Core Compute Services
Azure offers four primary compute models. The choice depends on how much infrastructure you want to manage and how predictable your workload is.
Azure Virtual Machines (VMs) – Full IaaS. You manage the OS, updates, scaling. Good for lift-and-shift migrations and apps that require OS-level access.
Azure App Service – PaaS for web apps. No server management. Supports .NET, Java, Node, Python. Auto-scaling based on demand. Best for stateless web applications with standard request-response patterns.
Azure Kubernetes Service (AKS) – Managed Kubernetes. Microsoft handles the control plane; you manage worker nodes and pods. Ideal for containerized microservices.
Azure Functions – Serverless. Pay per execution, scale to zero automatically. Use for event-driven workloads, webhooks, or scheduled tasks.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# Azure CLI — must-know commands
# Login
az login
# Create a resource group (logical container for Azure resources)
az group create --name myapp-rg --location eastus
# Create a VM
az vm create \
--resource-group myapp-rg \
--name myapp-vm \
--image Ubuntu2204 \
--admin-username azureuser \
--generate-ssh-keys
# Deploy a container to Azure Container Instances (quick, no K8s needed)
az container create \
--resource-group myapp-rg \
--name myapp-container \
--image myapp:latest \
--cpu 1 \
--memory 1.5 \
--ports 8000
# Create an Azure Function (serverless)
az functionapp create \
--resource-group myapp-rg \
--consumption-plan-location eastus \
--runtime python \
--functions-version 4 \
--name myapp-functions \
--storage-account mystorageaccount
The Spectrum of Control
- VMs give you full control but you own patching, HA, and capacity planning
- App Service abstracts the OS but you still manage the app and scale settings
- AKS gives you Kubernetes without the control plane pain, but you need cluster expertise
- Functions remove servers entirely – you just write code and define triggers
Production Insight
VMs in Azure cost you even when they are stopped (allocated). Deallocate (stop deallocate) to avoid compute charges.
App Service scales slowly under sudden load – configure pre-warming rules for production traffic.
Functions have a cold start penalty (1-5 seconds) – use Premium plan if latency is critical.
Key Takeaway
Compute is a trade-off between control and convenience.
Choose the model that matches your team's operational maturity.
Buy only the infra you are willing to manage – everything else is a liability.
IfNeed full OS control or legacy app lift-and-shift
→
UseUse Virtual Machines
IfBuilding a new stateless web app with auto-scaling
→
UseUse App Service
IfRunning containerised microservices with complex networking
→
UseUse AKS
IfEvent-driven or infrequent workloads that should scale to zero
→
UseUse Azure Functions
Azure Storage
Azure Storage is the umbrella for four data services. They share a common authentication mechanism (storage account keys or Azure AD) and redundancy options.
Blob Storage – Object storage for unstructured data like images, backups, logs. Supports tiered access (hot, cool, archive) to optimise cost.
File Storage – Fully managed SMB file shares. Mountable from VMs and on-premises via VPN. Ideal for shared config files or legacy apps.
Queue Storage – Simple message queue for asynchronous task passing. Cheaper than Service Bus but only supports basic FIFO and no pub/sub.
Table Storage – NoSQL key-value store with schema-less entities. Useful for logs, metadata, or any dataset that needs fast key lookups but not complex queries.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# pip install azure-storage-blob
from azure.storage.blob import BlobServiceClient
connection_string = 'DefaultEndpointsProtocol=https;AccountName=...'
client = BlobServiceClient.from_connection_string(connection_string)
# Upload file to blob storage
container = client.get_container_client('documents')
with open('report.pdf', 'rb') as data:
container.upload_blob('reports/2025/report.pdf', data, overwrite=True)
# Download
blob = container.get_blob_client('reports/2025/report.pdf')
with open('local-report.pdf', 'wb') as f:
f.write(blob.download_blob().readall())
# List blobs
for blob in container.list_blobs(name_starts_with='reports/2025/'):
print(blob.name, blob.size)Storage Account Name Uniqueness
Storage account names must be globally unique across all Azure (all tenants). They are also DNS names (yourapp.blob.core.windows.net). Use a company-specific prefix plus a random suffix to avoid collisions.
Production Insight
Archive storage tier has a 30-day minimum bill – uploading a file and deleting it after a day still incurs 30 days of archive cost.
