Azure Complete Reference Guide

PART 1: COMPUTE SERVICES

1.1 Azure Virtual Machines (VMs)

Overview

Azure VMs provide on-demand, scalable compute resources. You choose the OS (Windows/Linux), size, and configuration. You manage everything above the hypervisor; Azure manages the physical hardware.

VM Families

Family	Use Case	Examples
B-series	Burstable, low-cost dev/test	B1s, B2s, B2ms
D-series	General purpose, balanced CPU/memory	D2s_v5, D4s_v5
E-series	Memory-optimized	E2s_v5, E4s_v5
F-series	Compute-optimized (high CPU)	F2s_v2, F4s_v2
N-series	GPU-enabled (AI/ML, rendering)	NC6s_v3, ND40rs_v2
H-series	High-performance computing (HPC)	HB120rs_v2
Ls-series	Storage-optimized (NoSQL, data warehousing)	L8s_v3
M-series	Memory-intensive (SAP HANA, large DBs)	M128s, M416ms_v2
NP-series	FPGA workloads	NP10s

VM Sizing Naming Convention

Format: [Family][vCPUs][Sub-family][Feature][Version]

Example: D4s_v5 = D-family, 4 vCPUs, s=Premium SSD support, v5=5th generation

Storage Options for VMs

Premium SSD v2 — Configurable IOPS/throughput, cost-optimized
Premium SSD — Production workloads, low latency
Standard SSD — Web servers, light workloads
Standard HDD — Backups, non-critical
Ultra Disk — Sub-millisecond latency, configurable IOPS (SAP HANA, tier-1 DBs)

Availability

Availability Sets — Fault domains (FD) + Update domains (UD) within a datacenter. Min 2 FDs, up to 20 UDs. Protects against hardware failure and planned maintenance.
Availability Zones — Physically separate datacenters within a region. 3 zones per region. VMs in different zones = 99.99% SLA.
Proximity Placement Groups — Co-locate VMs for low latency

Key Concepts

VMSS (VM Scale Sets) — Auto-scaling groups of identical VMs. Supports autoscale rules, custom images.
Spot VMs — Up to 90% discount. Can be evicted with 30s notice. Good for batch, dev/test, stateless workloads.
Reserved Instances — 1-year or 3-year commitment. Up to 72% savings. Can be exchanged/cancelled.
Azure Dedicated Host — Single-tenant physical server. For licensing (e.g., SQL Server BYOL) and compliance.

Interview Q&A

Q: When would you use Availability Set vs Availability Zone? A: Availability Sets protect within a single datacenter (FD/UD). Availability Zones spread across physical datacenters in a region. Zones give higher SLA (99.99% vs 99.95%) but cost more and not all regions support them. Use Zones for mission-critical workloads.

Q: How do you optimize VM costs? A: Reserved Instances for predictable workloads, Spot VMs for fault-tolerant workloads, right-sizing via Azure Advisor, auto-shutdown for dev/test, use B-series for burstable workloads.

1.2 Azure App Service

Overview

Fully managed PaaS for building and hosting web apps, mobile backends, REST APIs, and containerized workloads. Zero infrastructure management — focus on code.

App Service Types

Type	Purpose
Web App	Web applications (.NET, Node.js, Python, Java, PHP, Ruby)
Web App for Containers	Run custom Linux containers
API App	REST API hosting with Swagger support
Mobile App	Mobile backend with offline sync, auth

App Service Plans (Tiers)

Tier	Use Case	Key Feature
Free (F1)	Dev/test	60 min/day, shared infrastructure
Shared (D1)	Dev/test	Custom domain, no SSL
Basic (B1-B3)	Small production	Dedicated compute, SSL, auto-scale
Standard (S1-S3)	Production	Auto-scale, traffic manager, slots
Premium (P1v3-P3v3)	High-scale production	VNet integration, more memory
Isolated (I1-I3)	Enterprise/compliance	App Service Environment (ASE), max isolation
Isolated v2 (I1v2-I6v2)	Largest workloads	ASE v3, more cores

Key Features

Deployment Slots — Staging environments. Swap slots for zero-downtime deployment. Up to 1 (Standard), 5 (Premium), unlimited (Isolated).
Auto-scaling — Scale up (bigger tier) vs Scale out (more instances). Rules based on CPU, memory, queue length, schedule.
Custom Domains & SSL — Bind custom domains, free managed certificates, bring your own SSL.
VNet Integration — Connect App Service to your VNet for accessing on-prem/private resources. Regional VNet integration (outbound) + VNet-injected ASE (inbound+outbound).
Authentication — Built-in auth with Entra ID, Google, Facebook, Twitter, Microsoft Account.
CI/CD — Deploy from GitHub, Azure DevOps, Bitbucket, local Git.
Backups — Scheduled backups to storage account (Standard+).
Private Endpoints — Access App Service via private IP. Inbound private endpoint.

App Service Environment (ASE)

Runs in your own VNet (fully isolated)
Single-tenant App Service
For compliance (PCI, HIPAA), high scale, internal-only apps
ASE v3 is simpler and cheaper than v2
Internal ILB ASE = no public endpoint; External ASE = public endpoint

Interview Q&A

Q: What’s the difference between Scale Up and Scale Out? A: Scale Up = increase compute resources (e.g., S1 → S3, more CPU/RAM). Scale Out = add more instances (e.g., 2 → 5 instances). Scale Up has downtime; Scale Out doesn’t.

Q: When to use App Service vs AKS? A: App Service for simple web apps/APIs with standard frameworks — faster to deploy, less management. AKS when you need microservices architecture, container orchestration, custom networking, or workloads that don’t fit App Service constraints.

Q: How do deployment slots work? A: Create a staging slot, deploy new version there, test it, then swap with production. Swap is near-instant. You can also route % traffic (canary). Rollback by swapping back.

1.3 Azure Kubernetes Service (AKS)

Overview

Managed Kubernetes. Azure manages the control plane (free). You manage the agent nodes (pay for VMs).

Key Features

Cluster Autoscaler — Automatically adds/removes nodes based on pod scheduling needs.
KEDA — Scale pods based on external events (queue length, etc.).
Virtual Nodes — Serverless burst using ACI.
Azure CNI — Each pod gets an IP from VNet.
Kubenet — Pods use NAT. Simpler but less network control.
Private Cluster — API server has no public IP.
Entra ID Integration — Use Entra ID for K8s RBAC.
Azure Policy for AKS — Enforce policies on K8s resources.
Secret Store CSI Driver — Mount Key Vault secrets as volumes in pods.
AGIC — Use App Gateway as K8s ingress.
Workload Identity — Use managed identities for pods.

Networking Models

Model	How It Works	When to Use
Kubenet	Pods get internal IPs, use NAT for outbound	Simple workloads, IP-constrained VNets
Azure CNI	Each pod gets a VNet IP	Enterprise, pod IP visibility needed
Azure CNI Overlay	Pods get overlay IPs, nodes get VNet IPs	Scale without IP exhaustion
Cilium	eBPF-based networking + network policy	Advanced networking, better performance

Interview Q&A

Q: How does AKS cluster autoscaler work? A: When pods can’t be scheduled, the autoscaler adds nodes. When nodes are underutilized, it removes them. Configured per node pool with min/max counts.

Q: How do you secure secrets in AKS? A: Use Azure Key Vault with Secret Store CSI Driver — secrets mounted as volumes, not stored in etcd. Use Workload Identity for pod-to-Azure-service auth.

1.4 Azure Functions

Overview

Serverless compute. Write code that runs on events. Pay only for execution time.

Hosting Plans

Plan	Scaling	Duration Limit	Cold Start	Use Case
Consumption	Automatic	10 min (default 5)	Yes	Event-driven, unpredictable load
Premium	Automatic (pre-warmed)	Unlimited	Minimal	No cold start, VNet, long runs
App Service (Dedicated)	Manual/Auto-scale	Unlimited	No	Full control, existing plan
Flex Consumption	Automatic, per-function	60 min	Low	Fast scaling, per-function config

Triggers & Bindings

Triggers — What starts the function: HTTP, Timer, Blob, Queue, Service Bus, Event Grid, Event Hubs, Cosmos DB, SignalR, Durable
Bindings — Declarative connection to data/services (input/output). No SDK code needed.

Durable Functions

Stateful orchestration patterns: - Function Chaining — Sequential steps - Fan-out/Fan-in — Parallel execution then aggregate - Async HTTP API — Long-running operations with polling - Monitor — Recurring checks - Human Interaction — Wait for external approval

Interview Q&A

Q: When to use Functions vs Logic Apps? A: Functions = code-first, complex logic, performance-sensitive. Logic Apps = designer-first, no-code, integration with 200+ connectors.

1.5 Azure Container Apps

Overview

Serverless container platform built on K8s + Envoy + KEDA. No cluster management.

Key Features

Built-in KEDA scaling (scale to zero)
Revision management with traffic splitting (blue/green, canary)
Built-in ingress (HTTP/TCP)
Dapr integration for microservices
Service discovery within environment

Container Apps vs AKS vs App Service

Feature	Container Apps	AKS	App Service
Management	Fully serverless	Manage nodes	Fully managed
K8s features	Subset	Full K8s	None
Scaling	KEDA (scale to zero)	Cluster autoscaler + KEDA	Auto-scale (min 1)
Best for	Microservices, event-driven	Complex K8s workloads	Web apps, APIs

1.6 Azure Container Instances (ACI)

Overview

Fastest way to run a container. No VMs, no orchestration.

