Skip to main content

Azure Quick Review

· 2 min read

There are a lot of workbooks that help with Microsoft Azure cost optimization, but when having discussions and looking into SLA/SLO and availability scenarios, there are fewer options to select from - today, we are going to look at the deployment and output of Azure Quick Review.

Azure Quick Review (azqr) goal is to produce a high level assessment of an Azure Subscription or Resource Group providing the following information for each Azure Service:

Azure Quick Review (created by Microsoft Senior Cloud Solution Architect Carlos Mendible), can supplement other tools - to give you visibility into your Azure services and answer questions such as:

  • What is my expected SLA?
  • Are my resources protected against zone failures?
  • Am I collecting diagnostic logs for my resources?
  • Is Defender for Cloud-enabled for all my resource types?

Using this tool is pretty simple (and, as the name suggests, Quick), and today we will look at running it from a windows endpoint, but first, we need some prerequisites.

Install the Azure CLI and make sure you have Reader rights across the subscriptions you want to review; in this demo, we will scan all subscriptions I have access to.

The Azure Quick Review (azqr) windows binary is intended to be run from the command line, so let's run it.

  1. Open your Windows Terminal

  2. Navigate to the location of the azqr binary

  3. Azure Quick Review

  4. Login to Azure using the Azure CLI by typing:

    az login
  5. Once you have authenticated, run the executable.

  6. Run azqr-windows-latest

  7. Once it has been completed, there will be an excel spreadsheet in the same folder as the Azure Quick Review executable, with an output that contains something similar to the below:

  8. Azure Quick Review - Overview

  9. Azure Quick Review - Recommedations

  10. Azure Quick Review - Defender for Cloud

Create Azure Bastion with Shareable Link support with PowerShell

· 9 min read

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal or via the native SSH or RDP client installed on your local computer.


The Azure Bastion service is a fully platform-managed PaaS service you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS.

Because of this, if you don't have line-of-sight access to your Virtual Machines (via express route, Site-to-Site VPN etc.), Bastion becomes your jump box, allowing secure access to your virtual machines without needing a public IP.

There is a downside, though. To connect to a Virtual Machine secured by Bastion, you need access to the Azure Portal, or command line connectivity to Azure, to create the tunnel; this means that you may need to grant people elevated rights and access they may not need to connect.

As of November 2022, Microsoft introduced shareable links into public preview, solving two key pain points:

  • Administrators will no longer have to provide full access to their Azure accounts to one-time VM users—helping to maintain their privacy and security.
  • Users without Azure subscriptions can seamlessly connect to VMs without exposing RDP/SSH ports to the public internet.

The Bastion Shareable Link feature lets users connect to a target resource (virtual machine or virtual machine scale set) using Azure Bastion without accessing the Azure portal.

At the time of this writing, there are some scenarios where shareable links won't work - particularly across Network peering across subscriptions and regions.

Because the service is in Public Preview - native PowerShell cmdlet support, enabling and configuring this feature isn't available - but you can easily allow it via the Azure Portal.

Create Azure Bastion with Shareable Link Support

To get around that, we will leverage the Azure Rest API directly, using PowerShell to enable the Shareable Link feature and create and obtain a shareable link for a Virtual Machine.

Create Azure Bastion

I will assume there is already an Azure Virtual Network created; if not, you can follow the Microsoft documentation to get it up and running!

Also, make sure you have the Az Module installed.

The PowerShell function we will run will require a few parameters to create the Azure Bastion resource and enable Shared Link functionality; these parameters are:

RGNameThe Resource Group of your Virtual Network
VNetNameThe Virtual Network name
addressPrefixThe address prefix for your new Bastion subnet. For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.).
regionThe region, that Azure Bastion is deployed into (this needs to match your Virtual Network)
BastionPubIPNameThe name of the Public IP, used by the Azure Bastion resource (this is the Azure resource name, it doesn't have an external DNS alias, so doesn't need to be globally unique)
BastionResourceNameThe name of your Azure Bastion resource
  1. Copy the script below into a file named: New-AzBastionSharedLinkEnabled.ps1

    function New-AzBastionSharedLinkEnabled {
    Creates an Azure Bastion resource with shared link enabled, on an already existing Azure Virtual Network.
    [Parameter(Mandatory = $false, Position = 0)]
    $RGName = "BastionTest",

