Microsoft Azure Intermediate

Azure SQL Database is a fully managed Platform-as-a-Service (PaaS) relational database built on the SQL Server engine. Unlike a SQL Server running on a VM, you never patch the operating system, install the engine, or schedule your own backups — Azure handles high availability, patching and automated backups for you.

You choose a purchasing model: the DTU model bundles compute, memory and I/O into a single unit, while the newer vCore model lets you size CPU and storage independently and is required for advanced tiers like Hyperscale and Serverless. A single logical server is just an administrative container for one or more databases; it is not a machine you can log into.

Azure Cosmos DB is a globally distributed, multi-model NoSQL database designed for low latency and elastic scale. You pick an API when you create an account — the native Core (SQL) API for JSON documents, or compatibility APIs for MongoDB, Cassandra, Gremlin (graph) and Table.

Throughput is measured in Request Units per second (RU/s): every read or write costs a number of RUs depending on item size and complexity. You either provision RU/s or use the serverless mode for spiky workloads. Cosmos DB also offers five well-defined consistency levels — Strong, Bounded Staleness, Session, Consistent Prefix and Eventual — trading consistency for latency and availability.

Azure Functions lets you run small pieces of code (“functions”) without managing servers. Each function is started by a trigger — an HTTP request, a timer, a new blob, a queue message or an Event Grid event — and can use bindings to read and write other services declaratively, without writing connection boilerplate.

The Consumption plan bills per-execution and scales to zero when idle, but can suffer cold starts. The Premium plan keeps pre-warmed instances and adds VNet integration, while the Dedicated (App Service) plan runs on VMs you already pay for. A function app groups functions and shares one configuration and storage account.

Azure App Service is a managed platform for hosting web apps, REST APIs and mobile back ends in many languages (.NET, Java, Node.js, Python, PHP). You deploy your code or a container and Azure runs it; you do not manage the OS or web server.

Apps run inside an App Service Plan, which defines the region, the VM size and the number of instances — and therefore the cost. Multiple apps can share one plan. Key features include deployment slots for staging and zero-downtime swaps, built-in autoscale, custom domains with managed TLS certificates, and App Settings that surface as environment variables.

Azure Container Registry (ACR) is a managed, private registry for storing and distributing OCI container images and Helm charts. It comes in three tiers — Basic, Standard and Premium — differing in storage, throughput and features like geo-replication and private endpoints (Premium only).

You authenticate with Azure AD identities rather than long-lived passwords where possible. ACR can also build images in the cloud with ACR Tasks (az acr build), so you do not need a local Docker daemon. To let a cluster pull images securely, you attach the registry to the cluster identity instead of embedding credentials.

Azure Kubernetes Service (AKS) is a managed Kubernetes offering. Azure runs and patches the control plane for free; you pay only for the node pools (the VMs that run your pods). A cluster can have a system node pool for cluster services and separate user node pools for workloads.

AKS integrates with Azure AD for authentication, with ACR for pulling images, and with Azure Monitor for observability. The cluster autoscaler adds and removes nodes based on pending pods, while the Horizontal Pod Autoscaler scales pod replicas based on metrics. You connect with kubectl after fetching credentials.

Azure Container Instances (ACI) runs a single container or a small container group without any cluster to manage. It is ideal for short-lived jobs, batch processing, build agents and simple microservices where the orchestration features of AKS would be overkill. Billing is per-second based on the CPU and memory you request.

ACI starts in seconds and supports public IPs, mounted Azure Files shares, and environment variables. AKS can even burst excess pods to ACI through virtual nodes. The trade-off versus AKS is that ACI has no built-in scheduling, self-healing or service discovery — it simply runs the containers you ask for.

Azure offers several ways to distribute traffic, and choosing the right one matters. Azure Load Balancer works at Layer 4 (TCP/UDP): it is fast and protocol-agnostic but cannot read HTTP paths or host names. Application Gateway works at Layer 7: it understands HTTP, supports path- and host-based routing, TLS termination, and an optional Web Application Firewall (WAF) — but it is regional.