Key Features

Fast startup (seconds)
Container groups (multiple containers sharing network/lifecycle — like a pod)
VNet integration, GPU support, persistent storage via Azure Files

Use Cases

Quick batch jobs, CI/CD agents
Testing containers before AKS deployment
Burst capacity for AKS (virtual nodes)

1.7 Azure Static Web Apps

Overview

Full-stack static app hosting + serverless APIs. Built-in CI/CD from GitHub/Azure DevOps.

Free tier available
Auto-deploy from GitHub Actions
Built-in Azure Functions for API
Free SSL, custom domains, built-in auth
Preview environments per PR

1.8 Azure Spring Apps

Overview

Managed Spring Boot microservice platform.

Run Spring Boot without managing K8s
Built-in service discovery, config server
Blue/green deployments, VNet integration, auto-scaling

PART 2: NETWORKING SERVICES

2.1 Azure Virtual Network (VNet)

Overview

Your private network in Azure. Fundamental building block — all IaaS/PaaS resources connect here.

Key Concepts

Address Space — CIDR blocks (e.g., 10.0.0.0/16). Up to 65,536 IPs per VNet.
Subnets — Segments within VNet. Smallest /29 (3 usable IPs).
NSGs — L3/L4 firewall on subnet or NIC. Priority 100-4096 (lower = higher priority).
ASGs — Logical grouping of VMs for simpler NSG rules.
Route Tables (UDR) — Custom routing. Next hop: Virtual Appliance, VNet Gateway, Internet, None.
Service Endpoints — Extend VNet identity to PaaS services. Traffic stays on Azure backbone.
Private Endpoints — Private IP in your VNet for PaaS services. No public internet.

VNet Peering

Connect VNets (same region or cross-region)
Traffic stays on Microsoft backbone
NOT transitive — If A↔︎B and B↔︎C, A cannot reach C
Gateway Transit — Peered VNet can use your VPN/ExpressRoute gateway
Charge for ingress/egress across peering

Interview Q&A

Q: Is VNet peering transitive? A: No. Hub-spoke uses hub VNet peered with each spoke. Spokes don’t communicate directly. Use Azure Firewall/NVA in hub for spoke-to-spoke.

Q: Service Endpoint vs Private Endpoint? A: Service Endpoint = VNet identity extends to service, service still has public endpoint. Private Endpoint = private IP in VNet, no public endpoint. Private Endpoint preferred for zero-trust.

2.2 Azure Load Balancer

Overview

L4 (TCP/UDP) load balancer. High-performance, low-latency.

SKUs

Feature	Basic	Standard
Backend pool	Availability Set only	Any VM, IP, cross-VNet
HA Ports	No	Yes (internal LB)
Availability Zones	No	Zone-redundant/zonal
SLA	None	99.99%

Types

Public Load Balancer — Distributes inbound internet traffic
Internal Load Balancer — Distributes traffic within VNet

Key Concepts

Frontend IP — Public or private IP receiving traffic
Backend Pool — VMs/NICs/IPs receiving traffic
Health Probes — HTTP/TCP probes. Unhealthy = removed from rotation
Load Balancing Rules — Map frontend IP:port → backend pool:port
NAT Rules — Port forwarding (RDP/SSH)
HA Ports — Load balance all ports (internal LB, Standard only). For NVAs.
Outbound Rules — Control SNAT for outbound internet

Interview Q&A

Q: Load Balancer vs Application Gateway? A: LB = L4, any protocol, max performance. App Gateway = L7 (HTTP/HTTPS), WAF, SSL termination, URL routing. Use LB for non-HTTP; App Gateway for web apps.

2.3 Azure Application Gateway

Overview

L7 (HTTP/HTTPS) load balancer with WAF.

Key Features

URL-based routing, multi-site hosting
SSL Termination, Session Affinity (cookie-based)
WAF — OWASP Top 10 protection (CRS 3.2+)
Connection Draining, Header Rewrites
Autoscaling (v2 SKU)

SKUs

SKU	Scaling	WAF	Zone Redundancy
Standard v1	Manual	No	No
WAF v1	Manual	Yes	No
Standard v2	Auto	No	Yes
WAF v2	Auto	Yes	Yes

Interview Q&A

Q: App Gateway vs Front Door? A: App Gateway = regional L7 LB. Front Door = global L7 LB with anycast. Use App Gateway for regional; Front Door for global/multi-region. Many use Front Door → App Gateway (global + regional WAF).

Q: App Gateway to App Service? A: Yes, but set “Pick host name from backend target” in HTTP settings.

2.4 Azure Front Door

Overview

Global L7 load balancer and CDN. Anycast-based routing across regions.

Key Features

Global routing to nearest backend
SSL Termination at edge, WAF at edge
URL-based routing, Session Affinity
Caching, Health Probes
Traffic acceleration (anycast + split TCP + Microsoft backbone)

Front Door vs Traffic Manager

Feature	Front Door	Traffic Manager
Layer	L7 (HTTP/HTTPS)	DNS-based
Failover speed	Seconds	Minutes (DNS TTL)
Caching/WAF/SSL	Yes	No

2.5 Azure VPN Gateway

Overview

Encrypted traffic between VNet and on-prem over public internet.

Types

Policy-based — Legacy, low bandwidth (~100 Mbps)
Route-based — Modern, up to 10 Gbps, BGP support

Connection Types

Site-to-Site (S2S) — On-prem network to VNet (IPsec/IKE)
Point-to-Site (P2S) — Individual client (IKEv2, SSTP, OpenVPN)
VNet-to-VNet — Connect VNets via IPsec

Key Concepts

GatewaySubnet — Must be named exactly “GatewaySubnet”. Min /29.
Local Network Gateway — Represents on-prem VPN device
BGP — Dynamic routing on route-based gateways
Active-Active — Two gateway instances for higher throughput/redundancy

Interview Q&A

Q: VPN Gateway vs ExpressRoute? A: VPN = internet, encrypted, up to 10 Gbps, quick setup, cheap. ExpressRoute = private, up to 100 Gbps, consistent latency, expensive, weeks to provision.

2.6 Azure ExpressRoute

Overview

Private, dedicated connection to Azure. Not over public internet.

Peering Types

Azure Private Peering — Access Azure VNets
Microsoft Peering — Access Microsoft public services (M365, etc.)

Key Features

Bandwidth: 50 Mbps to 100 Gbps
Two connections per circuit (primary + secondary) for redundancy
ExpressRoute Global Reach — Connect on-prem locations via Microsoft backbone
ExpressRoute Direct — 100 Gbps, dual ports at peering location
Standard = regions in geopolitical area; Premium = all global regions

Interview Q&A

Q: How to achieve ExpressRoute redundancy? A: Each circuit has 2 connections. For full redundancy, use 2 circuits at different peering locations. VPN Gateway can serve as failover.

2.7 Azure Firewall

Overview

Cloud-native, managed, stateful firewall. L3-L7 filtering.

SKUs

Feature	Standard	Premium
Network/Application rules	Yes	Yes
DNAT	Yes	Yes
TLS Inspection	No	Yes
IDPS	No	Yes
URL filtering / Web categories	No	Yes

Key Features

Network Rules — L3/L4 (IP, port, protocol)
Application Rules — L7 (FQDN filtering)
NAT Rules — DNAT for inbound access
Threat Intelligence — Block known malicious IPs
DNS Proxy — Forward DNS queries, enable FQDN in network rules
Azure Firewall Manager — Central policy across multiple firewalls

Deployment

Dedicated “AzureFirewallSubnet” (min /26)
Hub-spoke: Firewall in hub, UDR on spokes routes through it
Force traffic: UDR 0.0.0.0/0 → Firewall private IP

2.8 Azure DNS

Overview

DNS hosting. 100% SLA. Ultra-fast resolution.

Azure DNS Zones — Host DNS records for your domain
Private DNS Zones — Internal DNS. Link to VNets. Auto-registration for VMs.
Alias Records — Point to Azure resources. Auto-updates when IP changes.
Record types: A, AAAA, CNAME, MX, NS, PTR, SOA, SRV, TXT

2.9 Azure Private Link & Private Endpoint

Overview

Access PaaS services over private IP in your VNet. Zero public internet exposure.

Private Endpoint

Network interface with private IP in VNet
Maps to Azure resource (Storage, SQL, Cosmos DB, Key Vault, App Service, etc.)
100+ services supported
Works across tenants

Private Link Service

Expose your own service (behind Standard LB) via Private Link
Consumers access via private endpoints in their VNets
For SaaS providers offering private connectivity

Interview Q&A

Q: Private Endpoint vs Service Endpoint? A: Service Endpoint = traffic on Azure backbone but service has public endpoint. Private Endpoint = private IP, no public endpoint. Private Endpoint is zero-trust choice.

2.10 Network Security Groups (NSGs)

Overview

L3/L4 firewall on subnet or NIC.

