This chapter covers Azure Cloud Shell, a browser-accessible command-line environment for managing Azure resources. It matters for AZ-900 because understanding Cloud Shell demonstrates knowledge of Azure management tools, which falls under the 'Azure Management and Governance' domain (objective 3.4). This domain is weighted approximately 20-25% on the exam. Cloud Shell is a key tool for administrators and developers, and the exam expects you to know its features, limitations, and use cases.
Jump to a section
Imagine you are a field technician who needs to manage a network of smart buildings across a city. Instead of carrying a heavy laptop with all your tools installed, you walk into any office, sit at a shared computer, and open a web browser. That browser connects to a secure, pre-configured virtual laptop in the cloud that has every tool you need—command-line interfaces, scripting editors, and file storage. You don't install anything; the virtual laptop is always up to date, and your personal files are stored in a network drive that follows you to any computer. When you finish, you close the browser, and the virtual laptop is recycled, but your files and settings persist. This is exactly how Azure Cloud Shell works: it gives you a browser-accessible, authenticated, temporary Linux or PowerShell environment with Azure tools pre-installed, and your home directory is backed by Azure Files so your scripts and configuration survive across sessions. The mechanism is that Cloud Shell spins up a container (a lightweight virtual environment) for each session, connects it to your Azure subscription, and mounts your file share. When you're done, the container is destroyed, but the file share remains.
What is Azure Cloud Shell and Why Does It Exist?
Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides two shell experiences: Bash (with Azure CLI) and PowerShell (with Azure PowerShell). The business problem it solves is the overhead of installing and maintaining local command-line tools. Before Cloud Shell, administrators had to install Azure CLI or Azure PowerShell on their local machines, keep them updated, manage authentication, and deal with cross-platform inconsistencies. Cloud Shell eliminates this by providing a pre-configured environment that is always up to date and accessible from anywhere with an internet connection.
How Cloud Shell Works: Mechanism
When you open Cloud Shell from the Azure portal (or shell.azure.com), Azure does the following behind the scenes:
Authentication: You are already authenticated via the Azure portal. Cloud Shell uses your existing Azure AD token to authorize actions against your subscriptions.
Container Allocation: Azure spins up a container (a lightweight, isolated environment) in one of the region's datacenters. This container runs either a Linux (Bash) or Windows Core (PowerShell) image that has all the Azure management tools pre-installed.
Storage Mount: Cloud Shell requires a storage account and a file share (Azure Files) to persist your home directory. The first time you use Cloud Shell, you are prompted to create or select a storage account and file share. This file share is mounted as $HOME (for Bash) or $env:USERPROFILE (for PowerShell). Any files you save in your home directory (like scripts, SSH keys, or configuration files) persist across sessions.
Session Lifecycle: The container is ephemeral—it exists only for the duration of your session. If you close the Cloud Shell window or are idle for 20 minutes, the container is torn down. However, your home directory (stored in Azure Files) persists. When you start a new session, a new container is created and your home directory is re-mounted.
Tools Included: Cloud Shell includes:
- Azure CLI (for Bash) and Azure PowerShell modules (for PowerShell)
- Git, Python, Node.js, .NET Core, and other common development tools
- Editors like vim, nano, and a built-in code editor (based on Monaco)
- Other utilities like jq, curl, wget, zip, etc.
Key Components and Features
Shell Selection: You can choose between Bash and PowerShell from a dropdown in the Cloud Shell toolbar. You can also switch between them during a session.
File Upload/Download: Cloud Shell supports uploading and downloading files via the toolbar menu (or using curl commands).
Multi-Session Support: You can open multiple Cloud Shell sessions in separate browser tabs or windows. Each session is isolated but shares the same file storage.
Azure Files Backing: The file share is a Standard Azure Files share (LRS or GRS, depending on your storage account configuration). It is subject to standard Azure Files pricing (storage cost plus transactions).
Integrated Editor: Cloud Shell includes a built-in editor that you can launch by typing code . (for the current directory) or code <filename>. This editor is useful for editing scripts or configuration files.
Temporary Storage: A temporary /tmp directory exists within the container but is not persisted. Any data saved outside $HOME is lost when the session ends.
