JON BONSO AND GEROME PAGATPATAN

AZURE
CERTIFIED
AZ-104
Microsoft Azure
Administrator

Tutorials Dojo Study Guide

 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭TABLE OF CONTENTS‬

I‭NTRODUCTION‬ ‭‬
5
‭AZ-104 MICROSOFT AZURE ADMINISTRATOR EXAM OVERVIEW‬ ‭6‬
‭Exam Details‬ ‭6‬
‭Exam Domains‬ ‭8‬
‭Exam Scoring System‬ ‭9‬
‭Exam Benefit‬ ‭10‬
‭AZ-104 MICROSOFT AZURE ADMINISTRATOR EXAM - STUDY GUIDE AND TIPS‬ ‭11‬
‭Study Materials‬ ‭11‬
‭Azure Services to Focus On‬ ‭12‬
‭Validate Your Knowledge‬ ‭13‬
‭Final Remarks‬ ‭18‬
‭CLOUD COMPUTING CONCEPTS‬ ‭19‬
‭Cloud Service Models‬ ‭19‬
‭Platform as a service (PaaS)‬ ‭20‬
‭Software as a service (SaaS)‬ ‭20‬
‭Serverless Computing‬ ‭20‬
‭Cloud Architecture Models‬ ‭22‬
‭Public Cloud‬ ‭22‬
‭Private Cloud‬ ‭22‬
‭Hybrid Cloud‬ ‭23‬
‭AZURE BASICS‬ ‭24‬
‭Azure Overview‬ ‭24‬
‭Advantages of Azure Cloud Computing‬ ‭24‬
‭Azure Global Infrastructure‬ ‭25‬
‭Azure Security and Compliance‬ ‭26‬
‭Azure Pricing‬ ‭26‬
‭Azure Well-Architected Framework - Five Pillars‬ ‭28‬
‭Best Practices when Architecting in the Cloud‬ ‭28‬
‭THE DIFFERENT AZURE SERVICES‬ ‭29‬
‭DEEP DIVE‬ ‭30‬
‭Azure Virtual Machines‬ ‭30‬
‭Components of a Virtual Machine‬ ‭30‬
‭Types of Virtual Machines‬ ‭31‬
‭Virtual Machine Disks‬ ‭32‬
‭Payment options for Virtual Machines‬ ‭35‬
‭Availability Options for Virtual Machines‬ ‭36‬

‭https://portal.tutorialsdojo.com/‬ ‭1‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ irtual Machine Scale Sets‬

V ‭ 7‬
3
‭Proximity Placement Groups‬ ‭43‬
‭Backup Azure Virtual Machines‬ ‭44‬
‭vCPU quotas‬ ‭47‬
‭Azure App Service‬ ‭48‬
‭App Service Plans‬ ‭48‬
‭Deployment Slots‬ ‭51‬
‭Diagnostics Logging‬ ‭54‬
‭App Service Environments‬ ‭55‬
‭Azure Container Instances (ACI)‬ ‭58‬
‭Sizing and Scaling‬ ‭58‬
‭Container Groups‬ ‭58‬
‭Configuring Container Apps‬ ‭59‬
‭Azure Kubernetes Service (AKS)‬ ‭67‬
‭Components‬ ‭67‬
‭Storage‬ ‭67‬
‭Scaling‬ ‭68‬
‭Network Connections‬ ‭69‬
‭Azure Resource Manager (ARM)‬ ‭71‬
‭Resource groups‬ ‭71‬
‭ARM templates‬ ‭71‬
‭Infrastructure as Code, YAML & JSON‬ ‭72‬
‭Deploying ARM templates‬ ‭73‬
‭Exporting Template‬ ‭75‬
‭Creating ARM templates‬ ‭75‬
‭Azure Storage Accounts‬ ‭81‬
‭Types of Storage Accounts‬ ‭81‬
‭Storage Account Endpoint‬ ‭83‬
‭Storage Account Redundancy‬ ‭83‬
‭Storage Encryption‬ ‭86‬
‭Azure Blob Storage‬ ‭87‬
‭Blob Storage Resources‬ ‭87‬
‭Access Tiers‬ ‭88‬
‭Transfer Data with AzCopy‬ ‭91‬
‭Import/Export Data to and from Azure‬ ‭92‬
‭Azure Files‬ ‭95‬
‭Storage Tiers‬ ‭95‬
‭Azure File Sync‬ ‭96‬
‭Azure Virtual Network‬ ‭97‬

‭https://portal.tutorialsdojo.com/‬ ‭2‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ omponents of a Virtual Network‬

C ‭ 7‬
9
‭Network Security Group (NSG) and Application Security Group (ASG)‬ ‭97‬
‭Virtual Network Peering‬ ‭99‬
‭Azure Load Balancer‬ ‭100‬
‭Components of a Load Balancer‬ ‭100‬
‭Load Balancing Algorithm‬ ‭101‬
‭Azure DNS‬ ‭103‬
‭Public and Private DNS‬ ‭103‬
‭DNS Record Types‬ ‭103‬
‭Import/Export a DNS Zone File‬ ‭103‬
‭Azure VPN Gateway‬ ‭104‬
‭VPN Gateway Connections‬ ‭104‬
‭VPN Types‬ ‭105‬
‭Microsoft Entra ID‬ ‭106‬
‭Managing Users, Groups, Roles and Devices‬ ‭106‬
‭Azure RBAC‬ ‭109‬
‭How Permissions are Enforced‬ ‭109‬
‭Different Types of Roles‬ ‭110‬
‭Role Definition Structure‬ ‭112‬
‭Azure Policy‬ ‭114‬
‭Policy Components‬ ‭114‬
‭Policy Definition Structure‬ ‭114‬
‭Policy Effects‬ ‭116‬
‭Azure Monitor‬ ‭117‬
‭Log Analytics‬ ‭117‬
‭Alert Rules and Action Groups‬ ‭117‬
‭Azure Network Watcher‬ ‭120‬
‭Network Connectivity Monitoring‬ ‭120‬
‭Diagnosing Virtual Machine Network Traffic‬ ‭120‬
‭Verify a TCP connection from a Virtual Machine‬ ‭120‬
‭Analyze the ingress and egress IP traffic through a Network Security Group‬ ‭120‬
‭COMPARISON OF AZURE SERVICES‬ ‭122‬
‭Azure Virtual Machine vs Web App‬ ‭122‬
‭Azure Container Instances (ACI) vs Azure Kubernetes Service (AKS)‬ ‭123‬
‭Azure Scale Set vs Availability Set‬ ‭125‬
‭Azure Blob vs Disk vs File Storage‬ ‭126‬
‭Locally Redundant Storage vs Zone-Redundant Storage vs Geo-Redundant Storage‬ ‭128‬
‭Azure Load Balancer vs App Gateway vs Traffic Manager vs Front Door‬ ‭130‬
‭Network Security Group (NSG) vs Application Security Group (ASG)‬ ‭132‬

‭https://portal.tutorialsdojo.com/‬ ‭3‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ zure Policy vs Azure Role-Based Access Control (RBAC)‬

A ‭ 33‬
1
‭Microsoft Entra ID vs Azure Role-Based Access Control (RBAC)‬ ‭134‬
‭ BOUT THE AUTHORS‬
A ‭136‬

‭https://portal.tutorialsdojo.com/‬ ‭4‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭INTRODUCTION‬
‭ ith the rapid advancement of technology, enterprises are adopting newer technologies that will help‬
W
‭their businesses transform and grow. Microsoft Azure is one of the emerging technologies that you can‬
‭leverage in this age since a lot of companies are shifting their existing infrastructures in the cloud. Unlike‬
‭the traditional setup, cloud computing allows you to obtain resources on-demand with just one click on‬
‭their platform, including the servers, storage, databases, networking, analytics, artificial intelligence, and‬
‭a lot more.‬

‭ icrosoft Azure offers a range of cloud services, depending on your business needs. These services are‬
M
‭continuously upgrading, and new features are being added every year to deliver customer satisfaction.‬
‭Since Azure's resources and services are too vast, the‬‭Microsoft Azure Certification‬‭program offers‬
‭different certification paths that will help aspiring candidates and IT professionals validate their skills‬
‭and knowledge to maximize the solutions created in the cloud.‬

‭ icrosoft Azure is the second biggest cloud service provider in the market next to AWS, and a lot of‬
M
‭companies are now adopting a‬‭multicloud‬‭strategy,‬‭which makes it all the more beneficial for IT‬
‭professionals like you to expand your skill set and learn multiple cloud technologies. Learning is a lot‬
‭more fun if you merge it with various cloud services. It will be an exciting and enjoyable journey for you,‬
‭and the first step is to become‬‭AZ-104 Microsoft Azure‬‭Administrator‬‭certified. This eBook will help‬
‭familiarize yourself with the basic cloud concepts as well as the core services of Microsoft Azure, which‬
‭are the building blocks that will help you pass the exam and make a successful career shift to cloud‬
‭computing.‬

‭ ote:‬‭We took extra care to come up with these study‬‭guides and cheat sheets, however, this is meant to‬
N
‭be just a supplementary resource when preparing for the exam. We highly recommend working on‬
‭hands-on sessions‬‭and‬‭practice exams‬‭to further expand‬‭your knowledge and improve your test-taking‬
‭skills.‬

‭https://portal.tutorialsdojo.com/‬ ‭5‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭AZ-104 MICROSOFT AZURE ADMINISTRATOR EXAM OVERVIEW‬

‭ he Microsoft Azure Certification Program validates the technical skills and knowledge for building‬
T
‭secure and reliable cloud-based applications using the Azure platform. By successfully passing the‬
‭Microsoft Azure exam, individuals can prove their expertise to their current and future employers.‬

‭Exam Details‬

‭ he AZ-104 Microsoft Azure Administrator examination is intended for IT Professionals who implement,‬
T
‭manage and monitor an organization’s cloud infrastructure. You can take this exam from a local testing‬
‭center or online from the comfort of your home. The exam is composed of different types of questions.‬

‭For multiple-choice types of questions, you will have to choose one correct response out of four options.‬

‭For Drag and Drop questions, match the items by dragging them to their correct descriptions.‬

‭https://portal.tutorialsdojo.com/‬ ‭6‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭For Dropdown types of questions, select the correct answer from the drop-down list of options.‬

‭ or Hotspot types of questions such as multiple Yes/No, evaluate whether the presented statements‬
F
‭relating to a certain topic are correct/incorrect.‬

‭https://portal.tutorialsdojo.com/‬ ‭7‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭You can take the exam via online proctoring or from a testing center close to you.‬

‭ xam Code:‬
E ‭ Z-104‬
A
‭Prerequisites:‬ ‭None‬
‭No. of Questions:‬ ‭50-60‬
‭Score Range:‬ ‭100-100‬
‭Cost:‬ ‭0‬
‭Passing Score:‬ ‭165 USD‬
‭Time Limit:‬ ‭700‬
‭180‬
‭minutes‬

‭Exam Domains‬

‭ he AZ-104 Microsoft Azure Administrator exam has five areas to assess your skills, each with a‬
T
‭corresponding weight and topic coverage. The skills measured are: Manage Azure identities and‬
‭governance (15–20%), Implement and manage storage (15–20%), Deploy and manage Azure compute‬
‭resources (20–25%), Configure and manage virtual networking (20–25%), and Monitor and back up‬
‭Azure resources (10–15%).‬

‭Manage Azure identities and governance‬

‭●‬ ‭Microsoft Entra ID objects‬
‭●‬ ‭Manage role-based access control (RBAC)‬
‭●‬ ‭Manage subscriptions and governance‬

‭https://portal.tutorialsdojo.com/‬ ‭8‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Implement and manage storage‬

‭●‬ ‭Configure access to storage‬
‭●‬ ‭Manage data in Azure storage accounts‬
‭●‬ ‭Configure Azure Files and Azure Blob Storage‬

‭Deploy and manage Azure compute resources‬

‭●‬ ‭Automate deployment of resources by using Azure Resource Manager templates‬
‭●‬ ‭Create and configure virtual machines‬
‭●‬ ‭Create and configure containers‬
‭●‬ ‭Create and configure an Azure App Service‬

‭Configure and manage virtual networking‬

‭●‬ ‭Configure virtual networks‬
‭●‬ ‭Configure secure access to virtual networks‬
‭●‬ ‭Configure load balancing‬
‭●‬ ‭Monitor virtual networking‬

‭Monitor and backup Azure resources‬

‭●‬ ‭Monitor resources by using Azure Monitor‬
‭●‬ ‭Implement backup and recovery‬

‭Exam Scoring System‬

‭ ou can get a score from 100 to 1,000 with a minimum passing score of 700 when you take the AZ-104‬
Y
‭Microsoft Azure Administrator exam. Microsoft uses a scaled scoring model to associate scores across‬
‭multiple exam types that may have different levels of difficulty. Your complete score report will be sent‬
‭to you by email 1 - 5 business days after your exam. However, as soon as you finish your exam, you’ll‬
‭immediately see a pass or fail notification on the testing screen.‬

‭ or individuals who unfortunately do not pass their exams, you must wait 24 hours before you are‬
F
‭allowed to retake the exam. There is no hard limit on the number of attempts you can retake an exam.‬

‭ nce you receive your score report via email, the result should also be saved in your Microsoft‬
O
‭Certification account. The score report contains a table of your performance in each domain and it will‬
‭indicate whether you have met the level of competency required for these. Take note that you do not‬
‭need to achieve competency in all areas for you to pass the exam. In the first part of the report, there will‬
‭be a performance summary by exam section that highlights your strengths and weaknesses, which can‬
‭help you determine the areas you need to improve on.‬

‭https://portal.tutorialsdojo.com/‬ ‭9‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Exam Benefit‬

I‭f you successfully pass any Microsoft Certification exam, you will receive a‬‭Certified Digital Badge‬‭.‬‭You‬
‭can showcase your achievements to your colleagues and employers by adding these digital badges to‬
‭your email signatures, Linkedin profile, or on your social media accounts. To view your badges, simply go‬
‭to the “Dashboard” section of your Acclaim Account.‬

‭ ou can visit the official Microsoft Certification FAQ page to view the frequently asked questions about‬
Y
‭getting certified and other information about the Microsoft Certification:‬
‭https://docs.microsoft.com/en-us/learn/certifications/certification-exam-policies‬‭.‬

‭https://portal.tutorialsdojo.com/‬ ‭10‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ Z-104 MICROSOFT AZURE ADMINISTRATOR EXAM - STUDY GUIDE‬

A
‭AND TIPS‬
‭ he‬‭AZ-104 Microsoft Azure Administrator‬‭certification‬‭exam is designed for people who have‬
T
‭experience in implementing, managing, and monitoring a Microsoft Azure environment. The exam will‬
‭test your technical skills in implementing solutions based on different scenarios. Having prior‬
‭experience in infrastructure management will help you understand the concepts and services easily.‬

‭The content of the exam will test your ability to perform the following:‬

‭‬
● ‭ anage Azure identities and governance‬
M
‭●‬ ‭Implement and manage storage‬
‭●‬ ‭Deploy and manage Azure compute resources‬
‭●‬ ‭Configure and manage virtual networking‬
‭●‬ ‭Monitor and backup Azure resources‬

‭ or more information about the AZ-104 exam, you can check out this‬‭exam skills outline‬‭. This study‬
F
‭guide will provide you with comprehensive review materials to help you pass the exam with flying colors.‬

‭Study Materials‬

‭ or the Microsoft Azure Administrator exam, we recommend that you check out these study materials‬
F
‭first before you take the actual exam. These resources will help you understand complex concepts and‬
‭services that will be useful on your exam day.‬

‭1.‬ M
‭ icrosoft Learn‬‭– this website provides different‬‭learning paths for various Microsoft certifications.‬
‭For the AZ-104 certification exam, you can focus on the following modules:‬
‭●‬ ‭Prerequisites for Azure administrators‬
‭●‬ ‭Manage identities and governance in Azure‬
‭●‬ ‭Implement and manage storage in Azure‬
‭●‬ ‭Deploy and manage Azure compute resources‬
‭●‬ ‭Configure and manage virtual networks for Azure administrators‬

‭2.‬ A
‭ zure Documentation‬‭– these documentations contain‬‭an overview, tutorials, examples, and how-to‬
‭guides that will help broaden your knowledge on different Azure services.‬

‭3.‬ A
‭ zure Blog‬‭– to get updated on new technologies and‬‭offerings of Microsoft Azure, you can‬
‭subscribe to their newsletter.‬

‭https://portal.tutorialsdojo.com/‬ ‭11‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭4.‬ A
‭ zure FAQs‬‭– you can find the FAQs section on the Azure documentation. The FAQs section is a‬
‭compiled list of commonly asked questions, use cases, and a comparison of several Azure‬
‭services.‬

‭5.‬ A
‭ zure free account‬‭– the Azure portal will help you‬‭get hands-on experience with its 12-month trial.‬
‭You’ll also get free credits that you can spend for the first 30 days.‬

‭6.‬ T
‭ utorials Dojo’s Azure Cheat Sheets‬‭– with the help of our cheat sheets, you can easily understand‬
‭the information found in the Azure documentation. These are presented in bullet point format to‬
‭highlight the important concepts.‬

‭7.‬ T
‭ utorials Dojo’s AZ-104 Microsoft Azure Administrator Practice Exams‬‭– our practice exams have‬
‭always been regarded as the best in the market. Each question in our practice tests contains‬
‭detailed explanations at the end of each set to help you digest important concepts that will help you‬
‭pass your Microsoft Azure certification exam on your first try.‬

‭Azure Services to Focus On‬

‭ our primary source of information when studying for the AZ-104 certification exam is the Azure‬
Y
‭documentation. To comprehend the different scenarios in the exam, you should have a thorough‬
‭understanding of the following services:‬

‭1.‬ A
‭ zure Virtual Network‬‭– you should know how to create‬‭a VNet peering, security rules,‬
‭configuration of private/public IP addresses, network interface, subnets, and virtual networks.‬

‭2.‬ ‭Azure DNS‬‭– the configuration of custom DNS, private,‬‭and public DNS zone.‬

‭3.‬ A
‭ zure Application Gateway‬‭– you should know when to‬‭use a load balancer and a web traffic load‬
‭balancer, and how to create a web application firewall.‬

‭4.‬ A
‭ zure Load Balancer‬‭– the types of load balancing‬‭rules, the difference between a public load‬
‭balancer, and an internal load balancer.‬

‭5.‬ ‭Azure VPN Gateway‬‭– know how to configure VPN and‬‭VPN gateway.‬

‭6.‬ A
‭ zure ExpressRoute‬‭– understand the concepts of ExpressRoute‬‭and how you would implement it‬
‭in your environment.‬

‭https://portal.tutorialsdojo.com/‬ ‭12‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭7.‬ A
‭ zure Virtual Machines‬‭– learn how to deploy and configure a VM, scale sets, highly available‬
‭solutions, moving and redeploying of VM, creating a backup, backup policy, and recovery services‬
‭vaults.‬

‭8.‬ A
‭ zure App Service‬‭– learn how to create an app service‬‭plan and what run time can be put in the‬
‭same app service plan.‬

‭9.‬ ‭Azure Container Instances‬‭– understand the concepts‬‭of containers and how to use ACI.‬

‭10.‬‭Azure Kubernetes Service‬‭– the difference between‬‭ACI and AKS, the configuration of AKS.‬

‭11.‬‭Azure Blob‬‭– you need to learn how to configure storage‬‭accounts, import/export of data, storage‬
‭tiers, replication, and authentication.‬

‭12.‬‭Azure Files‬‭– learn how to create a file share, file‬‭sync, copy data using AZCopy.‬

‭13.‬‭Microsoft Entra ID‬‭– you should know how to manage‬‭a user, group, guest accounts, joined devices,‬
‭device settings, and best practices.‬

‭14.‬‭Azure RBAC‬‭– learn how to create and assign a role‬‭and the types of built-in roles.‬

‭15.‬‭Azure Policy‬‭– you need to learn how to read and create‬‭a policy.‬

‭16.‬‭Azure Monitor‬‭– you should know how to interpret metrics,‬‭the configuration of log analytics, query‬
‭and analyze logs, set up alerts and actions, and other service features.‬

‭ e suggest that you check out‬‭Tutorials Dojo’s Azure‬‭Cheat Sheets‬‭, which provide bullet-point‬
W
‭summaries of the most important concepts on different Azure services.‬

‭Validate Your Knowledge‬

I‭f you’re feeling confident because you’ve followed the recommended materials above, it’s time to test‬
‭your knowledge of various Azure concepts and services. For high-quality practice exams, you can use‬
‭the Tutorials Dojo‬‭AZ-104 Microsoft Azure Administrator‬‭Associate practice exams‬‭.‬

‭ hese‬‭practice tests‬‭cover the relevant topics that‬‭you can expect from the real exam. It also contains‬
T
‭different types of questions such as single choice, multiple responses, hotspot, yes/no, drag and drop,‬
‭and case studies. Every question on these practice exams has a detailed explanation and adequate‬
‭reference links that help you understand why the correct answer is the most suitable solution. After‬
‭you’ve taken the exams, it will highlight the areas that you need to improve on. Together with our‬‭cheat‬

‭https://portal.tutorialsdojo.com/‬ ‭13‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ heets‬‭, we’re confident that you’ll be able to pass the exam and have a deeper understanding of how‬
s
‭Azure works.‬

‭Sample Practice Test Questions:‬

‭Question 1‬

‭ our company has an Microsoft Entra tenant named‬‭tutorialsdojo.onmicrosoft.com‬‭and a public DNS‬

Y
‭zone for‬‭tutorialsdojo.com‬‭.‬

‭ ou added the custom domain name‬‭tutorialsdojo.com‬‭to Microsoft Entra ID. You need to verify that‬
Y
‭Azure can verify the domain name.‬

‭What DNS record type should you use?‬

‭ .‬
1 ‭ RV‬
S
‭2.‬ ‭NSEC‬
‭3.‬ ‭NSEC3‬
‭4.‬ ‭MX‬

‭Correct Answer: 4‬

‭https://portal.tutorialsdojo.com/‬ ‭14‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ icrosoft Entra ID‬‭is Microsoft’s cloud-based identity and access management service, which helps‬
M
‭your employees sign in and access resources in:‬

‭ External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS‬
–
‭applications.‬

‭ Internal resources, such as apps on your corporate network and intranet, along with any cloud apps‬
–
‭developed by your own organization.‬

‭ icrosoft Online business services, such as Office 365 or Microsoft Azure, require Microsoft Entra ID for‬
M
‭sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service,‬
‭you automatically get Microsoft Entra ID with access to all the free features.‬

‭ very new Microsoft Entra ID tenant comes with an initial domain name,‬
E
‭<domainname>.onmicrosoft.com‬‭. You can’t change or‬‭delete the initial domain name, but you can add‬
‭your organization’s names. Adding custom domain names helps you to create user names that are‬
‭familiar to your users, such as‬‭[email protected].‬

‭You can verify your custom domain name by using TXT or MX record types.‬

‭Hence, the correct answer is:‬‭MX.‬

‭https://portal.tutorialsdojo.com/‬ ‭15‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ RV, NSEC, and NSEC3‬‭are incorrect because these record types are not supported by Microsoft Entra‬
S
‭ID for verifying your custom domain. Only TXT and MX record types are supported.‬