Rule Properties

Priority: 100-4096 (lower = higher priority)
Direction: Inbound/Outbound
Source/Destination: IP, CIDR, Service Tag, ASG
Protocol: TCP, UDP, ICMP, Any
Action: Allow or Deny

Default Rules

Allow VNet inbound/outbound
Allow Azure Load Balancer inbound
Deny all other inbound
Allow all outbound

Service Tags

VirtualNetwork, AzureLoadBalancer, Internet, Storage, Sql, AppService, AzureCloud

Flow Logs

Log all traffic to Storage Account. Feed into Traffic Analytics for visualization.

Interview Q&A

Q: NSG on both subnet and NIC — evaluation order? A: Inbound: Subnet first, then NIC. Outbound: NIC first, then Subnet. Both must allow; either deny = blocked.

2.11 Azure Traffic Manager

Overview

DNS-based global traffic routing.

Routing Methods

Method	How It Works
Priority	Primary then failover
Weighted	Distribute by weight (e.g., 80/20)
Performance	Route to closest (lowest latency)
Geographic	Route by user location
Subnet	Route specific IP ranges to specific endpoints
Multi-value	Return multiple endpoints

Limitation

DNS-based = failover depends on DNS TTL (not instant). For HTTP, prefer Front Door.

2.12 Azure Virtual WAN

Overview

Unified global networking for branch connectivity.

Hub — Microsoft-managed VNet with gateways
Spokes — VNets connected to hub
Branches — On-prem via VPN/ExpressRoute
Inter-hub routing, integrated Azure Firewall, SD-WAN partner integration

2.13 Azure Bastion

Overview

Managed RDP/SSH access to VMs without public IPs. Deploys in AzureBastionSubnet.

No public IP on VMs needed
RDP/SSH over TLS in browser
No agent on VMs
Standard and Premium SKUs

2.14 Azure CDN

Overview

Content delivery network. Cache content at edge locations worldwide.

Providers: Microsoft, Akamai, Verizon
Static content caching, dynamic site acceleration
Custom domains, SSL
Integration with Storage, App Service, Cloud Services

2.15 NAT Gateway

Overview

Outbound NAT for SNAT. Fixed public IP(s) for outbound connections from VNet.

Predictable public IP for outbound
Up to 50 Gbps throughput
No SNAT port exhaustion issues (unlike Load Balancer outbound)
Associate with subnet

2.16 Network Watcher

Overview

Network monitoring and diagnostics.

IP Flow Verify — Check if traffic allowed/denied by NSG
Next Hop — Determine next hop for a packet
NSG Flow Logs — Log traffic to Storage Account
Connection Troubleshoot — Test connectivity between endpoints
Packet Capture — Capture VM network traffic
Topology — Visualize network topology
Traffic Analytics — Analyze NSG flow logs

PART 3: STORAGE SERVICES

3.1 Azure Blob Storage

Overview

Object storage for unstructured data. Up to 190 TB per storage account.

Redundancy Options

Type	What It Does	Use Case
LRS	3 copies in one DC	Cheapest, non-critical
ZRS	3 zones in one region	HA within region
GRS	LRS + async copy to paired region	DR
GZRS	ZRS + async copy to paired region	Best HA + DR
RA-GRS / RA-GZRS	Read-access to secondary	Read during outage

Access Tiers

Tier	Storage Cost	Access Cost	Min Duration
Hot	Highest	Lowest	None
Cool	Lower	Higher	30 days
Cold	Even lower	Even higher	90 days
Archive	Lowest	Highest	180 days (rehydration takes hours)

Blob Types

Block Blobs — Most common. Text/binary. Up to 190.7 TB.
Append Blobs — Optimized for append (logs).
Page Blobs — Random R/W. Used by VM disks (VHDs). Up to 8 TB.

Security

Encryption — AES-256 at rest (default). Microsoft-managed or customer-managed keys (Key Vault).
SAS (Shared Access Signatures) — Time-limited access. Types: Service SAS, Account SAS, User Delegation SAS (Entra ID-backed, most secure).
Immutable Storage — WORM (Write Once, Read Many). Legal hold, time-based retention.
Soft Delete — Recover deleted blobs within retention period (7-365 days).
Versioning — Automatically save previous versions on overwrite.
Access Keys — Two keys for rotation. Full access to storage account. Avoid in production — use Entra ID or SAS.

Lifecycle Management

Automatically move blobs between tiers or delete them based on rules (e.g., move to Cool after 30 days, Archive after 90, delete after 365).

Interview Q&A

Q: When to use Hot vs Cool vs Archive? A: Hot = frequently accessed. Cool = infrequently accessed, stored ≥30 days. Archive = rarely accessed, stored ≥180 days. Rehydration from Archive takes hours. Use lifecycle policies to auto-tier.

Q: LRS vs ZRS vs GRS — when to use which? A: LRS = cheapest, single DC, non-critical data. ZRS = HA within region (survives DC failure). GRS = DR across regions (async, some data loss possible). GZRS = best: zone HA + geo DR.

3.2 Azure Files

Overview

Managed file shares in the cloud. Accessible via SMB and NFS.

Tiers

Premium — SSD-backed, high IOPS. For databases, high-performance workloads.
Transaction Optimized — Balanced. For general purpose.
Hot — Standard, frequently accessed.
Cool — Standard, infrequently accessed.

Key Features

SMB File Shares — Windows-compatible. AD integration for ACLs.
NFS File Shares — Linux-compatible. Premium tier only.
Azure File Sync — Sync on-prem Windows Server with Azure Files. Cloud tiering (cache hot files locally, cold files in cloud).
Snapshots — Point-in-time read-only snapshots.
Soft Delete — Recover deleted shares.

Interview Q&A

Q: When to use Azure Files vs Blob Storage? A: Azure Files = need SMB/NFS file share, shared access, existing app expects file system. Blob = object storage, massive scale, cheapest for archival, no file locking needed.

Q: What is Azure File Sync? A: Syncs on-prem Windows Server with Azure Files. Cloud tiering keeps frequently accessed files on-prem, cold files in Azure only. Replaces traditional file server backup.

3.3 Azure Managed Disks

Overview

Persistent block storage for VMs. Managed by Azure (no storage account management).

Disk Types

Type	IOPS	Throughput	Use Case
Ultra Disk	Up to 160,000	Up to 2,000 MB/s	Mission-critical, SAP HANA, tier-1 DBs
Premium SSD v2	Up to 80,000	Up to 1,200 MB/s	Production, configurable IOPS/throughput
Premium SSD	Up to 20,000	Up to 900 MB/s	Production workloads
Standard SSD	Up to 6,000	Up to 300 MB/s	Web servers, light workloads
Standard HDD	Up to 2,000	Up to 500 MB/s	Backups, non-critical

Key Features

Availability Zones — ZRS disks survive zone failure (Standard SSD, Premium SSD, Premium SSD v2)
Snapshots — Point-in-time read-only copy. Stored incrementally.
Encryption — SSE with PMK or CMK. Azure Disk Encryption (BitLocker/DM-Crypt) for OS-level encryption.
Shared Disks — Multi-VM shared access (SMB/CIFS). For clustered databases.

3.4 Azure Data Lake Storage (ADLS Gen2)

Overview

Enterprise data lake built on Blob Storage. Hadoop-compatible. Hierarchical namespace (folders).

Key Features

Built on Blob Storage (uses same infrastructure)
Hierarchical Namespace — True directories (vs flat namespace in Blob). Faster rename/directory operations.
POSIX ACLs — Fine-grained access control at file/folder level
Compatible with HDFS (Hadoop, Spark, Databricks)
Supports all Blob Storage tiers (Hot, Cool, Cold, Archive)
Lifecycle management same as Blob

ADLS Gen2 vs Blob Storage

Feature	Blob Storage	ADLS Gen2
Namespace	Flat (simulate folders)	Hierarchical (real folders)
Access control	RBAC, SAS	RBAC, SAS, POSIX ACLs
Hadoop compatible	No	Yes
Performance (rename/dir)	Slower	Faster
Use case	General object storage	Big data / analytics

Interview Q&A

Q: When to use ADLS Gen2 vs Blob Storage? A: ADLS Gen2 when doing big data/analytics (Databricks, Synapse, HDInsight) — needs hierarchical namespace, POSIX ACLs, HDFS compatibility. Blob Storage for general-purpose object storage, web content, backups.

3.5 Azure Table Storage

Overview

NoSQL key-value store. Schemaless. Very cheap. Part of Storage Account.

Partition key + Row key = unique identifier
Up to 1 TB per table
Cheap, simple, massive scale
For simple lookups by key — no complex queries
Often superseded by Cosmos DB Table API (more features, same API)

3.6 Azure Queue Storage

Overview

Message queue for asynchronous communication between components.

Messages up to 64 KB
Millions of messages, pay per use
At-least-once delivery
Often compared to Service Bus Queue — Queue Storage is simpler, cheaper; Service Bus has more features (sessions, dead-letter, transactions, FIFO)

3.7 Azure NetApp Files

Overview

Enterprise-grade NFS/SMB file shares powered by NetApp.

