Azure
Deploy, monitor, and manage Azure services with battle-tested patterns.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install openclaw-skills-azure
Repository
Skill path: skills/ivangdavila/azure
Best for
Primary workflow: Run DevOps.
Technical facets: Full Stack, DevOps, Testing.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: openclaw.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install Azure into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/openclaw/skills before adding Azure to shared team environments
- Use Azure for development workflows
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: Azure
description: Deploy, monitor, and manage Azure services with battle-tested patterns.
metadata: {"clawdbot":{"emoji":"π·","requires":{"anyBins":["az"]},"os":["linux","darwin","win32"]}}
---
# Azure Production Rules
## Cost Traps
- Stopped VMs still pay for attached disks and public IPs — deallocate fully with `az vm deallocate` not just stop from portal
- Premium SSD default on VM creation — switch to Standard SSD for dev/test, saves 50%+
- Log Analytics workspace retention defaults to 30 days free, then charges per GB — set data retention policy and daily cap before production
- Bandwidth between regions is charged both ways — keep paired resources in same region, use Private Link for cross-region when needed
- Cosmos DB charges for provisioned RU/s even when idle — use serverless for bursty workloads or autoscale with minimum RU setting
## Security Rules
- Resource Groups don't provide network isolation — NSGs and Private Endpoints do. RG is for management, not security boundary
- Managed Identity eliminates secrets for Azure-to-Azure auth — use System Assigned for single-resource, User Assigned for shared identity
- Key Vault soft-delete enabled by default (90 days) — can't reuse vault name until purged, plan naming accordingly
- Azure AD conditional access policies don't apply to service principals — use App Registrations with certificate auth, not client secrets
- Private Endpoints don't automatically update DNS — configure Private DNS Zone and link to VNet or resolution fails
## Networking
- NSG rules evaluate by priority (lowest number first) — default rules at 65000+ always lose to custom rules
- Application Gateway v2 requires dedicated subnet — at least /24 recommended for autoscaling
- Azure Firewall premium SKU required for TLS inspection and IDPS — standard can't inspect encrypted traffic
- VNet peering is non-transitive — hub-and-spoke requires routes in each spoke, or use Azure Virtual WAN
- Service Endpoints expose entire service to VNet — Private Endpoints give private IP for specific resource instance
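
The NSG priority rule above, worked through as an added example (not part of the original skill): it replays first-match evaluation over a constructed NSG in the flattened JSON shape `az network nsg show -o json` produces. Rule names and addresses are made up, service tags are resolved from a caller-supplied set, and only the singular source-prefix and destination-port fields are modelled.

```python
import ipaddress

def rule(name, priority, access, src, ports, protocol="Tcp"):
    # One inbound rule, using the field names found in `az network nsg show` output.
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": src, "destinationPortRange": ports}

# Constructed sample NSG; custom rules are deliberately listed out of priority order.
NSG = {
    "securityRules": [
        rule("deny-ssh-from-internet", 200, "Deny", "Internet", "22"),
        rule("allow-any-ssh", 100, "Allow", "*", "22"),
        rule("allow-app-from-office", 300, "Allow", "203.0.113.0/24", "8000-8100"),
    ],
    "defaultSecurityRules": [  # the platform's built-in inbound defaults
        rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", "*"),
        rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
        rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
    ],
}

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")          # "22" or "8000-8100"
    return int(lo) <= port <= int(hi or lo)

def source_matches(prefix, src_ip, src_tags):
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:                        # not a CIDR, so treat it as a service tag
        return prefix in src_tags             # assumption: caller says which tags apply

def matching_rules(nsg, src_ip, port, protocol="Tcp", src_tags=()):
    """All inbound rules that match the flow, lowest priority number first."""
    rules = nsg["securityRules"] + nsg["defaultSecurityRules"]
    return [r for r in sorted(rules, key=lambda r: r["priority"])
            if r["direction"] == "Inbound"
            and r["protocol"].lower() in ("*", protocol.lower())
            and source_matches(r["sourceAddressPrefix"], src_ip, src_tags)
            and port_matches(r["destinationPortRange"], port)]

def deciding_rule(nsg, src_ip, port, protocol="Tcp", src_tags=()):
    """First match wins; every later match is shadowed and never evaluated."""
    hits = matching_rules(nsg, src_ip, port, protocol, src_tags)
    return hits[0] if hits else None
```

Any `Deny` that appears after the first entry returned by `matching_rules` is shadowed for that flow, which is the misconfiguration to look for when reviewing a rule set.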
## Performance
- Azure Functions consumption plan has cold start — Premium plan with minimum instances for latency-sensitive
- Cosmos DB partition key choice is permanent and determines scale — can't change without recreating container
- App Service plan density: P1v3 handles ~10 slots, more causes resource contention — monitor CPU/memory per slot
- Azure Cache for Redis Standard tier has no SLA for replication — use Premium for persistence and clustering
- Blob storage hot tier for frequent access — cool has 30-day minimum, archive has 180-day and hours-long rehydration
## Monitoring
- Application Insights sampling kicks in at high volume — telemetry may miss intermittent errors, adjust `MaxTelemetryItemsPerSecond`
- Azure Monitor alert rules charge per metric tracked — consolidate metrics in Log Analytics for complex alerts
- Activity Log only shows control plane operations — diagnostic settings required for data plane (blob access, SQL queries)
- Alert action groups have rate limits — 1 SMS per 5 min, 1 voice call per 5 min, 100 emails per hour per group
- Log Analytics query timeout is 10 minutes — optimize queries with time filters first, then other predicates
## Infrastructure as Code
- ARM templates fail silently on some property changes — use `what-if` deployment mode to preview changes
- Terraform azurerm provider state contains secrets in plaintext — use remote backend with encryption (Azure Storage + customer key)
- Bicep is ARM's replacement — transpiles to ARM, better tooling, use for new projects
- Resource locks prevent accidental deletion but block some operations — CanNotDelete lock still allows modifications
- Azure Policy evaluates on resource creation and updates — existing non-compliant resources need remediation task
## Identity and Access
- RBAC role assignments take up to 30 minutes to propagate — pipeline may fail immediately after assignment
- Owner role can't manage role assignments if PIM requires approval — use separate User Access Administrator
- Service principal secret expiration defaults to 1 year — set calendar reminder or use certificate with longer validity
- Azure AD B2C is separate from Azure AD — different tenant, different APIs, different pricing
---
## Skill Companion Files
> Additional files collected from the skill directory layout.
### _meta.json
```json
{
  "owner": "ivangdavila",
  "slug": "azure",
  "displayName": "Azure",
  "latest": {
    "version": "1.0.0",
    "publishedAt": 1770685222502,
    "commit": "https://github.com/openclaw/skills/commit/590a12286a0369bd54a184b793d7ee3e706375dd"
  },
  "history": []
}
```