‭References:‬

‭https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain‬

‭https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis‬

‭Check out this Microsoft Entra ID Cheat Sheet:‬

‭https://tutorialsdojo.com/microsoft-entra-id/‬

‭Question 2‬

‭You plan to automate the deployment of Windows Servers using a virtual machine scale set.‬

‭You need to make sure that the web components are installed in the virtual machines.‬

‭Which two actions should you perform?‬

‭ .‬
1 ‭ reate a configuration script.‬
C
‭2.‬ ‭Create an automation account.‬
‭3.‬ ‭Create a policy.‬
‭4.‬ ‭Configure the extensionProfile section of the ARM template.‬
‭5.‬ ‭Create a new scale set.‬

‭Correct Answer: 1, 4‬

‭ zure virtual machine scale sets‬‭let you create and‬‭manage a group of load-balanced VMs. The number‬
A
‭of VM instances can automatically increase or decrease in response to demand or a defined schedule.‬
‭Scale sets provide high availability to your applications and allow you to centrally manage, configure, and‬
‭update a large number of VMs.‬

‭https://portal.tutorialsdojo.com/‬ ‭16‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ he Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension‬
T
‭is useful for post-deployment configuration, software installation, or any other configuration or‬
‭management tasks.‬

‭Hence, the correct answers are:‬

‭– Create a configuration script.‬

‭– Configure the extensionProfile section of the ARM template.‬

‭ he option that says:‬‭Create an automation account‬‭is incorrect because an automation account‬

T
‭wouldn’t help you automatically install web components. You still need to create a configuration script‬
‭and extensionProfile in the ARM template.‬

‭ he option that says:‬‭Create a policy‬‭is incorrect‬‭because this option only evaluates resources in Azure.‬
T
‭Take note that you don’t need to create a policy to install web components.‬

‭ he option that says:‬‭Create a new scale set‬‭is incorrect‬‭because this wouldn’t install the required web‬
T
‭components. Instead of creating a new scale set, you should use a custom script extension to install the‬
‭web components in the VMs.‬

‭https://portal.tutorialsdojo.com/‬ ‭17‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭References:‬

‭ ttps://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-a‬
h
‭pp‬

‭ ttps://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template#what-‬
h
‭is-the-azure-custom-script-extension‬

‭ ttps://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-a‬
h
‭pp#already-provisioned‬

‭Check out this Azure Virtual Machines Cheat Sheet:‬

‭https://tutorialsdojo.com/azure-virtual-machines/‬

‭ or more‬‭AZ-104 practice exam‬‭questions with detailed‬‭explanations, check out the‬‭Tutorials Dojo‬

F
‭Portal‬‭:‬

‭Final Remarks‬

I‭t is not enough to understand the concepts at a high level. You also need to get hands-on experience by‬
‭using the Microsoft Azure Portal. Simulate different scenarios that will help you deepen your‬
‭understanding of various services. The combination of practical and theoretical knowledge will help you‬
‭analyze difficult questions in the exam.‬

‭ few reminders that we can give is to always check the time and review your answers before‬
A
‭proceeding to the next question (especially in the case study and yes/no questions). Before your‬
‭scheduled exam day, don’t forget to take a good rest. If you’re not feeling confident yet, there’s always an‬
‭option to reschedule your exam. Good luck, and we wish you all the best.‬

‭https://portal.tutorialsdojo.com/‬ ‭18‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭CLOUD COMPUTING CONCEPTS‬

‭ loud computing is the delivery of services over the Internet that helps you reduce your operating costs,‬
C
‭run your infrastructure efficiently, and scale as business requirements change.‬

‭Cloud Service Models‬

‭‬ T
● ‭ he three cloud computing service models are IaaS, PaaS, and SaaS.‬
‭●‬ ‭You can also use serverless computing to eliminate the need to manage infrastructure.‬
‭●‬ ‭The shared responsibility model determines the security tasks that are handled by the cloud‬
‭provider and handled by the customer.‬
‭○‬ ‭Azure is responsible for protecting the infrastructure such as hosts, network, and‬
‭data center.‬
‭○‬ ‭The customer is responsible for protecting their data, endpoints, account, and‬
‭access management.‬
‭●‬ ‭IaaS, PaaS, and SaaS have different levels of managed services:‬

‭IaaS‬ ‭PaaS‬ ‭SaaS‬

‭Applications‬ ‭Applications‬ ‭Applications‬

‭Data‬ ‭Data‬ ‭Data‬

‭Runtime‬ ‭Runtime‬ ‭Runtime‬

‭MIddleware‬ ‭MIddleware‬ ‭MIddleware‬

‭O/S‬ ‭O/S‬ ‭O/S‬

‭Virtualization‬ ‭Virtualization‬ ‭Virtualization‬

‭Servers‬ ‭Servers‬ ‭Servers‬

‭Storage‬ ‭Storage‬ ‭Storage‬

‭Networking‬ ‭Networking‬ ‭Networking‬

‭https://portal.tutorialsdojo.com/‬ ‭19‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Infrastructure as a service (IaaS)‬

‭‬
● ‭ ost user management‬
M
‭●‬ ‭You are responsible for managing the‬‭operating systems,‬‭data,‬‭and‬‭applications.‬
‭●‬ ‭IaaS helps you to extend resources rapidly to meet the spikes required for your application.‬
‭●‬ ‭Used in the following scenarios:‬
‭○‬ ‭Migrating workloads‬‭– move existing applications to‬‭the cloud.‬
‭○‬ ‭Test and development‬‭– quickly set up and dismantle test and development environments.‬
‭IaaS makes scaling development and testing environments fast and economical.‬
‭○‬ ‭Storage, backup, and recovery‬‭– simplify the planning‬‭and management of backup and‬
‭recovery systems.‬
‭○‬ ‭Website hosting‬‭– less expensive than traditional‬‭web hosting.‬
‭○‬ ‭High-performance computing (HPC)‬‭– clusters of computers‬‭that help solve complex‬
‭problems involving millions of variables or calculations.‬
‭○‬ ‭Big data analysis‬‭– for massive data sets that require‬‭a huge amount of processing power.‬

‭Platform as a service (PaaS)‬

‭‬ L
● ‭ ess user management‬
‭●‬ ‭The operating systems are managed by the cloud provider, while the user is responsible for the‬
‭applications and data they run and store.‬
‭●‬ ‭PaaS offers all the functionality you need to support the entire lifecycle of web applications:‬
‭building, testing the application‬‭,‬‭deploying the source‬‭code‬‭,‬‭managing‬‭, and‬‭updating‬‭within the‬
‭same integrated environment.‬
‭●‬ ‭Used in the following scenarios:‬
‭○‬ ‭Development framework‬‭– a framework for creating or‬‭customizing cloud-based‬
‭applications.‬
‭○‬ ‭Analytics or business intelligence‬‭– find insights‬‭and patterns, and predict outcomes to‬
‭improve business decisions.‬

‭Software as a service (SaaS)‬

‭‬ L
● ‭ east amount of management‬
‭●‬ ‭The cloud provider is responsible for managing everything, and the end-user just uses the software.‬

‭Serverless Computing‬

‭‬ F
● ‭ unction as a Service (FaaS)‬
‭●‬ ‭You simply deploy the code with a serverless platform, and it runs at high availability.‬
‭●‬ ‭Dynamically scales up and down to meet the demands of each workload within seconds.‬

‭https://portal.tutorialsdojo.com/‬ ‭20‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭●‬ A
‭ ‬‭pay-per-execution model‬‭that charges sub-second billing only for the time and resources required‬
‭to execute the code.‬

‭https://portal.tutorialsdojo.com/‬ ‭21‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Cloud Architecture Models‬

‭‬ T
● ‭ hree deployment methods of cloud computing:‬‭Public‬‭vs Private vs Hybrid.‬
‭●‬ ‭The model you choose for cloud deployment depends on your budget, security, scalability, and‬
‭maintenance needs.‬

‭Public Cloud‬

‭●‬ F ‭ ocus on maintaining your applications without having to worry about purchasing, managing, or‬
‭maintaining the hardware on which it runs.‬
‭●‬ ‭You can use multiple public cloud providers of varying scale.‬

‭Advantages‬ ‭Disadvantages‬

‭High scalability/agility.‬ ‭Specific security requirements.‬

‭Pay-as-you-go pricing.‬ ‭ overnment policies, industry‬

G
‭standards, or legal requirements.‬

‭ ou are not responsible for the updates‬

Y ‭ ou don’t own the hardware or services‬
Y
‭and maintenance of the hardware.‬ ‭and you also can’t manage them as‬
‭you may want to.‬

‭ he required technical knowledge is‬

T ‭ aintaining a legacy application might‬
M
‭minimal.‬ ‭be hard to meet.‬

‭Private Cloud‬

‭●‬ A ‭ dedicated on-premises datacenter configured to be a cloud environment that provides users in‬
‭your organization with self-service access to compute resources.‬
‭●‬ ‭You are responsible for the purchase and maintenance of the hardware and software services.‬
‭●‬ ‭You can use a private cloud when an organization has data that cannot be put in the public cloud,‬
‭perhaps for legal reasons.‬

‭Advantages‬ ‭Disadvantages‬

‭ ny scenario or legacy application‬

A ‭ apEx involved – principal cost is the‬
C
‭configuration is supported.‬ ‭procurement of the equipment.‬

‭ ou have control (and responsibility)‬

Y ‭ o scale, you must buy, install, and set‬
T
‭over security.‬ ‭up new hardware.‬

‭https://portal.tutorialsdojo.com/‬ ‭22‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ ompliance or security requirements in‬

C ‭ rivate clouds require IT skills and‬
P
‭your organization.‬ ‭expertise.‬

‭Hybrid Cloud‬

‭‬ D
● ‭ ata and applications can move between‬‭private‬‭and‬‭public clouds‬‭.‬
‭●‬ ‭When there is a spike in demand in your private cloud, you can “burst through” to the public cloud‬
‭for additional computing resources.‬

‭Advantages‬ ‭Disadvantages‬

‭ aintain a private infrastructure for‬

M ‭ ore expensive than selecting one‬
M
‭sensitive assets.‬ ‭deployment model since it involves‬
‭some CapEx cost upfront‬

‭ ake advantage of the resources in the‬

T I‭t can be more complicated to set up‬
‭public cloud when needed.‬ ‭and manage‬

‭ ith the ability to scale to the public cloud,‬

W
‭you pay for extra computing power only‬
‭when needed.‬

‭ llows you to use your own equipment to‬

A
‭meet the security and compliance‬
‭requirements in your organization.‬

‭https://portal.tutorialsdojo.com/‬ ‭23‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭AZURE BASICS‬
‭Azure Overview‬

‭ zure is a cloud computing platform that was introduced by Microsoft in 2010. It enables you to create,‬
A
‭manage, and deploy applications across a large global network. Microsoft Azure also provides a variety‬
‭of services to assist your business in addressing current and potential business challenges in your‬
‭infrastructure and applications.‬

‭ oday, Microsoft Azure has the second-largest share in the cloud industry. It also has specialized‬
T
‭regions for compliance or legal purposes.‬

‭Advantages of Azure Cloud Computing‬

‭●‬ C ‭ ost‬‭– Eliminate the capital expense of buying hardware,‬‭software, and setting up of data centers.‬
‭The principle of the cloud is, you will only pay for the computing resources you have consumed.‬
‭●‬ ‭Global scale‬‭– One of the benefits of cloud computing‬‭is the ability to scale elastically. This means‬
‭that you can easily add resources such as compute and storage capacity in different regions with‬
‭just a few clicks.‬
‭●‬ ‭Performance‬‭– Cloud computing services are hosted‬‭on a global network of secure data centers‬
‭that are upgraded with the latest generation of computing hardware on a regular basis. Compared‬
‭to a single corporate datacenter, this has several advantages, including lower application network‬
‭latency and greater economies of scale.‬
‭●‬ ‭Security‬‭– Cloud service providers offer a broad‬‭set of policies, technologies, and controls to‬
‭protect your data and infrastructure against potential threats.‬
‭●‬ ‭Speed‬‭– In a cloud computing environment, you can‬‭provision computing resources in minutes with‬
‭just a few clicks. Providing businesses with a great deal of flexibility and relieving capacity planning‬
‭pressure.‬
‭●‬ ‭Productivity‬‭– The cloud provides a lot of convenience‬‭to your IT teams since it reduces the time‬
‭needed to obtain additional resources, allowing them to focus solely on achieving more important‬
‭business goals.‬
‭●‬ ‭Reliability‬‭– With cloud computing, you can easily‬‭manage backup data, disaster recovery and‬
‭business continuity since the data can be mirrored at multiple redundant sites.‬

‭https://portal.tutorialsdojo.com/‬ ‭24‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Global Infrastructure‬

‭Regions‬

‭‬ E
● ‭ ach region has more than one data center, which is a physical location.‬
‭●‬ ‭A group of data centers deployed in a latency-defined perimeter and connected through a dedicated‬
‭regional low-latency network.‬
‭●‬ ‭Criteria in choosing a Region:‬
‭○‬ ‭Location‬‭– a region closest to your users minimizes‬‭the latency.‬
‭○‬ ‭Features‬‭– some features are not available in all‬‭regions.‬
‭○‬ ‭Price‬‭– the price of services varies from region to‬‭region.‬
‭●‬ ‭Each Region is paired within the same geographic area.‬
‭●‬ ‭If the primary region has an outage, you can‬‭failover‬‭to the secondary region.‬
‭●‬ ‭You can use paired regions for‬‭replication.‬
‭●‬ ‭Regions that are unique when it comes to compliance:‬
‭○‬ ‭Azure Government Cloud‬‭– only US federal, state, local,‬‭and tribal governments and their‬
‭partners have access to this dedicated instance.‬
‭○‬ ‭China Region‬‭– data center is physically located within‬‭China and has no connection outside‬
‭of China, including other Azure regions.‬

‭Availability Zones‬

‭‬ E
● ‭ ach availability zone is a physical location within a region.‬
‭●‬ ‭A zone is composed of one or more data centers with independent power, cooling, and networking‬
‭facilities.‬
‭●‬ ‭Azure services that support Availability Zones fall into two categories:‬
‭○‬ ‭Zonal services‬‭– a resource is pinned to a specific‬‭zone.‬
‭○‬ ‭Zone-redundant services‬‭– replicates automatically‬‭across zones.‬

‭https://portal.tutorialsdojo.com/‬ ‭25‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Security and Compliance‬

I‭n the cloud, the responsibility of security is a shared one. Microsoft Azure secures what they can on‬
‭their end, while you secure what you can on your end. Only this way can everyone protect their valuable‬
‭data. Also as a customer, you inherit all the best practices of Azure policies, architecture, and operational‬
‭processes built to satisfy the requirements of their most security-sensitive customers.‬

‭ icrosoft Azure has also developed multiple tools and services to help you achieve your security‬
M
‭objectives. You can also review the numerous audits and certifications that third-party auditors have‬
‭conducted on Azure so that whenever you need to fulfill strict compliance with the use of a service, you‬
‭can simply verify its status through the catalog.‬

‭Azure Pricing‬

‭‬ A
● ‭ zure offers pay-as-you-go and reserved instances for pricing.‬
‭●‬ ‭Azure Pricing Factors:‬
‭○‬ ‭Resource size and resource type.‬
‭○‬ ‭Different Azure locations have different prices for services.‬
‭○‬ ‭The bandwidth of your services.‬
‭○‬ ‭Any data transfer between two different billing zones is charged.‬
‭■‬ ‭Ingress (data in)‬‭= free‬
‭■‬ ‭Egress (data out)‬‭= charged based on data going out‬‭of Azure datacenters.‬
‭●‬ ‭Factors that can reduce costs:‬
‭○‬ ‭By purchasing a‬‭reserved instance‬‭(one-year or three-year‬‭terms), you can significantly‬
‭reduce costs by up to 72 percent compared to pay-as-you-go pricing.‬
‭○‬ ‭A‬‭reserved capacity‬‭is a commitment for a period of‬‭one or three years for SQL Database‬
‭and SQL Managed Instance.‬
‭○‬ ‭Hybrid Benefit‬‭allows you to use your on-premises‬‭Software Assurance-enabled Windows‬
‭Server and SQL Server licenses on Azure.‬
‭○‬ ‭If you purchase an unused compute capacity, you can get deep discounts up to 90 percent‬
‭compared to pay-as-you-go pricing.‬‭A spot virtual‬‭machine‬‭is for workloads that can tolerate‬
‭interruptions.‬
‭●‬ ‭All resources belong to a‬‭subscription‬‭.‬
‭○‬ ‭An Azure account can have multiple subscriptions.‬
‭○‬ ‭Organize your resources and subscriptions using‬‭Azure‬‭management groups‬‭.‬
‭●‬ ‭Azure Cost Management‬‭gives you a detailed view of‬‭current and projected costs.‬
‭●‬ ‭For new accounts, the‬‭Azure Free Tier‬‭is available.‬
‭○‬ ‭Free Tier offers limited usage of Azure products at no charge for 12 months.‬
‭○‬ ‭You also get $200 credit that you can spend during the first 30 days.‬
‭○‬ ‭More details at‬‭https://azure.microsoft.com/en-us/free/‬

‭https://portal.tutorialsdojo.com/‬ ‭26‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ ‬ ‭Estimate your expected monthly costs using‬‭Azure Pricing Calculator.‬

○
‭ ‬ ‭Total Cost of Ownership (TCO) Calculator‬
●
‭○‬ ‭Estimate total savings over a period of time by using Azure.‬
‭○‬ ‭Compares costs and savings against on-premises and co-location environments.‬
‭●‬ ‭Azure Support Plans:‬
‭○‬ ‭Basic‬‭– included for all Azure customers.‬
‭○‬ ‭Developer‬‭– recommended for non-production environments.‬‭Limited access to technical‬
‭support during business hours by email only.‬
‭○‬ ‭Standard‬‭– appropriate for production workload environments.‬‭Has 24/7 access to Azure’s‬
‭technical support engineers by phone or email.‬
‭○‬ ‭Professional Direct‬‭– suitable for business-critical‬‭workloads. Has 24/7 access to Azure’s‬
‭technical support engineers by phone or email. Provides access to Operations Support,‬
‭ProDirect delivery managers, and Support APIs.‬

‭Service Level Agreement (SLA)‬

‭ ‬ I‭t is the commitment of Microsoft for the uptime and connectivity of a service.‬
●
‭●‬ ‭You could obtain a service credit if the service level agreement is not met by Microsoft.‬
‭●‬ ‭Composite SLAs include several resources (‬‭with different‬‭availability levels‬‭) to support an‬
‭application.‬
‭●‬ ‭SLAs for multi-region deployments distribute the application in more than one region for high‬
‭availability and use Azure Traffic Manager for failover if one region fails.‬

‭Service Lifecycle‬

‭●‬ P ‭ rivate Preview‬‭is only available to a few customers‬‭for early access to new technologies and‬
‭features.‬
‭●‬ ‭Public Preview‬‭makes the service in the public phase‬‭and can be used by any customers to‬
‭evaluate the new features but SLA does not apply.‬
‭●‬ ‭General Availability‬‭is the release of service to‬‭the general public and is fully supported by SLAs.‬
‭●‬ ‭Azure updates allow you to get the latest updates on any Azure products and features.‬

‭https://portal.tutorialsdojo.com/‬ ‭27‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Well-Architected Framework - Five Pillars‬

‭●‬ O ‭ perational Excellence‬‭- run and monitor systems to‬‭deliver business value and to continually‬
‭improve supporting processes and procedures.‬
‭●‬ ‭Reliability‬‭- recover the system from infrastructure‬‭or service disruptions, dynamically acquire‬
‭computing resources to meet demand, and mitigate disruptions such as misconfigurations or‬
‭transient network issues.‬
‭●‬ ‭Performance Efficiency‬‭- use computing resources efficiently‬‭to meet system requirements and to‬
‭maintain that efficiency as demand changes and technologies evolve.‬
‭●‬ ‭Cost Optimization‬‭- avoid or eliminate unneeded costs‬‭or suboptimal resources.‬
‭●‬ ‭Security‬‭- protect information, systems, and assets‬‭while delivering business value through risk‬
‭assessments and mitigation strategies.‬

‭Best Practices when Architecting in the Cloud‬

‭●‬ D ‭ esign for self healing‬‭- Failures occur in a distributed‬‭system. Design your application to be‬
‭self-healing in the event of failure.‬
‭●‬ ‭Make all things redundant‬‭- Design a resilient and‬‭highly available application to avoid single points‬
‭of failure.‬
‭●‬ ‭Minimize coordination‬‭- To achieve scalability, you‬‭must minimize coordination between application‬
‭services.‬
‭●‬ ‭Design to scale out‬‭- Design an application that can‬‭scale horizontally (adding or removing new‬
‭instances) as needed.‬
‭●‬ ‭Partition around limits‬‭- Use partition for database,‬‭network, and compute limits‬
‭●‬ ‭Design for operations‬‭- The operations team must be‬‭able to access the tools they need for the‬
‭application.‬
‭●‬ ‭Use managed services‬‭- When designing an application,‬‭use PaaS rather than IaaS.‬
‭●‬ ‭Use the best data store for the job‬‭- Select the storage‬‭technology that is most appropriate for your‬
‭data and its intended use.‬
‭●‬ ‭Design for evolution‬‭- An evolutionary design is required‬‭for continuous innovation.‬
‭●‬ ‭Build for the needs of business‬‭- Always consider‬‭the business requirements when designing an‬
‭application.‬

‭https://portal.tutorialsdojo.com/‬ ‭28‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭THE DIFFERENT AZURE SERVICES‬

‭ ompute‬‭is the processing power required by applications‬‭and systems to carry out computational‬
C
‭tasks.‬
‭Services: Virtual Machine, App Service, Functions, and Kubernetes Service‬

‭ torage‬‭in the cloud is used to store different types‬‭of data, such as objects, files, and backups.‬
S
‭Services: Blob, Disk, and Files‬

‭ atabase‬‭is a system to store and manage structured‬‭and unstructured information.‬

D
‭Services: SQL Database and Cosmos DB‬

‭ etworking‬‭provides a global link to distribute the‬‭application all over the world.‬

N
‭Services: Virtual Network, Load Balancer, CDN, and DNS‬

‭ ecurity‬‭allows you to authenticate and authorize‬‭users and services to access your applications.‬
S
‭Services: Active Directory, RBAC, and Security Center‬

‭ anagement and Governance‬‭is a tool to control and‬‭monitor your infrastructure services.‬

M
‭Services: Monitor, Policy, and Advisor‬

‭https://portal.tutorialsdojo.com/‬ ‭29‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭DEEP DIVE‬

‭Azure Virtual Machines‬

‭Components of a Virtual Machine‬

‭1.‬ W
‭ hen creating a virtual machine, you always start off by choosing a‬‭subscription‬‭and‬‭resource‬
‭group‬‭. A subscription is a container where you can‬‭provision Azure resources. Before you can‬
‭deploy resources, you also need to create a new resource group. This is a logical group to organize‬
‭and manage all your resources in your subscription.‬

‭2.‬ A
‭ fter you have chosen the resource group, you configure the‬‭availability option‬‭of your virtual‬
‭machine. You can choose between the availability zone, availability set or no infrastructure‬
‭redundancy option. The option you selected here would determine the availability and resiliency of‬
‭your applications.‬