Premium, Ultra, Standard service levels
For SAP HANA, HPC, enterprise file shares
Snapshots, cloning, cross-region replication
More expensive than Azure Files, but enterprise features

3.8 Azure Data Box

Overview

Physical device for offline data transfer to Azure. For TB-PB scale.

Data Box — 80 TB, ruggedized
Data Box Disk — 8 TB SSD, up to 5 disks
Data Box Heavy — 800 TB
For when network transfer is too slow or expensive
Microsoft ships device → you copy data → ship back → data uploaded to Azure

3.9 Azure Elastic SAN

Overview

SAN-like storage for workloads needing high IOPS and throughput.

Simplifies SAN deployment at scale
For enterprise applications needing shared block storage

PART 4: DATABASE SERVICES

4.1 Azure SQL Database

Overview

Fully managed SQL Server database. PaaS. Auto-backup, patching, HA built in.

Deployment Options

Option	Description	Use Case
Single Database	One database with dedicated resources	Single app database
Elastic Pool	Shared resources across multiple databases	Multi-tenant SaaS, variable workloads
Managed Instance	Near-100% SQL Server compatibility	Lift-and-shift migration

Purchasing Models

DTU Model — Simple, bundled compute+storage. Basic, Standard, Premium tiers.
vCore Model — Choose compute (Gen5, M-series, DC-series) + storage separately. General Purpose, Business Critical, Hyperscale.

Service Tiers (vCore)

Tier	HA	Storage	Use Case
General Purpose	Readable replica	Up to 4 TB	Most business workloads
Business Critical	3 replicas + readable secondaries	Up to 4 TB	Low latency, high IOPS
Hyperscale	Up to 4 readable replicas	Up to 100 TB	Very large databases

Key Features

Automatic Backups — 7-35 days retention. PITR (Point-In-Time Restore).
Long-Term Retention (LTR) — Up to 10 years for compliance.
Geo-Replication — Active geo-replication (async, readable secondaries in other regions).
Auto-Failover Groups — Automatic failover to secondary region. Decouples app from DB endpoint.
Read Scale-Out — Route read-only queries to readable replica (Business Critical, Hyperscale).
Transparent Data Encryption (TDE) — Encrypt data at rest. Enabled by default.
Always Encrypted — Encrypt columns client-side. DB never sees plaintext.
Dynamic Data Masking — Mask sensitive data in query results (e.g., SSN: XXX-XX-1234).
Row-Level Security (RLS) — Filter rows based on user context.
Auditing — Track database events to Storage Account / Log Analytics.
Microsoft Defender for SQL — Vulnerability assessment, threat detection.
Ledger — Immutable, cryptographically verified records (blockchain-like).

Interview Q&A

Q: Single Database vs Elastic Pool vs Managed Instance? A: Single DB = isolated, predictable workloads. Elastic Pool = shared eDTU/vCore across databases with variable peaks (cost-effective). Managed Instance = near-full SQL Server compatibility for migration, instance-scoped features (SQL Agent, cross-DB queries).

Q: Active Geo-Replication vs Failover Groups? A: Active Geo-Replication = up to 4 readable secondaries, manual failover. Failover Groups = automatic failover, group of databases, transparent connection string (listener endpoint). Use Failover Groups for production DR.

4.2 Azure SQL Managed Instance

Overview

Near-100% SQL Server compatibility. Lift-and-shift with minimal changes.

Key Differences from Azure SQL Database

Instance-scoped features: SQL Agent, cross-database queries, Service Broker
Native VNet integration (no public endpoint needed)
SQL Server Agent for jobs
Database Mail
Common language runtime (CLR)
More like on-prem SQL Server in the cloud

Instance Pools

Pack multiple managed instances into shared compute
Cost-effective for small instances

4.3 Azure Database for PostgreSQL

Overview

Managed PostgreSQL. Two deployment options:

Option	Description
Flexible Server	Recommended. Custom maintenance window, burstable compute, stop/start, zone-redundant HA
Single Server	Legacy (being retired). Simpler but less flexible

Key Features (Flexible Server)

Burstable, General Purpose, Memory Optimized tiers
Zone-redundant HA (automatic failover)
Read replicas (async)
Logical replication
PgBouncer built-in (connection pooling)
Stop/start to save costs
VNet integration (private access)

4.4 Azure Database for MySQL

Overview

Managed MySQL. Flexible Server (recommended) is the current deployment option.

Similar features to PostgreSQL Flexible Server
Burstable, General Purpose, Memory Optimized
Zone-redundant HA, read replicas, stop/start
VNet integration

4.5 Azure Cosmos DB

Overview

Globally distributed, multi-model NoSQL database. 99.999% SLA. Turnkey global distribution.

APIs (Choose Based on Your Workload)

API	Compatible With	Best For
NoSQL (SQL)	Native Cosmos DB API	New applications, document store
MongoDB	MongoDB wire protocol	Migrating from MongoDB
Cassandra	Cassandra wire protocol	Migrating from Cassandra
Gremlin	Apache TinkerPop/Gremlin	Graph database (social networks, relationships)
Table	Azure Table Storage API	Simple key-value, migrating from Table Storage

Consistency Levels (5 levels — unique to Cosmos DB)

Level	Behavior	Use Case
Strong	Linearizable. Read always returns latest write.	Financial transactions, critical data
Bounded Staleness	Reads lag behind writes by K versions or T time	Gaming, ticketing
Session	Consistent within a session. Read-your-own-writes.	Default. Most applications.
Consistent Prefix	Reads see writes in order, but may be behind	Scenarios where order matters
Eventual	No ordering guarantee. Eventually consistent.	Lowest latency, highest availability

Key Features

Global Distribution — Replicate to any Azure region with one click. Multi-region writes.
Partition Key — Critical design choice. Determines data distribution and scalability. Choose high-cardinality, evenly distributed key.
Request Units (RU/s) — Cost metric. 1 RU ≈ 1 read of 1 KB item. Provisioned (manual/autoscale) or serverless.
Change Feed — Event stream of changes (inserts, updates). For real-time processing, ETL, triggers.
Stored Procedures — JavaScript-based, run server-side within a partition.
TTL (Time-to-Live) — Auto-expire documents after N seconds.
Serverless — Pay per request. For intermittent workloads.
Free Tier — 400 RU/s + 5 GB free for lifetime.

Interview Q&A

Q: How do you choose a partition key? A: High cardinality, even distribution, aligned with query patterns. Bad partition key = hot partition (uneven RU consumption). The partition key determines which logical partition data goes to. You cannot change partition key after creation.

Q: Explain Cosmos DB consistency levels? A: 5 levels from Strong (most consistent, highest latency) to Eventual (least consistent, lowest latency). Most apps use Session (default) — read-your-own-writes within a session. Consistency is per-request — you can use different levels for different operations.

Q: What are RUs? A: Request Units — unified cost metric. 1 RU = 1 read of 1 KB item by ID. Writes cost more RUs. Provisioned throughput (manual or autoscale) or serverless (pay per request).

4.6 Azure Cache for Redis

Overview

Managed Redis cache. In-memory data store for fast access.

Tiers

Tier	Features	Use Case
Basic	Single node, no SLA	Dev/test
Standard	Primary + replica, 99.9% SLA	Production
Premium	Cluster, VNet, persistence, zones	Enterprise
Enterprise	Redis Enterprise, RediSearch, RedisJSON	Advanced features
Enterprise Flash	Cost-optimized large cache	Large cache, cost-sensitive

Key Features

Persistence — RDB or AOF snapshots to Storage Account (Premium+)
Clustering — Shard data across multiple nodes (Premium+)
VNet Integration — Private endpoint support (Premium+)
Geo-Replication — Replicate across regions (Premium+)
Zone Redundancy — Spread across availability zones

Common Use Cases

Caching (session state, database query results)
Message broker (pub/sub)
Leaderboards, rate limiting
Real-time analytics

4.7 Azure Synapse Analytics

Overview

Unified analytics platform. Data warehouse + data lake + data integration. Formerly SQL Data Warehouse.

Key Components

Synapse SQL — Dedicated SQL pool (former SQL DW, MPP) + Serverless SQL pool (pay per query)
Synapse Spark — Managed Spark for data engineering/science
Synapse Pipelines — ETL/ELT orchestration (like Data Factory)
Synapse Studio — Unified web UI

Dedicated SQL Pool (Formerly SQL DW)

Massively Parallel Processing (MPP)
Compute + Storage separated. Pause compute when not in use.
DWU (Data Warehouse Units) for compute sizing
Table types: Heap, Clustered Index, Clustered Columnstore (default, best for analytics)

Serverless SQL Pool

Query data in ADLS Gen2 or Blob Storage directly
Pay per TB processed
No infrastructure to manage

Interview Q&A

Q: Dedicated SQL Pool vs Serverless SQL Pool? A: Dedicated = provisioned compute, consistent performance, for heavy/repeated workloads. Serverless = pay per query, ad-hoc queries over data lake, no compute to manage.

4.8 Azure Databricks

Overview

Apache Spark-based analytics platform. Collaborative notebooks. Delta Lake built in.

