🌧️ Azure

Updated at 2018-09-24 14:54

Azure is a cloud computing service by Microsoft. This document covers the main components of Azure in a nutshell.

Azure has the following top-level entities you manage:

  • Azure Account: a unique entity that grants access to Azure subscriptions.
  • Azure Subscription: a scope for billing and permissions management. Similar concept to a Google Cloud Platform "Project".
  • Azure Active Directory: a cloud-based access management service. You create users for your colleagues and place them in groups. Each subscription can only trust a single Azure AD for authentication.
  • Azure Tenant: a dedicated, trusted instance of Azure AD that is created when your organization registers for an Azure account. It represents your organization and holds its users, groups and application identities.

Azure Resource Manager is the management service for Azure. It enables you to create, modify or remove resources in your Azure subscriptions.

Resource manager contains the following entities:

  • Resource: an item that you can manage through Azure e.g. a server.
  • Resource Group: a collection of related resources e.g. for all servers for a certain project.
  • Resource Provider: the service that provides the resource e.g. Microsoft.Compute provides servers.
  • Resource Manager Template: a reusable file that defines resources to be deployed to a resource group.

Role-based Access Control (RBAC) manages who has access to your Azure resources.

You have three entities:

  • Security Principal: who has the authority?
  • Role: what can be done?
  • Scope: which resources can be targeted?

Security Principal

A security principal represents an identity.

Security principal can be one of the following types:

  • User: an individual with a profile in Azure AD.
  • Group: a set of users in Azure AD.
  • Service Principal: an identity for an application or automated tool. Unlike a user, it authenticates with a client ID plus a client secret or certificate, and those credentials are yours to protect and rotate.
  • Managed Identity: a service principal whose credentials Azure creates and rotates for you, so nothing has to be stored in code or configuration.


Role

A role is a collection of permissions. A role simply lists what identities holding that role can do, such as create or terminate servers.

You can create your own roles, but the common built-in ones are:

  • Owner: full access to the target resources, including assigning roles to others.
  • Contributor: full access to the target resources, but can't delegate access (assign roles).
  • Reader: can view and read the target resources, but can't change them or delegate access.


Scope

A scope is the set of resources targeted. You can specify scope at multiple levels: subscription, resource group, resource, etc. An assignment at a parent scope is inherited by everything beneath it, so an Owner at subscription scope is Owner of every resource group and resource in that subscription; grant at the narrowest scope that does the job.
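How principal, role and scope combine into an access decision, as an added example (my own toy model, not Microsoft's code or API): assignments apply to their scope and every child scope, and a role's effective permissions are its Actions minus its NotActions with "*" wildcards. The Owner/Contributor/Reader definitions are assumed to be abbreviated copies of the built-in ones (Contributor's NotActions are what stop it from delegating access); the subscription id, resource names and principals are constructed. Deny assignments, DataActions, conditions and management groups are left out.

```python
"""Toy evaluator for Azure RBAC decisions.

Added example, not Microsoft's code.  Role assignments at a scope apply to
every child scope, and a role's effective permissions are its Actions minus
its NotActions, matched with '*' wildcards.  Deny assignments, DataActions,
ABAC conditions and management groups are deliberately omitted.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple           # permission patterns, e.g. "Microsoft.Compute/*"
    not_actions: tuple = ()  # patterns subtracted from actions


# Assumption: abbreviated copies of the built-in role definitions.
OWNER = Role("Owner", actions=("*",))
CONTRIBUTOR = Role("Contributor", actions=("*",), not_actions=(
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
))
READER = Role("Reader", actions=("*/read",))


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group, service principal or managed identity
    role: Role
    scope: str      # ARM id: /subscriptions/<id>[/resourceGroups/<rg>[/providers/...]]


def scope_covers(assigned: str, target: str) -> bool:
    """True if target is the assigned scope itself or lies beneath it.
    Resource ids are compared case-insensitively, as ARM does, and only on
    a path-component boundary (app-rg is not beneath app)."""
    a = assigned.lower().rstrip("/")
    t = target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_permits(role: Role, action: str) -> bool:
    """Effective permission of one role = Actions minus NotActions."""
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in role.actions)
    denied = any(fnmatchcase(act, p.lower()) for p in role.not_actions)
    return allowed and not denied


def is_allowed(assignments, principal: str, action: str, target_scope: str) -> bool:
    """Grant if any assignment for the principal, at the target scope or an
    ancestor of it, permits the action.  Permissions across assignments are
    additive (a union), which is why over-broad scopes are hard to undo."""
    return any(
        a.principal == principal
        and scope_covers(a.scope, target_scope)
        and role_permits(a.role, action)
        for a in assignments
    )


# Constructed sample scopes and assignments (not real ids or identities).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/app-rg"
RG_DATA = SUB + "/resourceGroups/data-rg"
VM_WEB = RG_APP + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = RG_DATA + "/providers/Microsoft.Compute/virtualMachines/db01"

ASSIGNMENTS = [
    Assignment("alice", OWNER, SUB),               # human owner of the subscription
    Assignment("deploy-sp", CONTRIBUTOR, RG_APP),  # CI service principal, one resource group
    Assignment("auditors", READER, SUB),           # group that may read everything
]


def explain(principal: str, action: str, scope: str) -> str:
    """One-line verdict for a (principal, action, scope) triple."""
    verdict = "ALLOW" if is_allowed(ASSIGNMENTS, principal, action, scope) else "DENY"
    return f"{verdict:5} {principal:10} {action} on {scope.rsplit('/', 1)[-1]}"


if __name__ == "__main__":
    for case in [
        ("deploy-sp", "Microsoft.Compute/virtualMachines/delete", VM_WEB),
        ("deploy-sp", "Microsoft.Compute/virtualMachines/delete", VM_DB),
        ("deploy-sp", "Microsoft.Authorization/roleAssignments/write", RG_APP),
        ("auditors", "Microsoft.Compute/virtualMachines/read", VM_DB),
        ("auditors", "Microsoft.Compute/virtualMachines/start/action", VM_DB),
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM_WEB),
    ]:
        print(explain(*case))
```

The CI service principal can delete web01 but not db01, because its Contributor assignment lives on app-rg only, and it cannot write role assignments anywhere, because Contributor subtracts Microsoft.Authorization/*/Write. A compromised deploy-sp therefore cannot grant itself Owner; the same principal assigned Contributor at subscription scope would reach every resource group.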


Disks

Disks are either persistent or temporary:

  • Persistent:
    • Physically managed by the Microsoft Azure Storage service.
    • You will keep all data on reboot, start/stop, VM type change and maintenance.
  • Temporary:
    • Physically on the host operating system running the hypervisor software.
    • You can lose all data whenever the VM leaves its host: stop/deallocate, VM type change, redeployment and host maintenance (a plain reboot usually keeps it, but never rely on that).

Use persistent disks for application code, databases, critical data, etc., and temporary disks only for caches, the Windows pagefile, swap, etc.

Managed disks are the storage volumes used with Azure virtual machines; Azure handles the underlying storage accounts for you.

Managed disk types:

  • Standard HDD for non-critical workloads, low cost but inconsistent performance.
  • Standard SSD for general workloads, consistent throughput and medium latency.
  • Premium SSD for IO-sensitive workloads, high throughput and low latency.
  • Ultra Disk for data-intensive workloads, highest throughput and lowest latency.

Disk roles; each Azure VM...

  • OS Disk: ...has one OS disk of up to 4TB that contains the operating system.
  • Temporary Disk: ...has one or more fixed-size temporary disks, e.g. D2s_v3 has one 16GB disk and Lsv2 storage-optimized types have additional 1.9TB NVMe disks.
  • Data Disk: ...can have multiple data disks, each up to 32TB.

The easiest way to test whether you are using temporary storage incorrectly is to start your VM, let it run for a bit and then change the VM type: a resize redeploys the VM and wipes the temporary disk. If the application crashes or loses state afterwards, you are probably keeping crucial data on temporary storage. A cheaper first check is to look at where your data actually lives: on Linux the temporary disk is normally mounted at /mnt/resource (or /mnt on Ubuntu images) and contains a DATALOSS_WARNING_README.txt file, and on Windows it is the D: drive.
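A non-destructive version of that check, as an added example (my own script, not from the page or from Microsoft): parse a Linux mount table, find the mount point each application path lives on by longest prefix match, and flag everything that resolves to the temporary disk. It assumes the temporary disk is mounted at /mnt/resource (the waagent default from ResourceDisk.MountPoint in waagent.conf; cloud-init Ubuntu images use /mnt, so pass that instead) and that the mount table has the /proc/mounts layout. The mount table and the application paths are constructed; on a real VM read /proc/mounts and your service's configuration instead.

```python
"""Find application data paths that sit on the Azure temporary disk.

Added example, not from the original page.  Linux only: the temporary disk
is assumed to be mounted at /mnt/resource (waagent default; Ubuntu cloud-init
images use /mnt) and the mount table is in /proc/mounts format.
"""
import posixpath

# Constructed /proc/mounts excerpt: sdb1 is the temporary disk on this VM.
# A raw string keeps the \040 escape that /proc/mounts uses for spaces.
SAMPLE_MOUNTS = r"""
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/resource ext4 rw,relatime 0 0
/dev/sdc1 /data ext4 rw,relatime 0 0
/dev/sdd1 /mnt/big\040disk ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""

# Constructed application config: where a hypothetical service keeps state.
APP_PATHS = {
    "postgres data": "/data/pgsql",
    "session store": "/mnt/resource/sessions",   # wrong: gone after a resize
    "nginx cache": "/mnt/resource/nginx-cache",  # fine: rebuildable
    "app code": "/opt/app",
}


def parse_mounts(text: str) -> dict:
    """Map mount point -> device, unescaping the octal sequences /proc/mounts
    uses for space and tab inside mount point names."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        device, mount_point = fields[0], fields[1]
        mount_point = mount_point.replace("\\040", " ").replace("\\011", "\t")
        mounts[mount_point] = device
    return mounts


def mount_point_for(path: str, mounts: dict) -> str:
    """Longest mount point that is a prefix of path on a path-component
    boundary, so /mnt/resourceful is not mistaken for /mnt/resource."""
    path = posixpath.normpath(path)
    best = "/"
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def paths_on_temp_disk(paths, mounts_text: str, temp_mount="/mnt/resource") -> list:
    """Return the subset of paths that live on the temporary disk."""
    mounts = parse_mounts(mounts_text)
    return [p for p in paths if mount_point_for(p, mounts) == temp_mount]


def audit(app_paths: dict, mounts_text: str, temp_mount="/mnt/resource") -> dict:
    """Classify each named application path as 'temporary' or 'persistent'."""
    mounts = parse_mounts(mounts_text)
    return {
        name: "temporary" if mount_point_for(p, mounts) == temp_mount else "persistent"
        for name, p in app_paths.items()
    }


if __name__ == "__main__":
    for name, kind in audit(APP_PATHS, SAMPLE_MOUNTS).items():
        print(f"{kind:10} {name}: {APP_PATHS[name]}")
```

Anything reported as temporary that is not a cache, scratch space or swap is the bug the resize test would have found the hard way. The same idea works on Windows by checking whether a path's drive letter is D:.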