Azure Fundamentals for Agents

Resource Groups and Subscriptions#

Azure organizes resources in a hierarchy: Management Groups > Subscriptions > Resource Groups > Resources. An agent interacts most frequently with resource groups and the resources inside them.

A resource group is a logical container. Every Azure resource belongs to exactly one resource group. Resource groups are regional, but can contain resources from any region. They serve as the deployment boundary, the access control boundary, and the lifecycle boundary – deleting a resource group deletes everything inside it.

# Create a resource group
az group create --name prod-rg --location eastus

# List all resources in a group
az resource list --resource-group prod-rg --output table

# Delete a resource group and everything in it
az group delete --name staging-rg --yes --no-wait

Subscriptions are billing and policy boundaries. Most organizations use separate subscriptions for production, staging, and development. List subscriptions and set the active one:

az account list --output table
az account set --subscription "Production"

Entra ID (formerly Azure Active Directory)#

Entra ID is Azure’s identity provider. It manages users, groups, service principals, and managed identities. Where AWS has IAM roles, Azure has service principals and managed identities.

A service principal is an identity for an application or automation tool. A managed identity is a service principal that Azure manages automatically – no credential rotation needed. Always prefer managed identities for Azure-hosted workloads.

Create a service principal for CI/CD:

az ad sp create-for-rbac \
  --name "github-actions-deploy" \
  --role Contributor \
  --scopes /subscriptions/SUBSCRIPTION_ID/resourceGroups/prod-rg

This outputs appId, password, and tenant – store these securely. The password is shown only once.

Assign a role to a managed identity:

# Get the principal ID of a VM's managed identity
PRINCIPAL_ID=$(az vm show --name web-01 --resource-group prod-rg \
  --query identity.principalId --output tsv)

# Assign Storage Blob Data Reader role
az role assignment create \
  --assignee $PRINCIPAL_ID \
  --role "Storage Blob Data Reader" \
  --scope /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/myorgstorage

RBAC (Role-Based Access Control) uses three elements: a security principal (who), a role definition (what they can do), and a scope (where). Built-in roles include Owner, Contributor, Reader, and many service-specific roles. Always assign the narrowest scope possible.

# List role assignments for a resource group
az role assignment list --resource-group prod-rg --output table

# List available built-in roles
az role definition list --query "[?contains(roleName, 'Storage')].[roleName,description]" --output table

VNets, Subnets, and NSGs#

A Virtual Network (VNet) is Azure’s equivalent of a VPC. It defines an isolated address space within a region.

# Create a VNet
az network vnet create \
  --resource-group prod-rg \
  --name prod-vnet \
  --address-prefix 10.0.0.0/16

# Create subnets
az network vnet subnet create \
  --resource-group prod-rg \
  --vnet-name prod-vnet \
  --name public-subnet \
  --address-prefixes 10.0.1.0/24

az network vnet subnet create \
  --resource-group prod-rg \
  --vnet-name prod-vnet \
  --name private-subnet \
  --address-prefixes 10.0.2.0/24

Network Security Groups (NSGs) are stateful firewalls applied to subnets or individual NICs. They contain prioritized rules evaluated from lowest to highest number.

# Create an NSG
az network nsg create --resource-group prod-rg --name web-nsg

# Allow HTTPS inbound
az network nsg rule create \
  --resource-group prod-rg \
  --nsg-name web-nsg \
  --name AllowHTTPS \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 443

# Associate NSG with a subnet
az network vnet subnet update \
  --resource-group prod-rg \
  --vnet-name prod-vnet \
  --name public-subnet \
  --network-security-group web-nsg

VNet peering connects two VNets so resources can communicate using private IPs:

az network vnet peering create \
  --resource-group prod-rg \
  --name prod-to-shared \
  --vnet-name prod-vnet \
  --remote-vnet /subscriptions/SUB_ID/resourceGroups/shared-rg/providers/Microsoft.Network/virtualNetworks/shared-vnet \
  --allow-vnet-access

Virtual Machines#

Azure VMs follow a similar sizing pattern to AWS. The naming convention is: Standard_D4s_v5 means family D (general purpose), 4 vCPUs, s (premium storage capable), version 5. Key families: B for burstable, D for general purpose, E for memory-optimized, F for compute-optimized, N for GPU.

# Create a VM
az vm create \
  --resource-group prod-rg \
  --name web-01 \
  --image Ubuntu2204 \
  --size Standard_D2s_v5 \
  --vnet-name prod-vnet \
  --subnet private-subnet \
  --nsg web-nsg \
  --admin-username azureuser \
  --generate-ssh-keys \
  --assign-identity \
  --output table

The --assign-identity flag creates a system-assigned managed identity automatically. List available VM sizes for a region:

az vm list-sizes --location eastus --query "[?contains(name, 'Standard_D')]" --output table

Check VM status:

az vm get-instance-view --resource-group prod-rg --name web-01 \
  --query "[powerState, provisioningState]" --output table

AKS: Azure Kubernetes Service#

AKS is Azure’s managed Kubernetes. The control plane is free – you pay only for worker nodes.