    [Parameter(Mandatory = $false, Position = 1)]
    $VNetName = 'vnet-aue-dev',

    [Parameter(Mandatory = $false, Position = 2)]
    $addressPrefix = '',

    [Parameter(Mandatory = $false, Position = 3)]
    $region = 'AustraliaEast',

    [Parameter(Mandatory = $false, Position = 4)]
    $BastionPubIPName = 'VNet1-ip',

    [Parameter(Mandatory = $false, Position = 5)]
    $BastionResourceName = "$VNetName-bastion"

    # Set variable values for Resource Group name, Virtual Network name, address prefix, region, and bastion-related resources.

    # Connect to Azure using Get-AzAccount cmdlet.

    # Use Get-AzSubscription cmdlet to get all the subscriptions that the account has access to and allow the user to choose one using Out-GridView.
    Get-AzSubscription | Out-GridView -PassThru | Select-AzSubscription
    $token = (Get-AzAccessToken).Token
    $subscription = Get-AzContext | Select-Object Subscription

    # Use Get-AzVirtualNetwork cmdlet to get the virtual network object and then use Add-AzVirtualNetworkSubnetConfig cmdlet to create a new subnet for Azure Bastion service. Finally, use Set-AzVirtualNetwork cmdlet to update the virtual network configuration.
    $VNET = Get-AzVirtualNetwork -ResourceGroupName $RGName -Name $VNetName
    Add-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNET -Name "AzureBastionSubnet" -AddressPrefix $addressPrefix | Set-AzVirtualNetwork
    $VNET = Get-AzVirtualNetwork -ResourceGroupName $RGName -Name $VNetName

    # Note: If there is an error message, it could indicate that the address prefix for the new subnet overlaps with existing address ranges or is too small.

    # Use New-AzPublicIpAddress cmdlet to create a new public IP address resource for the Bastion service.
    $publicip = New-AzPublicIpAddress -ResourceGroupName $RGName -name $BastionPubIPName -location $region -AllocationMethod Static -Sku Standard
    $publicip = Get-AzPublicIpAddress -ResourceGroupName $RGName -Name $BastionPubIPName
    # Use New-AzBastion cmdlet to create a new Azure Bastion resource with the specified configuration, including the virtual network and public IP address resources created earlier.
    New-AzBastion -ResourceGroupName $RGName -Name $BastionResourceName -PublicIpAddressRgName $publicip.ResourceGroupName -PublicIpAddressName $publicip.Name -VirtualNetwork $VNET -Sku 'Standard'

    #Enable Shareable links for VMs in Azure Bastion.
    $BastionSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $VNET

    $Body = [PSCustomObject]@{
    location = $region
    properties = @{
    enableShareableLink = "true"
    ipConfigurations = @(
    name = "bastionHostIpConfiguration"
    properties = @{
    subnet = @{
    id = $
    publicIPAddress = @{
    id = $publicip.Id

    } | ConvertTo-Json -Depth 6

    $params = @{
    Uri = "" + $subscription.Subscription.Id +
    Headers = @{ 'Authorization' = "Bearer $token" }
    Method = 'Put'
    Body = $body
    ContentType = 'application/json'

    # Invoke the REST API and store the response
    Invoke-RestMethod @Params
  2. Open a Terminal or PowerShell prompt, and navigate to the folder containing the script.

  3. Dot source the script so that you can run it from the session: . .\New-AzBastionSharedLinkEnabled.ps1

  4. . .\New-AzBastionSharedLinkEnabled.ps1

  5. Once it's imported - we can now run it; make sure you replace your parameters that match your environment:

    New-AzBastionSharedLinkEnabled -RGName BastionTest -VNetName vnet-aue-dev -addressPrefix -region AustraliaEast -BastionPubIPName VNet1-ip -BastionResourceName net-aue-dev-bastion
  6. The script will then prompt for your credentials to authenticate

  7. You will then need to select the Azure subscription containing your Azure Virtual Network, then select Ok

  8. Select Azure subscription

  9. The script will then go and provision Azure Bastion and enable Shared Links. It will take a few minutes to run while it provisions Bastion. Then you will get JSON output, indicating it has been completed.