Key Features

Workspace — Collaborative notebooks (Python, Scala, SQL, R)
Clusters — Auto-scaling Spark clusters. Job clusters (ephemeral) vs All-purpose clusters.
Delta Lake — ACID transactions on data lake. Time travel, schema enforcement, MERGE operations.
MLflow — Track ML experiments, models
Photon Engine — C++ acceleration for Spark SQL (faster, cheaper)
Unity Catalog — Unified governance across workspaces

Interview Q&A

Q: What is Delta Lake? A: Open-source storage layer on data lake. Adds ACID transactions, time travel, schema enforcement, MERGE (upsert) to Parquet/data lake. Solves data reliability issues. Default format in Databricks.

4.9 Azure Data Explorer (Kusto)

Overview

Fast, interactive analytics for log and telemetry data. Optimized for high-volume, time-series data.

Kusto Query Language (KQL)
Ingest from Event Hubs, IoT Hub, Blob Storage
Used by Azure Monitor Log Analytics (same engine)
For logs, metrics, IoT telemetry, application traces

PART 5: MESSAGING & INTEGRATION SERVICES

5.1 Azure Service Bus

Overview

Enterprise message broker. Queues and Topics with pub/sub. Reliable, ordered, transactional messaging.

Entities

Queue — Point-to-point. One sender, one receiver. FIFO (with sessions).
Topic — Pub/sub. One sender, multiple subscribers. Each subscriber gets a copy.
Subscription — Receiver for a topic. Can have filters/rules.

Key Features

Sessions — FIFO ordering. Messages with same session ID processed in order by one consumer.
Dead-Letter Queue (DLQ) — Messages that can’t be processed or expired go here for inspection.
Scheduled Messages — Deliver at a future time.
Deferred Messages — Set aside for later processing.
Transactions — Atomic send + complete across entities.
Duplicate Detection — Discard duplicate messages (based on message ID).
Auto-forwarding — Chain queues/topics.
Batching — Server-side batch for throughput.

Tiers

Tier	Features
Basic	Queues only, no sessions/topics, smaller limits
Standard	Topics, sessions, 80 GB per entity, pay-per-use
Premium — Isolated resources, larger limits, no throttling

Interview Q&A

Q: Service Bus Queue vs Storage Queue? A: Service Bus = enterprise features (sessions, DLQ, transactions, FIFO, topics). Storage Queue = simpler, cheaper, massive scale, at-least-once delivery. Use Service Bus for complex messaging; Storage Queue for simple, high-volume.

Q: Queue vs Topic? A: Queue = one consumer, point-to-point. Topic = multiple subscribers (pub/sub). Use Topic when multiple systems need the same message.

5.2 Azure Event Grid

Overview

Event routing service. Reactive, pub/sub. Route events from Azure services or custom sources to handlers.

Key Concepts

Event Sources — Where events come from: Blob Storage, Resource Groups, Event Hubs, Service Bus, custom topics
Event Handlers — Where events go: Functions, Logic Apps, Webhooks, Service Bus, Event Hubs, Storage Queues
Topics — Endpoint where sources send events. System topics (Azure resources) or custom topics.
Event Subscriptions — Route events from topic to handler. Filter by subject, event type.
Dead-Lettering — Undeliverable events go to Storage Account or Service Bus.

Key Features

Near-real-time delivery (sub-second)
At-least-once delivery
Filter events (subject prefix/suffix, event type)
10M events/sec per topic (custom topics)
Serverless — pay per event

Interview Q&A

Q: Event Grid vs Event Hubs vs Service Bus? A: Event Grid = reactive event routing (fire-and-forget), discrete events (state changed). Event Hubs = big data streaming, high-throughput event stream (telemetry, logs). Service Bus = enterprise messaging with transactions, ordering, sessions (command messages).

5.3 Azure Event Hubs

Overview

Big data streaming platform. Ingest millions of events per second. Kafka-compatible.

Key Concepts

Event Hub — Named stream (like a Kafka topic)
Partition — Ordered sequence of events. Parallelism unit. More partitions = more throughput.
Consumer Group — View of the event hub. Each consumer reads independently.
Capture — Auto-save stream to ADLS Gen2 or Blob Storage (avro format).
Partition Key — Ensures ordering for related events (same key → same partition).

Key Features

Up to 7 MB/sec per partition (Standard), 10+ MB/sec (Premium/Dedicated)
Up to 32 partitions (Standard), 1024 (Premium/Dedicated)
Kafka compatibility — Use Kafka clients directly (no code change)
Auto-inflate partitions
Long retention (up to 90 days on Premium/Dedicated)
Event Hubs for Apache Kafka — Endpoint compatible with Kafka 1.0+

Tiers

Tier	Partitions	Retention	Throughput
Basic	1	1 day	Limited
Standard	32	7 days	Moderate
Premium	1024	90 days	High
Dedicated	Custom	90 days	Max

Interview Q&A

Q: When to use Event Hubs vs Service Bus? A: Event Hubs = high-throughput telemetry/streaming (IoT, clickstream, logs). Service Bus = command messages with business logic, transactions, ordering. Event Hubs for firehose of events; Service Bus for reliable message delivery.

5.4 Azure API Management (APIM)

Overview

Publish, secure, transform, analyze APIs. Gateway + Developer Portal + Management plane.

Components

API Gateway — Proxy. Enforces policies (rate limit, auth, transformation), caches responses.
Developer Portal — Self-service API discovery, documentation (Swagger/OpenAPI), try-it console.
Management Plane — Define APIs, policies, products, developer accounts.

Key Features

Policies — XML-based rules applied to requests/responses. Inbound, outbound, backend, on-error.
- Rate limiting, quotas
- JWT validation, OAuth2
- Caching
- Request/response transformation
- CORS
- Call other APIs (send-request)
Products — Group APIs. Open (no subscription needed) or Require subscription.
Subscriptions — Developers subscribe to products. API key per subscription.
Backends — Multiple backend types (HTTP, App Service, Function, Service Fabric)
API Versions & Revisions — Version APIs (v1, v2). Revisions for non-breaking changes.
Self-hosted Gateway — Run gateway in your own environment (on-prem, other clouds).
WebSocket APIs — Supported.

Tiers

Tier	Use Case
Consumption	Serverless, pay per API call
Developer	Dev/test, no SLA
Basic	Small production
Standard	Production
Premium	Multi-region, VNet, self-hosted gateway
Standard v2 / Premium v2	Newer, improved performance

Interview Q&A

Q: How do you secure APIs with APIM? A: Validate JWT tokens, OAuth2/OpenID Connect, subscription keys, rate limiting policies, IP filtering, client certificate authentication. Layer security: subscription key (who) + JWT (what they can access) + rate limit (how much).

5.5 Azure Logic Apps

Overview

Workflow automation with visual designer. 200+ connectors. No-code/low-code.

Key Features

Connectors — Pre-built integrations: Office 365, Salesforce, Twitter, SQL, Storage, etc.
Triggers — What starts the workflow: recurrence, HTTP, event, new email, etc.
Actions — Steps in the workflow: send email, insert row, call API, etc.
Conditions, Loops, Switch — Control flow
Error Handling — Run after configuration (on success, failure, timeout)
Integration Account — B2B scenarios (AS2, X12, EDIFACT, RosettaNet). XML validation, transforms.
Stateful vs Stateless — Stateful = history retained. Stateless = no history, faster.

Consumption vs Standard

Feature	Consumption	Standard
Pricing	Per execution	Fixed + per execution
Performance	Shared infrastructure	Dedicated (App Service)
VNet	No	Yes
Connectors	All built-in + managed	All + custom (code)

Interview Q&A

Q: Logic Apps vs Functions? A: Logic Apps = visual, no-code, integration-focused, 200+ connectors. Functions = code-first, compute-heavy, performance-sensitive. Use Logic Apps for orchestration/integration; Functions for complex logic.

PART 6: IDENTITY & ACCESS MANAGEMENT

6.1 Microsoft Entra ID (Azure Active Directory)

Overview

Cloud identity and access management. SSO, MFA, conditional access, B2B, B2C. The backbone of Azure security.

Key Concepts

Tenant — Your organization’s dedicated Entra ID instance. Identified by .onmicrosoft.com domain.
Users — Cloud-only or synced from on-prem AD (via Entra Connect / Cloud Sync).
Groups — Security groups (for auth) or Microsoft 365 groups (for collaboration). Dynamic groups (auto-add based on attributes).
App Registrations — Register apps for auth. OAuth2/OIDC endpoints.
Enterprise Applications — Instances of app registrations for SSO. Service principals.
Managed Identities — Auto-managed identities for Azure resources. No credentials to manage.
- System-assigned — Tied to resource lifecycle. One per resource.
- User-assigned — Standalone identity. Multiple resources can use it.

Authentication Methods

Password + MFA — Password + something you have (authenticator app, phone, FIDO2 key)
Passwordless — FIDO2 security keys, Microsoft Authenticator, Windows Hello
Conditional Access — If-then policies. E.g., “If user is admin AND location is outside US, block access.” Signal-based: user, group, location, device, app, risk.
Identity Protection — Risk-based policies. Sign-in risk (is this really the user?) and User risk (is the account compromised?).

