Click to share! ⬇️

Azure 104 Study Guide

The Microsoft Azure AZ-104 Administrator Associate Exam is designed to help Information Technology professionals verify their ability to complete tasks such as implementing, managing, and monitoring identity, governance, storage, computing, and virtual networks in a cloud environment, plus provision, size, monitor, and adjust resources, when needed. Whoa, that’s a lot! Yes, it is. As such, this study guide is quite long, and only the most determined of administrators will make it to the end of this guide. If you’re ready to learn about the topics and concepts needed for the Microsoft Certified Azure Administrator Associate, let’s get started.

Azure Storage

Azure Storage is:

    • Durable and highly available. Data is replicated across data centers or geographical regions for protection from local catastrophes or natural disasters.
    • Accessible. Data in Azure Storage is accessed via HTTP or HTTPS. SDKs for Azure Storage are available in .NET, Java, Node.js, Python, PHP, Ruby, Go, and REST API.
    • Managed. Azure handles hardware maintenance and updates.
    • Scalable. Azure Storage is very scalable.
    • Secure. All data is encrypted in Azure Storage.

Azure storage has three categories.

  • Structured Data. Tables, Cosmos DB, and Azure SQL DB are examples of structured data.
  • Unstructured Data. Blobs and Data Lake Store.
  • Storage for Virtual Machines. Virtual machine storage like disks and files.

Storage accounts have two tiers: Standard and Premium.

  • Standard Uses (HDD) and provides the lowest cost per GB.
  • Premium Uses solid-state drives (SSD) and offers consistent low-latency performance.

A Storage Account can contain:

  • Azure Containers (Blobs): Object store for text and binary data.
  • Azure Queues: A messaging store for reliable messaging between application components.
  • Azure Tables: A NoSQL store for schemaless storage of structured data.
  • Azure Files: Managed file shares for cloud or on-premises deployments.

Blob storage is for:

  • Streaming video and audio.
  • Storing files for distributed access.
  • Storing data for backup, disaster recovery, and archiving.
  • Storing data for analysis by an on-premises or Azure-hosted service.
  • Serving images or documents directly to a browser.

Azure File Shares are for:

  • Mapping drives in the cloud just like on-prem solutions in the past
  • Configuration files can be stored on a file share and accessed from multiple VMs.
  • Diagnostic logs, metrics, and crash dumps are examples of data that can be written to a file share and analyzed later.

Types of Storage Accounts:

Standard general-purpose v2 Good for most scenarios like Blob, File, Queue, Table, and Data Lake Storage.

Premium block blobs Good for high transactions rates and scenarios that use smaller objects or require consistently low storage latency.

Premium file shares Enterprise or high-performance file share applications.

Premium page blobs Premium high-performance page blob scenarios.

Replication Types:


  • Application is restricted to replicating data only within a country due to data governance requirements.
  • Application stores data that can be easily reconstructed if data loss occurs.
  • Data is constantly changing and storing the data is really not required.


  • Changing to ZRS from another data replication option requires the physical data movement from a single storage stamp to multiple stamps within a region.
  • ZRS is not yet available in all regions.
  • ZRS may not protect your data against a regional disaster where multiple zones are permanently affected. Instead, ZRS offers resiliency for your data.


  • GRS replicates your data to another data center in a secondary region, but that data is available to be read-only if Microsoft initiates a failover from the primary to the secondary region.
  • Read-access geo-redundant storage (RA-GRS) is based on GRS. RA-GRS replicates your data to another data center in a secondary region and also provides you with the option to read from the secondary region.


Geo-zone-redundant storage combines the high availability of zone-redundant storage with the benefits of geo-redundant storage. Data in a GZRS storage account is replicated across three availability zones in the primary region and also to a second geographic region for protection from regional disasters.  Each region is paired with another region within the same geography to create a pair.

Access Storage Formats

  • Container service: //
  • File service: //
  • Queue service: //
  • Table service: //

Secure Storage

  • Firewalls and Virtual Networks restrict access to the Storage Account from specific Subnets on Virtual Networks or public IPs.
  • Subnets and Virtual Networks must exist in the same Azure Region or Region Pair as the Storage Account.

Read-access geo-redundant storage is the default replication option. Geo-redundant storage (GRS) copies the data synchronously three times within a single physical location in the primary region using LRS. It then copies the data asynchronously to a single physical location in the secondary region.

The storage account name is used as part of the URI for API access, so it must be globally unique.

LRS is best for recent data and low cost when data loss is not an issue.

Configure Blog Storage

Common uses of Blob storage include:

  • Storing data for backup, disaster recovery, and archiving.
  • Serving images or documents to a browser.
  • Storing data for analysis by an on-premises or Azure-hosted service.
  • Streaming video and audio.
  • Storing files for distributed access.

Blob storage offers three types of resources:

  • The storage account
  • Containers in the storage account
  • Blobs in a container

Name: Can contain lowercase letters, numbers, and hyphens, and must begin with a letter or a number. Must also be between 3 and 63 characters long. Public access level: Specifies whether data in the container may be accessed publicly.

  • Private is to ensure there is no anonymous access to the container and blobs.
  • Blob is to allow anonymous public read access for blobs only.
  • Container is to allow anonymous public read and list access to the entire container, including the blobs.

Access Tiers

  • Hot. The Hot tier is for frequent access of objects in the storage account.  Accessing data in the Hot tier is most cost-effective but storage costs are higher. Is the default tier.
  • Cool. The Cool tier is for storing data that is infrequently accessed and stored for at least 30 days.
  • Archive. The Archive tier is for data that will remain in the Archive tier for at least 180 days.

The lifecycle management policy lets you:

  • Transition blobs to a cooler storage tier to optimize for performance and cost.
  • Delete blobs at the end of their lifecycles.
  • Define rules to be run once per day at the storage account level.
  • Apply rules to containers or a subset of blobs.

Blob Object Replication

  • Block blobs (default) consist of blocks of data assembled to make a blob. Block blobs are ideal for storing text and binary data in the cloud, like files, images, and videos.
  • Append blobs Good for append operations, so they are useful for logging scenarios.
  • Page blobs Azure virtual machines use page blobs as OS and data disks.

Blob Uploads

  • AzCopy Command-line tool for Windows and Linux that copies data to and from Blob storage, across containers, or across storage accounts.
  • The Azure Storage Data Movement library .NET library for moving data between Azure Storage services.
  • Azure Data Factory supports copying data to and from Blob storage by using the account key, shared access signature, service principal, or managed identities.
  • Blobfuse Virtual file system driver for Azure Blob storage.
  • Azure Data Box Disk Used for transferring on-premises data to Blob storage when large datasets or network constraints make uploading data over the wire unrealistic.
  • The Azure Import/Export Provides a way to export large amounts of data from your storage account to hard drives that you provide and that Microsoft then ships back to you with your data.

The administrator can switch between hot and cool performance tiers at any time.

Changes between hot and cool, and to archive, happen immediately.

Any snapshots on a blob in the source account are not replicated to the destination account.

Storage Security

Azure Storage provides a comprehensive set of security capabilities that together enable developers to build secure applications.

  • Encryption. All data written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).
  • Authentication. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) are supported for Azure Storage for both resource management operations and data operations, as follows:
    • You can assign RBAC roles scoped to the storage account to security principals and use Azure AD to authorize resource management operations such as key management.
    • Azure AD integration is supported for data operations on the Blob and Queue services.
  • Data in transit. Data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0.
  • Disk encryption. OS and data disks used by Azure virtual machines can be encrypted using Azure Disk Encryption.
  • Shared Access Signatures. Delegated access to the data objects in Azure Storage can be granted using Shared Access Signatures.

Auth options

  • Azure Active Directory (Azure AD). Azure AD is Microsoft’s cloud-based identity and access management service. With Azure AD, you can assign fine-grained access to users, groups, or applications via role-based access control (RBAC).
  • Shared Key. Shared Key authorization relies on your account access keys and other parameters to produce an encrypted signature string that is passed on the request in the Authorization header.
  • Shared access signatures. Shared access signatures (SAS) delegate access to a particular resource in your account with specified permissions and over a specified time interval.
  • Anonymous access to containers and blobs. You can optionally make blob resources public at the container or blob level. A public container or blob is accessible to any user for anonymous read access. Read requests to public containers and blobs do not require authorization.

