Azure Core Services Cheatsheet: Microsoft Cloud Quick Reference
This page is a quick reference for Microsoft Azure services. It covers the core services across compute, storage, networking, database, identity, security, and monitoring that you will encounter in Azure cloud and DevOps roles.
Compute
Azure Virtual Machines
IaaS virtual machines. Full control over OS, disk, and configuration. Azure VMs are grouped into series based on workload type.
VM series
| Series | Purpose | Example sizes |
|---|---|---|
| B-series | Burstable, low-cost development and light workloads | B1s, B2s, B4ms |
| D-series | General purpose, most production workloads | D2s v5, D4s v5 |
| F-series | Compute optimised, high CPU-to-memory ratio | F4s v2, F8s v2 |
| E-series | Memory optimised, in-memory databases | E4s v5, E16s v5 |
| N-series | GPU-accelerated, ML training and graphics | NC4as T4 v3, ND96asr A100 |
| L-series | Storage optimised, high local NVMe throughput | L8s v3, L16s v3 |
Virtual Machine Scale Sets (VMSS)
Automatically scale a group of identical VMs based on metrics or a schedule. Integrates with Azure Load Balancer and Application Gateway. Supports rolling upgrades and automatic OS patching.
Azure App Service
Fully managed platform for web applications and APIs. Supports .NET, Java, Node.js, Python, PHP, and Ruby. Runs on Windows or Linux. Scale horizontally with auto-scale rules or vertically by changing the pricing tier. No OS management required.
App Service plan tiers: Free, Shared, Basic, Standard, Premium, Isolated (dedicated environment for compliance and performance).
AKS (Azure Kubernetes Service)
Managed Kubernetes service. Azure manages the control plane at no charge. You manage agent node pools (or use Virtual Nodes for serverless burst capacity). Integrates with Entra ID for RBAC, Azure Monitor for observability, and Azure Container Registry for images.
Azure Container Apps
Serverless container platform built on Kubernetes and KEDA (Kubernetes Event-Driven Autoscaling). Scales to zero. No Kubernetes knowledge required. Supports microservices, background processing, and event-driven workloads. Good choice when you want containers without managing Kubernetes directly.
Azure Functions
Serverless function execution. Write a function; attach it to a trigger (HTTP, Timer, Service Bus, Event Hub, Blob, Cosmos DB, etc.).
Hosting plans
| Plan | Description |
|---|---|
| Consumption | Scale to zero; pay per execution; cold starts possible |
| Flex Consumption | Faster cold starts; more predictable scaling |
| Premium | Pre-warmed instances; no cold starts; VNet integration |
| Dedicated (App Service) | Run on an existing App Service plan; always-on |
Storage
Azure Blob Storage
Object storage for unstructured data. Organise objects into containers within a storage account. Access via REST API, SDKs, or Azure Storage Explorer.
Blob access tiers
| Tier | Use case | Minimum storage |
|---|---|---|
| Hot | Frequently accessed data | None |
| Cool | Infrequently accessed, stored at least 30 days | 30 days |
| Cold | Accessed rarely, stored at least 90 days | 90 days |
| Archive | Long-term retention, offline storage, retrieved in hours | 180 days |
Lifecycle management policies can automatically move blobs between tiers based on age or last access time.
Azure Disk Storage
Managed block storage for Azure VMs. Disks are created as standalone resources and attached to VMs.
Disk types
| Type | Characteristics |
|---|---|
| Standard HDD | Lowest cost, dev/test environments |
| Standard SSD | Better latency than HDD, light production workloads |
| Premium SSD v2 | High-performance SSD with independently configurable IOPS and throughput |
| Ultra Disk | Maximum IOPS and throughput, sub-millisecond latency, SAP HANA and demanding databases |
Azure Files
Managed file shares accessible via SMB (Windows, Linux, macOS) and NFS (Linux). Mount directly on VMs or sync to on-premises servers using Azure File Sync. Good for shared application state, lift-and-shift of file servers, and persistent storage for containers.
Azure Data Lake Storage Gen2
Azure Blob Storage with a hierarchical namespace enabled. Supports directory-level access control (ACLs), which is required for big data analytics workloads. Native integration with Azure Synapse Analytics, HDInsight, and Databricks.
Networking
Virtual Network (VNet)
Your private network in Azure. Similar to AWS VPC. Define address spaces, subnets, and routing rules. VNets are regional resources.
NSG (Network Security Group)
Stateful firewall applied to a subnet or network interface. Define inbound and outbound rules based on source/destination IP, port, and protocol. Rules are priority-based: the lower the priority number, the earlier the rule is evaluated.
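Because evaluation stops at the first matching rule, a broad allow with a lower priority number silently overrides a narrower deny placed after it. The following added example (not part of the original cheatsheet) models that evaluation order and flags such shadowed rules; the rule names and addresses are constructed, and the model covers only source CIDR, destination port, and protocol (service tags, application security groups, and destination addresses are not modelled).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # CIDR or "*"
    port: str       # destination port: "22", "1-1024" or "*"
    protocol: str   # "Tcp", "Udp" or "*"
    access: str     # "Allow" or "Deny"

def _net(source):
    return ipaddress.ip_network("0.0.0.0/0" if source == "*" else source)

def _ports(port):
    if port == "*":
        return 0, 65535
    lo, _, hi = port.partition("-")
    return int(lo), int(hi or lo)

def evaluate(rules, ip, port, protocol):
    """Return (access, rule name) for the first rule that matches, by priority."""
    for r in sorted(rules, key=lambda r: r.priority):
        lo, hi = _ports(r.port)
        if (ipaddress.ip_address(ip) in _net(r.source)
                and lo <= port <= hi and r.protocol in ("*", protocol)):
            return r.access, r.name
    return "Deny", "no-match"

def covers(a, b):
    """True if every packet that matches b also matches a."""
    (alo, ahi), (blo, bhi) = _ports(a.port), _ports(b.port)
    return (_net(b.source).subnet_of(_net(a.source))
            and alo <= blo and bhi <= ahi and a.protocol in ("*", b.protocol))

def shadowed(rules):
    """List (rule, earlier rule) pairs where an earlier rule with the opposite
    access covers the later one, so the later rule never decides anything."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [(b.name, a.name) for i, b in enumerate(ordered)
            for a in ordered[:i] if a.access != b.access and covers(a, b)]

# Constructed inbound rule sets; DenyAllInBound mirrors the platform default.
DENY_ALL = Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny")
WEAK = [Rule("AllowTcpLowPorts", 100, "*", "1-1024", "Tcp", "Allow"),
        Rule("DenySsh", 200, "*", "22", "Tcp", "Deny"), DENY_ALL]
FIXED = [Rule("DenySsh", 100, "*", "22", "Tcp", "Deny"),
         Rule("AllowTcpLowPorts", 200, "*", "1-1024", "Tcp", "Allow"), DENY_ALL]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(label, evaluate(rules, "203.0.113.7", 22, "Tcp"), shadowed(rules))
```

In the weak set the SSH deny at priority 200 is never reached; swapping the two priorities makes it effective while leaving the other low ports allowed.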
Load Balancing Services
| Service | Layer | Use case |
|---|---|---|
| Azure Load Balancer | L4 (TCP/UDP) | Internal or external; ultra-low latency; non-HTTP protocols |
| Application Gateway | L7 (HTTP/HTTPS) | URL-based routing, cookie-based affinity, SSL termination, WAF |
| Azure Front Door | L7, global | Global CDN + L7 load balancing + WAF; anycast routing |
| Traffic Manager | DNS-based | DNS-level traffic routing across regions (not a true proxy) |
Connectivity
| Service | Purpose |
|---|---|
| Azure DNS | Managed authoritative DNS; private zones for internal VNet resolution |
| VPN Gateway | Encrypted IPsec/IKE tunnels to on-premises or other clouds |
| ExpressRoute | Dedicated private connection to Azure through a connectivity provider; not over the internet |
| VNet Peering | Connect two VNets privately; within a region (regional) or cross-region (global) |
| Azure Firewall | Managed stateful firewall with FQDN filtering, TLS inspection, and threat intelligence |
| Azure Bastion | Managed jump host for RDP/SSH to VMs without a public IP on the VM |
Database
Azure SQL Database
Managed SQL Server as a service. Choose from single database, elastic pool (shared resources across databases), or managed instance (near-full SQL Server compatibility for migrations). Serverless tier automatically pauses and resumes. Built-in intelligence for automatic performance tuning.
Azure Cosmos DB
Globally distributed, multi-model NoSQL database. Distribute data across any number of Azure regions with single-digit millisecond reads and writes. Multiple API options:
| API | Compatibility |
|---|---|
| NoSQL (Core) | Native Cosmos DB JSON document API |
| MongoDB | Wire-protocol compatible with MongoDB |
| Cassandra | Wire-protocol compatible with Apache Cassandra |
| Gremlin | Graph database API |
| Table | Compatible with Azure Table Storage |
Choose the MongoDB API when migrating a MongoDB workload; choose the native NoSQL API for new projects.
Azure Database for PostgreSQL / MySQL
Managed open-source relational databases. Flexible Server deployment provides zone-redundant HA, point-in-time restore, and configurable maintenance windows.
Azure Synapse Analytics
Unified analytics platform combining a data warehouse (formerly SQL Data Warehouse), Apache Spark, and data integration (Pipelines). Query data in Azure Data Lake Storage Gen2 without loading it. Use when you need a single workspace for both data engineering and BI.
Azure Cache for Redis
Managed Redis. Use for session caching, data caching, leaderboards, and message brokering. Supports Redis Cluster for higher throughput. Enterprise tier supports Redis modules (RediSearch, RedisBloom, RedisTimeSeries).
Identity
Microsoft Entra ID
Formerly Azure Active Directory. The cloud identity platform for Microsoft 365 and Azure. Every Azure subscription has a linked Entra tenant. Provides authentication (OAuth 2.0, OIDC, SAML), authorisation (RBAC), and directory services.
Entra ID is not a domain controller — it is a cloud identity provider. For traditional Active Directory features (Kerberos, LDAP, Group Policy), use Azure Active Directory Domain Services (Entra Domain Services).
Managed Identities
Allow Azure resources (VMs, App Service, Functions, AKS pods) to authenticate to other Azure services without any credentials in code. Two types:
- System-assigned: tied to the lifecycle of the resource; deleted when the resource is deleted
- User-assigned: standalone identity; can be assigned to multiple resources
Azure RBAC
Role-based access control on Azure resources. Assign roles (Owner, Contributor, Reader, or custom roles) to a principal (user, group, service principal, or managed identity) at a scope (management group, subscription, resource group, or resource).
Entra ID Conditional Access
Policy-based access control. Define conditions (user location, device compliance, application being accessed, sign-in risk level) and grant or block access accordingly. Requires Entra ID P1 or P2 licences.
Security
| Service | Purpose |
|---|---|
| Azure Key Vault | Store and manage secrets, encryption keys, and TLS certificates; access controlled by RBAC and access policies |
| Microsoft Defender for Cloud | Cloud security posture management (CSPM) and workload protection; security score and recommendations |
| Microsoft Sentinel | Cloud-native SIEM (Security Information and Event Management) and SOAR; built on Log Analytics |
| Azure Policy | Define and enforce compliance rules on resources at scale; evaluate resources against policies and deny or audit non-compliant deployments |
| DDoS Protection | Standard tier provides adaptive DDoS mitigation with telemetry and alerts beyond the basic protection included for all VNets |
Serverless and Integration Services
| Service | Purpose |
|---|---|
| Azure Functions | Serverless function execution (see Compute section above) |
| Logic Apps | Low-code workflow automation; hundreds of built-in connectors to SaaS and Azure services |
| Azure Service Bus | Enterprise messaging with queues and topics (pub/sub); ordered delivery, duplicate detection, dead-letter queue |
| Azure Event Grid | Event routing service; publish/subscribe for events from Azure services and custom applications; push model |
| Azure Event Hubs | High-throughput event streaming ingestion; millions of events per second; compatible with Apache Kafka protocol |
Monitoring and Observability
| Service | Purpose |
|---|---|
| Azure Monitor | Central platform collecting metrics and logs from all Azure resources |
| Log Analytics | Workspace for querying logs using KQL (Kusto Query Language); foundation for Sentinel, Defender, and Application Insights |
| Application Insights | Application Performance Monitoring (APM); tracks requests, dependencies, exceptions, custom events; auto-instruments many frameworks |
| Azure Advisor | Personalised recommendations for reliability, security, performance, and cost based on your actual resource usage |
KQL quick example — query application errors in the last 24 hours:
```kusto
requests
| where timestamp > ago(24h)
| where success == false
| summarize count() by resultCode, bin(timestamp, 1h)
| order by timestamp desc
```
Azure Certification Path
| Certification | Audience |
|---|---|
| AZ-900: Azure Fundamentals | Non-technical or entry-level cloud awareness |
| AZ-104: Azure Administrator Associate | Infrastructure engineers managing Azure resources |
| AZ-204: Azure Developer Associate | Developers building applications on Azure |
| AZ-305: Azure Solutions Architect Expert | Architects designing Azure solutions (requires AZ-104) |
| AZ-400: Azure DevOps Engineer Expert | DevOps practitioners (requires AZ-104 or AZ-204) |
| SC-900: Security, Compliance & Identity | Entry-level security awareness |
| SC-300: Identity and Access Administrator | Entra ID and identity specialisation |
For most engineers entering Azure roles, AZ-900 followed by AZ-104 is the standard path. Developers often choose AZ-204 instead of AZ-104.