AZ-104 Exam and Azure Administration
In today’s rapidly evolving technology landscape, cloud computing has become a core component for businesses of all sizes, from multinational corporations to small local companies. One of the most widely adopted cloud platforms is Microsoft Azure. With its expansive range of services, Azure enables organizations to build, deploy, and manage applications seamlessly. However, to ensure that an Azure environment is configured and maintained correctly, skilled IT professionals are necessary. The Microsoft Certified: Azure Administrator Associate certification, validated through the AZ-104 exam, is one way to demonstrate expertise in managing Azure environments.
This article delves into the AZ-104 certification, its significance for IT professionals, and why it is an essential step for anyone working with Azure, particularly those aspiring to manage and maintain cloud resources. Understanding the structure, exam objectives, preparation methods, and career implications of the AZ-104 exam can help you decide whether this certification aligns with your career goals.
What is the AZ-104?
The AZ-104 is the certifying exam for Microsoft’s associate-level Azure certification. The full name of the certification is Microsoft Certified: Azure Administrator Associate, and it is designed to assess the skills of IT professionals in managing and administering cloud environments using Microsoft Azure. Passing this exam proves that an individual possesses the necessary knowledge and skills to implement, manage, and monitor an organization’s Azure infrastructure.
This certification falls under the intermediate level in Microsoft’s Azure certification path. Unlike the Microsoft Certified: Azure Fundamentals certification, which serves as an introductory certification for those new to Azure, the Azure Administrator Associate certification is targeted at professionals who already have experience with IT administration. The AZ-104 exam covers a broad range of administrative tasks within Azure, including configuring storage, deploying compute resources, managing virtual networks, and ensuring the smooth operation of the environment.
For IT professionals looking to advance their careers in cloud technologies, the AZ-104 certification is a valuable credential. It equips professionals with essential skills needed to manage Azure resources effectively, making them capable of handling administrative tasks and ensuring the reliability and security of cloud environments.
Exam Objectives and Skills Tested
The AZ-104 exam is designed to test a candidate’s ability to perform various administrative tasks within an Azure environment. Microsoft has broken down the exam content into five key objectives. These are the areas that candidates should focus on to successfully pass the exam and earn the Azure Administrator Associate certification.
1. Manage Azure Identities and Governance
Azure identities are at the core of any organization’s cloud environment. Managing Azure Active Directory (Azure AD) is crucial for controlling access to resources within an Azure subscription. As part of the AZ-104 exam, candidates will need to demonstrate their ability to manage Azure AD, user and group identities, and implement governance strategies to ensure proper security protocols are followed.
This objective includes tasks such as
· Configuring Azure Active Directory and managing its components.
· Creating and managing users, groups, and devices.
· Implementing Azure AD Connect for directory synchronization.
· Configuring multi-factor authentication (MFA) and conditional access policies to enhance security.
2. Implement and Manage Storage
The AZ-104 exam tests a candidate’s ability to configure and manage Azure storage resources. Storage management is vital to ensure that an organization’s data is securely stored, backed up, and accessible at all times.
Topics covered under this objective include
· Configuring Azure Storage accounts, including setting up containers and managing blobs.
· Implementing Azure File Sync and Azure Backup for data protection.
· Managing access to Azure Storage through shared access signatures (SAS) and role-based access control (RBAC).
· Implementing storage security measures, such as encryption and firewalls.
3. Deploy and Manage Azure Compute Resources
One of the key aspects of managing a cloud environment is deploying compute resources. The AZ-104 exam evaluates a candidate’s ability to provision and manage virtual machines (VMs), which are the backbone of most cloud infrastructures.
Candidates will be assessed on:
· Deploying and configuring virtual machines using the Azure portal, PowerShell, and CLI.
· Managing VM networking, availability sets, and scale sets.
· Implementing virtual machine monitoring, backup, and disaster recovery solutions.
· Managing App Services for web apps, including scaling and troubleshooting.
4. Configure and Manage Virtual Networking
Virtual networking is a fundamental part of Azure’s infrastructure. Azure administrators must be able to create and manage virtual networks (VNets) to ensure that resources are connected and communication is optimized. This section tests a candidate’s knowledge of Azure networking services and how to configure them.
Key tasks include:
· Configuring virtual networks, subnets, and network security groups (NSGs).
· Implementing and managing VPNs and ExpressRoute for secure connections between on-premises infrastructure and Azure.
· Configuring and managing Azure DNS for name resolution.
· Setting up network traffic routing and ensuring optimal connectivity between resources.
5. Monitor and Back Azure Resources
Monitoring and backup are essential tasks for maintaining the health and security of Azure environments. Candidates must demonstrate their ability to monitor the performance of resources, implement logging and alerts, and perform backups to ensure data recovery in case of a failure.