A SAS gives you granular control over the type of access you grant to clients who have the SAS, including:

  • An account-level SAS can delegate access to multiple storage services.
  • An interval over which the SAS is valid, including the start time and the expiry time.
  • The permissions granted by the SAS.

Optionally, you can also:

  • Specify an IP address or range of IP addresses from which Azure Storage will accept the SAS.
  • The protocol over which Azure Storage will accept the SAS. You can use this optional parameter to restrict access to clients using HTTPS.
  • If a SAS is compromised, it can be used by anyone who obtains it.
  • If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application’s functionality may be hindered.

The following recommendations for using shared access signatures can help mitigate risks.

  • Always use HTTPS to create or distribute a SAS.
  • Reference stored access policies where possible.
  • Use near-term expiration times on an unplanned SAS.
  • Have clients automatically renew the SAS if necessary.
  • Be careful with SAS start time.
  • Be specific with the resource to be accessed.
  • Understand that your account will be billed for any usage, including that done with SAS.
  • Validate data written using SAS.
  • Don’t assume SAS is always the correct choice. Sometimes the risks associated with a particular operation against your storage account outweigh the benefits of SAS.
  • Use Storage Analytics to monitor your application.

SAS will change access based on permissions or duration by replacing the policy with a new one or deleting it altogether to revoke access.

The default network rule is to allow all connections from all networks.

Access keys provide unrestricted access to the storage resources.

File Storage

  • Replace and supplement. Azure Files can be used to completely replace or supplement traditional on-premises file servers or NAS devices.
  • Access anywhere. Popular operating systems such as Windows, macOS, and Linux can directly mount Azure File shares wherever they are in the world.
  • Lift and shift. Azure Files makes it easy to “lift and shift” applications to the cloud that expect a file share to store file application or user data.
  • Azure File Sync. Azure File shares can also be replicated with Azure File Sync to Windows Servers, either on-premises or in the cloud, for performance and distributed caching of the data where it’s being used.
  • Shared applications. Storing shared application settings.
  • Diagnostic data. Storing diagnostic data such as logs, metrics, and crash dumps in a shared location.
  • Tools and utilities. Storing tools and utilities needed for developing or administering Azure virtual machines or cloud services.

Azure Files
Provides an SMB interface, client libraries, and a REST interface that allows access from anywhere to stored files.

Azure Blobs
Provides client libraries and a REST interface that allows unstructured data to be stored and accessed at a massive scale in block blobs.

  • Azure files are true directory objects. Azure blobs are a flat namespace.
  • Azure files are accessed through file shares. Azure blobs are accessed through a container.
  • Azure files provide shared access across multiple virtual machines. Azure disks are exclusive to a single virtual machine.


  • Protection against application error and data corruption.
  • Protection against accidental deletions or unintended changes.
  • General backup purposes.

File Sync

  • Lift and shift.
  • Branch Offices.
  • Backup and Disaster Recovery.
  • File Archiving.

Storage Sync Service. The Storage Sync Service is the top-level Azure resource for Azure File Sync. The Storage Sync Service resource is a peer of the storage account resource, and can similarly be deployed to Azure resource groups.

Sync group. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. If you have two distinct sets of files that you want to manage with Azure File Sync, you would create two sync groups and add different endpoints to each sync group. A Storage Sync Service can host as many sync groups as you need.

Registered server. The registered server object represents a trust relationship between your server and the Storage Sync Service. You can register as many servers to a Storage Sync Service instance as you want.

Azure File Sync agent. The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share. The Azure File Sync agent has three main components:

  • FileSyncSvc.exe: The background Windows service that is responsible for monitoring changes on server endpoints, and for initiating sync sessions to Azure.
  • StorageSync.sys: The Azure File Sync file system filter, which is responsible for tiering files to Azure Files.
  • PowerShell management cmdlets: PowerShell cmdlets that you use to interact with the Microsoft.StorageSync Azure resource provider. You can find these at the following (default) locations:
    • C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll
    • C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll

Server endpoint. A server endpoint represents a specific location on a registered server, such as a folder on a server volume. Multiple server endpoints can exist on the same volume if their namespaces do not overlap (i.e., F:\sync1 and F:\sync2). You can configure cloud tiering policies individually for each server endpoint. You can create a server endpoint via a mount point. Note, mount points within the server endpoint are skipped. You can create a server endpoint on the system volume but, there are two limitations if you do so:

  • Cloud tiering cannot be enabled.
  • Rapid namespace restore (where the system quickly brings down the entire namespace and then starts to recall content) is not performed.

Cloud endpoint. A cloud endpoint is an Azure file share that is part of a sync group. The entire Azure file share syncs and an Azure file share can be a member of only one cloud endpoint. Therefore, an Azure file share can be a member of only one sync group. If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other files that are already on other endpoints in the sync group.

Deploy Azure File Sync

  1. Deploy the Storage Sync Service.
  2. Prepare Windows Server to use with Azure File Sync.
  3. Install the Azure File Sync Agent.
  4. Register Windows Server with Storage Sync Service.

Cloud tiering allows frequently accessed files to be cached on the local server.

Infrequently accessed files are tiered, or archived, to the Azure file share according to the policy created.

The Azure File Sync agent is a downloadable package that enables a Windows Server file share to be synced with an Azure file share.

Storage Tools

Storage Explorer is used to connect to different storage accounts.

  • Connect to storage accounts associated with your Azure subscriptions.
  • Connect to storage accounts and services that are shared from other Azure subscriptions.
  • Connect to and manage local storage by using the Azure Storage Emulator.

In addition, you can work with storage accounts in global and national Azure:

  • Connect to an Azure subscription.
  • Work with local development storage.
  • Attach to external storage.
  • Attach a storage account by using SAS.
  • Attach a service by using SAS.
  • Connect to an Azure Cosmos DB account by using a connection string.

Import Export Service

  • Migrating data to the cloud. Move large amounts of data to Azure quickly and cost-effectively.
  • Content distribution. Quickly send data to your customer sites.
  • Backup. Take backups of your on-premises data to store in Azure blob storage.
  • Data recovery. Recover a large amount of data stored in blob storage and have it delivered to your on-premises location.

Az Copy

  • Supports Azure Data Lake Storage Gen2 APIs.
  • Supports copying an entire account to another account.
  • Account to account copy is now using the new Put from URL APIs.
  • List/Remove files and blobs in a given path.
  • Supports wildcard patterns in a path, –include flags, and –exclude flags.
  • Improved resiliency: every AzCopy instance will create a job order and a related log file.
  • General performance improvements.
  • Azure Active Directory (Supported for Blob and ADLS Gen2 services). Use .\azcopy login to sign in using Azure Active Directory. The user should have a Storage Blob Data Contributor role assigned to write to Blob storage using Azure Active Directory authentication.
  • SAS tokens (supported for Blob and File services). Append the SAS token to the blob path on the command line to use it.

Azure Storage Explorer is the best choice for a GUI if the user doesn’t want to use the Azure portal.

The AzCopy tool can work with two different storage accounts. The other tools do not copy data between storage accounts. Alternatively, Storage Explorer can be used to copy data between storage accounts.

AzCopy is ideal for transferring large files as it can run in the background.

Create Storage Account

The settings that are defined by a storage account are:

  • Subscription: The Azure subscription will be billed for the services in the account.
  • Location: The data center that will store the services in the account.
  • Performance: Determines the data services you can have in your storage account and the type of hardware disks used to store the data.
    • Standard allows you to have any data service (Blob, File, Queue, Table) and uses magnetic disk drives.
    • Premium provides more services for storing data. These storage accounts use solid-state drives (SSD) for storage.
  • Replication: Determines the strategy used to make copies of your data to protect against hardware failure or natural disaster. At a minimum, Azure automatically maintains three copies of your data within the data center associated with the storage account. The minimum replication is called locally redundant storage (LRS), and guards against hardware failure but does not protect you from an event that incapacitates the entire datacenter. You can upgrade to one of the other options such as geo-redundant storage (GRS) to get replication at different datacenters across the world.
  • Access tier: Controls how quickly you will be able to access the blobs in a storage account. Hot gives quicker access than Cool, but at an increased cost. The hot access tier applies only to blobs and serves as the default value for new blobs.
  • Secure transfer required: A security feature that determines the supported protocols for access. Enabled requires HTTPS, while disabled allows HTTP.
  • Virtual networks: A security feature that allows inbound access requests only from the virtual network(s) you specify.


