Microsoft Azure Beginner

Cloud computing is the on-demand delivery of computing resources — servers, storage, databases, networking and software — over the internet, billed for what you use. Instead of buying and running your own hardware, you rent capacity from a provider and scale it up or down in minutes.

Microsoft Azure is Microsoft’s public cloud platform. It offers hundreds of services across compute, storage, networking, databases, AI and more, hosted in data centres around the world. You access it through a web portal, a command-line tool, or programmatic APIs.

• Pay-as-you-go — you pay only for the resources you actually consume.
• Elastic — add or remove capacity to match demand.
• Global — deploy close to your users in many regions.

To use Azure you first need an Azure account, created at azure.microsoft.com with a Microsoft account, an email address and (for verification) a phone number and credit card. The card is used to confirm identity; you are not charged unless you move beyond free limits.

New accounts get the Azure free account, which includes:

• A credit (a fixed amount) to spend on most services for the first 30 days.
• A set of services that are always free within monthly limits (for example a small amount of Blob storage and certain functions).
• Selected services free for 12 months (such as a small Linux VM for a limited number of hours).

Spending limits help avoid surprise bills while you learn. Always review which resources are free versus billable before you create them.

The Azure portal (portal.azure.com) is the web-based graphical console for managing Azure. It is a single place to create, configure, monitor and delete resources.

• Search bar — jump to any service or resource by name.
• Dashboard — pin tiles for the resources you use most.
• Resource blades — each resource opens a panel with its settings, metrics and actions.
• Cloud Shell — a built-in terminal you can open from the top bar.
• Notifications — the bell icon shows the status of long-running operations.

The portal is great for learning and for occasional changes. For repeatable work, the CLI or templates are usually better because they can be scripted.

The Azure CLI (the az command) lets you manage Azure from a terminal and from scripts. Commands follow a predictable pattern: az <group> <subgroup> <action>, for example az vm create or az group list.

Azure Cloud Shell is a browser-based shell built into the portal. It comes with the CLI, PowerShell and common tools pre-installed and pre-authenticated, so you do not have to install anything locally. It offers Bash or PowerShell.

• az login — sign in (not needed inside Cloud Shell, which is already authenticated).
• az account show — display the active subscription.
• az --help — explore available commands.

Azure runs in physical data centres grouped into regions — geographic locations such as West Europe or East US. You choose a region when creating most resources, usually one close to your users to reduce latency, or one that meets data-residency rules.

Within many regions there are availability zones: physically separate data centres, each with independent power, cooling and networking. Spreading resources across zones protects an application from the failure of a single data centre.

Region pairs are two regions within the same geography paired for resilience; Microsoft replicates certain services between them and avoids updating both at once.

Azure organises everything in a hierarchy that helps with management, access control and billing.

• Resources — individual items like a VM, disk or storage account.
• Resource groups — logical containers that hold related resources (often for one application or environment). Resources live in exactly one group.
• Subscriptions — a billing and access boundary that contains resource groups.
• Management groups — containers above subscriptions used to apply governance and policy across many subscriptions at once.

Deleting a resource group deletes everything inside it, which makes groups handy for cleaning up an entire project.

Microsoft Entra ID (formerly Azure Active Directory) is Azure’s cloud identity and access management service. It stores users, groups and applications, and handles authentication — verifying who you are when you sign in.

Every Azure subscription trusts one Entra ID tenant, which is a dedicated instance of the directory for your organisation. Identity is the foundation of cloud security: before any permission can be granted, the system must first know who is asking.

• Authentication — proving identity (password, plus optional multi-factor).
• Authorization — deciding what that identity is allowed to do (handled with RBAC).
• Service principals / managed identities — identities for applications, not people.

Azure role-based access control (RBAC) decides what an identity is allowed to do. It works by combining three things into a role assignment:

• Security principal — who (a user, group, service principal or managed identity).
• Role definition — what they can do (a set of permissions, such as Reader, Contributor or Owner).
• Scope — where it applies (management group, subscription, resource group or a single resource).

Permissions are inherited downward: a role granted at the subscription scope applies to all resource groups and resources inside it. Following least privilege, grant the narrowest role at the smallest scope that gets the job done.

An Azure Virtual Machine (VM) is an on-demand, scalable computer running in Azure. You choose an operating-system image (Linux or Windows), a size, a region and networking, and Azure provisions it for you.

How you connect depends on the OS:

• Linux — connect over SSH (port 22), typically with an SSH key pair rather than a password.
• Windows — connect with RDP (Remote Desktop, port 3389).

When you create a Linux VM with the CLI, Azure can generate SSH keys for you and place the public key on the machine, so you can log in immediately with the matching private key.

Azure offers many VM sizes, grouped into families tuned for different workloads:

• General purpose (for example the B and D series) — balanced CPU and memory for web servers and dev/test.
• Compute optimised (F series) — high CPU-to-memory ratio for batch and application servers.
• Memory optimised (E series) — large memory for databases and caches.

Cost depends on size, region, OS and how you pay. Options include pay-as-you-go, reserved instances (commit to 1 or 3 years for a discount) and spot VMs (cheap, but can be reclaimed). You are billed for compute while a VM is running; stopping and deallocating a VM stops compute charges, though storage for its disks still costs.

Azure Blob Storage holds large amounts of unstructured data — images, videos, backups, logs and documents — inside a storage account. Within an account, blobs are organised into containers (similar to folders), and each blob has a unique URL.

