Short, honest write-ups of one Azure idea at a time — the kind of thing you wish someone had drawn on a whiteboard for you before the interview. Each one teaches the concept properly, cites the Microsoft documentation, and points back to the class that drills it until it sticks.
One idea, drawn once Every note underlines the single sentence you would actually be asked about — then earns it.
A budget is the thirty-second insurance policy against a runaway cloud bill — it emails you as actual or forecasted spend climbs toward your threshold. The catch everyone misses: it warns, it does not stop the spending.
Policy guards the door for new resources, but the hundreds already deployed and non-compliant just sit there flagged. Remediation tasks run a policy's deployIfNotExists or modify effect across them — governance that heals the estate you inherited.
A private endpoint is how you consume a service privately; Private Link Service is the mirror image — how you publish yours, behind a Standard Load Balancer, so customers connect over a private endpoint instead of a public IP. The pattern behind private SaaS on Azure.
The oldest sin in web apps is a password in a config file. Key Vault references delete it with no code change: the app setting stops holding the secret and starts pointing at it, resolved at runtime by a managed identity.
Running one VM is easy; running forty identical ones that add and remove themselves with demand is a job you do not want to do by hand. A scale set is Azure doing it from a single image — the building block under autoscale and AKS node pools.
The scariest moment in running a web app is the deploy. Slots turn it into a non-event: push to a warm staging copy, swap it into production with nothing dropped, and swap straight back if the new build misbehaves.
They share a portal and get confused constantly, but they answer opposite questions. Backup is a time machine for your data; Site Recovery is a standby engine that keeps the whole workload running when a site goes down. Most estates need both.
One workspace per team, per environment, per region? Microsoft's answer is blunt: start with one and split only when a hard requirement forces it. The real drivers are residency, access, retention, and cost — not the org chart.
Most traffic is encrypted now, which is great for privacy and terrible for a firewall reading nothing. The Premium tier adds TLS inspection and a signature-based IDPS so it can open the tunnel and match what is really flowing against known attacks.
Both route users to the nearest healthy region — but Front Door stands in the traffic path with a CDN, TLS offload, and a WAF, while Traffic Manager just answers a DNS query and vanishes. Which one you need depends entirely on where it sits.
Give a VM a public IP and open port 3389, and the internet's bots start guessing passwords within minutes. Bastion is how you get a shell on a private VM over TLS from the portal — no public IP, no open management port, no jump box to patch.
Your VMs need to reach the internet without wearing a target. One managed resource gives a whole subnet a clean, private way out through static IPs — and quietly fixes the SNAT-port-exhaustion bug most people only meet at 2am.
Every connection starts with one question: what IP is this name? Public zones answer the internet, private zones answer your virtual network, and a surprising amount of "the network is down" turns out to be DNS in a trench coat.
It does not read your requests — it reads your connections. A layer-4 look at how Azure spreads TCP and UDP across a backend pool, skips the sick instances with health probes, and where Application Gateway takes over.
A datacenter losing power and a whole geography going offline are two different disasters. A zone protects you from one, a second region from the other — here is which insurance your workload actually needs.
The moment your Bicep grows past a toy, one giant file becomes unreadable and you start pasting the same block everywhere. Modules are how infrastructure-as-code learns what every programmer knows: factor it into reusable functions.
Someone with legitimate delete rights fat-fingers the wrong resource group and the production database goes with it. Resource locks make that specific disaster impossible — even for people who are allowed to delete.
People say "Azure DevOps" meaning the pipeline, but that is one of five services. The suite covers the whole journey a feature takes — planned, coded, built, tested, shipped — and the integration is the point.
Your datacenter needs to talk to Azure. You can send that traffic through an encrypted tunnel over the public internet, or over a private circuit that never touches it — shared road or private rail.
Sizing a server for your worst hour means paying for that hour all day. Autoscale flips it: the app grows instances when the crowd arrives and gives them back when it leaves — the elasticity you moved to the cloud for.
Tags are the difference between a bill that says "$40,000" and one that says which team, project, and environment spent it. But they only work if they exist and stay consistent — which means enforcing them.
You need to let one client read one blob for one hour — without handing over the master key to your whole storage account. A shared access signature is exactly that: scoped, time-limited access baked into a URL.
Terraform's state file is the ledger of everything it built — and by default it sits on one person's machine. In a team, that is a corruption or a deleted file away from disaster. The fix is a remote backend in Azure Storage.
Every VM needs a disk, and Azure gives you a spectrum from bargain spinning-platter to blistering SSD. Choose the wrong end and you overpay for speed you never use, or throttle the workload you were trying to run.
Hosting a web app used to mean owning a server — patching an OS, praying on release night. App Service takes all of that off your plate and leaves the one thing that matters: your code.
One subscription is easy to govern. Fifty is a nightmare if you configure each by hand. Management groups are the layer above subscriptions where you set a rule once and let inheritance push it to all of them.