Tasks under this objective include
· Configuring Azure Monitor to track resource health and performance.
· Managing Azure Alerts and Log Analytics to gather insights and automate responses.
· Implementing Azure Backup for resource protection and disaster recovery.
· Configuring Azure Site Recovery for business continuity.
Who Should Take the AZ-104?
The AZ-104 certification is designed for individuals who are responsible for implementing, managing, and monitoring identity, governance, storage, compute, and virtual networks in a Microsoft Azure environment. It also covers provisioning and managing Azure resources, configuring and managing virtual networking, and securing identities. Several job roles align well with the skills tested in the AZ-104 exam, and professionals from various backgrounds can significantly benefit from this certification.
Azure administrators are one of the primary audiences for the AZ-104 certification. These professionals are often already involved in managing cloud resources and services within Azure. Their day-to-day responsibilities typically include implementing and managing storage, configuring virtual machines, monitoring and managing Azure resources, and managing identities using Azure Active Directory. The AZ-104 exam ensures that Azure administrators can validate their skills in real-world scenarios. It covers essential administrative tasks such as configuring virtual networks, monitoring and backing up Azure resources, and implementing security measures. For Azure administrators, the certification acts as a formal recognition of their ability to manage Azure effectively and aligns with the skills needed to maintain and optimize a cloud-based infrastructure.
Systems administrators, particularly those coming from traditional on-premises environments, are also well-suited for the AZ-104 certification. Many organizations are shifting from on-premises servers and services to cloud-based infrastructure, and this transition requires systems administrators to update their knowledge and skill sets. The AZ-104 certification bridges this gap by offering training and assessment in cloud-based administration, highlighting the distinctions between managing on-premises systems and those hosted in Azure. It introduces candidates to concepts such as scalability, automation, and resource management through Azure Resource Manager templates, tools that may be unfamiliar to those used to managing local servers. For systems administrators, obtaining the AZ-104 certification helps in adapting to cloud-first strategies and ensures they can manage resources in a hybrid or fully cloud-based environment.
Network administrators can also greatly benefit from the AZ-104 certification, especially as cloud networking becomes an integral part of enterprise IT infrastructures. The certification includes topics such as configuring virtual networks, managing connectivity between virtual networks, implementing network security groups, and integrating on-premises networks with Azure using VPN gateways and ExpressRoute. For network administrators, understanding how networking operates in a cloud environment is essential. Azure networking introduces virtual network peering, service endpoints, and private links, all of which are different from traditional networking setups. The AZ-104 certification equips network professionals with the knowledge and skills needed to manage these resources, ensuring secure and efficient cloud connectivity. It also provides insights into monitoring and diagnosing network-related issues using Azure-native tools.
IT support professionals, including help desk analysts and technical support staff, may find the AZ-104 certification a valuable step forward in their careers. As more businesses adopt cloud solutions, IT support roles are evolving to include responsibilities that go beyond troubleshooting desktops and on-premises servers. These professionals are increasingly required to support cloud applications, manage user identities, and troubleshoot issues related to virtual machines and cloud storage. The AZ-104 certification prepares support personnel to take on these expanded roles by teaching them how to use the Azure portal, manage resources, and respond to incidents involving cloud-based infrastructure. It introduces basic administrative tasks such as managing subscriptions, configuring role-based access control, and setting up resource monitoring, all of which are necessary skills for modern support roles. By achieving this certification, IT support professionals demonstrate their readiness to handle more complex and cloud-focused responsibilities, potentially opening the door to roles in cloud administration or DevOps.
Another group that stands to benefit from the AZ-104 certification includes junior IT professionals and recent graduates looking to specialize in cloud technologies. While the exam is not necessarily entry-level, it does provide a clear pathway for individuals who have foundational IT knowledge and wish to pursue a career in cloud administration. The certification helps such individuals understand Azure’s core services and equips them with practical skills that can be immediately applied in enterprise environments. Since many organizations prefer candidates with certified expertise, obtaining the AZ-104 can improve employability and provide a competitive edge in the job market. It also serves as a stepping stone for more advanced Azure certifications, such as the AZ-305 for Azure Solutions Architects.
DevOps professionals with a focus on deployment and operations may also consider taking the AZ-104 certification to round out their understanding of infrastructure and system management. While many DevOps roles focus on CI/CD pipelines and automation, having a solid grasp of Azure administration is crucial for deploying and maintaining environments efficiently. The AZ-104 exam includes topics on monitoring and backup, which are critical for maintaining service reliability. It also provides knowledge on configuring automation through runbooks and using Azure Monitor to gain insights into system performance. For DevOps professionals, the certification offers a practical understanding of how infrastructure is provisioned and managed, enabling them to optimize their workflows and enhance overall system reliability.
