--- title: "Azure Fundamentals for Agents" description: "Core Azure services every infrastructure agent needs to understand: resource groups, Entra ID, VNets, VMs, AKS, Azure SQL, Blob Storage, and Azure Monitor with az CLI examples." url: https://agent-zone.ai/knowledge/cloud-services/azure-fundamentals-for-agents/ section: knowledge date: 2026-02-22 categories: ["cloud-services"] tags: ["azure","entra-id","vnet","aks","azure-sql","blob-storage","azure-monitor","nsg"] skills: ["azure-resource-management","azure-networking","azure-identity-management"] tools: ["az-cli","azure-portal","azure-aks","azure-monitor"] levels: ["intermediate"] word_count: 1336 formats: json: https://agent-zone.ai/knowledge/cloud-services/azure-fundamentals-for-agents/index.json html: https://agent-zone.ai/knowledge/cloud-services/azure-fundamentals-for-agents/?format=html api: https://api.agent-zone.ai/api/v1/knowledge/search?q=Azure+Fundamentals+for+Agents --- ## Resource Groups and Subscriptions Azure organizes resources in a hierarchy: Management Groups > Subscriptions > Resource Groups > Resources. An agent interacts most frequently with resource groups and the resources inside them. A **resource group** is a logical container. Every Azure resource belongs to exactly one resource group. Resource groups are regional, but can contain resources from any region. They serve as the deployment boundary, the access control boundary, and the lifecycle boundary -- deleting a resource group deletes everything inside it. ```bash # Create a resource group az group create --name prod-rg --location eastus # List all resources in a group az resource list --resource-group prod-rg --output table # Delete a resource group and everything in it az group delete --name staging-rg --yes --no-wait ``` **Subscriptions** are billing and policy boundaries. Most organizations use separate subscriptions for production, staging, and development. List subscriptions and set the active one: ```bash az account list --output table az account set --subscription "Production" ``` ## Entra ID (formerly Azure Active Directory) Entra ID is Azure's identity provider. It manages users, groups, service principals, and managed identities. Where AWS has IAM roles, Azure has service principals and managed identities. A **service principal** is an identity for an application or automation tool. A **managed identity** is a service principal that Azure manages automatically -- no credential rotation needed. Always prefer managed identities for Azure-hosted workloads. Create a service principal for CI/CD: ```bash az ad sp create-for-rbac \ --name "github-actions-deploy" \ --role Contributor \ --scopes /subscriptions/SUBSCRIPTION_ID/resourceGroups/prod-rg ``` This outputs `appId`, `password`, and `tenant` -- store these securely. The password is shown only once. Assign a role to a managed identity: ```bash # Get the principal ID of a VM's managed identity PRINCIPAL_ID=$(az vm show --name web-01 --resource-group prod-rg \ --query identity.principalId --output tsv) # Assign Storage Blob Data Reader role az role assignment create \ --assignee $PRINCIPAL_ID \ --role "Storage Blob Data Reader" \ --scope /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Storage/storageAccounts/myorgstorage ``` **RBAC** (Role-Based Access Control) uses three elements: a security principal (who), a role definition (what they can do), and a scope (where). Built-in roles include Owner, Contributor, Reader, and many service-specific roles. Always assign the narrowest scope possible. ```bash # List role assignments for a resource group az role assignment list --resource-group prod-rg --output table # List available built-in roles az role definition list --query "[?contains(roleName, 'Storage')].[roleName,description]" --output table ``` ## VNets, Subnets, and NSGs A **Virtual Network (VNet)** is Azure's equivalent of a VPC. It defines an isolated address space within a region. ```bash # Create a VNet az network vnet create \ --resource-group prod-rg \ --name prod-vnet \ --address-prefix 10.0.0.0/16 # Create subnets az network vnet subnet create \ --resource-group prod-rg \ --vnet-name prod-vnet \ --name public-subnet \ --address-prefixes 10.0.1.0/24 az network vnet subnet create \ --resource-group prod-rg \ --vnet-name prod-vnet \ --name private-subnet \ --address-prefixes 10.0.2.0/24 ``` **Network Security Groups (NSGs)** are stateful firewalls applied to subnets or individual NICs. They contain prioritized rules evaluated from lowest to highest number. ```bash # Create an NSG az network nsg create --resource-group prod-rg --name web-nsg # Allow HTTPS inbound az network nsg rule create \ --resource-group prod-rg \ --nsg-name web-nsg \ --name AllowHTTPS \ --priority 100 \ --direction Inbound \ --access Allow \ --protocol Tcp \ --destination-port-ranges 443 # Associate NSG with a subnet az network vnet subnet update \ --resource-group prod-rg \ --vnet-name prod-vnet \ --name public-subnet \ --network-security-group web-nsg ``` **VNet peering** connects two VNets so resources can communicate using private IPs: ```bash az network vnet peering create \ --resource-group prod-rg \ --name prod-to-shared \ --vnet-name prod-vnet \ --remote-vnet /subscriptions/SUB_ID/resourceGroups/shared-rg/providers/Microsoft.Network/virtualNetworks/shared-vnet \ --allow-vnet-access ``` ## Virtual Machines Azure VMs follow a similar sizing pattern to AWS. The naming convention is: `Standard_D4s_v5` means family `D` (general purpose), `4` vCPUs, `s` (premium storage capable), version `5`. Key families: `B` for burstable, `D` for general purpose, `E` for memory-optimized, `F` for compute-optimized, `N` for GPU. ```bash # Create a VM az vm create \ --resource-group prod-rg \ --name web-01 \ --image Ubuntu2204 \ --size Standard_D2s_v5 \ --vnet-name prod-vnet \ --subnet private-subnet \ --nsg