To balance cost and performance, blobs can be stored in different access tiers:

• Hot — frequent access; highest storage cost, lowest access cost.
• Cool — infrequent access; lower storage cost, higher access cost.
• Archive — rarely accessed; cheapest storage, but data must be rehydrated before reading.

A VM needs durable storage for its operating system and data. Azure provides this through managed disks: block-level storage volumes that Azure manages for you, handling availability and replication behind the scenes.

• OS disk — holds the operating system, attached automatically when the VM is created.
• Data disks — extra volumes you attach for application data.
• Temporary disk — fast local storage that is not persistent and can be lost on deallocation.

Disk types trade cost against performance: Standard HDD, Standard SSD, Premium SSD and Ultra Disk. Managed disks can be resized and snapshotted, and they persist independently of the VM’s running state.

An Azure Virtual Network (VNet) is your private, isolated network in the cloud. It defines a private IP address range (using CIDR notation, for example 10.0.0.0/16) within which your resources communicate securely.

A VNet is divided into subnets, smaller address ranges (such as 10.0.1.0/24) that group related resources — for example a subnet for web servers and another for databases. Resources in the same VNet can reach each other by private IP by default.

• VNets are scoped to a single region.
• VNets can be connected to each other (peering) or to on-premises networks (VPN / ExpressRoute).

A Network Security Group (NSG) is a virtual firewall that controls traffic to and from resources. It contains a list of security rules, each allowing or denying traffic based on:

• Direction — inbound or outbound.
• Source and destination — IP addresses or ranges.
• Port and protocol — for example TCP on port 22 (SSH) or 443 (HTTPS).
• Priority — a number; lower numbers are evaluated first, and the first matching rule wins.

NSGs can be attached to a subnet or to a VM’s network interface. Azure also adds default rules (for example allowing traffic within the VNet) that you can override with higher-priority rules.

Resources can have two kinds of IP address:

• Private IP — used inside a VNet for communication between resources; not reachable from the internet.
• Public IP — reachable from the internet, used when a resource must be accessed externally (for example a web server).

An Azure Load Balancer distributes incoming traffic across a pool of back-end resources (such as several VMs). This improves availability — if one VM fails, traffic goes to the others — and scalability, by spreading load. A public load balancer faces the internet; an internal one balances traffic inside a VNet. Health probes let it route only to healthy instances.

Security in the cloud is a partnership described by the shared responsibility model. The provider and the customer each own different parts, and the split shifts depending on the service type (IaaS, PaaS, SaaS).

• Microsoft always manages the physical data centres, hosts and network hardware.
• The customer always manages their own data, accounts and identities, and access policies.
• For IaaS (like VMs) the customer also manages the operating system, patches and applications; for SaaS the provider handles almost everything except data and identity.

The key idea: moving to the cloud does not remove your responsibility for protecting your own data and controlling who can access it.

Because you pay for what you use, keeping an eye on cost is essential. Azure provides tools to estimate, track and control spending.

• Azure Pricing Calculator — a web tool to estimate the cost of a planned deployment before you build it.
• Cost Management + Billing — in the portal, shows actual spend, breakdowns by resource and forecasts.
• Budgets and cost alerts — set a spending threshold and get notified (or trigger actions) when usage approaches or exceeds it.
• Total Cost of Ownership (TCO) calculator — compares on-premises costs with Azure.

Setting a budget with alerts is one of the simplest ways to avoid an unexpected bill.

As the number of resources grows, tags and consistent naming keep things organised.

Tags are name/value pairs you attach to resources, such as environment=production or owner=team-web. They are invaluable for:

• Cost allocation — group spend by project, team or environment.
• Automation — scripts and policies can act on tagged resources.
• Organisation — filter and search the portal by tag.

A clear naming convention (for example rg-web-prod-weu) encodes the resource type, workload, environment and region, making resources self-documenting and easier to manage at scale.

Every request to create, update or delete an Azure resource goes through Azure Resource Manager (ARM) — the management and deployment layer of Azure. The portal, the CLI, PowerShell and the APIs all ultimately call ARM.

ARM enables Infrastructure as Code: you describe the resources you want in a declarative template (an ARM template in JSON, or the friendlier Bicep language), and ARM figures out how to make reality match the description.

• Declarative — you state the desired end result, not the steps.
• Idempotent — deploying the same template repeatedly produces the same result.
• Consistent — the same template recreates an identical environment every time.

Now let us combine what you have learned into one small deployment: a public web server.

1. Create a resource group to hold everything.
2. Create a VM (which automatically creates a VNet, subnet, NIC and public IP).
3. Open port 80 so the web server is reachable.
4. Install a web server such as nginx on the VM.

After these steps, browsing to the VM’s public IP shows the default web page. When you are finished, deleting the resource group removes every resource in one command — a clean, cost-saving way to tear down a test.

Microsoft offers role-based certifications that map naturally onto a learning journey.

• AZ-900: Azure Fundamentals — the entry-level exam covering cloud concepts, core Azure services, security, governance, pricing and the shared responsibility model. No hands-on prerequisites; ideal right after this beginner track.
• AZ-104: Azure Administrator Associate — the next step, focused on managing identities, governance, storage, compute, virtual networking and monitoring in practice.

Beyond these, specialised paths lead to roles such as Solutions Architect (AZ-305), Developer (AZ-204) and Security Engineer (AZ-500). Starting with AZ-900 to confirm the fundamentals, then AZ-104 for hands-on administration, is a well-trodden route.