Cloud consultants and technical account managers can also benefit from earning the AZ-104 certification. These professionals are often responsible for advising clients on cloud solutions, creating architectural recommendations, or acting as liaisons between technical teams and business stakeholders. A thorough understanding of Azure administration helps them provide more accurate guidance and build trust with clients. The certification demonstrates a hands-on familiarity with the Azure ecosystem, allowing consultants to tailor solutions that are practical and aligned with clients’ infrastructure needs. It also enhances communication between technical and non-technical stakeholders by grounding recommendations in real-world knowledge of Azure capabilities.
In larger organizations, IT project managers and cloud strategists might consider the AZ-104 certification to deepen their understanding of cloud infrastructure. While these roles may not involve hands-on management of Azure resources, having a working knowledge of Azure administration ensures that project managers can effectively plan, coordinate, and assess the technical feasibility of cloud projects. The certification provides insight into the administrative considerations of deploying applications, managing resources, and scaling solutions within Azure, all of which are essential for effective project planning and stakeholder communication.
Cybersecurity professionals focusing on cloud security can also gain value from the AZ-104 certification. Although the certification is not primarily security-focused, it does cover essential aspects of securing identities, configuring role-based access, and implementing network security controls. Understanding the default security features within Azure, such as Network Security Groups, Azure Defender, and Azure Policy, helps security professionals align security practices with the way Azure is administered. It enables them to collaborate more effectively with cloud administrators and ensure that best practices for access management and resource protection are consistently implemented.
Lastly, organizations looking to build or expand their internal cloud competencies may encourage cross-functional teams to pursue the AZ-104 certification. This includes software developers, database administrators, and operations engineers who interact with cloud infrastructure as part of their roles. While these professionals may not specialize in administration, having foundational knowledge of how Azure resources are managed helps improve collaboration, reduce deployment errors, and streamline operations. For example, developers who understand Azure infrastructure can write more efficient and compatible code for deployment, while database administrators can better manage Azure-based data services with insights into performance monitoring and backup strategies.
The AZ-104 certification is not limited to any single role but supports a wide range of professionals involved in cloud computing. Its focus on administrative skills, resource management, identity control, networking, and monitoring makes it relevant to multiple domains. Whether transitioning to the cloud from traditional IT roles, enhancing current responsibilities in a cloud-focused job, or preparing for more advanced Azure certifications, individuals across IT disciplines will find the AZ-104 a critical step in validating and expanding their capabilities in Microsoft Azure.
Preparing for the AZ-104
Passing the AZ-104 requires a comprehensive understanding of Azure’s administrative functions, which can be gained through practical experience and formal training. While there are no formal prerequisites for the AZ-104 exam, Microsoft recommends that candidates have at least six months of hands-on experience working with Azure.
Preparing for the AZ-104 requires a well-structured study plan, as the exam covers a wide range of topics. Using Cloud Practice test platforms, such as Exam-Labs, can help candidates simulate the exam experience and reinforce their knowledge. Studying official Microsoft documentation and online learning resources, including courses that align with the exam objectives, will also aid in exam preparation. Additionally, it’s helpful to gain practical experience by using the Azure portal, PowerShell, and CLI to configure and manage resources.
Candidates should focus on mastering the skills necessary for managing Azure identities, storage, compute resources, virtual networking, and backup operations. Understanding how these components interact within Azure will give candidates the confidence to answer complex exam questions effectively.
Cost of the AZ-104 Exam
The cost to attempt the AZ-104 exam is USD 165. However, this does not include the cost of training materials or preparatory courses. As with any certification exam, it’s important to factor in the costs of study resources, including books, practice tests, and courses that align with the exam objectives.
In some cases, professionals affected by the COVID-19 pandemic may be eligible for discounts or free exam vouchers, depending on their location and circumstances. It’s always a good idea to check Microsoft’s official AZ-104 page for up-to-date information on exam pricing and discounts.
Azure Identity and Governance for AZ-104
Azure identity and governance play a crucial role in managing security, access control, and resource accountability in a cloud environment. For anyone preparing for the AZ-104: Microsoft Azure Administrator exam, a deep understanding of how Azure handles identities, access management, and governance frameworks is essential. This section expands on the first exam domain, Manage Azure Identities and Governance, with technical insights and hands-on tasks you’re expected to master for real-world administrative responsibilities.
