
Azure

Published On:
Oct 9, 2019
Last Updated:
Apr 7, 2025

Resource Groups

A resource is a single service instance in Azure. A resource group is a logical grouping of resources. An ARM (Azure Resource Manager) template is a JSON file that allows you to declaratively describe a set of resources.

The region of the resource group does not have to be the same as the region of the resource. Resource groups (and individual resources) can be assigned resource manager locks (either Read-Only or Delete).

Resource groups can usually be moved between subscriptions.

IaaS -> Infrastructure as a Service. You look after the OS and libraries.

PaaS -> Platform as a Service.

Normally charged for egress of data, but not ingress.

Supported operating systems: Windows Server, Windows Client, Ubuntu, Red Hat Enterprise Linux, SUSE Linux

Resources

A resource is the primary primitive in Azure. Almost everything you create in Azure is a particular type of resource.

Resources can be assigned Resource Tags. Resource tags can be used to logically organise resources. They are useful for the monitoring and billing of resources.

Storage Accounts

Storage account names have to be unique across all Azure storage accounts.

Storage explorer is a desktop application for browsing Azure storage accounts: https://azure.microsoft.com/en-ca/features/storage-explorer/

Blobs are a key/value object store (similar to AWS S3). Control user permissions with blob access policies. Block blobs are about 30x cheaper per GB than file blobs.

Load Balancers

Azure Load Balancers

A traditional traffic manager that can balance traffic between VMs (or other Azure end points).

Traffic Managers

A traffic manager is a smart DNS form of load balancer that can resolve a CNAME based on performance/geographic requirements.

Azure Active Directory

Azure Active Directory (Azure AD) is a cloud service that offers multi-tenant access and identity control.

Pass-through authentication:

Federation: Federation is a collection of domains that have established trust.

Management Groups

No management groups exist by default. Management groups can be used to group together subscriptions. Management groups exist in a tree-like hierarchy.

Subscriptions

A subscription is a logical unit of Azure services that is linked to an account. An Azure account is either an identity in Azure AD or a directory within Azure AD.

Role-based Access Control (RBAC)

Built-in Roles:

  • Owners
  • Contributors
  • Readers

What can be assigned to a role?

  • Users
  • Groups
  • Service Principals

Azure Policy

You can use Azure Policy to create, assign and manage policies. Policies are created from policy definitions. You can also determine the compliance for any policies.

File Sync

Azure supports both import and export file sync jobs.

For really large files, you can use the data boxes (physical storage devices that get sent to your location and then shipped back to Azure).

Permissions

Permissions in Azure tie in heavily with the Azure Active Directory.

  • Delegated: Used by apps that run with a signed-in user present.
  • Application: Used by apps that run without a signed-in user present.

It is best practice to use delegated permissions wherever possible. Only use application permissions when the app is non-interactive or runs without requiring a user to log in.

Legacy Windows-based Authentication

Users can log in using Windows credentials with either Kerberos or NTLM.

Azure Monitor

Application Insights

Application Insights can monitor request rates, response times, failure rates etc. Exception stack traces from both the server and browser (client-side application code) are logged.

Application Insights can then provide its data via an API or through Visual Studio (for debugging). It can also create visualizations in the Azure dashboard.

Azure Search Service

The Azure Search Service is a managed search service provided by Azure. It allows you to import/connect to the underlying data and then easily create indexes.

Azure Functions

Azure Functions are a way to run small pieces of code in which you are only billed for compute time while the code is running (i.e. serverless). They must be triggered by a specific event (such as an HTTP request or a timer schedule) that is supported by the Azure Functions framework. They are similar to AWS Lambda functions.

The Azure Functions logo.1

You can write the functions in a number of languages including:

  • Python
  • JavaScript
  • Java
  • C#

Microsoft provides a VS Code extension that helps you write and deploy functions from your local machine. Microsoft Oryx is used to build the source code into a “runnable artifact”.2

A screenshot of the Azure Functions extension for VS Code.

As of May 2023, the v2 Python programming model became generally available for use.3

By default all files inside the function app root directory are bundled up and uploaded to the Azure Function when you deploy. You can exclude files by adding them to the .funcignore file. For a Python based function app, the .funcignore file might look like this:

.git*
.vscode
__azurite_db*__.json
__blobstorage__
__queuestorage__
local.settings.json
test
.venv

local.settings.json contains local environment variables under the Values property. As suggested by the filename, these settings only apply when the function is run on your local machine. To have the same environment variables when running in Azure, you will need to add the environment variables to the function app settings. This can be done via the Azure Portal GUI by clicking Settings -> Environment variables.

Using Python for Azure Functions

You can configure a function that runs on a schedule by using the @app.timer_trigger decorator. The example below shows a function that runs every day at 00:00:00 (i.e. once a day at midnight).

import logging
import azure.functions as func

app = func.FunctionApp()

# Azure Functions uses the NCronTab library to interpret NCRONTAB expressions. An NCRONTAB
# expression is similar to a CRON expression except that it includes an additional sixth
# field at the beginning for time precision in seconds:
# {second} {minute} {hour} {day} {month} {day-of-week}
# 0 0 0 * * * means every day at 00:00:00
@app.timer_trigger(schedule="0 0 0 * * *", arg_name="myTimer", run_on_startup=True, use_monitor=False)
def timer_trigger(myTimer: func.TimerRequest) -> None:
    logging.info('Python timer trigger function executed.')
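
As an added example (not part of the original page, and not the NCronTab library itself), the following parser implements the six-field NCRONTAB format described in the comments above, so a schedule string can be checked for the instants it fires at before it is deployed. It covers "*", single values, ranges, lists and "/step", rejects five-field CRON strings (a common mistake when copying a schedule from a crontab), and uses the NCronTab day-of-week numbering (0 = Sunday).

```python
import datetime

# Six NCRONTAB fields, seconds first (plain CRON has five, starting at minutes)
FIELDS = ("second", "minute", "hour", "day", "month", "day_of_week")
RANGES = {"second": (0, 59), "minute": (0, 59), "hour": (0, 23),
          "day": (1, 31), "month": (1, 12), "day_of_week": (0, 6)}

def _expand(field, spec):
    # Expand one field ('*', '7', '1-5', '*/15', '0,30') into the set of values it covers
    lo, hi = RANGES[field]
    values = set()
    for part in spec.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start  # '5/15' means 5, 20, 35, 50
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad {field} spec {spec!r}")
        values.update(range(start, end + 1, step))
    return values

def parse_ncrontab(expr):
    """Parse a six-field NCRONTAB expression into {field: set_of_allowed_values}."""
    parts = expr.split()
    if len(parts) != 6:
        raise ValueError(f"NCRONTAB needs 6 fields, got {len(parts)}: {expr!r}")
    return {f: _expand(f, s) for f, s in zip(FIELDS, parts)}

def is_valid_ncrontab(expr):
    # True if the expression parses; a five-field CRON string is rejected
    try:
        parse_ncrontab(expr)
        return True
    except ValueError:
        return False

def matches(expr, when):
    """True if `when` (datetime or ISO 8601 string) is a firing instant of `expr`."""
    if isinstance(when, str):
        when = datetime.datetime.fromisoformat(when)
    sched = parse_ncrontab(expr)
    # NCRONTAB day-of-week is 0 = Sunday .. 6 = Saturday; Python's weekday() is 0 = Monday
    actual = {"second": when.second, "minute": when.minute, "hour": when.hour,
              "day": when.day, "month": when.month, "day_of_week": (when.weekday() + 1) % 7}
    return all(actual[f] in sched[f] for f in FIELDS)
```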

Logging calls in Azure Functions can be accessed via Azure Application Insights. You will need to enable Application Insights in the function app settings before it becomes available. Once enabled, logs can be accessed via Monitoring -> Logs -> traces.

IoT Hub

The Device Provisioning Service (DPS) can be used to provision devices for Azure IoT Hub. The benefits of using a DPS (vs. directly connecting to an IoT Hub) are:

  • You don’t have to hardcode the specific IoT Hub connection information into the device at the factory. Instead, you just have to hardcode the global DPS endpoint (and authentication information, but you’d have to do that either way).
  • You can easily load-balance devices across multiple IoT Hubs.
  • You can re-provision devices to a different IoT Hub if needed.
  • You can route devices to different IoT Hubs based on particular criteria such as geographic location, product, etc.

The DPS has a global endpoint of global.azure-devices-provisioning.net.

Authentication

IoT Hub supports two types of device authentication:4

  • Symmetric key authentication: The IoT device has a pre-created symmetric key which IoT Hub also knows about. The device presents a signature based on the symmetric key as proof of identity.
  • X.509 certificate-based authentication: The device stores a client certificate chain and private key. This seems to be the more popular method of authentication.

Selecting an attestation mechanism for an enrollment group in the Azure DPS.

The client certificate must have the value of its Subject Common Name (CN) field set to the value of the device ID that is used when registering the corresponding device in Azure IoT Hub.5

openssl will be used to generate the certificates. These examples will assume you are using Linux/macOS, although with a bit of modification you can make them work on Windows too.

The following Python code example (using the cryptography library) shows how to generate a root certificate.

import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

def generate_signed_certificate(subject_name, issuer_key, issuer_cert, public_key, cert_filename):
    """Build a CA certificate for public_key, sign it with issuer_key and write it out as PEM.
    Pass issuer_cert=None to create a self-signed root certificate."""
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject_name)
        .issuer_name(issuer_cert.subject if issuer_cert else subject_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime.datetime.utcnow())
        # Make it expire a really long time from now so we don't have to keep renewing it
        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=1000*365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )
    with open(cert_filename, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))

private_key = ec.generate_private_key(ec.SECP256R1())

# Convert to PEM format, you'll probably want to save this to file!
private_key_pem = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption()
)

# Create subject name
subject_name = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),  # must be a two-letter ISO 3166 country code
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "A State"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "A Locality"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Organization"),
    x509.NameAttribute(NameOID.COMMON_NAME, "Common Name"),
])

# Generate root certificate using function defined above
generate_signed_certificate(
    subject_name,
    private_key,
    None,  # Root cert is self-signed, so pass in None
    private_key.public_key(),
    "root_cert.pem"  # File name to save the root certificate to
)

The certificate expiry is set to 1000 years in the future so that we won’t have to worry about renewing it (it’s hard to update certificates that have been programmed onto many small IoT devices). Certificates and private keys are stored in the PEM format, which is base64-encoded DER.

To double-check your certificate data is correct, you can print out the contents with:

openssl x509 -in my_cert.pem -noout -text

It’s a good idea to have a standard naming convention for certificate files and private keys. My favourite is:

  • MyRootCA.crt.pem: The self-managed root certificate.
  • MyRootCA.key.pem: The private key for the root certificate.
  • MyIntermediateCA.crt.pem: The intermediate certificate.
  • MyIntermediateCA.key.pem: The private key for the intermediate certificate.
  • MyDevice.crt.pem: The device certificate (leaf certificate).
  • MyDevice.key.pem: The private key for the device certificate.

where MyRootCA and MyIntermediateCA would be changed to match the organisation and/or product name these certificates are being used for.
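
Two points from this section can be checked in code: the device certificate's CN must equal the IoT Hub device ID, and certificates are issued as a root -> intermediate -> device chain. The following is an added example (not from the original page or from Azure) that builds such a chain with the cryptography library, using the MyRootCA/MyIntermediateCA names from the naming convention above and a constructed device ID, and then verifies a leaf the way a relying party would: signature by the issuer's key, CN equal to the registered device ID, and not a CA certificate.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, key, issuer_cert=None, issuer_key=None, is_ca=True, days=365):
    """Issue a certificate for `cn` signed by the issuer (self-signed when issuer is None)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        # A leaf must not be a CA: a key lifted from one device must not mint more identities
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key if issuer_key else key, hashes.SHA256())
    )

def build_chain(device_id):
    """Constructed example chain: MyRootCA -> MyIntermediateCA -> device leaf (CN = device ID)."""
    root_key, inter_key, dev_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("MyRootCA", root_key)
    inter = make_cert("MyIntermediateCA", inter_key, root, root_key)
    device = make_cert(device_id, dev_key, inter, inter_key, is_ca=False)
    return root, inter, device

def verify_device_cert(device_cert, issuer_cert, expected_device_id):
    """Replicate the checks that matter for IoT Hub: the leaf was signed by the
    issuer's key, its CN equals the registered device ID, and it is not a CA."""
    try:
        issuer_cert.public_key().verify(
            device_cert.signature,
            device_cert.tbs_certificate_bytes,
            ec.ECDSA(device_cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    cn = device_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    basic = device_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return cn == expected_device_id and not basic.ca
```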

Footnotes

  1. Microsoft. Azure Functions pricing [webpage]. Microsoft. Retrieved 2025-04-03, from https://azure.microsoft.com/en-us/pricing/details/functions/.

  2. GitHub. microsoft/Oryx [repository]. Microsoft. Retrieved 2025-04-03, from https://github.com/microsoft/Oryx.

  3. shreyab (2023, May 24). Azure Functions: V2 Python Programming Model is Generally Available [blog post]. Microsoft. Retrieved 2025-04-02, from https://techcommunity.microsoft.com/blog/azurecompute/azure-functions-v2-python-programming-model-is-generally-available/3827474.

  4. Nejimon Raveendran. How to create an IoT device in Azure IoT Hub with certificate-based authentication [article]. Medium. Retrieved 2025-05-01, from https://medium.com/@nejimon.raveendran/how-to-create-an-iot-device-in-azure-iot-hub-with-certificate-based-authentication-cc7df8790c55.

  5. Azure IoT Hub. Learn / Azure / Internet of Things / IoT Hub / Tutorial: Create and upload certificates for testing [documentation]. Microsoft. Retrieved 2025-05-01, from https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-x509-test-certs.