  10. Windows PowerShell - New Azure Bastion

  11. Azure Bastion - Shareable Link

Now that we have an Azure Bastion instance and have Shareable Links enabled - it's time to create a Shareable Link for a Virtual Machine; this triggers 2 API endpoints - creating the shareable link and then retrieving the shareable link.

The same assumptions are made, so make sure you have the Az Module installed.

The script relies on the following parameters:

BastionResourceNameThe name of your Azure Bastion resource
RGNameThe Resource Group of your Bastion resource
VMRGNameThe Resource Group of your Virtual Machine, you want a Shareable Link for
VmnameThe name of the Virtual Machine you want a shareable link for
  1. Copy the script below into a file named: New-AzBastionShareableLink.ps1

    function New-AzBastionShareableLink {
    Creates an Azure Bastion shareable link.
    [Parameter(Mandatory = $false, Position = 0)]
    $BastionResourceName = 'vnet-aue-dev-bastion',

    [Parameter(Mandatory = $false, Position = 1)]
    $RGName = "BastionTest",

    [Parameter(Mandatory = $false, Position = 1)]
    $VMRGName = "BastionTest",

    [Parameter(Mandatory = $false, Position = 2)]
    $VMname = "2022ServerVM-2"

    # Connect to Azure using Get-AzAccount

    # Get all subscriptions that the account has access to
    Get-AzSubscription | Out-GridView -PassThru | Select-AzSubscription

    $subscription = Get-AzContext | Select-Object Subscription
    # Get the access token for the authenticated user
    $token = (Get-AzAccessToken).Token

    $ID = Get-AzVM -ResourceGroupName $VMRGName -Name $VMName | Select-Object Id -ExpandProperty id

    $body = @{

    vms = @(
    vm = @{
    id = $ID.Id

    } | ConvertTo-Json -Depth 3

    #creates the shareable link for the VM
    $params = @{
    Uri = "" + $subscription.Subscription.Id +
    Headers = @{ 'Authorization' = "Bearer $token" }
    Method = 'POST'
    Body = $body
    ContentType = 'application/json'

    # Invoke the REST API and store the response
    Invoke-RestMethod @Params

    #Gets the shareable link for the VM

    $params = @{
    Uri = "" + $subscription.Subscription.Id +
    Headers = @{ 'Authorization' = "Bearer $token" }
    Method = 'POST'
    # Body = $body
    ContentType = 'application/json'

    # Invoke the REST API and store the response
    $ShareableLink = Invoke-RestMethod @Params
    Write-Output $ShareableLink.value.bsl
  2. Open a Terminal or PowerShell prompt, and navigate to the folder containing the script.

  3. Dot source the script so that you can run it from the session: . .\New-AzBastionShareableLink.ps1

  4. s

  5. Once it's imported - we can now run it; make sure you replace your parameters that match your environment:

    New-AzBastionShareableLink -BastionResourceName net-aue-dev-bastion -RGName BastionTest -VMRGName BastionTest -VMname 2022ServerVM-2
  6. Azure Bastion - Create Shared Link

  7. The script will then prompt for your credentials to authenticate

  8. You will then need to select the Azure subscription containing your Azure Virtual Network, then select Ok

  9. Select Azure subscription

  10. The script will then go and collect the ID of the Virtual Machine, pass that through to the Create a Shareable Link, then wait 10 seconds for the Bastion Resource to update properly, then collect the Shareable Link and output it to the terminal.

  11. Azure Bastion - Shared Link

  12. You can also see the link created in the Azure Portal

  13. Microsoft Azure Portal - Shareable Link

  14. I can then copy the URL into my favourite browser and connect to your Virtual Machine securely!

  15. Microsoft Azure Bastion - Connect

The scripts can also be found directly on GitHub here:

Azure Budget Filters: A Key Tool for Effective Cloud Cost Management

· 12 min read

Azure Budgets are a vital tool that can be used to keep on top of your Cloud financial management (FinOps) Microsoft Azure platform potential and actual costs.

