Azure Basics
VMs, Blob Storage, App Service, Entra ID overview.
Theory
Azure Resource Manager (ARM) is the deployment plane — resources live in resource groups within a subscription. Tags drive cost allocation and policy.
Virtual Machines pair with Virtual Networks (VNets), subnets, NSGs (firewall rules), and Azure Load Balancer or Application Gateway for traffic.
Azure Blob Storage provides hot/cool/archive tiers for objects; Azure Files offers SMB shares. Use managed identities instead of storage keys in apps.
Azure Kubernetes Service (AKS) hosts container workloads — control plane is managed; you pay for node pools. Integrate with ACR for images and Key Vault for secrets.
Azure Functions is the serverless compute tier (consumption or premium plans). Bind to Event Grid, Service Bus, or HTTP triggers; watch cold start on consumption.
Entra ID provides SSO, conditional access, and RBAC across subscriptions. Prefer managed identities for Azure-to-Azure auth.
Monitor with Azure Monitor + Log Analytics; Application Insights for APM. Set action groups for alert routing.
Architecture Diagram
Entra ID (RBAC)
|
Subscription --> Resource Group
|
+----+----+----+----+
v v v v v
VM AKS Blob Func AppSvc
|
Log Analytics / MonitorExamples
az group create -n rg-app -l eastus
az storage account create -n mystore -g rg-app -l eastus --sku Standard_LRS
az aks create -g rg-app -n myaks --node-count 2 --generate-ssh-keys
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: 'mystore'
location: resourceGroup().location
sku: { name: 'Standard_LRS' }
kind: 'StorageV2'
}
Interview Questions
Resource group vs subscription?
Subscription is billing/admin boundary; resource group is lifecycle container for related resources.
NSG vs Azure Firewall?
NSG is subnet/NIC level rules; Azure Firewall is centralized L3-L7 appliance with FQDN filtering.
AKS vs Container Apps?
AKS full Kubernetes control; Container Apps is serverless container hosting with simpler ops for microservices.
Managed identity vs service principal?
Managed identities are Azure-managed credentials for resources; service principals are app registrations with secrets/certificates for external apps.
Bicep vs ARM JSON templates?
Bicep transpiles to ARM — cleaner syntax, modules, and type safety; ARM JSON is the deployment plane artifact.
How do you control Azure costs?
Tags for chargeback, budgets/alerts, right-size VMs, reserved capacity, and delete unused public IPs/NAT gateways in dev.
App Service vs AKS for a web API?
App Service for simple deploy and built-in scaling; AKS when you need K8s ecosystem, sidecars, or multi-service mesh.
Best Practices
- Version-control all Azure Basics configuration and review changes like application code.
- Automate validation (lint, policy checks) in CI before production apply.
- Document ownership, on-call runbooks, and rollback for every production change.
- Use least privilege for credentials and rotate secrets regularly.
- Measure before/after: error rate, deploy time, cost, or toil hours saved.
Common Mistakes
- Adopting Azure Basics without a written problem statement or success metric.
- Skipping staging that mirrors production networking and data volume.
- No rollback path — forward-only changes during incidents.
- Alert noise without actionable runbooks — on-call ignores pages.
Cheat Sheet
Practical Exercises
Deploy Linux VM with NSG allowing SSH only from your IP.
Push image to ACR; deploy to AKS with liveness probe.
Apply tags and review Cost Management breakdown.