Pricing and Limits
Cloud Shell itself is free to use. You only pay for the underlying storage (Azure Files) and any outbound data transfer. The container resources (CPU, memory) are provided at no charge. However, there are limits: - Idle Timeout: After 20 minutes of inactivity, the session is automatically terminated. - Session Duration: The maximum session duration is 30 minutes (though this is not enforced strictly; idle timeout is the main limit). - Storage Account Requirement: You must have a storage account and file share. The minimum size is 5 GB (free tier) but you can scale up. - Region: Cloud Shell is available in most Azure regions, but the container is allocated in a region close to you (based on the storage account location).
Comparison to On-Premises Equivalent
Before Cloud Shell, administrators would install Azure CLI on their local machines. This required:
Installing the CLI via package managers or installers
Running az login to authenticate
Keeping the CLI updated manually
Dealing with OS-specific issues (e.g., path differences, dependencies)
Cloud Shell eliminates all these steps. It is analogous to having a pre-configured virtual machine that you can access from any browser. However, Cloud Shell is not a full VM—it is a container with limited resources (1 GB RAM, 2 CPUs approximately). For heavy workloads, you would use a dedicated VM or Azure Bastion.
Azure Portal and CLI Touchpoints
Portal: You can open Cloud Shell from the top toolbar of the Azure portal (the >_ icon). It opens as a bottom panel.
Direct URL: You can access Cloud Shell directly at https://shell.azure.com.
Azure CLI Integration: Within Cloud Shell, you can run az commands to manage resources. For example:
az group list --output tablePowerShell Integration: In PowerShell mode, you can run Get-AzResourceGroup | Format-Table.
Scripting: You can write and store scripts in your home directory and execute them. For example, create a script deploy.sh:
#!/bin/bash
az group create --name myResourceGroup --location eastus
az vm create --resource-group myResourceGroup --name myVM --image UbuntuLTS --admin-username azureuser --generate-ssh-keysThen run it with bash deploy.sh.
Concrete Business Scenarios
Scenario 1: Rapid Incident Response: An admin gets an alert that a VM is unresponsive. From their phone or a shared computer, they open the Azure portal, launch Cloud Shell, and run az vm restart --resource-group prod --name web-server-01. They don't need to find their laptop or install tools.
Scenario 2: Onboarding New Developers: A team of developers needs to deploy resources to Azure for testing. Instead of each developer installing Azure CLI and configuring authentication, they are given access to Cloud Shell. They can start scripting immediately, and their scripts are stored in a shared file share.
Scenario 3: Cross-Platform Consistency: An organization has a mix of Windows, macOS, and Linux users. Cloud Shell provides a consistent environment for all users, eliminating "it works on my machine" issues.
Open Azure Cloud Shell
Navigate to the Azure portal (portal.azure.com) and sign in. Click the Cloud Shell icon (a `>_` symbol) in the top toolbar. A new panel opens at the bottom of the page. If it's your first time, you will be prompted to create a storage account and file share. Select your subscription and choose a region for the storage. The creation takes about 30 seconds. Once done, you are presented with a Bash or PowerShell prompt. You can switch between shells using the dropdown in the toolbar.
Select Shell Type (Bash or PowerShell)
In the Cloud Shell toolbar, you will see a dropdown that says 'Bash' or 'PowerShell'. Click it to switch between the two environments. Bash uses Azure CLI (commands start with `az`), while PowerShell uses Azure PowerShell cmdlets (commands start with `Get-Az`, `New-Az`, etc.). The exam expects you to know that both are available. You can also set the default shell in Cloud Shell settings.
Authenticate and Set Subscription
Cloud Shell automatically uses the credentials you used to sign in to the Azure portal. However, if you have multiple subscriptions, you may need to set the active subscription. In Bash, use `az account set --subscription "SubscriptionName"`. In PowerShell, use `Set-AzContext -Subscription "SubscriptionName"`. To list subscriptions, use `az account list --output table` or `Get-AzSubscription`. This step ensures commands target the correct subscription.
Create and Manage Resources
Now you can run commands to create and manage Azure resources. For example, to create a resource group in Bash: `az group create --name MyRG --location eastus`. To create a VM: `az vm create --resource-group MyRG --name MyVM --image UbuntuLTS --admin-username azureuser --generate-ssh-keys`. Cloud Shell will output the results directly. You can also run scripts stored in your home directory.