The most effective Azure Budgets - are the ones that you use!

 Azure Budgets

In the realm of Cost Management, budgets play a pivotal role in facilitating the planning and implementation of organizational accountability. These tools enable proactive communication regarding expenses and support the management of costs by closely monitoring spending trends over extended periods.

One can set up alerts based on current or projected expenditures to maintain adherence to the established organizational spending limit. Upon surpassing the budget thresholds, notifications are promptly triggered. Such occurrences neither impact any of the available resources nor interrupt any consumption processes.

By leveraging budgets, it becomes possible to perform detailed cost analysis and track expenses effectively.

Azure Back to School - Azure Budget Filters

Be aware of the delay with the Cost & Usage data, as there may be a difference between what you end up seeing in the Portal and the Budget itself - so make sure you account for this to be advised as early as possible:

Cost and usage data is typically available within 8-24 hours and budgets are evaluated against these costs every 24 hours.

Be sure to get familiar with Cost and usage data update specifics. When a budget threshold is met, email notifications are normally sent within an hour of the evaluation.

Note: Azure Budgets are not supported on Subscriptions, where you can't access Microsoft Cost Management, i.e. Azure Sponsorship subscriptions.

A time to clean the windows - Budget Scopes

When creating an Azure Budget, you can specify a Scope. A scope is the level of your hierarchy (i.e., if it's a Resource Group Budget, it cannot report on resources at the Subscription, you would have to create a Subscription or Management Group scoped Budget).

When you create an Azure Budget, they can be made at the following Scopes:

Microsoft Azure Budget Scopes

Most people, when creating scopes, will create a Scope at the Subscription and/or Resource Group level - there is no right or wrong answer when it comes to your Azure Budget Scope - this needs to work for you and your organisation, ie if you have a Project per Resource Group - then it would make sense to create a Budget per Resource Group, the same for Subscriptions.

You can also have multiple Azure Budgets at the same or different scopes, so a combination of Budgets may be the most effective. An example could be a Subscription Budget that may go to a Product Owner, but a Management Group could go to Finance or the Technology teams.

Keep in mind, that Budgets on their own are just a forecasting and alerting tool, they won't stop resources from running, if it goes over an alert threshold, out of the box - the Budget doesn't touch your resources, merely gives you an opportunity to proactively react to them, before costs become a problem.

Time to scrum the floor - Create an Azure Budget

Let's go through the process of creating an Azure Budget, using the Azure Portal.

  1. Log in to the Microsoft Azure Portal
  2. In the Search bar above, search for Budgets
  3. Click on Budgets
  4. Change the Scope
  5. Cost Management - Azure Budget
  6. You can select a Management Group, Subscription, or Resource Group for the Scope, by clicking on each - in my example, I have a Management Group named: mg-landingzones, which I am going to select.
  7. Click Select
  8. Now that the Scope has been set, we can add our Budget to the specified Scope, click + Add
  9. We will come back to Filters, in another section - but for the Budget details you will need:
    • Name this is the name of your Budget, make sure its something meaningful (ie Monthly-Budget_MG-LandingZones)
    • Reset period (Monthly/Quarterly or Annual, this is the period that the Budget resets back to $0 - you can't go wrong with Monthly)
    • Creation date (the date that the Budget will start)
    • Expiration date (the date that the Budget will stop)
  10. Budget Amount(this is the overall; amount that you are planning on your resources to spend)
  11. Azure Portal - Create budget
  12. Once you have entered in your Budget details, click Next to configure your Alert conditions. The alert conditions are where you can specify, what you want to alert on ie 50% or 80% of the overall budget amount. Actual - is when it financially reaches that point and Forecasted - is when current consumption is forecasted to reach that budget.
  13. Specify an email address to send the Alert to and click Create.
  14. Azure Budget Conditions

Time to clean the dishes - Azure Budget Filters

By default, Scoping the Budget to the Subscription or Resource Group is good enough for 95% of the use cases - but using Budget filters, you can enable a bit more flexibility - for scenarios such as:

