█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/DevOps and Infrastructure/Cloud Platforms — Microsoft Azure/Azure Monitoring and Security
40 minIntermediate

Azure Monitoring and Security

After this lesson, you will be able to: Operate Azure safely: observe with Azure Monitor, Log Analytics, and Application Insights, and secure workloads with Microsoft Defender for Cloud, Azure Key Vault, Azure Policy, and RBAC.

The same operational discipline you applied on AWS applies on Azure with Microsoft's tooling. Azure Monitor and its query layer (Log Analytics) plus Application Insights are how you see what a running system is doing. Defender for Cloud, Key Vault, Azure Policy, and RBAC are how you keep it secure and compliant. These are heavily weighted in the AZ-104 and AZ-500 certifications and central to real Azure operations.

Prerequisites:Entra ID (Azure AD)

Observability: Azure Monitor, Log Analytics, Application Insights

Azure Monitor is the umbrella service for metrics, logs, and alerts across every Azure resource, the CloudWatch equivalent. Underneath it, Log Analytics is the workspace where logs land and where you query them with KQL (Kusto Query Language), a genuinely powerful query language worth learning. Application Insights is the application-level layer: it instruments your app for request rates, dependency timings, exceptions, and distributed traces (the X-Ray equivalent). The on-call loop is the same as AWS: an alert fires, you query Log Analytics with KQL, and use Application Insights traces to find the slow or failing component.

A KQL query in Log Analytics

KQL is how you slice logs in Azure. This finds the top failing requests in the last hour.

tsx
// Kusto Query Language (KQL) in a Log Analytics workspace
requests
| where timestamp > ago(1h)
| where success == false
| summarize failures = count() by name, resultCode
| sort by failures desc
| take 10
// KQL reads top-to-bottom like a pipeline (similar to the shell pipes
// from the Linux subtrack): each | transforms the table from the step above.
// Learning KQL is a high-leverage Azure skill; it powers Monitor,
// Application Insights, Sentinel (security), and more.

Secrets and access: Key Vault and RBAC

Azure Key Vault stores secrets, encryption keys, and certificates, the Secrets Manager + KMS equivalent in one service, with access controlled by Entra ID and every access logged. Apps read secrets at runtime, ideally authenticating with a Managed Identity (from the Entra ID lesson) so there is no bootstrap secret to leak. Azure RBAC (role-based access control) governs who can do what to which resources, scoped at the management group, subscription, resource group, or individual resource level, applying least privilege the same way AWS IAM does. The pairing to remember: Key Vault holds the secrets, Managed Identities fetch them without a password, RBAC controls everything.

💡 Defender for Cloud and Azure Policy: posture and compliance

Microsoft Defender for Cloud continuously assesses your resources against security benchmarks, gives you a Secure Score, and flags misconfigurations (a storage account open to the internet, a VM missing patches) with remediation steps. Azure Policy enforces rules across a subscription, for example 'all storage accounts must use encryption' or 'only these regions are allowed', and can audit or block non-compliant resources at creation. Together they are how enterprises keep hundreds of subscriptions compliant without manually reviewing every resource. There is no single AWS service that does both; it spans AWS Config, Security Hub, and Service Control Policies.

Common mistakes only experienced engineers catch

No alerts configured in Azure Monitor, so failures surface as user complaints. Alert on failure rate and latency at minimum. Storing secrets in app settings or code instead of Key Vault, then leaking them; use Key Vault + a Managed Identity so there is no secret to leak. Granting Owner/Contributor at subscription scope when a resource-group-scoped role would do; RBAC least privilege applies here too. Ignoring the Defender for Cloud Secure Score, which is a free, prioritized list of your actual risks. Letting Log Analytics ingest everything with long retention and getting a large bill; scope what you collect and set retention.

Quick Check

How should an Azure web app obtain its database password in production?

Pick the most secure option.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Azure Kubernetes Service (AKS)
Back to Cloud Platforms — Microsoft Azure
Azure Certification Path→