返回 Skill 列表
extension
分类: 开发与工程无需 API Key

azure-basics

Azure云服务、资源管理和Azure CLI模式。在处理Azure资源、资源组、ARM模板、az命令(如az vm、az network、az storage、az aks)、Azure命名约定、RBAC策略、网络(VNet、NSG、应用程序网关)或实施Azure最佳实践以优化资源组织、成本管理和安全性时使用。

person作者: jakexiaohubgithub

Azure Basics Skill

Purpose

Provide Azure cloud platform best practices, CLI command patterns, and resource organization strategies for reliable, secure, and cost-effective cloud infrastructure.

Key Capabilities:

  • Azure CLI command patterns
  • Resource organization and naming
  • Networking fundamentals (VNet, NSG, routing)
  • RBAC and security
  • Cost management
  • ARM template patterns

When to Use This Skill

Auto-activates when:

  • Working with Azure resources (VMs, storage, databases, AKS)
  • Running Azure CLI commands (az commands)
  • Creating ARM templates or Bicep files
  • Managing Azure resource groups
  • Configuring Azure networking (VNets, subnets, NSGs)
  • Implementing Azure RBAC policies
  • Optimizing Azure costs

Quick Start

New Azure Project Checklist

  • [ ] Subscription Setup: Verify subscription access and limits
  • [ ] Naming Convention: Define resource naming standard
  • [ ] Resource Groups: Organize by environment/workload
  • [ ] Networking: Plan IP addressing (VNet, subnets)
  • [ ] RBAC: Configure least-privilege access
  • [ ] Tagging Strategy: Define required tags
  • [ ] Cost Budgets: Set spending alerts
  • [ ] Monitoring: Enable Azure Monitor and Log Analytics

Resource Deployment Checklist

  • [ ] Resource Group: Create or select target RG
  • [ ] Location: Choose Azure region
  • [ ] SKU Selection: Right-size resources for workload
  • [ ] Networking: Configure VNet integration
  • [ ] Security: Apply NSG rules, enable managed identity
  • [ ] Tags: Apply environment, owner, cost center tags
  • [ ] Backup: Configure backup policies (if applicable)
  • [ ] Monitoring: Enable diagnostics and alerts

Core Principles (7 Key Rules)

1. Use Resource Groups for Organization

Resource groups are lifecycle boundaries - group resources by lifecycle.

✅ GOOD - Organized by lifecycle
az group create --name prod-app-rg --location eastus
az group create --name prod-data-rg --location eastus
az group create --name shared-network-rg --location eastus

# App resources in app RG
# Data resources in data RG (longer lifecycle)
# Network resources in network RG (shared)

❌ BAD - All resources in one RG
az group create --name everything-rg --location eastus
# Deleting one resource risks deleting everything

Why: Simplifies resource management, enables batch operations, clear ownership.

2. Follow Azure Naming Conventions

Use consistent, descriptive naming patterns.

✅ GOOD - Consistent naming
# Pattern: {environment}-{workload}-{resource-type}-{region}
prod-webapp-vm-eastus
prod-webapp-storage-eastus
dev-api-aks-westus

❌ BAD - Inconsistent naming
vm1
storage-account-production
my-kubernetes

Recommended Pattern:

{env}-{workload}-{resource-type}[-{instance}]

env: dev, test, stage, prod
workload: webapp, api, data
resource-type: vm, vnet, storage, aks
instance: 01, 02 (for multiple instances)

3. Apply Tags for Cost Management

Tag all resources for cost tracking and organization.

✅ GOOD - Comprehensive tagging
az resource tag \
  --resource-group prod-app-rg \
  --name prod-webapp-vm \
  --resource-type Microsoft.Compute/virtualMachines \
  --tags \
    Environment=production \
    CostCenter=engineering \
    Owner=team-platform \
    Project=customer-portal

❌ BAD - No tags or inconsistent tags
# No visibility into cost allocation

Required Tags:

  • Environment (dev/test/prod)
  • CostCenter (billing allocation)
  • Owner (team/email)
  • Project (initiative/product)

4. Use Managed Identities (No Credentials)

Never store credentials - use Azure managed identities.

✅ GOOD - Managed identity
# Create VM with system-assigned identity
az vm create \
  --name prod-webapp-vm \
  --resource-group prod-app-rg \
  --assign-identity

# Grant access to Key Vault
az keyvault set-policy \
  --name prod-keyvault \
  --object-id $IDENTITY_ID \
  --secret-permissions get list

# Application uses identity (no credentials in code)

❌ BAD - Hardcoded credentials
# Connection strings in app config
# Service principal credentials in environment variables

Why: Eliminates credential rotation, reduces security risk, simplifies access management.

5. Implement Network Security Groups (NSGs)

Control traffic with NSGs - default deny, explicit allow.

✅ GOOD - Explicit NSG rules
az network nsg create --name frontend-nsg --resource-group prod-network-rg

# Allow HTTPS from internet
az network nsg rule create \
  --nsg-name frontend-nsg \
  --name allow-https \
  --priority 100 \
  --source-address-prefixes Internet \
  --destination-port-ranges 443 \
  --access Allow \
  --protocol Tcp

# Deny all other inbound
# (Default rule: DenyAllInbound at priority 65500)

❌ BAD - No NSG or overly permissive
az network nsg rule create \
  --name allow-all \
  --source-address-prefixes '*' \
  --destination-port-ranges '*' \
  --access Allow
# Security nightmare!

6. Use Azure Regions Strategically

Choose regions based on latency, compliance, cost.

✅ GOOD - Region strategy
# Primary: East US (closest to users)
# Secondary: West US (disaster recovery)
# Data residency: North Europe (GDPR compliance)

az group create --name prod-primary-rg --location eastus
az group create --name prod-dr-rg --location westus

❌ BAD - Random region selection
# No disaster recovery plan
# High latency for users
# Compliance violations

7. Right-Size Resources (Cost Optimization)

Start small, scale up - not reverse.