  • Product-centric alerts
  • Service centric alerts

While the scope is your level of the Azure hierarchy, your filter is your handrail to stop you from falling, currently, Microsoft offers the following filters:

PropertyWhen to useNotes
Availability zonesBreak down AWS costs by availability zone.Applicable only to AWS scopes and management groups. Azure data doesn't include availability zone and will show as No availability zone.
Billing periodBreak down PAYG costs by the month that they were, or will be, invoiced.Use Billing period to get a precise representation of invoiced PAYG charges. Include two extra days before and after the billing period if filtering down to a custom date range. Limiting to the exact billing period dates won't match the invoice. Will show costs from all invoices in the billing period. Use Invoice ID to filter down to a specific invoice. Applicable only to PAYG subscriptions because EA and MCA are billed by calendar months. EA/MCA accounts can use calendar months in the date picker or monthly granularity to accomplish the same goal.
BillingProfileIdThe ID of the billing profile that is billed for the subscription's charges.Unique identifier of the EA enrollment, pay-as-you-go subscription, MCA billing profile, or AWS consolidated account.
BillingProfileNameName of the EA enrollment, pay-as-you-go subscription, MCA billing profile, or AWS consolidated account.Name of the EA enrollment, pay-as-you-go subscription, MCA billing profile, or AWS consolidated account.
Charge typeBreak down usage, purchase, refund, and unused reservation and savings plan costs.Reservation purchases, savings plan purchases, and refunds are available only when using actual costs and not when using amortized costs. Unused reservation and savings plan costs are available only when looking at amortized costs.
DepartmentBreak down costs by EA department.Available only for EA and management groups. PAYG subscriptions don't have a department and will show as No department or unassigned.
Enrollment accountBreak down costs by EA account owner.Available only for EA billing accounts, departments, and management groups. PAYG subscriptions don't have EA enrollment accounts and will show as No enrollment account or unassigned.
FrequencyBreak down usage-based, one-time, and recurring costs.Indicates whether a charge is expected to repeat. Charges can either happen once OneTime, repeat on a monthly or yearly basis Recurring, or be based on usage UsageBased.
Invoice IDBreak down costs by billed invoice.Unbilled charges don't have an invoice ID yet and EA costs don't include invoice details and will show as No invoice ID.
InvoiceSectionIdUnique identifier for the MCA invoice section.Unique identifier for the EA department or MCA invoice section.
InvoiceSectionNameName of the invoice section.Name of the EA department or MCA invoice section.
LocationBreak down costs by resource location or region.Purchases and Marketplace usage may be shown as unassigned, or No resource location.
MeterBreak down costs by usage meter.Purchases and Marketplace usage will show as unassigned or No meter. Refer to Charge type to identify purchases and Publisher type to identify Marketplace charges.
OperationBreak down AWS costs by operation.Applicable only to AWS scopes and management groups. Azure data doesn't include operation and will show as No operation - use Meter instead.
Pricing modelBreak down costs by on-demand, reservation, or spot usage.Purchases show as OnDemand. If you see Not applicable, group by Reservation to determine whether the usage is reservation or on-demand usage and Charge type to identify purchases.
PartNumberThe identifier used to get specific meter pricing.
ProductName of the product.
ProductOrderIdUnique identifier for the product order
ProductOrderNameUnique name for the product order.
ProviderBreak down costs by the provider type: Azure, Microsoft 365, Dynamics 365, AWS, and so on.Identifier for product and line of business.
Publisher typeBreak down Microsoft, Azure, AWS, and Marketplace costs.Values are Microsoft for MCA accounts and Azure for EA and pay-as-you-go accounts.
ReservationBreak down costs by reservation.Any usage or purchases that aren't associated with a reservation will show as No reservation or No values. Group by Publisher type to identify other Azure, AWS, or Marketplace purchases.
ReservationIdUnique identifier for the purchased reservation instance.In actual costs, use ReservationID to know which reservation the charge is for.
ReservationNameName of the purchased reservation instance.In actual costs, use ReservationName to know which reservation the charge is for.
ResourceBreak down costs by resource.Marketplace purchases show as Other Marketplace purchases and Azure purchases, like Reservations and Support charges, show as Other Azure purchases. Group by or filter on Publisher type to identify other Azure, AWS, or Marketplace purchases.
Resource groupBreak down costs by resource group.Purchases, tenant resources not associated with subscriptions, subscription resources not deployed to a resource group, and classic resources don't have a resource group and will show as Other Marketplace purchases, Other Azure purchases, Other tenant resources, Other subscription resources, $system, or Other charges.
ResourceIdUnique identifier of the Azure Resource Manager resource.
Resource typeBreak down costs by resource type.Type of resource instance. Not all charges come from deployed resources. Charges that don't have a resource type will be shown as null or empty, Others, or Not applicable. For example, purchases and classic services will show as others, classic services, or No resource type.
ServiceFamilyType of Azure service. For example, Compute, Analytics, and Security.
ServiceNameName of the Azure service.Name of the classification category for the meter. For example, Cloud services and Networking.
Service name or Meter categoryBreak down cost by Azure service.Purchases and Marketplace usage will show as No service name or unassigned.
Service tier or Meter subcategoryBreak down cost by Azure usage meter subclassification.Purchases and Marketplace usage will be empty or show as unassigned.
SubscriptionBreak down costs by Azure subscription and AWS linked account.Purchases and tenant resources may show as No subscription.
TagBreak down costs by tag values for a specific tag key.Purchases, tenant resources not associated with subscriptions, subscription resources not deployed to a resource group, and classic resources cannot be tagged and will show as Tags not supported. Services that don't include tags in usage data will show as Tags not available. Any remaining cases where tags aren't specified on a resource will show as Untagged. Learn more about tags support for each resource type.
UnitOfMeasureThe billing unit of measure for the service. For example, compute services are billed per hour.

