AZ-104 Exam Focused Nuggets — Practical & Exam-Ready


1. Azure Compute — Virtual Machines (VMs)

  • ✅ VM sizes affect CPU, RAM, disk throughput — pick size matching workload needs.
  • ✅ Use Managed Disks (Premium SSD recommended for production) for simplified and durable storage.
  • ✅ VM Scale Sets support automatic scaling (scale out with instances, scale up by resizing VM).
  • ✅ Scale out preferred for load distribution; scale up for resource-intensive apps.
  • ✅ Use Availability Sets to distribute VMs across fault and update domains for 99.95% SLA.
  • ✅ Use Availability Zones for 99.99% SLA against datacenter failure (regional redundancy).
  • Spot VMs save costs but can be evicted anytime — ideal for batch jobs.
  • ✅ Use Azure Bastion to securely RDP/SSH without public IP exposure (exam scenario: secure jump host).
  • ✅ Enable Boot Diagnostics (requires storage account) to troubleshoot VM startup failures.
  • ✅ Use VM extensions (e.g., Custom Script Extension) for post-deployment configuration automation.
  • ✅ Enable Accelerated Networking on supported VMs to reduce latency and improve throughput (Linux & Windows).
  • Proximity Placement Groups reduce network latency between VMs for clustered apps.
  • ✅ PowerShell: accelerated networking is a NIC property, not a VM property: $nic = Get-AzNetworkInterface -Name myNic -ResourceGroupName myRg; $nic.EnableAcceleratedNetworking = $true; $nic | Set-AzNetworkInterface (CLI equivalent: az network nic update --accelerated-networking true).
  • ✅ To resize VM, deallocate first, then change size via portal/CLI/PowerShell (e.g., az vm resize).
  • ✅ To redeploy a VM, use az vm redeploy to move it to a healthy host in the same region.

2. Azure Storage — Blob Storage & Disks

  • Immutable Storage (WORM) means no deletes or overwrites allowed on blobs during retention.
  • ✅ Two types:
    • Time-based retention: set retention period after which data is mutable again.
    • Legal hold: indefinite retention until manually cleared.
  • Policy must be locked to prevent removal or changes — key for compliance.
  • ✅ Applies only to block blobs, not append or page blobs.
  • ✅ Configure via Azure Portal, CLI (az storage blob immutability-policy), ARM, or Bicep.
  • ✅ Blob storage tiers: Hot (frequent access), Cool (infrequent), Archive (rare, offline).
  • ✅ Use Lifecycle Management rules to auto-transition blobs between tiers.
  • ✅ Enable Soft Delete on blobs to recover accidental deletions (default retention configurable).
  • ✅ Use SAS tokens to provide granular, time-limited access without sharing keys.
  • ✅ Storage redundancy options impact durability & cost:
    • LRS (Locally Redundant Storage): copies within same data center.
    • GRS (Geo-Redundant Storage): replicates to secondary region for disaster recovery.
    • RA-GRS (Read Access GRS): read access to secondary region.
  • ✅ Azure Files supports SMB/NFS shares; use Azure File Sync for caching on-prem.
  • ✅ Premium SSD Managed Disks recommended for high-performance VMs; Standard HDD for dev/test.
  • ✅ You cannot change disk type (e.g., from Standard HDD to Premium SSD) without snapshot & recreate.
  • ✅ Disk sizes must match workload; Standard SSD max 4TB, Ultra Disk can go larger with configurable IOPS.
  • ✅ Snapshot a managed disk for point-in-time backup; restore by creating a new disk from snapshot.
  • ✅ CLI example: create a 30-day time-based retention policy on a container, then lock it (the lock requires the policy ETag returned by the create call; blob-level policies use az storage blob immutability-policy set with --expiry-time instead of --period):
az storage container immutability-policy create --account-name mystorage --container-name mycontainer --period 30
az storage container immutability-policy lock --account-name mystorage --container-name mycontainer --if-match "<etag from create output>"

3. Azure Networking

  • ✅ VNets isolate resources; subnets segment VNets logically.
  • ✅ NSGs control inbound/outbound traffic via rules (priority-based, allow/deny).
  • ✅ Use Application Security Groups (ASGs) to group VMs logically for NSG rules — reduces complexity.
  • VNet Peering enables direct private IP connectivity between VNets — low latency, high bandwidth.
  • ✅ Global VNet Peering connects VNets across regions (supports inter-region communication).
  • ✅ Use Azure Firewall for centralized, stateful, fully managed firewall policies.
  • ✅ User Defined Routes (UDRs) can override default routing for traffic steering (e.g., force traffic via firewall).
  • ExpressRoute provides private dedicated circuit for on-prem to Azure with SLA, bypassing public internet.
  • ✅ VPN Gateway supports Site-to-Site and Point-to-Site VPN with secure IPsec/IKE encryption.
  • ✅ Azure Load Balancer distributes traffic at Layer 4; Application Gateway works at Layer 7 with WAF.
  • ✅ Azure Front Door provides global HTTP/HTTPS load balancing with SSL termination and CDN.
  • ✅ Use Private Endpoints to connect to Azure PaaS privately over your VNet.
  • ✅ Service Endpoints let a subnet reach a PaaS service over the Azure backbone and let the service restrict access to that subnet; the service keeps its public endpoint (no private IP is assigned).
  • ✅ Enable DDoS Protection Standard on virtual networks to mitigate volumetric attacks (free tier limited).
  • ✅ Network Watcher provides diagnostic tools: packet capture, connection monitor, NSG flow logs.
  • ✅ NSG flow logs can be analyzed via Traffic Analytics for network insights.
  • ✅ Azure Bastion allows secure RDP/SSH access without exposing VM public IP.

4. Identity and Access Management

  • ✅ Azure AD is the identity platform for authentication and authorization to Azure resources.
  • ✅ RBAC roles control access to Azure resources; built-in roles include Owner, Contributor, Reader.
  • ✅ Assign RBAC at subscription, resource group, or resource level — least privilege principle applies.
  • ✅ Use Custom Roles for granular permission sets beyond built-in roles.
  • ✅ Use Privileged Identity Management (PIM) for just-in-time privileged access with approval workflows.
  • ✅ MFA should be enabled for all admin and privileged users for enhanced security.
  • ✅ Conditional Access policies enforce access controls based on location, device compliance, and risk.
  • ✅ Use Managed Identities (system-assigned or user-assigned) to authenticate Azure services securely without credentials.
  • ✅ Service principals allow apps to authenticate to Azure AD and obtain access tokens.
  • ✅ Use Access Reviews regularly to review and revoke unnecessary access.
  • ✅ Azure AD Connect synchronizes on-prem AD users and groups to Azure AD.
  • ✅ Enable Self-Service Password Reset (SSPR) to reduce helpdesk workload.
  • ✅ B2B collaboration securely invites external users with controlled access.
  • ✅ Password policies: Azure AD enforces complexity and lockout thresholds by default.
  • ✅ Use Identity Protection to detect leaked credentials, risky sign-ins, and automate risk response.
  • ✅ Audit logs for sign-ins and changes are critical for security monitoring.
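Added example (not from the original notes) of the least-privilege custom role from section 4: a Bicep file deployed at subscription scope that defines an operator role able to start, restart and deallocate VMs but not delete or modify them. The role name and the chosen action set are assumptions for illustration.

```bicep
targetScope = 'subscription'

var roleName = 'VM Operator (start/stop only)' // assumed name

resource vmOperator 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  // Role definition names are GUIDs; derive a stable one from scope + role name
  name: guid(subscription().id, roleName)
  properties: {
    roleName: roleName
    description: 'Can view, start, restart and deallocate VMs; cannot create, delete or reconfigure them'
    type: 'CustomRole'
    permissions: [
      {
        // Only the power-state actions are granted; no write or delete on the VM resource
        actions: [
          'Microsoft.Resources/subscriptions/resourceGroups/read'
          'Microsoft.Compute/virtualMachines/read'
          'Microsoft.Compute/virtualMachines/start/action'
          'Microsoft.Compute/virtualMachines/restart/action'
          'Microsoft.Compute/virtualMachines/deallocate/action'
        ]
        notActions: []
        dataActions: []
        notDataActions: []
      }
    ]
    // The role can only be assigned within this subscription
    assignableScopes: [
      subscription().id
    ]
  }
}
```

Assign it with the usual role assignment at resource-group or VM scope rather than at the subscription, so the operator only sees the machines they run.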

5. Management and Governance

  • ✅ Use Azure Resource Manager (ARM) for declarative resource deployment via JSON templates.
  • ✅ ARM templates support parameterization, variables, outputs, and nested templates.
  • ✅ Azure Policy enforces organizational standards like allowed VM sizes or location restrictions.
  • ✅ Assign policies at management group, subscription, or resource group scope.
  • ✅ Azure Blueprints package ARM templates, policies, role assignments for environment deployment.
  • ✅ Use Tags to organize resources for billing and management — follow naming conventions.
  • ✅ Enable Resource Locks (CanNotDelete, ReadOnly) to prevent accidental changes.
  • ✅ Use Azure Monitor to collect metrics and logs from resources.
  • ✅ Configure Alerts on metrics (CPU, disk IO, etc.) and logs (event occurrences).
  • ✅ Use Azure Advisor for personalized best practice recommendations on cost, security, and performance.
  • ✅ Azure Cost Management tracks usage and sets budgets with alerting.
  • ✅ Use Azure Automation runbooks for routine tasks like VM start/stop or backup.
  • ✅ Azure Service Health informs planned maintenance or outages affecting resources.
  • ✅ Activity Logs track all management-plane operations for auditing and troubleshooting.
  • ✅ Use Log Analytics Workspace to query across resources and create dashboards.
  • ✅ Update Management automates patching for Windows and Linux VMs.
  • ✅ Azure Lighthouse allows service providers to manage multiple tenants securely.
  • ✅ Use Azure DevOps or GitHub Actions to implement CI/CD pipelines for infrastructure and app deployments.

6. Backup and Disaster Recovery

  • ✅ Use Recovery Services Vault to manage backup and Site Recovery configurations.
  • ✅ Azure Backup supports VM, SQL, files, and Azure Files backup.
  • ✅ Backup policies define schedule, retention, and frequency of backups.
  • ✅ Backups are incremental after initial full backup to save space and bandwidth.
  • ✅ Use Soft Delete to protect against accidental backup deletion (retain deleted backups).
  • ✅ Site Recovery replicates VMs to another Azure region or on-premises for disaster recovery.
  • ✅ Test failover in Site Recovery validates disaster readiness without impacting production.
  • ✅ Backups encrypt data both at rest and in transit.
  • ✅ Restore can be full VM restore or file-level recovery depending on workload.
  • ✅ Use Azure Blob Snapshots for quick point-in-time backups of blobs.
  • ✅ Geo-redundant backup storage protects backups against regional outages.
  • ✅ Regularly test disaster recovery runbooks and document RTO/RPO goals.
  • ✅ Automate backup reports and monitor via Azure Monitor alerts.

7. Security & Network Protection

  • ✅ Use NSGs to filter traffic; rules evaluated by priority, first match applies.
  • ✅ Group VMs using ASGs for scalable NSG rules.
  • ✅ Azure Firewall allows application and network-level filtering with logging.
  • ✅ Enable DDoS Protection Standard on VNets to mitigate volumetric attacks.
  • ✅ Use WAF with Application Gateway for Layer 7 web app protection.
  • ✅ Private Link enables private network access to Azure PaaS resources — no public internet.
  • ✅ Service Endpoints give secure VNet-to-PaaS connectivity, but the PaaS service keeps its public endpoint; traffic stays on the Azure backbone rather than the public internet.
  • ✅ Just-in-Time VM access limits exposure of management ports to approved times.
  • ✅ Enable encryption for data at rest (Azure Storage Service Encryption) and in transit (TLS).
  • ✅ Use Azure Security Center recommendations to remediate vulnerabilities.
  • ✅ Rotate secrets and keys regularly, use Azure Key Vault for secret management.
  • ✅ Use Azure Sentinel for centralized security incident detection and response.
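Added example (not from the original notes) of the NSG behaviour described in sections 3 and 7: rules are evaluated by priority and the first match applies, and an Application Security Group stands in for per-VM IP addresses. Written in Bicep; the names web-asg and app-nsg and the port choices are assumed for illustration.

```bicep
param location string = resourceGroup().location

// Application Security Group: VM NICs join it, so rules reference the group, not per-VM IPs
resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'web-asg' // assumed name
  location: location
}

resource appNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'app-nsg' // assumed name
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsToWebAsg'
        properties: {
          priority: 100 // lowest number is evaluated first; the first matching rule wins
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet' // service tag, not a literal CIDR
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: webAsg.id } ] // used instead of destinationAddressPrefix
          destinationPortRange: '443'
        }
      }
      {
        name: 'DenyAllInbound'
        properties: {
          // An explicit deny inside the custom range (100-4096) is matched before the built-in
          // AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) rules, so it also
          // blocks load balancer health probes: add an Allow for the AzureLoadBalancer tag above
          // this rule if the VMs sit behind a load balancer.
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Check the effective result with Network Watcher's IP flow verify or NSG flow logs rather than reading the rule list alone: the effective rules on a NIC combine subnet and NIC NSGs.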

8. Monitoring and Troubleshooting

  • ✅ Enable diagnostic settings on Azure resources to export logs to Log Analytics, Storage, or Event Hub.
  • ✅ Use Azure Monitor metrics to track VM CPU, memory, disk, and network usage.
  • ✅ Configure alerts for critical thresholds and failures.
  • ✅ Use Network Watcher tools (connection monitor, packet capture) for network diagnostics.
  • ✅ Use Resource Health to check service status and planned maintenance affecting resources.
  • ✅ Use Activity Logs to audit management operations.
  • ✅ Use Application Insights for application-level telemetry and diagnostics.
  • ✅ Create workbooks and dashboards in Azure Monitor for visualization.
  • ✅ Use Azure Automation to remediate alerts automatically.
  • ✅ VM Insights provide detailed metrics and dependencies for VMs.

9. Automation and Scripting

  • ✅ Use Azure CLI (az vm create, az storage account create, etc.) for scripting and automation.
  • ✅ PowerShell Az module (New-AzVM to create; to resize, set $vm.HardwareProfile.VmSize and run Update-AzVM) is an alternative for Windows admins.
  • ✅ ARM templates enable declarative, idempotent deployments of resources.
  • ✅ Bicep language simplifies ARM template authoring with better syntax.
  • ✅ Use Azure Automation Runbooks to automate maintenance tasks like VM shutdown/start.
  • ✅ Logic Apps automate workflows across services without code.
  • ✅ Use Managed Identities for automation scripts to avoid managing credentials.
  • ✅ Use Terraform (beyond AZ-104 scope but useful) for infrastructure as code.
  • ✅ Schedule backups, patching, and resource scaling using automation and Logic Apps.
  • ✅ Use Azure Policy remediation tasks to auto-correct non-compliant resources.
  • ✅ Enable Change Tracking with Azure Automation to audit configuration changes.