  • Name – Each storage account has a name. The name must be globally unique within Azure, use only lowercase letters and digits, and be between 3 and 24 characters.
  • Deployment model
    • Resource Manager: the current model that uses the Azure Resource Manager API
    • Classic: a legacy offering that uses the Azure Service Management API
  • Account kind
    • StorageV2 (general purpose v2): the current offering that supports all storage types and all of the latest features
    • Storage (general purpose v1): a legacy kind that supports all storage types but may not support all features
    • Blob storage: a legacy kind that allows only block blobs and append blobs

Create via

  • Azure Portal
  • Azure CLI (Command-line interface)
  • Azure PowerShell
  • Management client libraries

In general, increased diversity means an increased number of storage accounts.

A storage account by itself has no financial cost. However, the settings you choose for the account do influence the cost of services in the account.

Use multiple storage accounts to reduce costs.

The storage account name is used as part of the URI for API access, so it must be globally unique.

Storage accounts are stable for the lifetime of a project. It’s common to create them at the start of a project.


Access storage

  • Public access
  • Azure Active Directory (Azure AD)
  • Shared key
  • Shared access signature (SAS)

There are two separate settings that affect public access:

  • The Storage Account.
  • The Container.

There are three types of shared access signatures:

  • User delegation SAS: This can only be used for Blob storage and is secured with Azure AD credentials.
  • Service SAS: A service SAS is secured using a storage account key.
  • Account SAS: An account SAS is secured with a storage account key.

To reduce the potential risks of using a SAS, Microsoft provides these tips:

  • Always use HTTPS.
  • Use user delegation SAS wherever possible because it removes the need to store your storage account key in code.
  • Set your expiration time to the smallest useful value.
  • Only grant the access that’s required.
  • When there’s an unacceptable risk of using a SAS, create a middle-tier service to manage users and their access to storage.

You can create a stored access policy on four kinds of storage resources:

  • Blob containers
  • File shares
  • Queues
  • Tables

The stored access policy you create for a blob container can be used for all the blobs contained in it and the container itself. The stored access policy is created with the following properties:

  • Identifier
  • Start time
  • Expiry time
  • Permissions

Azure Files

  • Store apps and configuration files in a file share and connect new VMs to the shared files.
  • Cloud-based apps can efficiently write log files by using the File REST API to the shared storage.
  • A business doesn’t need to buy and deploy expensive redundant hardware and manage software updates.
  • Automate the creation and editing of file shares by using PowerShell or Azure CLI commands.
  • Data is encrypted in transit using HTTPS and is stored encrypted when at rest.
  • The shares are cross-platform, and you can connect to them from Windows, Linux, or macOS.
  • Standard performance: Double-digit ms latency, 10,000 IOPS, 300-MBps bandwidth
  • Premium performance: Single-digit ms latency, 100,000 IOPS, 5-GBps bandwidth

Low bandwidth means Azure File Sync will handle the updating and syncing of files efficiently over the low-bandwidth network.

Storage Explorer

  • It’s easy to connect to and manage multiple storage accounts.
  • The interface lets you connect to Azure Cosmos DB and Data Lake.
  • You can also use the interface to update and view entities in your storage accounts.
  • Storage Explorer is free to download and use.
  • Azure Blob Storage. Used to store unstructured data as a binary large object (blob).
  • Azure Table Storage. Used to store NoSQL, semi-structured data.
  • Azure Queue Storage. Used to store messages in a queue, which can then be accessed and processed by applications through HTTP(S) calls.
  • Azure Files. Service that enables access through the Server Message Block protocol, similar to traditional file servers.
  • Azure Data Lake Storage. Based on Apache Hadoop, is designed for large data volumes and can store unstructured and structured data.

There are many ways to connect an Azure Storage Explorer instance to your Azure resources:

  • Add resources by using Azure Active Directory (Azure AD)
  • Use a connection string
  • Use a shared access signature URI
  • Use a name and key
  • Attach to a local emulator
  • Attach to Azure Cosmos DB through a connection string
  • Attach to Azure Data Lake by using a URI

Virtual Machines

IaaS Use Cases

  • Test and development.
  • Website hosting.
  • Storage, backup, and recovery.
  • High-performance computing. High-performance computing on supercomputers, computer grids, or computer clusters helps solve complex problems involving millions of variables or calculations.
  • Big data analysis.
  • Extended Datacenter.

Provisioning VMs to Azure requires planning.

  • Start with the network
  • Name the VM
  • Decide the location for the VM
  • Determine the size of the VM
  • Understanding the pricing model
  • Storage for the VM
  • Select an operating system
  • The location can limit your available options
  • There are price differences between locations
  • Consumption-based
  • Reserved Virtual Machine Instances

The Azure Bastion service is a fully platform-managed PaaS service provisioned inside a virtual network. Bastion provides seamless RDP and SSH connectivity to virtual machines. The access uses the Azure portal and SSL.

Outbound requests are allowed by default. Inbound traffic from within the virtual network is allowed. By placing a VM in a virtual network, the VM owner is implicitly opting-in to communication among the resources in the virtual network.

Availability Sets are an important capability when you want to build reliable cloud solutions.

  • Configure multiple virtual machines in an Availability Set for redundancy.
  • Configure each application tier into separate Availability Sets.
  • Combine a Load Balancer with Availability Sets.
  • Use managed disks with virtual machines.
  • Availability Zones are unique physical locations within an Azure region.
  • Each zone is made up of one or more data centers equipped with independent power, cooling, and networking.
  • To ensure resiliency, there’s a minimum of three separate zones in all enabled regions.
  • The physical separation of Availability Zones within a region protects applications and data from data center failures.
  • Zone-redundant services replicate your applications and data across Availability Zones to protect from single-points-of-failure.
  • With Availability Zones, Azure offers the industry’s best 99.99% VM uptime SLA.

Azure services that support Availability Zones fall into two categories:

  • Zonal services. Pins the resource to a specific zone
  • Zone-redundant services. Platform replicates automatically across zones

Vertical Scale vs Horizontal Scale

  • A service built on virtual machines is under-utilized. Reducing the virtual machine size can reduce monthly costs.
  • Increasing virtual machine size to cope with larger demand without creating additional virtual machines.
  • Vertical scaling generally has more limitations. Vertical scaling is dependent on the availability of larger hardware, which quickly hits an upper limit and can vary by region. Vertical scaling also usually requires a virtual machine to stop and restart.
  • Horizontal scaling is more flexible in a cloud situation as it allows you to run potentially thousands of virtual machines to handle the load.
  • Reprovisioning means removing an existing virtual machine and replacing it with a new one. Do you need to retain your data?

Scale Sets

  • All VM instances are created from the same base OS image and configuration. This approach lets you easily manage hundreds of VMs without additional configuration tasks or network management.
  • Scale sets support the use of the Azure load balancer for basic layer-4 traffic distribution and Azure Application Gateway for more advanced layer-7 traffic distribution and SSL termination.
  • Scale sets are used to run multiple instances of your application. If one of these VM instances has a problem, customers continue to access your application through one of the other VM instances with minimal interruption.
  • Customer demand for your application may change throughout the day or week. To match customer demand, scale sets are elastic and can automatically increase the number of VM instances as application demand increases, then reduce the number of VM instances as demand decreases. This is known as autoscale.
  • Scale sets support up to 1,000 VM instances. If you create and upload your own custom VM images, the limit is 600 VM instances.

When you create a scale set, consider these parameters.

  • Initial instance count. The number of virtual machines in the scale set (0 to 1000).
  • Instance size.
  • Azure spot instance. Low-priority VMs are allocated from Microsoft Azure’s excess compute capacity. Spot instances enable several types of workloads to run at a reduced cost.
  • Use managed disks.
  • Enable scaling beyond 100 instances. If No, the scale set will be limited to one placement group with a max capacity of 100. If Yes, the scale set can span multiple placement groups. This allows for the capacity to be up to 1,000 but changes the availability characteristics of the scale set.
  • Spreading algorithm.