web-nsg \ --admin-username azureuser \ --generate-ssh-keys \ --assign-identity \ --output table ``` The `--assign-identity` flag creates a system-assigned managed identity automatically. List available VM sizes for a region: ```bash az vm list-sizes --location eastus --query "[?contains(name, 'Standard_D')]" --output table ``` Check VM status: ```bash az vm get-instance-view --resource-group prod-rg --name web-01 \ --query "[powerState, provisioningState]" --output table ``` ## AKS: Azure Kubernetes Service AKS is Azure's managed Kubernetes. The control plane is free -- you pay only for worker nodes. ```bash # Create a cluster az aks create \ --resource-group prod-rg \ --name prod-cluster \ --node-count 3 \ --node-vm-size Standard_D4s_v5 \ --network-plugin azure \ --vnet-subnet-id /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Network/virtualNetworks/prod-vnet/subnets/private-subnet \ --enable-managed-identity \ --generate-ssh-keys # Get credentials for kubectl az aks get-credentials --resource-group prod-rg --name prod-cluster # Scale the node pool az aks scale --resource-group prod-rg --name prod-cluster --node-count 5 # Enable the cluster autoscaler az aks update --resource-group prod-rg --name prod-cluster \ --enable-cluster-autoscaler \ --min-count 2 --max-count 10 ``` Add a second node pool for different workloads: ```bash az aks nodepool add \ --resource-group prod-rg \ --cluster-name prod-cluster \ --name gpupool \ --node-count 1 \ --node-vm-size Standard_NC6s_v3 \ --labels workload=gpu ``` Check cluster health: ```bash az aks show --resource-group prod-rg --name prod-cluster \ --query "[provisioningState,powerState]" --output table ``` ## Azure SQL Azure SQL Database is a managed relational database. It offers single databases, elastic pools (multiple databases sharing resources), and managed instances (closer to full SQL Server compatibility). ```bash # Create a SQL server az sql server create \ --resource-group prod-rg \ --name myorg-sql-server \ --admin-user sqladmin \ --admin-password "$(openssl rand -base64 24)" # Create a database az sql db create \ --resource-group prod-rg \ --server myorg-sql-server \ --name app-db \ --edition GeneralPurpose \ --compute-model Serverless \ --auto-pause-delay 60 \ --min-capacity 0.5 \ --max-size 32GB # Configure firewall rules az sql server firewall-rule create \ --resource-group prod-rg \ --server myorg-sql-server \ --name AllowAzureServices \ --start-ip-address 0.0.0.0 \ --end-ip-address 0.0.0.0 ``` For production, use private endpoints instead of firewall rules to keep traffic on the Azure backbone. ## Blob Storage Azure Blob Storage is the equivalent of S3. Blobs live inside containers (not to be confused with Docker containers), which live inside storage accounts. ```bash # Create a storage account az storage account create \ --resource-group prod-rg \ --name myorgstorage2026 \ --sku Standard_LRS \ --kind StorageV2 \ --min-tls-version TLS1_2 # Create a container az storage container create \ --account-name myorgstorage2026 \ --name backups \ --auth-mode login # Upload a file az storage blob upload \ --account-name myorgstorage2026 \ --container-name backups \ --name db/backup-2026-02-22.sql.gz \ --file ./backup.sql.gz \ --auth-mode login # List blobs az storage blob list \ --account-name myorgstorage2026 \ --container-name backups \ --auth-mode login --output table ``` **Access tiers** control cost: Hot (frequent access), Cool (infrequent, lower storage cost), Cold (rare access), and Archive (cheapest, hours to rehydrate). Set lifecycle management policies to tier automatically: ```bash az storage account management-policy create \ --account-name myorgstorage2026 \ --resource-group prod-rg \ --policy '{ "rules": [{ "name": "archive-old-backups", "enabled": true, "type": "Lifecycle", "definition": { "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["backups/"]}, "actions": { "baseBlob": { "tierToCool": {"daysAfterModificationGreaterThan": 30}, "tierToArchive": {"daysAfterModificationGreaterThan": 90} } } } }] }' ``` ## Azure Monitor Azure Monitor collects metrics and logs from all Azure resources. It includes Log Analytics for querying logs using KQL (Kusto Query Language). ```bash # List available metrics for a resource az monitor metrics list-definitions \ --resource /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web-01 # Get CPU metrics for a VM az monitor metrics list \ --resource /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web-01 \ --metric "Percentage CPU" \ --interval PT5M \ --start-time 2026-02-22T00:00:00Z \ --end-time 2026-02-22T12:00:00Z # Create an alert rule az monitor metrics alert create \ --resource-group prod-rg \ --name high-cpu-web01 \ --scopes /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web-01 \ --condition "avg Percentage CPU > 80" \ --window-size 5m \ --evaluation-frequency 1m \ --action /subscriptions/SUB_ID/resourceGroups/prod-rg/providers/Microsoft.Insights/actionGroups/ops-team ``` Query logs using the CLI (requires Log Analytics workspace): ```bash az monitor log-analytics query \ --workspace WORKSPACE_ID \ --analytics-query "AzureActivity | where OperationNameValue contains 'delete' | project TimeGenerated, Caller, OperationNameValue | top 10 by TimeGenerated desc" ``` ## Quick Reference: Service Selection | Need | Service | When to use | |---|---|---| | Compute (VMs) | Virtual Machines | Full OS control, custom software | | Containers (Kubernetes) | AKS | K8s workloads, managed control plane | | Relational DB | Azure SQL | Managed SQL Server/PostgreSQL | | Object storage | Blob Storage | Files, backups, static assets | | Identity | Entra ID | All authentication and authorization | | Networking | VNet + NSGs | Isolation, segmentation, filtering | | Monitoring | Azure Monitor | Metrics, logs, alerts | | DNS | Azure DNS | Domain management, private DNS zones |