Lesson 39 of 60 intermediate

Azure Basics for Support Engineers

A practical first Azure map


Real-world analogy

Azure is a huge office park you rent space in. Resource groups are suites, VNets are building floors, NSGs are the security guards at each door, and RBAC is the HR policy deciding which employees open which office.

What is it?

Azure for junior IT is a practical toolkit: create and manage RGs, VNets, NSGs, VMs, basic storage, Entra identities, RBAC assignments, and simple monitoring. Mastery is a long road; literacy is a week.

Real-world relevance

A growing company wants a secure test environment for new hires. You build: one RG, one VNet with two subnets (workloads / mgmt), NSGs restricting RDP/SSH to the mgmt subnet, three small VMs, Azure Backup, auto-shutdown policy, RBAC for the HR-IT group. Cost: predictable. Risk: low. Audit: pleased.

Key points

Code example

# Azure basics: typical first-week commands (CLI)

# Login
az login
az account set --subscription "<sub-id>"

# Resource group + VNet + subnet
az group create -n rg-lab-01 -l southeastasia
az network vnet create -g rg-lab-01 -n vnet-lab --address-prefix 10.10.0.0/16 \
  --subnet-name workloads --subnet-prefix 10.10.1.0/24

# NSG with a basic rule
az network nsg create -g rg-lab-01 -n nsg-workloads
az network nsg rule create -g rg-lab-01 --nsg-name nsg-workloads -n Allow-RDP-Mgmt \
  --priority 100 --direction Inbound --access Allow --protocol Tcp \
  --source-address-prefixes 10.10.2.0/24 --destination-port-ranges 3389

# VM with managed identity
az vm create -g rg-lab-01 -n vm-web-01 --image Win2022Datacenter \
  --size Standard_B2s --admin-username opsadmin --assign-identity \
  --vnet-name vnet-lab --subnet workloads --nsg nsg-workloads

# Tagging for cost
az tag update --resource-id "$(az group show -n rg-lab-01 --query id -o tsv)" \
  --operation merge --tags env=lab owner=it-support costcenter=IT-001

Line-by-line walkthrough

  1. First-week CLI examples
  2. Login header
  3. az login command
  4. Set active subscription
  5. Blank separator
  6. RG + VNet + subnet
  7. Create RG in region
  8. Create VNet
  9. Define subnet with prefix
  10. Blank separator
  11. NSG header
  12. Create NSG
  13. Create RDP rule
  14. Blank separator
  15. VM header
  16. Create VM
  17. Size, identity, network
  18. Blank separator
  19. Tagging header
  20. Apply tags to RG
  21. Tag key-values for cost tracking

Spot the bug

A junior exposes an Azure VM to the internet with this NSG rule: Allow TCP 3389 from Any to the workloads subnet, priority 100.

Hint: Which practice does this violate, and what’s the fix?

Answer: Open RDP to ‘Any’ equals daily brute-force storms. Fix: allow 3389 only from a management subnet or trusted IPs; ideally use Azure Bastion or a jump host and disable direct public RDP entirely. Add MFA + Conditional Access; keep audit logs.

Explain like I'm 5

Azure is a huge digital office park. You rent a suite (resource group), put furniture (VM, storage) inside, hang rules on the door (NSG), and tell HR who can enter (RBAC). Lock up when you’re done.

Fun fact

Microsoft ships multiple exam paths for junior cloud admins — AZ-900 (awareness), AZ-104 (administrator), AZ-500 (security), SC-300 (identity) — and at least one of these shows up in many corporate job ads as ‘preferred.’

Hands-on challenge

Open an Azure free account. Create one RG, one VNet with two subnets, one small VM, an NSG that permits SSH or RDP only from your IP. Run it for 30 minutes, delete the RG to clean up.
