DevOps · Guide

Azure Basics

VMs, Blob Storage, App Service, Entra ID overview.

— min read DevOps

Theory

Azure organizes everything under subscriptions and resource groups — IAM via Entra ID (formerly Azure AD) is the security backbone.

Azure Resource Manager (ARM) is the deployment plane — resources live in resource groups within a subscription. Tags drive cost allocation and policy.

Virtual Machines pair with Virtual Networks (VNets), subnets, NSGs (firewall rules), and Azure Load Balancer or Application Gateway for traffic.

Azure Blob Storage provides hot/cool/archive tiers for objects; Azure Files offers SMB shares. Use managed identities instead of storage keys in apps.

Azure Kubernetes Service (AKS) hosts container workloads — control plane is managed; you pay for node pools. Integrate with ACR for images and Key Vault for secrets.

Azure Functions is the serverless compute tier (consumption or premium plans). Bind to Event Grid, Service Bus, or HTTP triggers; watch cold start on consumption.

Entra ID provides SSO, conditional access, and RBAC across subscriptions. Prefer managed identities for Azure-to-Azure auth.

Monitor with Azure Monitor + Log Analytics; Application Insights for APM. Set action groups for alert routing.

Architecture Diagram

  Entra ID (RBAC)
       |
  Subscription --> Resource Group
       |
  +----+----+----+----+
  v    v    v    v    v
 VM  AKS  Blob Func AppSvc
       |
  Log Analytics / Monitor

Examples

azure cli
az group create -n rg-app -l eastus
az storage account create -n mystore -g rg-app -l eastus --sku Standard_LRS
az aks create -g rg-app -n myaks --node-count 2 --generate-ssh-keys
bicep snippet
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'mystore'
  location: resourceGroup().location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
}

Interview Questions

Resource group vs subscription?

Subscription is billing/admin boundary; resource group is lifecycle container for related resources.

NSG vs Azure Firewall?

NSG is subnet/NIC level rules; Azure Firewall is centralized L3-L7 appliance with FQDN filtering.

AKS vs Container Apps?

AKS full Kubernetes control; Container Apps is serverless container hosting with simpler ops for microservices.

Managed identity vs service principal?

Managed identities are Azure-managed credentials for resources; service principals are app registrations with secrets/certificates for external apps.

Bicep vs ARM JSON templates?

Bicep transpiles to ARM — cleaner syntax, modules, and type safety; ARM JSON is the deployment plane artifact.

How do you control Azure costs?

Tags for chargeback, budgets/alerts, right-size VMs, reserved capacity, and delete unused public IPs/NAT gateways in dev.

App Service vs AKS for a web API?

App Service for simple deploy and built-in scaling; AKS when you need K8s ecosystem, sidecars, or multi-service mesh.

Best Practices

  • Version-control all Azure Basics configuration and review changes like application code.
  • Automate validation (lint, policy checks) in CI before production apply.
  • Document ownership, on-call runbooks, and rollback for every production change.
  • Use least privilege for credentials and rotate secrets regularly.
  • Measure before/after: error rate, deploy time, cost, or toil hours saved.

Common Mistakes

  • Adopting Azure Basics without a written problem statement or success metric.
  • Skipping staging that mirrors production networking and data volume.
  • No rollback path — forward-only changes during incidents.
  • Alert noise without actionable runbooks — on-call ignores pages.

Cheat Sheet

az loginAuthenticate CLI
Managed IdentityPasswordless Azure auth
ARM/BicepIaC deployments

Practical Exercises

RG + VM

Deploy Linux VM with NSG allowing SSH only from your IP.

AKS deploy

Push image to ACR; deploy to AKS with liveness probe.

Cost tags

Apply tags and review Cost Management breakdown.