Azure Basics for Support Engineers
A practical first Azure map
Real-world analogy
Azure is a huge office park you rent space in. Resource groups are suites, VNets are building floors, NSGs are the security guards at each door, and RBAC is the HR policy deciding which employees open which office.
What is it?
Azure for junior IT is a practical toolkit: create and manage RGs, VNets, NSGs, VMs, basic storage, Entra identities, RBAC assignments, and simple monitoring. Mastery is a long road; literacy is a week.
Real-world relevance
A growing company wants a secure test environment for new hires. You build: one RG, one VNet with two subnets (workloads / mgmt), NSGs restricting RDP/SSH to the mgmt subnet, three small VMs, Azure Backup, auto-shutdown policy, RBAC for the HR-IT group. Cost: predictable. Risk: low. Audit: pleased.
Key points
- Subscription, resource group, resource — Subscription: billing boundary. Resource group: logical container for related resources. Resource: a thing (VM, storage account, database). Delete the RG — everything inside goes with it.
- Regions, zones, and redundancy — Pick a region near users. Use zones for high availability within a region. Use geo-redundant storage and cross-region backups for DR. Don’t overthink; start with one region, one zone, and grow.
- VNet, subnet, NSG, route table — VNet is your private network in Azure. Subnets segment it. NSGs are stateful firewalls (allow/deny rules) on subnet or NIC. Route tables steer traffic — including forced tunneling to an on-prem firewall.
- Virtual machines — the ops bread and butter — Pick size, image, disks (managed, premium for IO), networking, identity. Patch via Automation/Update Management. Back up via Azure Backup. Turn them off when not needed (cost hygiene).
- Entra ID vs Azure AD DS vs on-prem AD — Entra ID: modern cloud identity (OIDC/SAML, conditional access). Azure AD DS: domain-join-in-cloud service (legacy-style Kerberos/LDAP for apps that need it). On-prem AD: traditional Active Directory. They can integrate, but they’re not the same thing.
- RBAC and Azure Policy — RBAC controls who can do what (reader, contributor, owner, plus custom roles). Azure Policy enforces rules (‘only allow VMs in this region,’ ‘require tags,’ ‘must use approved images’). Together they enforce guardrails without micromanagement.
- Azure Monitor, Log Analytics, Sentinel — Monitor collects metrics/logs. Log Analytics is the query engine (KQL). Sentinel is the SIEM on top. Juniors should recognize these names and know a couple of simple KQL queries.
- Cost Management — Tag resources with owner/env/project. Watch Cost Analysis and set budgets. Idle VMs, unattached disks, and forgotten test resources are the #1 cloud waste. Clean them up regularly.
Code example
# Azure basics — typical first-week commands (CLI)
# Login
az login
az account set --subscription "<sub-id>"

# Resource group + VNet + subnet
az group create -n rg-lab-01 -l southeastasia
az network vnet create -g rg-lab-01 -n vnet-lab --address-prefix 10.10.0.0/16 \
--subnet-name workloads --subnet-prefix 10.10.1.0/24

# NSG with a basic rule
az network nsg create -g rg-lab-01 -n nsg-workloads
az network nsg rule create -g rg-lab-01 --nsg-name nsg-workloads -n Allow-RDP-Mgmt \
--priority 100 --direction Inbound --access Allow --protocol Tcp \
--source-address-prefixes 10.10.2.0/24 --destination-port-ranges 3389  # 10.10.2.0/24 is the mgmt subnet; create it next to workloads

# VM with managed identity
az vm create -g rg-lab-01 -n vm-web-01 --image Win2022Datacenter \
--size Standard_B2s --admin-username opsadmin --assign-identity \
--vnet-name vnet-lab --subnet workloads --nsg nsg-workloads  # a public IP is allocated by default; pass --public-ip-address "" to skip it

# Tagging for cost
az tag update --resource-id $(az group show -n rg-lab-01 --query id -o tsv) \
--operation merge --tags env=lab owner=it-support costcenter=IT-001
Line-by-line walkthrough
- 1. First-week CLI examples
- 2. Login header
- 3. az login command
- 4. Set active subscription
- 5. Blank separator
- 6. RG + VNet + subnet
- 7. Create RG in region
- 8. Create VNet
- 9. Define subnet with prefix
- 10. Blank separator
- 11. NSG header
- 12. Create NSG
- 13. Create RDP rule
- 14. Blank separator
- 15. VM header
- 16. Create VM
- 17. Size, identity, network
- 18. Blank separator
- 19. Tagging header
- 20. Apply tags to RG
- 21. Tag key-values for cost tracking
Spot the bug
Junior exposes an Azure VM to the internet with NSG rule: Allow TCP 3389 from Any to workloads subnet, priority 100.
Which practice does this violate, and what’s the fix?
Open RDP to ‘Any’ equals daily brute-force storms. Fix: allow 3389 only from a management subnet or trusted IPs; ideally use Azure Bastion or a jump host and disable direct public RDP entirely. Add MFA + Conditional Access; keep audit logs.
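An added example, not part of the original page: a small auditor that reads NSG rules in the shape `az network nsg rule list -o json` returns and flags inbound Allow rules that reach RDP/SSH from "Any". The sample rules are constructed to contain the junior's rule, the fixed rule from the answer, a port range that quietly covers 3389, and the platform default deny.

```python
# Added example (not from the page): audit NSG rules for the "Spot the bug" case.
# Input shape follows `az network nsg rule list -o json` (ARM securityRules
# property names). The rules below are constructed samples, not real output.

MGMT_PORTS = {3389, 22}                      # RDP, SSH
ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # "from Any" spellings in an NSG

def _values(rule, single, plural):
    """Collect a property that az emits either as a scalar or as a list."""
    return [v for v in [rule.get(single), *(rule.get(plural) or [])] if v]

def port_range_covers(port_range, wanted):
    """True if '3389', '3000-4000' or '*' covers any port in `wanted`."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    return any(lo_i <= p <= hi_i for p in wanted)

def exposed_mgmt_rules(rules):
    """Names of inbound Allow rules reaching RDP/SSH from any source, in
    evaluation order (lowest priority number first). Overriding Deny rules
    are not modelled: treat each hit as a candidate for review."""
    hits = []
    for r in sorted(rules, key=lambda rule: rule["priority"]):
        if (r["direction"], r["access"]) != ("Inbound", "Allow"):
            continue
        if r["protocol"] not in ("Tcp", "*"):
            continue
        if not any(s in ANY_SOURCES for s in
                   _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")):
            continue
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        if any(port_range_covers(p, MGMT_PORTS) for p in ports):
            hits.append(r["name"])
    return hits

def _rule(name, priority, access, src, ports, protocol="Tcp"):
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol,
            "sourceAddressPrefix": src, "destinationPortRange": ports}

# Constructed sample: the junior's rule, the fixed rule from the answer,
# a port range that quietly includes 3389, and the platform's default deny.
SAMPLE_RULES = [
    _rule("Allow-RDP-Any", 100, "Allow", "*", "3389"),              # the bug
    _rule("Allow-RDP-Mgmt", 110, "Allow", "10.10.2.0/24", "3389"),  # the fix
    _rule("Allow-Apps-Range", 200, "Allow", "Internet", "3000-4000"),
    _rule("DenyAllInBound", 65500, "Deny", "*", "*", protocol="*"),
]
```

Against a real lab, feed `json.load` of `az network nsg rule list -g rg-lab-01 --nsg-name nsg-workloads -o json` into `exposed_mgmt_rules`; an empty list is the expected result once only the management subnet is allowed.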
Explain like I'm 5
Azure is a huge digital office park. You rent a suite (resource group), put furniture (VM, storage) inside, hang rules on the door (NSG), and tell HR who can enter (RBAC). Lock up when you’re done.
Fun fact
Microsoft ships multiple exam paths for junior cloud admins — AZ-900 (awareness), AZ-104 (administrator), AZ-500 (security), SC-300 (identity) — and at least one of these shows up in many corporate job ads as ‘preferred.’
Hands-on challenge
Open an Azure free account. Create one RG, one VNet with two subnets, one small VM, an NSG that permits SSH or RDP only from your IP. Run it for 30 minutes, delete the RG to clean up.
More resources
- AZ-104 study guide (Microsoft Learn)
- Azure CLI reference (Microsoft Learn)
- John Savill Azure content (John Savill)