Azure control plane and data plane

Azure operations can be divided into two categories - control plane and data plane. This article describes the differences between those two types of operations.

You use the control plane to manage resources in your subscription. You use the data plane to use capabilities exposed by your instance of a resource type.

For example:

  • You create a virtual machine through the control plane. After the virtual machine is created, you interact with it through data plane operations, such as Remote Desktop Protocol (RDP).

  • You create a storage account through the control plane. You use the data plane to read and write data in the storage account.

  • You create a Cosmos database through the control plane. To query data in the Cosmos database, you use the data plane.

Control plane

All requests for control plane operations are sent to the Azure Resource Manager URL. That URL varies by the Azure environment.

  • For Azure global, the URL is
  • For Azure Government, the URL is
  • For Azure Germany, the URL is
  • For Microsoft Azure China 21Vianet, the URL is

To discover which operations use the Azure Resource Manager URL, see the Azure REST API. For example, the create or update operation for MySql is a control plane operation because the request URL is:


Azure Resource Manager handles all control plane requests. It automatically applies the Azure features you've implemented to manage your resources, such as:

After authenticating the request, Azure Resource Manager sends it to the resource provider, which completes the operation.

The control plane includes two scenarios for handling requests - "green field" and "brown field". Green field refers to new resources. Brown field refers to existing resources. As you deploy resources, Azure Resource Manager understands when to create new resources and when to update existing resources. You don't have to worry that identical resources will be created.

Data plane

Requests for data plane operations are sent to an endpoint that is specific to your instance. For example, the Detect Language operation in Cognitive Services is a data plane operation because the request URL is:

POST {Endpoint}/text/analytics/v2.0/languages

Data plane operations aren't limited to REST API. They may require additional credentials such as logging in to a virtual machine or database server.

Features that enforce management and governance might not applied to data plane operations. You need to consider the different ways users interact with your solutions. For example, a lock that prevents users from deleting a database doesn't prevent users from deleting data through queries.

You can use some policies to govern data plane operations. For more information, see Resource Provider modes (preview) in Azure Policy.

Next steps