Azure Front Door is a global, Layer-7 entry point that adds a CDN, anycast routing to the nearest edge, and global failover across regions. A common pattern is Front Door at the edge, Application Gateway inside a region, and Load Balancer for internal Layer-4 traffic.

A Virtual Machine Scale Set (VMSS) manages a group of identical VMs from a single configuration, making it easy to run many copies of a workload behind a load balancer. You can scale manually by setting an instance count, or attach autoscale rules that add and remove instances based on metrics like CPU percentage or queue length, or on a schedule.

Autoscale rules use a cooldown period to avoid flapping and should always pair a scale-out rule with a scale-in rule. VMSS supports rolling upgrades, availability zones and spot instances for cost savings. The cloud sometimes calls the metric-driven engine autoscale settings, attached to the scale set resource.

A Virtual Network (VNet) is isolated by default. To let resources in two VNets talk directly — even across regions or subscriptions — you create a VNet peering. Peered traffic stays on the Microsoft backbone, is low-latency, and uses private IPs; peering is non-transitive, so if A peers with B and B peers with C, A still cannot reach C without its own peering or a hub.

Routing inside a VNet is controlled by system routes plus your own User-Defined Routes (UDRs) in a route table. A common pattern forces traffic through a firewall using a UDR with next hop Virtual Appliance. The hub-and-spoke topology relies on peering plus UDRs to centralise shared services.

By default, PaaS services like Storage and SQL have public endpoints. To restrict access, Azure offers two mechanisms. A Service Endpoint extends your VNet identity to the service over the Azure backbone and lets the service firewall allow specific subnets — but the service keeps its public IP.

A Private Endpoint goes further: it places a network interface with a private IP from your subnet in front of the service, so the resource is reachable over a truly private address and can be locked down from the public internet entirely. Private Endpoints are powered by Azure Private Link and usually pair with a private DNS zone so the service hostname resolves to the private IP.

Azure DNS hosts DNS domains on Microsoft infrastructure. A public DNS zone resolves names on the internet — you delegate your domain by pointing its registrar at the Azure name servers. A private DNS zone resolves names only inside linked VNets, which is essential for Private Endpoints to map a hostname to a private IP.

You manage records (A, AAAA, CNAME, MX, TXT, SRV) as resources, and Azure DNS supports alias records that point directly at Azure resources (like a Public IP or Front Door) and update automatically if the target changes. With auto-registration, a private zone can record VM hostnames automatically.

A Content Delivery Network (CDN) caches static content — images, scripts, video — at edge points of presence (PoPs) close to users, cutting latency and offloading your origin. Azure CDN defines an endpoint that fronts an origin (a storage account, web app or any public host).

You control freshness with caching rules and Time-To-Live (TTL), and you can purge the cache to force re-fetching after a deploy. Dynamic content can use query-string caching modes. Note that Azure Front Door now includes CDN capabilities, so new designs often consolidate on Front Door rather than a standalone CDN profile.

A managed identity is an Azure AD identity that Azure manages for you, eliminating credentials in code. A system-assigned identity is tied to one resource and deleted with it; a user-assigned identity is a standalone resource you can attach to many resources and reuse.

What an identity can do is governed by Role-Based Access Control (RBAC): a role assignment binds a security principal to a role definition (a set of allowed actions) over a scope (management group, subscription, resource group or resource). Permissions are additive and inherited down the hierarchy, while an explicit deny assignment overrides allows. Prefer least-privilege built-in roles like Storage Blob Data Reader over the broad Contributor.

Azure Key Vault centrally stores secrets (passwords, connection strings), keys (for encryption) and certificates, keeping them out of code and config files. Apps read secrets at runtime using a managed identity, so credentials never live in source control.

Access is controlled either by the legacy access policies or, preferably, by Azure RBAC data-plane roles like Key Vault Secrets User. Vaults support soft delete and purge protection to recover from accidental deletion, and secrets can be versioned. App Service and Functions can fetch a secret automatically with a Key Vault reference in App Settings.