Autoscale benefits

  • Automatically adjust capacity. Create rules that define the acceptable performance for a positive customer experience.
  • Scale-out. If your application demand increases, the load on the VM instances in your scale set increases.
  • Scale in. On an evening or weekend, your application demand may decrease.
  • Schedule events. Schedule events to automatically increase or decrease the capacity of your scale set at fixed times.
  • Less overhead. Reduces the management overhead to monitor and optimize the performance of your application.

Config Scale Sets

  • Minimum number of VMs. The minimum value for autoscale on this scale set.
  • Maximum number of VMs. The maximum value for autoscale on this scale set.
  • Scale-out CPU threshold. The CPU usage percentage threshold for triggering the scale-out autoscale rule.
  • Number of VMs to increase by. The number of virtual machines to add to the scale set when the scale-out autoscale rule is triggered.
  • Scale in CPU threshold. The CPU usage percentage threshold for triggering the scale in the autoscale rule.
  • Number of VMs to decrease by. The number of virtual machines to remove to the scale set when the scale in the autoscale rule is triggered.

When autoscale is enabled the parameters for when to scale are configured. 

With schedule-based rules administrators proactively schedule the scale set to deploy one or any number of additional instances. This will accommodate a spike in demand and then scale back down when the spike ends.

Azure VM extensions can be:

  • Managed with Azure CLI, PowerShell, Azure Resource Manager templates, and the Azure portal.
  • Bundled with a new VM deployment or run against any existing system.

The DSC script consists of a Configuration block, Node block, and one or more resource blocks.

  • The Configuration block is the outermost script block. You define it by using the Configuration keyword and providing a name.
  • One or more Node blocks. Node blocks define the computers or VMs that you are configuring.
  • One or more resource blocks. Resource blocks configure the resource properties.

Virtual machine extensions automate the tasks of creating, maintaining, and removing virtual machines.

Custom script extensions will time out and that should be considered when deciding on the scope of the script.

DSC is a good choice for installing virtual machine features.

App Service

  • Free and Shared. The Free and Shared service plans are base tiers that run on the same Azure VMs as other apps.
  • Basic. The Basic service plan is designed for apps that have lower traffic requirements, and don’t need advanced auto scale and traffic management features.
  • Standard. The Standard service plan is designed for running production workloads. Pricing is based on the size and number of instances you run.
  • Premium. The Premium service plan is designed to provide enhanced performance for production apps.
  • Isolated. The Isolated service plan is designed to run mission-critical workloads, that are required to run in a virtual network.


  • The scale settings take only seconds to apply and affect all apps in your App Service plan.
  • If your app depends on other services, such as Azure SQL Database or Azure Storage, you can scale up these resources separately.

Rules include a trigger and a scale action (in or out). The trigger can be metric-based or time-based.

  • Metric-based. Metric-based rules measure application load and add or remove VMs based on that load.
  • Time-based. Time-based (schedule-based) rules allow you to scale when you see time patterns in your load and want to scale before a possible load increase or decrease occurs.
  • Having a minimum instance count makes sure your application is always running even under no load.
  • Having a maximum instance count limits your total possible hourly cost.
  • You can automatically scale between the minimum and maximum using rules you create.
  • Ensure the maximum and minimum values are different and have an adequate margin between them.
  • Always use a scale-out and scale-in rule combination that performs an increase and decrease.
  • Choose the appropriate statistic for your diagnostics metric (Average, Minimum, Maximum and Total).
  • Always select a safe default instance count. The default instance count is important because autoscale scales your service to that count when metrics are not available.
  • Always configure autoscale notifications.

Scale-up gives more CPU, memory, and disk space. Scale-up by changing the pricing tier of the App Service plan.

Time-based rules allow scaling based on time patterns.

Reasons to use App Services

  • Multiple languages and frameworks. App Service has first-class support for ASP.NET, Java, Ruby, Node.js, PHP, or Python.
  • DevOps optimization. Set up continuous integration and deployment with Azure DevOps, GitHub, BitBucket, Docker Hub, or Azure Container Registry. Promote updates through test and staging environments.
  • Global scale with high availability. Host apps anywhere in Microsoft’s global data center infrastructure, and the App Service SLA promises high availability.
  • Connections to SaaS platforms and on-premises data. Choose from more than 50 connectors for enterprise systems (such as SAP), SaaS services (such as Salesforce), and internet services.
  • Security and compliance. App Service is ISO, SOC, and PCI compliant. Authenticate users with Azure Active Directory or with social login (Google, Twitter, and Microsoft).
  • Application templates. Choose from an extensive list of application templates in the Azure Marketplace, such as WordPress, Joomla, and Drupal.
  • Visual Studio integration. Dedicated tools in Visual Studio streamline the work of creating, deploying, and debugging.
  • API and mobile features. App Service provides turn-key CORS support for RESTful API scenarios and simplifies mobile app scenarios by enabling authentication, offline data sync, push notifications, and more.
  • Serverless code. Run a code snippet or script on-demand without having to explicitly provision or manage infrastructure and pay only for the compute time your code actually uses.

Configure App Service

  • Name. The name must be unique and will be used to locate your app. You can map a custom domain name, if you prefer to use that instead.
  • Publish. The App service can host either Code or a Docker Container.
  • Runtime stack. The software stack to run the app, including the language and SDK versions. For Linux apps and custom container apps, you can also set an optional start-up command or file. Choices include .NET Core, .NET Framework, Node.js, PHP, Python, and Ruby.
  • Operating system. Choices are Linux and Windows.
  • Region. Your choice will affect app service plan availability.

Certain configuration settings can be included in the developer’s code or configurated in the app service.

  • Always On. Keep the app loaded even when there’s no traffic.
  • ARR affinity. In a multi-instance deployment, ensure that the client is routed to the same instance for the life of the session.
  • Connection strings. Connection strings are encrypted at rest and transmitted over an encrypted channel.

Automated Deployment

  • Azure DevOps: You can push your code to Azure DevOps (previously known as Visual Studio Team Services), build your code in the cloud, run the tests, generate a release from the code, and finally, push your code to an Azure Web App.
  • GitHub: Azure supports automated deployment directly from GitHub.
  • Bitbucket: With its similarities to GitHub, you can configure an automated deployment with Bitbucket.

Manual Deployment

  • Git: App Service web apps feature a Git URL that you can add as a remote repository. Pushing to the remote repository will deploy your app.
  • CLI: webapp up is a feature of the command-line interface that packages your app and deploys it.
  • Visual Studio: Visual Studio features an App Service deployment wizard that can walk you through the deployment process.
  • FTP/S: FTP or FTPS is a traditional way of pushing your code to many hosting environments, including App Service.

Deployment Slots

  • You can validate app changes in a staging deployment slot before swapping it with the production slot.
  • Deploying an app to a slot first and swapping it into production ensures that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, and no requests are dropped because of swap operations. This entire workflow can be automated by configuring Auto Swap when pre-swap validation is not needed.
  • After a swap, the slot with the previously staged app now has the previous production app. If the changes swapped into the production slot are not as you expected, you can perform the same swap immediately to get your “last known good site” back.

Secure App Service

  • Authenticates users with the specified provider.
  • Validates, stores, and refreshes tokens.
  • Manages the authenticated session.
  • Injects identity information into request headers.

Custom Domain

  1. Reserve your domain name.
  2. Create DNS records that map the domain to your Azure web app.
  • An A (Address) record maps a domain name to an IP address.
  • A CNAME (Canonical Name) record maps a domain name to another domain name. DNS uses the second name to look up the address. Users still see the first domain name in their browser.
  1. Enable the custom domain.

Backup App Service

  • App configuration.
  • File content.
  • Database connected to your app (SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, MySQL in-app).
  • The Backup and Restore feature requires the App Service plan to be in the Standard tier or Premium tier.
  • You can configure backups manually or on a schedule.
  • You need an Azure storage account and container in the same subscription as the app that you want to back up. After you have made one or more backups for your app, the backups are visible on the Containers page of your storage account, and your app. In the storage account, each backup consists of file that contains the backup data and an .xml file that contains a manifest of the .zip file contents. You can unzip and browse these files if you want to access your backups without actually performing an app restore.
  • Full backups are the default. When a full backup is restored, all content on the site is replaced with whatever is in the backup. If a file is on the site, but not in the backup it gets deleted.
  • Partial backups are supported. Partial backups allow you to choose exactly which files you want to back up. When a partial backup is restored, any content that is located in one of the excluded directories, or any excluded file, is left as is. You restore partial backups of your site the same way you would restore a regular backup.
  • You can exclude files and folders you do not want in the backup.
  • Backups can be up to 10 GB of app and database content.
  • Using a firewall-enabled storage account as the destination for your backups is not supported.

