After this lesson, you will be able to: Operate Azure safely: observe with Azure Monitor, Log Analytics, and Application Insights, and secure workloads with Microsoft Defender for Cloud, Azure Key Vault, Azure Policy, and RBAC.
The same operational discipline you applied on AWS applies on Azure with Microsoft's tooling. Azure Monitor and its query layer (Log Analytics) plus Application Insights are how you see what a running system is doing. Defender for Cloud, Key Vault, Azure Policy, and RBAC are how you keep it secure and compliant. These are heavily weighted in the AZ-104 and AZ-500 certifications and central to real Azure operations.
Azure Monitor is the umbrella service for metrics, logs, and alerts across every Azure resource, the CloudWatch equivalent. Underneath it, Log Analytics is the workspace where logs land and where you query them with KQL (Kusto Query Language), a genuinely powerful query language worth learning. Application Insights is the application-level layer: it instruments your app for request rates, dependency timings, exceptions, and distributed traces (the X-Ray equivalent). The on-call loop is the same as AWS: an alert fires, you query Log Analytics with KQL, and use Application Insights traces to find the slow or failing component.
KQL is how you slice logs in Azure. This finds the top failing requests in the last hour.
// Kusto Query Language (KQL) in a Log Analytics workspacerequests| where timestamp > ago(1h)| where success == false| summarize failures = count() by name, resultCode| sort by failures desc| take 10// KQL reads top-to-bottom like a pipeline (similar to the shell pipes// from the Linux subtrack): each | transforms the table from the step above.// Learning KQL is a high-leverage Azure skill; it powers Monitor,// Application Insights, Sentinel (security), and more.
Azure Key Vault stores secrets, encryption keys, and certificates, the Secrets Manager + KMS equivalent in one service, with access controlled by Entra ID and every access logged. Apps read secrets at runtime, ideally authenticating with a Managed Identity (from the Entra ID lesson) so there is no bootstrap secret to leak. Azure RBAC (role-based access control) governs who can do what to which resources, scoped at the management group, subscription, resource group, or individual resource level, applying least privilege the same way AWS IAM does. The pairing to remember: Key Vault holds the secrets, Managed Identities fetch them without a password, RBAC controls everything.
No alerts configured in Azure Monitor, so failures surface as user complaints. Alert on failure rate and latency at minimum. Storing secrets in app settings or code instead of Key Vault, then leaking them; use Key Vault + a Managed Identity so there is no secret to leak. Granting Owner/Contributor at subscription scope when a resource-group-scoped role would do; RBAC least privilege applies here too. Ignoring the Defender for Cloud Secure Score, which is a free, prioritized list of your actual risks. Letting Log Analytics ingest everything with long retention and getting a large bill; scope what you collect and set retention.
Pick the most secure option.
Sign in and purchase access to unlock this lesson.