‭3.‬ T
‭ he‬‭image‬‭of your virtual machine contains the OS,‬‭settings, and other applications that you will use‬
‭in your server. In the Azure Marketplace, you can choose between images provided by Microsoft or‬
‭your own custom image‬

‭4.‬ O
‭ nce you have chosen the image of your virtual machine, select the‬‭type and size‬‭of your virtual‬
‭machine. This will determine the physical properties of your instance, such as vCPUs, RAM, disks,‬
‭and more.‬

‭5.‬ D
‭ uring the creation of your virtual machine, you can also specify whether you'd like to launch it in a‬
‭spot instance‬‭or use another instance billing type‬‭(pay as you go or reserved).‬

‭6.‬ T
‭ o access your virtual machine, you will need to use a‬‭key pair‬‭. It is generated after you launch your‬
‭virtual machine. Make sure to secure your copy of your public key. Once you delete your public key,‬
‭you wouldn't be able to directly access your instance.‬

‭7.‬ A
‭ fter you have configured the basic settings, you need to add‬‭storage‬‭for your virtual machine. The‬
‭disks that can be added are the operating system disk, data disk, and temporary disk. Encryption for‬
‭your disks is automatically configured.‬

‭8.‬ Y
‭ ou also need to configure which‬‭virtual network‬‭the‬‭virtual machine should be launched in. And‬
‭the‬‭network security group‬‭will serve as a firewall‬‭to your servers. It contains rules that allow or‬
‭deny network traffic coming to or from your firewall.‬

‭https://portal.tutorialsdojo.com/‬ ‭30‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭9.‬ W
‭ hen you have configured the network settings of your virtual machines, you can also enable‬
‭monitoring, auto-shutdown, and backup‬‭in the management‬‭options.‬

‭10.‬‭In the advanced configuration option of your virtual machine, you can add‬‭extensions‬‭for‬
‭post-deployment configuration,‬‭custom and user data‬‭to execute certain commands while the‬
‭instance is being provisioned, and‬‭proximity placement‬‭group to enable you to group your resources‬
‭closer in the same region.‬

‭11.‬‭Lastly, you can add‬‭tags‬‭to easily identify and classify‬‭your resources.‬

‭12.‬‭Once you have reviewed the configuration of your instance, proceed with the launch. Wait for your‬
‭virtual machine to finish preparing itself, and you should be able to connect to it if there aren’t any‬
‭issues.‬

‭13.‬‭If you are having difficulties connecting to a virtual machine, you can try redeploying the VM to‬
‭move it to a new node in the Azure infrastructure. Don’t worry, all of the existing configurations in‬
‭the resource will still be there after completing the redeployment.‬

‭Types of Virtual Machines‬

‭1.‬ G
‭ eneral Purpose‬‭- provides a balanced CPU-to-memory‬‭ratio. This instance is ideal for testing,‬
‭development, and low to medium-traffic web servers. The B-series have burstable performance that‬
‭allows the VM to use the build-up credits when the application requires higher CPU performance.‬

‭2.‬ C
‭ ompute Optimized‬‭- designed to have a high CPU-to-memory‬‭ratio. Instances belonging to this‬
‭family are well suited for medium-traffic web servers, network appliances, batch processes,‬
‭analytics, application, and gaming servers.‬

‭3.‬ M
‭ emory Optimized‬‭- offers a high memory-to-CPU ratio.‬‭Ideal for relational database servers,‬
‭medium to large caches, and in-memory analytics.‬

‭4.‬ S
‭ torage Optimized‬‭- provides high disk throughput‬‭and IO. This VM size is ideal for SQL, NoSQL‬
‭databases, big data, data warehousing, and large transactional databases.‬

‭5.‬ G
‭ PU‬‭- designed for compute-intensive, graphics-intensive,‬‭and visualization workloads. It is‬
‭available in single, multiple, or fractional GPUs.‬

‭6.‬ H
‭ igh-performance compute‬‭- the HPC VM size is the‬‭most powerful and fastest CPU with high‬
‭throughput network interfaces. It is optimized for fluid dynamics, explicit and implicit finite element‬
‭analysis, weather modeling, seismic processing, reservoir simulation, and RTL simulation.‬

‭https://portal.tutorialsdojo.com/‬ ‭31‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Virtual Machine Disks‬

‭ he disks of a virtual machine are block-level storage volumes. This storage is managed by Azure and‬
T
‭mainly used for Azure VMs. With managed disks, all you have to do is specify the type and size of the‬
‭disk and provision it.‬

‭In Azure, there are three types of disk roles:‬

‭1.‬ ‭Operating system (OS) disk‬ ‭- in order for the virtual‬‭machine to operate, it must have an OS disk.‬
‭There are a variety of images that you can choose from in the Azure Marketplace. An example of‬
‭images that you can use are Windows Server, Ubuntu, Debian, RHEL, etc. There are two types of OS‬
‭disk:‬
‭a.‬ ‭Persistent OS disk - this type of disk supports all sizes of VM, and the data is preserved even‬
‭if you upgrade your OS disk and VM size.‬
‭b.‬ ‭Ephemeral OS disk - use ephemeral OS disks if you need lower read/write latency and faster‬
‭VM reimage. This type of disk is ideal for stateless applications, and it can be stored on VM‬
‭cache or VM temp/resource disk if sufficient space is available.‬

‭2.‬ D
‭ ata disk‬‭- this disk is also managed by Azure, and‬‭you can store your application data or any other‬
‭data that you need to keep. Before you use a data disk, there are two options that you can select:‬
‭a.‬ ‭Create and attach a new disk - you have the option to create the new disk from a snapshot,‬
‭storage blob, or an empty disk.‬
‭b.‬ ‭Attach an existing disk - allows you to add the disks you’ve already created. It’s also‬
‭important to know that the number of data disks that you can attach will depend on the size‬
‭of your VM.‬

‭3.‬ T
‭ emporary disk‬‭- provides you short-term storage to‬‭store pages and swap files. Take note that the‬
‭data on this disk may be lost when you redeploy a VM or during a maintenance event. Also, to‬
‭configure a server-side encryption on this disk, you need to enable encryption at host.‬

‭The available disks that you can choose from are:‬

‭1.‬ ‭Ultra Disk‬‭- ideal for IO-intensive workloads, top-tier‬‭databases, and other transaction-heavy‬
‭workloads. This storage has the highest disk size, throughput, and IOPS.‬
‭2.‬ ‭Premium SSD‬‭- designed for production and performance-sensitive‬‭workloads.‬
‭3.‬ ‭Standard SSD‬‭- used for web servers and dev/test environments.‬
‭4.‬ ‭Standard HDD‬‭- ideal for backup, non-critical data,‬‭and infrequent access.‬

‭https://portal.tutorialsdojo.com/‬ ‭32‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Detai‬ ‭Standar‬ ‭Standar‬ ‭Premium SSD‬ ‭Ultra Disk‬

‭l‬ ‭d HDD‬ ‭d SSD‬

‭ isk‬
D ‭HDD‬ ‭SSD‬ ‭SSD‬ ‭SSD‬
‭type‬

‭Scen‬ ‭ ackup,‬
B ‭ eb‬
W ‭Production‬ I‭O-intensive‬
‭ario‬ ‭non-crit‬ ‭servers,‬ ‭and‬ ‭workloads, top‬
‭ical,‬ ‭and‬ ‭performance‬ ‭tier databases,‬
‭infrequ‬ ‭light‬ ‭sensitive‬ ‭and other‬
‭ent‬ ‭applicat‬ ‭workloads‬ ‭transaction-he‬
‭access‬ ‭ions of‬ ‭avy workloads‬
‭enterpri‬
‭se‬

‭ ax‬
M ‭32,767‬ ‭32,767‬ ‭32,767 GiB‬ ‭65,536 GiB‬
‭Disk‬ ‭GiB‬ ‭GiB‬
‭Size‬

‭Max‬ ‭500‬ ‭750‬ ‭900 MB/s‬ ‭2,000 MB/s‬

‭ hro‬
T ‭MB/s‬ ‭MB/s‬
‭ughp‬
‭ut‬

‭ ax‬
M ‭2,000‬ ‭6,000‬ ‭20,000‬ ‭160,000‬
‭IOPS‬

I‭t’s also very important to understand how you can secure your data inside your virtual machine disks.‬
‭Let’s now take a look at disk encryption, Azure managed disks supports three types of encryption:‬
‭1.‬ ‭Server Side Encryption (SSE)‬‭- the data stored on‬‭managed disks are automatically encrypted at‬
‭rest by default when persisting it to the cloud.‬
‭a.‬ ‭Platform-managed keys - the keys are managed by Azure. The data, images, and snapshots‬
‭written to an existing managed disks are automatically encrypted-at-rest.‬
‭b.‬ ‭Customer-managed keys - since you are providing your own keys, you also manage the level‬
‭of encryption on each managed disk. To manage your own keys, you can use Azure Key‬
‭Vault. This service enables you to import your own RSA keys or generate a new ones.‬

‭2.‬ A
‭ zure Disk Encryption (ADE)‬‭- provides volume encryption‬‭on both OS and data disks of Azure VMs.‬
‭The encryption for Windows is done using BitLocker. On the other hand, the encryption for Linux is‬
‭done using DM-Crypt.‬

‭https://portal.tutorialsdojo.com/‬ ‭33‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭3.‬ E
‭ ncryption at host‬‭- this type of encryption is different from SSE. The encryption of data is provided‬
‭by the server hosting your virtual machine and the encrypted data flows into the Azure Storage‬
‭service.‬

‭ ncry‬
E ‭Temp‬ ‭ ncry‬
E ‭Encry‬ ‭ ust‬
C ‭ ncry‬
E
‭ption‬ ‭Disk‬ ‭ption‬ ‭pted‬ ‭omer‬ ‭ption‬
‭at‬ ‭Encry‬ ‭of‬ ‭Data‬ ‭Keys‬ ‭Statu‬
‭rest‬ ‭ption‬ ‭Cach‬ ‭Flow‬ ‭s‬
‭es‬ ‭s‬

‭ ncryption‬
E ‭✓‬ ‭-‬ ‭-‬ ‭-‬ ‭-‬ ‭ nhe‬
U
‭at rest with‬ ‭althy‬
‭PMK‬

‭ ncryption‬
E ‭✓‬ ‭-‬ ‭-‬ ‭-‬ ‭✓‬ ‭ nhe‬
U
‭at rest with‬ ‭althy‬
‭CMK‬

‭ zure Disk‬
A ‭✓‬ ‭✓‬ ‭✓‬ ‭✓‬ ‭✓‬ ‭Healt‬
‭Encryption‬ ‭hy‬

‭ ncryption‬
E ‭✓‬ ‭✓‬ ‭✓‬ ‭✓‬ ‭✓‬ ‭ nhe‬
U
‭at Host‬ ‭althy‬

‭Note:‬
‭●‬ ‭The encrypted data flows are between Compute and Storage service.‬
‭●‬ ‭The disk encryption status is labeled by Azure Security Center.‬

‭ hen creating a copy of your managed disks, there are comparisons between images and snapshots.‬
W
‭As discussed earlier in data disks, snapshots allow you to create a point in time recovery. But how is it‬
‭different from images?‬

‭Let's look at the differences between the two:‬

‭1.‬ ‭Snapshots‬‭- a full, read-only copy of your virtual‬‭hard drive. It can be taken at any point in time. The‬
‭existence of a managed disk snapshot is independent of the source disk. This means that it applies‬
‭only to one disk. You can also use snapshots to create a new disk and attach it to a virtual machine.‬
‭2.‬ ‭Images‬‭- contain all the managed disks associated‬‭with the virtual machine. The created image can‬
‭be used to launch hundreds of virtual machines without managing any storage accounts.‬

‭https://portal.tutorialsdojo.com/‬ ‭34‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ o conclude the comparison, a snapshot is only aware of the disk that it contains. For scenarios that‬
T
‭require the coordination of multiple disks, like striping, snapshot wouldn’t be able to meet this‬
‭requirement. Therefore, this is where you would want to use custom images.‬

‭ hen talking about how the virtual machine handles unexpected disk traffic, Azure offers a feature‬
W
‭called‬‭bursting‬‭. This will grant the virtual machine‬‭and disk the ability to boost the IOPS and MB/s‬
‭performance for a period of time. In other words, it will allow you to get more use out of your disk and‬
‭also helps you avoid upgrading the disk just to accommodate traffic spikes. The bursting on virtual‬
‭machines and disks are independent from one another. So if you need to burst the disk performance,‬
‭you don't need to burst the virtual machine. Bursting is enabled by default for both virtual machine and‬
‭disk.‬

‭The following resources support bursting:‬

‭1.‬ ‭Burstable Virtual Machines:‬
‭a.‬ ‭General Purpose:‬‭B, Dsv3, Dasv4, Ddsv4, and Dsv4 series‬
‭b.‬ ‭Compute Optimized:‬‭Fsv2 series‬
‭c.‬ ‭Memory Optimized:‬‭Esv3, Easv4, Edsv4, and Esv4 series‬
‭d.‬ ‭Storage Optimized:‬‭Lsv2 series‬
‭2.‬ ‭Burstable Disk:‬
‭a.‬ ‭Premium SSD‬
‭b.‬ ‭Standard SSD‬

‭Payment options for Virtual Machines‬

‭ zure provides you with a variety of options to pay for compute capacity. Here are the following payment‬
A
‭options:‬
‭1.‬ ‭Pay as you go‬‭- you are billed on a per-second basis.‬‭You can start or stop anytime, and you only‬
‭pay for what you use. This payment option is ideal for users who prefer flexibility or have‬
‭unpredictable workloads that cannot be interrupted.‬
‭2.‬ ‭Reserved Instance‬‭- you get up to 72 percent price‬‭savings compared to pay-as-you-go, but in‬
‭return, you need to pay the upfront cost and be committed for one or three years in a specified‬
‭region. There are three options to scope a reservation:‬
‭a.‬ ‭Single resource group‬‭- the reservation discount applies‬‭solely to the corresponding‬
‭resources in the resource group you've chosen. Keep in mind that discounts will not be‬
‭applied if the resource group is moved or deleted.‬
‭b.‬ ‭Single subscription‬ ‭- the reservation discount applies‬‭only to the corresponding resources‬
‭in the subscription you've selected.‬
‭c.‬ ‭Shared‬‭- the reservation discount is applied to the‬‭corresponding resources in eligible‬
‭subscriptions within the billing context. If the subscription is moved to a different billing‬

‭https://portal.tutorialsdojo.com/‬ ‭35‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ ontext, the discounts no longer apply to that subscription but will continue to apply to the‬
c
‭remaining subscriptions in the billing context.‬
‭i.‬ ‭The billing context for Enterprise Agreement customers is enrollment. In an‬
‭enrollment, the reservation shared scope contains multiple Active Directory tenants.‬
‭ii.‬ ‭The billing scope for Microsoft Customer Agreement customers is billing profile.‬
‭iii.‬ ‭The billing scope for individual subscriptions with pay-as-you-go rates is all eligible‬
‭subscriptions.‬
‭After purchasing a reservation, you can always update the scope. Go to the reservation, click‬
‭Configuration‬‭, and then rescope the reservation. Rescoping‬‭a reservation won't change the‬
‭reservation term.‬

‭3.‬ S
‭ pot‬‭- save up to 90 percent when you purchase unused‬‭compute capacity. This is only ideal for‬
‭workloads that can tolerate interruptions. Discounts may vary based on:‬
‭a.‬ ‭Region‬
‭b.‬ ‭Virtual machine type‬
‭c.‬ ‭Compute capacity‬

‭ ince Azure Spot Virtual Machines are unused capacity, at any point in time, Azure infrastructure can‬
S
‭evict Spot VMs with 30 seconds notice. Eviction is based on the capacity or the max price you've set.‬
‭When creating a Spot VMs, you can set the eviction policy to Deallocate (default) or Delete.‬

‭ he Deallocate policy moves your virtual machine to the stopped-deallocated state, allowing you to‬
T
‭redeploy it later. However, there is no assurance that the allocation will be successful. Your quota will be‬
‭depleted by the deallocated VMs, and you will be charged for the underlying disks.‬

I‭f you want your virtual machines to be deleted when it is evicted, you can set the eviction policy to‬
‭Delete. The underlying disks are also deleted, so you won't be charged for the storage. In the portal, you‬
‭can look up the eviction rates by size in a certain region. Go to‬‭View pricing history and compare prices‬
‭in nearby regions‬‭to see a table or graph of pricing‬‭for a specific size.‬

‭Availability Options for Virtual Machines‬

‭There are two ways to manage the availability and resiliency of your applications in a virtual machine:‬
‭1.‬ ‭Availability zones‬‭- to protect your resources from‬‭an entire data center failure, you need to deploy‬
‭the VMs to a minimum of three Availability Zones to ensure resiliency. Azure services that support‬
‭Availability Zones are classified into two types:‬
‭a.‬ ‭Zonal services - resources are pinned to a specific Availability Zone.‬
‭Examples: Virtual machines, Managed disks, Standard IP addresses‬
‭b.‬ ‭Zone-redundant services - replicate resources automatically across Availability Zones to‬
‭protect from single points of failure.‬

‭https://portal.tutorialsdojo.com/‬ ‭36‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ xamples: Zone-redundant storage, SQL Database‬

E
‭ .‬ ‭Availability sets‬‭- to protect from hardware failures‬‭within a data center, you can deploy the virtual‬
2
‭machine to an availability set. Each VM in an availability set is assigned to an update domain and‬
‭fault domain. This option ensures that at least one is available during planned or unplanned‬
‭maintenance events.‬
‭a.‬ ‭Update domains (planned maintenance)‬
‭i.‬ ‭A logical group of virtual machines that can undergo maintenance at the same time.‬
‭By default, it has five non-user-configurable update domains. It can be increased up‬
‭to 20 update domains and given 30 minutes to recover before maintenance is‬
‭initiated on a different update domain.‬
‭b.‬ ‭Fault domains (unplanned maintenance)‬
‭i.‬ ‭A logical group of virtual machines that share a common power source and network‬
‭switch. By default, VMs within an availability set are separated up to three fault‬
‭domains.‬

‭Virtual Machine Scale Sets‬

‭ hen you need to improve the performance of your applications and also provide redundancy, you‬
W
‭should scale your resources horizontally. Horizontal scaling means you are adding more servers to the‬
‭system. By doing this, the workload will be distributed across multiple resources and accommodate the‬
‭increasing demand. Take note that this type of scaling is different from vertical scaling. When you say‬
‭scale vertically, you are increasing or decreasing the resources of a single server instead of adding new‬
‭servers to the system.‬

‭ he horizontal scaling service in Azure is called‬‭virtual machine scale sets‬‭. A VM scale set allows‬‭you to‬
T
‭create and manage a group of load-balanced VMs. Since the workload is distributed, if one VM fails, you‬
‭can still continue to access your application through other VMs with minimal interruption. You can also‬
‭distribute VMs in a scale set within a single data center or across various data centers. This service‬
‭supports both layer 4 basic traffic distribution and layer 7 advanced traffic distribution and TLS‬
‭termination.‬

‭Virtual Machine Scale Sets provide the following key benefits:‬

‭●‬ ‭By creating scaling policies, you can automatically add or remove virtual machines based on host‬
‭metrics. A host metric provides you visibility into the performance of the virtual machines in a scale‬
‭set without the need to install and configure agents. An example of host metrics can be CPU‬
‭Utilization, Network In, and many more.‬
‭●‬ ‭You can create health checks and set a repair policy to automatically replace unhealthy virtual‬
‭machines. Unhealthy instances are reported by Application Health extension or Load Balancer‬
‭health probes.‬

‭https://portal.tutorialsdojo.com/‬ ‭37‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭●‬ Y ‭ ou can associate virtual machine scale sets with a load balancer. This will allow you to distribute‬
‭virtual machines across Availability Zones. By implementing this practice, you can make your‬
‭application redundant and highly available.‬
‭●‬ ‭Lastly, virtual machine scale sets allow you to scale hundreds or even thousands of virtual‬
‭machines.‬

‭ ow that we know scale sets can be associated with load balancers, this will help us implement one of‬
N
‭the best practices on architecting in the cloud by evenly distributing the virtual machines across‬
‭different Availability Zones. The main reason why you need to configure it with a load balancer is to give‬
‭you high availability. An application that can run continuously even if one of the virtual machines fails.‬
‭Aside from distributing the load across AZs, one of the added benefits is you can use Load Balancer‬
‭health probes for more robust health checks.‬

‭When associating scale sets with a load balancer, you have two options:‬
‭1.‬ ‭Azure Application Gateway‬‭- is an HTTP/HTTPs web traffic‬‭load balancer that has the capability to‬
‭do the following: URL-based routing, SSL termination, session persistence, and web application‬
‭firewall.‬
‭2.‬ ‭Azure Load Balancer‬‭- a TCP/UDP network traffic load‬‭balancer that supports port forwarding and‬
‭outbound flows.‬

‭ fter going through load balancing, let’s now talk about the scaling policy and how it works. A‬‭scaling‬
A
‭policy‬‭can determine when a virtual machine should‬‭be added or removed to meet the current capacity‬
‭requirements of your application. When you create a virtual machine scale set, you would see this‬
‭configuration in the portal.‬

‭https://portal.tutorialsdojo.com/‬ ‭38‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ hese configurations can only be seen if you select the custom scaling policy option. The first thing that‬
T
‭you can set is the number of instances. But let’s focus on the remaining two options, the scaling out and‬
‭the scaling in.‬‭Scale out‬‭is when you need to add‬‭virtual machines to the scale set to increase the‬
‭current capacity. In order to scale out, you should input certain values on the following fields:‬
‭●‬ ‭CPU threshold - is the CPU usage percentage threshold on when to trigger the scale out rule.‬
‭●‬ ‭Duration in minutes - is the amount of time that the autoscale will check the threshold again.‬
‭●‬ ‭Number of instances to increase by - this will determine how many virtual machines should be‬
‭added when the scale out rule is triggered.‬

‭ n the other hand, the‬‭scale in‬‭rule is when should‬‭the scale sets remove a virtual machine in order to‬
O
‭decrease the capacity. Unlike scale out, you only need to input two values in the scale in fields. After you‬
‭create a virtual machine scale set, you will see a lot of options available that you can configure in the‬
‭scaling policy.‬

‭https://portal.tutorialsdojo.com/‬ ‭39‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ s seen in the image above, you can still configure other options in order to meet certain requirements‬
A
‭on when to scale your virtual machines. Here are the options that you can customize:‬
‭1.‬ ‭Metric Name‬‭- allows you to set the metric that will‬‭be collected to your virtual machine. Some of‬
‭the metrics that you can choose from are:‬
‭○‬ ‭Percentage CPU‬