App Insights

  • Request rates, response times, and failure rates – Find out which pages are most popular, at what times of day, and where your users are. See which pages perform best. If your response times and failure rates go high when there are more requests, then perhaps you have a resourcing problem.
  • Dependency rates, response times, and failure rates – Find out whether external services are slowing you down.
  • Exceptions – Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Both server and browser exceptions are reported.
  • Page views and load performance – reported by your users’ browsers.
  • User and session counts.
  • Performance counters from your Windows or Linux server machines, such as CPU, memory, and network usage.
  • Host diagnostics from Docker or Azure.
  • Diagnostic trace logs from your app – so that you can correlate trace events with requests.
  • Custom events and metrics that you write yourself in the client or server code, to track business events such as items sold or games won.

Connections strings follow the content across the swap.

Azure currently supports Azure DevOps, GitHub, Bitbucket, OneDrive, Dropbox, and external Git repositories.

Azure Container Instance

Containers offer several advantages over physical and virtual machines, including:

  • Increased flexibility and speed when developing and sharing the application code.
  • Simplified application testing.
  • Streamlined and accelerated application deployment.
  • Higher workload density, resulting in improved resource utilization.

An example container group:

  • Is scheduled on a single host machine.
  • Is assigned a DNS name label.
  • Exposes a single public IP address, with one exposed port.
  • Consists of two containers. One container listens on port 80, while the other listens on port 1433.
  • Includes two Azure file shares as volume mounts, and each container mounts one of the shares locally.

An example usage could include:

  • A container serving a web application and a container pulling the latest content from source control.
  • An application container and a logging container. The logging container collects the logs and metrics output by the main application and writes them to long-term storage.
  • An application container and a monitoring container. The monitoring container periodically makes a request to the application to ensure that it’s running and responding correctly, and raises an alert if it’s not.
  • A front-end container and a back-end container. The front end might serve as a web application, with the back end running a service to retrieve data.

A container is essentially a standalone package that contains everything that is needed to execute a piece of software. The package includes:

  • The application executable code.
  • The runtime environment (such as .NET Core).
  • System tools.
  • Settings.

Container groups are scheduled on a single host machine.

Containers only provide lightweight isolation from the host and other containers but don’t provide as strong a security boundary as a virtual machine.

Organizations are only billed when the container is in use.

Azure Kubernetes Service

Pools are groups of nodes with identical configurations.

Nodes are individual virtual machines running containerized applications.

Pods are a single instance of an application. A pod can contain multiple containers.

Container is a lightweight and portable executable image that contains software and all of its dependencies.

Deployment has one or more identical pods managed by Kubernetes.

Manifest is the YAML file describing a deployment.

A Kubernetes cluster is divided into two components:

  • Azure-managed nodes, which provide the core Kubernetes services and orchestration of application workloads.
  • Customer-managed nodes that run your application workloads.
  • The kubelet is the Kubernetes agent that processes the orchestration requests from the Azure-managed node, and scheduling of running the requested containers.
  • Virtual networking is handled by the kube-proxy on each node. The proxy routes network traffic and manages IP addressing for services and pods.
  • The container runtime is the component that allows containerized applications to run and interact with additional resources such as the virtual network and storage. AKS clusters using Kubernetes version 1.19 node pools and greater use containerd as its containers runtime. AKS clusters using Kubernetes prior to v1.19 for node pools use Moby (upstream docker) as its container runtime.

AKS Networking

  • Cluster IP – Creates an internal IP address for use within the AKS cluster. Good for internal-only applications that support other workloads within the cluster.
  • NodePort – Creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.
  • LoadBalancer – Creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customers’ traffic to reach the application, load-balancing rules are created on the desired ports.
  • ExternalName – Creates a specific DNS entry for easier application access.

AKS Storage

  • Volumes
  • Persistent volumes
  • Storage classes
  • Persistent volume claims

AKS Scaling

The kubelet is the Kubernetes agent that processes the orchestration requests from the Azure-managed node.

ClusterIP creates an internal IP address for use within the AKS cluster. This is good for internal-only applications that support other workloads within the cluster.

With Kubernetes organizations only pay for the virtual machine instances, storage, and networking resources consumed by the cluster.

Virtual Networks

Virtual networks can be used in many ways.

  • Create a dedicated private cloud-only VNet. Sometimes you don’t require a cross-premises configuration for your solution. When you create a VNet, your services and VMs within your VNet can communicate directly and securely with each other in the cloud.
  • Securely extend your data center With VNets. You can build traditional site-to-site (S2S) VPNs to securely scale your data center capacity. S2S VPNs use IPSEC to provide a secure connection between your corporate VPN gateway and Azure.
  • Enable hybrid cloud scenarios. VNets give you the flexibility to support a range of hybrid cloud scenarios. You can securely connect cloud-based applications to any type of on-premises systems such as mainframes and Unix systems.
  • Service requirements. Each service directly deployed into a virtual network has specific requirements for routing and the types of traffic that must be allowed into and out of subnets. Service may require, or create, their own subnet, so there must be enough unallocated space for them to do so.
  • Virtual appliances. Azure routes network traffic between all subnets in a virtual network, by default. You can override Azure’s default routing to prevent Azure routing between subnets, or to route traffic between subnets through a network virtual appliance.
  • Service endpoints. You can limit access to Azure resources such as an Azure storage account or Azure SQL database, to specific subnets with a virtual network service endpoint.
  • Network security groups. You can associate zero or one network security group to each subnet in a virtual network. You can associate the same, or a different, network security group to each subnet. Each network security group contains rules, which allow or deny traffic to and from sources and destinations.
  • Private IP addresses: Used for communication within an Azure virtual network (VNet), and your on-premises network, when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure.
  • Public IP addresses: Used for communication with the Internet, including Azure public-facing services.

Static Addresses

  • DNS name resolution, where a change in the IP address would require updating host records.
  • IP address-based security models that require apps or services to have a static IP address.
  • TLS/SSL certificates linked to an IP address.
  • Firewall rules that allow or deny traffic using IP address ranges.
  • Role-based VMs such as Domain Controllers and DNS servers.
  • Dynamic. Azure assigns the next available unassigned or unreserved IP address in the subnet’s address range. Azure assigns to a new resource, if addresses are already assigned to other resources. Dynamic is the default allocation method.
  • Static. You select and assign any unassigned or unreserved IP address in the subnet’s address range.

Network Security Groups

You can add more rules by specifying:

  • Name
  • Priority
  • Port
  • Protocol (Any, TCP, UDP)
  • Source (Any, IP Addresses, Service tag)
  • Destination (Any, IP Addresses, Virtual Network)
  • Action (Allow or Deny)

Service. Service specifies the destination protocol and port range for this rule. You can choose a predefined service, like HTTPS and SSH. When you select a service, the Port range is automatically completed. Choose custom to provide your own port range.

Port ranges. Port ranges can include a single port, a port range, or a comma-separated list of ports. The ports designate the traffic will be allowed or denied by this rule. Provide an asterisk (*) to allow traffic on any port.

Priority. Rules are processed in priority order. The lower the number, the higher the priority. We recommend leaving gaps between rules to make it easier to add new rules. The value is between 100-4096 and unique for all security rules within the network security group.

Azure Firewall

  • Built-in high availability. High availability is built-in, so additional load balancers aren’t required. There’s nothing you need to configure.
  • Availability Zones. Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability.
  • Unrestricted cloud scalability. Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don’t need to budget for your peak traffic.
  • Application FQDN filtering rules. You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN) including wild cards.
  • Network traffic filtering rules. You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
  • Threat intelligence. Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.
  • Multiple public IP addresses. You can associate multiple public IP addresses with your firewall.

