Knowing about the control and data planes in Azure is a useful way to understand how the backend Azure infrastructure works. The concept is not hard to grasp, but understanding it lets you design infrastructure more securely: the two planes are authenticated and authorized separately, so permissions granted on one plane do not automatically extend to the other.
The operation of Azure is divided into two planes: control and data.
Control Plane
The control plane is the management layer for the resources in your subscription: creating, modifying, and deleting them. All control-plane requests go to the Azure Resource Manager (ARM) endpoint, whose URL varies by Azure environment (management.azure.com in the public cloud; sovereign clouds use their own). ARM authenticates the request with a Microsoft Entra ID token, checks Azure RBAC and Azure Policy, and then forwards the operation to the relevant resource provider, which applies the setting or feature you changed on the resource.
If the control plane is unavailable, you can still reach the data plane of your existing resources: a blob can still be downloaded even while a new storage account cannot be created.
Examples are creating a virtual machine or storage account, updating firewall rules, or provisioning a Postgres instance. Once a resource exists, day-to-day interaction with it happens through the data plane.
Data Plane
This plane covers the capabilities a resource type exposes and how you use them. They are specific to the resource (so not the same across resource types), and they are served by different endpoints and APIs from the control plane.
Data-plane requests are sent to an endpoint specific to that instance and require their own authentication: either a Microsoft Entra ID token issued for that service (for example, with audience https://storage.azure.com for Blob Storage) or resource-native credentials such as storage account keys or SAS tokens. Authorization is then evaluated against the data-plane permissions (DataActions) of the caller's roles, or against the key or token itself, not against the control-plane permissions that allowed someone to create the resource.
Examples might be:
Uploading a picture to an Azure Blob Storage container, authorized with Azure RBAC;
Mounting a file share and reading/writing files from it;
Using RDP or SSH to interact with the operating system of a virtual machine and run applications.
Retrieving a secret from Key Vault.
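The following is an added example, not code from the original post or from Microsoft, showing in a simplified model why the split matters for authorization. It classifies a request by its endpoint (the ARM host for the control plane, a resource-instance host for the data plane) and then evaluates the operation only against the matching list in the role definition: Actions/NotActions for the control plane, DataActions/NotDataActions for the data plane. The two role definitions are abridged from the built-in Contributor and Storage Blob Data Reader roles; the wildcard matching, the endpoint list, and the storage account name and subscription ID in the sample requests are assumptions made for illustration.

```python
"""Control plane vs data plane: a simplified model of how Azure RBAC keeps them apart.

Constructed example, not Azure's own code. Role definitions are abridged from the
built-in roles' Actions/DataActions/NotActions lists; endpoint rules are simplified.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Azure Resource Manager endpoint for the public cloud (sovereign clouds differ).
ARM_HOST = "management.azure.com"

# Data-plane host suffixes. Assumption: illustrative subset, not a complete list.
DATA_PLANE_SUFFIXES = (
    ".blob.core.windows.net",
    ".file.core.windows.net",
    ".vault.azure.net",
)


def classify_request(url: str) -> str:
    """Return 'control' for ARM requests and 'data' for resource-instance endpoints."""
    host = (urlparse(url).hostname or "").lower()
    if host == ARM_HOST:
        return "control"
    if host.endswith(DATA_PLANE_SUFFIXES):
        return "data"
    raise ValueError(f"unknown endpoint: {host}")


@dataclass
class Role:
    name: str
    actions: list = field(default_factory=list)           # control-plane allow list
    not_actions: list = field(default_factory=list)       # control-plane exclusions
    data_actions: list = field(default_factory=list)      # data-plane allow list
    not_data_actions: list = field(default_factory=list)  # data-plane exclusions


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: Role, operation: str, plane: str) -> bool:
    """Evaluate one operation against the list that belongs to its plane.

    A control-plane operation is checked only against Actions/NotActions and a
    data-plane operation only against DataActions/NotDataActions, so a role that
    grants '*' in Actions still grants nothing on the data plane.
    """
    if plane == "control":
        allow, deny = role.actions, role.not_actions
    else:
        allow, deny = role.data_actions, role.not_data_actions
    if any(_matches(p, operation) for p in deny):
        return False
    return any(_matches(p, operation) for p in allow)


CONTRIBUTOR = Role(
    name="Contributor",
    actions=["*"],
    not_actions=[  # abridged from the built-in role
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
)

BLOB_DATA_READER = Role(
    name="Storage Blob Data Reader",
    actions=[
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    ],
    data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
)

# Constructed requests: (URL, operation). The subscription ID and the account
# name 'examplesa' are hypothetical.
CREATE_ACCOUNT = (
    "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/examplesa?api-version=2023-01-01",
    "Microsoft.Storage/storageAccounts/write",
)
READ_BLOB = (
    "https://examplesa.blob.core.windows.net/pictures/cat.jpg",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
)


def evaluate(role: Role, request) -> bool:
    """Classify the request's plane, then check the role against that plane only."""
    url, operation = request
    return is_allowed(role, operation, classify_request(url))


if __name__ == "__main__":
    for role in (CONTRIBUTOR, BLOB_DATA_READER):
        for label, req in (("create storage account", CREATE_ACCOUNT), ("read blob", READ_BLOB)):
            print(f"{role.name:26} {label:24} {classify_request(req[0]):8} allowed={evaluate(role, req)}")
```

Running it shows the asymmetry the post describes: Contributor can create the storage account but cannot read a blob in it, while Storage Blob Data Reader can read the blob but cannot create or reconfigure the account. Contributor's own NotActions also show how a wildcard grant is carved back, since it cannot write role assignments under Microsoft.Authorization even though it has `*`.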
That’s the two planes in a nutshell. Understanding how they operate and interact matters when deploying and managing resources: a role that lets someone create or reconfigure a resource is not the same as a role that lets them read the data inside it, and access controls need to be applied on both planes.