Understanding Azure Active Directory (Azure AD)
Azure AD (Azure Active Directory) is a cloud-based identity and access management (IAM) solution by Microsoft. It enables users to securely sign in and access resources in Azure and other Microsoft services such as Microsoft 365.
Azure AD differs from the traditional Windows Server Active Directory. The traditional AD is domain-centric and works best within on-premises networks, while Azure AD is optimized for the cloud and SaaS applications.
Azure AD is essential for:
- Managing user identities and credentials.
- Enforcing authentication policies.
- Assigning and controlling access to resources.
- Enabling single sign-on (SSO) and multifactor authentication (MFA).
- Integrating with external identity providers.
In the AZ-104 exam, expect scenario-based questions that involve configuring Azure AD tenants, managing users and groups, implementing policies, and synchronizing on-premises identities.
User and Group Management
Managing users and groups in Azure AD is one of the first steps in setting up a secure environment. Users can be added individually or in bulk, either manually or via directory synchronization from on-premises environments using Azure AD Connect.
Creating Users in Azure AD
You can create users through:
- Azure Portal
- PowerShell (New-AzADUser)
- Azure CLI (az ad user create)
Managing Groups
Groups are used to assign permissions collectively. There are two types:
- Security groups: For managing access to resources.
- Microsoft 365 groups: For collaboration in Microsoft 365 apps like Teams and SharePoint.
Groups can be static or dynamic. Dynamic groups use rules to automatically add users based on attributes (e.g., job title or department), which is useful for automating access.
Administrative Units (AUs)
Azure AD allows you to segment administrative control through Administrative Units, which is helpful in large enterprises. For example, you can allow an IT admin in Europe to manage only European users without giving them global admin rights.
Role-Based Access Control (RBAC)
RBAC is a method for managing user permissions in Azure. Rather than granting blanket permissions, RBAC allows granular control over what users can do.
An RBAC model consists of three main elements:
- Security Principal: A user, group, service principal, or managed identity.
- Role Definition: A collection of permissions (like Reader, Contributor, and Owner).
- Scope: Defines where the access applies—subscription, resource group, or specific resource.
Example use case:
- Assign a user the Reader role at the resource group level so they can view resources but not modify them.
You can assign roles via:
- Azure Portal
- Azure CLI (az role assignment create)
- PowerShell (New-AzRoleAssignment)
Custom Roles
While Azure offers many built-in roles, you can create custom roles if the default ones don’t meet your needs. For example, a custom role might allow a user to restart VMs but not delete them.
Azure AD Connect and Hybrid Identity
Organizations often use on-premises Active Directory and want to synchronize it with Azure AD. This is done using Azure AD Connect.
Three synchronization methods are available:
- Password hash synchronization (PHS): Syncs password hashes from AD to Azure AD.
- Pass-through authentication (PTA): Authenticates users against on-prem AD.
- Federation (AD FS): Uses a federation server to authenticate.
Azure AD Connect ensures consistency of identities across on-prem and cloud environments. The AZ-104 exam expects familiarity with setup and troubleshooting of synchronization issues.
You should understand:
- How to install Azure AD Connect.
- How to configure synchronization rules.
- How to manage synchronization cycles.
- Tools like IdFix are used for cleaning up directory data before synchronization.
Azure Policy
Azure Policy is a governance tool that enforces organizational standards and compliance rules across Azure resources. It allows administrators to ensure that deployments meet specific requirements.
For instance, a policy can:
- Restrict VM sizes to only specific SKUs.
- Enforce tags on resources.
- Prevent the creation of public IPs.
Initiatives are a group of policies assigned together. You assign policies or initiatives to scopes like subscriptions or resource groups.
Policy evaluation modes:
- Audit: Logs violations but does not stop actions.
- Deny: Prevents non-compliant resources from being created.
- Append: Adds specific settings to requests.
In the AZ-104, you’ll be tested on your ability to assign and evaluate policies using:
- Azure Portal
- Azure CLI
- PowerShell
Example CLI command to assign a policy:
az policy assignment create –policy “policyDefinitionID” –scope “/subscriptions/{subscription-id}/resourceGroups/{resource-group}”
Azure Blueprints
Azure Blueprints help you define a repeatable set of governance tools and resource templates for consistent deployment. Blueprints combine ARM templates, policies, role assignments, and resource groups into one package.
Use cases include:
- Deploying a standardized environment for dev or prod.
- Enforcing compliance across new environments.
Blueprints are ideal when you need repeatable, governed deployments.
Blueprints are typically used in enterprise environments where policy compliance is strictly regulated (e.g., healthcare or finance). While Azure Blueprints is being gradually replaced by other governance services, the AZ-104 still expects knowledge of how to create and assign them.