‭https://portal.tutorialsdojo.com/‬ ‭40‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ ‬ ‭Network In or Out‬
○
‭○‬ ‭Disk Read or Write Bytes‬
‭○‬ ‭Disk Read or Write Operations/Sec‬
‭○‬ ‭CPU Credits Consumed or Remaining‬
‭2.‬ ‭Aggregates‬‭- it is how you want to collect the data.‬‭For example, TimeAggregation = “Sum” will‬
‭aggregate the sampled metrics by taking the sum. The methods that you can select from are:‬
‭○‬ ‭Average‬
‭○‬ ‭Minimum‬
‭○‬ ‭Maximum‬
‭○‬ ‭Sum‬
‭○‬ ‭Last‬
‭○‬ ‭Count‬
‭ .‬ ‭Operators‬‭- this will determine when to trigger scale‬‭action.‬
3
‭○‬ ‭Greater than‬
‭○‬ ‭Greater than or equal to‬
‭○‬ ‭Less than‬
‭○‬ ‭Less than or equal to‬
‭○‬ ‭Equal to‬
‭○‬ ‭Not equal to‬
‭4.‬ ‭Actions‬‭- what should the scaling policy do after‬‭it is triggered.‬
‭○‬ ‭Increase count by‬
‭○‬ ‭Increase percent by‬
‭○‬ ‭Increase count to‬
‭○‬ ‭Decrease count by‬
‭○‬ ‭Decrease percent by‬
‭○‬ ‭Decrease count to‬

‭If you want to collect more information based on different metrics, you need to install the following:‬
‭●‬ ‭App Insights‬‭- when you want to collect application‬‭metrics such as page load performance and‬
‭session counts, you can install app insights in your application, and it will monitor your app and‬
‭send telemetry to Azure.‬
‭●‬ ‭Azure Diagnostic Extension‬‭- when you want detailed‬‭Host-based metrics, you can install this‬
‭extension. This agent will run inside your virtual machine. It will monitor and save performance‬
‭metrics to an Azure storage service to collect more detailed information.‬

‭https://portal.tutorialsdojo.com/‬ ‭41‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭There are also other options that you can configure when creating a virtual machine scale set:‬
‭1.‬ ‭Scale-In Policy‬‭- allows you to specify the order‬‭in which virtual machines are deleted during a‬
‭scale-in operation. The options that you can select from are:‬
‭a.‬ ‭Default‬
‭■‬ ‭Balance across availability zones and fault domains‬
‭■‬ ‭Deletes the VM with the highest instance ID‬
‭b.‬ ‭Newest VM‬
‭■‬ ‭Balance across availability zones‬
‭■‬ ‭Deletes the newest created virtual machine‬
‭c.‬ ‭Oldest VM‬
‭■‬ ‭Balance across availability zones‬
‭■‬ ‭Deletes the oldest created virtual machine‬
‭2.‬ ‭Update Policy‬‭- allows you to set how you can upgrade‬‭your virtual machines to the latest scale set‬
‭model.‬
‭a.‬ ‭Automatic - upgrades will start immediately in random order.‬
‭b.‬ ‭Manual - the existing virtual machines must be manually upgraded.‬
‭c.‬ ‭Rolling - upgrades are rolled out in batches with the option to pause.‬
‭3.‬ ‭Automatic OS Upgrades‬‭- by enabling this option, the‬‭upgrades on the OS disk will be done‬
‭automatically for all virtual machines.‬
‭4.‬ ‭Health Monitoring‬‭- helps you determine if your resources‬‭are healthy or unhealthy. There are two‬
‭modes that you can select:‬
‭a.‬ ‭Application Health Extension - pings an HTTP/HTTPs request with a specific path and‬
‭returns an HTTP status.‬
‭b.‬ ‭Load Balancer Probe - checks are done through TCP/UDP or HTTP/HTTPs requests. You‬
‭can only select this option if you have an associated load balancer.‬
‭5.‬ ‭Automatic Repair Policy‬‭- automatically replace unhealthy‬‭virtual machines with a new one.‬
‭6.‬ ‭Allocation Policy‬‭- allows you to scale beyond 100‬‭instances (default).‬

‭https://portal.tutorialsdojo.com/‬ ‭42‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Proximity Placement Groups‬

I‭f you need to reduce the physical distance between virtual machines, you place it in a single region. To‬
‭bring VMs physically close together, you deploy it in a single availability zone. However, a single AZ may‬
‭span in different data centers, which can result in network latency that impacts your application. To‬
‭achieve the lowest possible latency, you need to deploy the virtual machines in a proximity placement‬
‭group.‬

‭ his is a logical grouping to make sure that the resources are physically close to each other. It could be‬
T
‭used with VMs, availability sets, and VM scale sets. You can also move your existing resources into a‬
‭proximity placement group. This configuration is helpful if latency is your first priority. But, if you need to‬
‭have resiliency, you should spread your virtual machines across availability zones. Remember that a‬
‭single proximity placement group cannot span zones, and by default, it can only hold 100 virtual‬
‭machines. You can scale beyond the limit if the‬‭singlePlacementGroup‬‭property is set to false.‬
‭Therefore, multiple placement groups can hold up to 1,000 virtual machines.‬

‭https://portal.tutorialsdojo.com/‬ ‭43‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Backup Azure Virtual Machines‬

‭ o prevent unintended destruction or deletion of data on a virtual machine, you need to create a backup‬
T
‭of your data. With the‬‭Azure Backup‬‭service, you can‬‭back up on-premises machines, workloads, and‬
‭Azure VMs. The backup schedule can be configured on a daily or weekly basis. While the backup‬
‭retention can be set on a daily, weekly, monthly, and yearly schedule.‬

I‭f you would recall, the VM in a stopped/deallocated state only stops the virtual machine and Azure‬
‭Backup only takes snapshots of the VM disks. This means that even if the VM status is running or‬
‭stopped, you can still create a backup as long as the disk is attached to the VM. Remember that you can‬
‭only backup data sources or virtual machines that are in the same region as the Recovery Services vault.‬
‭You can also back up virtual machines that have different resource groups or operating systems as long‬
‭as they are in the same region as the vault.‬

‭To understand how Azure Backup works, let’s take a look at its components:‬

‭1.‬ A
‭ ‬‭Recovery Services vault‬‭is a storage entity that‬‭stores data and recovery points that have been‬
‭created over time. The data stored in the vault is a copy of data or configuration information for‬

‭https://portal.tutorialsdojo.com/‬ ‭44‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

v‭ irtual machines, workloads or servers. It also supports service integration like System Center DPM,‬
‭Windows Server, Azure Backup Server, and many more.‬

‭A Recovery Services vault can't be deleted if it contains the following dependencies:‬

‭○‬ ‭Protected data sources (IaaS VMs, SQL databases, Azure file shares)‬
‭○‬ ‭Backup data‬
‭○‬ ‭Backup data (soft-deleted state)‬
‭○‬ ‭Registered storage accounts‬
‭Therefore, if you try to delete the vault without removing the dependencies, you will receive an error‬
‭message "Failed to delete resource group." To resolve this problem, you must stop the backup first,‬
‭then disable soft delete and delete the resource group.‬

‭2.‬ T
‭ he‬‭Microsoft Azure Recovery Services (MARS)‬‭agent‬‭allows you to backup data from Windows‬
‭virtual machines and on-premises machines. The backups are directly stored to the Recovery‬
‭Services vault. In order to install the MARS agent and perform backups, you need to have the‬
‭following:‬
‭○‬ ‭Recovery Services vault‬
‭○‬ ‭Backup policy‬
‭○‬ ‭Secure route (ExpressRoute or Private Endpoint)‬

‭3.‬ A
‭ zure Backup Vault is an important component of the Azure Backup service. It serves as a storage‬
‭entity that houses backup data for various Azure services. It’s designed to support newer workloads‬
‭and services like Azure Database for PostgreSQL servers. The vault simplifies the organization of‬
‭backup data, reducing management overhead. It incorporates enhanced security features to protect‬
‭cloud backups and ensure safe data recovery, even in compromised environments. The vault is‬
‭compatible with Azure role-based access control (RBAC), providing fine-grained access‬
‭management. It also ensures data isolation by storing backup data in a Microsoft-managed Azure‬
‭subscription and tenant, separate from the production environment. The vault handles storage‬
‭settings and encryption settings, offering options for platform-managed keys and‬
‭customer-managed keys for backup data encryption.‬

‭4.‬ T
‭ he‬‭Azure Storage Explorer‬‭is a standalone application‬‭that offers a unified interface for managing‬
‭Azure Storage data. It simplifies the process of managing and navigating Azure Storage accounts,‬
‭including Blob Containers, File Shares, Queues, and Tables. Users can easily upload, download, and‬
‭manage data across multiple subscriptions using this tool. It also supports advanced features such‬
‭as blob snapshots, blob versioning, and setting up blob access tiers. Azure Storage Explorer is‬
‭available on Windows, macOS, and Linux, which makes it a convenient choice for developers and‬
‭administrators working on different platforms.‬

‭https://portal.tutorialsdojo.com/‬ ‭45‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭5.‬ T
‭ o create a‬‭Backup Policy‬‭, you need to select a‬‭datasource type‬‭first. You can choose between‬
‭Azure Virtual Machines or Azure Database for PostgreSQL servers. Then choose‬‭frequency‬‭, whether‬
‭it is daily or weekly. After that, you input how many days you want to retain the recovery snapshots.‬
‭At most, you can only retain the instant recovery snapshot for 5 days. Lastly, choose the‬‭retention‬
‭range‬‭of your backups, if it’s daily, weekly, monthly,‬‭or yearly.‬

‭6.‬ F
‭ or hybrid backup solutions for site-to-site recovery or business continuity and disaster recovery‬
‭(BCDR) strategy, you can use‬‭Azure Site Recovery.‬‭It replicates workloads from a primary site to the‬
‭secondary site. For example, your primary site suddenly suffers outages. Since the primary site‬
‭becomes unavailable, Azure Site Recovery will automatically failover to the secondary site and‬
‭ensure that your services are still working. The following resources can be replicated:‬
‭○‬ ‭Azure Virtual Machines (Cross Region Replication)‬
‭○‬ ‭Any operating system‬
‭○‬ ‭On-premise to Azure‬
‭○‬ ‭Other Cloud Service Providers to Azure‬
‭○‬ ‭VMWare, Hyper-V, or Physical Servers‬

‭7.‬ ‭Lastly, it’s important to know these Disaster Recovery terms:‬

‭○‬ ‭Recovery Time Objective (RTO)‬‭is the time it takes‬‭after a disruption to restore a business‬
‭process to its service level.‬
‭○‬ ‭Recovery Point Objective‬‭(RPO) is the acceptable amount‬‭of data loss measured in time‬
‭before the disaster occurs.‬

‭https://portal.tutorialsdojo.com/‬ ‭46‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭vCPU quotas‬

‭The vCPU quotas for VMs and VM scale sets are arranged in two tiers for each region in a subscription.‬

‭‬ T
● ‭ otal Regional vCPUs‬
‭●‬ ‭VM size family cores‬

‭ very time you deploy a new VM, the vCPUs must not exceed the vCPU quota for the VM size family or‬
E
‭the total regional vCPU. If either of those quotas has been exceeded, the VM deployment will not be‬
‭allowed. Take note that there is also a quota for the overall number of virtual machines in the region. The‬
‭quota is calculated based on the total number of cores in use, both allocated and deallocated. If you‬
‭need additional cores, you can request a quota increase or delete VMs that are no longer needed.‬

‭ eferences:‬
R
‭https://docs.microsoft.com/en-us/azure/virtual-machines/‬
‭https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview‬
‭https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-introduction‬
‭https://azure.microsoft.com/en-us/pricing/details/virtual-machines/windows/‬
‭https://learn.microsoft.com/en-us/azure/storage/storage-explorer/vs-azure-tools-storage-manage-with-‬
‭storage-explorer?tabs=windows‬
‭https://learn.microsoft.com/en-us/azure/backup/backup-vault-overview‬

‭https://portal.tutorialsdojo.com/‬ ‭47‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure App Service‬

‭App Service Plans‬

I‭n App Service (Web Apps, API Apps, or Mobile Apps), an application always runs in an App Service plan.‬
‭An‬‭App Service plan‬‭is a collection of compute resources‬‭needed for a web app to run. If you have one‬
‭or more apps, you can set them up to share the same computing resources (or in the same App Service‬
‭plan). Each plan consists of a‬‭region, number & size‬‭of virtual machines,‬‭and‬‭pricing tier‬‭.‬

‭The pricing tiers that you can choose from are:‬

‭1.‬ S ‭ hared Compute‬‭–‬‭Free‬‭and‬‭Shared‬‭are the two base‬‭tiers. These tiers allocate CPU quotas to every‬
‭app running on the shared resources, but the resources cannot scale-out.‬
‭2.‬ ‭Dedicated Compute‬‭– It is composed of‬‭Basic, Standard,‬‭Premium,‬‭and‬‭PremiumV2‬‭tiers. As the‬
‭tier gets higher, you will have more VMs to scale-out.‬
‭3.‬ ‭Isolated‬‭– A dedicated virtual machine that provides‬‭maximum scale-out capabilities.‬

‭Free‬ ‭Shared‬ ‭Basic‬

‭Description‬ ‭Shared environment for dev/test‬ ‭Dedicated environment‬

‭for dev/test‬

‭App Service plan‬ ‭10 per Region‬ ‭10 per Resource Group‬ ‭100 per Resource Group‬

‭Web, mobile, or API‬ ‭10‬ ‭100‬ ‭Unlimited‬

‭apps per App Service‬
‭plan‬

‭Compute Type‬ ‭Shared‬ ‭Shared‬ ‭Dedicated‬

‭Maximum Instances‬ ‭1‬ ‭1‬ ‭up to 3‬

‭Storage Size‬ ‭1 GB‬ ‭1 GB‬ ‭10 GB‬

‭Memory‬ ‭1 GB‬ ‭1 GB‬ ‭up to 7 GB‬

‭Staging Slots‬ ‭-‬ ‭-‬ ‭-‬

‭Scheduled Backups‬ ‭-‬ ‭-‬ ‭-‬

‭Auto Scale‬ ‭-‬ ‭-‬ ‭Supported‬

‭Custom Domain‬ ‭-‬ ‭Supported‬ ‭Supported‬

‭https://portal.tutorialsdojo.com/‬ ‭48‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Hybrid Connectivity‬ ‭-‬ ‭-‬ ‭Supported‬

‭VNet Connectivity‬ ‭-‬ ‭-‬ ‭-‬

‭Private Endpoints‬ ‭-‬ ‭-‬ ‭-‬

‭SLA‬ ‭-‬ ‭-‬ ‭99.95%‬

‭Standard‬ ‭Premium‬ ‭Isolated‬

‭Description‬ ‭Run production‬ ‭Enhanced performance‬ ‭High-Performance,‬

‭workloads‬ ‭and scale‬ ‭Security and Isolation‬

‭App Service plan‬ ‭100 per Resource‬ ‭100 per Resource‬ ‭100 per Resource Group‬
‭Group‬ ‭Group‬

‭Web, mobile, or API‬ ‭Unlimited‬ ‭Unlimited‬ ‭Unlimited‬

‭apps per App Service‬
‭plan‬

‭Compute Type‬ ‭Dedicated‬ ‭Dedicated‬ ‭Isolated‬

‭Maximum Instances‬ ‭up to 10‬ ‭Up to 20 for v1 and v2‬ ‭up to 100‬
‭up to 30 for v3‬

‭Storage Size‬ ‭50 GB‬ ‭250 GB‬ ‭1 TB‬

‭Memory‬ ‭up to 7 GB‬ ‭up to 32 GB‬ ‭up to 14 GB‬

‭Staging Slots‬ ‭5 per app‬ ‭20 per app‬ ‭20 per app‬

‭Scheduled Backups‬ ‭Supported‬ ‭Supported‬ ‭Supported‬

‭Auto Scale‬ ‭Supported‬ ‭Supported‬ ‭Supported‬

‭Custom Domain‬ ‭Supported‬ ‭Supported‬ ‭Supported‬

‭Hybrid Connectivity‬ ‭Supported‬ ‭Supported‬ ‭Supported‬

‭VNet Connectivity‬ ‭Supported‬ ‭Supported‬ ‭Supported‬

‭Private Endpoints‬ ‭-‬ ‭Supported‬ ‭Supported‬

‭SLA‬ ‭99.95%‬ ‭99.95%‬ ‭99.95%‬

‭ efore you launch a web app in Azure App Service, you must also select the Operating System that will‬
B
‭be used in the App Service plan. Take note that some runtime stacks will only work on Windows such as‬
‭ASP.NET while Ruby will only work with Linux.‬

‭https://portal.tutorialsdojo.com/‬ ‭49‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

I‭f you created a Linux web app in a Windows App Service plan, you would receive an error message:‬‭"The‬
‭template deployment is not valid according to the validation procedure". To resolve this error, you must‬
‭create a new App Service plan. Conversely, you will also receive the same error if you run an ASP.NET‬
‭V4.8 application in a Linux App Service plan.‬

‭With Azure App services, you can choose the following runtime environment:‬

‭Runtime stack‬ ‭Linux‬ ‭Windows‬

‭.NET‬

‭.NET 5‬ ‭Yes‬ ‭Yes‬

‭ASP.NET V.3.5 & V.4.8‬ ‭Yes‬

‭.NET Core‬

‭.NET Core 2.1 & 3.1‬ ‭Yes‬ ‭Yes‬

‭Java‬

‭Java SE 8 & 11‬ ‭Yes‬ ‭Yes‬

‭Node‬

‭Node 10, 10.1 & 14‬ ‭Yes‬

‭Node 10.6, 10.14 & 12‬ ‭Yes‬ ‭Yes‬

‭Node 10.10‬ ‭Yes‬

‭PHP‬

‭PHP 7.2, 7.3 & 7.4‬ ‭Yes‬ ‭Yes‬

‭Python‬

‭Python 3.7 & 3.8‬ ‭Yes‬

‭Python 3.6‬ ‭Yes‬ ‭Yes‬

‭Ruby‬

‭Ruby 2.5 & 2.6‬ ‭Yes‬

‭https://portal.tutorialsdojo.com/‬ ‭50‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ hen you create your app, you must also choose a unique web app name because it will become a fully‬
W
‭qualified domain name (FQDN). After you have configured your web app, the default domain name of‬
‭your web app is:‬‭<web-app-name>‬‭.azurewebsites.net.‬

‭ astly, the Azure app service can also run Docker containers (single/multi-container). You can define‬
L
‭custom containers for Windows or Linux operating systems and push the image to Azure Container‬
‭Registry (ACR). This Azure service will handle all your private Docker container images and other related‬
‭artifacts. Then, App Service will pull the image from ACR and takes care of all of the tasks associated‬
‭with deploying container-based web apps, such as OS patching, capacity provisioning, and load‬
‭balancing.‬

‭Deployment Slots‬

‭ hen you deploy a web app, API app, or mobile app to Azure App Service, the default slot is the‬
W
‭production slot. With deployment slots, you can set up different environments for your application, and‬
‭the created slot will have its own hostname. This is very useful when you need to have a staging or‬
‭testing environment. Aside from creating environments, you can also swap environments. This means‬
‭that you can change the staging environment into a production environment.‬

‭When you perform the swap operation, the following settings are swapped:‬
‭●‬ ‭General settings‬
‭●‬ ‭App settings‬
‭●‬ ‭Connection strings‬
‭●‬ ‭Handler mappings‬
‭●‬ ‭Public certificates‬
‭●‬ ‭WebJobs content‬

‭Settings that aren’t swapped are:‬

‭●‬ ‭Publishing endpoints‬
‭●‬ ‭Custom domain names‬
‭●‬ ‭Non-public certificates and TLS/SSL settings‬
‭●‬ ‭Scale settings‬
‭●‬ ‭WebJobs schedulers‬
‭●‬ ‭IP restrictions‬
‭●‬ ‭Always On‬
‭●‬ ‭Diagnostic settings‬
‭●‬ ‭Cross-origin resource sharing (CORS)‬
‭●‬ ‭Virtual network integration‬

‭https://portal.tutorialsdojo.com/‬ ‭51‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭‬
● ‭ anaged identities‬
M
‭●‬ ‭Settings that end with the suffix _EXTENSION_VERSION‬

I‭f you encountered the image shown above, this means that your App Service plan does not have the‬
‭capability to add a staging slot for your application. To solve this problem, you must upgrade your App‬
‭Service plan to a‬‭Standard‬‭or‬‭Premium‬‭tier. After‬‭you successfully upgraded your plan, you can now add‬
‭a slot in the deployment slots.‬

‭To understand deployment slots better, let’s create an example:‬

‭ ou have a web app named tutorialsdojo-portal that is hosted in Azure App Services. The provisioned‬
Y
‭deployment slots for tutorialsdojo-portal are shown in the table below:‬

‭Name‬ ‭Environment‬

‭tutorialsdojo-dev‬ ‭Development‬

‭tutorialsdojo-staging‬ ‭Staging‬

‭tutorialsdojo‬ ‭Production‬
‭You configured several settings in the tutorialsdojo-dev and tutorialsdojo-staging.‬

‭https://portal.tutorialsdojo.com/‬ ‭52‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ ou performed a swap operation between the production and staging slots. Upon testing the‬
Y
‭tutorialsdojo-portal app, it was discovered that the new features are not working properly.‬

‭ possible reason why the tutorialsdojo-portal web app is not working properly is that several settings‬
A
‭are configured in the tutorialsdojo-dev and tutorialsdojo-staging. If you recall, when you perform swap‬
‭operations, various settings are swapped.‬

‭ o fix this issue, you can revert the tutorialsdojo-portal app to its previous state by swapping the slots of‬
T
‭the tutorialsdojo-staging and tutorialsdojo environments. Since the slots have been swapped again, the‬
‭app will no longer experience any performance issues.‬

‭ ach App Service plan tier supports a different number of deployment slots, and there's no additional‬
E
‭charge for using it. Also, take note that when you already have a Premium tier with more than five slots,‬
‭you can't scale it down to a Standard tier because this tier only supports five deployment slots.‬

‭https://portal.tutorialsdojo.com/‬ ‭53‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Diagnostics Logging‬

‭ iagnostics logging helps you access the information logged by Azure. There are five built-in‬
D
‭diagnostics tools to assist you with debugging an App Service app:‬

‭1.‬ ‭Application logging‬

‭○‬ ‭The generated log messages by your application. Each message has the following level and‬
‭categories:‬
‭■‬ ‭Disabled: None‬
‭■‬ ‭Error: Error, Critical‬
‭■‬ ‭Warning: Warning, Error, Critical‬
‭■‬ ‭Information: Info, Warning, Error, Critical‬
‭■‬ ‭Verbose: Trace, Debug, Info, Warning, Error, Critical‬
‭○‬ ‭You can also specify the disk quota (MB) and retention period (days) for the application‬
‭logs.‬
‭○‬ ‭The logs can be found on the App Service file system or Azure Storage blobs.‬
‭2.‬ ‭Web server logging‬
‭○‬ ‭This log message contains an HTTP method, resource URI, client IP, client port, user agent,‬
‭and response code.‬
‭○‬ ‭You can set the retention period (days) for the web server logs.‬
‭○‬ ‭The logs are stored in Azure Storage blobs or App Service file systems.‬
‭3.‬ ‭Detailed Error Messages‬
‭○‬ ‭A copy of the .htm error page. The page contains information on why the server returns an‬
‭error code (HTTP code 400 or greater).‬
‭○‬ ‭The logs are stored in the App Service file system.‬
‭4.‬ ‭Failed request tracing‬
‭○‬ ‭Detailed information on failed requests. The information you can find here helps you‬
‭improve the site performance and isolate a specific HTTP error.‬
‭○‬ ‭For each failed request, one folder is generated, which contains the XML log file and XSL‬
‭stylesheet.‬
‭○‬ ‭The logs can be found on the App Service file system.‬
‭5.‬ ‭Deployment logging‬
‭○‬ ‭This log is created when you publish content to your app.‬
‭○‬ ‭You can also use this log to determine why the deployment failed. For example, if you use a‬
‭custom deployment script and it fails, you can determine why the script is failing through‬
‭deployment logs.‬
‭○‬ ‭Like Detailed Error Messages and Failed request tracing, the logs are also stored in the App‬
‭Service file system only.‬

