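<!doctype html>
<!-- lang is required for correct screen-reader pronunciation and hyphenation; the page text is English. -->
<html lang="en">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Azure Management Plane vs Data Plane</title>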
<style>
  /* Design tokens. The five node categories (input/process/storage/external/risk)
     and the frame colours are remapped for dark mode in the media query below.
     --neutral is declared here but not referenced by any rule in this file. */
  :root {
    color-scheme: light dark;
    --bg: #f8fafc;
    --fg: #172033;
    --muted: #5b6475;
    --line: #64748b;
    --neutral: #e2e8f0;
    --input: #bfdbfe;
    --process: #c7d2fe;
    --storage: #99f6e4;
    --external: #fde68a;
    --risk: #fecaca;
  }

  @media (prefers-color-scheme: dark) {
    :root {
      --bg: #0f172a;
      --fg: #e5e7eb;
      --muted: #a3adbd;
      --line: #94a3b8;
      --neutral: #334155;
      --input: #1d4ed8;
      --process: #4338ca;
      --storage: #0f766e;
      --external: #92400e;
      --risk: #991b1b;
    }
  }

  /* Page frame: full-bleed body, centred column, fluid diagram. */
  body {
    margin: 0;
    background: var(--bg);
    color: var(--fg);
    font: 14px/1.4 ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
  }
  main {
    max-width: 980px;
    margin: 32px auto;
    padding: 0 20px;
  }
  svg {
    display: block;
    width: 100%;
    height: auto;
  }

  /* SVG text: headings and labels share the foreground colour, captions use --muted. */
  .title,
  .zone-label,
  .label {
    fill: var(--fg);
  }
  .title { font-size: 22px; font-weight: 700; }
  .zone-label { font-size: 16px; font-weight: 700; }
  .label { font-size: 14px; font-weight: 650; }
  .small { font-size: 12px; fill: var(--muted); }

  /* Node boxes: a single outline rule plus one fill per semantic category. */
  .node { stroke: var(--line); stroke-width: 1; }
  .input { fill: var(--input); }
  .process { fill: var(--process); }
  .storage { fill: var(--storage); }
  .external { fill: var(--external); }
  .risk { fill: var(--risk); }

  /* Connectors and the dashed plane outlines. */
  .edge {
    fill: none;
    stroke: var(--line);
    stroke-width: 1.6;
  }
  .zone {
    fill: none;
    stroke: var(--line);
    stroke-width: 1.2;
    stroke-dasharray: 7 6;
    opacity: 0.9;
  }
</style>
<main>
  <!-- Teaching diagram: one principal, two separately authorized planes.
       Paint order matters: edges are drawn before nodes so arrow tails sit under the boxes. -->
  <svg viewBox="0 0 980 560" role="img" aria-labelledby="title desc">
    <title id="title">Azure Management Plane vs Data Plane</title>
    <desc id="desc">A principal can manage Azure resources through ARM while data access for Storage and Key Vault is evaluated separately through data roles or service-specific authorization.</desc>

    <defs>
      <!-- Shared arrowhead; its fill follows the same --line token as the edge strokes. -->
      <marker id="arrow" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
        <path d="M 0 0 L 10 5 L 0 10 z" fill="var(--line)" />
      </marker>
    </defs>

    <!-- Heading and one-line lesson. -->
    <text class="title" x="32" y="42">Azure Management Plane vs Data Plane</text>
    <text class="small" x="32" y="66">Teaching point: being able to manage a resource does not automatically mean being able to read its data.</text>

    <!-- Connectors. The .edge rule already sets fill: none, so the attribute is not repeated here.
         Top row: Principal -> ARM -> Resource. Bottom row: Data Role -> data plane zone -> outcome boxes. -->
    <g>
      <path class="edge" marker-end="url(#arrow)" d="M 206 178 C 270 178 286 178 350 178" />
      <path class="edge" marker-end="url(#arrow)" d="M 494 178 C 560 178 576 178 642 178" />
      <path class="edge" marker-end="url(#arrow)" d="M 206 380 C 280 380 296 342 362 302" />
      <path class="edge" marker-end="url(#arrow)" d="M 506 302 C 574 342 596 380 664 380" />
      <path class="edge" marker-end="url(#arrow)" d="M 506 426 C 574 426 596 426 664 426" />
    </g>

    <!-- Left column: the two things a principal can hold. -->
    <g>
      <rect class="node input" x="58" y="140" width="148" height="76" rx="10" />
      <text class="label" x="92" y="170">Principal</text>
      <text class="small" x="92" y="192">user, group, SP</text>

      <rect class="node external" x="58" y="342" width="148" height="76" rx="10" />
      <text class="label" x="90" y="372">Data Role</text>
      <text class="small" x="90" y="394">service-specific</text>
    </g>

    <!-- Management plane: ARM role assignment leads to configure/deploy on the resource. -->
    <g>
      <rect class="zone" x="326" y="106" width="204" height="146" rx="14" />
      <text class="zone-label" x="356" y="136">Management plane</text>
      <rect class="node process" x="350" y="156" width="144" height="62" rx="9" />
      <text class="label" x="390" y="184">Azure ARM</text>
      <text class="small" x="390" y="204">role assignment</text>

      <rect class="node storage" x="642" y="140" width="172" height="76" rx="10" />
      <text class="label" x="682" y="170">Resource</text>
      <text class="small" x="682" y="192">configure / deploy</text>
    </g>

    <!-- Data plane: each service is paired with the question a reviewer must answer separately. -->
    <g>
      <rect class="zone" x="326" y="268" width="548" height="206" rx="14" />
      <text class="zone-label" x="356" y="300">Data plane examples</text>

      <rect class="node storage" x="362" y="326" width="144" height="76" rx="9" />
      <text class="label" x="394" y="356">Storage</text>
      <text class="small" x="394" y="378">Blob data access</text>

      <rect class="node storage" x="362" y="416" width="144" height="76" rx="9" />
      <text class="label" x="392" y="446">Key Vault</text>
      <text class="small" x="392" y="468">secret access</text>

      <!-- NOTE(review): "check data auth" / "check vault model" should cover the non-RBAC paths too
           (shared keys and SAS for Storage, the access-policy model for Key Vault); a management-plane
           permission that can list account keys reaches data without any data role, which is the
           counter-example to the teaching point above. Confirm the lesson text names this. -->
      <rect class="node risk" x="664" y="326" width="168" height="76" rx="9" />
      <text class="label" x="698" y="356">Can read data?</text>
      <text class="small" x="698" y="378">check data auth</text>

      <rect class="node risk" x="664" y="416" width="168" height="76" rx="9" />
      <text class="label" x="698" y="446">Can read secret?</text>
      <text class="small" x="698" y="468">check vault model</text>
    </g>

    <!-- Footer rule of thumb. -->
    <text class="small" x="58" y="510">Decision rule: always name the plane, the scope, and the resource-specific authorization path.</text>
  </svg>
</main>