Resource Locks and Tags
Resource Locks prevent accidental deletion or modification of resources. There are two types:
- CanNotDelete: Allows reading and modifying, but not deletion.
- ReadOnly: Makes the resource read-only.
Example scenario: Apply a lock to a production VM so no one can accidentally delete it.
Use PowerShell:
New-AzResourceLock -LockName “ProdVMProtection” -LockLevel CanNotDelete -ResourceName “ProdVM” -ResourceType “Microsoft.Compute/virtualMachines” -ResourceGroupName “ProdRG”
Tags are metadata key-value pairs applied to resources. Tags help with:
- Billing segregation.
- Identifying resources by environment.
- Automation and reporting.
You can apply tags through Azure Portal, PowerShell, CLI, or ARM templates.
Example CLI command:
az resource tag –tags Environment=Production Owner=IT –name myVM –resource-group myRG
Conditional Access and MFA
Conditional Access allows organizations to enforce access control policies based on conditions such as user location, device status, and risk level. It’s built on top of Azure AD and is critical for enforcing modern security strategies like Zero Trust.
A policy might:
- Require MFA if a user logs in from an untrusted location.
- Block access to specific applications when conditions are not met.
Multi-Factor Authentication (MFA) is a security enhancement that requires users to provide two or more verification factors to access a resource.
Azure AD supports:
- Password + mobile app code
- Password + SMS verification
- Password + biometrics (via compatible devices)
In AZ-104, you’ll need to know how to configure conditional access policies and enforce MFA using
- Azure AD portal
- Azure Security Center recommendations
Azure Management Groups and Subscriptions
Large organizations use management groups to organize subscriptions hierarchically. Management groups allow centralized policy assignment and RBAC controls across multiple subscriptions.
Structure example:
- Root Management Group
- Production Group (Prod Subscription 1, Prod Subscription 2)
- Development Group (Dev Subscription 1)
Using this structure, you can:
- Apply policies at the management group level.
- Ensure compliance across multiple teams and subscriptions.
You manage management groups using
- Azure Portal
- PowerShell
- Azure CLI
Monitoring Identity and Governance with Azure Monitor
Azure Monitor is used to collect and analyze logs from Azure AD, policies, role assignments, and more. Integration with Log Analytics lets you query activity logs for specific actions like permission changes, failed logins, or policy violations.
Sample KQL query to find failed sign-ins:
SigninLogs
| where ResultType != 0
| project UserPrincipalName, ResultDescription, Location, AppDisplayName, TimeGenerated
You should know how to:
- Enable diagnostic settings.
- Stream logs to a Log Analytics workspace.
- Set up alerts based on governance events.
Managing Azure Storage and Compute Resources for AZ-104
The third major domain of the AZ-104: Microsoft Azure Administrator certification exam revolves around managing Azure compute and storage resources. This includes provisioning and managing VMs, configuring storage accounts, handling virtual disks, understanding storage tiers, managing containers, and configuring availability options. A strong grasp of these components is essential not just for passing the exam but for functioning effectively in any real-world Azure environment.
Understanding Azure Storage: A Foundational Element
Azure provides several types of storage services to support a wide range of data and compute workloads. The core storage types include
· Blob Storage: Object storage for unstructured data like images, videos, and backups.
· File Storage: Managed file shares accessible via SMB/NFS protocols.
· Queue Storage: Messaging service for decoupling app components.
· Table Storage: NoSQL key-value store for structured data.
· Disk Storage: Persistent block storage for VMs.
Creating and Managing Storage Accounts
Every storage resource begins with a storage account, which acts as a container for various services.
Storage Account Types:
· General-purpose v2 (GPv2): Supports blobs, files, queues, and tables; recommended for most scenarios.
· BlockBlobStorage: Optimized for high-throughput applications.
· FileStorage: Premium file shares with low latency.
Redundancy Options:
Azure offers multiple redundancy options to ensure durability:
· LRS (Locally Redundant Storage)—Three copies within a single data center.
· ZRS (Zone-Redundant Storage)—Replicates data across zones in a region.
· GRS (Geo-Redundant Storage)—Copies data to a secondary region.
· RA-GRS – GRS with read access on the secondary location.
When configuring storage for production, especially critical workloads, choosing the right redundancy is vital.
az storage account create \
–name mystorageaccount \
–resource-group myRG \
–location eastus \
–sku Standard_LRS \
–kind StorageV2
Azure Blob Storage
Blob storage is a key service for storing unstructured data. It has three blob types:
· Block blobs – For documents, images, and backups.
· Append blobs – Ideal for logs.
· Page blobs—Used for VM disks.
Blob Tiers:
Azure offers access tiers to optimize cost:
· Hot – Frequent access.