Hub and Spoke

  • The hub is a virtual network in Azure that acts as a central point of connectivity to your on-premises network.
  • The spokes are virtual networks that peer with the hub and can be used to isolate workloads.
  • Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection.
  • Cost savings by centralizing services that can be shared by multiple workloads, such as network virtual appliances (NVAs) and DNS servers, in a single location.
  • Overcome subscriptions limits by peering virtual networks from different subscriptions to the central hub.
  • Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps).
  • Workloads in different environments that require shared services. Development and testing environments that require DNS. Shared services are placed in the hub virtual network. Each environment is deployed to a spoke to maintain isolation.
  • Workloads that don’t require connectivity to each other, but require access to shared services.
  • Enterprises that require central control over security aspects. A firewall in the hub and workloads in each spoke.


  • Name: A label for the rule.
  • Protocol: TCP or UDP.
  • Source Address: * (Internet), a specific Internet address, or a CIDR block.
  • Destination Address: The external address of the firewall that the rule will inspect.
  • Destination Ports: The TCP or UDP ports that the rule will listen to on the external IP address of the firewall.
  • Translated Address: The IP address of the service (virtual machine, internal load balancer, and so on) that privately hosts or presents the service.
  • Translated Port: The port that the inbound traffic will be routed to by the Azure Firewall.

Network Rules

  • Name: A friendly label for the rule.
  • Protocol: TCP, UDP, ICMP (ping and traceroute) or Any.
  • Source Address: The address or CIDR block of the source.
  • Destination Addresses: The addresses or CIDR blocks of the destination(s).
  • Destination Ports: The destination port of the traffic.

App Rules

  • Name: A friendly label for the rule.
  • Source Addresses: The IP address of the source.
  • Protocol:Port: HTTP/HTTPS and the port that the webserver is listening on.
  • Target FQDNs: The domain name of the service. An FQDN tag represents a group of FQDNs associated with well-known Microsoft services. Example FQDN tags include Windows Update, App Service Environment, and Azure Backup.

When a packet is being inspected to determine if it is allowed or not, the rules are processed in this order:

  1. Network Rules
  2. Application Rules (network and application)

An application rule can be used to filter traffic based on an FQDN such as

Use DNAT to translate Azure firewall’s public IP address to the private IP address of the virtual server.

The Azure firewall uses a statically assigned public IP address.

Azure DNS

  • The name of the zone must be unique within the resource group, and the zone must not exist already.
  • The same zone name can be reused in a different resource group or a different Azure subscription.
  • Where multiple zones share the same name, each instance is assigned different name server addresses.
  • Root/Parent domain is registered at the registrar and pointed to Azure NS.
  • Child domains are registered in AzureDNS directly.

Private DNS

  • Removes the need for custom DNS solutions. Previously, many customers created custom DNS solutions to manage DNS zones in their virtual network. You can now perform DNS zone management by using the native Azure infrastructure. This removes the burden of creating and managing custom DNS solutions.
  • Use all common DNS records types. Azure DNS supports A, AAAA, CNAME, MX, PTR, SOA, SRV, and TXT records.
  • Automatic hostname record management. Along with hosting your custom DNS records, Azure automatically maintains hostname records for the VMs in the specified virtual networks. In this scenario, you can optimize the domain names you use without needing to create custom DNS solutions or modify applications.
  • Hostname resolution between virtual networks. Unlike Azure-provided hostnames, private DNS zones can be shared between virtual networks. This capability simplifies cross-network and service-discovery scenarios, such as virtual network peering.
  • Familiar tools and user experience. To reduce the learning curve, this new offering uses well-established Azure DNS tools (PowerShell, Azure Resource Manager templates, and the REST API).
  • Split-horizon DNS support. With Azure DNS, you can create zones with the same name that resolve to different answers from within a virtual network and from the public internet. A typical scenario for split-horizon DNS is to provide a dedicated version of a service for use inside your virtual network.
  • Available in all Azure regions. The Azure DNS private zones feature is available in all Azure regions in the Azure public cloud.

Azure DNS hosts the registered domains. Administrators can control and configure the domain records, like A, CNAME, MX, and set up alias records.

The A or AAAA record maps an IP address to a domain. Multiple IP addresses are known as a recordset.

Azure Private DNS manages and resolves domain names in a virtual network without adding a custom DNS solution.

VNET Peering

  • Regional VNet peering connects Azure virtual networks in the same region.
  • Global VNet peering connects Azure virtual networks in different regions. When creating a global peering, the peered virtual networks can exist in any Azure public cloud region or China cloud regions, but not in Government cloud regions. You can only peer virtual networks in the same region in Azure Government cloud regions.
  • Private. Network traffic between peered virtual networks is private. Traffic between the virtual networks is kept on the Microsoft backbone network. No public Internet, gateways, or encryption is required in the communication between the virtual networks.
  • Performance. A low-latency, high-bandwidth connection between resources in different virtual networks.
  • Communication. The ability for resources in one virtual network to communicate with resources in a different virtual network, once the virtual networks have peered.
  • Seamless. The ability to transfer data across Azure subscriptions, deployment models, and across Azure regions.
  • No disruption. No downtime to resources in either virtual network when creating the peering, or after the peering is created.

When you Allow Gateway Transit the virtual network can communicate to resources outside the peering.

  • Use a site-to-site VPN to connect to an on-premises network.
  • Use a VNet-to-VNet connection to another virtual network.
  • Use a point-to-site VPN to connect to a client.

The peering is not successfully established until the peering status for both virtual network peerings is Connected.

Gateway transit allows peered virtual networks to share the gateway and get access to resources.

The Azure backbone handles traffic between virtual networks.

VPN Gateway

  • Site-to-site connections connect on-premises datacenters to Azure virtual networks
  • VNet-to-VNet connections connect Azure virtual networks (custom)
  • Point-to-site (User VPN) connections connect individual devices to Azure virtual networks
  • Gateway type. VPN or ExpressRoute.
  • VPN type. Route-based or Policy-based. Most VPN types are Route-based. The type of VPN you choose depends on the make and model of your VPN device and the kind of VPN connection you intend to create. Typical route-based gateway scenarios include point-to-site, inter-virtual network, or multiple site-to-site connections.
  • SKU. Use the drop-down to select a gateway SKU. Your choice will affect the number of tunnels you can have and the aggregate throughput benchmark. The benchmark is based on measurements of multiple tunnels aggregated through a single gateway. It is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.
  • Generation. Generation1 or Generation2. You cannot change generations or SKUs across generations. Basic and VpnGw1 SKUs are only supported in Generation1. VpnGw4 and VpnGw5 SKUs are only supported in Generation2.
  • Virtual networks. The virtual network will be able to send and receive traffic through the virtual network gateway. A virtual network cannot be associated with more than one gateway.

Typical route-based gateway scenarios include point-to-site, inter-virtual network, or multiple site-to-site connections.

Route-based is also selected to coexist with an ExpressRoute gateway or when the IKEv2 protocol is used.

Aggregate Throughput Benchmarks are provided for each Gateway SKU.

Express Route and Virtual WAN

  • Unlimited data. Billing is based on a monthly fee; all inbound and outbound data transfer is included free of charge.
  • Metered data. Billing is based on a monthly fee; all inbound data transfer is free of charge. Outbound data transfer is charged per GB of data transfer. Data transfer rates vary by region.
  • ExpressRoute premium add-on. This add-on includes increased routing table limits, increased number of VNets, global connectivity, and connections to Microsoft 365 and Dynamics 365.

Virtual WAN

  • Integrated connectivity solutions in hub and spoke. Automate site-to-site configuration and connectivity between on-premises sites and an Azure hub.
  • Automated spoke setup and configuration. Connect your virtual networks and workloads to the Azure hub seamlessly.
  • Intuitive troubleshooting. You can see the end-to-end flow within Azure, and then use this information to take required actions.

Azure ExpressRoute is a service that provides a direct connection from the on-premises data center to the Microsoft cloud.

Azure Virtual WAN with Virtual WAN hubs simplifies a complex virtual network WAN.

ExpressRoute is best for handling enterprise-class and mission-critical workloads.

Load Balancing

An internal load balancer enables the following types of load balancing:

  • Within a virtual network. Load balancing from VMs in the virtual network to a set of VMs that reside within the same virtual network.
  • For a cross-premises virtual network. Load balancing from on-premises computers to a set of VMs that reside within the same virtual network.
  • For multi-tier applications. Load balancing for internet-facing multi-tier applications where the backend tiers are not internet-facing. The backend tiers require traffic load-balancing from the internet-facing tier.
  • For line-of-business applications. Load balancing for line-of-business applications that are hosted in Azure without additional load balancer hardware or software. This scenario includes on-premises servers that are in the set of computers whose traffic is load-balanced.