# Create a cluster
az aks create \
  --resource-group prod-rg \
  --name prod-cluster \
  --node-count 3 \
  --node-vm-size Standard_D4s_v5 \
  --network-plugin azure \
  --vnet-subnet-id /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Network/virtualNetworks/prod-vnet/subnets/private-subnet \
  --enable-managed-identity \
  --generate-ssh-keys

# Get credentials for kubectl
az aks get-credentials --resource-group prod-rg --name prod-cluster

# Scale the node pool
az aks scale --resource-group prod-rg --name prod-cluster --node-count 5

# Enable the cluster autoscaler
az aks update --resource-group prod-rg --name prod-cluster \
  --enable-cluster-autoscaler \
  --min-count 2 --max-count 10

Add a second node pool for different workloads:

az aks nodepool add \
  --resource-group prod-rg \
  --cluster-name prod-cluster \
  --name gpupool \
  --node-count 1 \
  --node-vm-size Standard_NC6s_v3 \
  --labels workload=gpu

Check cluster health:

az aks show --resource-group prod-rg --name prod-cluster \
  --query "[provisioningState,powerState]" --output table

Azure SQL#

Azure SQL Database is a managed relational database. It offers single databases, elastic pools (multiple databases sharing resources), and managed instances (closer to full SQL Server compatibility).

# Create a SQL server
az sql server create \
  --resource-group prod-rg \
  --name myorg-sql-server \
  --admin-user sqladmin \
  --admin-password "$(openssl rand -base64 24)"

# Create a database
az sql db create \
  --resource-group prod-rg \
  --server myorg-sql-server \
  --name app-db \
  --edition GeneralPurpose \
  --compute-model Serverless \
  --auto-pause-delay 60 \
  --min-capacity 0.5 \
  --max-size 32GB

# Configure firewall rules
az sql server firewall-rule create \
  --resource-group prod-rg \
  --server myorg-sql-server \
  --name AllowAzureServices \
  --start-ip-address 0.0.0.0 \
  --end-ip-address 0.0.0.0

For production, use private endpoints instead of firewall rules to keep traffic on the Azure backbone.

Blob Storage#

Azure Blob Storage is the equivalent of S3. Blobs live inside containers (not to be confused with Docker containers), which live inside storage accounts.

# Create a storage account
az storage account create \
  --resource-group prod-rg \
  --name myorgstorage2026 \
  --sku Standard_LRS \
  --kind StorageV2 \
  --min-tls-version TLS1_2

# Create a container
az storage container create \
  --account-name myorgstorage2026 \
  --name backups \
  --auth-mode login

# Upload a file
az storage blob upload \
  --account-name myorgstorage2026 \
  --container-name backups \
  --name db/backup-2026-02-22.sql.gz \
  --file ./backup.sql.gz \
  --auth-mode login

# List blobs
az storage blob list \
  --account-name myorgstorage2026 \
  --container-name backups \
  --auth-mode login --output table

Access tiers control cost: Hot (frequent access), Cool (infrequent, lower storage cost), Cold (rare access), and Archive (cheapest, hours to rehydrate). Set lifecycle management policies to tier automatically:

az storage account management-policy create \
  --account-name myorgstorage2026 \
  --resource-group prod-rg \
  --policy '{
    "rules": [{
      "name": "archive-old-backups",
      "enabled": true,
      "type": "Lifecycle",
      "definition": {
        "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["backups/"]},
        "actions": {
          "baseBlob": {
            "tierToCool": {"daysAfterModificationGreaterThan": 30},
            "tierToArchive": {"daysAfterModificationGreaterThan": 90}
          }
        }
      }
    }]
  }'

Azure Monitor#

Azure Monitor collects metrics and logs from all Azure resources. It includes Log Analytics for querying logs using KQL (Kusto Query Language).

# List available metrics for a resource
az monitor metrics list-definitions \
  --resource /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web-01

# Get CPU metrics for a VM
az monitor metrics list \
  --resource /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web-01 \
  --metric "Percentage CPU" \
  --interval PT5M \
  --start-time 2026-02-22T00:00:00Z \
  --end-time 2026-02-22T12:00:00Z

# Create an alert rule
az monitor metrics alert create \
  --resource-group prod-rg \
  --name high-cpu-web01 \
  --scopes /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web-01 \
  --condition "avg Percentage CPU > 80" \
  --window-size 5m \
  --evaluation-frequency 1m \
  --action /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Insights/actionGroups/ops-team

Query logs using the CLI (requires Log Analytics workspace):

az monitor log-analytics query \
  --workspace WORKSPACE_ID \
  --analytics-query "AzureActivity | where OperationNameValue contains 'delete' | project TimeGenerated, Caller, OperationNameValue | top 10 by TimeGenerated desc"

Quick Reference: Service Selection#

Need	Service	When to use
Compute (VMs)	Virtual Machines	Full OS control, custom software
Containers (Kubernetes)	AKS	K8s workloads, managed control plane
Relational DB	Azure SQL	Managed SQL Server/PostgreSQL
Object storage	Blob Storage	Files, backups, static assets
Identity	Entra ID	All authentication and authorization
Networking	VNet + NSGs	Isolation, segmentation, filtering
Monitoring	Azure Monitor	Metrics, logs, alerts
DNS	Azure DNS	Domain management, private DNS zones