One or a combination of these filters can be used to create your own meaningful Budgets! You can target specific resources, an example is if you have resources in a Shared Resource Group - for example, Networking, and you have a VPN Gateway, that is used for a Site to Site VPN, for a specific application, that is sitting in another resource group or subscription - you can add the Resource directly into the filter of your Budget for the Azure Gateway, and then include a Tag - that may reference the rest of the application dependencies.

Budgets can be created with all sorts of various tools, from the Azure Portal to:

Relaxing beverage time - Tips & Tricks

Finished the day of cleaning! Now is the time to sit back and enjoy your favourite beverages, and read the labels on the bottles!

  • You can use the Azure Mobile Application to display your Cost and Budgets so keep on top of your consumption on the go!
  • The Microsoft Cost Management team are working on new features all the time, including improvements to Cost Management and Budgets! If you like living on the edge - be sure to check out the Preview portal (and add your feedback)!
  • You can use an Action Group, to trigger a Webhook or Azure Automation runbook - to resize or stop resources. Action Groups are currently only supported for subscription and resource group scopes, so you may need to have one Budget for Monitoring at a higher level and one Budget for running automation at a lower level.

Azure for Students

· 3 min read

Students learn in different ways through many possible avenues and experiences. Microsoft has assets to help students navigate through their journey.

This article aims to help to make access to student resources clearer.

Skilling Journey

MS Student Developer - Skilling Journey

There are 3 phases:

  • Discover
  • Engage
  • Grow

Each phase offers various ways of engage, learn and discover Microsoft Azure services and functionality.

Some of the resources for each phase can be found below:

Microsoft Learn Student HubAzure for StudentsImagine Cup
Microsoft ReactorHackathonsEvents: Student Summit
Microsoft Build
Curriculum on GitHubDev Tools for Teaching
Independent Learner

If you are an independent learner, the resources below can supplement your desire to learn:

  • Learn by Doing: Students can gain the skills to
    apply to everyday situations through hands-on
    personalized training at their own pace or with our
    global network of learning partner
  • Showcase Skills: Help advance their career by
    completing challenges that demonstrate expertise.
    Earn globally recognized and industry-endorsed
    certifications and showcase them to their network.
  • Code Samples: Test out new capabilities in their
    own projects faster and easier with code samples
    that bring Microsoft technology to life.