File shares over VPN can suffer from latency if on-premises line is slow – consider Azure File Sync for caching.
Blob storage soft delete is disabled by default – enable it to protect against accidental deletion.
Key Takeaway
Azure Storage is not one thing – it is four services under one auth model.
Never use Queue Storage for high-throughput or pub/sub – that's what Service Bus is for.
Enable soft delete, replication (RA-GRS for production), and use the right access tier to avoid billing shocks.
IfUnstructured files, images, backups
→
UseBlob Storage
IfShared file system mountable from multiple VMs
→
UseFile Storage
IfSimple message queue for decoupling components
→
UseQueue Storage
IfNoSQL key-value data with cheap storage
→
UseTable Storage
Azure Networking — Virtual Networks (VNet)
Azure Virtual Network (VNet) is the building block for private networking. Think of it as your own isolated segment of Azure's network.
Subnets – Divide a VNet into address ranges. Resources inside the same VNet can communicate by private IP unless blocked by Network Security Groups (NSGs).
Network Security Groups (NSGs) – Stateful firewalls that filter traffic based on source/destination IP, port, and protocol. Applied to subnets or individual NICs.
Peering – Connect VNets across regions for low-latency communication. Global peering is possible but data moves over Microsoft backbone.
Load Balancer & Application Gateway – Distribute traffic. Load Balancer works at Layer 4, Application Gateway at Layer 7 (HTTP/HTTPS with path-based routing and WAF).
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Create a VNet with two subnets
az network vnet create \
--resource-group myapp-rg \
--name myapp-vnet \
--address-prefix 10.0.0.0/16 \
--subnet-name web-subnet \
--subnet-prefixes 10.0.1.0/24
az network vnet subnet create \
--resource-group myapp-rg \
--vnet-name myapp-vnet \
--name db-subnet \
--address-prefixes 10.0.2.0/24
# Create an NSG rule to allow HTTP from internet
az network nsg rule create \
--resource-group myapp-rg \
--nsg-name web-nsg \
--name AllowHTTP \
--priority 100 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--destination-port-ranges 80
# Peer two VNets
az network vnet peering create \
--resource-group myapp-rg \
--name myapp-to-other \
--vnet-name myapp-vnet \
--remote-vnet /subscriptions/.../resourceGroups/other-rg/providers/Microsoft.Network/virtualNetworks/other-vnet \
--allow-vnet-access
NSG Deny-All Default
NSGs are deny-by-default. If you create a subnet without any NSG rules, all inbound traffic (except from within the same VNet) is blocked. Always explicitly allow required flows.
Production Insight
VNet peering is not transitive – if VNet-A peers with VNet-B and VNet-B peers with VNet-C, VNet-A cannot reach VNet-C unless a direct peering is created.
NSG flow logs are not enabled by default – turn them on for security auditing. Costs ~$2 per month per NSG.
Overlapping address spaces break peering – plan your CIDR blocks carefully.
Key Takeaway
VNets are free – subnets inside them are free – but everything attached (VPN, peering, public IP) costs money.
NSGs are the first line of defence – use them at the subnet level for broad rules, at the NIC level for fine-grained control.
Plan your IP ranges like you plan your budget – once resources are created, changing a VNet's address space is destructive.
IfLayer 4 load balancing (TCP/UDP) with low overhead
→
UseAzure Load Balancer
IfLayer 7 routing, SSL termination, web application firewall
→
UseApplication Gateway
IfGlobal load balancing across regions
→
UseTraffic Manager or Front Door
Identity and Access Management (Entra ID / Azure AD)
Azure Active Directory (now called Microsoft Entra ID) is the identity backbone of Azure. It authenticates users, groups, and service principals (service accounts for apps).
Role-Based Access Control (RBAC) – Assign roles at management group, subscription, resource group, or individual resource scope. Built-in roles include Owner, Contributor, Reader. Custom roles are also possible.
Managed Identities – Azure gives your app an identity without requiring explicit credentials. Use system-assigned (tied to a resource) or user-assigned (shared across resources) identities to access other Azure services securely.
Conditional Access – Policies that evaluate signals (user, device, location) before granting access. For example, require multi-factor authentication (MFA) when accessing from outside the corporate network.