· Cool – Infrequent access, lower cost.
· Archive – Rarely accessed, lowest cost.
You can move blobs between tiers manually or via lifecycle management policies.
az storage blob upload \
–account-name mystorageaccount \
–container-name mycontainer \
–name myfile.txt \
–file ./myfile.txt
Azure File Shares
Azure Files provides fully managed file shares in the cloud. These can be mounted on Windows, Linux, or macOS systems.
You can:
· Configure quotas.
· Set NTFS permissions using Azure AD DS.
· Mount via SMB or NFS.
az storage share create \
–name myfileshare \
–account-name mystorageaccount \
–quota 100
To mount a file share on Windows:
net use Z: \\mystorageaccount.file.core.windows.net\ myfileshare /u:Azure\mystorageaccount <storage-key>
Azure Disk Storage
Azure Disk Storage is used to provide durable block storage to VMs. There are three types of managed disks:
· Standard HDD—Cost-effective, low-performance.
· Standard SSD—Better performance, moderate cost.
· Premium SSD—High IOPS and low latency.
· Ultra Disk—Designed for mission-critical applications.
Disks come in two roles:
· OS Disk—Required to boot the VM.
· Data Disk—For additional storage.
You can increase disk size, enable encryption, or take snapshots for backup.
az disk create \
–resource-group myRG \
–name myDisk \
–size-gb 128 \
–sku Premium_LRS
VM Management and Configuration
Azure Virtual Machines (VMs) provide on-demand computing resources. The compute offering is categorized into series based on workload:
· D-Series – General-purpose.
· E-Series – Memory-optimized.
· F-Series – Compute-optimized.
· L-Series – Storage-optimized.
· B-Series – Economical, burstable performance.
Creating a VM:
You can use Azure Portal, PowerShell, Azure CLI, or ARM templates. The CLI method:
az vm create \
–name myVM \
–resource-group myRG \
–image UbuntuLTS \
–admin-username azureuser \
–generate-ssh-keys
VM Sizes and Availability Sets
Choosing the right VM size is crucial to balance cost and performance. Consider CPU, RAM, disk, and network throughput.
For high availability, Azure offers:
· Availability Sets—Spread VMs across fault and update domains within a data center.
· Availability Zones—Physically separate locations within a region.
· Proximity Placement Groups—Low-latency app placement for co-located VMs.
Scaling and Performance Optimization
Azure supports scaling up (resizing the VM) and scaling out (adding more VMs).
VM Scale Sets allow you to deploy and manage a set of identical VMs, supporting autoscaling and load balancing.
az vmss create \
–name myScaleSet \
–resource-group myRG \
–image UbuntuLTS \
–upgrade-policy-mode automatic \
–admin-username azureuser \
–generate-ssh-keys
Custom Script Extensions
Custom Script Extensions allow you to run scripts (e.g., PowerShell, Bash) post-deployment on VMs for configuration or software installation.
Use this for:
· Installing web servers.
· Configuring settings.
· Installing updates.
az vm extension set \
–resource-group myRG \
–vm-name myVM \
–name CustomScriptExtension \
–publisher Microsoft.Azure.Extensions \
–settings ‘{“fileUris”:[“<script-url>”] ,”commandToExecute”:”sh script.sh”}’
Backing Up and Restoring VMs
Azure Backup is used to protect VMs without additional infrastructure. It creates restore points that can be used to recover VMs.
Steps:
· Create a Recovery Services vault.
· Enable backup for VMs.
· Configure retention and policies.
Azure CLI example:
az backup protection enable-for-vm \
–vm myVM \
–vault-name myVault \
–resource-group myRG \
–policy-name DefaultPolicy
Managing Storage Access and Security
Azure provides several mechanisms to secure storage access:
· Shared Access Signatures (SAS)—Granular access control with expiration.
· Azure AD Authentication—For fine-grained access control on blobs and files.
· Storage Firewall and Virtual Networks—Restrict access by IP or subnet.
· Private Endpoints—Secure storage traffic through Azure VNet.
Example: Generate a SAS token using CLI:
az storage blob generate-sas \
–account-name mystorageaccount \
–container-name mycontainer \
–name myfile.txt \
–permissions r \
–expiry 2025-05-01T00:00Z \
–output tsv
Monitoring and Performance Tuning
To monitor storage and VM performance:
· Use Azure Monitor and Log Analytics.
· Set up alerts for CPU, disk I/O, and and network traffic.
· Use Diagnostics Settings for granular logs.
