Terraform and Azure


  • Azure will let you create your own custom Dashboards
  • ARM templates (aka Azure Resource Manager) – predefined infrastructure using JSON
  • E.g. using Azure Cloud Shell (which includes terraform, git, etc): git clone https://github.com/scarolan/azure-terraform-beginners
  • Edit terraform.tfvars
    • resource_group
    • hostname (dashes OK, probably not underscores)
    • location: get a list using az account list-locations --output table
    • az vm list-skus -l westindia --output table | grep Standard_A0
  • terraform init: gets workspace ready, pulls in plugins and modules
  • terraform plan
  • terraform apply
  • See it being built in real-time in resource groups

Notes on the code: https://github.com/scarolan/azure-terraform-beginners

  • main.tf:
    • azurerm_resource_group: Azure must have a resource group
    • azurerm_virtual_network
    • azurerm_subnet
    • azurerm_network_security_group
    • azurerm_network_interface
    • provisioner "remote-exec" – simple remote exec. Could use Ansible, Chef
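The main.tf resources listed above, as an added example written for this page rather than code from the scarolan/azure-terraform-beginners repo: it covers the resource group, virtual network, subnet and network security group (the NIC, VM and remote-exec provisioner are left out), and every name, address range and the admin CIDR is an assumed placeholder. The NSG admits SSH only from the admin range instead of from anywhere, which is the setting worth checking in terraform plan before terraform apply.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}
provider "azurerm" {
  features {}
}
# Names and ranges below are assumed; the tutorial repo reads its inputs from terraform.tfvars.
resource "azurerm_resource_group" "rg" {
  name     = "tf-beginners-rg"
  location = "eastus"
}
resource "azurerm_virtual_network" "vnet" {
  name                = "demo-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_subnet" "subnet" {
  name                 = "demo-subnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}
# One explicit inbound allow; the NSG denies all other inbound traffic by default.
resource "azurerm_network_security_group" "nsg" {
  name                = "demo-nsg"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  security_rule {
    name                       = "allow-ssh-from-admin"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "203.0.113.0/24" # placeholder admin range, not 0.0.0.0/0
    destination_address_prefix = "*"
  }
}
# Attach the NSG to the subnet so it applies to every NIC placed there.
resource "azurerm_subnet_network_security_group_association" "nsg_assoc" {
  subnet_id                 = azurerm_subnet.subnet.id
  network_security_group_id = azurerm_network_security_group.nsg.id
}
```

Run terraform init, then terraform plan, and confirm the only inbound rule in the plan output is the SSH rule with the admin range as its source.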


Azure Active Directory

Azure Active Directory now allows synchronisation between Azure AD and on-prem Directory Services.

Azure AD B2C

  • allows users to use 3rd party identities such as Facebook, Google or Microsoft ID (similar to AWS Federated Identity)

Azure AD Premium: supports password writeback.


Azure: Infrastructure and Networking

Azure Datacentres Architecture

Azure Datacentres


AWS  -> Azure

Placement Groups -> Affinity Groups


Fabric Controller

Some racks have a fabric controller which:

  • provisions VMs
  • heals failed VMs
  • rehydrates VMs
  • manages health and lifecycle of VMs

Azure Stamp / Cluster

  • shipping container
  • 20 rack group
  • all hardware in stamp uses same processor generation
  • 800 to 1000 individual servers very close together

Regional Availability and High Availability

Each rack functions as a fault domain.

Availability sets keep VMs available during downtime, both unscheduled (e.g. equipment failures) and scheduled maintenance.

You need to have VMs in an availability set to qualify for the Azure 99.95% SLA.

Availability set: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets#availability-set-overview

The closest I can find in AWS is this: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-increase-availability.html


Initial impressions of Microsoft Azure (with terminology in AWS-speak)

Initial impressions with Azure (having been in AWS)

Weird how, when you’re trying to login via the command line, you have to open a browser window to complete the login.

And when you attempt to do `az login -u <username> -p <password>` as mentioned here:


it says

Logging in through command line is not supported. For cross-check, try 'az login' to authenticate through browser.

Azure concepts

See also https://dzone.com/articles/azure-for-the-aws-user-identity

Tenant => a user (or, in Microsoft-speak, a representative of an organisation)


Service Principal: a credential for your application (https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-create-service-principals ).

You then assign permissions to the Service Principal via roles.

An AWS-style IAM Role does not exist in Azure. Instead Azure has applications, service principals and RBAC.


  • Applications: your apps OR 3rd party (e.g. Salesforce, Office 365)
  • Service Principals: identity assigned to these applications
  • RBAC – role based access control – assigned to users, groups or service principals

Resource Group: each resource must belong to a Resource Group.

A resource group is simply a logical construct that groups multiple resources together so they can be managed as a single entity. For example, resources that share a similar lifecycle, such as the resources for an n-tier application, may be created or deleted as a group.



Subscription: a logical construct that groups together resource groups and their resources. However, an Azure subscription is also associated with the controls used by Azure Resource Manager.
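The application, service principal and RBAC model described above, expressed in Terraform as an added example (not code from the page or from any Microsoft sample): an application object, its service principal, and a Reader role assignment scoped to a single resource group. It assumes the azuread and azurerm providers authenticate through an existing az login session, and the names are placeholders.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}
# Both providers pick up the identity from an existing `az login` session (assumed).
provider "azurerm" {
  features {}
}
provider "azuread" {}
# The resource group bounds what the service principal may touch (name is a placeholder).
resource "azurerm_resource_group" "app" {
  name     = "demo-app-rg"
  location = "eastus"
}
# The application object and its service principal: the identity Azure assigns to the app.
resource "azuread_application" "app" {
  display_name = "demo-app" # placeholder
}
resource "azuread_service_principal" "app" {
  application_id = azuread_application.app.application_id
}
# RBAC: the built-in Reader role, scoped to this one resource group rather than to the
# whole subscription. Subscription-scope Contributor is the over-broad alternative.
resource "azurerm_role_assignment" "app_reader" {
  scope                = azurerm_resource_group.app.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.app.object_id
}
```

Widening the scope or the role later shows up as a change to azurerm_role_assignment in terraform plan, which makes privilege creep reviewable.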



Note also Azure uses Storage Accounts which have blob containers and file shares rather than S3.



homebrew install is good.

As I use zsh it was odd to see a .bash_completion file being installed. Turns out the CLI has full tab completion for commands under the bash shell.

Login sucks

$ az login

Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"

You have logged in. Now let us find all the subscriptions to which you have access...

No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

$ az group create --name TutorialResources --location eastus

Please run 'az login' to setup account.

$ az login -u <username> -p <password>

Logging in through command line is not supported. For cross-check, try 'az login' to authenticate through browser.

Why do you have to login via a browser?!!

No subscriptions were found for ‘None’

No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

It’s easy to get bogged down in technical terms and, after a while, you switch off. So, this one fooled me. I was thinking it was some technical jargon. No, it means you haven’t entered your credit card.

Even after I’d entered my credit card I still got:

`You have not created any subscriptions yet.`  at https://portal.azure.com/#blade/Microsoft_Azure_Billing/MySubscriptionsBlade

and the Add button was greyed out.

Good old Microsoft. The entire process looks and feels clunky even though it’s a brand new service (newer than AWS). Shades of IBM.

It turned out, even though I had the Free plan, I was still getting the None error. Once I upgraded to Pay-As-You-Go I was able to do an az login. Still find the browser login bizarre though.

Spin up a VM

1. create a Resource Group

Note: a Resource Group is a logical construct that groups multiple resources together so they can be managed as a single entity (https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption-guide/adoption-intro/azure-resource-access#what-is-an-azure-resource-group), e.g. an n-tier application.

az group create --name myResourceGroup --location eastus

I really don’t understand why Microsoft have to create a different naming convention to AWS for Regions. (i.e. eastus as opposed to us-east).

2. spin up your VM

az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image UbuntuLTS \
  --admin-username azureuser \
  --ssh-key-value ~/.ssh/id_rsa.pub

And it sucks that Azure has a URL that’s ridiculously long. E.g. the URL for AWS you can almost type by hand:


whereas for Azure it’s:


3. open ports

az vm open-port --port 80 --resource-group myResourceGroup --name myVM


Note the default for Azure is to spit out vast amounts of output after each command (whereas AWS is silent) – e.g. that last command had 221 lines of output afterwards.

4. connect to VM

ssh azureuser@publicIpAddress

(this took a loooong time to connect)

5. install web server

sudo apt-get -y update

sudo apt-get -y install nginx

Refreshingly, the demo uses ssh and nginx rather than some Microsoft-y version.

6. test


curl localhost

which defaults to port 80.

Then open up publicIpAddress in a browser.

7. cleaning up

az group delete --name myResourceGroup

Note: you need to enter y, not yes, at the command line to confirm. Out of habit, I entered yes a few times and wondered why it wasn’t accepting it. My bad – it does actually prompt you for y.

See also https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-cli

And other guides: