Pipelines and Pizza 🍕

Azure for DevOps Engineers: Getting Started


We’ve spent the last few weeks building up our Terraform skills: providers, resources, state, variables, outputs. But before we connect Terraform to Azure, it helps to understand what we’re connecting to.

This post is Azure 101 for DevOps engineers. Not a deep dive into every service, but a practical foundation for the things you’ll actually use.


Why Azure?

Azure is Microsoft’s cloud platform, and it’s everywhere in the enterprise.

Why DevOps engineers should learn Azure:

  • Enterprise dominance: Major presence in finance, healthcare, government
  • Hybrid cloud strength: Seamless integration with on-prem Active Directory
  • IaC support: First-class Terraform provider
  • Well-defined patterns: The Cloud Adoption Framework provides battle-tested architecture guidance

Azure Account Hierarchy

Tenant (Azure Entra ID)
└── Management Groups
    └── Subscriptions
        └── Resource Groups
            └── Resources

Tenant

The tenant is your Azure Entra ID (formerly Azure AD) instance, the identity foundation.

Management Groups

Management groups let you organize subscriptions and apply policies at scale. CAF-aligned structure:

Tenant Root Group
├── Platform
│   ├── Management
│   ├── Connectivity
│   └── Identity
├── Landing Zones
│   ├── Corp
│   └── Online
└── Sandbox

Subscriptions

A subscription is your primary billing and resource boundary.

Resource Groups

Resource groups are logical containers for resources. Every resource must belong to exactly one RG.


The Cloud Adoption Framework

Microsoft’s CAF is a collection of documentation, best practices, and tools. It covers Strategy, Plan, Ready, Adopt, Govern, and Manage.

Azure Landing Zone Accelerator for Terraform

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~> 6.0"

  root_parent_id = data.azurerm_client_config.current.tenant_id
  root_id        = "contoso"
  root_name      = "Contoso"

  deploy_core_landing_zones     = true
  deploy_management_resources   = true
  deploy_connectivity_resources = true
}

Core Services for DevOps

Compute

Service            Use Case
Virtual Machines   Traditional VMs
VM Scale Sets      Auto-scaling VM groups
App Service        Managed web hosting
AKS                Managed Kubernetes

Storage

Service            Use Case
Blob Storage       Object storage, Terraform state
File Storage       SMB/NFS shares

Networking

Service            Use Case
Virtual Network    Isolated network
NSG                Firewall rules
Azure Firewall     Managed firewall
Load Balancer      L4 load balancing

Networking Fundamentals

Virtual Networks (VNets)

resource "azurerm_virtual_network" "main" {
  name                = "vnet-${var.app_name}-${var.environment}"
  resource_group_name = azurerm_resource_group.app.name
  location            = azurerm_resource_group.app.location
  address_space       = ["10.0.0.0/16"]
}

Hub-Spoke Topology (CAF Pattern)

The CAF recommends a hub-spoke network topology with shared services in the hub and workloads in spokes.


Identity and Access Management

Azure RBAC

Who (Principal) + What (Role) + Where (Scope) = Access

Built-in roles: Owner, Contributor, Reader

Service Principals

For automation, create a service principal:

az ad sp create-for-rbac --name "terraform-sp" --role Contributor \
  --scopes /subscriptions/<YOUR_SUBSCRIPTION_ID>

Managed Identities

Managed identities are the preferred way to authenticate Azure resources to each other. No credentials to manage.
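As an added example (not code from the original post), here is how the principal + role + scope formula, a managed identity and the Blob Storage state backend fit together in Terraform: a user-assigned identity for the pipeline agent gets a data-plane role on the one state container it needs, instead of the Contributor-at-subscription grant used for the service principal above. The variables var.app_name and var.environment and the resource group azurerm_resource_group.app are assumed to exist, as in the VNet snippet.

```hcl
# Assumed to exist elsewhere: var.app_name, var.environment and
# azurerm_resource_group.app (as in the VNet snippet above).

# Storage account holding Terraform state. Shared keys are disabled, so the
# only way in is an Entra ID identity with a data-plane role assignment.
resource "azurerm_storage_account" "tfstate" {
  name                      = "st${var.app_name}${var.environment}tfstate"
  resource_group_name       = azurerm_resource_group.app.name
  location                  = azurerm_resource_group.app.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  shared_access_key_enabled = false
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.tfstate.name
  container_access_type = "private"
}

# Who: a user-assigned managed identity for the pipeline agent. There is no
# client secret to rotate or leak; Azure issues tokens to whatever resource
# carries this identity.
resource "azurerm_user_assigned_identity" "pipeline" {
  name                = "id-pipeline-${var.environment}"
  resource_group_name = azurerm_resource_group.app.name
  location            = azurerm_resource_group.app.location
}

# What + Where: a data-plane role scoped to the single container that needs
# it. "Contributor" at subscription scope would be far broader, and would not
# even grant blob data access once account keys are disabled.
resource "azurerm_role_assignment" "pipeline_state_rw" {
  scope                = azurerm_storage_container.tfstate.resource_manager_id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.pipeline.principal_id
}
```

With shared keys disabled, the azurerm provider itself needs `storage_use_azuread = true` in its `provider "azurerm"` block to manage the container, and the `backend "azurerm"` block needs `use_azuread_auth = true` so state reads and writes go through the identity's role assignment.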


Automation with Terraform

Basic Provider Setup

terraform {
  required_version = ">= 1.3"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

Cost Management Basics

Use Tags

locals {
  required_tags = {
    environment = var.environment
    owner       = var.owner
    cost_center = var.cost_center
    managed_by  = "terraform"
  }
}