App Registration & Permissions

App Registration — Define the app in Entra ID. Get client ID, configure redirect URIs, define permissions.
Delegated Permissions — App acts on behalf of user. Needs user consent.
Application Permissions — App acts as itself. Needs admin consent. More powerful.
Consent — User consents to delegated permissions. Admin consents to application permissions.

Key Features

SSO — One login for all cloud apps (SAML, OIDC, WS-Fed)
B2B — Invite external users (guest accounts). They use their own identity.
B2C — Customer identity (now Entra External ID). Social login (Google, Facebook) + local accounts.
PIM (Privileged Identity Management) — Just-in-time admin access. Time-bound, approval-based. Reduces standing privileges.
Access Reviews — Periodic review of access. Remove unused access.
Entitlement Management — Automated access packages for onboarding/offboarding.
Self-Service Password Reset (SSPR) — Users reset own passwords. Requires MFA.

Entra ID Editions

Feature	Free	P1	P2
SSO, MFA	Yes	Yes	Yes
Conditional Access	No	Yes	Yes
Identity Protection	No	No	Yes
PIM	No	No	Yes
Access Reviews	No	No	Yes

Interview Q&A

Q: What is Conditional Access? A: If-then policies for access control. Signals: user/group, location, device, app, risk level. Actions: allow, block, require MFA, require compliant device. Most powerful tool in Entra ID. Always use for admin accounts.

Q: System-assigned vs User-assigned Managed Identity? A: System-assigned = one identity per resource, deleted with resource. User-assigned = standalone, shared across resources, independent lifecycle. Use user-assigned when multiple resources need same identity or you need identity to survive resource recreation.

Q: What is PIM? A: Privileged Identity Management. Provides just-in-time, time-bound, approval-based access to privileged roles. Reduces attack surface by eliminating permanent admin access.

6.2 Microsoft Entra External ID (B2C)

Overview

Customer identity and access management (CIAM). Social login, custom branding, millions of users.

Social identity providers: Google, Facebook, Apple, Amazon
Custom policies (XML-based) for complex flows
User flows (built-in): sign up, sign in, password reset, profile edit
API connectors for custom validation/enrichment
Brand customization

6.3 Microsoft Entra Domain Services

Overview

Managed domain services in the cloud. LDAP, Kerberos, NTLM. Domain-join VMs without deploying domain controllers.

For lift-and-shift of legacy apps requiring AD domain
Not a replacement for on-prem AD (no schema extensions, no GPOs beyond baseline)
Kerberos + NTLM authentication
LDAP read/write
Domain join for Azure VMs
Secure LDAP (LDAPS)

6.4 Role-Based Access Control (RBAC)

Overview

Control who can do what on Azure resources. Built on ARM.

Key Concepts

Security Principal — Who: User, Group, Service Principal, Managed Identity
Role Definition — What: Set of permissions (Actions, NotActions, DataActions, NotDataActions)
Scope — Where: Management Group, Subscription, Resource Group, Resource
Assignment — Binding: Principal + Role + Scope

Built-in Roles (Key Ones)

Role	What It Can Do
Owner	Full access + manage access
Contributor	Full access, cannot manage access
Reader	View everything, cannot change
User Access Administrator	Manage access only
Key Vault Contributor	Manage Key Vault (not secrets)

Key Principles

Principle of Least Privilege — Grant minimum needed
Use built-in roles before custom roles
Assign at highest scope that makes sense (prefer RG over subscription)
Use PIM for privileged roles — Just-in-time, not permanent
Separate duties — No one person should control entire lifecycle

Interview Q&A

Q: What’s the difference between RBAC roles and Entra ID roles? A: RBAC roles = manage Azure resources (VMs, Storage, etc.). Entra ID roles = manage Entra ID itself (users, groups, apps). They are separate role systems.

6.5 Azure Key Vault

Overview

Centralized secret management. Store keys, secrets, certificates securely.

What It Stores

Secrets — Passwords, connection strings, API keys. Up to 25 KB each.
Keys — Cryptographic keys (RSA, EC). Hardware-protected (HSM) in Premium tier.
Certificates — X.509 certificates. Auto-renewal with integrated CAs (DigiCert, GlobalSign).

Access Models

Vault access policy — Legacy. Per-application access policies. Granular per-secret.
Azure RBAC — Recommended. Role-based. Built-in roles: Key Vault Administrator, Secrets User, etc.

Key Features

Soft Delete — Recover deleted vaults/secrets (7-90 days retention). Enabled by default.
Purge Protection — Prevent permanent deletion during retention period.
Firewall — Restrict access to specific networks.
Private Endpoint — Access via private IP.
HSM-backed keys — Premium tier. FIPS 140-2 Level 2.
Managed HSM — Dedicated, single-tenant HSM. FIPS 140-2 Level 3.

Interview Q&A

Q: How do you access Key Vault from an application? A: Use Managed Identity + RBAC. No credentials in code. App gets token from IMDS endpoint, authenticates to Key Vault. For AKS: use Secret Store CSI Driver or Workload Identity.

Q: Vault access policy vs RBAC? A: RBAC is recommended (consistent with Azure model, supports PIM). Access policy is legacy but offers per-secret granularity. New deployments should use RBAC.

PART 7: SECURITY SERVICES

7.1 Microsoft Defender for Cloud

Overview

Cloud Security Posture Management (CSPM) + Cloud Workload Protection (CWP). Secures multi-cloud and on-prem resources.

Key Features

Secure Score — Percentage-based score of your security posture. Based on recommendations.
Recommendations — Actionable steps to improve security. Categorized: Network, Identity, Data, Compute.
Regulatory Compliance — Compare posture against standards (ISO 27001, NIST, PCI DSS, SOC 2, etc.).
Asset Inventory — View all resources and their security status.
Workflow Automation — Auto-respond to recommendations/alerts.

Defender Plans (Workload Protection)

Plan	Protects
Defender for Servers	VMs, on-prem servers. Vulnerability scanning, EDR (MDE), JIT VM access
Defender for App Service	Web app threat detection
Defender for SQL	SQL Server (on-prem, Azure SQL, VM). Vulnerability assessment, threat detection
Defender for Storage	Blob, Files, Data Lake. Malware scanning, data exfiltration detection
Defender for Containers	AKS, ACR, Container Apps. Image scanning, K8s threat detection
Defender for Key Vault	Threat detection for Key Vault
Defender for DNS	DNS-layer threat detection
Defender for IoT	IoT/OT device security
Defender for Databases	Open-source databases (PostgreSQL, MySQL, MariaDB)

JIT VM Access

Reduce attack surface by opening RDP/SSH ports only when needed
Request access → approved → port opened for limited time → auto-closed
Must-have for internet-facing VMs

Interview Q&A

Q: What is Secure Score? A: Measures your security posture (0-100%). Based on completed vs total recommendations. Higher = more secure. Used to prioritize remediation. Track over time.

7.2 Microsoft Sentinel

Overview

Cloud-native SIEM (Security Information and Event Management) + SOAR (Security Orchestration, Automation, and Response). Built on Log Analytics.

Key Components

Data Connectors — Ingest logs from M365, Azure, third-party (Cisco, Palo Alto, etc.)
Analytics (Rules) — Detect threats. Scheduled, real-time, ML-based, fusion.
Incidents — Group related alerts into incidents for investigation.
Workbooks — Interactive dashboards for visualization.
Playbooks — Automated response (Logic Apps-based). Auto-remediate threats.
Hunting — Proactive threat hunting with KQL queries.
Watchlists — Custom lists for enrichment (e.g., VIP users, malicious IPs).
Threat Intelligence — Integrate TI feeds. Use in analytics rules.

Key Features

UEBA (User and Entity Behavior Analytics) — ML-based anomaly detection. Establishes baselines.
SOAR — Automate response with playbooks (Logic Apps). E.g., block IP, disable user, isolate VM.
ML-based detection — Fusion (multi-stage attack detection), anomaly detection.
KQL (Kusto Query Language) — Query language for hunting and analytics rules.

Interview Q&A

Q: What is Sentinel and why use it? A: Cloud-native SIEM + SOAR. No infrastructure to manage. Scales automatically. Pay per GB ingested. Centralize security logs, detect threats, automate response.

7.3 Azure Policy

Overview

Enforce organizational rules and compliance at scale. Evaluate resources against policies. Prevent non-compliant resources.

Key Concepts

Policy Definition — Rule (if condition → deny/audit/modify/append/deployIfNotExists)
Policy Assignment — Apply definition to scope (MG, subscription, RG)
Policy Parameters — Make policies reusable (e.g., allowed regions list)
Initiative Definition — Group of policy definitions (e.g., “ISO 27001 compliance”)
Exemptions — Exclude specific resources from policies

Effects

Effect	What Happens
Deny	Block non-compliant resource creation/update
Audit	Log non-compliance (no block)
AuditIfNotExists — Audit if related resource doesn’t exist
DeployIfNotExists — Auto-deploy if missing (e.g., auto-deploy diagnostics)
Modify — Add/modify properties (e.g., add tags)
Disabled	Policy not evaluated

Common Policies

Allowed locations (restrict regions)
Allowed resource types
Require tags
Enforce encryption
Auto-deploy diagnostics settings
Prevent public endpoints

Interview Q&A

Q: Azure Policy vs RBAC? A: RBAC = who can do what (permissions). Policy = what is allowed/compliant (rules). They’re complementary. RBAC controls access; Policy controls what resources can look like.