You built an image; now it needs a home your pipeline can push to and production can pull from — privately, securely, close to where it runs. That home is a registry, and Azure's is ACR.
The create dialog asks for a "type" before you have stored a byte — and unlike most Azure settings, you cannot change it later. What the choices mean, and why standard general-purpose v2 is almost always right.
Sooner or later two Azure networks need to talk. Peering lets them — privately, over Microsoft's backbone, no gateway, no public internet. There is just one rule (non-transitivity) that surprises everyone.
Collecting telemetry is worthless if nobody looks until a customer complains. An alert rule watches the data; an action group decides who gets told and what happens next — three alerts that fire beat forty that get muted.
A language model is confident and often wrong about your data, because it never saw it. Azure AI Search finds the right passages from your own content and hands them to the model — so the answer is grounded, not guessed.
"Is our cloud secure?" is really three questions — are we configured well, is our pipeline safe, are our workloads under attack? Defender for Cloud answers all three, and gives your posture a number you can move.
Three services move data between components, and picking wrong makes a system lose things it needed or over-engineer things it didn't. It gets easy once you learn one distinction: an event is not a message.
Both are fully managed, so the choice is not who patches the servers — it is the shape of your data and where in the world it needs to be. Relational depth, or global reach with a flexible schema.
You may never write one by hand — Bicep spared you — but ARM templates are the native language Azure deployments actually speak. Knowing what they are makes everything above them make sense.
Microsoft owns both, both build-test-deploy your code, and both deploy beautifully to Azure. The choice is rarely capability — it is where your code already lives and what else you need around the pipeline.
Two features with confusingly similar names both keep a service off the open internet — in opposite ways. One locks the public door to your subnet; the other gives the service a private IP. The difference decides which is right.
Most cloud code spends its life waiting — a server billed by the hour to work for a few seconds a day. Functions flips that: your code sleeps for free, wakes on an event, does its job, and goes back to sleep.
A correct password used to mean "you're in" — which is how accounts get breached. Conditional Access replaces that with a question: given who you are, where you are, and what you're on, should you get in, and on what terms?
A policy's rule decides what it looks for; its effect decides what happens when it finds it. Deny blocks, Audit flags, Modify fixes, and DeployIfNotExists deploys what was missing — governance that heals itself.
Three names that sound like rival products trip up nearly everyone. They are one observability service and two of its parts — and once you see how the telemetry flows, the confusion evaporates.
Azure has a shelf of places to run your code, and the beginner mistake is reaching for the most powerful one. The real question is not what can run this, but how much platform your team can actually operate.
Storing a file you touch daily and one you touch once a year at the same price is money on fire. Access tiers match cost to how often data is read — if you know the one tradeoff and the one trap (archive is offline).
Three roles cover most of what you do — and the difference between two of them is the most common access mistake in the cloud. Contributor builds everything and grants nothing; that gap is the whole point.
A connection string in a config file is a breach waiting for a git push. Key Vault is the central, access-controlled store those secrets go instead — so your code holds a reference, never the secret itself.
You pick one in every create dialog and never think about it again. But the subscription is three boundaries wearing one name — management, billing, and scale — and where you draw it shapes everything inside.
Both are layer-7, both route by URL, both bolt on a WAF — so people pick wrong. The difference is one word: where. One lives inside a single region; the other lives at Microsoft's global edge.
Connecting a pipeline to Azure used to mean pasting a client secret and praying. Workload identity federation ends that — your workflow trades a short-lived token for an Azure token at run time, with nothing to store, rotate, or steal.
Most overspend is not clever waste — it is idle VMs, over-sized everything, and pay-as-you-go prices on workloads that run all year. The levers that move the bill, in order of effort to payoff.
A landing zone is the prepared runway workloads land on — secure, networked, and governed before the first application ships. The eight design areas and the platform/application split, without the enterprise-scale intimidation.
Kusto Query Language looks intimidating until you see the trick: start with a table and push it through a pipe, one small operator at a time. Learn five of them and you can answer real questions about your environment today.
One is Azure's own language, stateless and native. The other is the multi-cloud standard that keeps a ledger of everything it built. An honest comparison — and why the choice is rarely a religion.
A network security group is a free packet filter that reasons about IP addresses and ports. Azure Firewall is a managed service that reasons about names and threats. They work at different altitudes — mature networks run both.
Azure keeps multiple copies of everything in a storage account — the only question is where. One letter of the redundancy setting is the difference between surviving a dead drive and surviving a dead region.
They are the same identity underneath — but one hands you a password to guard and the other never does. Here is the difference, when to reach for each, and why the interview answer is almost always "managed identity."
A private endpoint drops a real network card, with a private IP from your own subnet, in front of a public Azure service. Here is what that actually means, how it differs from a service endpoint, and the one DNS gotcha that trips everyone.
Not a folder, not a billing bucket, not a security boundary — although it touches all three. A resource group is a lifecycle boundary, and once that clicks, half of Azure's organizational rules stop feeling arbitrary.