Cloud CLI15 min

Azure CLI (az) — Comprehensive Reference Cheat Sheet

Cross-domain Azure CLI reference — auth, resource groups, VMs, storage, networking, App Service, containers, RBAC, and scripting patterns in one place.

Auth & Subscriptions

az login                                          # Interactive browser login
az login --use-device-code                        # Device code (no browser)
az account list --output table                    # List subscriptions
az account set --subscription "<sub-id>"          # Switch subscription
az account show --query "[id,name,user.name]"     # Current subscription
az logout

Resource Groups

az group create --name myRG --location eastus
az group list --output table
az group show --name myRG
az group delete --name myRG --yes --no-wait
az resource list --resource-group myRG --output table

Virtual Machines

# Create VM
az vm create -g myRG -n myVM --image Ubuntu2204 \
  --size Standard_B2s --generate-ssh-keys

# VM lifecycle
az vm start   -g myRG -n myVM
az vm stop    -g myRG -n myVM               # billing continues
az vm deallocate -g myRG -n myVM           # stops billing
az vm restart -g myRG -n myVM
az vm delete  -g myRG -n myVM --yes

# Query
az vm list -g myRG --output table
az vm get-instance-view -g myRG -n myVM \
  --query "instanceView.statuses[1].displayStatus" -o tsv

# Open port
az vm open-port -g myRG -n myVM --port 80

# IP address
az vm list-ip-addresses -g myRG -n myVM -o table

Storage

# Account
az storage account create -n mystorageacct -g myRG \
  --sku Standard_LRS --kind StorageV2 --location eastus
az storage account list -g myRG -o table
az storage account keys list -n mystorageacct -g myRG
CONN=$(az storage account show-connection-string -n mystorageacct -g myRG -o tsv)

# Blob containers
az storage container create -n mycontainer --account-name mystorageacct
az storage blob upload   --account-name mystorageacct -c mycontainer -n file.txt --file ./file.txt
az storage blob download --account-name mystorageacct -c mycontainer -n file.txt --file ./out.txt
az storage blob list     --account-name mystorageacct -c mycontainer -o table

# SAS token (1-day read for a blob)
az storage blob generate-sas --account-name mystorageacct -c mycontainer \
  -n file.txt --permissions r --expiry $(date -u -d "+1 day" '+%Y-%m-%dT%H:%MZ') -o tsv

Networking

# VNet / subnet
az network vnet create -g myRG -n myVNet --address-prefix 10.0.0.0/16
az network vnet subnet create -g myRG --vnet-name myVNet -n mySubnet --address-prefix 10.0.1.0/24

# NSG
az network nsg create -g myRG -n myNSG
az network nsg rule create -g myRG --nsg-name myNSG -n AllowHTTP \
  --priority 100 --direction Inbound --access Allow --protocol Tcp --destination-port-ranges 80 443

# Public IP
az network public-ip create -g myRG -n myIP --sku Standard --allocation-method Static

# DNS zone
az network dns zone create -g myRG -n example.com
az network dns record-set a add-record -g myRG -z example.com -n www --ipv4-address 1.2.3.4

App Service

az appservice plan create -g myRG -n myPlan --sku B2 --is-linux
az webapp create -g myRG --plan myPlan -n myapp-unique --runtime "NODE:18-lts"
az webapp config appsettings set -g myRG -n myapp-unique --settings KEY=value
az webapp deployment source config-zip -g myRG -n myapp-unique --src app.zip
az webapp log tail -g myRG -n myapp-unique
az webapp deployment slot create -g myRG -n myapp-unique --slot staging
az webapp deployment slot swap -g myRG -n myapp-unique --slot staging

Container Services (ACR / ACI)

# ACR
az acr create -g myRG -n myregistry --sku Basic
az acr build --registry myregistry --image myapp:v1 .
az acr login -n myregistry

# ACI
az container create -g myRG -n mycontainer \
  --image nginx --ports 80 --ip-address Public --dns-name-label myapp-demo
az container logs -g myRG -n mycontainer
az container show -g myRG -n mycontainer -o table
az container delete -g myRG -n mycontainer --yes

RBAC

az role assignment create \
  --assignee user@example.com \
  --role Contributor \
  --resource-group myRG

az role assignment list --resource-group myRG -o table
az role assignment delete --assignee user@example.com --role Contributor -g myRG

az role definition list --output table
az role definition list --custom-role-only --output table

Key Vault

az keyvault create -g myRG -n mykeyvault --location eastus
az keyvault secret set --vault-name mykeyvault -n mySecret --value "supersecret"
az keyvault secret show --vault-name mykeyvault -n mySecret --query value -o tsv
az keyvault secret list --vault-name mykeyvault -o table
az keyvault secret delete --vault-name mykeyvault -n mySecret

Azure Monitor

# Metrics
az monitor metrics list --resource <resource-id> --metric "Percentage CPU" -o table

# Activity log
az monitor activity-log list --resource-group myRG --output table

# Alerts
az monitor alert create -g myRG -n "High CPU" \
  --target <resource-id> \
  --condition "avg Percentage CPU > 80" \
  --action email admin@example.com

Scripting Patterns

# Capture output
VM_ID=$(az vm show -g myRG -n myVM --query id -o tsv)
RG_LOCATION=$(az group show -n myRG --query location -o tsv)

# Loop over resources
az vm list -g myRG --query "[].name" -o tsv | while read name; do
  echo "Stopping $name"
  az vm deallocate -g myRG -n "$name" --no-wait
done

# Conditional (check if resource exists)
az group show -n myRG &>/dev/null \
  && echo "exists" \
  || az group create -n myRG -l eastus

# JMESPath query examples
az vm list --query "[].{Name:name, Size:hardwareProfile.vmSize}" -o table
az resource list --tag env=prod --query "[].name" -o tsv
az vm list -g myRG --query "length(@)" -o tsv    # count

Global Flags Quick Reference

Flag	Purpose
`-o table \| json \| tsv \| yaml`	Output format
`--query "..."`	JMESPath filter
`--no-wait`	Async operation
`--yes / -y`	Skip confirmation
`--debug`	Show HTTP calls
`--subscription`	Override subscription