Azure is Microsoft's public cloud platform with 200+ services across compute, storage, networking, databases, AI, and IoT
Resource Groups are the fundamental unit: every resource belongs to one, and deleting the group deletes everything inside
Compute options: VMs (IaaS), App Service (PaaS), AKS (Kubernetes), Functions (serverless) – each fits different operational models
Storage comes in four types: Blob (object), File (SMB), Queue (messaging), and Table (NoSQL key-value)
Performance: choose regions wisely – eastus vs westeurope adds ~20ms latency; inter-region traffic costs egress
Production trap: deleting a Resource Group is irreversible – no recycle bin, no soft-delete for most resources
Biggest mistake: assuming Azure names are globally unique – some (like storage accounts) must be globally unique, others (like VMs) only within a region
What is Introduction to Azure?
Azure Resource Groups are logical containers that bundle related Azure resources—like VMs, storage accounts, virtual networks, and monitoring configurations—under a single lifecycle. When you delete a resource group, Azure performs a cascading delete of every resource inside it, with no built-in recovery mechanism.
This is the nuclear option because it doesn't just remove compute or storage; it tears down networking, identity assignments, and monitoring data in one irreversible action. For example, deleting a resource group that hosts a production app's VMs, its Azure SQL database, and its Application Insights instance will erase all of them simultaneously, often within seconds.
The only safeguard is a manual lock (Delete or Read-Only) applied at the resource group level, which blocks deletion until explicitly removed. Without that lock, a single click in the portal, a misrouted CLI command, or an automation script bug can wipe out weeks of configuration and data.
Azure's shared responsibility model means Microsoft won't restore deleted resource groups. You'd need per-service protection such as Azure Backup or geo-redundant storage, and even those don't undo the group-level deletion itself. This is why production deployments typically enforce Azure Policy to require resource locks on critical groups, and why teams use infrastructure-as-code (Terraform, Bicep) to rebuild from scratch if deletion occurs.
Alternatives include using separate resource groups per environment (dev, staging, prod) with distinct RBAC permissions, or deploying resources into a management group hierarchy that limits deletion scope. When not to use a single resource group: for any multi-tier application where you need independent lifecycle management—for instance, keeping a shared VNet in one group while app VMs live in another, so deleting the app group doesn't strand the network.
Why Deleting an Azure Resource Group Is a Nuclear Option
An Azure Resource Group is a logical container that holds related resources for an application — VMs, databases, storage accounts, App Services, and more. The core mechanic: deleting the resource group is an atomic, irreversible operation that removes every resource inside it. There is no recycle bin, no soft delete for the group itself. One REST API call or portal click cascades into a delete operation on each child resource, each of which may have its own hard-delete semantics (e.g., a SQL database is dropped, a storage account is purged).
Practically, resource groups enforce a lifecycle boundary. Every resource must belong to exactly one group, and the group’s Azure Resource Manager (ARM) lock or RBAC permissions apply to all contained resources. The group itself has no cost — it’s a management construct — but its deletion triggers a synchronous, ordered teardown. If any child resource fails to delete (e.g., due to a lock or a pending backup), the entire group deletion fails, leaving the group in a partially deleted state that requires manual cleanup.
Use resource groups to model deployment units — one group per environment (dev, staging, prod) or per microservice. The critical rule: never grant delete permissions on a resource group to anyone who doesn’t need to destroy the entire application. In production, always apply a CanNotDelete lock on the resource group to prevent accidental deletion. This is not optional — it’s the single most effective guard against a self-inflicted outage.
Deletion Is Not Reversible
There is no undo for resource group deletion. Even with Azure’s soft-delete features for individual services (like blob storage), the group-level delete bypasses them.
Production Insight
A junior engineer clicked 'Delete resource group' instead of 'Stop' on a dev environment that shared a subscription with production.
The symptom: all production VMs, databases, and App Services vanished within 90 seconds — no gradual degradation, no warning.
Rule of thumb: always apply a CanNotDelete lock on every production resource group and use Azure Policy to enforce it at subscription scope.
Key Takeaway
Resource group deletion is atomic and irreversible — treat it like rm -rf on the entire application.
Always apply a CanNotDelete lock on production resource groups; it’s the cheapest insurance against human error.
Model resource groups as deployment units, not cost centers — one group per environment or service, never mix lifecycles.
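The lock check described above, as an added example (not code from the original page): it classifies each production-tagged resource group by whether a delete-blocking lock actually covers it, running offline over constructed JSON in a simplified shape (not the exact `az group list` / `az lock list` output); `SUB-ID` is a placeholder subscription id.

```python
"""Audit which production resource groups lack a delete-blocking lock.

Added example, not code from the original page. It runs offline over
constructed JSON in a simplified shape (name/tags for groups, name/level/scope
for locks) rather than the exact `az group list` / `az lock list` output.
SUB-ID is a placeholder subscription id.
"""
import json

# Constructed sample of resource groups with their tags.
GROUPS_JSON = """[
  {"name": "prod-web-rg",   "tags": {"env": "prod"}},
  {"name": "prod-db-rg",    "tags": {"env": "prod"}},
  {"name": "shared-net-rg", "tags": {"env": "prod"}},
  {"name": "dev-web-rg",    "tags": {"env": "dev"}}
]"""

# Constructed sample of management locks. Locks inherit down the scope tree,
# so a lock at subscription scope would protect every group in it.
LOCKS_JSON = """[
  {"name": "no-delete", "level": "CanNotDelete",
   "scope": "/subscriptions/SUB-ID/resourceGroups/prod-web-rg"},
  {"name": "frozen", "level": "ReadOnly",
   "scope": "/subscriptions/SUB-ID/resourceGroups/shared-net-rg"},
  {"name": "vm-only", "level": "CanNotDelete",
   "scope": "/subscriptions/SUB-ID/resourceGroups/dev-web-rg/providers/Microsoft.Compute/virtualMachines/dev-vm"}
]"""

GROUPS = json.loads(GROUPS_JSON)
LOCKS = json.loads(LOCKS_JSON)

# Both lock levels block deletion; ReadOnly additionally blocks updates.
DELETE_BLOCKING = {"CanNotDelete", "ReadOnly"}


def lock_coverage(rg_name, locks, sub_id="SUB-ID"):
    """Classify the delete protection of one group.

    'full'    - a blocking lock sits at subscription or group scope
    'partial' - only a child resource is locked: the group delete fails,
                but the unlocked siblings are torn down first
    'none'    - nothing stops `az group delete`
    """
    sub_scope = f"/subscriptions/{sub_id}".lower()
    group_scope = f"{sub_scope}/resourcegroups/{rg_name}".lower()
    coverage = "none"
    for lock in locks:
        if lock["level"] not in DELETE_BLOCKING:
            continue
        scope = lock["scope"].lower()
        if scope in (sub_scope, group_scope):
            return "full"
        if scope.startswith(group_scope + "/"):
            coverage = "partial"
    return coverage


def audit_groups(groups, locks, tag=("env", "prod")):
    """Map every group carrying the production tag to its lock coverage."""
    key, value = tag
    return {g["name"]: lock_coverage(g["name"], locks)
            for g in groups if (g.get("tags") or {}).get(key) == value}


def unprotected(groups, locks):
    """Production groups that should be flagged (and that Azure Policy should catch)."""
    return sorted(name for name, cov in audit_groups(groups, locks).items()
                  if cov != "full")


if __name__ == "__main__":
    for name, cov in audit_groups(GROUPS, LOCKS).items():
        print(f"{name:15s} {cov}")
    print("unprotected:", unprotected(GROUPS, LOCKS))
```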
Azure Resource Group Deletion Cascade
Core Compute Services
Azure offers four primary compute models. The choice depends on how much infrastructure you want to manage and how predictable your workload is.
Azure Virtual Machines (VMs) – Full IaaS. You manage the OS, updates, scaling. Good for lift-and-shift migrations and apps that require OS-level access.
Azure App Service – PaaS for web apps. No server management. Supports .NET, Java, Node, Python. Auto-scaling based on demand. Best for stateless web applications with standard request-response patterns.
Azure Kubernetes Service (AKS) – Managed Kubernetes. Microsoft handles the control plane; you manage worker nodes and pods. Ideal for containerized microservices.
Azure Functions – Serverless. Pay per execution, scale to zero automatically. Use for event-driven workloads, webhooks, or scheduled tasks.
```bash
# Azure CLI — must-know commands
# Login
az login

# Create a resource group (logical container for Azure resources)
az group create --name myapp-rg --location eastus

# Create a VM
az vm create \
  --resource-group myapp-rg \
  --name myapp-vm \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --generate-ssh-keys

# Deploy a container to Azure Container Instances (quick, no K8s needed)
az container create \
  --resource-group myapp-rg \
  --name myapp-container \
  --image myapp:latest \
  --cpu 1 \
  --memory 1.5 \
  --ports 8000

# Create an Azure Function (serverless); Python functions run on Linux,
# so the OS type is set explicitly
az functionapp create \
  --resource-group myapp-rg \
  --consumption-plan-location eastus \
  --runtime python \
  --functions-version 4 \
  --os-type Linux \
  --name myapp-functions \
  --storage-account mystorageaccount
```
The Spectrum of Control
VMs give you full control but you own patching, HA, and capacity planning
App Service abstracts the OS but you still manage the app and scale settings
AKS gives you Kubernetes without the control plane pain, but you need cluster expertise
Functions remove servers entirely – you just write code and define triggers
Production Insight
VMs in Azure cost you even when they are stopped but still allocated. Deallocate them ('Stop (deallocate)' in the portal, az vm deallocate in the CLI) to avoid compute charges.
App Service scales slowly under sudden load – configure pre-warming rules for production traffic.
Functions have a cold start penalty (1-5 seconds) – use Premium plan if latency is critical.
Key Takeaway
Compute is a trade-off between control and convenience.
Choose the model that matches your team's operational maturity.
Buy only the infra you are willing to manage – everything else is a liability.
Choose Your Compute Model
If you need full OS control or a legacy app lift-and-shift → use Virtual Machines
If you are building a new stateless web app with auto-scaling → use App Service
If you are running containerised microservices with complex networking → use AKS
If you have event-driven or infrequent workloads that should scale to zero → use Azure Functions
Azure Storage
Azure Storage is the umbrella for four data services. They share a common authentication mechanism (storage account keys or Azure AD) and redundancy options.
Blob Storage – Object storage for unstructured data like images, backups, logs. Supports tiered access (hot, cool, archive) to optimise cost.
File Storage – Fully managed SMB file shares. Mountable from VMs and on-premises via VPN. Ideal for shared config files or legacy apps.
Queue Storage – Simple message queue for asynchronous task passing. Cheaper than Service Bus but only supports basic FIFO and no pub/sub.
Table Storage – NoSQL key-value store with schema-less entities. Useful for logs, metadata, or any dataset that needs fast key lookups but not complex queries.
```python
# pip install azure-storage-blob
from azure.storage.blob import BlobServiceClient

connection_string = 'DefaultEndpointsProtocol=https;AccountName=...'
client = BlobServiceClient.from_connection_string(connection_string)

# Upload file to blob storage
container = client.get_container_client('documents')
with open('report.pdf', 'rb') as data:
    container.upload_blob('reports/2025/report.pdf', data, overwrite=True)

# Download
blob = container.get_blob_client('reports/2025/report.pdf')
with open('local-report.pdf', 'wb') as f:
    f.write(blob.download_blob().readall())

# List blobs
for blob in container.list_blobs(name_starts_with='reports/2025/'):
    print(blob.name, blob.size)
```
Storage Account Name Uniqueness
Storage account names must be globally unique across all Azure (all tenants). They are also DNS names (yourapp.blob.core.windows.net). Use a company-specific prefix plus a random suffix to avoid collisions.
Production Insight
Archive storage tier has a 30-day minimum bill – uploading a file and deleting it after a day still incurs 30 days of archive cost.
File shares over VPN can suffer from latency if on-premises line is slow – consider Azure File Sync for caching.
Blob storage soft delete is disabled by default – enable it to protect against accidental deletion.
Key Takeaway
Azure Storage is not one thing – it is four services under one auth model.
Never use Queue Storage for high-throughput or pub/sub – that's what Service Bus is for.
Enable soft delete, replication (RA-GRS for production), and use the right access tier to avoid billing shocks.
Choose Your Storage Type
If you have unstructured files, images, backups → use Blob Storage
If you need a shared file system mountable from multiple VMs → use File Storage
If you need a simple message queue for decoupling components → use Queue Storage
If you have NoSQL key-value data with cheap storage → use Table Storage
Azure Networking — Virtual Networks (VNet)
Azure Virtual Network (VNet) is the building block for private networking. Think of it as your own isolated segment of Azure's network.
Subnets – Divide a VNet into address ranges. Resources inside the same VNet can communicate by private IP unless blocked by Network Security Groups (NSGs).
Network Security Groups (NSGs) – Stateful firewalls that filter traffic based on source/destination IP, port, and protocol. Applied to subnets or individual NICs.
Peering – Connect VNets within or across regions for low-latency communication. Global peering is possible, and the traffic stays on the Microsoft backbone rather than the public internet.
Load Balancer & Application Gateway – Distribute traffic. Load Balancer works at Layer 4, Application Gateway at Layer 7 (HTTP/HTTPS with path-based routing and WAF).
```bash
# Create a VNet with two subnets
az network vnet create \
  --resource-group myapp-rg \
  --name myapp-vnet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name web-subnet \
  --subnet-prefixes 10.0.1.0/24

az network vnet subnet create \
  --resource-group myapp-rg \
  --vnet-name myapp-vnet \
  --name db-subnet \
  --address-prefixes 10.0.2.0/24

# Create an NSG rule to allow HTTP from internet
az network nsg rule create \
  --resource-group myapp-rg \
  --nsg-name web-nsg \
  --name AllowHTTP \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 80

# Peer two VNets
az network vnet peering create \
  --resource-group myapp-rg \
  --name myapp-to-other \
  --vnet-name myapp-vnet \
  --remote-vnet /subscriptions/.../resourceGroups/other-rg/providers/Microsoft.Network/virtualNetworks/other-vnet \
  --allow-vnet-access
```
NSG Deny-All Default
NSGs are deny-by-default. If you create a subnet without any NSG rules, all inbound traffic (except from within the same VNet) is blocked. Always explicitly allow required flows.
Production Insight
VNet peering is not transitive – if VNet-A peers with VNet-B and VNet-B peers with VNet-C, VNet-A cannot reach VNet-C unless a direct peering is created.
NSG flow logs are not enabled by default – turn them on for security auditing. Costs ~$2 per month per NSG.
Overlapping address spaces break peering – plan your CIDR blocks carefully.
Key Takeaway
VNets are free – subnets inside them are free – but everything attached (VPN, peering, public IP) costs money.
NSGs are the first line of defence – use them at the subnet level for broad rules, at the NIC level for fine-grained control.
Plan your IP ranges like you plan your budget – once resources are created, changing a VNet's address space is destructive.
Choose Your Traffic Distributor
If you need Layer 4 load balancing (TCP/UDP) with low overhead → use Azure Load Balancer
If you need Layer 7 routing, SSL termination, web application firewall → use Application Gateway
If you need global load balancing across regions → use Traffic Manager or Front Door
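The NSG behaviour described in this section (priority-ordered rules, the built-in 65000/65001/65500 defaults, the overlapping-CIDR peering trap, and the "0.0.0.0/0 for SSH/RDP" mistake from the common-mistakes list), as an added example that is not code from the original page. Rules are constructed dicts mirroring `az network nsg rule create` arguments; service tags are simplified as noted in the comments.

```python
"""Replay inbound NSG evaluation and flag SSH/RDP exposed to any source.

Added example, not code from the original page. Rules are constructed dicts
that mirror `az network nsg rule create` arguments; the three default inbound
rules are the ones every NSG carries. Service tags are simplified:
VirtualNetwork = packet flagged as coming from the VNet, Internet = not from
the VNet, AzureLoadBalancer = the 168.63.129.16 health-probe address.
"""
import ipaddress

DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "dest_ports": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "dest_ports": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "*", "dest_ports": "*"},
]

# Constructed custom rules: the page's AllowHTTP plus two management-port rules,
# one scoped to an office range (fine) and one open to any source (the trap).
RULES = [
    {"name": "AllowHTTP", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "source": "*", "dest_ports": "80"},
    {"name": "AllowSSHFromOffice", "priority": 110, "access": "Allow",
     "protocol": "Tcp", "source": "203.0.113.0/24", "dest_ports": "22"},
    {"name": "AllowRDPAny", "priority": 120, "access": "Allow",
     "protocol": "Tcp", "source": "*", "dest_ports": "3389"},
]

MGMT_PORTS = {22, 3389}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def port_matches(spec, port):
    """spec is '*', a port, a range 'a-b', or a comma-separated mix of these."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def source_matches(spec, src_ip, from_vnet):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return from_vnet
    if spec == "Internet":
        return not from_vnet
    if spec == "AzureLoadBalancer":
        return src_ip == "168.63.129.16"
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src_ip, dst_port, protocol="Tcp", from_vnet=False):
    """Lowest priority number wins; return (access, matching rule name)."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not port_matches(rule["dest_ports"], dst_port):
            continue
        if not source_matches(rule["source"], src_ip, from_vnet):
            continue
        return rule["access"], rule["name"]
    raise AssertionError("DenyAllInBound always matches")


def exposed_mgmt_rules(rules):
    """Names of Allow rules that open SSH/RDP to any source."""
    return [r["name"] for r in rules
            if r["access"] == "Allow" and r["source"] in ANY_SOURCE
            and any(port_matches(r["dest_ports"], p) for p in MGMT_PORTS)]


def overlapping_prefixes(a, b):
    """Two VNet address spaces that overlap cannot be peered."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.7", 22))       # denied by DenyAllInBound
    print(evaluate(RULES, "10.0.2.5", 5432, from_vnet=True))
    print("exposed:", exposed_mgmt_rules(RULES))
    print("10.0.0.0/16 vs 10.0.1.0/24 overlap:", overlapping_prefixes("10.0.0.0/16", "10.0.1.0/24"))
```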
Identity and Access Management (Entra ID / Azure AD)
Azure Active Directory (now called Microsoft Entra ID) is the identity backbone of Azure. It authenticates users, groups, and service principals (service accounts for apps).
Role-Based Access Control (RBAC) – Assign roles at management group, subscription, resource group, or individual resource scope. Built-in roles include Owner, Contributor, Reader. Custom roles are also possible.
Managed Identities – Azure gives your app an identity without requiring explicit credentials. Use system-assigned (tied to a resource) or user-assigned (shared across resources) identities to access other Azure services securely.
Conditional Access – Policies that evaluate signals (user, device, location) before granting access. For example, require multi-factor authentication (MFA) when accessing from outside the corporate network.
Service Principals – App-level identities used for automated tooling (CI/CD, Terraform). Authenticate with client ID + secret or certificate.
```bash
# List custom role definitions (drop --custom-role-only to include built-in roles)
az role definition list --custom-role-only true --output table

# Assign Reader role to a user at resource group scope
az role assignment create \
  --assignee user@company.com \
  --role Reader \
  --resource-group myapp-rg

# Create a system-assigned managed identity for a VM
az vm identity assign --resource-group myapp-rg --name myapp-vm

# Assign the managed identity the Storage Blob Data Contributor role on one storage account
az role assignment create \
  --assignee $(az vm show --resource-group myapp-rg --name myapp-vm --query identity.principalId -o tsv) \
  --role 'Storage Blob Data Contributor' \
  --scope /subscriptions/.../resourceGroups/myapp-rg/providers/Microsoft.Storage/storageAccounts/mystorage
```
Least Privilege by Default
RBAC roles are additive – if you assign both Reader and Contributor, the user gets Contributor permissions
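Scope inheritance and additive roles, as an added example that is not code from the original page: it resolves a principal's effective roles at a scope, tells you who can delete a resource group, and flags privileged roles granted at subscription scope (the CI/CD anti-pattern from the interview answer later on this page). The assignment records and `SUB-ID` are constructed placeholders using real ARM scope path shapes.

```python
"""Resolve effective Azure RBAC roles at a scope and flag over-broad grants.

Added example, not the page's code. ASSIGNMENTS are constructed records
(principal, role, scope) with real ARM scope path shapes; SUB-ID is a
placeholder. Assignments inherit down the scope tree and roles are additive.
"""

ASSIGNMENTS = [
    {"principal": "user@company.com", "role": "Reader",
     "scope": "/subscriptions/SUB-ID"},
    {"principal": "user@company.com", "role": "Contributor",
     "scope": "/subscriptions/SUB-ID/resourceGroups/myapp-rg"},
    {"principal": "cicd-sp", "role": "Contributor",
     "scope": "/subscriptions/SUB-ID"},   # the over-broad pipeline grant
    {"principal": "myapp-vm", "role": "Storage Blob Data Contributor",
     "scope": "/subscriptions/SUB-ID/resourceGroups/myapp-rg/providers/"
              "Microsoft.Storage/storageAccounts/mystorage"},
]

# Built-in roles that carry write/delete or permission-granting power.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
CAN_DELETE_RG = {"Owner", "Contributor"}


def scope_covers(assigned, target):
    """An assignment applies to its own scope and every scope beneath it."""
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def scope_level(scope):
    """0 = management group, 1 = subscription, 2 = resource group, 3 = resource."""
    s = scope.lower()
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return 0
    if "/providers/" in s:
        return 3
    if "/resourcegroups/" in s:
        return 2
    return 1


def effective_roles(assignments, principal, target):
    """Additive union of every role the principal holds at or above target."""
    return sorted({a["role"] for a in assignments
                   if a["principal"] == principal and scope_covers(a["scope"], target)})


def can_delete_resource_group(assignments, principal, rg_scope):
    """Owner or Contributor at or above the group is enough to delete it."""
    return bool(CAN_DELETE_RG & set(effective_roles(assignments, principal, rg_scope)))


def broad_privileged(assignments):
    """Privileged roles granted at subscription or management-group scope."""
    return sorted((a["principal"], a["role"], a["scope"]) for a in assignments
                  if a["role"] in PRIVILEGED and scope_level(a["scope"]) <= 1)


if __name__ == "__main__":
    rg = "/subscriptions/SUB-ID/resourceGroups/myapp-rg"
    print(effective_roles(ASSIGNMENTS, "user@company.com", rg))   # additive: Contributor + Reader
    print(can_delete_resource_group(ASSIGNMENTS, "cicd-sp", rg))  # True: subscription-wide Contributor
    print(broad_privileged(ASSIGNMENTS))
```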
Management and Monitoring — Azure Monitor
Azure Monitor aggregates logs, metrics, and alerts from across your Azure estate. It consists of:
Metrics – Numerical data points collected at regular intervals (CPU usage, requests per minute). Stored for 93 days by default.
Logs – Full text log files from Azure resources (VM system logs, App Service errors, SQL audit logs). Requires a Log Analytics workspace.
Alerts – Rules that trigger when a metric crosses a threshold or a log query returns results. Actions can notify via email, SMS, or push to ITSM tools.
Application Insights – Application Performance Management (APM) for your apps. Tracks request rates, response times, exceptions, and dependency calls. Works for .NET, Java, Node.js, Python.
```bash
# Create a Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group myapp-rg \
  --workspace-name myapp-logs \
  --location eastus

# Query logs using KQL (example: failed requests in last hour)
# Not a direct CLI command – uses the portal or REST API
# KQL: requests | where timestamp > ago(1h) and success == false

# Alert rules notify through an action group, not a raw e-mail address:
# create one that e-mails the admin
az monitor action-group create \
  --resource-group myapp-rg \
  --name ops-email \
  --short-name ops \
  --action email admin admin@company.com

# Create an alert rule for high CPU
az monitor metrics alert create \
  --resource-group myapp-rg \
  --name 'High CPU Alert' \
  --scopes /subscriptions/.../resourceGroups/myapp-rg/providers/Microsoft.Compute/virtualMachines/myapp-vm \
  --condition 'avg Percentage CPU > 80' \
  --window-size 5m \
  --evaluation-frequency 1m \
  --action ops-email
```
Log Query Costs
Every GB ingested into Log Analytics costs ~$2.30. Use Basic Logs tier for infrequently accessed data, reserved capacity for high-volume workloads. Set daily caps to avoid bill shock.
Production Insight
Application Insights sampling can mask low-frequency errors – use fixed-rate sampling (e.g., 50%) or head-based sampling for critical apps.
Log Analytics retention default is 31 days. Extend to 1 year for compliance but expect higher costs.
Metrics alerts have a 1-minute evaluation frequency but a 5-minute window – no real-time alerting natively. Consider Azure Sentinel for near-real-time.
Key Takeaway
You cannot fix what you do not measure – set up Azure Monitor before you deploy your first production workload.
Alerts should not be firehoses – tune conditions to avoid noise. A noisy alert that gets ignored is worse than no alert.
Log Analytics is powerful but expensive – use basic logs for debug data, and filter logs aggressively in your application.
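How the window-size and evaluation-frequency settings above interact, as an added example that is not code from the original page: it replays the "avg Percentage CPU > 80 over 5m, evaluated every 1m" rule over constructed 1-minute samples and shows that a single spike never fires while sustained load fires a couple of minutes late.

```python
"""Replay the page's metric alert rule over constructed 1-minute CPU samples.

Added example, not the page's code. It mirrors --condition 'avg Percentage CPU > 80',
--window-size 5m and --evaluation-frequency 1m, and shows why a short spike never
fires and how far behind sustained load the first alert lands.
"""
from statistics import mean

# Constructed samples (minute, Percentage CPU): steady 70%, one 1-minute spike
# to 100% at minute 10, then sustained 95% from minute 15 onwards.
SAMPLES = ([(m, 70.0) for m in range(10)] + [(10, 100.0)]
           + [(m, 70.0) for m in range(11, 15)]
           + [(m, 95.0) for m in range(15, 25)])


def evaluate_alert(samples, window=5, frequency=1, threshold=80.0, aggregate=mean):
    """Return [(evaluation_minute, aggregated_value, fired)] the way the rule engine would.

    At each evaluation the aggregate is taken over the trailing `window` minutes
    (inclusive of the evaluation minute) and compared against the threshold.
    """
    by_minute = dict(samples)
    last = max(by_minute)
    results = []
    for t in range(window - 1, last + 1, frequency):
        in_window = [by_minute[m] for m in range(t - window + 1, t + 1) if m in by_minute]
        value = aggregate(in_window)
        results.append((t, round(value, 2), value > threshold))
    return results


def first_fire(samples, **kw):
    """Minute of the first evaluation that breaches the threshold, or None."""
    return next((t for t, _, fired in evaluate_alert(samples, **kw) if fired), None)


def evaluation_at(samples, minute, **kw):
    """The (minute, value, fired) tuple for one evaluation instant."""
    return next(r for r in evaluate_alert(samples, **kw) if r[0] == minute)


if __name__ == "__main__":
    print("spike at minute 10 evaluates to", evaluation_at(SAMPLES, 10))   # avg 76, no fire
    print("first fire with 5m window:", first_fire(SAMPLES))             # 17, two minutes after load began
    print("first fire with 1m window:", first_fire(SAMPLES, window=1))   # 10, the spike itself (noisy)
```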
What Prerequisites Actually Matter (and What Doesn't)
Before you touch Azure, forget the fluff. You don't need a PhD in networking or a certification in cloud architecture. What you do need is a working understanding of how operating systems handle memory and I/O, because every VM, function, and container you spin up will fight for those resources. You also need to know the basics of TCP/IP—subnets, CIDR notation, and DNS resolution. If you can't explain why your app's connection pool exhausted under load, Azure will make that failure spectacularly public. Finally, have a credit card ready. The free tier gives you $200 credit for 30 days, but forget to delete a resource group and you'll wake up to a bill that teaches you the cost of laziness. The rest—machine learning, IoT, cognitive services—you'll learn when the business need arrives. Focus on the fundamentals first.
check-prereqs.sh
```bash
#!/bin/bash
# io.thecodeforge
# Validate you have the baseline knowledge before touching Azure
echo "Checking prerequisites..."

# Can you explain CIDR? (ipcalc must be installed and able to parse a CIDR block)
if ! command -v ipcalc >/dev/null 2>&1 || ! ipcalc 10.0.0.0/24 >/dev/null 2>&1; then
    echo "FAIL: install ipcalc and learn subnetting"
    exit 1
fi

# Do you understand memory pressure?
top -b -n1 | head -20
echo "If 'used' RAM exceeds 90%, you are not ready for cloud scaling."
echo "PREREQ CHECK PASSED"
```
Output
Checking prerequisites...
FAIL: install ipcalc and learn subnetting
Production Trap:
The free tier's $200 credit expires in 30 days, but leftover resources will accrue charges. Script a cleanup job on day 1 using Azure CLI, or set a budget alert through Cost Management. Failure to do so is how junior devs explain $5,000 bills to their manager.
Key Takeaway
Understanding TCP/IP and OS resource management is non-negotiable; everything else you pick up on the job.
Cognitive Services: Don't Train a Model You Can Buy
Every new team wants to build their own machine learning model for sentiment analysis or object detection. Stop. Azure Cognitive Services gives you pre-built, API-accessible models for vision, speech, language, and decision-making. You call a REST endpoint with your data and get back structured JSON—no GPU clusters, no training data curation. The why is simple: training a custom model costs time and money, and your business probably doesn't have a competitive advantage in recognizing handwritten text. Use the pre-built APIs to ship features in days, not quarters. If you genuinely have a unique dataset and need customization, you can fine-tune using Custom Vision or Custom Translator later. But start with the off-the-shelf solution. Production tip: these APIs throttle at 20 requests per second on the free tier. Move to standard pricing before your demo goes viral.
Pre-built Cognitive Services APIs cost about $1 per 1,000 transactions for most tiers. A custom training job on a GPU VM can run $10/hour. Use the API first; fine-tune only when the baseline accuracy (usually 85-95%) isn't enough.
Key Takeaway
Azure Cognitive Services are good enough for production—don't waste budget building what's already served on an API.
Databases: Choose the Wrong One and You Redesign in 6 Months
Azure offers a spectrum of database flavors: Cosmos DB for global NoSQL, Azure SQL for relational, Azure Database for PostgreSQL, MySQL, and MariaDB, plus managed services like Azure Cache for Redis. The rookie mistake is picking what's familiar over what fits the data. If your workload needs ACID transactions and complex joins, use Azure SQL or PostgreSQL—don't force relational data into Cosmos DB and hack around lack of joins. Conversely, if you're storing session state or IoT telemetry with a flexible schema, Cosmos DB's multi-master replication and 99.999% SLA justifies its higher cost. The why: re-architecting data access patterns six months into production costs ten times more than choosing correctly upfront. Use the Azure Portal's Data Migration Assistant to test your schema against each service before committing. And for the love of everything, always use connection pooling and enable geo-redundancy if your users span regions.
CosmosConnection.cs
```csharp
// io.thecodeforge
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Cosmos;

// Use connection pooling via a singleton client.
// NEVER create a new CosmosClient per request.
public class CosmosService
{
    private static readonly CosmosClient _client = new CosmosClient(
        accountEndpoint: Environment.GetEnvironmentVariable("COSMOS_ENDPOINT"),
        authKeyOrResourceToken: Environment.GetEnvironmentVariable("COSMOS_KEY"),
        clientOptions: new CosmosClientOptions()
        {
            ConnectionMode = ConnectionMode.Direct,
            // Retry automatically on HTTP 429 (RU throttling) before surfacing the error
            MaxRetryAttemptsOnRateLimitedRequests = 9
        });

    public async Task<ItemResponse<T>> GetItemAsync<T>(string id, string partitionKey)
    {
        Container container = _client.GetContainer("mydb", "mycontainer");
        return await container.ReadItemAsync<T>(id, new PartitionKey(partitionKey));
    }
}
```
Output
ItemResponse with requested document or 404 CosmosException
Production Trap:
Cosmos DB charges based on Request Units (RU/s). Under-provision RUs and requests get throttled with HTTP 429. Over-provision and you burn budget. Use autoscale with a minimum RU/s that matches your baseline, and set alerts when usage exceeds 80% of provisioned throughput.
Key Takeaway
Match database to data access patterns upfront—relational queries on Azure SQL, flexible schema on Cosmos DB—or pay for a painful redesign later.
Production incident post-mortem (severity: high)
The Resource Group That Vanished at 2 AM
Symptom: Entire application goes down. Azure portal shows Resource Group missing; all VMs, databases, and storage accounts in that group are gone.
Assumption: Deleting a Resource Group only removes the logical container, not the resources inside.
Root cause: Resource Groups in Azure are not just tags – they are the life cycle boundary. Deleting the group sends a delete command to every resource within it, regardless of lock or soft-delete settings.
Fix: Restore from backups (if any). Azure does not have a built-in Resource Group recycle bin. Use Azure Policy to enforce a resource lock on critical groups that prevents deletion.
Key lesson:
Always apply a CanNotDelete lock to production Resource Groups.
Never grant delete permissions on Resource Groups to junior engineers without a change request process.
Production debug guide: Symptom → Action guide for the issues every Azure beginner hits (4 entries)
Symptom 01: VM SSH connection times out
Fix: Check NSG rules: ensure inbound SSH (port 22) is allowed from your IP. Verify the VM is running (az vm get-instance-view). Check boot diagnostics for OS-level issues.
Symptom 02: Storage account access denied (403)
Fix: Check firewall rules and network ACLs. Ensure the connection string is correct and not expired. Verify the identity (user or managed identity) has the Storage Blob Data Contributor role.
Symptom 03: Function app fails with 500
Fix: Check Application Insights logs. Verify the runtime stack version matches the code. Ensure the storage account connection string is valid (Functions depend on it for state).
Symptom 04: AKS pod cannot pull image
Fix: Verify the Azure Container Registry (ACR) exists and is accessible. Check the AKS cluster has the AcrPull role assigned. Ensure the image name and tag exist in the registry.
Azure CLI Quick Debug Commands: Five commands every Azure engineer should know to diagnose problems fast

Resource creation fails with quota error
Immediate action: Check current usage and limits
Commands:
az vm list-usage --location eastus --output table
az vm list-usage --location eastus --query "[?name.value=='standardDSv3Family']" --output table
Fix now: Request a quota increase via the Azure Portal, or use az vm create --size Standard_B2s to use a smaller family

Cannot connect to VM via private IP
Immediate action: Verify VNet and subnet existence
Commands:
az network vnet list --resource-group myapp-rg --output table
az network nic show --ids /subscriptions/.../networkInterfaces/myvm-nic --query 'ipConfigurations[].privateIpAddress' -o tsv
Fix now: If the NIC is in the wrong VNet, delete and recreate the VM with the correct --subnet

Storage account name already taken
Immediate action: Check for conflicts and generate a unique name
Commands:
az storage account check-name --name myuniquename --query 'nameAvailable'
az storage account create --name $(date +%s)myappsa --resource-group myapp-rg
Fix now: Use a naming convention with a random suffix, e.g., myappsa$(uuidgen | head -c 8)

Azure function fails to deploy
Immediate action: Validate function app configuration
Commands:
az functionapp config show --resource-group myapp-rg --name myapp-func --query 'linuxFxVersion' -o tsv
Fix now: Ensure the runtime stack matches your code. For Python, use --runtime python --functions-version 4
Azure vs AWS: Service Mapping
| AWS Service | Azure Equivalent | Purpose |
|---|---|---|
| EC2 | Azure VMs | Virtual machines (IaaS) |
| EKS | AKS | Managed Kubernetes |
| Lambda | Azure Functions | Serverless compute |
| S3 | Azure Blob Storage | Object storage |
| RDS | Azure SQL Database | Managed relational DB |
| CloudWatch | Azure Monitor | Monitoring and logging |
| IAM | Azure Active Directory (Entra ID) | Identity and access management |
| VPC | Azure Virtual Network (VNet) | Private networking |
| Route 53 | Azure DNS | DNS management |
| CloudFront | Azure CDN / Front Door | Content delivery network |
| Elastic Beanstalk | Azure App Service | PaaS for web apps |
| SQS | Azure Queue Storage / Service Bus | Message queuing |
Key takeaways
1. Resource Groups are the fundamental organisation unit in Azure – all resources belong to one.
2. Azure App Service – easiest way to deploy a web app, no server management.
3. AKS – managed Kubernetes; Microsoft handles the control plane.
4. Azure Functions – serverless; pay per execution, scale to zero.
5. Azure AD (now Entra ID) handles identity – integrates with existing corporate Microsoft accounts.
6. Azure Monitor is essential for operational visibility – enable it before production deployment.
7. Soft delete on Blob Storage should be enabled by default – it saves you from accidental deletions.
8. Managed identities are the safest way for Azure resources to authenticate to other Azure services – prefer them over connection strings or keys.
Common mistakes to avoid
(5 patterns)

Creating resources without a Resource Group
Symptom: You cannot create any Azure resource without specifying a Resource Group; the portal or CLI will refuse.
Fix: Always create a Resource Group first using az group create. Use a naming convention with environment and app name (e.g., prod-myapp-rg).

Assuming VM stops stop billing
Symptom: High costs on stopped VMs. Stopped (not deallocated) VMs still consume compute charges.
Fix: Use az vm deallocate or 'Stop (deallocate)' in the portal. For dev/test, consider auto-shutdown schedules.

Forgetting to enable soft delete on Blob Storage
Symptom: Accidental deletion of blobs results in permanent data loss with no recovery.
Fix: Enable soft delete on the storage account: az storage blob service-properties delete-policy update --account-name mystorage --enable true --days-retained 7

Opening all ports in NSG (0.0.0.0/0 for SSH/RDP)
Symptom: Brute-force attacks on SSH/RDP ports from the internet; compromised credentials lead to breach.
Fix: Restrict SSH/RDP to your office IP range or use Azure Bastion for secure access without a public IP.

Using shared access key for application connections
Symptom: Key leaked in a code repo or logs; attacker gains full access to the storage account.
Fix: Use managed identity for Azure resources (VMs, App Service) to access storage without keys. If keys must be used, store them in Key Vault and rotate regularly.
Interview Questions on This Topic
Q01 of 05 (Junior): What is an Azure Resource Group?
Answer: A logical container for Azure resources. Every resource you create must belong to one Resource Group. You can apply RBAC, tags, and cost tracking at the group level. Deleting a Resource Group deletes all resources inside it – it's a life cycle boundary, not just a label.

Q02 of 05 (Junior): What is the Azure equivalent of AWS Lambda?
Answer: Azure Functions. They provide serverless, event-driven compute. You write code (C#, Java, Python, Node, etc.) and Azure runs it when triggered by events like HTTP requests, queue messages, or schedule timers. Consumption plan scales to zero and charges per execution.

Q03 of 05 (Senior): What is the difference between Azure App Service and Azure Functions?
Answer: App Service is a PaaS for web applications that are always running and need a consistent HTTP endpoint. Functions is serverless – it runs code only when triggered and can scale to zero. App Service requires an always-on plan (dedicated or premium), while Functions can use consumption plan where you pay per execution.

Q04 of 05 (Senior): Explain how Azure RBAC works and give an example of least privilege.
Answer: RBAC assigns roles to users, groups, or service principals at a specific scope (management group, subscription, resource group, or resource). Each role has a set of actions (e.g., Microsoft.Compute/virtualMachines/start/action). Least privilege means assigning only the permissions needed. For example, a CI/CD pipeline should have Contributor access only to a specific resource group, not the entire subscription.

Q05 of 05 (Senior): What is the difference between Azure Load Balancer and Application Gateway?
Answer: Load Balancer (Layer 4) balances TCP/UDP traffic based on source IP and port. It does not inspect HTTP headers. Application Gateway (Layer 7) understands HTTP/HTTPS – it can route based on URL paths, host names, and perform SSL termination. Application Gateway also includes a Web Application Firewall (WAF) to protect against common web exploits.
Frequently Asked Questions
01. When should I choose Azure over AWS?
If your organisation already uses Microsoft 365, Azure Active Directory, or SQL Server — Azure integration is tighter and licensing often cheaper. If you are building .NET applications — Azure tooling and support is excellent. For greenfield projects with no Microsoft investment, AWS has a larger service catalog and broader community. GCP is preferred for data engineering and ML workloads.

02. What is an Azure Resource Group?
A Resource Group is a logical container for Azure resources — a VM, its storage account, its network interface, and its public IP address would all belong to the same Resource Group. You can apply RBAC (access control), tags, and cost tracking at the Resource Group level. Deleting a Resource Group deletes all resources in it.

03. What's the difference between stopping and deallocating a VM?
When you stop a VM (via guest OS shutdown or az vm stop), the VM enters a 'Stopped' state but still consumes compute charges because the underlying hardware is reserved. Deallocating (az vm deallocate) releases the hardware reservation – you then only pay for storage (disks, OS disk). Always deallocate VMs you are not using to save costs.

04. How do I secure a storage account?
Use firewall rules to restrict access to specific IPs or Virtual Networks. Use Azure AD authentication (managed identity) instead of access keys. Enable soft delete and versioning for blobs. Consider private endpoints to keep traffic within the Azure network. Encrypt data at rest (enabled by default with Microsoft-managed keys) and consider customer-managed keys for compliance.

05. What is the difference between Azure Front Door and Traffic Manager?
Both are global load balancers. Traffic Manager works at Layer 3/4 (DNS-level) – it directs traffic to endpoints based on routing method (performance, priority, weighted). It does not terminate connections. Front Door works at Layer 7 – it terminates HTTP/HTTPS, supports URL-based routing, SSL offload, and includes a Web Application Firewall. Use Front Door for web applications requiring advanced routing and security; use Traffic Manager for non-HTTP protocols or simpler DNS-level routing.