Azure infra and DevOps workflows with practical deployment, identity, and automation notes.
# ── Azure Virtual Machines ──
# Create a resource group
az group create --name myResourceGroup --location eastus
# Create a VM
az vm create \
--resource-group myResourceGroup \
--name myAppVM \
--image Ubuntu2204 \
--size Standard_B2s \
--admin-username azureuser \
--authentication-type ssh \
--ssh-key-values ~/.ssh/id_rsa.pub \
--public-ip-sku Standard \
--nsg myAppNSG \
--subnet mySubnet \
--vnet-name myVNet \
--custom-data cloud-init.txt
# Open a port on the NSG
az vm open-port --port 80 --resource-group myResourceGroup --name myAppVM
# List VMs
az vm list --resource-group myResourceGroup -o table
# SSH into VM (az ssh vm comes from the "ssh" CLI extension and signs in with Entra ID)
az ssh vm --resource-group myResourceGroup --name myAppVM
# Stop / Start / Delete
az vm stop --resource-group myResourceGroup --name myAppVM
az vm start --resource-group myResourceGroup --name myAppVM
az vm delete --resource-group myResourceGroup --name myAppVM --yes
# Resize VM
az vm resize --resource-group myResourceGroup --name myAppVM --size Standard_B4ms
# ── VM Sizes ──
# Standard_B2s : 2 vCPU, 4 GB RAM (burstable, dev/test)
# Standard_D2s_v5 : 2 vCPU, 8 GB RAM (general purpose)
# Standard_E2s_v5 : 2 vCPU, 16 GB RAM (memory optimized)
# Standard_F2s_v2 : 2 vCPU, 4 GB RAM (compute optimized)
# Standard_NC6s_v3: 6 vCPU, 112 GB RAM, 1x V100 GPU

# ── Azure Kubernetes Service (AKS) ──
# Create AKS cluster
az aks create \
--resource-group myResourceGroup \
--name myAKSCluster \
--kubernetes-version 1.29 \
--node-count 3 \
--node-vm-size Standard_B2s \
--enable-managed-identity \
--enable-addons monitoring,ingress-appgw \
--workspace-resource-id /subscriptions/SUB_ID/resourceGroups/MC_RG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace \
--enable-cluster-autoscaler \
--min-count 2 \
--max-count 10 \
--network-plugin azure \
--network-policy azure \
--os-sku Ubuntu
# Get credentials
az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
# Scale node pool
az aks nodepool scale --resource-group myResourceGroup \
--cluster-name myAKSCluster --name nodepool1 --node-count 5
# Upgrade cluster
az aks upgrade --resource-group myResourceGroup \
--name myAKSCluster --kubernetes-version 1.30
# Add a spot node pool (cheaper for interruptible workloads)
az aks nodepool add \
--resource-group myResourceGroup \
--cluster-name myAKSCluster \
--name spotpool \
--enable-cluster-autoscaler \
--min-count 0 --max-count 5 \
--priority Spot \
--eviction-policy Delete \
--node-vm-size Standard_B2s \
--labels workload=spot
# ── Azure App Service (PaaS) ──
# Create App Service plan
az appservice plan create --name myPlan --resource-group myResourceGroup --sku B1 --is-linux
# Create web app
az webapp create --resource-group myResourceGroup --plan myPlan --name myapp-abc123 --runtime "NODE|20-lts"
# Deploy from GitHub
az webapp deployment source config --name myapp-abc123 --resource-group myResourceGroup \
--repo-url https://github.com/org/myapp --branch main --manual-integration
# Deploy from local
az webapp up --name myapp-abc123 --resource-group myResourceGroup --location eastus
# Configure environment variables
az webapp config appsettings set --name myapp-abc123 --resource-group myResourceGroup \
--settings NODE_ENV=production DB_HOST=mydb.postgres.database.azure.com

| Service | Type | Best For | Scaling |
|---|---|---|---|
| Azure VMs | IaaS | Full OS control, legacy apps | VMSS auto-scale |
| AKS | Managed K8s | Container orchestration | Cluster autoscaler |
| App Service | PaaS | Web apps, APIs (Linux/Win) | Built-in auto-scale |
| Azure Functions | Serverless | Event-driven, triggers | 0→N automatic |
| Container Apps | Serverless containers | Microservices, KEDA scaling | KEDA-based |
| VMSS | VM scale sets | Identical VMs, batch workloads | Custom auto-scale rules |

| Series | Prefix | Best For |
|---|---|---|
| Burstable | B-series | Dev/test, low-traffic web |
| General Purpose | D-series | Most production workloads |
| Memory Optimized | E-series | Databases, in-memory cache |
| Compute Optimized | F-series | Batch processing, gaming |
| GPU | NC/ND-series | ML training, GPU rendering |
| Spot VMs | Any + --priority Spot | Up to 90% off (interruptible) |
# ── Azure Blob Storage ──
# Create storage account
az storage account create \
--name mystorageacct123 \
--resource-group myResourceGroup \
--location eastus \
--sku Standard_RAGRS \
--kind StorageV2 \
--access-tier Hot \
--allow-blob-public-access false \
--enable-hierarchical-namespace # ADLS Gen2
# Create container
az storage container create --name mydata --account-name mystorageacct123
# Upload / Download blobs
az storage blob upload --container-name mydata \
--name data/report.csv --file ./local/report.csv
az storage blob download --container-name mydata \
--name data/report.csv --file ./downloaded/report.csv
# List blobs
az storage blob list --container-name mydata --output table
# Generate SAS token (Shared Access Signature)
az storage blob generate-sas \
--container-name mydata --name data/report.csv \
--permissions r --expiry 2025-12-31T23:59:00Z \
--only-show-errors
# Copy blob
az storage blob copy start \
--destination-container archive \
--destination-name report-backup.csv \
--source-container mydata \
--source-name data/report.csv
# Set blob tier (lifecycle)
az storage blob set-tier --container-name mydata \
--name old-data.json --tier Cool
# ── Lifecycle Management Policy ──
cat > lifecycle.json << 'EOF'
{
"rules": [
{
"name": "MoveToCoolAfter30",
"enabled": true,
"type": "Lifecycle",
"definition": {
"filters": { "blobTypes": ["blockBlob"], "prefixMatch": ["logs/"] },
"actions": { "baseBlob": { "tierToCool": { "daysAfterModificationGreaterThan": 30 } } }
}
},
{
"name": "DeleteAfter365",
"enabled": true,
"type": "Lifecycle",
"definition": {
"filters": { "blobTypes": ["blockBlob"], "prefixMatch": ["temp/"] },
"actions": { "baseBlob": { "delete": { "daysAfterModificationGreaterThan": 365 } } }
}
}
]
}
EOF
az storage account management-policy create \
--account-name mystorageacct123 --policy @lifecycle.json

| Tier | Cost | Min Stay | Retrieval | Use Case |
|---|---|---|---|---|
| Hot | Highest storage, lowest access | None | Instant | Active data, frequent access |
| Cool | Lower storage, higher access | 30 days | Milliseconds | Infrequent access, backups |
| Cold | Lowest storage, highest access | 90 days | Hours | Archive, compliance |
| Archive | Lowest cost | 180 days | 15+ hours | Long-term retention |

| Service | Type | Best For |
|---|---|---|
| Blob Storage | Object | Files, images, backups, data lake |
| Azure Files | SMB/NFS shares | File shares, lift-and-shift |
| Azure Queue | Message queue | Simple async messaging |
| Azure Disk | Block storage | VM OS/data disks |
| Azure Table | NoSQL key-value | Legacy, simple lookups |
| Managed Disks | Persistent storage | Attached to VMs, snapshots |
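
An added example, not part of the original cheatsheet: a check that reads the query-string fields of a SAS token (`sp`, `st`, `se`, `spr`, `sr`) and reports what makes it riskier than a short-lived, read-only, HTTPS-only grant. The tokens are constructed samples with placeholder signatures; `PAGE_STYLE_SAS` mirrors the `--permissions r` and `--expiry` values of the `generate-sas` command above, issued without `--https-only`. The 24-hour lifetime threshold and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample tokens; the signatures are placeholders, not real credentials.
SHORT_READ_SAS = ("sv=2022-11-02&sr=b&sp=r&st=2025-06-01T00%3A00%3A00Z"
                  "&se=2025-06-01T01%3A00%3A00Z&spr=https&sig=PLACEHOLDER")
PAGE_STYLE_SAS = "se=2025-12-31T23%3A59%3A00Z&sp=r&sv=2022-11-02&sr=b&sig=PLACEHOLDER"
BROAD_SAS = ("https://mystorageacct123.blob.core.windows.net/mydata"
             "?sv=2022-11-02&sr=c&sp=racwdl&se=2026-06-01T00%3A00%3A00Z"
             "&spr=https,http&sig=PLACEHOLDER")
# Constructed evaluation time so the results are reproducible.
SAMPLE_NOW = datetime(2025, 6, 1, 0, 10, tzinfo=timezone.utc)

TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas_time(value):
    """Parse the ISO 8601 UTC forms used in the st/se fields."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def audit_sas(token, now, max_lifetime=timedelta(hours=24), allowed_perms="r"):
    """Return a list of findings for a SAS token or a full SAS URL."""
    query = token.split("?", 1)[-1]          # accept a bare token or a URL
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    findings = []

    # sp: one letter per permission (r, a, c, w, d, l, ...)
    extra = sorted(set(fields.get("sp", "")) - set(allowed_perms))
    if extra:
        findings.append("permissions beyond '%s': %s" % (allowed_perms, "".join(extra)))

    # se/st: expiry and optional start time
    if "se" not in fields:
        findings.append("no expiry in token (check the stored access policy)")
    else:
        expiry = parse_sas_time(fields["se"])
        start = parse_sas_time(fields["st"]) if "st" in fields else now
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - max(start, now) > max_lifetime:
            hours = int(max_lifetime.total_seconds() // 3600)
            findings.append("remaining lifetime exceeds %dh" % hours)

    # spr: when absent, the service accepts both https and http
    if "http" in fields.get("spr", "https,http").split(","):
        findings.append("plain HTTP allowed (spr is not https-only)")

    # sr: b = single blob, c = whole container
    if fields.get("sr") == "c":
        findings.append("scope is the whole container, not a single blob")
    return findings


if __name__ == "__main__":
    for label, tok in [("short", SHORT_READ_SAS), ("page-style", PAGE_STYLE_SAS),
                       ("broad", BROAD_SAS)]:
        print(label, audit_sas(tok, SAMPLE_NOW))
```
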
# ── Azure Files (SMB/NFS File Shares) ──
az storage share create --name myshare --account-name mystorageacct123 --quota 5120
az storage directory create --share-name myshare --dirname projects
az storage file upload --share-name myshare --source ./local/config.yml --path config.yml
# Azure Queue Storage
az storage queue create --name orders --account-name mystorageacct123
az storage message put --queue-name orders --content '{"orderId":"123","status":"pending"}'
az storage message peek --queue-name orders --num-messages 5
az storage message delete --queue-name orders --id msg-id --pop-receipt receipt

--enable-hierarchical-namespace) to get ADLS Gen2 features: directory-level ACLs, fine-grained permissions, and POSIX-like semantics. Essential for analytics workloads using Synapse or Databricks.

# ── Azure SQL Database ──
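# Create logical SQL server
# Generate the admin password once and keep it in a variable (store it in Key Vault afterwards)
SQL_ADMIN_PASSWORD="$(openssl rand -base64 24)"
az sql server create \
--name my-sql-server-123 \
--resource-group myResourceGroup \
--location eastus \
--admin-user sqladmin \
--admin-password "$SQL_ADMIN_PASSWORD"
# Configure firewall (allow Azure services)
# 0.0.0.0-0.0.0.0 is the special "Allow Azure services" rule: it admits connections from any Azure resource, including other customers' subscriptions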
az sql server firewall-rule create \
--server my-sql-server-123 --resource-group myResourceGroup \
--name AllowAzureServices --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
# Create SQL Database
az sql db create \
--resource-group myResourceGroup \
--server my-sql-server-123 \
--name myappdb \
--service-objective S1 \
--backup-storage-redundancy Local
# Create elastic pool (share DTUs across databases)
az sql elastic-pool create \
--resource-group myResourceGroup \
--server my-sql-server-123 \
--name myElasticPool \
--edition GeneralPurpose \
--capacity 200 \
--db-max-capacity 50 \
--db-min-capacity 10
# Scale database
az sql db update --resource-group myResourceGroup \
--server my-sql-server-123 --name myappdb --service-objective P2
# Geo-replication
az sql db replica create \
--resource-group myResourceGroup \
--server my-sql-server-123 \
--name myappdb \
--partner-resource-group secondaryRG \
--partner-server my-sql-server-secondary

# ── Azure Cosmos DB ──
# Create Cosmos DB account
az cosmosdb create \
--name my-cosmos-123 \
--resource-group myResourceGroup \
--kind GlobalDocumentDB \
--default-consistency-level Session \
--locations regionName=eastus failoverPriority=0 isZoneRedundant=true \
--locations regionName=westus2 failoverPriority=1 isZoneRedundant=false
# Create database
az cosmosdb sql database create \
--account-name my-cosmos-123 \
--resource-group myResourceGroup \
--name myappdb
# Create container with partition key
az cosmosdb sql container create \
--account-name my-cosmos-123 \
--resource-group myResourceGroup \
--database-name myappdb \
--name users \
--partition-key-path /userId \
--throughput 400
# Create container with autoscale
az cosmosdb sql container create \
--account-name my-cosmos-123 \
--resource-group myResourceGroup \
--database-name myappdb \
--name orders \
--partition-key-path /customerId \
--autoscale-max-throughput 4000

// ── Cosmos DB SDK (Node.js) ──
import { CosmosClient } from '@azure/cosmos';
const client = new CosmosClient({
endpoint: 'https://my-cosmos-123.documents.azure.com:443/',
key: process.env.COSMOS_KEY,
});
const database = client.database('myappdb');
const container = database.container('users');
// Create item
await container.items.create({
id: 'alice',
userId: 'u001',
name: 'Alice Johnson',
email: 'alice@example.com',
preferences: { theme: 'dark', notifications: true },
});
// Read item (a point read needs the id and the partition key value, here /userId)
const { resource: user } = await container.item('alice', 'u001').read();
// Query with SQL
const { resources: activeUsers } = await container.items
.query({
query: 'SELECT * FROM c WHERE c.status = @status ORDER BY c.createdAt DESC',
parameters: [{ name: '@status', value: 'active' }],
})
.fetchAll();
// Upsert (insert or replace the whole document; include the partition key)
await container.items.upsert({ id: 'alice', userId: 'u001', status: 'active', lastLogin: new Date() });
// Delete item
await container.item('alice', 'u001').delete();
// ── Stored Procedure ──
// await container.scripts.storedProcedure('bulkImport').execute({ items: [...] });

| Tier | Model | Best For |
|---|---|---|
| DTU-based | Shared pool (DTUs) | Simple workloads, predictable load |
| vCore General Purpose | Per-core pricing | Most production workloads |
| vCore Business Critical | Premium storage, fast recovery | Mission-critical, low latency |
| Serverless | Auto-pause, per-second billing | Intermittent, dev/test |
| Hyperscale | Massive scale (up to 100 TB) | Large databases, fast restore |

| Level | Latency | Staleness | Use Case |
|---|---|---|---|
| Strong | Highest | None (linearizable) | Banking, inventory (rarely needed) |
| Bounded Staleness | High | Configurable lag | Leaderboards, social feeds |
| Session | Low | Read-your-writes | Most apps (recommended default) |
| Consistent Prefix | Lowest | Eventual order | Chat, IoT telemetry |
| Eventual | Lowest | Any order | Product catalog, social counters |
# ── Virtual Network (VNet) ──
# Create VNet with subnets
az network vnet create \
--name myVNet \
--resource-group myResourceGroup \
--location eastus \
--address-prefix 10.0.0.0/16
az network vnet subnet create \
--name web-subnet \
--vnet-name myVNet \
--resource-group myResourceGroup \
--address-prefixes 10.0.1.0/24
az network vnet subnet create \
--name app-subnet \
--vnet-name myVNet \
--resource-group myResourceGroup \
--address-prefixes 10.0.2.0/24
az network vnet subnet create \
--name db-subnet \
--vnet-name myVNet \
--resource-group myResourceGroup \
--address-prefixes 10.0.3.0/24 \
--service-endpoints Microsoft.Sql Microsoft.Storage
# ── Network Security Group (NSG) ──
az network nsg create --name myNSG --resource-group myResourceGroup --location eastus
az network nsg rule create --nsg-name myNSG --resource-group myResourceGroup \
--name AllowHTTP --priority 100 --direction Inbound \
--source-address-prefixes '*' --source-port-ranges '*' \
--destination-address-prefixes '*' --destination-port-ranges 80 \
--access Allow --protocol Tcp
az network nsg rule create --nsg-name myNSG --resource-group myResourceGroup \
--name AllowHTTPS --priority 110 --direction Inbound \
--source-address-prefixes '*' --destination-port-ranges 443 \
--access Allow --protocol Tcp
az network nsg rule create --nsg-name myNSG --resource-group myResourceGroup \
--name DenyAllInbound --priority 4096 --direction Inbound \
--access Deny --protocol '*' \
--source-address-prefixes '*' --destination-port-ranges '*'
# Associate NSG with subnet
az network vnet subnet update --name web-subnet --vnet-name myVNet \
--resource-group myResourceGroup --network-security-group myNSG

# ── Application Gateway (L7 Load Balancer + WAF) ──
# Create public IP
az network public-ip create --name myAppGW-Pip --resource-group myResourceGroup \
--sku Standard --allocation-method Static
# Create Application Gateway (the WAF configuration below requires the WAF_v2 SKU)
az network application-gateway create \
--name myAppGW \
--resource-group myResourceGroup \
--location eastus \
--sku WAF_v2 \
--capacity 2 \
--public-ip-address myAppGW-Pip \
--http-listener myListener \
--frontend-port 80 \
--default-backend-pool myBackendPool \
--default-backend-http-settings myBackendSettings \
--backend-pool-address-type Fqdn
# Add WAF (Web Application Firewall)
az network application-gateway waf-config set \
--gateway-name myAppGW \
--resource-group myResourceGroup \
--enabled true \
--firewall-mode Prevention \
--rule-set-type OWASP \
--rule-set-version 3.2
# ── Azure Load Balancer (L4) ──
# Public Load Balancer
az network lb create --name myLB --resource-group myResourceGroup \
--location eastus --sku Standard --frontend-ip-name myFrontend
az network lb probe create --lb-name myLB --resource-group myResourceGroup \
--name myProbe --protocol tcp --port 80
az network lb rule create --lb-name myLB --resource-group myResourceGroup \
--name myRule --protocol tcp --frontend-port 80 --backend-port 80 \
--probe myProbe --frontend-ip-name myFrontend \
--backend-pool-name myBackendPool
# ── Azure Front Door (Global CDN + WAF) ──
az afd profile create --name myFrontDoor --resource-group myResourceGroup \
--sku Standard_AzureFrontDoor
az afd endpoint create --name myEndpoint --profile-name myFrontDoor \
--resource-group myResourceGroup --origin-group myOriginGroup

| Type | Layer | Scope | Best For |
|---|---|---|---|
| Public LB | L4 (TCP/UDP) | Regional | VMs, inbound traffic |
| Internal LB | L4 (TCP/UDP) | Regional | Internal microservices |
| App Gateway | L7 (HTTP/S) | Regional | Web apps, WAF, path routing |
| Front Door | L7 + CDN | Global | Global CDN, multi-region routing |
| Traffic Manager | DNS | Global | DNS-based traffic routing |

| Concept | Description |
|---|---|
| VNet | Virtual network (10.0.0.0/16 max 65K IPs) |
| Subnet | IP range in VNet (min /29 = 8 IPs) |
| NSG | Stateful L3/L4 firewall (allow/deny rules) |
| App Gateway | L7 load balancer + WAF + SSL termination |
| Front Door | Global CDN + WAF + multi-region routing |
| VNet Peering | Connect VNets (transitive across same hub) |
| Private Endpoint | Private IP for PaaS services (no public) |
| Service Endpoints | Secure PaaS access from VNet subnet |
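
An added example, not part of the original cheatsheet: NSG rules are evaluated in priority order and the first match decides, so the explicit `DenyAllInbound` rule at priority 4096 created above also overrides Azure's default inbound rules for VNet and load-balancer traffic (priorities 65000 and 65001). The rule dictionaries are constructed samples using the field names of `az network nsg rule list -o json` (assumed, trimmed to the fields used), and sources are matched as labels (`*` or a service tag) rather than by CIDR.

```python
# Constructed sample: the three custom rules from the NSG commands above.
CUSTOM_RULES = [
    {"name": "AllowHTTP", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "AllowHTTPS", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
# Default inbound rules that Azure adds to every NSG.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]


def port_range(spec):
    """Turn '*', '80' or '8000-8100' into an inclusive (low, high) pair."""
    if spec == "*":
        return 0, 65535
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)


def inbound_by_priority(rules):
    return sorted((r for r in rules if r["direction"] == "Inbound"),
                  key=lambda r: r["priority"])


def evaluate_inbound(rules, source, protocol, port):
    """Return (access, rule name) of the first rule that matches the flow."""
    for rule in inbound_by_priority(rules):
        low, high = port_range(rule["destinationPortRange"])
        if (rule["protocol"] in ("*", protocol)
                and rule["sourceAddressPrefix"] in ("*", source)
                and low <= port <= high):
            return rule["access"], rule["name"]
    return "Deny", "(no rule matched)"


def covers(earlier, later):
    """True when every flow matched by `later` is already matched by `earlier`."""
    e_low, e_high = port_range(earlier["destinationPortRange"])
    l_low, l_high = port_range(later["destinationPortRange"])
    return (earlier["sourceAddressPrefix"] in ("*", later["sourceAddressPrefix"])
            and earlier["protocol"] in ("*", later["protocol"])
            and e_low <= l_low and l_high <= e_high)


def shadowed_rules(rules):
    """List (rule, shadowing rule) pairs for rules that can never take effect."""
    ordered = inbound_by_priority(rules)
    result = []
    for index, later in enumerate(ordered):
        for earlier in ordered[:index]:
            if covers(earlier, later):
                result.append((later["name"], earlier["name"]))
                break
    return result


if __name__ == "__main__":
    effective = CUSTOM_RULES + DEFAULT_RULES
    print(evaluate_inbound(effective, "Internet", "Tcp", 22))
    print(shadowed_rules(effective))
```
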
--disable-public-network-access for maximum security.

# ── Entra ID (Azure AD) & RBAC ──
# Create a service principal (app registration)
az ad sp create-for-rbac --name "my-app-sp" \
--role contributor \
--scopes /subscriptions/SUB_ID/resourceGroups/myResourceGroup
# Output:
# appId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# displayName : my-app-sp
# password : yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
# tenant : zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
# Login with service principal
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT_ID
# Assign RBAC role
az role assignment create \
--assignee APP_ID \
--role "Storage Blob Data Contributor" \
--scope /subscriptions/SUB_ID/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageacct123
# List role assignments
az role assignment list --assignee APP_ID --output table
# ── Managed Identity (no credentials!) ──
# System-assigned managed identity
az vm identity assign --resource-group myResourceGroup --name myAppVM
# User-assigned managed identity
az identity create --resource-group myResourceGroup --name myAppIdentity
az vm identity assign --resource-group myResourceGroup --name myAppVM \
--identities /subscriptions/SUB_ID/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myAppIdentity
# Grant managed identity access to Key Vault (for vaults that use access policies rather than Azure RBAC)
az keyvault set-policy -n my-keyvault \
--object-id "$(az identity show --name myAppIdentity --resource-group myResourceGroup --query principalId -o tsv)" \
--secret-permissions get list

| Type | Description | Use Case |
|---|---|---|
| User Account | Human user in Entra ID | Interactive login, Azure portal |
| Service Principal | App registration + credentials | CI/CD, automated scripts |
| Managed Identity | System or user-assigned | Azure resources accessing services |
| Group | Collection of users/principals | Team-level access management |

| Role | Scope | Access |
|---|---|---|
| Owner | All scopes | Full access + manage access |
| Contributor | All scopes | Manage resources, not access |
| Reader | All scopes | View-only |
| User Access Admin | All scopes | Manage role assignments |
| Key Vault Secrets Officer | Key Vault | Manage secrets |
| Storage Blob Data Owner | Storage | Full blob data access |
| AcrPush | Container Registry | Push images to ACR |
# ── Azure Pipelines YAML ──
trigger:
  branches:
    include:
      - main
      - develop
  paths:
    exclude:
      - README.md
      - docs/**
pr:
  branches:
    include:
      - main
variables:
  vmImage: 'ubuntu-latest'
  nodeVersion: '20.x'
  azureSubscription: 'my-service-connection'
  appName: 'myapp-abc123'
  resourceGroup: 'myResourceGroup'
  acrName: 'myacr123'
  imageTag: '$(Build.SourceVersion)'
stages:
  - stage: Build
    displayName: 'Build & Test'
    jobs:
      - job: Build
        pool:
          vmImage: $(vmImage)
        steps:
          - task: NodeTool@0
            inputs:
              versionSpec: '$(nodeVersion)'
          - script: npm ci
            displayName: 'Install dependencies'
          - script: npm run lint && npm run typecheck
            displayName: 'Lint & typecheck'
          - script: npm test -- --ci --coverage
            displayName: 'Run tests'
          - task: PublishTestResults@2
            inputs:
              testResultsFiles: '**/test-results.xml'
              testRunTitle: 'Unit Tests'
            condition: always()
          - task: PublishCodeCoverageResults@2
            inputs:
              codeCoverageTool: 'Cobertura'
              summaryFileLocation: 'coverage/cobertura-coverage.xml'
          - task: Docker@2
            displayName: 'Build & Push Docker Image'
            inputs:
              command: 'buildAndPush'
              repository: '$(acrName).azurecr.io/$(appName)'
              dockerfile: '**/Dockerfile'
              buildContext: '.'
              tags: |
                $(imageTag)
                latest
  - stage: DeployStaging
    displayName: 'Deploy to Staging'
    dependsOn: Build
    condition: succeeded()
    jobs:
      - deployment: DeployStaging
        environment: 'staging'
        pool:
          vmImage: $(vmImage)
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureWebApp@1
                  inputs:
                    azureSubscription: '$(azureSubscription)'
                    appType: 'webAppLinux'
                    appName: '$(appName)-staging'
                    package: '$(Pipeline.Workspace)/drop/**/app.zip'
  - stage: DeployProduction
    displayName: 'Deploy to Production'
    dependsOn: DeployStaging
    condition: succeeded()
    jobs:
      - deployment: DeployProduction
        environment: 'production'
        pool:
          vmImage: $(vmImage)
        strategy:
          canary:
            increments:
              - 10
              - 25
              - 50
              - 100
            preDeploy:
              steps:
                - script: echo "Pre-deploy validation"
            routeTraffic:
              steps:
                - task: AzureAppServiceSwap@1
                  inputs:
                    azureSubscription: '$(azureSubscription)'
                    ResourceGroupName: '$(resourceGroup)'
                    WebAppName: '$(appName)'
                    SourceSlot: 'staging'
                    TargetSlot: 'production'
            postRouteTraffic:
              steps:
                - script: curl -sf https://$(appName).azurewebsites.net/health
            on:
              failure:
                steps:
                  - script: echo "Rolling back!"
                  - task: AzureAppServiceSwap@1
                    inputs:
                      azureSubscription: '$(azureSubscription)'
                      ResourceGroupName: '$(resourceGroup)'
                      WebAppName: '$(appName)'
                      SourceSlot: 'production'
                      TargetSlot: 'staging'

| Service | Purpose |
|---|---|
| Azure Boards | Work tracking, Kanban, sprint planning |
| Azure Repos | Git repos, PRs, branch policies |
| Azure Pipelines | CI/CD (YAML or Classic) |
| Azure Test Plans | Manual + exploratory testing |
| Azure Artifacts | Package feeds (npm, Maven, NuGet) |
| Azure Monitor | Application & infra monitoring |

| Type | Scope | Description |
|---|---|---|
| Variable | Pipeline | Simple key-value, can be overridden at runtime |
| Variable Group | Shared across pipelines | Linked to Key Vault for secrets |
| Template Variable | In YAML file | Reusable variable definitions |
| Runtime Variable | Pipeline execution | Set via scripts (logging commands) |
| Secret Variable | Masked in logs | Use for passwords, connection strings |
$(mySecret) in your pipeline.

# ── Azure OpenAI Service ──
# Create OpenAI resource
az cognitiveservices account create \
--name my-openai \
--resource-group myResourceGroup \
--kind OpenAI \
--sku S0 \
--location eastus
# Deploy GPT-4o model
az cognitiveservices account deployment create \
--name my-openai \
--resource-group myResourceGroup \
--deployment-name gpt4o \
--model-format OpenAI \
--model-name gpt-4o \
--model-version 2024-08-06 \
--sku-capacity 30 \
--sku-name Standard
# List deployments
az cognitiveservices account deployment list \
--name my-openai --resource-group myResourceGroup -o table

# ── Azure Machine Learning Workspace ──
# Create ML workspace
az ml workspace create --name my-ml-workspace \
--resource-group myResourceGroup --location eastus
# Create compute cluster
az ml compute create --name my-cluster \
--workspace-name my-ml-workspace --resource-group myResourceGroup \
--type amlcompute --size Standard_DS3_v2 --min-instances 0 --max-instances 4
# Submit a training job
az ml job create --file job.yml --workspace-name my-ml-workspace \
--resource-group myResourceGroup
# ── Azure AI Services (Cognitive) ──
az cognitiveservices account create \
--name my-ai-services \
--resource-group myResourceGroup \
--kind CognitiveServices \
--sku S0 \
--location eastus
# Enables: Language, Vision, Speech, Translator all in one

// ── Azure OpenAI SDK (TypeScript) ──
import { AzureOpenAI } from 'openai';
const client = new AzureOpenAI({
apiKey: process.env.AZURE_OPENAI_KEY,
endpoint: 'https://my-openai.openai.azure.com',
apiVersion: '2024-08-01-preview',
deployment: 'gpt4o',
});
// Chat completion
const response = await client.chat.completions.create({
model: 'gpt4o',
messages: [
{ role: 'system', content: 'You are a helpful DevOps assistant.' },
{ role: 'user', content: 'Explain Kubernetes deployments in simple terms.' },
],
temperature: 0.7,
max_tokens: 1000,
});
console.log(response.choices[0].message.content);
// ── Azure AI Language (Sentiment Analysis) ──
// import { TextAnalysisClient, AzureKeyCredential } from "@azure/ai-language-text";
// const client = new TextAnalysisClient(endpoint, new AzureKeyCredential(key));
// const result = await client.analyze("SentimentAnalysis", ["I love Azure!"]);
// console.log(result[0].sentiment); // "positive"

| Service | Purpose | API Type |
|---|---|---|
| Azure OpenAI | GPT-4o, DALL-E, Whisper | REST + SDK |
| AI Language | Sentiment, NER, key phrases | REST + SDK |
| AI Vision | OCR, image analysis, face | REST + SDK |
| AI Speech | STT, TTS, translation | REST + SDK |
| Azure ML | Full ML lifecycle | Python SDK + CLI |
| Azure ML Studio | No-code ML, AutoML | Drag-and-drop UI |
# ── Resource Groups & Organization ──
# Create resource group with tags
az group create --name prod-rg-eastus \
--location eastus \
--tags Environment=production Team=platform CostCenter=eng-101
# List all resources in a group
az resource list --resource-group prod-rg-eastus -o table
# Move resources between groups
az resource move --ids /subscriptions/SUB_ID/resourceGroups/old-rg/providers/Microsoft.Compute/virtualMachines/myVM \
--destination-group prod-rg-eastus
# ── Azure Policy ──
# Define a policy (restrict regions)
az policy definition create --name allowed-regions \
--display-name "Allowed Regions" \
--description "Only allow resources in approved regions" \
--rules '{
"if": {
"not": {
"field": "location",
"in": ["eastus", "westus2", "northeurope"]
}
},
"then": {
"effect": "deny"
}
}' \
--mode Indexed
# Assign policy to resource group
az policy assignment create --name restrict-regions \
--policy allowed-regions \
--scope /subscriptions/SUB_ID/resourceGroups/prod-rg-eastus
# Check compliance (policy states for the resource group)
az policy state list --resource-group prod-rg-eastus -o table
# ── Tags ──
# Tag existing resources
az tag create --resource-id /subscriptions/SUB_ID/resourceGroups/prod-rg-eastus \
--tags Environment=production Owner=platform-team Project=myapp
# ── Azure Blueprints ──
az blueprint create --name prod-blueprint \
--display-name "Production Blueprint" \
--description "Standard production environment setup"
az blueprint version create --blueprint-name prod-blueprint --version "1.0"

| Level | Scope | Policies/RBAC Apply |
|---|---|---|
| Management Group | Multiple subscriptions | Organization-wide policies |
| Subscription | Billing boundary | Subscription-level controls |
| Resource Group | Collection of resources | Group-level policies + RBAC |
| Resource | Individual resource | Resource-level locks & tags |

| Effect | Description |
|---|---|
| Deny | Block resource creation/modification |
| Audit | Log non-compliant resources |
| Append | Auto-add tags or settings |
| DeployIfNotExists | Deploy missing dependencies |
| Disabled | Disable evaluation (testing) |
| Modify | Add/remove/update properties |
# ── Resource Locks (prevent accidental deletion) ──
# CanNotDelete: allows modification, prevents deletion
az lock create --name prevent-delete --lock-type CanNotDelete \
--resource-group prod-rg-eastus
# ReadOnly: prevents all modifications
az lock create --name read-only --lock-type ReadOnly \
--resource /subscriptions/SUB_ID/resourceGroups/prod-rg-eastus/providers/Microsoft.Sql/servers/my-sql-server
# List locks
az lock list --resource-group prod-rg-eastus -o table
# Delete a lock (required before deletion)
az lock delete --name prevent-delete --resource-group prod-rg-eastus

CanNotDelete lock prevents accidental deletion via CLI, portal, or API. Locks are inherited: applying one on a resource group protects all resources within it.