‭https://portal.tutorialsdojo.com/‬ ‭54‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭App Service Environments‬

‭ et’s talk about another feature of Azure App Service called‬‭App Service Environment (ASE).‬‭It provides‬
L
‭a fully isolated and dedicated environment to securely run apps at a high scale. You can host‬
‭Windows/Linux web apps, Docker containers, mobile apps, and Azure functions. Multiple ASEs in a‬
‭single region or across multiple regions are ideal for horizontally scaling stateless application tiers in‬
‭support of high requests per second workloads.‬

‭There are two types of deployment for ASE:‬

‭1.‬ ‭External ASE‬‭- it exposes the ASE-hosted apps on an‬‭internet-accessible IP address. In other words,‬
‭if the virtual network is connected to your on-premises network, the apps in your ASE will have‬
‭direct access to the on-premises resources. And since the ASE is inside the virtual network, it can‬
‭also access the resources within it.‬
‭2.‬ ‭Internal Load Balancer (ILB) ASE‬‭- almost identical‬‭with External ASE, but the key difference is that‬
‭ILB can expose ASE-hosted apps with an IP address in your virtual network. The internal endpoint is‬
‭an internal load balancer.‬

‭ zure resources can be placed in a non-internet-routable network using Azure Virtual Network. To‬
A
‭access these resources, you can use the VNet Integration feature. It allows your app to access‬
‭resources in your virtual network. This feature is mainly used in multi-tenant apps. But if your app is in‬
‭the App Service Environment, then you don't need to use the VNet Integration feature to reach the‬
‭resources in the same VNet since ASE is already inside a virtual network.‬

‭The VNet Integration feature has two variations:‬

‭1.‬ ‭Regional VNet Integration‬

‭○‬ ‭A dedicated subnet to the services that you integrate with.‬
‭○‬ ‭Block outbound traffic using network security groups.‬
‭○‬ ‭Route table allows you to send outbound traffic.‬
‭2.‬ ‭Gateway-required VNet Integration‬
‭○‬ ‭It allows access to resources in the target virtual network.‬
‭○‬ ‭Sync network allows you to sync certificates and network information.‬
‭○‬ ‭You can add routes for outbound traffic.‬

‭When it comes to application deployment, Azure App Service offers several options:‬

‭1.‬ R ‭ un from package‬‭- instead of copying the package‬‭files directly to the wwwroot directory, the ZIP‬
‭package will be mounted directly as read-only to the wwwroot directory.‬
‭2.‬ ‭Deploy ZIP or WAR‬‭- uses Kudu service to deploy ZIP‬‭and WAR files. Kudu is the engine behind git‬
‭deployments in Azure App Service. It supports the following functionality for ZIP file deployment:‬

‭https://portal.tutorialsdojo.com/‬ ‭55‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ .‬ ‭Leftover files from the previous deployment are deleted.‬

a
‭b.‬ ‭Default build process, which includes package restore‬
‭c.‬ ‭Deployment customization and logs‬
‭3.‬ ‭Deploy via FTP‬‭- in order to use the FTP protocol‬‭to upload files, you will need to have your own FTP‬
‭client. Then go to the deployment center and get the FTP credentials for your FTP client.‬
‭ .‬ ‭Deploy via cloud sync‬‭- allows you to use Dropbox‬‭or OneDrive to deploy using cloud sync. When‬
4
‭you turn on Sync, it will create a folder in your cloud storage service.‬

‭The following directory is where the deployment will occur:‬

‭‬ W
● ‭ indows - D:\home\site\wwwroot‬
‭●‬ ‭Linux - /home/site/wwwroot‬

‭ o run background tasks in Azure App Service, you can use‬‭WebJobs‬‭to upload an executable script.‬
T
‭This feature will enable you to run a program in the same instance as a web app, API app or mobile app‬
‭without additional cost.‬

‭There are two types of WebJobs:‬

‭1.‬ ‭Continuous‬
‭○‬ ‭Starts the script immediately after the WebJob is created.‬
‭○‬ ‭Runs on all instances that the web app runs on.‬
‭○‬ ‭Supports remote debugging.‬
‭○‬ ‭Uses WebJobs Scale:‬
‭■‬ ‭Single Instance - keeps a single copy of WebJob running regardless of instance‬
‭count.‬
‭■‬ ‭Multi-Instance - scale all WebJobs across all instances.‬
‭2.‬ ‭Triggered‬
‭○‬ ‭Only starts when triggered: manually or scheduled (CRON expression)‬
‭○‬ ‭Runs on a single instance.‬
‭○‬ ‭Remote debugging is not supported.‬

‭The supported file types for scripts:‬

‭‬
● ‭ indows cmd:‬‭.cmd, .bat, .exe‬
W
‭●‬ ‭PowerShell:‬‭.ps1‬
‭●‬ ‭Bash:‬‭.sh‬
‭●‬ ‭PHP:‬‭.php‬
‭●‬ ‭Python:‬‭.py‬
‭●‬ ‭Node.js:‬‭.js‬
‭●‬ ‭Java:‬‭.jar‬

‭https://portal.tutorialsdojo.com/‬ ‭56‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/app-service/overview‬

‭https://portal.tutorialsdojo.com/‬ ‭57‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Container Instances (ACI)‬

‭Sizing and Scaling‬

‭ CI is a serverless container platform that allows you to run Docker containers on-demand without the‬
A
‭need for infrastructure management. When you create an ACI instance, you need to specify the size of‬
‭CPU and memory:‬
‭●‬ ‭CPU‬‭- the number of CPU cores you want to allocate‬‭to your container. The maximum number of‬
‭vCPUs you can assign is determined by the region and SKU you select.‬
‭●‬ ‭Memory‬‭- the amount of memory you want to allocate‬‭to your container. You can start an ACI‬
‭instance with as little as 1 GiB of memory. Similar to CPU, the region and SKU you choose to‬
‭determine the maximum amount of memory you can assign.‬

‭ o ensure that you have enough capacity to handle your workload at all times, you can use auto-scaling‬
T
‭to define rules that automatically increase or decrease the number of container instances based on your‬
‭workload's CPU or memory utilization. You can also manually scale your ACI instances using the Azure‬
‭Portal, CLI, or PowerShell.‬

‭Container Groups‬

I‭n Azure, a‬‭container group‬‭is a collection of containers‬‭that are assigned to run on the same host‬
‭machine, and which share the same lifecycle, resources, local network, and storage volumes. This‬
‭means that you can use ACI to deploy a multi-container application as a single unit. Multi-container‬
‭groups are useful when you need to split a single functional job into a few container images.‬

‭ he minimum number of CPU and memory that you can allocate to a container group is 1 CPU and 1 GiB‬
T
‭of memory. While the maximum resources in a container group can be found in the‬‭resource availability‬
‭for ACI in the deployment region.‬

‭ ontainer groups can share an externally accessible IP address, as well as one or more ports on that‬
C
‭address and a DNS label with a fully qualified domain name (FQDN). To enable external clients to‬
‭connect to a container in the group, you need to expose the port on the IP address and the container.‬
‭Take note that when you delete the container group, its IP address and FQDN are released.‬

‭The supported external volumes that you can mount within a container group are:‬
‭●‬ ‭Azure file share‬
‭●‬ ‭Secret‬
‭●‬ ‭Empty directory‬
‭●‬ ‭Cloned git repo‬

‭https://portal.tutorialsdojo.com/‬ ‭58‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Configuring Container Apps‬

‭ ontainers, cloud-native, and microservices are all used in modern software development and‬
C
‭deployment. A‬‭container‬‭is a standalone executable‬‭package that contains everything needed to run a‬
‭piece of software, creating an isolated environment for the application. While‬‭microservices‬‭are an‬
‭architectural paradigm for developing applications that are composed of small, independent services.‬
‭This enables teams to autonomously build, deploy, and grow their services, increasing the speed and‬
‭agility of the development process.‬

I‭n Microsoft Azure, there is a fully managed service called‬‭Azure Container Apps,‬‭where you can deploy,‬
‭manage, and scale multi-container applications and microservices. You can run your containers without‬
‭worrying about the challenges of managing cloud infrastructure and complex container orchestration‬
‭solutions. To understand how this service works, we’re gonna take a look at a series of step-by-step‬
‭tutorials on creating Container Apps.‬

I‭n this section, we’ll learn how to create, configure and deploy Azure Container Apps using Docker‬
‭images. The container images will be retrieved from‬‭Docker Hub‬‭, which is a repository of container‬
‭images from software vendors, open-source projects, and the community.‬

‭There are several methods for deploying container images:‬

‭●‬ ‭Azure Portal‬
‭●‬ ‭Azure CLI‬
‭●‬ ‭VS Code‬

‭ owever, for this tutorial, we will configure Azure Container Apps using the Azure Portal. The first step‬
H
‭you need to do is search the keyword "container apps" and click‬‭"Create container app".‬

‭1.‬ O
‭ nce you’re in the configuration settings, you must fill in the following details that have a red‬
‭asterisk.‬

‭https://portal.tutorialsdojo.com/‬ ‭59‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭2.‬ T
‭ he‬‭Container Apps Environment‬‭field will be created‬‭automatically by default, but you can also‬
‭configure it based on your needs. When you click‬‭Create‬‭new‬‭, you'll be taken to the Create Container‬
‭Apps Environment page, which includes the following tabs:‬
‭a.‬ ‭Basics - configure environment name and zone redundancy.‬
‭b.‬ ‭Monitoring - create a log analytics workspace to store application logs.‬
‭c.‬ ‭Networking - select the default or custom virtual network.‬

‭https://portal.tutorialsdojo.com/‬ ‭60‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭3.‬ N
‭ ext is the app settings tab; we need to untick the‬‭“Use quickstart image”‬‭to use a custom image‬
‭from Docker Hub. After that, we need to select an image from Docker and the container image that‬
‭we will use is‬‭Grafana‬‭.‬

‭https://portal.tutorialsdojo.com/‬ ‭61‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭4.‬ ‭After you copy the Grafana image and tag, fill in the following details:‬

‭https://portal.tutorialsdojo.com/‬ ‭62‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Note: If you don't specify the image's tag version, you'll always get the latest version.‬

‭5.‬ I‭f you scroll down, you’ll see an‬‭Application ingress‬‭settings‬‭section. Don’t forget to enable the‬
‭ingress, select “‬‭Accepting traffic from anywhere‬‭”,‬‭and the target port of the container. This is the‬
‭port your container is listening on that will receive traffic.‬

‭https://portal.tutorialsdojo.com/‬ ‭63‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ he main reason why we need to enable ingress is so we can generate an application URL. Also, the‬
T
‭insecure connections option will just generate an HTTP URL.‬

‭6.‬ F
‭ or the tags tab, this is optional, but for best practices, Azure recommends that you should add‬
‭always add tags to organize your Azure resources.‬

‭https://portal.tutorialsdojo.com/‬ ‭64‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭7.‬ B
‭ efore creating the container app, review all the details, and once you’re done, click‬‭Create‬‭. Then,‬
‭you’ll be redirected to the‬‭Deployment is in progress‬‭page. The deployment will take a few minutes‬
‭to be completed.‬

‭8.‬ ‭To verify the app that you’ve just deployed, go to resource and find the application URL.‬

‭https://portal.tutorialsdojo.com/‬ ‭65‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭9.‬ ‭After clicking the application URL, you’ll be redirected to the Grafana app container.‬

‭10.‬‭That’s it! Now you’ve deployed a Grafana image from Docker Hub with a few steps. Grafana is‬
‭basically a dashboard to monitor the health and performance of all your resources in one platform.‬
‭If you want to know about its features and how it works, then check out this‬‭article‬‭.‬

‭ eference:‬
R
‭https://learn.microsoft.com/en-us/azure/container-instances/container-instances-overview‬

‭https://portal.tutorialsdojo.com/‬ ‭66‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Kubernetes Service (AKS)‬

‭ KS is an open-source tool for orchestrating and managing many container images and applications. It‬
A
‭lets you deploy a managed Kubernetes cluster in Azure. You use clusters and pods to deploy and scale‬
‭applications. It also supports horizontal scaling, self-healing, load balancing, and secret management.‬
‭Automatic monitoring of application load to determine when to scale the number of containers used.‬

‭Components‬

‭●‬ A ‭ ‬‭control plane‬‭is a managed Azure resource. It is‬‭where the components run, including API server‬
‭and cluster database (etcd).‬
‭○‬ ‭kube-apiserver – allows communication for management tools (kubectl).‬
‭○‬ ‭etcd – a key-value store within Kubernetes.‬
‭○‬ ‭kube-scheduler – defines what nodes should run in the workload.‬
‭○‬ ‭kube-controller-manager – it oversees the smaller controllers that handle node operations‬
‭and replication of pods.‬
‭●‬ ‭Kubernetes runs an application in your instance using‬‭pods‬‭.‬
‭●‬ ‭A‬‭node‬‭is made up of several pods, and‬‭node pools‬‭are a group of nodes with the same‬
‭configuration.‬
‭●‬ ‭Use a‬‭node selector‬‭to control where a pod should‬‭be placed.‬
‭●‬ ‭You can run at least 2 nodes in the default node pool to ensure your cluster operates reliably.‬
‭●‬ ‭Multi-container pods are placed on the same node and allow containers to share the related‬
‭resources.‬
‭●‬ ‭You can specify maximum resource limits that prevent a given pod from consuming too much‬
‭compute resources from the underlying node.‬
‭●‬ ‭A‬‭deployment‬‭determines the number of replicas (pods)‬‭to be created, but you must define a‬
‭manifest file in YAML format first.‬
‭●‬ ‭With‬‭StatefulSets‬‭, you can maintain the application’s‬‭state within a single pod life cycle.‬
‭●‬ ‭The resources are logically grouped into a‬‭namespace‬‭,‬‭and a user may only interact with resources‬
‭within their assigned namespaces.‬

‭Storage‬

‭ ‬‭volume‬‭is used for storing, retrieving, and persisting‬‭data across pods and throughout the application‬
A
‭lifecycle. You can either manually create data volumes to be assigned to pods or have Kubernetes create‬
‭them for you. The data volumes that you can use are:‬
‭●‬ ‭Azure Disks‬‭- only available to a single node.‬
‭●‬ ‭Azure Files‬‭- share data across multiple nodes and‬‭pods.‬
‭●‬ ‭Azure NetApp Files‬
‭●‬ ‭Azure Blobs‬‭- mounted using NFS v3.0 protocol or BlobFuse‬

‭https://portal.tutorialsdojo.com/‬ ‭67‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Common volume types in Kubernetes:‬

‭●‬ ‭emptyDir‬‭- data written to this volume type persists‬‭only for the duration of the pod's lifespan.‬
‭●‬ ‭secret‬‭- passwords and other sensitive data can be‬‭injected into pods.‬
‭●‬ ‭configMap‬‭- inject key-value pair properties (app‬‭configuration) into pods.‬

‭ ‬‭persistent volume‬‭is a storage resource created‬‭and managed by the Kubernetes API that can exist‬
A
‭beyond the lifetime of a single pod. To provide the PersistentVolume, you can use either Azure Disks or‬
‭Azure Files. A PersistentVolume can be created statically by a cluster administrator or dynamically thru‬
‭Kubernetes API. Keep in mind that Windows and Linux pods cannot share persistent volumes because‬
‭of differences in file system.‬

I‭f you need to define different tiers of storage (Premium or Standard) and reclaimPolicy, you can create a‬
‭StorageClass‬‭. When you delete a persistent volume,‬‭the underlying Azure storage resource is controlled‬
‭by the reclaimPolicy. The storage can be deleted or kept for future use with a pod.‬

‭ astly, a‬‭persistent volume claim‬‭requests storage‬‭of a particular StorageClass, access mode, and size.‬
L
‭If no existing resource can fulfill the claim based on the defined StorageClass, the Kubernetes API server‬
‭can dynamically provision the underlying Azure storage resource.‬

‭Scaling‬

‭ hen running applications in a Kubernetes cluster, there will be times when you need to increase or‬
W
‭decrease the amount of compute resources to handle a specific workload. In AKS, you can‬‭manually‬
‭scale pods or nodes‬‭to maintain a fixed amount of‬‭resources and cost. You define the replica or node‬
‭count when manually scaling. Based on that replica or node count, the Kubernetes API schedules the‬
‭creation of additional pods or the draining of nodes.‬

I‭f the requirement is scale based on the demand, then use‬‭horizontal pod autoscaler (HPA)‬‭to monitor‬
‭the resource and automatically scale the number of replicas. By default, the HPA checks the Metrics API‬
‭every 15 seconds for any changes in the replica count, but the Metrics API retrieves data from the‬
‭Kubelet every 60 seconds. You need to define the min and max number of replicas that can run when‬
‭you configure HPA. You also specify the metric on which to base any scaling decisions, such as CPU‬
‭usage.‬

‭ ince HPA is for scaling pods, Kubernetes has a‬‭cluster‬‭autoscaler‬‭that adjusts the number of nodes in‬
S
‭the node pool based on the requested compute resources. By default, the cluster autoscaler checks the‬
‭Metrics API every 10 seconds. It is common practice to combine horizontal pod autoscalers and cluster‬
‭autoscalers. The former changes the number of pods in response to application demand, while the latter‬
‭changes the number of nodes required to accommodate those additional pods.‬

‭https://portal.tutorialsdojo.com/‬ ‭68‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

I‭f you need to rapidly scale your AKS cluster, then integrate it with Azure Container Instances, The virtual‬
‭nodes component is installed in your AKS cluster and presents ACI as a virtual Kubernetes node.‬
‭Kubernetes can then schedule pods that run as ACI instances via virtual nodes, rather than pods that run‬
‭directly on VM nodes in your AKS cluster. You don't need to modify your application using virtual nodes.‬
‭As the cluster autoscaler deploys new nodes in your AKS cluster, deployments can scale across AKS‬
‭and ACI with no delay.‬

‭Network Connections‬

‭ ach pod in a Kubernetes cluster is assigned a unique IP address, and pods can communicate with one‬
E
‭another using these IP addresses. Kube-proxy is a component in Kubernetes networking that enables‬
‭efficient and reliable communication between different components in a cluster. Services in Kubernetes‬
‭provide a consistent endpoint for accessing a collection of pods and can be used to load balance traffic‬
‭across multiple pods.‬

‭The following ServiceTypes are:‬

‭●‬ ‭ClusterIP‬‭- creates an internal IP address that will‬‭be used within the cluster.‬
‭●‬ ‭NodePort‬‭- creates a port mapping on the underlying‬‭node, allowing the application to be accessed‬
‭directly using the node's IP address and port.‬
‭●‬ ‭LoadBalancer -‬‭creates a load balancer resource, assigns‬‭an external IP address, and connects the‬
‭requested pods to the backend pool.‬
‭●‬ ‭ExternalName‬‭- creates a unique DNS entry to make‬‭application access easier.‬

‭ hen you create a LoadBalancer-type Service, you also create an underlying Azure load balancer‬
W
‭resource. The load balancer is configured to distribute traffic at layer 4. With‬‭ingress controllers‬‭, you‬‭can‬
‭distribute application traffic (layer 7) based on the inbound URL.‬

‭In AKS, you can create a cluster that uses one of the following network models:‬
‭●‬ ‭Kubenet networking‬‭- network resources are typically‬‭created and configured as the AKS cluster is‬
‭deployed.‬
‭●‬ ‭Azure CNI networking‬‭- AKS cluster is connected to‬‭existing virtual network resources and‬
‭configurations.‬

‭Capability‬ ‭Kubenet‬ ‭Azure CNI‬

‭Deploy cluster in existing or new virtual network‬ ‭ upported - UDRs‬

S ‭Supported‬
‭manually applied‬

‭Pod-pod connectivity‬ ‭Supported‬ ‭Supported‬

‭https://portal.tutorialsdojo.com/‬ ‭69‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ od-VM connectivity; VM in the same virtual‬

P ‭ orks when initiated‬
W ‭ orks both‬
W
‭network‬ ‭by pod‬ ‭ways‬

‭Pod-VM connectivity; VM in peered virtual network‬ ‭ orks when initiated‬

W ‭ orks both‬
W
‭by pod‬ ‭ways‬

‭On-premises access using VPN or Express Route‬ ‭ orks when initiated‬

W ‭ orks both‬
W
‭by pod‬ ‭ways‬

‭Access to resources secured by service endpoints‬ ‭Supported‬ ‭Supported‬

‭ xpose Kubernetes services using a load balancer‬

E ‭Supported‬ ‭Supported‬
‭service, App Gateway, or ingress controller‬

‭Default Azure DNS and Private Zones‬ ‭Supported‬ ‭Supported‬

‭Support for Windows node pools‬ ‭Not Supported‬ ‭Supported‬

I‭n order to filter network traffic in the AKS node, you need to have a‬‭network security groups‬‭. When‬‭you‬
‭create Services, the Azure platform automatically configures any network security group rules that are‬
‭required. Since the Azure platform creates the NSG, you only need to define the required ports and‬
‭forwarding as part of your Kubernetes Service manifests.‬

‭ y default, all pods in an AKS cluster can send and receive traffic without restriction. To improved‬
B
‭security, you can use‬‭network policies‬‭to apply traffic‬‭filter rules to pods. Network policy is a Kubernetes‬
‭feature that allows you to manage the flow of traffic between pods in AKS. You can allow or restrict‬
‭traffic to specific pods by specifying criteria such as assigned labels, namespace, or traffic port. While‬
‭network security groups are better suited to AKS nodes, network policies are a more cloud-native‬
‭approach to controlling pod traffic flow. Since pods are created dynamically in AKS clusters, necessary‬
‭network policies can be implemented automatically.‬

‭ eference:‬
R
‭https://learn.microsoft.com/en-us/azure/aks/intro-kubernetes‬

‭https://portal.tutorialsdojo.com/‬ ‭70‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Resource Manager (ARM)‬

‭‬ A
● ‭ service that allows you to create, update, and delete resources in your Azure account.‬
‭●‬ ‭Enables you to manage access control, locks, and tags for your resources after they have been‬
‭ eployed.‬
d
‭●‬ ‭All requests are authenticated and authorized by ARM before being routed to the appropriate Azure‬
‭service.‬
‭‬
● ‭Manage infrastructure using declarative templates and deploy it in a repeatable manner.‬
‭●‬ ‭Deploy, manage, and monitor all resources as a group.‬
‭●‬ ‭Tag resources to logically organize all the resources in your subscription.‬
‭●‬ ‭You can check the costs for a group of resources sharing the same tag.‬
‭●‬ ‭Define the dependencies between resources, so they’re deployed in the correct order.‬