For example, monitor VM CPU usage using a KQL query:
Perf
| where ObjectName == “Processor” and CounterName == “% Processor Time”
| summarize avg(CounterValue) by bin(TimeGenerated, 5m), Computer
Lifecycle Management and Automation
For storage:
· Use lifecycle policies to delete old blobs or move them to lower tiers.
For computing:
· Use Automation Accounts to schedule VM start/stop.
· Use Runbooks and Logic Apps for automated management.
Managing Azure Networking for AZ-104
Networking is a fundamental component of cloud infrastructure, and Microsoft Azure provides a robust suite of networking tools and services to build secure, scalable, and high-performance environments. The AZ-104 Microsoft Azure Administrator exam dedicates a significant portion to managing virtual networks, routing, network security, DNS, connectivity solutions like VPNs and ExpressRoute, and monitoring network health. This part explores these components in detail and equips you with the practical knowledge needed for both exam success and real-world Azure network management.
Understanding Azure Virtual Network (VNet)
A Virtual Network (VNet) in Azure is the foundation of private communication within the Azure cloud. VNets allow Azure resources like virtual machines, databases, and applications to securely communicate with each other, with on-premises systems, and with the internet.
Key components of a VNet:
· Address Space: Defines the IP address range (CIDR notation) used in the VNet.
· Subnets: Divide the VNet into segments for better organization and security.
· Network Interfaces: Connect a VM to the network.
· DNS Settings: Configure name resolution within the VNet.
az network vnet create \
–name MyVNet \
–resource-group MyRG \
–address-prefix 10.0.0.0/16 \
–subnet-name MySubnet \
–subnet-prefix 10.0.1.0/24
Subnets and IP Addressing
Subnets partition the VNet to isolate workloads and apply different security policies.
Best Practices:
· Use separate subnets for front-end and back-end services.
· Avoid overlapping IP ranges with on-premises networks.
· Reserve IP addresses for future expansion.
Network Security Groups (NSGs)
NSGs act as virtual firewalls. They allow or deny traffic to and from Azure resources based on rules.
Components:
· Inbound/Outbound Rules: Define permitted or denied traffic.
· Priority: Lower numbers have higher priority.
· Rule Components: Source/Destination IP, Port, Protocol, Action.
az network nsg create \
–resource-group MyRG \
–name MyNSG
az network nsg rule create \
–resource-group MyRG \
–nsg-name MyNSG \
–name AllowSSH \
–protocol Tcp \
–direction Inbound \
–priority 1000 \
–source-address-prefix ‘*’ \
–source-port-range ‘*’ \
–destination-address-prefix ‘*’ \
–destination-port-range 22 \
–access Allow
Route Tables and User-Defined Routes (UDRs)
By default, Azure uses system routes for traffic routing. User-Defined Routes (UDRs) enable customization for scenarios like
· Routing traffic through a network virtual appliance (NVA)
· Enabling forced tunneling to on-premises
· Controlling east-west traffic in a hub-and-spoke topology
az network route-table create \
–name MyRouteTable \
–resource-group MyRG
az network route-table route create \
–resource-group MyRG \
–route-table-name MyRouteTable \
–name RouteToFirewall \
–address-prefix 0.0.0.0/0 \
–next-hop-type VirtualAppliance \
–next-hop-ip-address 10.0.2.4
Attach the route table to a subnet to apply the routing.
Azure DNS and Custom DNS
Azure DNS allows hosting DNS domains in Azure and provides name resolution for Azure resources. You can also use custom DNS servers for internal domains or hybrid DNS configurations.
Set a custom DNS server:
az network vnet update \
–name MyVNet \
–resource-group MyRG \
–dns-servers 10.1.0.4
For name resolution across VNets, use Azure Private DNS Zones and VNet links.
VNet Peering
VNet peering enables seamless connectivity between VNets. Peered VNets can communicate using private IPs, even across regions (global peering).
az network vnet peering create \
–name PeerAtoB \
–resource-group MyRG \
–vnet-name VNetA \
–remote-vnet VNetB_ID \
–allow-vnet-access
Key Considerations:
· Low latency, high bandwidth.
· Traffic remains within Microsoft’s backbone.
· Peering is non-transitive (A-B, B-C ≠ , A-C).
Azure Load Balancers
Azure provides multiple load balancing solutions depending on the layer and scenario:
Basic vs Standard Load Balancer
· Basic: Only within a region and a single availability set.
· Standard: Zone-redundant, supports virtual networks and public IPs.
Types:
· Public Load Balancer: Routes external traffic to VMs.
· Internal Load Balancer (ILB): Distributes traffic across VMs within the VNet.
az network lb create \
–resource-group MyRG \
–name MyPublicLB \
–sku Standard \
–frontend-ip-name myFrontEnd \
–backend-pool-name myBackEndPool \
–public-ip-address MyPublicIP
Add health probes and load balancing rules to complete the setup.