Build in the cloud-free with Azure for Students ($100 Azure Credit, No credit card required)

Use your university or school email to sign up and renew each year you're a student. Your school or university doesn't need to be enrolled in a program - your university and school email address is used to validate your student status.

Group Learner

If you are a group learner, alongside the same content as the indepedant learning path, check out the Microsoft Student Ambassador program to meet likeminded people, and don't forget to check out for your local Azure meetups!

Education Hub

Located in the Azure Portal, the Education Hub enables easy access to Azure offers and other academic benefits Microsoft provides.

Using the Education Hub, Students can:

  • Download free software provided by their Academic Institution
  • Sign up for academic-specific Azure offers
  • Launch self-guided role-based learning pathways
  • Deploy academic-focused ARM templates

Microsoft Azure Education Hub


A bit of a misleading heading! But there is no need to repeat FAQS that have already been answered by Microsoft or community members; the trick is finding where to go!

Most Student FAQs (Frequently Asked Questions) can be answered on the following page:

Frequently asked questions about the Education Hub, but there may be other questions that don't fit in; if that's the case - make sure you check Microsoft Q&A - as most likely, what you need has been answered by Microsoft or a community member.

Make sure you also check out my post on How can I learn how to use Microsoft Azure? and AWESOME-Azure-Architecture list.

Azure Availability Zone Peering

· 8 min read

In most regions (and odds are, if your area doesn't have Avalibility Zones, it's on the roadmap to be set up), Microsoft Azure has Availability Zones.

Each Azure region features data centres deployed within a latency-defined perimeter. At a high level, these zones consist of 3 separate data centres with independent cooling, power, switching etc.

Azure availability zones

Azure availability zones are connected by a high-performance network with a round-trip latency of less than 2ms. They help your data stay synchronized and accessible when things go wrong. Each zone is composed of one or more datacenters equipped with independent power, cooling, and networking infrastructure. Availability zones are designed so that if one zone is affected, regional services, capacity, and high availability are supported by the remaining two zones.

With availability zones, you can design and operate applications and databases that automatically transition between zones without interruption. Azure availability zones are highly available, fault tolerant, and more scalable than traditional single or multiple datacenter infrastructures.

Availability Zone peering

Today we are going to look into Availability Zone peering:

Each data centre is assigned to a physical zone. Physical zones are mapped to logical zones in your Azure subscription. Azure subscriptions are automatically assigned this mapping when a subscription is created.

Physical Zones vs Logical Zones

There are a few things to be aware of here that I will call out:

  • Physical zones are mapped to logical zones in your Azure subscription.
  • Azure subscriptions are automatically assigned this mapping when a subscription is created.

So what does this mean?

We know we have three separate data centres within a single region:

1Australia East
2Australia East
3Australia East

We can see these zones in the Azure Portal when we create resources:

Azure Avalibility Zone - Selection

This is great for making your solutions redundant against a single data centre failure and spreading your workloads across different zones; services such as Virtual Networks are zone-redundant by default, allowing access to resources across multiple zones out of the box.

One reason you may have all your resources in a single zone could be latency.

Lets us go back to the paragraphs around physical and logical zones and mapping - what does this mean?

What this means is that each of the three data centres is assigned a physical AND logical mapping, so your Azure datacentres look like this:

Zone (Physical)RegionZone (Logical)
1Australia East3
2Australia East2
3Australia East1

When you deploy a resource into an Azure Avalibility Zone and select Zone 1, you choose the Logical Zone, NOT a physical zone.

This means that FOR EACH Microsoft Azure subscription, whether in the same Microsoft Entra ID tenancy or not, Zone 1 can be a different physical data centre.

So if you have resources deployed across multiple subscriptions, and all your resources are deployed to Zone 1 - they MAY NOT be in the same physical data centre.

Azure SubscriptionsRegionZone (Logical)Zone (Physical)
Sub AAustralia East11
Sub BAustralia East13
Sub BAustralia East11

In an example like the above, you have three separate Azure subscriptions, and you have deployed your Virtual Machines and other resources across all Azure subscriptions into Zone 1, 2 of your subscriptions are using the same physical zone for zone 1, and another subscription is using a separate availability zone altogether.