‭Resource groups‬

‭‬
● ‭ container that holds related resources.‬
A
‭●‬ ‭You can create a resource group using the Azure Portal, PowerShell, CLI, or an ARM template.‬
‭●‬ ‭Each resource can only exist in a single resource group.‬
‭●‬ ‭You can add or remove resources to any resource group at any time.‬
‭●‬ ‭Allows you to move a resource from one resource group to another.‬
‭●‬ ‭Resources from multiple regions can be in one resource group.‬
‭●‬ ‭You can give users access to a resource group.‬
‭●‬ ‭Resources can interact with other resources in different resource groups.‬
‭●‬ ‭A resource group has a location or region, as it stores metadata about the resources.‬
‭●‬ ‭When you delete a resource group, it also deletes all of its resources.‬

‭ARM templates‬

‭●‬ ‭The template is a JSON file with declarative syntax that defines the properties and configuration of‬
‭your resources. It is divided into the following sections:‬
‭○‬ ‭Parameters - values that allow the same template to be used in multiple environments.‬
‭○‬ ‭Variables - values that can be reused in templates.‬
‭○‬ ‭User-defined functions - customized functions to simplify the template.‬
‭○‬ ‭Resources - define the resources to be deployed.‬
‭○‬ ‭Outputs - values from deployed resources.‬
‭ ‬ ‭When a template is deployed, ARM converts it into REST API operations.‬
●
‭●‬ ‭You can specify an apiVersion so that you can reuse the template without worrying about breaking‬
‭changes introduced in later versions.‬

‭https://portal.tutorialsdojo.com/‬ ‭71‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭●‬ ‭To make sure your template adheres to suggested best practices, use an ARM template toolkit‬
(‭ arm-ttk).‬
‭‬
● ‭Before deploying the template, you can preview changes using the what-if operation.‬
‭●‬ ‭To deploy a template, you can use the following:‬
‭○‬ ‭Azure Portal‬
‭○‬ ‭Azure CLI‬
‭○‬ ‭Azure Cloud Shell‬
‭○‬ ‭PowerShell‬
‭○‬ ‭REST API‬
‭○‬ ‭Button in GitHub repository‬
‭●‬ ‭An application can be defined in a single template or divided into a purpose-specific template‬
‭(modular files). You can also create a parent template that links all the nested templates.‬
‭●‬ ‭You can share the template using template specs and manage access using role-based access‬
‭control (RBAC).‬
‭○‬ ‭Link template - a different template file that is linked from the primary template.‬
‭○‬ ‭Nested template - an embedded template syntax within the main template.‬
‭‬
● ‭You can also get the template of an existing resource group by exporting it.‬
‭●‬ ‭With Azure Pipelines, you can continuously build and deploy ARM template projects.‬
‭●‬ ‭You are only charged for the resources deployed by the ARM template.‬

‭Infrastructure as Code, YAML & JSON‬

I‭ nfrastructure as Code (IaC)‬‭is a method of running‬‭IT infrastructure that automates, configures, and‬
‭manages systems and networks using scripts or code. It can work with a variety of file formats,‬
‭including JSON and YAML.‬‭YAML (YAML Ain't Markup Language)‬‭is a data serialization format that is‬
‭commonly used in Ansible, Kubernetes, and other tools. While‬‭JSON (JavaScript Object Notation)‬‭is a‬
‭popular data interchange format that is frequently used in AWS CloudFormation, Terraform, and other‬
‭tools. Both YAML and JSON are simple to understand and can be used in a variety of IaC tools.‬

‭ zure Resource Manager (ARM) templates‬‭is a service‬‭provided by Microsoft Azure that allows you to‬
A
‭provision, manage, and delete Azure resources using declarative syntax. These templates can be used to‬
‭deploy and manage resources such as virtual machines, storage accounts, and virtual networks in a‬
‭consistent and reliable manner. To deploy the template, you can use the Azure Portal, Azure CLI, or‬
‭Azure PowerShell.‬

‭In this section, we'll use the Azure Portal to create, deploy, and export resources using ARM templates:‬

‭https://portal.tutorialsdojo.com/‬ ‭72‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Deploying ARM templates‬

‭1.‬ T
‭ he first thing you need to do is to search for the service‬‭“Deploy a custom template”‬‭. After selecting‬
‭the service, you’ll see the options:‬
‭○‬ ‭Build your own template in the editor‬
‭○‬ ‭Common templates‬
‭○‬ ‭Start with a quickstart template or template spec‬

‭2.‬ B
‭ egin with a quickstart template, then type‬‭"docker-simple-on-ubuntu"‬‭and press‬‭Next‬‭. Add the‬
‭required parameters, such as resource group, username, dns, and password, then click‬‭Create‬‭.‬

‭3.‬ ‭You can also modify the template based on your requirements before creating the resources.‬

‭https://portal.tutorialsdojo.com/‬ ‭73‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭4.‬ O
‭ nce the deployment is successful, you can go to the selected resource group, and you’ll see the‬
‭created resources from the ARM template.‬

‭5.‬ W
‭ hen the Azure resources are no longer needed, you can clean up the resources by deleting the‬
‭resource group.‬

‭https://portal.tutorialsdojo.com/‬ ‭74‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Exporting Template‬
I‭f you want to save the current state of the resource group, scroll down to the Automation section and‬
‭click Export template, then click the download button.‬

‭ efore re-using the template for production deployments, you may want to revise it since the template‬
B
‭we used is a quickstart template.‬

‭Creating ARM templates‬

‭1.‬ N
‭ ow that you’ve learned how to deploy using a quickstart template, let’s now try creating an ARM‬
‭template from scratch. Go back to the‬‭“Deploy a custom‬‭template”‬‭page and click‬‭Build your own‬
‭template in the editor‬‭.‬

‭https://portal.tutorialsdojo.com/‬ ‭75‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭2.‬ O
‭ nce you are redirected to the editor page, you’ll see that there are no parameters, variables, and‬
‭resources. In this section, we’ll create and deploy an Azure web app template.‬

‭3.‬ ‭Click‬‭Add resource‬‭, select Web app, fill up the remaining‬‭fields, and press‬‭OK‬‭.‬

‭https://portal.tutorialsdojo.com/‬ ‭76‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭4.‬ I‭n the editor page, you'll notice that a JSON has been created. Feel free to change any of the‬
‭parameters based on your requirements.‬

‭https://portal.tutorialsdojo.com/‬ ‭77‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭5.‬ I‭f you want to save the template you’ve created, just click the‬‭Download‬‭button. Now let’s save the‬
‭template and you’ll be redirected to the configuration of the resource. Just fill up the required fields‬
‭and click‬‭Create‬‭.‬

‭https://portal.tutorialsdojo.com/‬ ‭78‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭6.‬ A
‭ fter the deployment is completed, you can go to the resource group and select the web app you’ve‬
‭created. To confirm, if the web app is running, you can access the URL generated by the App‬
‭Service. The format is:‬‭https://‬‭<web-app-name>‬‭.azurewebsites.net/‬

‭https://portal.tutorialsdojo.com/‬ ‭79‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭7.‬ T
‭ hat's how simple it is to create and deploy a custom ARM template for your own project. Again, if‬
‭you no longer need the resource, don't forget to delete the resource group to avoid unexpected‬
‭billing in your account.‬

‭https://portal.tutorialsdojo.com/‬ ‭80‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Storage Accounts‬

‭Types of Storage Accounts‬

‭1.‬ ‭General-purpose v2 accounts‬

‭○‬ ‭Supports Data Lake Gen2, Blobs, Files, Disks, Queues, Tables.‬
‭○‬ ‭Delivers the lowest per-gigabyte capacity prices for Azure Storage.‬
‭2.‬ ‭General-purpose v1 accounts‬
‭○‬ ‭Supports Blobs, Files, Disks, Queues, Tables.‬
‭○‬ ‭You can upgrade a general-purpose v1 account to a general-purpose v2 account with no‬
‭downtime and without copying the data.‬
‭○‬ ‭You can use general-purpose v1 accounts since the General-purpose v2 accounts and Blob‬
‭storage accounts only support the Azure Resource Manager deployment model.‬
‭○‬ ‭If you don’t need a large capacity for transaction-intensive or significant geo-replication‬
‭bandwidth, GPv1 is a suitable choice.‬
‭3.‬ ‭BlockBlobStorage accounts‬
‭○‬ ‭Provides low, consistent latency and higher transaction rates.‬
‭○‬ ‭Upgrading a Blob storage account to a general-purpose v2 account has no downtime and‬
‭you don’t need to copy the data.‬
‭○‬ ‭It doesn’t support hot, cool, and archive access tiers.‬
‭○‬ ‭You can use BlockBlobStorage for storing unstructured object data as block blobs or append‬
‭blobs.‬
‭4.‬ ‭FileStorage accounts‬
‭○‬ ‭Only support file shares.‬
‭○‬ ‭Offers IOPS bursting.‬
‭5.‬ ‭BlobStorage accounts‬
‭○‬ ‭Only supports block and append blobs.‬
‭○‬ ‭BlobStorage account offers standard performance, while the BlockBlobStorage account‬
‭supports premium performance.‬

‭https://portal.tutorialsdojo.com/‬ ‭81‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Stora‬ ‭Servic‬ ‭ erfor‬

P ‭Acce‬ ‭Replic‬ ‭ eplo‬
D ‭ ncry‬
E
‭ge‬ ‭es‬ ‭mance‬ ‭ss‬ ‭ation‬ ‭yment‬ ‭ption‬
‭Accou‬ ‭Tiers‬ ‭Tiers‬ ‭Optio‬ ‭Model‬
‭nt‬ ‭ns‬
‭Type‬

‭Gener‬ ‭ lob,‬
B ‭Standa‬ ‭ ot,‬
H ‭ RS,‬
L ‭Resou‬ ‭ ncry‬
E
‭al-‬ ‭File,‬ ‭rd,‬ ‭Cool,‬ ‭GRS,‬ ‭rce‬ ‭pted‬
‭purpo‬ ‭Queue‬ ‭Premi‬ ‭Archi‬ ‭RA-GR‬ ‭Mana‬
‭se V2‬ ‭,‬ ‭um‬ ‭ve‬ ‭S,‬ ‭ger‬
‭Table,‬ ‭ZRS,‬
‭Disk,‬ ‭GZRS,‬
‭and‬ ‭RA-GZ‬
‭Data‬ ‭RS‬
‭Lake‬
‭Gen2‬

‭Gener‬ ‭ lob,‬
B ‭Standa‬ ‭N/A‬ ‭ RS,‬
L ‭Resou‬ ‭ ncry‬
E
‭al-‬ ‭File,‬ ‭rd,‬ ‭GRS,‬ ‭rce‬ ‭pted‬
‭purpo‬ ‭Queue‬ ‭Premi‬ ‭RA-GR‬ ‭Mana‬
‭se V1‬ ‭,‬ ‭um‬ ‭S‬ ‭ger,‬
‭Table,‬ ‭Classi‬
‭and‬ ‭c‬
‭Disk‬

‭ lock‬
B ‭Blob‬ ‭Premi‬ ‭N/A‬ ‭ RS,‬
L ‭Resou‬ ‭ ncry‬
E
‭Blob‬ ‭(block‬ ‭um‬ ‭ZRS‬ ‭rce‬ ‭pted‬
‭Stora‬ ‭and‬ ‭Mana‬
‭ge‬ ‭appen‬ ‭ger‬
‭d‬
‭blobs‬
‭only)‬

‭ ileSt‬
F ‭ ile‬
F ‭Premi‬ ‭N/A‬ ‭ RS,‬
L ‭Resou‬ ‭ ncry‬
E
‭orage‬ ‭only‬ ‭um‬ ‭ZRS‬ ‭rce‬ ‭pted‬
‭Mana‬
‭ger‬

‭https://portal.tutorialsdojo.com/‬ ‭82‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ lobS‬
B ‭Blob‬ ‭Standa‬ ‭Hot,‬ ‭LRS,‬ ‭Resou‬ ‭ ncry‬
E
‭torag‬ ‭(block‬ ‭rd‬ ‭ ool,‬
C ‭ RS,‬
G ‭rce‬ ‭pted‬
‭e‬ ‭and‬ ‭Archi‬ ‭RA-GR‬ ‭Mana‬
‭appen‬ ‭ve‬ ‭S‬ ‭ger‬
‭d‬
‭blobs‬
‭only)‬

‭Storage Account Endpoint‬

‭ storage account in Azure gives your data a unique namespace. Every object you save to Azure Storage‬
A
‭has a unique address that includes your account name. The endpoints for your storage account are‬
‭formed by the account name and the Azure Storage service endpoint.‬

‭‬
● ‭ lob storage:‬‭https://‬‭tutorialsdojo‬‭.blob.core.windows.net‬
B
‭●‬ ‭Table storage:‬‭https://‬‭tutorialsdojo‬‭.table.core.windows.net‬
‭●‬ ‭Queue storage‬‭: https://‬‭tutorialsdojo‬‭.queue.core.windows.net‬
‭●‬ ‭Azure Files‬‭: https://‬‭tutorialsdojo‬‭.file.core.windows.net‬
‭●‬ ‭Azure Data Lake Storage Gen2:‬‭https://‬‭tutorialsdojo‬‭.dfs.core.windows.net‬

‭Storage Account Redundancy‬

‭ zure Storage keeps several copies of your data to protect it from both planned and unexpected events,‬
A
‭such as transient hardware failures, network or power outages, and massive natural disasters. Even in‬
‭the event of a breakdown, redundancy guarantees that your storage account fulfills its availability and‬
‭durability goals. The greater level of redundancy, the more expensive the cost of replication.‬

‭ rimary Region Redundancy‬

P
‭The data in the storage account is always replicated three times in the primary region. Azure offers two‬
‭options on how your data will be replicated:‬

‭●‬ ‭Locally Redundant Storage (LRS)‬

‭○‬ ‭A low-cost redundancy strategy.‬
‭○‬ ‭Your data is copied synchronously three times within the primary region.‬
‭●‬ ‭Zone-Redundant Storage (ZRS)‬
‭○‬ ‭Redundancy for high availability.‬
‭○‬ ‭The data is copied synchronously across three Azure availability zones in the primary region.‬

‭Secondary Region Redundancy‬

‭https://portal.tutorialsdojo.com/‬ ‭83‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ he data in the storage account is copied to a secondary region. This redundancy option is mainly used‬
T
‭for applications that require high durability since the data is durable even if there’s a complete regional‬
‭outage or disaster in the primary region. Also, the paired secondary region is determined based on the‬
‭selected primary region, and can’t be changed.‬

‭●‬ ‭Geo-Redundant Storage (GRS)‬

‭○‬ ‭Cross-regional redundancy‬
‭○‬ ‭In the primary region, data is synchronously copied three times and then asynchronously‬
‭copied to the secondary region.‬
‭●‬ ‭Geo-Zone-Redundant Storage (GZRS)‬
‭○‬ ‭Redundancy for both high availability and maximum durability‬
‭○‬ ‭Data is copied synchronously across three Azure availability zones in the primary region,‬
‭then copied asynchronously to the secondary region.‬

‭Secondary Region Redundancy with Read Access‬

‭ he data is replicated to another location in the secondary region, and it is only available for read‬
T
‭access. For example, if the primary region becomes unavailable, your data is still available to be read at‬
‭all times in the secondary region. You can only enable read access to the following redundancy options:‬

‭●‬ ‭Read-Access Geo-Redundant Storage (RA-GRS)‬

‭○‬ ‭The data is copied synchronously in the primary region and secondary region.‬
‭●‬ ‭Read-Access Geo-Zone-Redundant Storage (RA-GZRS)‬
‭○‬ ‭The data is copied synchronously across three availability zones in the primary region, then‬
‭synchronously copied to the secondary region.‬

‭Parame‬ ‭LRS‬ ‭ZRS‬ ‭GRS/RA-GRS‬ ‭GZRS/RA-GZRS‬

‭ter‬

‭ urabili‬
D ‭ t least‬
a ‭ t least‬
a ‭ t least‬
a ‭ t least‬
a
‭ty of‬ ‭99.999999‬ ‭99.9999999‬ ‭99.99999999999‬ ‭99.99999999999‬
‭objects‬ ‭999% (11‬ ‭999% (12‬ ‭999% (16 9's)‬ ‭999% (16 9's)‬
‭over a‬ ‭9's)‬ ‭9's)‬
‭given‬
‭year‬

‭ ead‬
R ‭ t least‬
A ‭ t least‬
A -‭ At least 99.9%‬ -‭ At least 99.9%‬
‭request‬ ‭99.9% (99%‬ ‭99.9% (99%‬ ‭(99% for cool‬ ‭(99% for cool‬
‭s‬ ‭for cool‬ ‭for cool‬ ‭access tier) for‬ ‭access tier) for‬
‭availabi‬ ‭access tier)‬ ‭access tier)‬ ‭GRS‬ ‭GZRS‬
‭lity‬

‭https://portal.tutorialsdojo.com/‬ ‭84‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

-‭ At least 99.99%‬ -‭ At least 99.99%‬

‭(99.9% for cool‬ ‭(99.9% for cool‬
‭access tier) for‬ ‭access tier) for‬
‭RA-GRS‬ ‭RA-GZRS‬

‭ rite‬
W ‭ t least‬
A ‭ t least‬
A ‭ t least 99.9%‬
A ‭ t least 99.9%‬
A
‭request‬ ‭99.9% (99%‬ ‭99.9% (99%‬ ‭(99% for cool‬ ‭(99% for cool‬
‭s‬ ‭for cool‬ ‭for cool‬ ‭access tier)‬ ‭access tier)‬
‭availabi‬ ‭access tier)‬ ‭access tier)‬
‭lity‬

‭ umbe‬
N ‭ hree‬
T ‭ hree copies‬
T -‭ Three in the‬ -‭ Three across‬
‭r of‬ ‭copies‬ ‭across‬ ‭primary region‬ ‭separate‬
‭copies‬ ‭within a‬ ‭separate‬ ‭and‬ ‭availability zones‬
‭of data‬ ‭single‬ ‭availability‬ ‭- Three in the‬ ‭in the primary‬
‭maintai‬ ‭region‬ ‭zones within‬ ‭secondary region‬ ‭region‬
‭ned on‬ ‭a single‬ ‭- Three locally‬
‭separat‬ ‭region‬ ‭redundant copies‬
‭e‬ ‭in the secondary‬
‭nodes‬ ‭region‬

‭ he availability and durability of your data during outages is entirely dependent on the type of‬
T
‭redundancy configured for your storage account.‬

‭Outage Scenario‬ ‭LRS‬ ‭ZRS‬ ‭GRS/RA-‬ ‭GZRS/RA‬

‭GRS‬ ‭-GZRS‬

‭ vailable if a node went‬

A ‭✓‬ ‭✓‬ ‭✓‬ ‭✓‬
‭down within a data‬
‭center?‬

‭ vailable if the entire data‬

A ‭-‬ ‭✓‬ ‭✓‬ ‭✓‬
‭center (zonal or‬
‭non-zonal) went down?‬

‭ vailable on region-wide‬
A ‭-‬ ‭-‬ ‭✓‬ ‭✓‬
‭outage in the primary‬
‭region?‬

‭https://portal.tutorialsdojo.com/‬ ‭85‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ as read access to the‬

H ‭-‬ ‭-‬ ‭✓‬ ‭✓‬
‭secondary region if the‬ (‭ with‬ (‭ with‬
‭primary region is‬ ‭RA-GRS)‬ ‭RA-GZRS‬
‭unavailable‬ ‭)‬

‭Storage Encryption‬

‭‬
● ‭ ll storage accounts are encrypted using Storage Service Encryption (SSE) for data at rest.‬
A
‭●‬ ‭The type of encryption used is 256-bit AES encryption.‬
‭●‬ ‭Storage redundancy options support the encryption of data.‬
‭●‬ ‭You can use a Microsoft-managed key, a customer-managed key, and a customer-provided key to‬
‭manage the encryption of your data.‬

‭Key‬ ‭Microsoft-man‬ ‭Customer-man‬ ‭Customer-prov‬

‭management‬ ‭aged keys‬ ‭aged keys‬ ‭ided keys‬
‭parameter‬

‭ ncryption/decry‬
E ‭Azure‬ ‭Azure‬ ‭Azure‬
‭ption operations‬

‭ zure Storage‬
A ‭All‬ ‭ lob storage,‬
B ‭Blob storage‬
‭services‬ ‭Azure Files1,2‬
‭supported‬

‭Key storage‬ ‭ icrosoft key‬

M ‭ zure Key Vault‬
A ‭ ustomer's‬
C
‭store‬ ‭or Key Vault‬ ‭own key store‬
‭HSM‬

‭ ey rotation‬
K ‭Microsoft‬ ‭Customer‬ ‭Customer‬
‭responsibility‬

‭Key control‬ ‭Microsoft‬ ‭Customer‬ ‭Customer‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview‬

‭https://portal.tutorialsdojo.com/‬ ‭86‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Blob Storage‬

‭Blob Storage Resources‬

‭The blob storage is composed of three types of resources:‬
‭1.‬ ‭Storage account‬‭which provides a unique namespace‬‭in Azure for your data. The name of the‬
‭storage account is also the endpoint of your blob storage. For example, if the storage account name‬
‭is “tutorialsdojo-manila” then the endpoint is:‬‭http://tutorialsdojo-manila.blob.core.windows.net.‬
‭2.‬ ‭Container‬‭- organizes a set of blobs that are similar‬‭to a directory in a file system. A storage‬
‭account can have an unlimited number of containers, and each container can hold an unlimited‬
‭number of blobs.‬
‭3.‬ ‭Blob‬‭- a collection of binary data stored as a single‬‭entity. Examples of blobs are images, videos,‬
‭audios, log files, backups, and many more. Azure supports three types of blobs:‬
‭○‬ ‭Block‬
‭i.‬ ‭Made up of blocks of data that can be managed individually‬
‭ii.‬ ‭Store binary and text data up to 4.7 TB.‬
‭iii.‬ ‭Preview larger block blobs up to 190.7 TiB.‬
‭○‬ ‭Append‬
‭i.‬ ‭Optimized for append operations.‬
‭ii.‬ ‭Ideal for logging data from virtual machines.‬
‭○‬ ‭Page‬
‭i.‬ ‭Store random-access files up to 8 TB in size.‬
‭ii.‬ ‭Store virtual hard drive (VHD) files and serve as disks for Azure VMs.‬

‭It’s also important to understand the features available in a blob storage:‬

‭ ersioning -‬‭when you enable blob versioning, you‬‭can easily restore an earlier version of a blob to‬
V
‭recover your data. If you disable the versioning of the blob, it does not delete existing blobs, versions, or‬
‭snapshots.‬

‭ napshots -‬‭a read-only version of a blob that was‬‭taken at a given point in time. The snapshots persist‬
S
‭until they are explicitly deleted.‬

‭ bject Replication -‬‭copies block blobs asynchronously‬‭between a source Storage account and a‬
O
‭destination account. A source account can have up to two destination accounts. But there can be no‬
‭more than two source accounts in the destination account.‬

‭ tatic Website -‬‭serve your static website directly‬‭from a storage container named‬‭$web‬‭. You can grant‬
S
‭read-only access in your resources with a public access level. If you want to configure a custom domain‬
‭endpoint for your website, you can use Azure CDN.‬

‭https://portal.tutorialsdojo.com/‬ ‭87‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Access Tiers‬