Azure Application Gateway
For Layer 7 (HTTP/HTTPS) traffic, use Application Gateway. It supports:
· SSL termination
· URL-based routing
· Web Application Firewall (WAF)
az network application-gateway create \
–name MyAppGW \
–resource-group MyRG \
–capacity 2 \
–sku Standard_v2 \
–vnet-name MyVNet \
–subnet MySubnet
Use WAF policies to protect from OWASP top 10 vulnerabilities.
Azure Front Door and Traffic Manager
· Azure Front Door provides global Layer 7 routing with SSL offloading and acceleration.
· Traffic Manager provides DNS-based global load balancing using various routing methods (priority, performance, etc.)
Use Traffic Manager to route to the nearest endpoint based on user geography.
Connecting On-Premises to Azure
1. Site-to-Site VPN
A secure IPsec connection between on-premises and Azure.
az network vpn-connection create \
–name MyConnection \
–resource-group MyRG \
–vnet-gateway1 MyVNetGW \
–local-gateway2 MyOnPremGateway \
–shared-key MySharedKey
Requires a Virtual Network Gateway and a Local Network Gateway.
2. Point-to-Site VPN
Securely connect individual clients (e.g., remote employees) using certificates or Azure AD authentication.
3. ExpressRoute
Private, dedicated connection to Azure over a service provider’s network:
· Higher throughput
· SLA-backed reliability
· Bypasses the internet
ExpressRoute is ideal for enterprise workloads with strict compliance needs.
Network Watcher: Monitoring and Diagnostics
Azure Network Watcher provides tools for troubleshooting and monitoring.
Key Features:
· Connection Monitor: Track availability and latency.
· IP Flow Verify: Check NSG rules for traffic.
· Packet Capture: Deep traffic inspection.
· Topology Viewer: Visualize network architecture.
az network watcher configure \
–resource-group MyRG \
–locations eastus \
–enabled true
az network watcher show-topology \
–resource-group MyRG \
–location eastus
Use metrics and logs in Azure Monitor to set alerts for high traffic, dropped packets, or connectivity issues.
Private Link and Private Endpoints
Private Link enables secure access to Azure services (e.g., storage, SQL) over a private IP within your VNet.
az network private-endpoint create \
–name MyPrivateEP \
–resource-group MyRG \
–vnet-name MyVNet \
–subnet MySubnet \
–private-connection-resource-id <resource-id> \
–group-ids blob \
–connection-name MyConnection
Use this for:
· Eliminating data exposure to the public internet.
· Meeting compliance requirements.
· Securing hybrid architectures.
Service Endpoints
Service Endpoints extend VNet identity to Azure services, enabling traffic to remain on Azure’s backbone while accessing PaaS services like
· Azure Storage
· Azure SQL
· Azure Cosmos DB
az network vnet subnet update \
–name MySubnet \
–vnet-name MyVNet \
–resource-group MyRG \
–service-endpoints Microsoft.Storage
Bastion Host
Azure Bastion provides browser-based RDP/SSH access to VMs without exposing them to the public internet.
Benefits:
· No public IP required on VMs.
· Secure, firewall-friendly access.
az network bastion create \
–name MyBastion \
–resource-group MyRG \
–vnet-name MyVNet \
–public-ip-address MyPublicIP \
–location eastus \
–subnet BastionSubnet
Best Practices for Azure Networking
1. Use NSGs at both the subnet and NIC levels for layered security.
2. Implement VNet Peering with route controls to manage traffic flow between environments.
3. Use Private Link over Service Endpoints for enhanced data protection.
4. Separate production and test environments into different VNets or subscriptions.
5. Log all traffic using Azure Firewall or NSG Flow Logs for auditing.
6. Use Application Gateway WAF for secure, scalable web app delivery.
7. Implement DNS resolution strategies using Azure DNS or custom DNS to integrate with a hybrid infrastructure.
Final Thoughts
Mastering Azure networking is crucial for any Azure administrator, as it forms the backbone of secure, efficient, and scalable cloud architectures. In the AZ-104 exam, understanding how to design and manage virtual networks, configure secure access with tools like NSGs and Azure Firewall, enable hybrid connectivity with VPNs or ExpressRoute, and optimize traffic with load balancers and private endpoints is essential.
While the concepts may seem complex at first, hands-on practice in the Azure portal or through CLI/PowerShell will solidify your understanding and prepare you for real-world challenges. Azure’s networking services are deeply integrated with security, performance, and compliance features, making your knowledge in this area not just exam-relevant but critical for any enterprise deployment.