An internal load balancer directs traffic only to resources that are inside a virtual network or that use a VPN to access Azure infrastructure.

The load balancer uses a five-tuple (source IP, source port, destination IP, destination port, and protocol type) hash to map traffic to available servers.

The virtual machines that use a load balancer to distribute a load must be in the same virtual network.

Azure Application Gateway

  • Support for the HTTP, HTTPS, HTTP/2, and WebSocket protocols.
  • A web application firewall to protect against web application vulnerabilities.
  • End-to-end request encryption.
  • Autoscaling, to dynamically adjust capacity as your web traffic load change.
  • Redirection. Redirection can be used to another site, or from HTTP to HTTPS.
  • Rewrite HTTP headers. HTTP headers allow the client and server to pass parameter information with the request or the response.
  • Custom error pages. Application Gateway allows you to create custom error pages instead of displaying default error pages. You can use your own branding and layout using a custom error page.

An Application Gateway uses the hostname, port, and URL path.

The Application Gateway distributes requests using round-robin.

The Web Application Firewall is an optional component that handles incoming requests before they reach a listener.

The Web Application Firewall checks each request for many common threats, based on the Open Web Application Security Project.

Azure 104 Sample Questions

Your company wants to implement Multi-factor authentication by using conditional access policies. Which of the following would they need to carry out to achieve this requirement?
Upgrade the Azure AD licenses to Premium P1

When adding custom domain names, which of the following record needs to be added to your custom domain registrar?
TXT record.

You have configured Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network for your company. Users are reporting that when they attempt to access, they are prompted multiple times to sign in and are forced to use an account name that ends with You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory. You need to ensure that the users can use single-sign-on (SSO) to access Azure resources. What should you do first?
From Azure AD, add and verify a custom domain name.

What kind of account would you create to allow an external organization easy access?
A guest user account for each member of the external team.

What is the default domain name before a custom domain is created?

When you enable SSPR for your Azure AD organization…
If the user passes the authentication tests, then they can reset their password.

When is a user considered registered for SSPR?
A user is considered registered for SSPR when they’ve registered at least the number of methods that you’ve required to reset a password. You can set this number in the Azure portal.

A company has set up an Azure subscription and a tenant. They want to ensure that only Virtual Machines of a particular SKU size can be launched in their Azure account.
They decide to implement Role-Based access control.
Does this fulfill the requirement?
No Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Your company has an Azure account and an Azure subscription. They have created a Virtual Network named devops-net. Which of the following users would be able to add a subnet to the Virtual Network?
If you look at the Network Contributor Role, they have access to manage Virtual Networks. And then by default, the Owner will have all privileges over Azure resources.

Your company has an Azure subscription and an Azure tenant called devops. A group called devops-dev has been created in the tenant. This group will consist of Azure AD users who will take on a developer role. You need to ensure that the group has the ability to manage Logic Apps in Azure.
You decide to assign the Logic App Contributor role to the group.
Would this solution fulfill the requirement?
Yes. If you look at the permissions for the in-built roles for Logic Apps, you can see that the role has the permissions for managing Logic App resources

A company has just set up an Azure account and subscription. There is a requirement to ensure that IT admins can only spin up VM’s of a particular SKU size. Which of the following can help achieve this?
Create an Azure policy and assign it to the subscription.

Which CLI command is used to create your own unique policy?
az policy definition create

Which of the following can be used to organize resources for cost reporting? Choose the most complete answer.
Subscriptions, resource groups, and tags

What option do you have to grant someone access to a single container in your Azure storage account without having to give them your storage account keys?
Create for them a Shared Access Signature (SAS)

2 PB is quite a large amount of storage, and very few uses are going to fill that up. Assuming that you will not fill it up, what would be the most likely reason you need to create more than one unmanaged storage account?
Exceeding the maximum of 20,000 IO operations per second

A company needs to set up a storage account named DevOps-Architect in Azure. Below are the key requirements for the storage account:
– Be able to store virtual disk files for Azure virtual machines
– Costs of accessing the files needs to be minimized
– Replication costs should be minimized.
Which of the following would you choose as the replication strategy?
Locally redundant storage (LRS)

You have been requested to move a subset of documents to Azure. The total size of the documents is 500MB. You have the following requirements:
– Move the existing files to Azure Blob storage.
– Copy the files to Azure over the Internet.
Which of the following is the ideal implementation step that should be followed to fulfill this requirement?
Use Azure Storage Explorer to copy the files.

What benefit does a Content Delivery Network (CDN) provide its users?
Allows you to reduce the traffic coming into a web server for static, unchanging files such as images, videos, and PDFs

The standard use for a Content Delivery Network (CDN) cache is to accelerate the serving of static files such as images, videos, and scripts. But when a website is completely customized to each user, where every user sees different content or personalized content, it’s not as effective. How can a CDN help these dynamic websites serve web content faster to users?
By reading the HTML as it serves it, it can prefetch the next set of URLs before the user browser even requests them; and it can apply dynamic compression to images if the browser client is on a slower internet connection or a mobile device.

You have created a storage account named devops. You have created a file share named demo using the file service. You need to ensure that users can connect to the file share from their home computers. Which of the following port should be open to ensure connectivity?
The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked.

Your company wants to deploy a blogging solution on Azure. Below are the key deployment requirements
– Ability to connect to Azure BLOB storage as the origin
– Ensure that users across the world get the same performance when they access the blogging site
You provide a solution of using the Azure File Sync service. Does this solution meet the requirement?
No. The Azure File Sync service is used as a file distribution service. The ideal solution to use here is the Content Delivery service. 

There is a web-based application called devops-app. This application is used by users across the world. The application devops-app is a critical application and hence you need to ensure a backup solution is in place for the application. Which of the following would need to be created first?
To back up any resource in Azure, the first thing you need to do is to create a Recovery Services vault.

Your company has an Azure account and subscription. A virtual machine named awesomevm is created as part of the subscription. There is a requirement to protect the virtual machine using Azure Backup. You need to apply a rule that the backups must be created every day at 12:00 and stored for a minimum of 45 days. Which of the following can be used to configure the backup rule?
A backup policy

The primary goal of cloud-based backup services is to:
Prevent data loss by backing up virtual machines and other resources that store data

What are Azure Availability Zones?
Availability Zones – Unique physical locations within an Azure region, made up of one or more data centers; there is a minimum of three zones in each region; you can manually place your resources in an availability zone for the highest availability

Cool Company Inc runs its Azure virtual machines in an availability set. All of the websites are running in the same availability set. They do this to increase the availability of their application should planned or unplanned outages happen. What is the maximum number of fault domains (FD) and update domains (UD) that your application can be spread across?
Microsoft automatically assigns Virtual Machines across 2 fault domains (physical servers) and 5 update domains to minimize uptime during planned and unplanned outages by default. The maximum number of FD is 3 and the maximum number of UD is 20.

What are the primary criteria to qualify for Microsoft’s Service Level Agreement (SLA), promising 99.95% uptime, for Virtual Machines?
VMs must have two or more instances in the same availability set

What is the maximum number of virtual machines that a virtual machine scale set can support?

What data format are ARM templates created in?

In order to use ARM templates in automation, what other file is usually required besides the ARM template JSON file itself?
No other files are required. But a parameter JSON file would be used if the template had parameters as inputs.

A new network interface named secondary has been created. The Network interface needs to be added to the Virtual machine. What must be done first in order to ensure that the network interface can be attached to the Virtual Machine?
In order to add a network interface to a virtual machine, the machine needs to be stopped first.

You have an application deployed in Azure. This application is hosted on a Virtual Machine called awesomevm. The Virtual Machine was deployed using a Resource Manager template called demo.json. You receive a notification that awesomevm will be affected by maintenance. To avoid maintenance, you want to move the Virtual machine to a different host immediately.
You decide on following the steps of going to the Settings blade and clicking on the Redeploy button.
Would this solution fulfill the requirement?
Yes, if you Redeploy the VM, it will be allocated to a different hardware cluster. This will ensure that awesomevm is not affected by the maintenance. If you go to the Redeploy blade of your Virtual Machine, you can see the ability to relocate the VM on a different host.