‭1.‬ ‭Hot‬
‭○‬ ‭Highest storage costs, but lowest access costs‬
‭○‬ ‭Store data that is accessed frequently‬
‭○‬ ‭By default, new storage accounts are created in the hot tier‬
‭2.‬ ‭Cool‬
‭○‬ ‭Lower storage costs, but higher access costs‬
‭○‬ ‭Store data that is infrequently accessed (at least 30 days)‬
‭○‬ ‭You can use a cool access tier for short-term backup.‬
‭3.‬ ‭Archive‬
‭○‬ ‭Lowest storage costs, but the highest retrieval costs‬
‭○‬ ‭Store data that is rarely accessed (at least 180 days)‬
‭○‬ ‭Data needs to be stored for a long time.‬

‭Hot tier‬ ‭Cool tier‬ ‭Archive tier‬

‭Availability‬ ‭99.90%‬ ‭99%‬ ‭Offline‬

‭ vailability (RA-GRS‬
A ‭99.99%‬ ‭99.90%‬ ‭Offline‬
‭reads)‬

‭Usage charges‬ ‭ igher storage‬

H ‭ ower storage‬
L ‭ owest storage‬
L
‭costs, lower‬ ‭costs, higher‬ ‭costs, highest‬
‭access, and‬ ‭access, and‬ ‭access, and‬
‭transaction‬ ‭transaction‬ ‭transaction‬
‭costs‬ ‭costs‬ ‭costs‬

‭ inimum storage‬
M ‭N/A‬ ‭30 days‬ ‭180 days‬
‭duration‬

‭Latency‬ ‭milliseconds‬ ‭milliseconds‬ ‭hours‬

‭Use case‬ ‭ ata that is‬

D ‭ arge data sets‬
L ‭ ata that needs‬
D
‭staged for‬ ‭for future‬ ‭to be preserved‬
‭processing and‬ ‭processing,‬ ‭and hardly ever‬
‭eventual‬ ‭backup for‬ ‭accessed‬
‭migration to‬ ‭disaster‬
‭cool access tier‬ ‭recovery‬

‭https://portal.tutorialsdojo.com/‬ ‭88‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ hen using access tiers, there are important tiering concepts that you also need to know like‬
W
‭account-level tiering‬‭and‬‭blob-level tiering‬‭. Let’s‬‭describe first what is account level tiering. If a blob‬
‭doesn’t have an explicitly assigned tier, it infers the tier from the storage account access tier settings.‬
‭Take note that you can only set hot and cool access tiers as the default account access tier since the‬
‭archive tier can only be set at the object level.‬

‭ he next tiering concept allows you to upload data to the access tier of your choice. This means that you‬
T
‭can select your preferred access tier then change the blob access tier as your usage patterns change.‬
‭All tier change requests are processed immediately, and the changes between hot and cool tiers are‬
‭done instantly. But if you move a blob from the archive tier into another tier, this would take several‬
‭hours. This process is called‬‭rehydrating‬‭.‬

I‭f you want to transition your data to the appropriate access tiers, you can configure a lifecycle rule in the‬
‭blob lifecycle management. The tiers that you can transition are: blob to cool storage, blob to archive‬
‭storage, and delete the blob at the end of its lifecycle.‬

‭https://portal.tutorialsdojo.com/‬ ‭89‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

I‭n blob-level tiering, when a blob is uploaded or moved to a different tier, you are charged at the new tier’s‬
‭rate immediately. Let’s say you move a blob to a cooler tier, the operation billed to you is a‬‭write‬
‭operation‬‭to the destination tier. But if you moved‬‭to a hotter tier, the operation billed to you is a read‬
‭operation from the source tier. There are also charges for early deletion if a blob is moved out of the cool‬
‭or archive tier. To conclude how tier changes are billed, let’s take a look at the table below:‬

‭https://portal.tutorialsdojo.com/‬ ‭90‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ rite Charges‬
W ‭ ead charges‬
R
‭(Operation + Access)‬ ‭(Operation + Access)‬

‭Hot -> Cool‬ ‭Archive -> Cool‬

‭Set Blob‬ ‭Hot -> Archive‬ ‭Archive -> Hot‬

‭Tier‬
‭Cool -> Archive‬ ‭Cool -> Hot‬

‭Transfer Data with AzCopy‬

‭●‬ A ‭ zCopy is a command-line utility that allows you to transfer blobs or files to or from a storage‬
‭account.‬
‭●‬ ‭You can use Microsoft Entra ID and SAS tokens to provide authorization credentials.‬
‭●‬ ‭These are the tasks that you can do using AzCopy:‬
‭○‬ ‭Upload files‬
‭○‬ ‭Download blobs and directories‬
‭○‬ ‭Copy blobs, directories, and containers between accounts.‬
‭○‬ ‭Synchronize local storage‬
‭●‬ ‭You can run AzCopy on Windows, Linux, and macOS.‬
‭●‬ ‭AzCopy method of authorization‬
‭○‬ ‭Azure Blob storage‬‭- Microsoft Entra ID and Shared‬‭Access Signature‬
‭○‬ ‭Azure Files‬‭- Shared Access Signature only‬
‭●‬ ‭A‬‭shared access signature (SAS)‬‭is a uniform resources‬‭identifier (URI) that grants restricted‬
‭access to your storage account. You can share the URI to grant users temporary access to a‬
‭specific set of permissions. There are three types of shared access signatures:‬
‭○‬ ‭User Delegation SAS‬‭- provides access to storage accounts‬‭using Microsoft Entra ID‬
‭credentials. This SAS is only applicable to Blob storage.‬
‭○‬ ‭Service SAS‬‭- grants access to one Azure storage service‬‭(Blob, Queue, Table, Files) using a‬
‭storage account key.‬
‭○‬ ‭Account SAS‬‭- provides access to one or more storage‬‭services using a storage account‬
‭key.‬
‭●‬ ‭A shared access signature can be in different forms:‬
‭○‬ ‭Ad hoc SAS‬‭- start time, expiry time, and permissions‬‭are specified in the URI. The three‬
‭types of SAS can be an ad hoc SAS.‬
‭○‬ ‭Service SAS with stored access policy‬‭- the stored‬‭access policy is defined on a resource‬
‭container (blob container, file share, table or queue). The policy can be used to manage‬
‭constraints to multiple SAS.‬

‭https://portal.tutorialsdojo.com/‬ ‭91‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Import/Export Data to and from Azure‬

‭ he‬‭Azure Import/Export service‬‭allows you to import‬‭large amounts of data to Blob storage and Files‬
T
‭by shipping the disk drives to an Azure data center. You can also use this service to transfer data from a‬
‭Blob storage to disk drives and then ship it to your on-premises environment. The data from one or more‬
‭drives can be imported to a Blob storage or Files.‬

‭ ‬‭WAImportExport tool‬‭is a command-line tool that‬‭you can use to prepare your disk drives that are‬
A
‭shipped for import. By using this tool, it will be easier to copy your data to the drive. The data on the‬
‭drive is encrypted with AES 256-bit BitLocker. To protect your BitLocker key, you can use an external key‬
‭protector. You can also use this tool to generate the drive journal files used during import creation and‬
‭identify the number of drives needed for export jobs.‬

‭ he disk drives that you can ship to the Azure data center can be solid-state drives (SSDs) or hard disk‬
T
‭drives (HDDs). When you create an import job, the disk drives you ship contain data. But when you‬
‭create an export job, the drives you ship to the data center are empty disk drives.‬

‭ n‬‭import‬‭job allows you to import data into Azure‬‭Blobs or Azure files, whereas the‬‭export‬‭job allows‬
A
‭data to be exported from Azure Blobs. For an import job, you ship drives containing your data. When you‬
‭create an export job, you ship empty drives to an Azure datacenter. In each case, you can ship up to 10‬
‭disk drives per job.‬

‭Use this service on the following scenarios:‬

‭●‬ D ‭ ata migration to the cloud‬‭- transfer large amounts‬‭of data to Azure in a timely and cost-effective‬
‭manner.‬
‭●‬ ‭Content distribution‬‭- send data to your clients'‬‭websites in a timely manner.‬
‭●‬ ‭Backup‬‭- backup your on-premises data and save it‬‭on Azure Storage.‬
‭●‬ ‭Data recovery‬‭- recover a significant quantity of‬‭data and have it delivered to your on-premises‬
‭location.‬

‭https://portal.tutorialsdojo.com/‬ ‭92‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭https://portal.tutorialsdojo.com/‬ ‭93‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ eferences:‬
R
‭https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers‬
‭https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10‬
‭https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service‬

‭https://portal.tutorialsdojo.com/‬ ‭94‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Files‬

‭Storage Tiers‬

‭●‬ ‭Premium file shares (SSD)‬

‭○‬ ‭High performance & low latency, within single-digit milliseconds for most IO operations.‬
‭○‬ ‭For IO-intensive workloads.‬
‭●‬ ‭Standard file shares (HDD)‬
‭○‬ ‭Reliable performance for IO workloads which are less latency-sensitive.‬
‭●‬ ‭If you created either a premium or a standard file share, you cannot automatically convert it to the‬
‭other tier.‬

‭Detail‬ ‭Premium‬ ‭Standard‬

‭Billing model‬ ‭ rovisioned Billing Model,‬

P ‭ ay-As-You-Go Model, the‬
P
‭pay for how much storage‬ ‭bill will increase if you use‬
‭you provision rather than‬ ‭(read/write/mount) the‬
‭how much storage you‬ ‭Azure file share more.‬
‭actually ask for.‬

‭ edundancy‬
R I‭t is available for locally‬ I‭t is available for locally‬
‭options‬ ‭redundant (LRS) and zone‬ ‭redundant, zone redundant,‬
‭redundant (ZRS) storage.‬ ‭geo-redundant (GRS), and‬
‭geo-zone redundant (GZRS)‬
‭storage.‬

‭ aximum size of‬

M ‭ rovisioned for up to 100‬
P ‭ TiB by default, 100 TiB for‬
5
‭file share‬ ‭TiB.‬ ‭locally redundant or zone‬
‭redundant storage‬
‭accounts.‬

‭ egional‬
R ‭ ile shares are not‬
F ‭ vailable in every Azure‬
A
‭availability‬ ‭available in each region,‬ ‭region.‬
‭but zone redundant‬
‭support is available in a‬
‭smaller subset of regions.‬

‭https://portal.tutorialsdojo.com/‬ ‭95‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure File Sync‬

‭‬
● ‭ ransform an on-premises (or cloud) Windows Server into a quick cache of your Azure file share.‬
T
‭●‬ ‭Use Azure File Sync agent to synchronize files from a server to an Azure file share.‬
‭●‬ ‭To create sync groups, you need to deploy a Storage Sync Service.‬
‭●‬ ‭A sync group defines the sync relationship between a cloud endpoint and a server endpoint.‬
‭○‬ ‭Cloud endpoint‬‭– represents an Azure file share and‬‭multiple server endpoints.‬
‭○‬ ‭Server endpoint‬‭– a path registered on the Windows‬‭Server.‬
‭○‬ ‭When you make changes to your cloud endpoint or server endpoint, your files are‬
‭automatically synced to your sync group’s remaining endpoints.‬
‭○‬ ‭When you make a change directly to the cloud endpoint, Azure files must first detect it via a‬
‭change detection job, which only happens once every 24 hours.‬
‭○‬ ‭A change detection job enumerates all the files in the file share and compares it to the sync‬
‭version of that file. When the change detection job determines that there are changes, Azure‬
‭File sync will initiate a sync session.‬
‭‬
● ‭The sync group you created should only have one cloud endpoint.‬
‭●‬ ‭A sync group may have server endpoints with different Active Directory memberships, even if they‬
‭are not domain-joined.‬
‭●‬ ‭The storage accounts used for Azure Files deployments are:‬
‭○‬ ‭General purpose version 2 (GPv2) storage accounts‬
‭○‬ ‭FileStorage storage accounts‬
‭‬
● ‭You can use cloud tiering to cache frequently accessed files locally on the server.‬
‭●‬ ‭The service supports interop with DFS Namespaces (DFS-N) and DFS Replication (DFS-R).‬
‭○‬ ‭DFS-N allows you to group shared folders located on multiple servers into one or more‬
‭logically structured namespaces.‬
‭○‬ ‭DFS-R enables you to replicate folders across multiple servers and sites.‬
‭●‬ ‭Azure File Sync has three layers of encryption:‬
‭○‬ ‭Encryption at rest (Windows Server)‬
‭○‬ ‭Encryption in transit‬
‭○‬ ‭Encryption at rest (Azure file share)‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction‬

‭https://portal.tutorialsdojo.com/‬ ‭96‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Virtual Network‬

‭Components of a Virtual Network‬
‭●‬ B ‭ efore you can create a virtual network, you must first select a‬‭subscription‬‭,‬‭resource group‬‭and‬
‭region‬‭. Keep in mind that when choosing a region,‬‭you must consider the following factors: service‬
‭availability, costs, compliance, and data residency.‬
‭●‬ ‭When you've finished setting up the basic details, you can move on to the selection of‬‭IPv4 and IPv6‬
‭(dual-stack) address space‬‭. A virtual network can‬‭have one or more address prefixes in CIDR‬
‭notation.‬
‭●‬ ‭A‬‭subnet‬‭is a range of IP addresses in your VNet.‬‭You can also create multiple subnets and launch‬
‭Azure resources into a specified subnet. Use a‬‭public‬‭subnet‬‭for resources that need to connect to‬
‭the Internet, and a‬‭private subnet‬‭for resources that‬‭do not require Internet access.‬
‭●‬ ‭To allow the resources from a subnet to have an outbound connection, you must deploy a‬‭NAT‬
‭gateway‬‭. By assigning a NAT gateway to a subnet, you‬‭can simplify the connectivity to the internet‬
‭without having a load balancer or a public IP address attached to a virtual machine.‬
‭●‬ ‭If you need private IP addresses in your virtual network to reach the endpoint of an Azure service‬
‭without the need for a public IP address, you can create a‬‭service endpoint‬‭. These endpoints will‬
‭help you secure your critical Azure resources by only allowing traffic from your virtual network.‬
‭●‬ ‭Lastly, you can use‬‭tags‬‭to easily identify and categorize‬‭your resources.‬
‭●‬ ‭Once you're satisfied with the configuration of your virtual network, proceed with the launch. Wait‬
‭for your virtual network to complete its preparations, and then you should be able to deploy‬
‭resources in the subnet.‬

‭Network Security Group (NSG) and Application Security Group (ASG)‬

‭ ‬‭network security group‬‭controls the inbound and‬‭outbound traffic of Azure resources. While an‬
A
‭application security group‬‭allows you to define a‬‭group of virtual machines and‬‭define network security‬
‭policies based on those groups.‬
‭●‬ ‭The rules are processed from lowest to highest numbers.‬
‭●‬ ‭You can set a number between 100 and 4096.‬
‭●‬ ‭The rules can be applied to both inbound or outbound traffic.‬
‭●‬ ‭You can allow or deny incoming or outgoing traffic.‬
‭●‬ ‭When you create a network security group, Azure assigns default security rules for inbound and‬
‭outbound traffic.‬
‭●‬ ‭NSG can be attached to a subnet or a network interface. Refrain from attaching a network security‬
‭group to both subnet and network interface.‬

‭ ules are processed in priority order, with lower numbers processed before higher numbers since lower‬
R
‭numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that‬

‭https://portal.tutorialsdojo.com/‬ ‭97‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ xist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities‬
e
‭are not processed.‬

‭https://portal.tutorialsdojo.com/‬ ‭98‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Virtual Network Peering‬

‭ Net peering enables you to connect two virtual networks seamlessly. Plan accordingly before initiating‬
V
‭a peer, and ensure that your VNet address ranges do not overlap with one another.‬

‭There are two types of peering:‬

‭ .‬ V
1 ‭ irtual Network Peering‬‭- connect virtual networks‬‭in the same Azure region.‬
‭2.‬ ‭Global Virtual Network Peering‬‭- connect virtual networks‬‭across different Azure regions.‬

‭Here are some of the advantages of using VNet peering:‬

‭●‬ P ‭ rovides a high-bandwidth and low-latency connection between resources in different virtual‬
‭networks.‬
‭●‬ ‭The resources in one virtual network can communicate with resources in another virtual network.‬
‭●‬ ‭Enables you to transmit data between virtual networks across Azure subscriptions, Azure regions,‬
‭Microsoft Entra tenants ID, and deployment models.‬
‭●‬ ‭There is no downtime in either virtual network when creating the peering or after the peering is‬
‭created.‬
‭●‬ ‭Traffic between virtual networks is private. This means that the communication between the virtual‬
‭networks does not require the use of the public Internet, gateways, or encryption.‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview‬

‭https://portal.tutorialsdojo.com/‬ ‭99‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Load Balancer‬

‭Components of a Load Balancer‬

‭●‬ A ‭ load balancer‬‭distributes incoming network traffic‬‭across multiple targets.‬‭There are two types of‬
‭load balancers:‬
‭○‬ ‭Public load balancer‬‭- allows outbound connections‬‭for your virtual machines.‬
‭○‬ ‭Internal load balancer‬‭- controls the flow of traffic‬‭inside your private virtual network.‬
‭●‬ ‭A group of VMs or instances in a VM scale set serving the incoming request is called a‬‭backend‬
‭pool‬‭.‬
‭●‬ ‭Determine the health status of backend pool instances with‬‭health probes‬‭.‬
‭○‬ ‭Health probe down behavior – if the probes in a backend pool fail, it will stop receiving traffic‬
‭until it starts passing health probes again.‬
‭●‬ ‭Use Azure Monitor to check the metrics, alerts, and resource health of Azure Load Balancer.‬
‭●‬ ‭High Availability (HA) ports enable load balancing on all ports of TCP and UDP protocols.‬
‭●‬ ‭With multiple frontends, you can load balance services on multiple ports and multiple IP addresses.‬
‭●‬ ‭SLA guarantees that two or more healthy VMS will always be available.‬
‭●‬ ‭The load balancer tiers are:‬‭Basic‬‭and‬‭Standard‬
‭●‬ ‭Standard load balancer‬‭availability zones‬‭:‬
‭○‬ ‭Zonal‬‭= single zone‬
‭○‬ ‭Zone-redundant‬‭= multiple zones‬

‭Details‬ ‭Basic Load Balancer‬ ‭Standard Load Balancer‬

‭ ackend pool‬
B ‭ upports up to 300‬
S ‭ upports up to 1000‬
S
‭size‬ ‭instances.‬ ‭instances.‬

‭ ackend pool‬
B ‭ single availability set for‬
A ‭ single virtual network for‬
A
‭endpoints‬ ‭VMs or VM scale set.‬ ‭any VMs or VM scale sets.‬

‭Health probes‬ ‭TCP, HTTP‬ ‭TCP, HTTP, HTTPS‬

‭ ealth probe‬
H ‭ CP connections stay alive‬
T ‭ CP connections stay alive‬
T
‭down behavior‬ ‭on an instance probe down.‬ ‭on an instance probe down‬
‭All TCP connections‬ ‭and on all probes down.‬
‭terminate when all probes‬
‭are down.‬

‭ vailability‬
A ‭Not available‬ ‭ one-redundant and zonal‬
Z
‭Zones‬ ‭frontends for inbound and‬
‭outbound traffic.‬

‭https://portal.tutorialsdojo.com/‬ ‭100‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Diagnostics‬ ‭Azure Monitor logs‬ ‭ zure Monitor‬

A
‭multi-dimensional metrics‬

‭HA Ports‬ ‭Not available‬ ‭ vailable for Internal Load‬

A
‭Balancer‬

‭ ecure by‬
S ‭ pen by default. Network‬
O ‭ losed to inbound flows‬
C
‭default‬ ‭security group optional.‬ ‭unless allowed by a network‬
‭security group. Please note‬
‭that internal traffic from the‬
‭VNet to the internal load‬
‭balancer is allowed.‬

‭Outbound Rules‬ ‭Not available‬ ‭ eclarative outbound NAT‬

D
‭configuration‬

‭ CP Reset on‬
T ‭Not available‬ ‭Available on any rule‬
‭Idle‬

‭ ultiple‬
M ‭Inbound only‬ ‭Inbound and outbound‬
‭frontends‬

‭ anagement‬
M ‭60-90+ seconds typical‬ ‭ ost operations < 30‬
M
‭Operations‬ ‭seconds‬

‭SLA‬ ‭Not available‬ ‭99.99%‬

‭Load Balancing Algorithm‬

‭ load balancing rule distributes the incoming traffic to the resources in the backend pool. Health probes‬
A
‭can determine which VMs in the backend pool can receive the load-balanced traffic. The load-balancing‬
‭decision is based on the following tuple connection:‬

‭ .‬ S
1 ‭ ource IP address and port‬
‭2.‬ ‭Destination IP address and port‬
‭3.‬ ‭Protocol‬

‭Session persistence maintains the traffic from a client to the same virtual machine.‬

‭ .‬ N
1 ‭ one‬‭– any virtual machine can handle successive requests‬‭from the same client.‬
‭2.‬ ‭Client IP‬‭– the same virtual machine will handle successive‬‭requests from the same client IP‬
‭address.‬

‭https://portal.tutorialsdojo.com/‬ ‭101‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭3.‬ C
‭ lient IP and protocol‬‭– the same virtual machine will handle successive requests from the same‬
‭client IP address and protocol combination.‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview‬

‭https://portal.tutorialsdojo.com/‬ ‭102‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure DNS‬
‭Public and Private DNS‬

‭ he‬‭Public DNS‬‭handles the domains, DNS zones, DNS‬‭records, and record sets. A DNS zone is used to‬
T
‭host the DNS records of a particular domain. An example of a domain is “‬‭tutorialsdojo.com‬‭”. It may‬
‭contain a number of DNS records such as “‬‭mail.tutorialsdojo.com‬‭”‬‭(for a mail server) and‬
‭“‬‭www.tutorialsdojo.com‬‭” (for a website). A record‬‭set is a collection of DNS records in a zone that have‬
‭the same name and type. Here is an example of a record set:‬

‭ ww.tutorialsdojo.com.
w 3600 IN A 12.238.154.93‬
‭www.tutorialsdojo.com. 3600 IN A 12.238.157.186‬

‭ n the other hand, a‬‭Private DNS‬‭allows you to manage‬‭and resolve domain names in a virtual network‬
O
‭without adding a custom DNS. The records in a private DNS zone are not reachable through the Internet‬
‭and DNS resolution against a private DNS zone is only possible from virtual networks linked to it.‬

‭DNS Record Types‬

‭‬ A
● ‭ ‬‭- maps the host to an IPv4 address.‬
‭●‬ ‭AAAA‬‭- maps the host to an IPv6 address.‬
‭●‬ ‭CNAME‬‭- indicates that the name it refers to is not‬‭an alias. In other words, all other records that‬
‭you use are all aliases.‬
‭●‬ ‭MX‬‭- used for mail exchange and maps mail requests‬‭to your mail servers.‬
‭●‬ ‭PTR‬‭- maps the IP address to a domain or host name.‬
‭●‬ ‭SOA‬‭- stores important information about a domain‬‭or zone.‬
‭●‬ ‭SRV‬‭- helps you specify server locations.‬
‭●‬ ‭TXT‬‭- often associated with text strings in a domain‬‭name and used for verifying a domain name.‬

‭Import/Export a DNS Zone File‬

‭ he importing and exporting of zone files is only applicable using the Azure CLI. If a zone file is‬
T
‭imported, it generates a new zone in Azure Private DNS. If the zone already exists, the zone file's record‬
‭sets must be merged with the existing record sets.‬