Azure Monitor is the umbrella platform for observability. It collects two kinds of data: numeric metrics (fast, time-series, near real time) and richer logs (events, traces). Logs are sent to a Log Analytics workspace, where you query them with the Kusto Query Language (KQL).

On top of this you build alerts (metric, log or activity-log based) that fire action groups (email, SMS, webhook, Logic App), and dashboards and workbooks for visualisation. Application Insights extends Monitor with deep application telemetry — request rates, dependencies and exceptions. Diagnostic settings route resource logs into the workspace.

Azure provides distinct messaging services for distinct jobs. Azure Service Bus is an enterprise message broker for reliable command and work-queue scenarios: it offers queues (point-to-point) and topics/subscriptions (publish-subscribe), with ordering (sessions), dead-lettering, transactions and at-least-once delivery. Consumers pull messages.

Azure Event Grid is a lightweight event router built for reactive, event-driven architectures. It pushes small event notifications (“a blob was created”) to many subscribers via HTTP webhooks or functions, with massive fan-out and filtering. Rule of thumb: Service Bus for commands/work that must not be lost; Event Grid for broadcasting that something happened.

Azure Blob Storage offers access tiers that trade storage price against access price. Hot is cheapest to read but most expensive to store; Cool (min 30 days) suits infrequently accessed data; Cold (min 90 days) is cheaper still; and Archive is the cheapest to store but offline — you must rehydrate a blob (hours) before reading it.

Rather than re-tier blobs by hand, you attach a lifecycle management policy: rules that automatically move blobs to cooler tiers or delete them after a number of days since last modification or last access. Combined with the right redundancy (LRS, ZRS, GRS), this controls both cost and durability.

Azure resources are described declaratively with Infrastructure as Code (IaC). The original format is the ARM template: a verbose JSON document listing resources, parameters and outputs that the Azure Resource Manager deploys idempotently. JSON is hard to author and review at scale.

Bicep is a cleaner domain-specific language that transpiles to ARM JSON. It removes boilerplate, adds modules, type safety and simple expressions, and needs no state file because Azure itself is the source of truth. Deployments are idempotent: re-running converges to the declared state, and what-if previews changes before you apply them.

Once you have a Bicep file you deploy it through the Resource Manager. From the CLI you run az deployment group create against a resource group, passing parameters. The deployment is idempotent, so committing the file and re-deploying keeps environments consistent.

For automation you put the deployment in a pipeline. With GitHub Actions you authenticate using OpenID Connect (OIDC) federation to a service principal — no stored secret — then run the same az deployment command on every push. Azure DevOps Pipelines achieve the same with a service connection and an AzureCLI task.

Resilience needs more than redundancy. Azure Backup, centred on a Recovery Services vault, provides application-consistent backups for VMs, Azure Files, SQL in VMs and more, governed by backup policies (schedule plus retention). It supports point-in-time restore and is isolated from the source so ransomware on a VM cannot delete its backups.

A managed disk snapshot is a cheaper, point-in-time read-only copy of a disk, handy for quick clones or pre-change safety points; you can create a new disk from a snapshot. Databases have their own story: Azure SQL keeps automated backups enabling point-in-time restore within the retention window, and Cosmos DB offers continuous backup.

A typical intermediate Azure design layers the services from this course. At the edge, Front Door (with WAF and CDN) routes global traffic to a regional Application Gateway, which load-balances across an App Service or AKS back end. Compute reaches data through Private Endpoints into Azure SQL or Cosmos DB, with a private DNS zone resolving the names.

Secrets live in Key Vault, accessed via managed identities and least-privilege RBAC. Service Bus and Event Grid decouple components, Azure Monitor and Application Insights provide observability, and the whole estate is described in Bicep and shipped by a GitHub Actions pipeline. This separation of edge, compute, data, identity, messaging and IaC is the backbone of well-architected Azure solutions.