azure_cloud 48 Q&As

Azure Cloud FAQ & Answers

48 expert Azure Cloud answers researched from official documentation. Every answer cites authoritative sources you can verify.


48 questions
A

Use the command: winget install --exact --id Microsoft.AzureCLI. This installs the current Azure CLI release (2.65 or later as of 2025); since 2.51.0 the installer is 64-bit by default on 64-bit Windows. WinGet ships with Windows 11 and current Windows 10 builds. After installation, close and reopen any open terminal so the updated PATH is picked up. To pin a specific version: winget install --exact --id Microsoft.AzureCLI --version 2.67.0. Verify the installation: az version. Updates are not automatic: run winget upgrade --exact --id Microsoft.AzureCLI (or az upgrade) to move to a newer release, and keep the CLI current because it bundles its own Python runtime and dependencies that receive security fixes.

99% confidence
A

The MSI installer places Azure CLI at C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd on Windows. The installation directory contains the CLI runtime, its private Python interpreter, and all Azure CLI modules. You can run commands with the full path immediately after installation, without restarting: "C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" login. After reopening your terminal, the plain az command works because the installer adds the wbin directory to the system PATH. Configuration and cached credentials live in %USERPROFILE%\.azure\ (config, azureProfile.json and the MSAL token cache); treat that directory as sensitive, because anyone who can read it can reuse your cached tokens. In scripts, call the full path so the script does not depend on the caller's PATH.

99% confidence
A

The error (SkuNotAvailable) means the requested VM size cannot be deployed for your subscription in that region or zone, either because the region has no capacity for it right now or because the SKU is restricted for your subscription. Solutions: (1) Check which sizes are offered and whether a restriction applies: az vm list-skus --location westus2 --size Standard_D --all --output table and read the Restrictions column (NotAvailableForSubscription means a support request is needed, not a retry); (2) Try another region, for example eastus2, centralus, northeurope, westeurope; (3) Switch to a smaller size in the same family (Standard_D2s_v5 instead of Standard_D4s_v5) or to a neighbouring family; (4) Remove the availability-zone pin or choose a different zone, since capacity is tracked per zone; (5) Wait and retry, because capacity is dynamic; (6) Use On-demand Capacity Reservations to hold capacity for critical workloads; (7) Open a support request when the SKU is restricted for the subscription. Troubleshooting guide: https://aka.ms/azureskunotavailable.

99% confidence
A

MissingSubscriptionRegistration error occurs when your Azure subscription is not registered to use a specific resource provider namespace. Resource providers are Azure services that manage resources (like Microsoft.Compute for VMs, Microsoft.Network for networks, Microsoft.Storage for storage). When you first use a resource type, the provider must be registered with your subscription. Common providers requiring registration: Microsoft.Compute, Microsoft.Network, Microsoft.Storage, Microsoft.Web, Microsoft.KeyVault. Registration is automatic in Azure Portal for most providers but may be required when using CLI, PowerShell, or ARM templates.

99% confidence
A

Use 'az provider register --namespace <Namespace> --wait' to register a provider and block until registration completes. Examples: 'az provider register --namespace Microsoft.Compute --wait' (for VMs), 'az provider register --namespace Microsoft.Network --wait' (for networks), 'az provider register --namespace Microsoft.Storage --wait' (for storage). Check registration status with 'az provider show --namespace Microsoft.Compute --query registrationState --output tsv', which returns NotRegistered, Registering, Registered, Unregistering or Unregistered. Registration usually takes 1-2 minutes. List every provider with its state: 'az provider list --query "[].{Namespace:namespace, State:registrationState}" --output table'; to inspect one provider in the same list: 'az provider list --query "[?namespace=='Microsoft.Compute']" --output table'. Registering requires the */register/action permission at subscription scope, which Contributor and Owner include.

99% confidence
A

Use 'Register-AzResourceProvider -ProviderNamespace <Namespace>' to register a provider. Examples: 'Register-AzResourceProvider -ProviderNamespace Microsoft.Compute' (for VMs), 'Register-AzResourceProvider -ProviderNamespace Microsoft.Network' (for networks), 'Register-AzResourceProvider -ProviderNamespace Microsoft.Storage' (for storage). Check status: 'Get-AzResourceProvider -ProviderNamespace Microsoft.Compute | Select-Object ProviderNamespace, RegistrationState'. List all providers with status: 'Get-AzResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState'. It is possible to pipe that list into Register-AzResourceProvider to register everything, but register only the namespaces you actually use: each registered provider widens what the subscription can deploy, and some providers cannot be registered without prerequisites. Requires the */register/action permission at subscription scope (included in Contributor and Owner). Registration takes 1-2 minutes.

99% confidence
A

Navigate to Azure Portal → search 'Subscriptions' → select your subscription → 'Resource providers' in left menu. Search for the required provider (e.g., Microsoft.Compute, Microsoft.Network). Providers show registration status: NotRegistered, Registering, or Registered. Click provider name → click 'Register' button at top. Registration takes 1-2 minutes and status updates automatically. Most providers auto-register when creating resources via Portal. Manual registration needed for: CLI/PowerShell deployments, ARM templates, first-time resource types. Common providers: Microsoft.Compute (VMs), Microsoft.Network (VNets, NSGs), Microsoft.Storage (storage accounts), Microsoft.Web (App Services), Microsoft.KeyVault (Key Vault). Portal method is easiest for beginners.

99% confidence
A

Large, long-established regions such as East US 2, West US 2, Central US, North Europe, West Europe and Southeast Asia usually have the broadest SKU selection and deepest capacity, receive new services early, and offer availability zones. Even there, some VM families are quota-limited per subscription, so a quota increase (a support request) may be needed before you can deploy at scale. Many regions offer availability zones (for example East US 2, West US 2, Central US, West Europe, France Central); check the regions list for your target. Check SKU availability: az vm list-skus --location eastus2 --output table. Balance the factors: price (varies by region; compare in the pricing calculator), latency (proximity to users), data residency, redundancy (zones and region pairs), and capacity. Smaller or newer regions may have limited SKU selections. Always verify capacity and quota before production deployments.

99% confidence
A

Use az login --use-device-code. The CLI prints a short user code and the URL https://microsoft.com/devicelogin; open the URL in any browser (on any device), enter the code, and sign in. The CLI polls Microsoft Entra ID until the sign-in completes. Use cases: headless servers, SSH sessions without X11 forwarding, WSL, Docker containers, and restricted-browser environments. It is an interactive flow, so it is not suitable for CI/CD: there, use a service principal (az login --service-principal) or, better, workload identity federation (az login --service-principal -u <app-id> --tenant <tenant-id> --federated-token <token>) so no long-lived secret is stored. For a specific tenant: az login --use-device-code --tenant <tenant-id>. The resulting refresh token is cached in ~/.azure (MSAL token cache) until it expires (90 days of inactivity by default) or you run az logout, so protect that directory. Device code is the OAuth 2.0 device authorization grant. Because users are used to typing codes at the Microsoft URL, the flow is also abused for device-code phishing; where it is not needed, block it with a Conditional Access policy on authentication flows.

99% confidence
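The exchange behind az login --use-device-code, as an added example (not part of the original answer and not Microsoft code): an in-process stand-in for the authorization server and a client that polls it, following the OAuth 2.0 device authorization grant (RFC 8628). The verification URL is the real one the CLI shows; codes, intervals and the clock are constructed so the simulation runs offline.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) that
`az login --use-device-code` uses. Both sides run in-process; no network.
The authorization server here is a constructed stand-in, not Microsoft Entra ID."""
import secrets
import string
import time


class FakeClock:
    """Deterministic clock for the simulation; sleep() just advances time."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Minimal authorization server: issues device/user codes, lets a user
    approve a user_code, and answers the client's token polls."""

    def __init__(self, interval=5, lifetime=900, clock=time.monotonic):
        self.interval = interval          # minimum seconds between polls
        self.lifetime = lifetime          # seconds until the device code expires
        self.clock = clock
        self._pending = {}                # device_code -> state dict

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        # Short code the human types in at the verification URL (constructed format).
        user_code = "".join(secrets.choice(string.ascii_uppercase) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved": False, "expires_at": self.clock() + self.lifetime,
            "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code):
        """Called after the user signs in at the verification URL and enters the code."""
        for state in self._pending.values():
            if state["user_code"] == user_code and self.clock() < state["expires_at"]:
                state["approved"] = True
                return True
        return False

    def token(self, device_code):
        state = self._pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= state["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < self.interval:
            state["last_poll"] = now
            return {"error": "slow_down"}          # client polled too fast: back off
        state["last_poll"] = now
        if not state["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]            # device code is single use
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": 3600, "scope": state["scope"]}


def device_code_login(server, client_id, scope, sleep, max_polls=100):
    """Client side: request codes, show them, poll until a token arrives.
    `sleep` is injected so the simulation can run without real delays."""
    resp = server.device_authorization(client_id, scope)
    print(f"To sign in, open {resp['verification_uri']} and enter the code {resp['user_code']}")
    interval = resp["interval"]
    for _ in range(max_polls):
        sleep(interval)
        tok = server.token(resp["device_code"])
        err = tok.get("error")
        if err is None:
            return tok
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5                         # RFC 8628: increase the polling interval
            continue
        raise RuntimeError(f"device code login failed: {err}")
    raise RuntimeError("gave up polling")
```

The security-relevant property is visible in approve(): the server binds approval to whichever user types the code, not to the device that requested it. That is exactly what device-code phishing exploits, which is why blocking the flow where it is not needed is worthwhile.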
A

Azure Sponsorship provides a pre-allocated credit balance (amounts vary by programme; $100-$150 is typical for student and non-profit grants) that covers usage at standard Pay-As-You-Go rates until the credit is used up. Key differences: Payment model - Sponsorship draws down credits, Pay-As-You-Go bills a payment method directly; Billing - Sponsorship has a spending cap and no surprise charges, Pay-As-You-Go charges for whatever is used with no built-in limit; Duration - Sponsorship ends when credits are exhausted or the term expires, Pay-As-You-Go continues indefinitely; Conversion - a Sponsorship subscription can be converted to Pay-As-You-Go when credits run out; Limitations - Sponsorship cannot be combined with other offers (Enterprise Agreement, CSP, Azure Pass, Action Pack). Ideal for: Sponsorship for learning, testing and non-profits; Pay-As-You-Go for production workloads with fluctuating usage. Check the balance under Cost Management + Billing in the Azure Portal.

99% confidence
A

Azure resource provider registration takes 1-2 minutes typically. Register and wait: az provider register --namespace Microsoft.Compute --wait (blocks until completion). Check status: az provider show --namespace Microsoft.Compute --query registrationState --output tsv. Status values: NotRegistered (not registered), Registering (in progress), Registered (ready for use). Proceed with resource creation only when status is Registered. List all providers with status: az provider list --query "[].{Namespace:namespace, State:registrationState}" --output table. PowerShell equivalent: Register-AzResourceProvider -ProviderNamespace Microsoft.Compute; Get-AzResourceProvider -ProviderNamespace Microsoft.Compute. Portal method: Subscriptions → Resource providers → Select provider → Register button. Requires Contributor or Owner role. No cost for registration. Registration is subscription-scoped, not resource group-scoped.

99% confidence
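The register-then-wait procedure from the provider-registration answers above, written as an idempotent helper. This is an added example, not Azure tooling: it parses the JSON that az provider list prints, registers only the namespaces that are missing, and polls the registration state with a timeout instead of relying on a blocking --wait. The provider namespaces are real; the sample JSON is constructed, and the az() wrapper (which shells out to the real CLI) is only used from the main block.

```python
"""Idempotent resource-provider registration helper (added example)."""
import json
import subprocess
import time

# Constructed excerpt of:
#   az provider list --query "[].{namespace:namespace,state:registrationState}" --output json
SAMPLE_PROVIDER_LIST = json.dumps([
    {"namespace": "Microsoft.Compute", "state": "Registered"},
    {"namespace": "Microsoft.Network", "state": "NotRegistered"},
    {"namespace": "Microsoft.KeyVault", "state": "Registering"},
])


def registration_states(provider_list_json):
    """Map namespace -> registrationState (namespace compared case-insensitively)."""
    return {p["namespace"].lower(): p["state"] for p in json.loads(provider_list_json)}


def providers_to_register(provider_list_json, required):
    """Required namespaces that are neither Registered nor already Registering."""
    states = registration_states(provider_list_json)
    return [ns for ns in required
            if states.get(ns.lower(), "NotRegistered") not in ("Registered", "Registering")]


def wait_until_registered(namespace, poll, timeout=300, interval=10, sleep=time.sleep):
    """Poll until poll(namespace) == 'Registered' or the timeout elapses.
    `poll` and `sleep` are injectable so the logic is testable without the CLI."""
    waited = 0
    while True:
        if poll(namespace) == "Registered":
            return True
        if waited >= timeout:
            return False
        sleep(interval)
        waited += interval


def az(*args):
    """Run a real az CLI command and return its stdout as JSON text."""
    return subprocess.run(["az", *args, "--output", "json"], check=True,
                          capture_output=True, text=True).stdout


def az_registration_state(namespace):
    return json.loads(az("provider", "show", "--namespace", namespace,
                         "--query", "registrationState"))


def ensure_registered(required, list_json=None, register=None, poll=None, sleep=time.sleep):
    """Register the missing providers, then wait for each required one.
    Returns (namespaces registered by this call, namespaces that timed out)."""
    if list_json is None:
        list_json = az("provider", "list",
                       "--query", "[].{namespace:namespace,state:registrationState}")
    register = register or (lambda ns: az("provider", "register", "--namespace", ns))
    poll = poll or az_registration_state
    missing = providers_to_register(list_json, required)
    for ns in missing:
        register(ns)
    failed = [ns for ns in required if not wait_until_registered(ns, poll, sleep=sleep)]
    return missing, failed


if __name__ == "__main__":
    newly, timed_out = ensure_registered(["Microsoft.Compute", "Microsoft.Network"])
    print("registered now:", newly, "timed out:", timed_out)
```

Registering only what a deployment needs, rather than every provider, keeps the subscription's deployable surface small; the helper therefore takes an explicit list.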
A

Resource groups are mandatory logical containers for Azure resources. Every Azure resource must belong to exactly one resource group - no exceptions. Benefits: (1) Organization - group related resources (VM + disk + NIC + NSG); (2) Access Control - assign RBAC permissions at resource group level for inheritance; (3) Cost Tracking - view aggregated costs for all resources; (4) Lifecycle Management - delete resource group deletes all contained resources; (5) Tagging - apply tags for billing, environment separation; (6) Policy Enforcement - apply Azure Policy at resource group scope. Create command: az group create --name myResourceGroup --location eastus2. Resource group location stores metadata only, not resources. Resources within can be in different regions. Delete group: az group delete --name myResourceGroup --yes --no-wait (deletes all resources). Resource groups cannot be nested. Best practice: one resource group per application environment (app-prod-rg, app-dev-rg).

99% confidence
A

Hot tier is optimized for frequent access with highest storage costs but lowest access costs. Best for: active workloads, frequently accessed files, data requiring low-latency access, web applications serving content, active databases, frequently accessed media files. Characteristics: data available for immediate read/write, millisecond latency, highest per-GB storage cost, lowest per-10,000 transaction cost. Ideal when access frequency exceeds once per month. Automatic tiering available to move infrequently accessed data to lower-cost tiers. Use for production workloads where performance is critical and data access patterns are predictable.

99% confidence
A

Cool tier balances storage and access costs for infrequently accessed data. Best for: short-term backup, disaster recovery data, training datasets, batch processing results, media content accessed occasionally, older customer orders. Characteristics: lower per-GB storage cost than Hot, higher per-transaction and data-retrieval cost than Hot, data online with millisecond latency, and an early-deletion charge if a blob is deleted or moved to another tier before 30 days. Suited to data accessed less than once a month but more than once a quarter. Lifecycle management policies can move blobs between Hot and Cool automatically, by age or by last access time.

99% confidence
A

Cold tier is an online tier for rarely accessed data with lower storage costs than Cool. Best for: long-term retention that must stay readable, compliance data, rarely accessed backups, historical datasets, legal-hold data. Characteristics: lowest storage cost of the online tiers (only Archive is cheaper), data available immediately with millisecond latency (unlike Archive, no rehydration), higher per-transaction and retrieval costs than Cool, early-deletion charge if a blob is deleted or moved before 90 days. Differs from Cool: lower storage cost but higher access cost; retrieval time is the same, because both tiers are online. Designed for data accessed less than once a quarter that must remain immediately readable.

99% confidence
A

Archive tier provides the lowest storage cost for offline data at the price of retrieval latency. Best for: long-term archival, compliance retention, rarely accessed data, bulk data storage, cold backups. Characteristics: lowest per-GB storage cost of all tiers, highest retrieval cost, data must be rehydrated to an online tier before it can be read (standard priority can take up to 15 hours; high priority typically under an hour for objects below 10 GB), early-deletion charge if a blob is deleted or moved before 180 days. Use when data is accessed less than once a year and a retrieval delay is acceptable. Suited to regulatory retention, disaster-recovery archives, and complete dataset retention where immediate access is not required.

99% confidence
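The four tiers above are usually combined through a lifecycle-management policy. As an added example (not from the original page), this builds such a policy for blobs under a prefix and checks the schedule against the early-deletion minimums (30 days in Cool, 90 in Cold, 180 in Archive) so no blob is moved or deleted before its tier's minimum. The JSON layout is the one accepted by az storage account management-policy create --policy @policy.json; the container name and prefix are constructed, and the tierToCold action assumes an API version that supports the Cold tier.

```python
"""Lifecycle policy builder with early-deletion checks (added example)."""
import json

# Documented minimum days in each tier before a move/delete is charge-free.
MIN_DAYS = {"cool": 30, "cold": 90, "archive": 180}


def build_lifecycle_policy(prefix, cool_days, cold_days, archive_days, delete_days,
                           rule_name="tier-down"):
    """Return the policy document as a dict; raise ValueError if the schedule is
    out of order or would incur early-deletion charges."""
    schedule = [("cool", cool_days), ("cold", cold_days), ("archive", archive_days)]
    previous_day = 0
    for tier, day in schedule:
        if day <= previous_day:
            raise ValueError(f"{tier} threshold {day} must be later than {previous_day}")
        previous_day = day
    if delete_days <= archive_days:
        raise ValueError("delete must come after the archive threshold")
    # Each tier must hold the blob for at least its minimum before the next step.
    steps = schedule + [("delete", delete_days)]
    for (tier, day), (_, next_day) in zip(steps, steps[1:]):
        if next_day - day < MIN_DAYS[tier]:
            raise ValueError(f"{tier} needs {MIN_DAYS[tier]} days; only {next_day - day} scheduled")
    return {
        "rules": [{
            "enabled": True,
            "name": rule_name,
            "type": "Lifecycle",
            "definition": {
                "actions": {
                    "baseBlob": {
                        "tierToCool": {"daysAfterModificationGreaterThan": cool_days},
                        "tierToCold": {"daysAfterModificationGreaterThan": cold_days},
                        "tierToArchive": {"daysAfterModificationGreaterThan": archive_days},
                        "delete": {"daysAfterModificationGreaterThan": delete_days},
                    }
                },
                # Filters are container-qualified: "<container>/<prefix>".
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
            },
        }]
    }


def policy_json(policy):
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Hot for 30 days, Cool until day 120, Cold until day 210, Archive until day 400.
    print(policy_json(build_lifecycle_policy("auditlogs/2025/", 30, 120, 210, 400)))
```

A schedule such as 30/60/120/365 looks reasonable but fails the check: the blob would leave Cold after only 60 days and be charged for the remaining 30.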
A

Azure Virtual Network (VNet) is the fundamental building block for private networks in Azure, providing software-defined networking with full control of the IP address space. Core capabilities: (1) Isolation - a dedicated private address space (normally RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that is segmented from every other VNet; (2) Segmentation - divide the VNet into subnets for security zones; (3) Internet Connectivity - inbound via a Public IP or Load Balancer; outbound historically worked without configuration through default outbound access, which Microsoft is retiring for new VNets, so give workloads an explicit outbound path (NAT Gateway, Load Balancer outbound rules, or a public IP); (4) Azure Resource Communication - VMs, App Services, AKS and other services communicate within the VNet; (5) Traffic Filtering - Network Security Groups (NSGs) and Azure Firewall; (6) Routing Control - User Defined Routes (UDR) and network virtual appliances; (7) On-Premises Integration - VPN Gateway or ExpressRoute for hybrid connectivity; (8) VNet Peering - connect VNets within and across regions with low latency. Create: az network vnet create --name myVNet --resource-group myRG --address-prefix 10.0.0.0/16. VNets themselves are free; you pay for egress bandwidth and for attached services such as gateways and NAT Gateway.

99% confidence
A

NSG rules filter network traffic using 5-tuple information: source IP address, source port, destination IP address, destination port, and protocol (TCP, UDP, ICMP, or Any, written as '*'). Each rule specifies an Allow or Deny action. Inbound and outbound traffic are evaluated by separate rule sets. Once a matching rule is found, processing stops (first-match behaviour). NSGs are stateful: the reply traffic for an allowed flow is permitted without a matching rule in the other direction. Source and destination can be an IP address or CIDR range, a service tag (for example Internet, VirtualNetwork, AzureLoadBalancer, Storage, AzureCloud), or an application security group; '*' matches any IP, port, or protocol. NSGs can be associated with a subnet, a network interface, or both, in which case traffic must be allowed by both sets of rules.

99% confidence
A

NSG rules are processed by priority number (100-4096), with lower numbers processed first. Once a matching rule is found, processing stops - no further rules are evaluated. Best practice: leave gaps between priority numbers (100, 200, 300) for future rules. Azure default rules have priorities 65000+ and can't be changed. Custom rules should use 100-4096 range. Priority 100 = highest priority, 4096 = lowest. Rule evaluation order is critical for security - a deny rule at priority 200 won't be checked if an allow rule at priority 100 matches first.

99% confidence
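The evaluation order described in the two NSG answers above, as an added example (not page or Azure code): it evaluates constructed rules the way Azure does (lowest priority number first, first match wins, then the default rules at 65000+) and, more usefully, reports custom rules that can never match because a higher-priority rule covers everything they would match. Service-tag ranges here are a constructed table, not Azure's real address lists; the rule fields mirror what az network nsg rule list shows.

```python
"""NSG inbound rule evaluator and shadowed-rule finder (added example)."""
import ipaddress

# Constructed stand-ins for the ranges a service tag expands to.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

# Azure's default inbound rules; their priorities (65000+) cannot be changed.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "source_port": "*", "dest": "VirtualNetwork", "dest_port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "source": "AzureLoadBalancer", "source_port": "*", "dest": "*", "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "source_port": "*", "dest": "*", "dest_port": "*"},
]

# Constructed custom rules: the deny at 200 is shadowed by the allow at 100.
RULES = [
    {"name": "AllowAnyHTTPS", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": "*", "source_port": "*", "dest": "*", "dest_port": "443"},
    {"name": "DenyBadActorHTTPS", "priority": 200, "access": "Deny", "protocol": "Tcp",
     "source": "203.0.113.0/24", "source_port": "*", "dest": "*", "dest_port": "443"},
    {"name": "AllowSSHFromBastionSubnet", "priority": 300, "access": "Allow", "protocol": "Tcp",
     "source": "10.0.1.0/24", "source_port": "*", "dest": "*", "dest_port": "22"},
]


def _nets(spec):
    """Expand '*', a service tag, or a CIDR into a list of networks."""
    if spec == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n, strict=False) for n in SERVICE_TAGS.get(spec, [spec])]


def _ranges(spec):
    """'*' -> all ports; '22-23,3389' -> [(22, 23), (3389, 3389)]."""
    if spec == "*":
        return [(0, 65535)]
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


def _proto_ok(rule_proto, other):
    return rule_proto == "*" or rule_proto.lower() == other.lower()


def rule_matches(rule, pkt):
    src, dst = ipaddress.ip_address(pkt["src_ip"]), ipaddress.ip_address(pkt["dst_ip"])
    return (_proto_ok(rule["protocol"], pkt["protocol"])
            and any(src in n for n in _nets(rule["source"]))
            and any(lo <= pkt["src_port"] <= hi for lo, hi in _ranges(rule["source_port"]))
            and any(dst in n for n in _nets(rule["dest"]))
            and any(lo <= pkt["dst_port"] <= hi for lo, hi in _ranges(rule["dest_port"])))


def evaluate(rules, pkt):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule_matches(rule, pkt):
            return rule["access"], rule["name"]
    raise AssertionError("DenyAllInBound always matches")


def _ip_covers(a, b):
    return all(any(bn.subnet_of(an) for an in _nets(a)) for bn in _nets(b))


def _port_covers(a, b):
    return all(any(alo <= blo and bhi <= ahi for alo, ahi in _ranges(a)) for blo, bhi in _ranges(b))


def shadows(a, b):
    """True if rule a has a higher priority than b and matches every packet b would."""
    return (a["priority"] < b["priority"] and _proto_ok(a["protocol"], b["protocol"])
            and _ip_covers(a["source"], b["source"]) and _port_covers(a["source_port"], b["source_port"])
            and _ip_covers(a["dest"], b["dest"]) and _port_covers(a["dest_port"], b["dest_port"]))


def shadowed_rules(rules):
    """List of (shadowed_rule, shadowing_rule) pairs: the first can never take effect."""
    return [(b["name"], a["name"]) for b in rules for a in rules if a is not b and shadows(a, b)]
```

Running shadowed_rules over an exported NSG is a cheap review step: a Deny that sits below a broader Allow is a configuration that looks protective in the portal and does nothing on the wire.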
A

Deployment slots are live apps with their own hostnames running in the same App Service plan, enabling zero-downtime deployments through slot swapping. Benefits: (1) Zero Downtime - deploy to staging, validate, swap into production without interruption; (2) Warm-Up - the slot is already running, so production receives warmed instances on swap; (3) Rollback - swap back instantly if a problem appears; (4) Validation - test in a production-like environment before go-live; (5) Settings Management - settings marked as deployment slot settings (sticky) stay with their slot, so production connection strings, keys and feature flags are not carried into staging or vice versa. A swap re-points traffic by exchanging the slots' routing; nothing is copied, and the staging hostname stays internet-reachable unless you restrict it with access restrictions or a private endpoint. Tier requirements: Standard (5 slots), Premium/PremiumV2/PremiumV3 (20 slots). No additional cost - slots share the App Service plan's resources. Swap command: az webapp deployment slot swap --name myApp --resource-group myRG --slot staging. Best practice: staging → production workflow driven by CI/CD, with secrets kept in sticky settings or Key Vault references.

99% confidence
A

Triggers define how a function is invoked - every function must have exactly one trigger. Types: HTTP (REST APIs, webhooks), Timer (scheduled execution), Queue (Service Bus, Azure Storage), Blob (file operations), Event Hub (streaming data), Event Grid (reactive events), Cosmos DB (database changes), Service Bus (messaging), SignalR (real-time). Each trigger type has specific binding configurations and trigger patterns. HTTP triggers support authentication and authorization. Timer triggers use CRON expressions for scheduling. Queue triggers process messages automatically. Essential for event-driven serverless architectures.

99% confidence
A

Bindings are declarative connections to data sources and services, eliminating boilerplate code for integration. Input bindings read data into function parameters, output bindings write function results. Functions can have multiple bindings of each type. Supported services: Storage (blobs, queues, tables), Cosmos DB, SQL, Service Bus, Event Hubs, Event Grid, SignalR, HTTP, Twilio, SendGrid. Bindings handle authentication, serialization, and connection management automatically. Use connection strings or managed identities for credentials. Direction property (in/out) specifies data flow. Essential for building integration-focused serverless applications.

99% confidence
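The binding rules in the two Functions answers above (exactly one trigger per function, direction in/out, connection settings referenced by name) can be checked mechanically before deployment. As an added example (not Functions host code and not from the original page), this validates a function.json document and flags a common secret leak: a connection property that holds a connection string instead of the name of an app setting. Both sample documents are constructed.

```python
"""function.json binding validator (added example)."""
import json

VALID_DIRECTIONS = {"in", "out", "inout"}

# Constructed: a queue-triggered function that writes a blob; connections are setting names.
GOOD_FUNCTION_JSON = json.dumps({
    "bindings": [
        {"name": "msg", "type": "queueTrigger", "direction": "in",
         "queueName": "orders", "connection": "AzureWebJobsStorage"},
        {"name": "outputBlob", "type": "blob", "direction": "out",
         "path": "processed/{queueTrigger}.json", "connection": "OrdersStorage"},
    ]
})

# Constructed: two triggers, a trigger with the wrong direction, and an inline secret.
BAD_FUNCTION_JSON = json.dumps({
    "bindings": [
        {"name": "msg", "type": "queueTrigger", "direction": "out",
         "queueName": "orders", "connection": "AzureWebJobsStorage"},
        {"name": "timer", "type": "timerTrigger", "direction": "in", "schedule": "0 */5 * * * *"},
        {"name": "outputBlob", "type": "blob", "direction": "out", "path": "processed/{id}.json",
         "connection": "DefaultEndpointsProtocol=https;AccountName=constructed;AccountKey=REDACTED-CONSTRUCTED"},
    ]
})


def validate_bindings(function_json):
    """Return a list of problems; an empty list means the document passes."""
    doc = json.loads(function_json)
    bindings = doc.get("bindings", [])
    problems = []
    triggers = [b for b in bindings if b.get("type", "").endswith("Trigger")]
    if len(triggers) != 1:
        problems.append(f"expected exactly one trigger, found {len(triggers)}")
    for b in bindings:
        name = b.get("name", "<unnamed>")
        direction = b.get("direction")
        if direction not in VALID_DIRECTIONS:
            problems.append(f"{name}: direction {direction!r} is not in/out/inout")
        if b in triggers and direction != "in":
            problems.append(f"{name}: trigger bindings must have direction 'in'")
        conn = b.get("connection")
        # 'connection' must be the *name* of an app setting (e.g. "AzureWebJobsStorage").
        # A value containing '=' or ';' is an inline connection string: a secret checked into source.
        if conn is not None and any(ch in conn for ch in "=;"):
            problems.append(f"{name}: 'connection' holds an inline connection string, not a setting name")
    return problems
```

Pairing the named setting with an identity-based connection (the setting name plus a __accountName suffix, resolved through managed identity) removes the account key entirely; the validator only ensures no key has been pasted where a name belongs.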
A

Use Azure Managed Identities for credential-free Key Vault access (the recommended approach). Setup: (1) Enable a managed identity on the resource: az webapp identity assign --name myApp --resource-group myRG (the output includes the identity's principalId); (2) Grant Key Vault access via RBAC (recommended over legacy access policies): az role assignment create --role "Key Vault Secrets User" --assignee <principal-id> --scope /subscriptions/.../vaults/myKeyVault; (3) Use the Azure SDK with DefaultAzureCredential: from azure.identity import DefaultAzureCredential; from azure.keyvault.secrets import SecretClient; credential = DefaultAzureCredential(); client = SecretClient(vault_url="https://mykeyvault.vault.azure.net", credential=credential); secret = client.get_secret("mySecret"). DefaultAzureCredential tries several credential sources in turn (environment variables, workload identity, managed identity, developer tools), so in production pin it to the intended identity (managed_identity_client_id=...) or use ManagedIdentityCredential directly. App Service alternative: Key Vault references in app settings, @Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/mySecret/), resolved with the app's managed identity. Best practices: use RBAC over legacy access policies, enable soft delete and purge protection, send audit logs to Log Analytics, and restrict network access with firewall rules or private endpoints. Never put connection strings or API keys in code or plain app settings.

99% confidence
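The Key Vault reference syntax above is easy to get subtly wrong, and an app setting that still carries a raw key defeats the point of the identity-based setup. As an added example (not from the original page and not App Service code), this parses both reference forms App Service accepts (SecretUri and VaultName/SecretName/SecretVersion), rejects malformed ones, and flags settings that look like plaintext secrets. The settings dictionary and vault name are constructed; the detection patterns are heuristics.

```python
"""Key Vault reference parser and app-settings audit (added example)."""
import re
from urllib.parse import urlparse

REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
# Heuristic markers of credentials that should never sit in a plain app setting.
PLAINTEXT_SECRET_RE = re.compile(r"(AccountKey=|SharedAccessKey=|Password=|pwd=|sig=)", re.IGNORECASE)

# Constructed app settings as `az webapp config appsettings list` might show them.
APP_SETTINGS = {
    "DB_PASSWORD": "@Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/mySecret/)",
    "QUEUE_CONN": "@Microsoft.KeyVault(VaultName=mykeyvault;SecretName=queueconn;SecretVersion=abc123)",
    "STORAGE_CONN": "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=REDACTED-CONSTRUCTED",
    "BROKEN_REF": "@Microsoft.KeyVault(SecretUri=http://mykeyvault.vault.azure.net/mysecret)",
    "LOG_LEVEL": "Information",
}


def parse_keyvault_reference(value):
    """Return {'vault', 'secret', 'version'} for a Key Vault reference, None if the
    value is not a reference at all, and raise ValueError if it is a malformed one."""
    m = REF_RE.match(value.strip())
    if not m:
        return None
    body = m.group("body")
    if body.startswith("SecretUri="):
        uri = body[len("SecretUri="):]
        u = urlparse(uri)
        parts = [p for p in u.path.split("/") if p]
        # A valid secret URI is https://<vault>.vault.azure.net/secrets/<name>[/<version>]
        if u.scheme != "https" or not u.hostname or len(parts) < 2 or parts[0] != "secrets":
            raise ValueError(f"malformed SecretUri: {uri}")
        return {"vault": u.hostname.split(".")[0], "secret": parts[1],
                "version": parts[2] if len(parts) > 2 else None}
    fields = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    if "VaultName" not in fields or "SecretName" not in fields:
        raise ValueError(f"reference needs VaultName and SecretName: {body}")
    return {"vault": fields["VaultName"], "secret": fields["SecretName"],
            "version": fields.get("SecretVersion")}


def audit_app_settings(settings):
    """Return {setting_name: finding} for settings that need attention."""
    findings = {}
    for name, value in settings.items():
        try:
            ref = parse_keyvault_reference(value)
        except ValueError as exc:
            findings[name] = f"malformed Key Vault reference ({exc})"
            continue
        if ref is not None:
            continue                       # resolved from Key Vault at runtime: fine
        if PLAINTEXT_SECRET_RE.search(value):
            findings[name] = "plaintext secret in app setting; move it to Key Vault"
    return findings
```

A reference without a version (the trailing slash form) always resolves to the latest secret version, which is what you want for rotation; a pinned version must be updated by hand after every rotation.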
A

Strong consistency provides linearizability: a read always returns the most recently committed write, regardless of the region it is served from. Characteristics: highest read and write latency, because a write is not acknowledged until it has been durably committed in every region; reads consume roughly twice the request units of session or eventual reads; available for accounts with any number of read regions but not with multi-region writes (a single write region is required). Use cases: financial transactions, inventory management, banking, airline reservations, voting systems - scenarios where consistency matters more than latency and availability. Trade-offs: higher latency that grows with the distance between regions, no multi-region writes, higher cost. Choose it only where the application genuinely cannot tolerate a stale read.

99% confidence
A

Bounded Staleness guarantees reads lag behind writes by at most K versions or T time period. Configurable staleness window (max lag: number of operations or time interval). Characteristics: strong consistency guarantees within bounded window, better performance than Strong, supports multi-region writes. Use cases: social media feeds, messaging apps, collaboration platforms where slightly stale data is acceptable. Example: 100 operations OR 5 seconds staleness means reads will never be more than 5 seconds behind writes. Good balance between consistency and performance for most applications.

99% confidence
A

Session consistency guarantees read-your-writes, monotonic reads, and monotonic writes within a single client session. Characteristics: consistent reads for the same session, eventually consistent across sessions, lower latency and lower RU cost than Strong or Bounded Staleness, supports multi-region writes. It is the default consistency level for new accounts and fits most applications. Use cases: user profiles, shopping carts, order history - any scenario where an individual user must see their own data consistently. The guarantee is carried by a session token that the SDK returns with each response and sends with the next request; to extend a session across processes or services, pass the token along explicitly. Best choice for most web and mobile applications.

99% confidence
A

Consistent Prefix: reads never see out-of-order writes - guarantees ordering within partitions, but may see stale data. Best for use cases requiring write ordering without strict recency. Eventual consistency: weakest level, lowest latency and cost, no ordering guarantees, eventually converges to consistent state across regions. Use cases: social media likes, counters, analytics, IoT telemetry where occasional staleness is acceptable. Eventual provides highest throughput and lowest cost. Both support unlimited scale and multi-region writes with minimal overhead.

99% confidence
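The four consistency answers above describe how far a replica must have caught up before it may answer a read. As an added example (not Cosmos DB code and not from the original page), this toy model assigns each write an increasing log sequence number in the write region, lets other regions apply the log asynchronously, and makes each level decide what a read in a lagging region returns. Region names and values are constructed; consistent prefix is modelled like eventual because the log is applied in order.

```python
"""Toy model of Cosmos DB consistency levels (added example)."""


class Replica:
    def __init__(self, name):
        self.name = name
        self.applied_lsn = 0
        self.data = {}

    def apply(self, log, up_to_lsn):
        """Apply log entries with LSN <= up_to_lsn that this replica has not applied yet."""
        for lsn, key, value in log:
            if self.applied_lsn < lsn <= up_to_lsn:
                self.data[key] = value
                self.applied_lsn = lsn


class Account:
    """Single write region; other regions receive the log via replicate()."""

    def __init__(self, level, regions, max_staleness_ops=None):
        self.level = level                       # strong | bounded_staleness | session | eventual
        self.log = []                            # (lsn, key, value); lsn == position + 1
        self.replicas = {r: Replica(r) for r in regions}
        self.write_region = regions[0]
        self.k = max_staleness_ops               # bounded staleness window, in operations

    @property
    def latest_lsn(self):
        return len(self.log)

    def write(self, key, value):
        """Commit a write in the write region and return a session token (its LSN)."""
        lsn = self.latest_lsn + 1
        self.log.append((lsn, key, value))
        self.replicas[self.write_region].apply(self.log, lsn)
        if self.level == "strong":
            # Strong: the write is only acknowledged once every replica has it.
            for replica in self.replicas.values():
                replica.apply(self.log, lsn)
        return lsn

    def replicate(self, region, up_to_lsn=None):
        """Asynchronous replication step: ship the log to a read region."""
        self.replicas[region].apply(self.log, up_to_lsn or self.latest_lsn)

    def read(self, key, region, session_token=None):
        """Return (value, replica_lsn) as a client in `region` would observe it."""
        replica = self.replicas[region]
        if self.level == "bounded_staleness" and self.latest_lsn - replica.applied_lsn > self.k:
            replica.apply(self.log, self.latest_lsn - self.k)   # never more than K ops behind
        elif self.level == "session" and session_token and replica.applied_lsn < session_token:
            replica.apply(self.log, session_token)              # read-your-writes for this session
        # strong: replicas are never behind; eventual: serve whatever has arrived
        return replica.data.get(key), replica.applied_lsn


def stale_region_read(level, k=None):
    """Three writes in westus, then a read in eastus before any replication ran."""
    acct = Account(level, ["westus", "eastus"], max_staleness_ops=k)
    token = None
    for value in ("1 item", "2 items", "3 items"):
        token = acct.write("cart:alice", value)
    value, _ = acct.read("cart:alice", "eastus", session_token=token)
    return value
```

The session case only looks "strong" because the reader carried the token from its own write; a different client without that token reads eastus as eventual would, which is the cross-client caveat the answer above mentions.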
A

Use ACI (serverless, simple) for: single containers without orchestration, batch jobs, CI/CD build agents, task automation, dev/test environments, short-lived workloads. Benefits: fastest deployment (seconds), per-second billing for the vCPU and memory you request (see the regional price list), no infrastructure management, no cluster overhead. Use AKS (orchestrated, complex) for: microservice architectures, multi-container apps needing coordination, production workloads at scale, auto-scaling (HPA, cluster autoscaler), service meshes, GPU workloads (ML/AI), hybrid deployments, private clusters with network policies. AKS pricing: worker nodes are billed as the VMs they run on; the Free tier control plane costs nothing, while the Standard and Premium tiers bill per cluster hour; node costs can use Azure Savings Plan and Reserved Instances. Key differences: ACI = no orchestration, instant start, pay per second; AKS = full Kubernetes, richer networking and isolation controls, cluster operations to run and patch. For simple tasks: ACI. For production microservices: AKS.

99% confidence
A

LRS (Locally Redundant Storage) creates 3 copies of data within a single datacenter in the primary region. Characteristics: lowest cost, highest performance, protects against drive and rack failures, synchronous replication within datacenter. Use cases: dev/test environments, non-critical applications, local backup, cost-sensitive workloads where regional disaster protection isn't required. Limitations: no protection against datacenter failures or regional disasters. Available for all storage account types. Best choice when cost is primary concern and data can be recreated or has other backup mechanisms.

99% confidence
A

ZRS (Zone Redundant Storage) keeps 3 copies of data spread across separate availability zones within a single region. Characteristics: synchronous replication across zones, protection against a whole-datacenter or zone failure, higher availability than LRS, moderate cost increase. Use cases: production workloads requiring high availability, applications with compliance requirements for zone-level resilience, databases, critical applications. Differs from LRS: zone-level protection instead of a single datacenter, slightly higher write latency, higher cost. ZRS is supported for general-purpose v2, premium block blob and premium file share accounts, and only in regions that have availability zones; legacy general-purpose v1 and Blob Storage accounts cannot use it.

99% confidence
A

GRS (Geo-Redundant Storage) provides LRS in the primary region plus asynchronous replication to the paired secondary region hundreds of miles away. Characteristics: regional disaster protection; the secondary is not readable unless you choose RA-GRS; the account's Last Sync Time shows how far the secondary lags (typically under 15 minutes, but there is no RPO SLA). Use cases: business continuity, disaster recovery, compliance requirements, applications needing geographic resilience. Failover is not automatic: customer-managed (unplanned) failover is initiated by you and loses any writes not yet replicated, while Microsoft-managed failover happens only in a major regional disaster. After a customer-managed failover the account becomes LRS in the new primary and must be re-configured for geo-redundancy. Available for all storage account types. Higher cost than LRS/ZRS. Best for critical workloads requiring regional protection.

99% confidence
A

GZRS (Geo-Zone Redundant Storage) combines ZRS in the primary region with asynchronous geo-replication to a secondary region. Replication process: data is copied synchronously across 3 Azure availability zones in primary region using ZRS, then copied asynchronously to secondary region where it's replicated synchronously using LRS. Total: 6 copies of data (3 in primary across zones, 3 in secondary in one datacenter). Provides maximum protection against both datacenter failures (zone redundancy) and regional disasters (geo-replication). Available for General Purpose v2 and Blob Storage accounts. Highest cost replication option.

99% confidence
A

GZRS provides 99.99999999999999% durability (16 nines) of objects over a given year. This is the highest durability level offered by Azure Storage, the same figure as GRS. The figure rests on layered protection: hardware failures (6 copies in total), zone-level failures (3 zones in the primary region), datacenter failures (LRS copies in the secondary region), and regional disasters (geo-replication to the paired secondary). RPO (Recovery Point Objective): geo-replication is asynchronous, so the secondary typically lags by less than 15 minutes with no RPO SLA; check the account's Last Sync Time. Within the primary region, a committed write is already on all three zones, so a single zone failure loses no data. For read access to the secondary during an outage, use the RA-GZRS variant.

99% confidence
A

Use GZRS for mission-critical workloads requiring maximum durability and availability. Best for: financial services (banking, payments), healthcare data (medical records, patient data), compliance-critical applications, enterprise disaster recovery, production databases, regulatory data retention, any workload where data loss is unacceptable. Choose GZRS when: you need protection against both zone failures AND regional disasters, your workload cannot tolerate data loss, and availability matters more than cost. Cost: the most expensive replication option (per-GB prices vary by region and service; compare in the pricing calculator). Trade-off: higher cost for maximum protection. Not needed for: dev/test, non-critical data, easily recreated data.

99% confidence
A

RA-GZRS (Read-Access Geo-Zone Redundant Storage) extends GZRS by providing read-only access to data in the secondary region. Characteristics: all GZRS benefits plus ability to read from secondary during primary region outage, read endpoint uses '-secondary' suffix (e.g., myaccount-secondary.blob.core.windows.net), secondary data may lag behind primary by 15 minutes or less. Use cases: high-availability read scenarios, disaster recovery testing, geo-distributed applications needing low-latency reads. Cost: slightly higher than GZRS. Secondary region data: read-only until failover occurs. Primary use: applications that need continuous read availability even during regional outages. Check Last Sync Time (LST) to monitor replication lag.

99% confidence
A

Azure RBAC is the authorization system that manages access to Azure resources based on roles. Core principle: grant the minimum permissions required (least privilege). How it works: assign roles to security principals at specific scopes. Role assignments determine access, and permissions are additive across multiple assignments. Evaluation happens when a resource is accessed, checking every assignment at the resource's scope and all parent scopes; child scopes inherit the assignments of their parents. Built-in roles are available (Owner, Contributor, Reader and many service-specific ones), and custom roles can be defined. Identities come from Microsoft Entra ID (formerly Azure AD). Essential for security governance and compliance in Azure environments.

99% confidence
A

Security principals are entities that can be assigned roles: User (an individual Microsoft Entra account), Group (a collection of users, the preferred target for assignments), Service Principal (an application identity for automated access), Managed Identity (an identity Azure manages for a resource so no credentials have to be stored). Role definitions are collections of permissions with assignable scopes. Built-in roles: Owner (full access, including assigning roles), Contributor (full access to manage resources, but cannot assign roles or manage access), Reader (view-only), plus custom roles (user-defined with specific permissions). A role definition lists assignable scopes (management groups, subscriptions, resource groups, resources) and the Actions/NotActions (control plane) and DataActions/NotDataActions (data plane) it grants; NotActions narrow the role, they do not deny anything.

99% confidence
A

RBAC scope follows the Azure resource hierarchy: Management Groups (highest) → Subscriptions → Resource Groups → Resources (lowest). Inheritance rules: an assignment at a higher scope automatically applies to all child scopes. Best practice: assign at the narrowest scope that meets the need; a broad assignment is convenient but also defines the blast radius if that identity is compromised. Example: Reader at subscription level for organisation-wide visibility, Contributor at resource group level for a team that owns one application. Permissions are additive - a user gets the combined permissions of all role assignments at all applicable scopes. Azure RBAC has no user-creatable deny rules: deny assignments exist but are created only by Azure (for example by deployment stacks or Blueprints) to protect managed resources. To block actions, use Azure Policy with a deny effect or resource locks. Scope inheritance keeps the number of assignments manageable while still allowing granular control.

99% confidence
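The evaluation rules from the three RBAC answers above (wildcard Actions minus NotActions, assignments inheriting down the scope hierarchy, additive permissions, group membership) as an added example that is not Azure code and not from the original page. The role definitions are cut-down versions of the built-in ones; subscription, group and principal identifiers are constructed, and the model covers subscription scope and below (management-group scopes are not string prefixes of subscription scopes and are left out).

```python
"""Azure RBAC control-plane decision model (added example)."""
import fnmatch

# Cut-down built-in roles; the real Actions/NotActions lists are longer.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Virtual Machine Contributor": {"Actions": ["Microsoft.Compute/virtualMachines/*"],
                                    "NotActions": []},
}

# Constructed scopes and assignments: (principal_id, role, scope).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_PROD = SUB + "/resourceGroups/app-prod-rg"
RG_SHARED = SUB + "/resourceGroups/shared-rg"
VM_WEB01 = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/web01"
ASSIGNMENTS = [
    ("grp-readers", "Reader", SUB),
    ("alice", "Virtual Machine Contributor", RG_PROD),
    ("bob", "Contributor", SUB),
]
GROUP_MEMBERSHIPS = {"alice": ["grp-readers"]}


def action_matches(pattern, action):
    """Azure wildcard semantics: '*' matches any characters, including '/'; case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role_name, action):
    """A role grants an action if some Actions pattern matches and no NotActions pattern does."""
    role = ROLES[role_name]
    allowed = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not excluded


def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its own scope and at every child scope."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_authorized(principal, action, resource_scope, assignments=ASSIGNMENTS,
                  group_memberships=GROUP_MEMBERSHIPS):
    """Effective permission is the union over every assignment that covers the scope,
    for the principal itself or any group it belongs to."""
    ids = {principal} | set(group_memberships.get(principal, ()))
    return any(role_permits(role, action)
               for pid, role, scope in assignments
               if pid in ids and scope_covers(scope, resource_scope))


def effective_roles(principal, resource_scope, assignments=ASSIGNMENTS,
                    group_memberships=GROUP_MEMBERSHIPS):
    """Roles that apply to the principal at a scope, with the scope each was inherited from."""
    ids = {principal} | set(group_memberships.get(principal, ()))
    return sorted((role, scope) for pid, role, scope in assignments
                  if pid in ids and scope_covers(scope, resource_scope))
```

Note what the model does not have: a way to say "no". The only way to take bob's ability to delete VMs away is to remove or narrow his Contributor assignment, which is why deny has to come from Policy or locks.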
A

Create budgets in Azure Cost Management + Billing → Budgets → Create. Configuration: (1) Scope - management group, subscription or resource group; (2) Budget Amount - the spending target; (3) Time Period - monthly, quarterly, or annually; (4) Expiration - when the budget stops evaluating. Alert types: Budget Alerts - trigger when actual cost crosses a percentage of the budget; Forecasted Alerts - trigger when the forecast predicts the budget will be exceeded; Anomaly Alerts - a separate feature that detects unusual spending patterns at subscription scope. Configure notifications: an email recipient list plus Action Groups for automation (Azure Functions, Logic Apps, webhooks). Alerts are evaluated against cost data, which lags actual usage by several hours (typically 8-24 hours), so they are not real-time. Example thresholds: 50% (warning), 80% (urgent), 100% (critical). Important: budgets are informational only - they do NOT stop resources. For enforcement, attach an Action Group that runs automation (for example stopping VMs) or use Azure Policy to constrain what can be deployed. View budgets: Cost Management → Budgets. CLI: az consumption budget create. Microsoft Copilot in Azure can also summarise cost insights.

99% confidence
A

Azure Monitor is the unified observability platform for collecting, analyzing, and acting on telemetry from Azure, on-premises, and multi-cloud environments. Metrics vs Logs: Metrics - numerical time-series data (CPU %, memory usage, request count) collected at 1-minute intervals, stored in time-series database, lightweight (KB), near real-time (<1 min latency), 93-day default retention, ideal for alerting and dashboards, queried via Metrics Explorer, free for platform metrics. Logs - text-based structured events (traces, errors, custom logs) stored in Log Analytics workspace, queried with KQL (Kusto Query Language), detailed contextual information, longer retention (up to 2 years), pay-per-GB ingestion ($2.76/GB in 2025), ideal for troubleshooting, root cause analysis, complex cross-resource queries, compliance auditing. When to use: Metrics for real-time monitoring/alerting; Logs for deep investigation and multi-resource correlation. Integration: Application Insights, Log Analytics, Alerts, Dashboards, Action Groups.

99% confidence
A

DTU (Database Transaction Unit) - a bundled measure of CPU, memory and I/O. Characteristics: simpler pricing, pre-configured bundles, fixed monthly cost, good for small or predictable workloads. Tiers: Basic, Standard (S0-S12) and Premium (P1-P15); prices vary by region, so check the pricing calculator. Pros: simple to understand, no sizing decisions. Cons: less flexibility, no Azure Hybrid Benefit. vCore (Virtual Core) - compute and storage chosen separately. Characteristics: flexible resource selection, granular control, Azure Hybrid Benefit for existing SQL Server licences, and a serverless compute option that auto-scales and auto-pauses when idle. Tiers: General Purpose, Business Critical, Hyperscale; serverless compute is billed per vCore-second used plus storage. When to switch: Microsoft suggests considering vCore above roughly 300 DTUs. Rough conversion: 100 Standard DTUs ≈ 1 General Purpose vCore, 125 Premium DTUs ≈ 1 Business Critical vCore. Microsoft recommends vCore for new deployments because of its flexibility and licensing options.

99% confidence
A

Azure Managed Identities provide Azure services with automatically managed service principals in Microsoft Entra ID (formerly Azure AD) for authenticating to Azure resources without storing credentials in code. Key benefits: no credential management required, credentials never accessible to developers, automatic rotation handled by Azure, eliminates secrets in code repositories and logs. Managed identities use Azure RBAC for permission assignment. Two types available: system-assigned (tied to resource lifecycle) and user-assigned (independent lifecycle). Supported by 100+ Azure services including VMs, App Services, Functions, Container Instances, AKS. Essential for secure, credential-free authentication between Azure resources.

99% confidence
A

System-assigned managed identity is directly tied to a single Azure resource lifecycle. Characteristics: automatically created and deleted with the resource, one-to-one mapping (one identity per resource), cannot be shared across resources, identity deleted when resource is deleted. Use cases: resource-specific authentication, unique permissions per resource, automatic cleanup when resource is removed. Configuration: enable via Azure Portal, CLI (for example az vm create --assign-identity), or ARM templates. RBAC assignment: assign roles directly to the resource's system identity. Best for: individual VMs, App Services, or Functions requiring isolated permissions. Limitation: deleting the resource deletes the identity but not its role assignments; those remain as orphaned entries (shown as "Identity not found" in the portal) until you remove them manually.

99% confidence
A

User-assigned managed identity is a standalone Azure resource with lifecycle independent of compute resources. Characteristics: created separately from resources, can be assigned to multiple resources simultaneously, survives resource deletion, many-to-many mapping possible. Benefits: single identity shared across resources reduces role assignment overhead, separate identity administration from resource creation, fewer distinct identities to manage. Configuration: create the identity resource first (az identity create), then assign it to VMs, App Services, or other resources. RBAC efficiency: if 4 VMs all need the same 2 roles, a shared user-assigned identity needs 2 role assignments versus 8 with per-VM system-assigned identities. Best for: multi-resource scenarios, shared authentication, centralized identity management. Important: manual cleanup required - the identity and its role assignments persist after the resources using it are deleted, and sharing one identity means every resource that holds it gets all of its permissions.

99% confidence
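
The three answers above describe how a workload obtains a token for its managed identity and how the system-assigned and user-assigned cases differ. The following is an added example, not code from the original page or from Microsoft: it builds the token request for the VM Instance Metadata Service (IMDS) and for the App Service identity endpoint, selecting a user-assigned identity via client_id, and then inspects the returned JWT's claims to confirm which identity and audience the token is for. The endpoint URLs, API versions, header names and the appid / xms_mirid claims are the documented ones; the sample token, identity IDs and environment values are constructed for offline testing. Claim inspection here decodes without verifying the signature and is for diagnostics only, not authorization.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Instance Metadata Service endpoint used by VMs and scale sets (link-local, not routable).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
# App Service / Functions expose a per-app endpoint through environment variables instead.
APP_SERVICE_API_VERSION = "2019-08-01"


def imds_token_request(resource, client_id=None):
    """Build (url, headers) for a managed identity token from IMDS.

    resource  - token audience, e.g. https://management.azure.com/
    client_id - client ID of a user-assigned identity; None means the
                VM's system-assigned identity. Makes no network call.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests lacking this header, which blocks naive
    # SSRF-style requests that cannot set custom headers.
    return url, {"Metadata": "true"}


def app_service_token_request(resource, env, client_id=None):
    """Same for App Service / Functions: the platform injects IDENTITY_ENDPOINT
    and IDENTITY_HEADER into the app process; env is a dict like os.environ."""
    params = {"api-version": APP_SERVICE_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = env["IDENTITY_ENDPOINT"] + "?" + urllib.parse.urlencode(params)
    return url, {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}


def fetch_token(url, headers, timeout=5):
    """Perform the request. Only works on Azure compute with an identity attached."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: fine for seeing
    which identity a token belongs to, never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, expected_resource, expected_client_id=None, now=None):
    """Return a list of problems (empty list means the token looks right).

    'appid' is the identity's client ID; 'xms_mirid' carries the ARM resource
    ID of the managed identity (system-assigned: the VM itself, user-assigned:
    the identity resource) and shows which identity actually answered.
    """
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud", "").rstrip("/") != expected_resource.rstrip("/"):
        problems.append("audience %r != %r" % (claims.get("aud"), expected_resource))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if expected_client_id and claims.get("appid") != expected_client_id:
        problems.append("issued to a different identity: appid %r" % claims.get("appid"))
    return problems


def make_sample_token(claims):
    """Constructed, UNSIGNED JWT for offline testing of the inspection code.
    Real managed identity tokens are RS256-signed by Entra ID."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    url, headers = imds_token_request("https://management.azure.com/")
    print("GET", url, headers)
    try:
        token = fetch_token(url, headers)
        print(check_token(token, "https://management.azure.com/"))
    except OSError as e:  # not running on an Azure VM
        print("IMDS unreachable:", e)
```

In production code use the azure-identity library (ManagedIdentityCredential / DefaultAzureCredential) rather than hand-rolled requests; the point of spelling the request out is to show that selecting a user-assigned identity is just a client_id parameter and that the endpoint is reachable by any local process.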
A

Microsoft recommends user-assigned identities for most scenarios due to efficiency benefits. Use system-assigned when: each resource requires unique permissions, identity should be deleted with resource, single-resource authentication needed, automatic cleanup desired. Use user-assigned when: multiple resources need same permissions (reduces role assignments), separating identity management from resource creation, sharing identity across VMs/App Services/Functions, identity should survive resource deletion. Example efficiency: 4 VMs with user-assigned = 2 role assignments vs 8 with system-assigned. Resources can have both types simultaneously for flexibility. Best practice: user-assigned for shared access, system-assigned for resource-specific isolation. Always apply least privilege principle regardless of identity type chosen.

99% confidence
A

Key lifecycle practices for managed identities: (1) Manual cleanup required: user-assigned identities must be manually deleted when no longer needed, even if no resources use them. (2) Role assignment cleanup: role assignments are NOT automatically deleted when identities are deleted (system or user-assigned) - remove them manually, both because an orphaned assignment is a latent grant and because they count against the limit of 4,000 role assignments per subscription. (3) Least privilege: grant minimum required permissions only (e.g., Storage Blob Data Reader instead of Contributor) at the narrowest scope (resource or resource group rather than subscription). (4) Direct role assignment: assign roles directly to managed identities, not through Entra ID groups, for faster permission propagation. (5) Separate identities: use different user-assigned identities for dev centers vs projects for security separation. (6) Regular audits: review inactive (stale) identities, orphaned role assignments, and over-privileged permissions. (7) Propagation delay: allow up to 60 minutes for RBAC changes to take effect.

99% confidence
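
Practices (2), (3) and (6) above amount to a recurring audit of role assignments. The following is an added example, not code from the original page or from Microsoft: it takes role assignments in the shape produced by `az role assignment list --all -o json` (fields trimmed) together with a list of principal object IDs that still exist, and reports orphaned assignments (principal no longer exists), service principals or managed identities holding broad roles at subscription scope or above, per-subscription assignment counts against the 4,000 limit, and the `az role assignment delete --ids` commands to remove the orphans. The sample assignments, IDs and names are constructed; `find_orphaned` relies on a principal inventory you supply rather than on the empty principalName that the CLI typically shows for deleted principals.

```python
import json

# Documented limit of role assignments per subscription.
ROLE_ASSIGNMENT_LIMIT = 4000
# Roles rarely appropriate for a workload identity at subscription scope or above.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator",
               "Role Based Access Control Administrator"}
WIDE_SCOPES = {"root", "managementGroup", "subscription"}


def scope_level(scope):
    """Classify an Azure RBAC scope string."""
    s = scope.strip().rstrip("/").lower()
    if s == "":
        return "root"
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    parts = s.lstrip("/").split("/")
    if parts[0] != "subscriptions":
        return "other"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"


def subscription_of(scope):
    parts = scope.strip().lstrip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None


def find_orphaned(assignments, live_principal_ids):
    """Assignments whose principal no longer exists (e.g. a deleted identity)."""
    live = {p.lower() for p in live_principal_ids}
    return [a for a in assignments if a["principalId"].lower() not in live]


def find_overprivileged(assignments):
    """Service principals (managed identities included) holding broad roles at wide scope."""
    return [a for a in assignments
            if a["principalType"] == "ServicePrincipal"
            and a["roleDefinitionName"] in BROAD_ROLES
            and scope_level(a["scope"]) in WIDE_SCOPES]


def assignment_counts(assignments):
    """Role assignments per subscription, for comparison against ROLE_ASSIGNMENT_LIMIT."""
    counts = {}
    for a in assignments:
        sub = subscription_of(a["scope"])
        if sub:
            counts[sub] = counts.get(sub, 0) + 1
    return counts


def cleanup_commands(orphaned):
    """az commands that remove the orphaned assignments by resource ID."""
    return ["az role assignment delete --ids %s" % a["id"] for a in orphaned]


# Constructed sample in the shape of `az role assignment list --all -o json` (trimmed).
SAMPLE_ASSIGNMENTS = [
    {"id": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp/providers/Microsoft.Authorization/roleAssignments/aaaa",
     "principalId": "11111111-1111-1111-1111-111111111111", "principalName": "mi-app",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp"},
    {"id": "/subscriptions/sub-1/resourceGroups/rg-old/providers/Microsoft.Authorization/roleAssignments/bbbb",
     "principalId": "22222222-2222-2222-2222-222222222222", "principalName": "",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-old"},
    {"id": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/cccc",
     "principalId": "33333333-3333-3333-3333-333333333333", "principalName": "mi-ci",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-1"},
    {"id": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/dddd",
     "principalId": "44444444-4444-4444-4444-444444444444", "principalName": "alice@example.com",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-1"},
]
# Constructed principal inventory (e.g. principalId values from `az identity list` plus
# other live principals); the deleted identity 2222... is deliberately absent.
LIVE_PRINCIPALS = ["11111111-1111-1111-1111-111111111111",
                   "33333333-3333-3333-3333-333333333333",
                   "44444444-4444-4444-4444-444444444444"]


def audit(assignments=SAMPLE_ASSIGNMENTS, live_principal_ids=LIVE_PRINCIPALS):
    orphaned = find_orphaned(assignments, live_principal_ids)
    return {
        "orphaned": [a["id"] for a in orphaned],
        "overprivileged": [a["id"] for a in find_overprivileged(assignments)],
        "counts": assignment_counts(assignments),
        "cleanup": cleanup_commands(orphaned),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Run it against real data by feeding the parsed output of `az role assignment list --all -o json` and a principal inventory built from `az identity list` and your other service principals; review the generated delete commands before executing them.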
A

Azure Load Balancer types: Public (External) - distributes internet traffic to VMs, provides outbound internet connectivity via SNAT, frontend has public IP, use for web applications, APIs exposed to internet. Internal (Private) - distributes traffic within VNet, frontend has private IP, use for internal tier applications (app tier to database tier), microservices communication. Both support: Layer 4 (TCP/UDP) load balancing, high performance (millions of flows), health probes (TCP, HTTP, HTTPS), multiple frontend IPs, session persistence. SKUs: Basic Load Balancer (RETIRED September 30, 2025) - no longer available. Standard Load Balancer (required 2025) - production-grade, supports availability zones, zone redundancy, HTTPS health probes, published SLA 99.99%, secure by default (inbound traffic to backend instances is dropped until a network security group rule explicitly allows it; health probes arrive from 168.63.129.16, covered by the AzureLoadBalancer service tag, so a custom deny-all rule placed before the default AllowAzureLoadBalancerInBound rule will mark every backend unhealthy), pricing $0.025/hour ($18/month) for up to 5 rules + per-GB data processed. Gateway Load Balancer - for Network Virtual Appliances (NVAs), third-party firewalls, deep packet inspection. Use Standard SKU for all production workloads in 2025. Configuration: az network lb create --sku Standard.

99% confidence
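
The Standard SKU's secure-by-default behaviour above means a load balancer only works once the backend's NSG admits both client traffic and health probes, evaluated by priority with the three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) at the end. The following is an added example, not code from the original page or from Microsoft: a small NSG inbound-rule evaluator that checks whether a given rule set lets both a public client and the 168.63.129.16 probe source reach the backend. The three constructed rule sets show an empty NSG (client blocked, probe allowed), a deny-all rule that also kills probes, and the corrected version. Only the service tags *, AzureLoadBalancer, VirtualNetwork and Internet are modelled, and the rule dictionaries are a simplified shape, not the ARM schema.

```python
import ipaddress

# Source of Azure Load Balancer health probes; matched by the AzureLoadBalancer service tag.
LB_PROBE_SOURCE = ipaddress.ip_address("168.63.129.16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The three inbound rules every NSG carries; custom rules use priority < 65000 to override them.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*", "source": "VirtualNetwork", "dest_port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*", "source": "AzureLoadBalancer", "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*", "source": "*", "dest_port": "*"},
]


def port_matches(spec, port):
    """NSG destination port spec: '*', '443', '80-443' or a comma-separated list of those."""
    for item in spec.split(","):
        item = item.strip()
        if item == "*":
            return True
        if "-" in item:
            lo, hi = item.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(item) == port:
            return True
    return False


def source_matches(spec, src, vnet_prefixes):
    """Service tags modelled: *, AzureLoadBalancer, VirtualNetwork, Internet; otherwise CIDR/IP."""
    if spec == "*":
        return True
    if spec == "AzureLoadBalancer":
        return src == LB_PROBE_SOURCE
    in_vnet = any(src in p for p in vnet_prefixes)
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet and src != LB_PROBE_SOURCE and not any(src in n for n in RFC1918)
    return src in ipaddress.ip_network(spec, strict=False)


def protocol_matches(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


def evaluate_inbound(custom_rules, src_ip, dst_port, proto, vnet_prefixes):
    """First matching rule by ascending priority wins; returns (access, rule name)."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(custom_rules + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"]):
        if (protocol_matches(r["protocol"], proto) and port_matches(r["dest_port"], dst_port)
                and source_matches(r["source"], src, vnet_prefixes)):
            return r["access"], r["name"]
    return "Deny", "implicit"


def lb_backend_check(custom_rules, frontend_port, probe_port, proto="Tcp",
                     vnet_prefixes=(), client_ip="203.0.113.10"):
    """Does the backend NSG admit both client traffic and health probes?"""
    vnet = [ipaddress.ip_network(p) for p in vnet_prefixes]
    probe = evaluate_inbound(custom_rules, str(LB_PROBE_SOURCE), probe_port, proto, vnet)
    client = evaluate_inbound(custom_rules, client_ip, frontend_port, proto, vnet)
    return {"probe_allowed": probe[0] == "Allow", "probe_rule": probe[1],
            "client_allowed": client[0] == "Allow", "client_rule": client[1]}


# Constructed rule sets for a public Standard LB on TCP 443 with a TCP 443 probe.
NO_CUSTOM_RULES = []
BROKEN_RULES = [
    {"name": "allow-https-internet", "priority": 100, "access": "Allow", "protocol": "Tcp", "source": "Internet", "dest_port": "443"},
    {"name": "deny-everything-else", "priority": 200, "access": "Deny", "protocol": "*", "source": "*", "dest_port": "*"},
]
FIXED_RULES = BROKEN_RULES[:1] + [
    {"name": "allow-lb-probes", "priority": 110, "access": "Allow", "protocol": "Tcp", "source": "AzureLoadBalancer", "dest_port": "443"},
] + BROKEN_RULES[1:]


if __name__ == "__main__":
    for label, rules in (("empty NSG", NO_CUSTOM_RULES), ("deny-all", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, lb_backend_check(rules, 443, 443, vnet_prefixes=["10.0.0.0/16"]))
```

The deny-all case is the one that bites in practice: the explicit deny at priority 200 sits ahead of the default AllowAzureLoadBalancerInBound rule at 65001, so the probes never reach the backend and the load balancer reports every instance down even though client traffic on 443 is allowed.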