✅ GOOD - Right-sized VM
az vm create \
  --name prod-webapp-vm \
  --size Standard_B2s \  # 2 vCPU, 4 GB RAM
  --resource-group prod-app-rg

# Monitor, scale up if needed

❌ BAD - Oversized VM
az vm create \
  --size Standard_D16s_v3 \  # 16 vCPU, 64 GB RAM
  # For workload needing 2 vCPU
  # Wasting 87.5% of capacity

Cost Optimization:

  • Use Reserved Instances (1-3 year commit = 40-60% discount)
  • Auto-shutdown for dev/test VMs
  • Use Azure Advisor recommendations
  • Right-size based on actual metrics

Common Azure CLI Commands

| Command | Purpose | |---------|---------| | az login | Authenticate to Azure | | az account list | List subscriptions | | az account set | Switch subscription | | az group create | Create resource group | | az group delete | Delete resource group | | az resource list | List resources | | az vm create | Create virtual machine | | az network vnet create | Create virtual network | | az storage account create | Create storage account | | az aks create | Create AKS cluster |


Quick Reference

Resource Naming Patterns

| Resource Type | Pattern | Example | |---------------|---------|---------| | Resource Group | {env}-{workload}-rg | prod-webapp-rg | | Virtual Machine | {env}-{workload}-vm[-{instance}] | prod-api-vm-01 | | Storage Account | {env}{workload}storage | prodwebappstorage | | Virtual Network | {env}-{region}-vnet | prod-eastus-vnet | | Subnet | {purpose}-subnet | frontend-subnet | | NSG | {purpose}-nsg | frontend-nsg | | AKS Cluster | {env}-{workload}-aks | prod-api-aks |

Common Azure Regions

| Region | Location | Use Case | |--------|----------|----------| | eastus | East US | General purpose, low cost | | westus2 | West US 2 | West coast users | | centralus | Central US | Central location | | northeurope | North Europe | GDPR compliance | | westeurope | West Europe | European users | | southeastasia | Southeast Asia | APAC users |


Anti-Patterns to Avoid

❌ Anti-Pattern 1: Single Resource Group for Everything

Problem: All resources in one RG Issue: Cannot manage lifecycle independently Fix: Separate by environment, workload, or lifecycle

❌ Anti-Pattern 2: No Tagging Strategy

Problem: Resources without tags Issue: Cannot track costs or ownership Fix: Enforce required tags via Azure Policy

❌ Anti-Pattern 3: Overprivileged RBAC

Problem: Everyone has Contributor role Issue: Security risk, accidental deletions Fix: Least-privilege access (Reader, specific roles)

❌ Anti-Pattern 4: No Cost Budgets

Problem: No spending alerts Issue: Surprise bills, cost overruns Fix: Set budgets and alerts in Azure Cost Management

❌ Anti-Pattern 5: Public IP on Everything

Problem: All VMs have public IPs Issue: Increased attack surface Fix: Private networking with VPN/Bastion access


Common Workflows

Workflow 1: Create VNet with Subnets

# 1. Create resource group
az group create --name prod-network-rg --location eastus

# 2. Create VNet
az network vnet create \
  --name prod-eastus-vnet \
  --resource-group prod-network-rg \
  --address-prefix 10.0.0.0/16

# 3. Create frontend subnet
az network vnet subnet create \
  --vnet-name prod-eastus-vnet \
  --name frontend-subnet \
  --resource-group prod-network-rg \
  --address-prefix 10.0.1.0/24

# 4. Create backend subnet
az network vnet subnet create \
  --vnet-name prod-eastus-vnet \
  --name backend-subnet \
  --resource-group prod-network-rg \
  --address-prefix 10.0.2.0/24

# 5. Create NSG for frontend
az network nsg create \
  --name frontend-nsg \
  --resource-group prod-network-rg

# 6. Associate NSG with subnet
az network vnet subnet update \
  --vnet-name prod-eastus-vnet \
  --name frontend-subnet \
  --resource-group prod-network-rg \
  --network-security-group frontend-nsg

Workflow 2: Deploy VM with Managed Identity

# 1. Create VM with system-assigned identity
az vm create \
  --name prod-webapp-vm-01 \
  --resource-group prod-app-rg \
  --image Ubuntu2204 \
  --size Standard_B2s \
  --vnet-name prod-eastus-vnet \
  --subnet frontend-subnet \
  --assign-identity \
  --tags Environment=production Owner=platform-team

# 2. Get identity principal ID
IDENTITY_ID=$(az vm identity show \
  --name prod-webapp-vm-01 \
  --resource-group prod-app-rg \
  --query principalId -o tsv)

# 3. Grant access to Key Vault
az keyvault set-policy \
  --name prod-keyvault \
  --object-id $IDENTITY_ID \
  --secret-permissions get list

# 4. Application can now access secrets without credentials

Navigation Guide

| Need to... | Read this | |------------|-----------| | Organize Azure resources | resource-groups.md | | Create ARM templates | arm-templates.md | | Master Azure CLI | cli-patterns.md |


Resource Files

resource-groups.md

Resource organization strategies, naming conventions, tagging policies, RBAC patterns

arm-templates.md

ARM template structure, parameter patterns, outputs, deployment strategies

cli-patterns.md

Azure CLI automation, scripting patterns, JMESPath queries, output formatting


Related Skills

  • terraform-basics - Infrastructure-as-code for Azure provisioning
  • task-management - Dependency analysis for Azure resource ordering

Skill Status: COMPLETE ✅ Line Count: 458 ✅ Progressive Disclosure: 3 resource files ✅