7.4 Azure Blueprints

Overview

Package of policies + RBAC + ARM templates for repeatable compliance. Deploy a compliant environment in one shot.

Blueprint = Policy Assignments + Role Assignments + ARM Templates + Resource Groups
Version controlled
Artifact locking (prevent drift)
For compliance scenarios (deploy compliant landing zones)

7.5 Azure WAF (Web Application Firewall)

Overview

Protect web apps from common attacks (OWASP Top 10). Runs on Application Gateway or Front Door.

Key Features

Rule Sets — OWASP 3.2, 3.1, 3.0, 2.2.1
Custom Rules — Match conditions (IP, header, URI, geo) → allow/deny
Exclusions — Bypass WAF for specific fields (e.g., large file uploads)
Policy — Centralized WAF policy applied across multiple App Gateways/Front Doors

WAF Modes

Detection mode — Log but don’t block (testing)
Prevention mode — Block and log (production)

7.6 Azure Confidential Computing

Overview

Encrypt data in use using Trusted Execution Environments (TEEs). Data is encrypted at rest, in transit, AND in use.

DC-series VMs — SGX-enabled Intel processors
AKS Confidential Containers — Run containers in enclaves
Azure Attestation — Remote verification of TEE environment
For: financial data, healthcare records, multi-party computation

PART 8: AI / ML SERVICES

8.1 Azure OpenAI Service

Overview

Azure-hosted OpenAI models. GPT-4o, GPT-4, GPT-3.5, DALL-E, Whisper, Embeddings. Enterprise security, compliance, regional availability.

Key Features

Models — GPT-4o, GPT-4, GPT-4-32k, GPT-3.5-turbo, DALL-E 3, Whisper, text-embedding-ada-002
Deployments — Create deployment with specific model + capacity (PTUs or pay-per-use)
PTUs (Provisioned Throughput Units) — Reserved capacity, predictable latency
Content Filters — Built-in safety filters (hate, sexual, violence, self-harm). Configurable.
Private Endpoints — Access via private IP
RBAC — Role-based access
Fine-tuning — Customize models with your data (GPT-3.5-turbo, Babbage, Davinci)
On Your Data — Ground models in your data (search over documents)
Assistants API — Build AI assistants with tools (code interpreter, file search, function calling)

Interview Q&A

Q: Why use Azure OpenAI vs OpenAI directly? A: Enterprise features: private endpoints, RBAC, content safety, regional data residency, VNet integration, compliance certifications. Data not used to train models.

8.2 Azure AI Services (Cognitive Services)

Overview

Pre-built AI APIs. No ML expertise needed. REST APIs + SDKs.

Vision

Service	What It Does
Computer Vision	Image analysis, OCR, spatial analysis
Custom Vision	Train custom image classifiers/object detectors
Face	Face detection, recognition, verification
Video Indexer	Extract insights from video

Speech

Service	What It Does
Speech to Text	Real-time & batch transcription
Text to Speech	Neural TTS voices
Speech Translation	Real-time speech translation
Speaker Recognition	Identify/verify speakers

Language

Service	What It Does
Language Service	Sentiment, NER, key phrase extraction, PII detection, summarization, conversation
Translator — Real-time text translation (100+ languages)
Document Intelligence (Form Recognizer)	Extract structure from documents (invoices, forms, IDs)

Decision

Service	What It Does
Content Safety	Detect harmful content (text + image)
Personalizer	RL-based content ranking

8.3 Azure Machine Learning

Overview

End-to-end ML platform. Train, deploy, manage, monitor ML models.

Key Components

Workspace — Top-level resource. Contains all ML artifacts.
Compute — Compute instances (dev), compute clusters (training), inference clusters (deploy), attached compute (AKS, etc.)
Data — Datastores (connect to Storage, SQL), Datasets (versioned data references)
Experiments — Track training runs. Log metrics, parameters, artifacts.
Models — Register, version, package models
Endpoints — Real-time endpoints (online), Batch endpoints (batch scoring)
Pipelines — Orchestrate ML workflows (data prep → train → evaluate → deploy)
Prompt Flow — Build LLM orchestrations (RAG, chains, agents)

Key Features

AutoML — Automatically try algorithms + hyperparameters
MLflow — Open-source tracking (integrated)
Managed Endpoints — Deploy models with auto-scaling, A/B testing, traffic splitting
Responsible AI Dashboard — Fairness, error analysis, interpretability
Feature Store — Centralized feature management (preview)

8.4 Azure AI Search (Cognitive Search)

Overview

AI-powered search over your data. Full-text search, vector search, semantic search.

Key Concepts

Index — Searchable collection of documents. Schema-defined fields.
Indexer — Crawl data source (Blob, SQL, Cosmos DB) → populate index. Scheduled or on-demand.
Skillset — AI enrichment pipeline. Extract text from images, OCR, entity recognition, translation.
Knowledge Store — Save enriched data to Storage for analytics.

Search Features

Full-text search (Lucene-based)
Vector search (embeddings, nearest neighbor)
Semantic search (AI-reranked results)
Faceted navigation, filters, suggestions, autocomplete
Synonym maps, scoring profiles

PART 9: ANALYTICS SERVICES

9.1 Azure Stream Analytics

Overview

Real-time stream processing. SQL-like queries over event streams. Input from Event Hubs/IoT Hub, output to multiple sinks.

Key Features

SQL-like query language (SAQL)
Windowing: Tumbling, Hopping, Sliding, Session
Input: Event Hubs, IoT Hub, Blob Storage
Output: Event Hubs, Blob, SQL, Cosmos DB, Power BI, Service Bus, Data Lake
Reference data joins (static data enrichment)
ML scoring (custom functions)
Job diagram for debugging

9.2 Azure Data Factory

Overview

Cloud ETL / data integration. Orchestrate data movement and transformation at scale.

Key Concepts

Pipelines — Logical grouping of activities
Activities — Actions: Copy Data, Databricks Notebook, Stored Procedure, ForEach, If Condition, etc.
Datasets — Data structures (point to data source)
Linked Services — Connection info (connection strings, auth)
Integration Runtimes — Compute for data movement:
- Azure IR — Cloud data movement
- Self-hosted IR — On-prem / VNet data movement
- SSIS IR — Run SSIS packages

Key Features

Copy Activity — Move data between 100+ sources and sinks
Mapping Data Flows — Visual ETL transformations
Tumbling Window Trigger — Scheduled pipeline execution
Event-based Trigger — Trigger on blob creation
Monitoring — Visual monitoring, alerts
Managed VNet — Secure data movement

9.3 HDInsight

Overview

Managed Hadoop ecosystem. Open-source big data analytics.

Hadoop, Spark, Kafka, Storm, HBase, Interactive Query (Hive LLAP)
For organizations already using Hadoop ecosystem
Deploy as clusters (pay while running — can be deleted when not needed)
Enterprise Security Package (ESP) — Domain-join with Entra Domain Services

9.4 Azure Analysis Services

Overview

Enterprise OLAP / semantic modeling. Tabular data models for BI.

Power BI connects to Analysis Services for enterprise modeling
Semantic layer over data warehouse
Row-level security
Scale up/down, pause when not in use

9.5 Microsoft Purview

Overview

Unified data governance. Data catalog, classification, lineage, compliance.

Data Map — Automated data discovery and mapping
Data Catalog — Searchable inventory of data assets
Data Estate Insights — Understand your data landscape
Classification — Auto-classify sensitive data (SSN, credit card, etc.)
Lineage — Track data flow from source to destination
Integration — Scans: Azure, on-prem SQL, AWS, SAP, etc.

PART 10: MANAGEMENT & GOVERNANCE

10.1 Azure Resource Manager (ARM)

Overview

Deployment and management layer for Azure. Every action goes through ARM. Consistent management plane.

Key Concepts

Resource — Individual Azure service instance (VM, Storage Account, etc.)
Resource Group — Logical container for resources. Lifecycle boundary (delete RG = delete all resources). Region-scoped metadata.
Subscription — Billing + management boundary. Limits/quota per subscription.
Management Group — Manage multiple subscriptions. Policy + RBAC inheritance.

Hierarchy

Management Group → Subscription → Resource Group → Resource

ARM Templates / Bicep

ARM Templates — JSON IaC. Declarative. Idempotent.
Bicep — DSL that compiles to ARM JSON. Cleaner syntax, easier to read/write. Recommended over JSON.

Interview Q&A

Q: What is ARM? A: Azure Resource Manager. The management layer that handles all CRUD operations on Azure resources. Every tool (Portal, CLI, PowerShell, SDK) goes through ARM. Provides RBAC, tags, locks, and policy enforcement.

10.2 Azure Monitor

Overview

Full observability platform. Metrics, logs, alerts, dashboards.