Service Principals – App-level identities used for automated tooling (CI/CD, Terraform). Authenticate with client ID + secret or certificate.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# List roles assignable at subscription scope
az role definition list --custom-role-only true --output table
# Assign Reader role to a user at resource group scope
az role assignment create \
--assignee user@company.com \
--role Reader \
--resource-group myapp-rg
# Create a managed identity for a VM
az vm identity assign --resource-group myapp-rg --name myapp-vm
# Assign managed identity to Storage Blob Data Contributor role
az role assignment create \
--assignee $(az vm show --resource-group myapp-rg --name myapp-vm --query identity.principalId -o tsv) \
--role 'Storage Blob Data Contributor' \
--scope /subscriptions/.../resourceGroups/myapp-rg/providers/Microsoft.Storage/storageAccounts/mystorage
Least Privilege by Default
- RBAC roles are additive – if you assign both Reader and Contributor, the user gets Contributor permissions
- Deny assignments (via Azure Policy) override allowed roles
- Managed identities eliminate the need to store credentials in code
- Always use custom roles for granular permissions instead of using Contributor
Production Insight
Subscription-scoped roles apply to all resource groups inside – be careful granting Contributor at subscription level.
Service principal secrets expire – you can set them for up to 2 years. Rotate them in CI/CD pipelines.
Conditional Access policies can lock you out of Azure itself – always have a break-glass admin account with separate MFA method.
Key Takeaway
Entra ID is not optional – every Azure resource uses it under the hood, even if you never configure it.
RBAC is not a firewall – it controls who can perform actions, not network traffic. Combine with NSGs.
Managed identities are the safest way to let your apps talk to Azure services – use them over connection strings.
IfHuman user accessing Azure Portal
→
UseUse user account with RBAC via Entra ID
IfApp running on an Azure resource (VM, App Service, AKS)
→
UseUse Managed Identity
IfAutomated tool (Terraform, GitHub Actions) running outside Azure
→
UseUse Service Principal with client secret or certificate
Management and Monitoring — Azure Monitor
Azure Monitor aggregates logs, metrics, and alerts from across your Azure estate. It consists of:
Metrics – Numerical data points collected at regular intervals (CPU usage, requests per minute). Stored for 93 days by default.
Logs – Full text log files from Azure resources (VM system logs, App Service errors, SQL audit logs). Requires a Log Analytics workspace.
Alerts – Rules that trigger when a metric crosses a threshold or a log query returns results. Actions can notify via email, SMS, or push to ITSM tools.
Application Insights – Application Performance Management (APM) for your apps. Tracks request rates, response times, exceptions, and dependency calls. Works for .NET, Java, Node.js, Python.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Create a Log Analytics workspace
az monitor log-analytics workspace create \
--resource-group myapp-rg \
--workspace-name myapp-logs \
--location eastus
# Query logs using KQL (example: failed requests in last hour)
# Not a direct CLI command – uses the portal or REST API
# KQL: requests | where timestamp > ago(1h) and success == false
# Create an alert rule for high CPU
az monitor metrics alert create \
--resource-group myapp-rg \
--name 'High CPU Alert' \
--scopes /subscriptions/.../resourceGroups/myapp-rg/providers/Microsoft.Compute/virtualMachines/myapp-vm \
--condition 'avg Percentage CPU > 80' \
--window-size 5m \
--evaluation-frequency 1m \
--action email admin@company.com
Log Query Costs
Every GB ingested into Log Analytics costs ~$2.30. Use Basic Logs tier for infrequently accessed data, reserved capacity for high-volume workloads. Set daily caps to avoid bill shock.
Production Insight
Application Insights sampling can mask low-frequency errors – use fixed-rate sampling (e.g., 50%) or head-based sampling for critical apps.
Log Analytics retention default is 31 days. Extend to 1 year for compliance but expect higher costs.
Metrics alerts have a 1-minute evaluation frequency but a 5-minute window – no real-time alerting natively. Consider Azure Sentinel for near-real-time.
Key Takeaway
You cannot fix what you do not measure – set up Azure Monitor before you deploy your first production workload.
Alerts should not be firehoses – tune conditions to avoid noise. A noisy alert that gets ignored is worse than no alert.
Log Analytics is powerful but expensive – use basic logs for debug data, and filter logs aggressively in your application.