Persist Files and Close Session
Any files you save in `$HOME` (e.g., `/home/username`) are persisted to the Azure Files share. For example, create a script: `echo 'az group list' > myscript.sh`. This file will be available in future sessions. When you are done, simply close the Cloud Shell panel or navigate away. The container will be torn down after 20 minutes of inactivity. Your home directory remains in the file share.
Scenario 1: Global IT Support Team
A multinational company has a support team spread across different time zones. Team members often need to troubleshoot Azure resources from client sites or home offices. They use Cloud Shell to avoid installing Azure CLI on every machine. The team sets up a shared file share where they store common scripts for restarting VMs, checking resource health, and scaling app services. Because Cloud Shell is browser-based, support staff can access it from any device—even a tablet. The cost is minimal: only the storage account and file share (a few dollars per month). A common mistake is not setting the correct subscription, leading to commands affecting the wrong environment. To mitigate, they include az account set at the start of every script.
Scenario 2: DevOps Pipeline Debugging
A DevOps engineer is developing an Azure DevOps pipeline that uses Azure CLI tasks. When a pipeline fails, the engineer needs to reproduce the exact CLI commands locally. Instead of setting up a local environment, they open Cloud Shell and run the same commands. The persistence of scripts in the home directory allows them to iterate quickly. The engineer also uses the built-in code editor to modify YAML templates. The key benefit is that Cloud Shell mirrors the pipeline's agent environment (Linux agent uses Bash). A pitfall is that Cloud Shell has a 20-minute idle timeout; if the engineer is debugging for a long time, they need to keep the session active or use a script to prevent timeout (e.g., a simple while true; do sleep 600; done).
Scenario 3: Training and Workshops
When conducting Azure training, instructors often need to provide a consistent environment for all students. Instead of having each student install tools, the instructor directs them to Cloud Shell. The instructor can share scripts via a public URL that students download with curl. The file share for each student is private, so their work is isolated. This setup scales to hundreds of students without additional cost. One issue is that Cloud Shell's storage account creation requires contributor permissions on a subscription; students with reader-only access cannot use Cloud Shell. The instructor must ensure each student has at least contributor access to a subscription or a resource group.
Objective 3.4: Describe Azure management tools – This objective includes Cloud Shell, Azure CLI, Azure PowerShell, and Azure Portal. The exam expects you to understand what Cloud Shell is, its key features, and how it differs from other tools.
Common Wrong Answers and Why Candidates Choose Them: 1. 'Cloud Shell is a virtual machine that you can RDP into.' – Wrong. Cloud Shell is a container, not a full VM. Candidates confuse it with Azure Bastion or a jump box. 2. 'Cloud Shell requires you to install Azure CLI locally.' – Wrong. The whole point is that it is browser-based with tools pre-installed. 3. 'Cloud Shell can only run Bash.' – Wrong. It supports both Bash and PowerShell, selectable from the toolbar. 4. 'Cloud Shell persists the entire container across sessions.' – Wrong. Only the home directory (via Azure Files) persists; the container is ephemeral.
Specific Terms and Values to Memorize: - Idle timeout: 20 minutes - Supported shells: Bash (Azure CLI) and PowerShell (Azure PowerShell) - Backing storage: Azure Files (not Blob storage) - Access methods: Azure portal, shell.azure.com, and mobile app - Authentication: Uses the same credentials as the portal (Azure AD)
Edge Cases and Tricky Distinctions: - Cloud Shell is not available in the Azure Government or Azure China portals by default (though it may be in some regions). - Cloud Shell cannot be used to manage on-premises resources directly; it is for Azure management. - The storage account must be general-purpose v2 (GPv2) or FileStorage for premium. - If you close the browser tab, the session ends immediately (no graceful shutdown).
Memory Trick: 'CASH' – Cloud shell is Cloud-based, Authenticated, Shell (Bash or PowerShell), Home directory persisted.