Key Components

Metrics — Time-series data from resources (CPU, memory, request count). 93 days retention.
Logs — Log Analytics workspace. KQL queries. Custom logs. 30-730 days retention.
Application Insights — APM for web apps. Request tracking, dependency tracking, live metrics, availability tests.
Alerts — Metric alerts, log alerts, activity log alerts. Action groups (email, SMS, webhook, Logic App).
Dashboards — Shared dashboards in Portal.
Workbooks — Interactive reports combining metrics, logs, parameters.

Key Features

Diagnostic Settings — Route resource logs and metrics to Log Analytics, Storage, or Event Hubs.
Data Collection Rules (DCR) — Define what data to collect from VMs (AMA - Azure Monitor Agent).
VM Insights — Pre-built monitoring for VMs (performance, maps).
Container Insights — Pre-built monitoring for AKS/ARC K8s.
Network Insights — Network monitoring dashboards.

Interview Q&A

Q: Metrics vs Logs in Azure Monitor? A: Metrics = numeric time-series (CPU%, memory), pre-collected, 93 days, fast to query. Logs = everything else, KQL queries, flexible, longer retention, more expensive. Use metrics for alerting (fast). Use logs for deep investigation.

10.3 Azure Advisor

Overview

Personalized best-practice recommendations. Analyzes your resources and configuration.

Categories: Cost, Security, Reliability, Performance, Operational Excellence

Free service
Weekly updates
Postpone or dismiss recommendations
Download as PDF/CSV

10.4 Azure Cost Management

Overview

Track, allocate, and optimize Azure spend.

Key Features

Cost Analysis — View spend by resource, resource group, service, tag
Budgets — Set spending limits. Alert when threshold reached.
Cost Alerts — Budget alerts, credit alerts, department spending alerts (EA)
Exports — Schedule cost data export to Storage Account
Tags — Organize and track costs by project, department, environment
Reservation Recommendations — Identify resources for Reserved Instances savings

Interview Q&A

Q: How do you optimize Azure costs? A: Right-size VMs (Advisor), Reserved Instances (predictable workloads), Spot VMs (fault-tolerant), auto-shutdown (dev/test), use Cool/Archive tiers for storage, delete unmanaged disks/orphaned resources, use Budgets for alerts, review cost analysis weekly.

10.5 Azure Arc

Overview

Manage on-premises and multi-cloud resources from Azure. Project Azure management plane everywhere.

What You Can Manage

Servers — On-prem Linux/Windows servers. Install extensions (MDE, monitoring, custom scripts).
Kubernetes — Attach any K8s cluster (on-prem, EKS, GKE). Deploy GitOps, policies, monitoring.
SQL Server — Manage on-prem SQL Server from Azure. Pay-as-you-go licensing.
Data Services — Run Azure SQL Managed Instance, PostgreSQL on any infrastructure.
Machine Learning — Extend ML to on-prem

Key Benefits

Single management plane for hybrid/multi-cloud
Apply Azure Policy to non-Azure resources
Use Azure Monitor for on-prem servers
Run Azure data services anywhere

10.6 Azure Migrate

Overview

Assessment and migration tool for moving on-prem workloads to Azure.

Key Features

Discovery — Discover on-prem servers, databases, web apps
Assessment — Right-sizing, cost estimation, readiness check
Migration — Server migration (agent-based or agentless), database migration, web app migration
Dependency Mapping — Visualize server dependencies (using Service Map/AMA)

Tools

Azure Migrate: Server Assessment — Assess VMware, Hyper-V, physical servers
Azure Migrate: Server Migration — Replicate and failover servers
Data Migration Assistant (DMA) — Assess SQL Server migration readiness
Azure Database Migration Service (DMS) — Migrate databases with minimal downtime

10.7 Azure Lighthouse

Overview

Multi-tenant management. Service providers manage customer resources from their own tenant.

Delegated resource management
No need for guest accounts in customer tenant
Azure Portal, CLI, PowerShell, SDK support
Audit all cross-tenant actions
For MSPs, centralized IT teams

PART 11: HYBRID & EDGE SERVICES

11.1 Azure Arc (see Part 10 for details)

11.2 Azure Stack HCI

Overview

Hyper-converged infrastructure on-prem. Run VMs on-prem, manage from Azure.

Run on certified hardware (Dell, Lenovo, HPE, etc.)
Azure Hybrid Benefit for licensing
Azure Arc-enabled
AKS on Azure Stack HCI
Azure Virtual Desktop on HCI
Pay-as-you-go or subscription

11.3 Azure Stack Hub

Overview

Run Azure services on-premises. Disconnected scenarios possible.

Integrated systems (hardware from partners)
Connected or disconnected from Azure
Use Azure IaaS + some PaaS on-prem
For: edge, disconnected, regulatory, low-latency scenarios

11.4 Azure Stack Edge

Overview

Edge computing device with AI/ML + storage. Data processing at the edge.

Ruggedized hardware device
Run VMs, Kubernetes, ML models at edge
Transfer data to Azure (network or device)
GPU-enabled (NVIDIA T4)
Use cases: manufacturing, retail, field operations

11.5 Azure IoT Hub

Overview

Managed IoT service. Connect, monitor, manage billions of IoT devices.

Key Features

Device-to-Cloud (D2C) telemetry
Cloud-to-Device (C2D) commands
Device twins (reported/desired properties)
Device provisioning service (DPS) — zero-touch provisioning
Module twins for edge devices
File upload from devices
Routes — Send messages to endpoints (Event Hubs, Storage, Service Bus)

Tiers

Tier	Messages/Day	Use Case
Free	8,000	Dev/test
S1	400,000/unit	Small deployments
S2	6M/unit	Medium
S3	300M/unit	Large

11.6 Azure IoT Edge

Overview

Run cloud workloads on edge devices. Deploy modules (containers) to edge.

Offline operation with store-and-forward
Edge Agent + Edge Hub runtime
Deploy ML models, Azure Stream Analytics, custom modules
Offline support for extended periods

11.7 Azure Digital Twins

Overview

IoT spatial intelligence. Model physical environments as digital twins.

Model relationships between people, spaces, devices
Query spatial intelligence graph
Event route to downstream services
For: smart buildings, factories, cities

11.8 Azure Sphere

Overview

Secured microcontroller (MCU) for IoT devices. End-to-end security.

Sphere MCU (chip) + Linux OS + Cloud security service
Hardware root of trust
Automatic OS updates
Certificate-based auth

PART 12: DEVELOPER TOOLS

12.1 Azure DevOps

Overview

Application lifecycle management. Boards, Repos, Pipelines, Test Plans, Artifacts.

Services

Service	What It Does
Azure Boards	Work items, sprints, kanban, dashboards
Azure Repos	Git repositories (TFVC also available)
Azure Pipelines	CI/CD — build and deploy. YAML or classic. Agent-based (Microsoft-hosted or self-hosted).
Azure Test Plans	Manual and exploratory testing
Azure Artifacts — Package management (NuGet, npm, Maven, Python, Universal)

Key Concepts

Organization → Project → Repos, Pipelines, Boards
Service Connections — Connect to Azure (ARM), GitHub, Docker, etc.
Variable Groups — Shared variables across pipelines
Environments — Deployment targets with approvals/checks
Templates — Reusable pipeline steps

Interview Q&A

Q: Azure DevOps vs GitHub Actions? A: Azure DevOps = full ALM suite (boards, repos, pipelines, test plans). GitHub Actions = CI/CD only, GitHub-native. Many teams use GitHub for code + Azure DevOps for boards/pipelines.

12.2 Azure CLI / PowerShell / SDKs

Azure CLI

Cross-platform (Windows, Mac, Linux)
az command
Imperative, good for scripting
az group create --name myRG --location eastus

Azure PowerShell

Az module
PowerShell-native
Good for Windows admins, complex scripts
New-AzResourceGroup -Name myRG -Location eastus

Infrastructure as Code

ARM Templates — JSON, native to Azure
Bicep — DSL, compiles to ARM. Recommended.
Terraform — HashiCorp HCL. Multi-cloud. Azure provider.
Ansible — YAML playbooks. Agentless.

PART 13: SaaS SERVICES

13.1 Microsoft 365

Office apps (Word, Excel, PowerPoint)
Exchange Online (email)
SharePoint Online (document management)
OneDrive for Business (file storage)
Microsoft Teams (chat, meetings, collaboration)
Microsoft Viva (employee experience)

13.2 Dynamics 365

ERP + CRM suite: - Sales — CRM - Customer Service — Support - Field Service — Dispatch, scheduling - Finance — Financial management - Supply Chain Management — SCM - Business Central — SMB ERP - Commerce — E-commerce

13.3 Power Platform

Power Apps — Build custom apps (canvas + model-driven)
Power Automate — Workflow automation (desktop + cloud flows)
Power BI — Business intelligence and visualization
Power Virtual Agents — Build chatbots (now Copilot Studio)
Power Pages — External-facing websites
Dataverse — Underlying data platform

13.4 Microsoft Fabric

Overview

Unified analytics platform. Lakehouse, data warehouse, real-time analytics, BI, data engineering, data science. All in one SaaS.

OneLake — Single data lake for the organization (like OneDrive for data)
Lakehouse — Data lake + warehouse
Data Warehouse — Traditional warehousing
Real-Time Intelligence — Stream processing
Data Factory — ETL (built-in)
Power BI — Visualization (built-in)