You have a virtual machine created in Azure. The Virtual machine has one network interface and one managed disk. The size of the Virtual machine is D4s_v3.
The following changes will be made to the Virtual Machine:
– The size of the Virtual machine will be set to D8s_v3
– A 200GB managed disk will be attached to the Virtual machine
– A network interface will be added
– The Puppet agent extension will be installed
Which of the following 2 options will cause downtime for the Virtual Machine?
After you create a virtual machine (VM), you can scale the VM up or down by changing the VM size. In some cases, you must deallocate the VM first. This can happen if the new size is not available on the hardware cluster that is currently hosting the VM.

Imagine the following:
– You have two Azure Windows VM’s hosting the web tier of an app named devopsapp.
– You have two Azure Windows VM’s hosting the database tier of an app named devopsapp.
You want to ensure daily backups are taken for the Azure VM’s. The daily retention period for the webserver would be one week and for the database VM’s, 15 days.
What is the minimum number of backup policies you would need to create?
You would need to create two policies. One is for the web servers with the retention of a daily backup point for seven days, and another for the database servers with retention of daily backup points for 15 days.

Your company has an Azure account and subscription. A virtual machine named awesomevm is created as part of the subscription. There is a requirement to protect the virtual machine using Azure Backup. You need to apply a rule that the backups must be created every day at 12:00 and stored for a minimum of 45 days. Which of the following is used to store the backups?
In order to back up a VM, you have to first create a recovery services vault.

You need to ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to twenty instances. Which pricing tier should you recommend?

Which of the following is not a valid automated deployment source?
Sharepoint. Azure currently supports Azure DevOps, GitHub, Bitbucket, OneDrive, Dropbox, FTP, local Git, and external Git repositories.

You have defined an autoscale condition with four autoscale rules. The first rule scales out when the CPU utilization reaches 70 percent. The second rule scales back in when the CPU utilization drops below 50 percent. The third rule scales out if memory occupancy exceeds 75 percent. The fourth rule scales back in when memory occupancy falls below 50 percent. When will the system scale out?
When CPU utilization reaches 70 percent or memory occupancy exceeds 75 percent

Suppose you work for a company that builds a Massively Multiplayer Online (MMO) game. You decide to move all your services to Azure Kubernetes service. Which of the following components will contribute to your monthly Azure charge?
You only pay for the virtual machines instances, storage, and networking resources consumed by your Kubernetes cluster.

You have an Azure Kubernetes Service (AKS) cluster named Clus1 in a resource group named RG1.
An administrator plans to manage Clus1 from an Azure AD-joined device.
You need to ensure that the administrator can deploy the YAML application manifest file for a container application.
You install the Azure CLI on the device.
Which command should you run next?
To configure kubectl to connect to your Kubernetes cluster, use the az aks get-credentials command. This command downloads credentials and configures the Kubernetes CLI to use them.

On which of the following operating systems does Docker for desktop run?
Linux, macOS, and Windows

True or false: Microsoft ExpressRoute is a virtual networking technology that operates over the public Internet that allows secure, scalable access to Microsoft Azure services while ensuring performance, security, and reliability.
False. ExpressRoute operates over a private network, not the Internet. You must connect through a communications service provider to arrange a private direct connection.

Why would you use a custom route in a virtual network?
Custom routes are used to override the default Azure routing so that you can route traffic through a network virtual appliance (NVA).

Which of the following resources can you assign a public IP address to?
A virtual machine

You have an application in the East US region, running on a virtual network also in the East US region. You need to establish an encrypted, private connection to a data source that exists in Azure’s Japan region, and that data source does not have a public endpoint. Attempting to connect with the Japanese data source from East US results in an error. How best to establish a connection between the two regions?
Install Gateway devices on both East US and Japan regions, and connect the gateways together

Which of the following needs to be set up in Azure for the Site-to-Site VPN connection?
A gateway subnet

You need to connect Azure resources like Azure virtual machines across geographical regions. Which Azure networking option should you use?
Use virtual network peering to connect virtual networks to each other so resources in either virtual network can communicate with each other. The virtual networks you connect can be in different Azure regions.

What does Azure DNS allow you to do?
Azure DNS allows you to host your registered domains. You can control and configure the domain records, like A, CNAME, MX, and set up alias records.

What type of DNS record is used to map a custom domain to a web app using its IP address?
The A record maps a custom domain to an IP address.

Your company goes ahead and registers a domain name of You then go ahead and create an Azure DNS zone named You then add an A record to the zone for a host named www that has an IP address of But the users complain that they cannot resolve the URL to This issue needs to be resolved.
You propose a solution to modify the name server at the domain registrar.
Would this solution resolve the issue?
Yes. If you create a DNS zone in Azure, then you need to first make a note of the Name servers for the DNS zone. Then go to your DNS provider and enter the Name servers for your Domain

If no rules other than the default NSG rules are in place, are VM’s on SubnetA and SubnetB be able to connect to the Internet?
Yes. The Outbound rules contain a Rule with the Name of “AllowInternetOutBound”. This would allow all Outbound traffic to the Internet.

Your company has an Azure account and subscription. The subscription contains a virtual machine named awesomevm877. You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet. You add a network interface to the virtual machine with the default NSG rules.
From Computer1 you want to be able to also access a web service running on port 80 after awesomevm877 is started. Which of the following must be done for this to work?
In the “Add inbound security rule” for the “Inbound security rules” pane you need to add an incoming rule to allow traffic on port 80.

You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network security groups that you require?
1. A network security group can have multiple network interfaces assigned to it. Since the question clearly states that the virtual machines all require the same inbound and outbound security rules, hence we should use the same network security group for all network interfaces

Your team is planning on creating an Internal load balancer. This load balancer will be used to distribute traffic to Azure Virtual Machines. You need to ensure that user requests are always mapped to the same Virtual Machine that processes the initial request. Which of the following would you need to set for the Load Balancer?
Set Session Persistence to Client IP

A company has set up a Load balancer that load balances traffic on ports 80 and 443 across 3 virtual machines. You have to ensure that all RDP traffic is directed towards a VM named awesomevm. How would you achieve this?
By creating an inbound NAT rule

What is the default distribution type for traffic through a load balancer?
5 tuple hash

Which of the following statement about external load balancers is correct?
They have a public IP address.

The necessary peering connections have been created between vnetwork1 and vnetwork2. The firewalls on the virtual machines have been modified to allow ICMP traffic. But traffic does not seem to flow between the virtual machines when the ping request is made.
Which of the following can be used to diagnose the issue?
The issue could be due to the security groups. You can diagnose the issue using IP Flow Verify.

Your company currently has a Virtual Network defined in Azure. The Virtual Network has a default subnet that contains 2 Virtual machines named awesomevm and awesomevm1 There is a requirement to inspect all network traffic between the Virtual Machines for a duration of 3 hours.
You propose a solution to run Packet Capture in Azure Network Watcher
Does this solution fulfill the requirement?
Yes. Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications, and much more.

A company has the following resources defined in Azure
A Virtual Network named vnet1 which connects to an on-premises network using a site-to-site VPN
The Virtual Network contains a subnet named SubnetA
The subnet is associated with a network security group named devops-nsg
The subnet contains a basic internal load balancer named devopslb
The load balancer has three Azure virtual machines in the backend pool
The company has the requirement to collect data about the IP addresses that connect to the load balancer. The company also wants its data team to run interactive queries from the Azure portal against the collected data
Which of the following would be a resource that would need to be created for this purpose?
You can perform Interactive queries using Log Analytics. To analyze traffic, you need to have an existing network watcher or enable a network watcher in each region that you have NSGs that you want to analyze traffic.

Which Azure Service is the centralized spot for all Activity Logs, Metrics, Alerts, and Diagnostics for all resources across your subscription?
Azure Monitor is the centralized spot to contain all these things.

In order to get diagnostics from an Azure virtual machine you own, what is the first step to doing that?
A diagnostics agent needs to be installed on the VM

What is the best way to “baseline” your existing Azure environment?
Export the ARM templates from Azure to recreate the deployment

Which Microsoft service can help you monitor and manage costs for Microsoft Azure, Amazon AWS, and Google Cloud Platform?
Cloudyn is a Microsoft service that can work with the major cloud vendors to report on costs

Click to share! ⬇️