Decision Tree for Exam Questions: - If the question asks for a 'browser-based shell for Azure management' → Cloud Shell. - If the question asks for 'pre-installed Azure CLI and PowerShell' → Cloud Shell. - If the question mentions 'persistent home directory' → Cloud Shell. - If the question mentions 'requires storage account' → Cloud Shell. - If the question mentions 'RDP' or 'full VM' → not Cloud Shell.
Azure Cloud Shell is a browser-accessible command-line environment for managing Azure resources.
It supports both Bash (Azure CLI) and PowerShell (Azure PowerShell).
Cloud Shell requires a storage account and Azure Files share to persist your home directory.
The container is ephemeral; only the home directory persists across sessions.
Cloud Shell has a 20-minute idle timeout; after that, the session ends.
Cloud Shell is free to use; you only pay for the underlying storage.
You can access Cloud Shell from the Azure portal or directly at shell.azure.com.
These come up on the exam all the time. Here's how to tell them apart.
Azure Cloud Shell
Browser-based, no installation needed
Pre-authenticated with portal credentials
Persistent home directory via Azure Files
Idle timeout of 20 minutes
Limited resources (container)
Azure CLI installed locally
Requires local installation and updates
Requires manual 'az login'
Local file system persists
No idle timeout (depends on machine)
Full resources of local machine
Mistake
Cloud Shell is a virtual machine that you can RDP into.
Correct
Cloud Shell is a container, not a VM. You cannot RDP or SSH into it. It provides a command-line interface only.
Mistake
Cloud Shell requires you to install Azure CLI locally.
Correct
Cloud Shell has Azure CLI and Azure PowerShell pre-installed. No local installation is needed.
Mistake
Cloud Shell only supports Bash.
Correct
Cloud Shell supports both Bash and PowerShell. You can switch between them using the toolbar dropdown.
Mistake
Cloud Shell persists the entire session environment across logins.
Correct
Only the home directory (backed by Azure Files) persists. The container and its temporary storage are destroyed after session ends.
Mistake
Cloud Shell is free with no additional costs.
Correct
Cloud Shell itself is free, but you pay for the underlying Azure Files storage (and any data transfer).
Yes, Azure Cloud Shell itself is free to use. However, you need a storage account and an Azure Files share to persist your home directory. You pay standard Azure Files rates for that storage (based on size and transactions). There is no charge for the compute resources (CPU, memory) of the container. So if you use the minimum 5 GB storage, the cost is minimal (a few cents per month).
Yes, you can access Cloud Shell from a mobile browser by navigating to https://shell.azure.com or through the Azure mobile app. The experience is optimized for touch, but typing long commands may be cumbersome. You can also use the mobile app's built-in Cloud Shell feature. Note that the interface may be limited, but it works for quick tasks.
Cloud Shell is available in Azure Government clouds, but you need to access it via the Azure Government portal (portal.azure.us). The same functionality applies, but the underlying infrastructure is isolated. For Azure China (21Vianet), Cloud Shell is also available via the dedicated portal. Always use the correct portal URL for your cloud environment.
The idle timeout is 20 minutes. To keep the session alive, you can run a command periodically. For example, in Bash you can run `while true; do sleep 600; done` in the background (but this may not be practical). Alternatively, you can use a script that outputs something every few minutes. The best approach is to use Cloud Shell for short tasks; for long-running operations, consider using Azure CLI on a VM or an Azure Automation runbook.
No, Cloud Shell is designed to manage Azure resources only. It does not have access to your on-premises network unless you have a VPN or ExpressRoute, and even then, the tools are Azure-focused. For managing on-premises resources, you would need to use other tools like PowerShell remoting or SSH from a local machine or a jump box.
If you delete the storage account that backs Cloud Shell, your home directory and all files in it are permanently deleted. Cloud Shell will prompt you to create a new storage account the next time you use it. Always ensure you have backups of important scripts before deleting the storage account. You can also migrate to a new storage account by updating the Cloud Shell settings.
Yes, you can install additional tools using package managers like `apt` (Bash) or `Install-Module` (PowerShell). However, these installations are not persisted across sessions because the container is ephemeral. To persist tools, you must install them to your home directory or use a custom script that runs at session start. For example, you can add `apt-get install -y mytool` to your `.bashrc` file, but it will run each time you start a new session.
You've just covered Azure Cloud Shell — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?