One of the reasons the logical and physical zones are different is due to capacity management; out of habit, many people select Zone 1 - this would mean that certain zones become overpopulated while others are underutilized. The logical zones allow Microsoft some ability to spread the load.

It's worth noting that mapping the Logical to Physical Zones of the Avalibility Zones within your region is done when the subscription is created.

Checking your Zone Peers using PowerShell and the Azure API

During normal business use - you don't need to know any of this; select a zone and deploy; if you have resources across subscriptions and run into additional latency - this may be why, although each availability zone is connected through a dedicated regional low-latency network with a round-trip latency of less than 2ms.

But suppose you are curious or want to delve deeper into your Disaster Recovery and resiliency architecture within a single region. In that case, it can be helpful to know the mapping.

This information isn't fed into the Azure Portal. To find the mapping, we need to query the Azure API directly using the Check Zone Peers endpoint.

To do this, I have written a rough PowerShell script that will register the AvailabilityZonePeering Azure feature that you need to enable the lookup and query the API for the mappings.

# Connect to Azure using Get-AzAccount

# Set the region to 'Australia East'
$region = 'Australia East'

# Get all subscriptions that the account has access to
$subscriptions = Get-AzSubscription | Select-Object -ExpandProperty SubscriptionId

# Get the access token for the authenticated user
$token = (Get-AzAccessToken).Token

# Check if AvailabilityZonePeering feature is enabled and enable it if it's not
$azFeature = Get-AzProviderFeature -ProviderNamespace Microsoft.Resources -FeatureName AvailabilityZonePeering
if (!$azFeature.RegistrationState.Equals("Registered")) {
do {
Register-AzProviderFeature -FeatureName AvailabilityZonePeering -ProviderNamespace Microsoft.Resources
Start-Sleep -Seconds 5
$azFeature = Get-AzProviderFeature -ProviderNamespace Microsoft.Resources -FeatureName AvailabilityZonePeering
} until ($azFeature.RegistrationState.Equals("Registered"))
Write-Host "The AvailabilityZonePeering feature has been enabled."
} else {
Write-Host "The AvailabilityZonePeering feature is already enabled."

# Define the request body for the REST API call
$body = @{
subscriptionIds= $subscriptions | ForEach-Object { 'subscriptions/' + $_ }
location = $region
} | ConvertTo-Json

# Define the request parameters for the REST API call
$params = @{
Uri = "" + $subscriptions[0] +
Headers = @{ 'Authorization' = "Bearer $token" }
Method = 'POST'
Body = $body
ContentType = 'application/json'

# Invoke the REST API and store the response
$availabilityZonePeers = Invoke-RestMethod @Params

# Initialize an empty array for the output
$output = @()

# Loop through each availability zone and its associated peers and add them to the output array
foreach ($i in $availabilityZonePeers.availabilityZonePeers.availabilityZone) {
foreach ($zone in $availabilityZonePeers.availabilityZonePeers[$i-1].peers ) {
$output += New-Object PSObject -Property @{
Zone = $i
MatchesZone = $zone.availabilityZone
SubscriptionId = $zone.subscriptionId
$output += ""

# Output the results
$output | Format-Table

Once we have connected to Microsoft Azure and run the script, we will get an output like the one below, which I ran across my own three subscriptions:


On the right-hand side, we see the 'Zones' - these are the Physical Zones, so Zone 1 to 3.

For each subscription, we can see the Logical Zone mapping as well.

In this example, my subscription of '3bdfd67e-6280-43af-8121-4f04dc84706c', if I were to deploy to Zone 2 in my Azure Portal, would deploy to the same physical datacenter as Zone 1 of: '8df7caa2-95cb-44d1-9ecb-e5220ec6a825'.

As you can also see, my Zone 3 matches the same Zone 3 logically and physically for all my subscriptions, but there are differences between Zone 2 and 1.

Again, during normal business as usual, you don't need to know this - but it's always good to know how this works. If you want confirmation of the resiliency of your architecture across Availability Zones, this is a great way to confirm whether your resources are physically located together - or not.