self-service, scalability, and resource pooling.
- Regulated Industry
- Industries subject to strict regulatory frameworks governing data protection, security, operational practices, and compliance. Examples include financial services (PCI DSS, SOX), healthcare (HIPAA, GDPR), government (FedRAMP, ITAR), and critical infrastructure. Regulated industries often require enhanced sovereignty, audit trails, and data residency controls.
- RKE2
- Rancher Kubernetes Engine 2, a fully conformant Kubernetes distribution focused on security and compliance. RKE2 combines the ease of use of RKE with security hardening to meet U.S. government standards (FIPS 140-2, STIG compliance). Used in government and regulated environments requiring certified, hardened Kubernetes.
- RKE2 documentation
- Service Mesh
- An infrastructure layer that manages service-to-service communication in microservices architectures, providing capabilities like traffic management, security (mTLS), observability, and resilience (retries, circuit breakers). Service meshes decouple these concerns from application code. Examples include Istio, Linkerd, and Open Service Mesh.
- Service mesh patterns
- Site Reliability Engineering (SRE)
- A discipline that incorporates software engineering practices into IT operations to build and maintain highly reliable, scalable systems. SRE emphasizes automation, monitoring, incident response, and balancing reliability with feature velocity through error budgets. Foundational for operating complex hybrid infrastructure.
- SRE principles
- Sovereign Cloud
- Cloud infrastructure and services designed to meet specific sovereignty requirements for governments and regulated industries. Microsoft provides sovereign cloud offerings (Azure Government, Azure China) with physical and logical separation, data residency guarantees, local operations, and restricted access to meet national security and compliance mandates.
- Azure sovereign clouds
- Sovereign Landing Zone (SLZ)
- A specialized Azure landing zone architecture that incorporates enhanced sovereignty controls including data residency, encryption, access restrictions, and compliance frameworks required by governments and highly regulated organizations. SLZ extends standard landing zone patterns with additional guardrails and sovereign-specific policies.
- Sovereign Landing Zone
- Software Sovereignty
- The ability to control software supply chains, understand and audit source code, avoid vendor lock-in, and maintain independence from foreign technology dependencies. Software sovereignty concerns include open-source vs. proprietary software choices, hosting location of software providers, and ability to modify or replace components as needed.
- Total Cost of Ownership (TCO)
- A comprehensive assessment of all costs associated with acquiring, deploying, operating, and maintaining IT infrastructure over its entire lifecycle. TCO includes capital expenses (hardware, software licenses), operational expenses (power, cooling, maintenance, personnel), and hidden costs (downtime, complexity). Critical for evaluating cloud vs. on-premises decisions and cloud exit scenarios.
- Azure TCO Calculator
- Trusted Execution Environment (TEE)
- A secure, isolated area within a processor that guarantees code and data loaded inside are protected with respect to confidentiality and integrity. TEEs use hardware-based security mechanisms (Intel SGX, AMD SEV, ARM TrustZone) to create encrypted enclaves where sensitive computations occur, protected even from privileged system software.
- Azure confidential computing TEE
- Trusted Launch
- An Azure VM security feature that protects against bootkits, rootkits, and kernel-level malware using secure boot, virtual Trusted Platform Module (vTPM), and measured boot capabilities. Trusted Launch provides foundational security for virtual machines, establishing a hardware-rooted chain of trust from firmware through operating system boot.
- Trusted Launch for Azure VMs
- Update Domain
- A logical grouping of hardware in Azure Local or Azure that can be updated and rebooted simultaneously during maintenance. Distributing virtual machines across multiple update domains ensures that not all instances are unavailable during planned maintenance, maintaining application availability during platform updates.
- Update domains
- Well-Architected Framework (WAF)
- Microsoft's set of guiding principles and best practices for designing and operating reliable, secure, efficient, and cost-effective workloads in Azure. WAF is organized around five pillars: Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency, with architecture patterns and assessment tools.
- Azure Well-Architected Framework
- Zero Trust
- A security strategy based on the principle "never trust, always verify," which assumes breach and verifies every access request regardless of origin. Zero Trust is built on three core principles: verify explicitly using all available data points, use least privilege access with just-in-time and just-enough-access policies, and assume breach with end-to-end encryption and analytics.
- Zero Trust security