Azure Basics Skill
Purpose
Provide Azure cloud platform best practices, CLI command patterns, and resource organization strategies for reliable, secure, and cost-effective cloud infrastructure.
Key Capabilities:
- Azure CLI command patterns
- Resource organization and naming
- Networking fundamentals (VNet, NSG, routing)
- RBAC and security
- Cost management
- ARM template patterns
When to Use This Skill
Auto-activates when:
- Working with Azure resources (VMs, storage, databases, AKS)
- Running Azure CLI commands (`az` commands)
- Creating ARM templates or Bicep files
- Managing Azure resource groups
- Configuring Azure networking (VNets, subnets, NSGs)
- Implementing Azure RBAC policies
- Optimizing Azure costs
Quick Start
New Azure Project Checklist
- [ ] Subscription Setup: Verify subscription access and limits
- [ ] Naming Convention: Define resource naming standard
- [ ] Resource Groups: Organize by environment/workload
- [ ] Networking: Plan IP addressing (VNet, subnets)
- [ ] RBAC: Configure least-privilege access
- [ ] Tagging Strategy: Define required tags
- [ ] Cost Budgets: Set spending alerts
- [ ] Monitoring: Enable Azure Monitor and Log Analytics
Resource Deployment Checklist
- [ ] Resource Group: Create or select target RG
- [ ] Location: Choose Azure region
- [ ] SKU Selection: Right-size resources for workload
- [ ] Networking: Configure VNet integration
- [ ] Security: Apply NSG rules, enable managed identity
- [ ] Tags: Apply environment, owner, cost center tags
- [ ] Backup: Configure backup policies (if applicable)
- [ ] Monitoring: Enable diagnostics and alerts
Core Principles (7 Key Rules)
1. Use Resource Groups for Organization
Resource groups are lifecycle boundaries - group resources by lifecycle.
✅ GOOD - Organized by lifecycle
az group create --name prod-app-rg --location eastus
az group create --name prod-data-rg --location eastus
az group create --name shared-network-rg --location eastus
# App resources in app RG
# Data resources in data RG (longer lifecycle)
# Network resources in network RG (shared)
❌ BAD - All resources in one RG
az group create --name everything-rg --location eastus
# One RG is one blast radius: `az group delete`, a template deployment in complete
# mode, or a role assignment at RG scope hits every resource in it
Why: A resource group is also the scope for RBAC, Azure Policy, resource locks and deletion, so grouping by lifecycle keeps ownership clear, lets you grant access per workload instead of per subscription, and makes batch operations (deploy, lock, delete) safe.
2. Follow Azure Naming Conventions
Use consistent, descriptive naming patterns.
✅ GOOD - Consistent naming
# Pattern: {environment}-{workload}-{resource-type}-{region}
prod-webapp-vm-eastus
prodwebappstorage     # storage accounts cannot contain hyphens (see note below)
dev-api-aks-westus
❌ BAD - Inconsistent naming
vm1
storage-account-production
my-kubernetes
Recommended Pattern:
{env}-{workload}-{resource-type}[-{instance}]
env: dev, test, stage, prod
workload: webapp, api, data
resource-type: vm, vnet, storage, aks
instance: 01, 02 (for multiple instances)
Note: some resource types have stricter platform rules than the pattern. Storage account names are globally unique, 3-24 characters, lowercase letters and digits only, so the hyphenated form is rejected; Key Vault and similar globally unique names have their own limits. Check the type's naming rules before fixing the convention.
3. Apply Tags for Cost Management
Tag all resources for cost tracking and organization, and enforce the required tags with Azure Policy so that untagged resources cannot be created.
✅ GOOD - Comprehensive tagging
az resource tag \
--resource-group prod-app-rg \
--name prod-webapp-vm \
--resource-type Microsoft.Compute/virtualMachines \
--is-incremental \
--tags \
Environment=prod \
CostCenter=engineering \
Owner=team-platform \
Project=customer-portal
# --is-incremental (-i) merges the new tags into the existing set; without it
# `az resource tag` replaces the whole tag set and silently drops existing tags
❌ BAD - No tags or inconsistent tags
# No visibility into cost allocation
# Environment=prod on one VM and env=production on the next: cost reports cannot group them
Required Tags:
- Environment (dev/test/stage/prod, the same vocabulary as the naming convention)
- CostCenter (billing allocation)
- Owner (team/email)
- Project (initiative/product)
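As an added example (not part of this skill file or of Azure CLI), the audit below reads the JSON that `az resource list -o json` prints, reports resources missing any of the four required tags, and models the merge-versus-replace behaviour of `az resource tag`. The resource objects are constructed here in the shape the CLI returns (a resource that has never been tagged has `"tags": null`); the function names and the allowed Environment values are this example's own assumptions.

```python
import json

# Required tags from the list above; the allowed Environment values follow the
# page's env vocabulary (an assumption of this example, adjust to your policy).
REQUIRED_TAGS = ("Environment", "CostCenter", "Owner", "Project")
ALLOWED_ENVIRONMENTS = {"dev", "test", "stage", "prod"}

# Constructed sample in the shape of `az resource list -o json` entries
# (only the fields this audit reads are included; the subscription id is a dummy).
SAMPLE_RESOURCES = json.loads("""
[
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-app-rg/providers/Microsoft.Compute/virtualMachines/prod-webapp-vm-01",
   "name": "prod-webapp-vm-01", "type": "Microsoft.Compute/virtualMachines", "resourceGroup": "prod-app-rg",
   "tags": {"Environment": "prod", "CostCenter": "engineering", "Owner": "team-platform", "Project": "customer-portal"}},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-app-rg/providers/Microsoft.Storage/storageAccounts/prodwebappstorage",
   "name": "prodwebappstorage", "type": "Microsoft.Storage/storageAccounts", "resourceGroup": "prod-app-rg",
   "tags": {"Environment": "production", "Owner": "team-platform"}},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/everything-rg/providers/Microsoft.Compute/virtualMachines/vm1",
   "name": "vm1", "type": "Microsoft.Compute/virtualMachines", "resourceGroup": "everything-rg",
   "tags": null}
]
""")

def tag_problems(resource, required=REQUIRED_TAGS):
    """Return the list of tag problems for one resource (empty means compliant).
    `tags` is null in CLI output when a resource has never been tagged."""
    tags = resource.get("tags") or {}
    problems = [f"missing {key}" for key in required if not tags.get(key)]
    env = tags.get("Environment")
    if env and env not in ALLOWED_ENVIRONMENTS:
        problems.append(f"Environment={env!r} not in {sorted(ALLOWED_ENVIRONMENTS)}")
    return problems

def audit_tags(resources, required=REQUIRED_TAGS):
    """Map resource name -> problems, for non-compliant resources only."""
    report = {}
    for resource in resources:
        problems = tag_problems(resource, required)
        if problems:
            report[resource["name"]] = problems
    return report

def merge_tags(existing, new, incremental):
    """Model what `az resource tag --tags ...` does to a resource's tag set:
    with --is-incremental (-i) the new keys are merged over the existing ones;
    without it the whole tag set is replaced and existing keys are dropped."""
    if incremental:
        return {**(existing or {}), **new}
    return dict(new)

if __name__ == "__main__":
    for name, problems in audit_tags(SAMPLE_RESOURCES).items():
        print(f"{name}: {', '.join(problems)}")
    before = SAMPLE_RESOURCES[1]["tags"]
    print("replace:", merge_tags(before, {"CostCenter": "engineering"}, incremental=False))
    print("merge:  ", merge_tags(before, {"CostCenter": "engineering"}, incremental=True))
```

To run it against a real subscription, replace `SAMPLE_RESOURCES` with `json.load()` of the CLI output; the audit is read-only, so it is safe to run from a Reader role.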
4. Use Managed Identities (No Credentials)
Avoid long-lived credentials in code and config - use Azure managed identities, whose credentials Azure issues and rotates for the resource.
✅ GOOD - Managed identity
# Create VM with system-assigned identity
az vm create \
--name prod-webapp-vm \
--resource-group prod-app-rg \
--image Ubuntu2204 \
--assign-identity
# Look up the identity's principal (object) ID
IDENTITY_ID=$(az vm identity show \
--name prod-webapp-vm \
--resource-group prod-app-rg \
--query principalId -o tsv)
# Grant the identity read access to secrets (least privilege: add "list" only if the app enumerates secrets)
az keyvault set-policy \
--name prod-keyvault \
--object-id $IDENTITY_ID \
--secret-permissions get
# set-policy only applies to vaults using the legacy access-policy model; on a vault with
# the RBAC permission model, assign the "Key Vault Secrets User" role to $IDENTITY_ID instead
# Application uses identity (no credentials in code)
❌ BAD - Hardcoded credentials
# Connection strings in app config
# Service principal client secrets in environment variables or CI variables
Why: Nothing to rotate, and nothing to leak from config or source control; access is granted to the resource's identity through RBAC or a Key Vault policy and revoked by removing that grant.
5. Implement Network Security Groups (NSGs)
Control traffic with NSGs - default deny, explicit allow. Rules are evaluated in priority order (lowest number first) and the first match decides.
✅ GOOD - Explicit NSG rules
az network nsg create --name frontend-nsg --resource-group prod-network-rg
# Allow HTTPS from internet
az network nsg rule create \
--resource-group prod-network-rg \
--nsg-name frontend-nsg \
--name allow-https \
--priority 100 \
--direction Inbound \
--source-address-prefixes Internet \
--destination-port-ranges 443 \
--access Allow \
--protocol Tcp
# Deny all other inbound from the internet
# (Default rule: DenyAllInBound at priority 65500)
# Caveat: the default AllowVnetInBound rule (priority 65000) still allows any traffic
# from inside the VNet; add explicit deny rules if subnets must be isolated from each other
❌ BAD - No NSG or overly permissive
az network nsg rule create \
--resource-group prod-network-rg \
--nsg-name frontend-nsg \
--name allow-all \
--priority 200 \
--source-address-prefixes '*' \
--destination-port-ranges '*' \
--access Allow \
--protocol '*'
# Every port, SSH and RDP included, reachable from any address: security nightmare!
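As an added example (not part of this skill file or of Azure CLI), the script below evaluates an NSG's rules the way the platform does: inbound rules sorted by priority, first match wins, Azure's three default inbound rules appended at the end. It answers the practical question "which ports can the public internet reach, and which rule allows it", including the case where an explicit deny at a lower priority number shadows a permissive rule. The rule dictionaries use the field names `az network nsg rule list -o json` prints, but are constructed here to mirror the GOOD and BAD commands above; matching of source prefixes is limited to `*`, `Internet` and `0.0.0.0/0` (this example does not evaluate arbitrary CIDRs), and all function names are the example's own.

```python
# Azure's built-in default inbound rules, in the field names `az network nsg rule list`
# uses; user rules are evaluated before them because they carry lower priority numbers.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed rules mirroring the GOOD and BAD commands above (not real CLI output).
GOOD_RULES = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["Internet"], "destinationPortRanges": ["443"]},
]
BAD_RULES = GOOD_RULES + [
    {"name": "allow-all", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Source prefixes that admit traffic from the public internet. Anything else
# (VirtualNetwork, a specific CIDR, ...) is treated as a restriction here.
INTERNET_PREFIXES = {"*", "Internet", "0.0.0.0/0"}

def _prefixes(rule):
    # CLI output uses either the plural list field or the singular string field.
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]

def _port_ranges(rule):
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]

def _port_matches(port, ranges):
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")        # "443" or "1000-2000"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _protocol_matches(protocol, rule):
    rule_proto = rule.get("protocol", "*")
    return rule_proto == "*" or rule_proto.lower() == protocol.lower()

def effective_inbound_decision(rules, port, protocol="Tcp"):
    """Decide what the NSG does with an internet-sourced packet to `port`:
    walk inbound rules lowest priority number first and return (access, rule name)
    of the first match, which is how NSG rules are applied."""
    candidates = [r for r in list(rules) + DEFAULT_INBOUND_RULES if r.get("direction") == "Inbound"]
    for rule in sorted(candidates, key=lambda r: r["priority"]):
        if (_protocol_matches(protocol, rule)
                and any(p in INTERNET_PREFIXES for p in _prefixes(rule))
                and _port_matches(port, _port_ranges(rule))):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"   # unreachable: the default deny rule always matches

def internet_exposure(rules, ports=(22, 80, 443, 3389)):
    """Map each port the internet can reach to the rule that allows it."""
    exposed = {}
    for port in ports:
        access, name = effective_inbound_decision(rules, port)
        if access == "Allow":
            exposed[port] = name
    return exposed

if __name__ == "__main__":
    print("good:", internet_exposure(GOOD_RULES))   # only 443, via allow-https
    print("bad: ", internet_exposure(BAD_RULES))    # every port, via allow-all
```

Feed it real rules with `json.load()` of `az network nsg rule list --nsg-name frontend-nsg -g prod-network-rg -o json`; the default rules are not returned by that command, which is why the script appends them itself.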
6. Use Azure Regions Strategically
Choose regions based on latency, compliance, cost.
✅ GOOD - Region strategy
# Primary: East US (closest to users)
# Secondary: West US (disaster recovery)
# Data residency: North Europe (GDPR compliance)
az group create --name prod-primary-rg --location eastus
az group create --name prod-dr-rg --location westus
❌ BAD - Random region selection
# No disaster recovery plan
# High latency for users
# Compliance violations
7. Right-Size Resources (Cost Optimization)
Start small, scale up - not the reverse.
✅ GOOD - Right-sized VM
# Standard_B2s: 2 vCPU, 4 GB RAM (burstable)
az vm create \
--name prod-webapp-vm \
--resource-group prod-app-rg \
--image Ubuntu2204 \
--size Standard_B2s
# Monitor, scale up if needed
❌ BAD - Oversized VM
# Standard_D16s_v3: 16 vCPU, 64 GB RAM
az vm create \
--name prod-webapp-vm \
--resource-group prod-app-rg \
--image Ubuntu2204 \
--size Standard_D16s_v3
# For a workload needing 2 vCPU
# Wasting 14 of 16 vCPUs (87.5% of capacity)
Cost Optimization:
- Use Reserved Instances (1- or 3-year commitment; Microsoft advertises savings of up to 72% against pay-as-you-go)
- Auto-shutdown for dev/test VMs
- Use Azure Advisor recommendations
- Right-size based on actual metrics
Common Azure CLI Commands
| Command | Purpose |
|---------|---------|
| az login | Authenticate to Azure |
| az account list | List subscriptions |
| az account set | Switch subscription |
| az group create | Create resource group |
| az group delete | Delete resource group |
| az resource list | List resources |
| az vm create | Create virtual machine |
| az network vnet create | Create virtual network |
| az storage account create | Create storage account |
| az aks create | Create AKS cluster |
Quick Reference
Resource Naming Patterns
| Resource Type | Pattern | Example |
|---------------|---------|---------|
| Resource Group | {env}-{workload}-rg | prod-webapp-rg |
| Virtual Machine | {env}-{workload}-vm[-{instance}] | prod-api-vm-01 |
| Storage Account | {env}{workload}storage | prodwebappstorage |
| Virtual Network | {env}-{region}-vnet | prod-eastus-vnet |
| Subnet | {purpose}-subnet | frontend-subnet |
| NSG | {purpose}-nsg | frontend-nsg |
| AKS Cluster | {env}-{workload}-aks | prod-api-aks |
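As an added example (not part of this skill file), a validator for the naming convention of section 2 and the Resource Naming Patterns table above. It checks each name against the pattern for its resource type, the env and region vocabularies from this page, and the platform rule the convention alone cannot express (storage account names: 3-24 characters, lowercase letters and digits only). `audit_names` takes dictionaries with `name` and `type` fields as `az resource list -o json` and `az group list -o json` print them; the sample list is constructed here from names on this page, and the regexes, vocabularies and function names are the example's own assumptions.

```python
import re

# Vocabularies from sections 2 and 6 of this page; extend to match your own standard.
ENVS = {"dev", "test", "stage", "prod"}
REGIONS = {"eastus", "westus", "westus2", "centralus", "northeurope", "westeurope", "southeastasia"}

# One pattern per resource type, following the Resource Naming Patterns table.
PATTERNS = {
    "rg":      re.compile(r"^(?P<env>[a-z]+)-(?P<workload>[a-z0-9]+)-rg$"),
    "vm":      re.compile(r"^(?P<env>[a-z]+)-(?P<workload>[a-z0-9]+)-vm(?:-(?P<instance>\d{2}))?$"),
    "storage": re.compile(r"^(?P<env>dev|test|stage|prod)(?P<workload>[a-z0-9]+?)storage$"),
    "vnet":    re.compile(r"^(?P<env>[a-z]+)-(?P<region>[a-z0-9]+)-vnet$"),
    "subnet":  re.compile(r"^(?P<purpose>[a-z0-9]+)-subnet$"),
    "nsg":     re.compile(r"^(?P<purpose>[a-z0-9]+)-nsg$"),
    "aks":     re.compile(r"^(?P<env>[a-z]+)-(?P<workload>[a-z0-9]+)-aks$"),
}

# ARM resource types (as printed by `az resource list` / `az group list`) -> pattern key.
ARM_TYPE_TO_KEY = {
    "Microsoft.Resources/resourceGroups": "rg",
    "Microsoft.Compute/virtualMachines": "vm",
    "Microsoft.Storage/storageAccounts": "storage",
    "Microsoft.Network/virtualNetworks": "vnet",
    "Microsoft.Network/networkSecurityGroups": "nsg",
    "Microsoft.ContainerService/managedClusters": "aks",
}

def validate_name(resource_type, name):
    """Return a list of problems with `name` for the given pattern key (empty = compliant)."""
    pattern = PATTERNS.get(resource_type)
    if pattern is None:
        return [f"no naming pattern defined for '{resource_type}'"]
    problems = []
    match = pattern.match(name)
    if match:
        parts = match.groupdict()
        if parts.get("env") and parts["env"] not in ENVS:
            problems.append(f"unknown environment '{parts['env']}' (expected one of {sorted(ENVS)})")
        if parts.get("region") and parts["region"] not in REGIONS:
            problems.append(f"unknown region '{parts['region']}'")
    else:
        problems.append(f"'{name}' does not match {resource_type} pattern {pattern.pattern}")
    # Platform rules the convention alone does not enforce: storage account names are
    # globally unique, 3-24 characters, lowercase letters and digits only (no hyphens).
    if resource_type == "storage":
        if not 3 <= len(name) <= 24:
            problems.append(f"storage account name is {len(name)} characters; Azure allows 3-24")
        if not re.fullmatch(r"[a-z0-9]+", name):
            problems.append("storage account names allow only lowercase letters and digits")
    return problems

def audit_names(resources):
    """Map resource name -> problems for resources whose ARM type has a pattern here;
    `resources` are dicts with 'name' and 'type' as the CLI prints them."""
    report = {}
    for resource in resources:
        key = ARM_TYPE_TO_KEY.get(resource["type"])
        if key is None:
            continue                       # no convention defined for this type
        problems = validate_name(key, resource["name"])
        if problems:
            report[resource["name"]] = problems
    return report

# Constructed sample mixing the GOOD and BAD names from this page.
SAMPLE_RESOURCES = [
    {"name": "prod-webapp-rg", "type": "Microsoft.Resources/resourceGroups"},
    {"name": "everything-rg", "type": "Microsoft.Resources/resourceGroups"},
    {"name": "prod-api-vm-01", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "prodwebappstorage", "type": "Microsoft.Storage/storageAccounts"},
    {"name": "prodcustomerportalbackupstorage", "type": "Microsoft.Storage/storageAccounts"},
    {"name": "prod-eastus-vnet", "type": "Microsoft.Network/virtualNetworks"},
    {"name": "qa-eastus-vnet", "type": "Microsoft.Network/virtualNetworks"},
    {"name": "my-kubernetes", "type": "Microsoft.ContainerService/managedClusters"},
]

if __name__ == "__main__":
    for name, problems in audit_names(SAMPLE_RESOURCES).items():
        print(f"{name}: {'; '.join(problems)}")
```

Running the same checks in CI before `az deployment` or `terraform apply` catches a non-compliant name before it becomes a resource that has to be recreated, since most Azure resources cannot be renamed in place.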
Common Azure Regions
| Region | Location | Use Case |
|--------|----------|----------|
| eastus | East US | General purpose, low cost |
| westus2 | West US 2 | West coast users |
| centralus | Central US | Central location |
| northeurope | North Europe | GDPR compliance |
| westeurope | West Europe | European users |
| southeastasia | Southeast Asia | APAC users |
Anti-Patterns to Avoid
❌ Anti-Pattern 1: Single Resource Group for Everything
Problem: All resources in one RG
Issue: Cannot manage lifecycle, access or deletion independently
Fix: Separate by environment, workload, or lifecycle
❌ Anti-Pattern 2: No Tagging Strategy
Problem: Resources without tags
Issue: Cannot track costs or ownership
Fix: Enforce required tags via Azure Policy
❌ Anti-Pattern 3: Overprivileged RBAC
Problem: Everyone has Contributor role, usually at subscription scope
Issue: Security risk, accidental deletions, no blast-radius limit if one account is compromised
Fix: Least-privilege access (Reader, or a specific built-in role such as Virtual Machine Contributor) assigned at resource-group scope, not on the subscription
❌ Anti-Pattern 4: No Cost Budgets
Problem: No spending alerts
Issue: Surprise bills, cost overruns
Fix: Set budgets and alerts in Azure Cost Management
❌ Anti-Pattern 5: Public IP on Everything
Problem: All VMs have public IPs
Issue: Increased attack surface (SSH/RDP exposed to internet scanning)
Fix: Private networking with VPN/Bastion access; create VMs without a public IP
Common Workflows
Workflow 1: Create VNet with Subnets
# 1. Create resource group
az group create --name prod-network-rg --location eastus
# 2. Create VNet
az network vnet create \
--name prod-eastus-vnet \
--resource-group prod-network-rg \
--address-prefix 10.0.0.0/16
# 3. Create frontend subnet
az network vnet subnet create \
--vnet-name prod-eastus-vnet \
--name frontend-subnet \
--resource-group prod-network-rg \
--address-prefix 10.0.1.0/24
# 4. Create backend subnet
az network vnet subnet create \
--vnet-name prod-eastus-vnet \
--name backend-subnet \
--resource-group prod-network-rg \
--address-prefix 10.0.2.0/24
# 5. Create NSG for frontend
az network nsg create \
--name frontend-nsg \
--resource-group prod-network-rg
# 6. Associate NSG with subnet
az network vnet subnet update \
--vnet-name prod-eastus-vnet \
--name frontend-subnet \
--resource-group prod-network-rg \
--network-security-group frontend-nsg
Workflow 2: Deploy VM with Managed Identity
# 1. Create VM with system-assigned identity, no public IP, and no NIC-level NSG
az vm create \
--name prod-webapp-vm-01 \
--resource-group prod-app-rg \
--image Ubuntu2204 \
--size Standard_B2s \
--vnet-name prod-eastus-vnet \
--subnet frontend-subnet \
--public-ip-address "" \
--nsg "" \
--generate-ssh-keys \
--assign-identity \
--tags Environment=prod CostCenter=engineering Owner=team-platform Project=customer-portal
# --public-ip-address "" keeps the VM private (reach it via Bastion, see Anti-Pattern 5)
# --nsg "" skips the NSG az vm create would otherwise add to the NIC, which by default
# carries an allow-SSH-from-anywhere rule; the subnet-level frontend-nsg from Workflow 1 applies instead
# 2. Get identity principal ID
IDENTITY_ID=$(az vm identity show \
--name prod-webapp-vm-01 \
--resource-group prod-app-rg \
--query principalId -o tsv)
# 3. Grant read access to Key Vault secrets (add "list" only if the app enumerates secrets)
az keyvault set-policy \
--name prod-keyvault \
--object-id $IDENTITY_ID \
--secret-permissions get
# On a vault using the RBAC permission model, set-policy is ignored: assign the
# "Key Vault Secrets User" role to $IDENTITY_ID scoped to the vault instead
# 4. Application can now access secrets without credentials
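The "no credentials in code" step of Core Principle 4 and of this workflow works because the VM obtains tokens from the Azure Instance Metadata Service (IMDS) at the link-local address 169.254.169.254, which only code running on the VM can reach. As an added example (not part of this skill file or of any Azure SDK), the script below builds that request for the Key Vault audience, parses the token response, and caches the token until shortly before expiry so the app neither requests a token per call nor keeps using a stale one. The IMDS URL, API version, `Metadata: true` header and response fields are Azure's; the `SAMPLE_RESPONSE` is constructed here with a placeholder token so the parsing and caching run offline, and the function and class names are the example's own. In production you would normally use `DefaultAzureCredential` from the `azure-identity` package, which does the same exchange.

```python
import json
import time
import urllib.parse
import urllib.request

# Azure Instance Metadata Service token endpoint, reachable only from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_AUDIENCE = "https://vault.azure.net"

def imds_token_request(resource=KEY_VAULT_AUDIENCE, client_id=None):
    """Build (url, headers) for an IMDS token request. `resource` is the audience
    (Key Vault here); `client_id` selects a user-assigned identity, omit it for the
    VM's system-assigned identity. IMDS rejects requests without the Metadata: true
    header, which stops a plain HTTP redirect from reaching the endpoint."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}

def parse_imds_token(body, now=None):
    """Parse an IMDS token response body; return (access_token, seconds_remaining).
    Raises ValueError if fields are missing or the token has already expired."""
    data = json.loads(body)
    token, expires_on = data.get("access_token"), data.get("expires_on")
    if not token or expires_on is None:
        raise ValueError("IMDS response is missing access_token or expires_on")
    now = time.time() if now is None else now
    remaining = int(expires_on) - int(now)      # expires_on is epoch seconds, sent as a string
    if remaining <= 0:
        raise ValueError("token from IMDS is already expired")
    return token, remaining

class TokenCache:
    """Reuse a token until `refresh_margin` seconds before expiry, then call `fetcher`
    (a zero-argument callable returning the IMDS response body) for a fresh one."""
    def __init__(self, fetcher, refresh_margin=300):
        self.fetcher, self.refresh_margin = fetcher, refresh_margin
        self._token, self._expires_at = None, 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self.refresh_margin:
            token, remaining = parse_imds_token(self.fetcher(), now)
            self._token, self._expires_at = token, now + remaining
        return self._token

def fetch_imds_token_body(resource=KEY_VAULT_AUDIENCE, client_id=None, timeout=5):
    """Real call; works only on an Azure VM that has a managed identity assigned."""
    url, headers = imds_token_request(resource, client_id)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
        return resp.read().decode()

# Constructed IMDS-style response for offline use; the token value is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi...placeholder",
    "expires_on": "1700003600",
    "resource": KEY_VAULT_AUDIENCE,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    url, headers = imds_token_request()
    print(url, headers)
    cache = TokenCache(lambda: SAMPLE_RESPONSE)          # swap in fetch_imds_token_body on a VM
    print(cache.get(now=1700000000))                     # fetched
    print(cache.get(now=1700000100))                     # served from cache
```

The token is a bearer credential for the vault: log only its expiry, never its value, and keep the cache in process memory rather than on disk.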
Navigation Guide
| Need to... | Read this |
|------------|-----------|
| Organize Azure resources | resource-groups.md |
| Create ARM templates | arm-templates.md |
| Master Azure CLI | cli-patterns.md |
Resource Files
resource-groups.md
Resource organization strategies, naming conventions, tagging policies, RBAC patterns
arm-templates.md
ARM template structure, parameter patterns, outputs, deployment strategies
cli-patterns.md
Azure CLI automation, scripting patterns, JMESPath queries, output formatting
Related Skills
- terraform-basics - Infrastructure-as-code for Azure provisioning
- task-management - Dependency analysis for Azure resource ordering
Skill Status: COMPLETE ✅ Line Count: 458 ✅ Progressive Disclosure: 3 resource files ✅