‭●‬ T ‭ he CLI command to import a zone file is:‬

‭az network dns zone import -g‬‭<resource-group-name>‬‭-n‬‭<zone-name>‬‭.com -f‬‭<filename>‬‭.txt‬
‭●‬ ‭If you need to export a zone file, the command is:‬
‭az network dns zone export -g‬‭<resource-group-name>‬‭-n‬‭<zone-name>‬‭.com -f‬‭<file-name>‬‭.txt‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/dns/dns-overview‬

‭https://portal.tutorialsdojo.com/‬ ‭103‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure VPN Gateway‬

‭VPN Gateway Connections‬

‭1.‬ S
‭ ite-to-Site‬‭- creates a secure connection from your‬‭on-premises network to an Azure virtual‬
‭network.‬

‭2.‬ V
‭ Net-to-VNet‬‭- connection automatically routes to‬‭the updated address space, if you updated the‬
‭address space on the other VNet.‬

‭3.‬ ‭Point-to-Site‬‭-‬‭establish a connection to your virtual‬‭network from a remote location.‬

I‭n an‬‭active-active configuration‬‭, each Azure VPN‬‭gateway instance will establish S2S VPN tunnels, and‬
‭the traffic will be routed to multiple tunnels. For‬‭active-passive configuration‬‭, the standby instance‬
‭would only take over if a disruption happens on the active instance.‬

‭Details‬ ‭Site-to-Site‬ ‭Point-to-Site‬

‭ upported‬
S ‭ loud Services and Virtual‬
C ‭ loud Services and Virtual‬
C
‭Services‬ ‭Machines‬ ‭Machines‬

‭Bandwidths‬ ‭ ypically < 1 Gbps‬

T ‭Based on the gateway SKU‬
‭aggregate‬

‭Protocols‬ ‭IPsec‬ ‭ ecure Sockets Tunneling‬

S
‭Protocol (SSTP), OpenVPN‬
‭and IPsec‬

‭Routing‬ ‭ upport both PolicyBased‬

S ‭RouteBased (dynamic)‬
‭(static routing) and‬
‭RouteBased (dynamic‬
‭routing VPN)‬

‭ onnection‬
C ‭ ctive-passive or‬
a ‭active-passive‬
‭resiliency‬ ‭active-active‬

‭Use case‬ ‭ ev / test / lab scenarios‬

D ‭ rototyping, dev / test / lab‬
P
‭and small scale production‬ ‭scenarios for cloud‬
‭workloads for cloud‬ ‭services and virtual‬
‭services and virtual‬ ‭machines‬
‭machines‬

‭https://portal.tutorialsdojo.com/‬ ‭104‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭VPN Types‬

‭1.‬ P
‭ olicy-based gateway‬‭implements a policy-based VPN. The policy-based VPNs are used to encrypt‬
‭and direct packets to IPsec tunnels. The policy or traffic selector is defined as an access list in the‬
‭VPN configuration. You cannot change a policy-based VPN to a route-based VPN and vice versa.‬

‭2.‬ R
‭ oute-based gateway‬‭- implements a route-based VPN.‬‭The route-based VPNs use routes in the‬
‭routing table to direct packets to tunnel interfaces. Tunnel interfaces can encrypt and decrypt‬
‭packets. The policy or traffic selector are configured as wild cards (any-to-any).‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways‬

‭https://portal.tutorialsdojo.com/‬ ‭105‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Microsoft Entra ID‬

‭Managing Users, Groups, Roles and Devices‬

‭1. Users‬

‭‬ Y
● ‭ ou can create a new user in your organization or a guest user.‬
‭●‬ ‭By enabling Multi-Factor Authentication, you provide additional security by requiring the user‬
‭a second form of authentication. The additional forms that can be used with Microsoft Entra‬
‭ID MFA are:‬
‭○‬ ‭Microsoft Authenticator app‬
‭○‬ ‭OATH hardware token‬
‭○‬ ‭SMS‬
‭○‬ ‭Voice call‬
‭●‬ ‭You can also perform the following bulk operations:‬
‭○‬ ‭Bulk create‬
‭○‬ ‭Bulk invite‬
‭○‬ ‭Bulk delete‬
‭○‬ ‭Bulk restore‬
‭○‬ ‭Download users‬
‭●‬ ‭Self-service password reset enables users to manage their passwords from any device, at‬
‭any time, and from any location.‬
‭●‬ ‭In the device settings, you can change the maximum number of devices per user.‬
‭●‬ ‭You can assign licenses to multiple users or groups to allow them to use the licensed‬
‭Microsft Entra ID services. Licenses are applied per tenant, and you can’t transfer them to‬
‭other tenants.‬

‭2. Groups‬

‭‬
● ‭ collection of users, devices, groups, and service principals.‬
A
‭●‬ ‭You can easily manage access to your resources by creating an Microsoft Entra group.‬
‭●‬ ‭A user can belong to multiple groups.‬
‭●‬ ‭Groups do not have security credentials.‬
‭●‬ ‭Group Types:‬
‭○‬ ‭Security‬‭– it contains users, devices, groups, and‬‭service principals as its members.‬
‭The users and service principals are the owners of this group.‬
‭○‬ ‭Microsoft 365‬‭– it contains users as its members.‬‭Both the users and service‬
‭principals can be owners of this group.‬
‭ ‬ ‭Membership type:‬
●
‭○‬ ‭Assigned‬‭– manually add users to be members of the‬‭group.‬
‭○‬ ‭Dynamic user‬‭– automatically add and remove members‬‭using the dynamic‬
‭membership rules.‬

‭https://portal.tutorialsdojo.com/‬ ‭106‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭○‬ D
‭ ynamic device‬‭– automatically add and remove members using the dynamic group‬
‭rules.‬

‭3. Roles‬

‭●‬ W ‭ ith external identities, you can allow users outside your organization to sign in using an‬
‭external identity provider like Facebook and Google.‬
‭●‬ ‭Administrative roles can be used to grant access to Microsft Entra ID and other Microsoft‬
‭services. There are two types of role definitions:‬
‭○‬ ‭Built-in roles‬‭– it has a fixed set of permissions.‬
‭○‬ ‭Custom roles‬‭– you can select permissions from a preset‬‭list. To create a custom‬
‭role, you need to have an Microsoft Entra ID P1 or P2 plan.‬
‭●‬ ‭A Microsft Entra resource that can be a container for other Microsft Entra resources is called‬
‭an administrative unit. It can only contain users and groups.‬

‭4. Devices‬

‭●‬ ‭Microsoft Entra registered‬

‭○‬ ‭The devices registered are personally owned devices (bring your own device or‬
‭mobile device). These devices are signed in with a personal Microsoft account.‬
‭○‬ ‭A Mobile Device Management (MDM) helps you enforce configurations like storage‬
‭must be encrypted, password complexity, and up-to-date security software.‬
‭○‬ ‭Key capabilities:‬
‭■‬ ‭Single sign-on (SSO) to cloud resources.‬
‭■‬ ‭Conditional access when enrolled in Microsoft Intune or via App protection‬
‭policy.‬
‭■‬ ‭Enables phone sign-in with Microsoft Authenticator app.‬
‭●‬ ‭Microsoft Entra joined‬
‭○‬ ‭The devices and accounts are owned by an organization. It only exists in the cloud.‬
‭○‬ ‭Microsoft Entra join is primarily used for organizations that do not have an‬
‭on-premises Windows Server AD infrastructure.‬
‭○‬ ‭Key capabilities:‬
‭■‬ ‭SSO to both cloud and on-premises resources.‬
‭■‬ ‭Conditional access through MDM enrollment and MDM compliance‬
‭evaluation.‬
‭■‬ ‭Self-service password reset and Windows Hello PIN reset on the lock screen.‬
‭■‬ ‭Enterprise State Roaming across devices.‬
‭●‬ ‭Microsoft Entra hybrid joined‬
‭○‬ ‭The devices and Active Directory Domain Services account are owned by an‬
‭organization. It exists both in the cloud and on-premises resources.‬
‭○‬ ‭You can implement hybrid joined devices if you have an existing on-premises AD‬
‭footprint and you want to benefit from the capabilities provided by Microsoft Entra.‬

‭https://portal.tutorialsdojo.com/‬ ‭107‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭○‬ ‭Key capabilities:‬

‭■‬ ‭SSO to both cloud and on-premises resources.‬
‭■‬ ‭Conditional access through Domain join or through Microsoft Intune if‬
‭co-managed.‬
‭■‬ ‭Self-service password reset and Windows Hello PIN reset on the lock screen.‬
‭■‬ ‭Enterprise State Roaming across devices.‬
‭●‬ ‭If you register your application to use Microsoft Entra ID, the users in your organization can‬
‭do the following:‬
‭○‬ ‭Get an identity for their application that is recognized by Microft Entra ID.‬
‭○‬ ‭Get secrets/keys that the application will use for authentication.‬
‭○‬ ‭Create a custom name and logo for your application.‬
‭○‬ ‭Apply Microsoft Entra authorization (RBAC and oAuth)‬
‭○‬ ‭Declare the necessary permissions for the application.‬
‭ ‬ ‭With application proxy, you can provide SSO, and remote access for web apps hosted‬
●
‭on-premises.‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis‬

‭https://portal.tutorialsdojo.com/‬ ‭108‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure RBAC‬
‭How Permissions are Enforced‬

‭ efore we dive in on how to control access to resources using Azure role-based access control, let's first‬
B
‭go through what can you do with this authorization system. Azure RBAC allows you to manage user’s‬
‭access to Azure resources, including what they can do with those resources and what areas they can‬
‭access. For example, if you want to allow a group of database administrators to only manage SQL‬
‭databases, then you have to assign an Azure role to that group.‬

‭ ttaching a role definition to a user, group, service principal, and managed identity to grant access to a‬
A
‭particular scope is called‬‭role assignment‬‭. You can‬‭assign a role using Azure Portal, PowerShell, CLI,‬
‭SDKs, or REST APIs.‬

‭A role assignment is composed of three elements:‬

‭1.‬ S ‭ ecurity Principal‬‭– an object representing a user,‬‭group, service principal, and managed identity‬
‭that requests access to Azure resources.‬
‭a.‬ ‭User‬‭- an entity that you create in Microsoft Entra‬‭ID to represent a person who interacts with‬
‭Azure services.‬
‭b.‬ ‭Group‬‭- a collection of users created in Microsoft‬‭Entra ID.‬
‭c.‬ ‭Service Principal‬‭- an identity that applications‬‭use to gain access to different Azure‬
‭resources.‬
‭d.‬ ‭Managed Identity‬‭- an identity in Microsoft Entra‬‭ID that is managed by Azure. There are two‬
‭types of managed identities:‬
‭■‬ ‭System-assigned‬‭- when you enable this option, an‬‭identity will be created in‬
‭Microsoft Entra ID and this identity will be tied to the lifecycle of the service instance.‬
‭Therefore, if the resource is deleted, the identity will automatically be deleted by‬
‭Azure.‬
‭■‬ ‭User-assigned‬‭- since system-assigned is tied with‬‭the service instance, the‬
‭user-assigned identity is managed separately from the resource. You can also assign‬
‭the created user-assigned managed identity to one or more instances of an Azure‬
‭service.‬
‭2.‬ ‭Role Definition‬‭– a list of permissions that can be‬‭performed, such as read, write and delete. You‬
‭can either use the Azure built-in roles or construct your own custom roles if the provided roles don't‬
‭meet the specific needs of your organization.‬
‭a.‬ ‭Built-in roles‬‭- since it takes time to create custom‬‭roles, you can use the built-in roles‬
‭managed by Azure to easily grant the permissions needed by the principal.‬
‭b.‬ ‭Custom roles‬‭- this role's permissions are defined‬‭by you. It can also be shared between‬
‭subscriptions that trust the same Microsoft Entra ID.‬

‭https://portal.tutorialsdojo.com/‬ ‭109‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭3.‬ S
‭ cope‬‭– set of resources to which access applies. When you assign a role, you can define a scope‬
‭to further limit the actions that are permitted. Scopes are structured in a parent-child relationship.‬
‭You can assign roles at any of these levels:‬
‭a.‬ ‭Management Group‬
‭b.‬ ‭Subscription‬
‭c.‬ ‭Resource Group‬

‭ emember that role assignments are transitive for groups. If a user is a member of Group A, and Group‬
R
‭A is a member of Group B with a role assignment, then the user will inherit the role assignment's‬
‭permissions. For multiple overlapping role assignments, the effective permissions are the sum of your‬
‭role assignments. For example, a user has a Contributor role at the subscription scope and a Reader role‬
‭in a resource group. The sum of these two permissions is effectively the Contributor role for the‬
‭subscription.‬

‭ ou can also attach a set of deny actions to a user, group, service principal, or managed identity at a‬
Y
‭particular scope using‬‭deny assignments‬‭. Take note‬‭that deny assignments take precedence over role‬
‭assignments. In other words, deny assignments can restrict users from performing a specified action‬
‭even if it has a role assignment.‬

‭Different Types of Roles‬

‭ lassic Subscription Administrator Roles‬‭- have full‬‭access to an Azure subscription like managing‬
C
‭resources using the Azure Portal, Resource Manager API, and the classic deployment model APIs. The‬
‭three classic subscription administrative roles are:‬

‭1.‬ A ‭ ccount Administrator‬‭- this role is the billing owner‬‭of the Azure subscription. It can manage‬
‭subscriptions and billings in the account. You can only have 1 Account Administrator per Azure‬
‭account.‬
‭2.‬ ‭Service Administrator‬‭- you can only have 1 Service‬‭Administrator per Azure subscription. In new‬
‭subscriptions, the Account Administrator also serves as the Service Administrator. This role has full‬
‭access to the Azure portal and it can assign users with a Co-Administrator role.‬
‭3.‬ ‭Co-Administrator‬‭- you can only create 200 Co-Administrator‬‭per Azure subscription. This role has‬
‭the same privileges as the Service Administrator, but it can’t change the association of‬
‭subscriptions to Azure directories. A user with this role can only assign a Co-Administrator role to‬
‭other users.‬

‭ zure Roles‬‭– provides fine-grained access management‬‭of Azure resources. The following are the four‬
A
‭fundamental Azure built-in roles:‬

‭ .‬ O
1 ‭ wner‬‭- provides full access to all Azure resources.‬‭It can also delegate access to other users.‬
‭2.‬ ‭Contributor‬‭- allows the user to create and manage‬‭all types of resources in Azure. The role can‬
‭also create a new tenant in Microsoft Entra ID, but it cannot grant access to other users.‬

‭https://portal.tutorialsdojo.com/‬ ‭110‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ .‬ R
3 ‭ eader‬‭- a user with this role can only view Azure resources.‬
‭4.‬ ‭User Access Administrator‬‭- this role has permission‬‭to manage user access to all types of‬
‭resources.‬

‭Built-in Roles‬ ‭Read‬ ‭Gran‬ ‭Create, Update,‬

‭t‬ ‭Delete‬

‭Owner‬ ‭✓‬ ‭✓‬ ‭✓‬

‭Contributor‬ ‭✓‬ ‭✓‬

‭Reader‬ ‭✓‬

‭ ser Access‬
U ‭✓‬
‭Administrator‬

‭ icrosoft Entra Roles‬‭– provide access to manage Microsoft‬‭Entra resources in a directory such as‬
M
‭create users, assign administrative roles to others, manage licenses, reset passwords, and manage‬
‭domains. The important Microsoft Entra built-in roles are:‬

‭1.‬ G ‭ lobal Administrator‬‭- this role can manage access‬‭to all the administrative features in Microsoft‬
‭Entra. It can assign administrator roles to the users in your organization and reset the password of‬
‭users or administrators in your account.‬
‭2.‬ ‭User Administrator‬‭- allows the user to create and‬‭manage different types of users and groups in‬
‭Azure. Manage support tickets and monitor service health. Also, this role can only change the‬
‭passwords of users and administrators.‬
‭3.‬ ‭Billing Administrator‬‭- this role has permission to‬‭make purchases, monitor service health, manage‬
‭subscriptions, and support tickets in Azure.‬

‭You can also create custom roles, but you need to upgrade your Microsoft Entra ID to P1 or P2.‬

‭Microsoft Entra Roles‬ ‭Azure Roles‬

‭Definition‬ ‭ anage access to‬

M ‭ anage access to Azure‬
M
‭Microsoft Entra resources:‬ ‭resources: Virtual Machine,‬
‭Users, Groups, Billing,‬ ‭Database, Storage,‬
‭Licensing, Application‬ ‭Networking, etc.‬
‭Registration, etc.‬

‭Custom Role‬ ‭Supported‬ ‭Supported‬

‭Scope‬ ‭ he scope is only at the‬

T ‭ he scope can be specified‬
T
‭tenant level.‬ ‭at multiple levels:‬
‭Management group,‬

‭https://portal.tutorialsdojo.com/‬ ‭111‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ ubscription, and Resource‬

S
‭group‬

‭Role Information‬ I‭t can be accessed through‬
‭Azure Admin Portal,‬
‭Microsoft 365 Admin‬
‭Center, Microsoft Graph,‬
‭and Azure AD PowerShell.‬
I‭t can be accessed through‬
‭Azure Portal, CLI,‬
‭PowerShell, Resource‬
‭Manager templates, and‬
‭REST APIs.‬

‭Role Definition Structure‬

I‭f you are planning to create your own Azure custom role, it is important to understand how roles are‬
‭defined. The following structure is displayed when using Azure PowerShell:‬

{‭ ‬
‭"Name": ,‬
‭"Id": ,‬
‭"IsCustom": ,‬
‭"Description" ,‬
‭"Actions": [ ],‬
‭"NotActions": [ ],‬
‭"DataActions": [ ],‬
‭"NotDataActions" [ ],‬
‭"AssignableScopes" [ ]‬
‭}‬

‭The following structure is displayed when using Azure Portal, CLI, or the REST API:‬

{‭ ‬
‭"roleName": ,‬
‭"name": ,‬
‭"type": ,‬
‭"description" ,‬
‭"actions": [ ],‬
‭"notActions": [ ],‬
‭"dataActions": [ ],‬
‭"notDataActions" [ ],‬
‭"assignableScopes" [ ]‬
‭}‬

‭●‬ ‭Name / roleName‬‭- the display name of the created‬‭role.‬

‭https://portal.tutorialsdojo.com/‬ ‭112‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭‬
● I‭ d / name‬‭- the auto-generated unique ID of the role.‬
‭●‬ ‭IsCustom / type‬‭- indicates whether the role is a‬‭CustomRole (true) or a BuiltInRole (false).‬
‭●‬ ‭Description / description‬‭- the description of the‬‭custom role.‬
‭●‬ ‭Actions / actions‬‭- an array of strings that defines‬‭the management operations that can be‬
‭performed by the role.‬
‭‬
● ‭NotActions / notActions‬‭- an array of strings that‬‭are excluded from the allowed Actions.‬
‭●‬ ‭DataActions / dataActions‬‭- an array of strings that‬‭defines the data operations that can be‬
‭performed to the data within an object.‬
‭●‬ ‭NotDataActions / notDataActions‬‭- an array of strings‬‭that are excluded from the allowed‬
‭DataActions.‬
‭●‬ ‭AssignableScopes / assignableScopes‬‭- an array of‬‭strings that defines the scope that the role is‬
‭available for assignment. Take note that you can only define one management group in a custom‬
‭role.‬

‭The operations that you can perform are specified in a string:‬

‭●‬ ‭*‬‭- a wildcard allows you to apply all the operations‬‭that match the string.‬
‭●‬ ‭read‬‭- allows read (GET) operations.‬
‭●‬ ‭write‬‭- allows write (PUT or PATCH) operations.‬
‭●‬ ‭action‬‭- allows custom operations like restarting‬‭a virtual machine (POST).‬
‭●‬ ‭delete‬‭- allows delete (DELETE) operations.‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/role-based-access-control/overview‬

‭https://portal.tutorialsdojo.com/‬ ‭113‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Policy‬
‭Policy Components‬

I‭n order to implement governance for resource consistency, regulatory compliance, security, cost and‬
‭management, you need to enforce a set of rules by creating a policy. But before you create a policy, you‬
‭need to understand the following components:‬

‭1.‬ T ‭ he‬‭policy definition‬‭is created in a JSON format.‬‭It is used to describe resource compliance‬
‭conditions and the effect to take if the conditions are met. You can assign a built-in policy or define‬
‭your own rules by creating a custom policy.‬
‭2.‬ ‭When creating a policy definition, it is also a good practice to make it flexible or reusable by‬
‭reducing the number of policy definitions.‬‭Policy‬‭parameters‬‭allow you to define parameters when‬
‭assigning the policy definition. A parameter is composed of a name and optionally, a given value.‬
‭Let's say, you define a parameter for a policy titled "location". Then you can give it different values,‬
‭such as "East US" or "West US" when assigning a policy.‬
‭3.‬ ‭Once the policy is created, you can proceed to‬‭policy‬‭assignment‬‭. This is where the policy will take‬
‭place within a specific scope. The scope refers to management groups, subscriptions, and resource‬
‭groups. Policy assignments are inherited by child resources. This means that if the policy is applied‬
‭to a resource group, it is also applied to all the resources in that resource group.‬
‭4.‬ ‭The‬‭initiative definition‬‭is a collection of policy‬‭definitions that you can assign. This will help you‬
‭simplify a group of policies as one single item. One example is, create an initiative titled “Enable‬
‭Monitoring in Azure Security Center”. The goal of this initiative is to monitor all the available security‬
‭recommendations. There are three policy definitions under this initiative: Monitor unencrypted SQL‬
‭Database, Monitor OS Vulnerabilities, and Monitor missing endpoint.‬
‭5.‬ ‭Lastly, once the policy is assigned, it will now evaluate for the compliance state. You can find the‬
‭non-compliant resources in the Compliance tab.‬

‭Policy Definition Structure‬

‭ e will be breaking down what constitutes a policy definition and what conditions you can add to your‬
W
‭policies. The structure is as follows:‬

‭{‬
‭"properties": {‬
‭"displayName": " ",‬
‭"description": " ",‬
‭"mode": " ",‬
‭"metadata": {},‬
‭"parameters": {},‬
‭"policyRule": {}‬

‭https://portal.tutorialsdojo.com/‬ ‭114‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭}‬
‭}‬

‭‬ D
● ‭ isplay Name‬‭and‬‭Description‬‭-‬‭helps you identify‬‭the policy definition and when it's used.‬
‭●‬ ‭Mode‬‭- it determines which resource types are evaluated‬‭for a policy definition. There are two types‬
‭of modes:‬
‭a.‬ ‭all - evaluates subscription, resource group and all resource types.‬
‭b.‬ ‭Indexed - evaluates only the resource types that support tags and location.‬
‭●‬ ‭Metadata‬‭- although this property is optional, it‬‭is useful if you need to store information about the‬
‭policy definition. The common metadata properties are:‬
‭a.‬ ‭version (string)‬
‭b.‬ ‭category (string)‬
‭c.‬ ‭preview (boolean)‬
‭d.‬ ‭deprecated (boolean)‬
‭●‬ ‭Parameters‬‭- enables you to reuse the policy in different‬‭scenarios by using different values. To‬
‭understand it better, think of parameters like a field on a form (name, address, city, state). These‬
‭parameters are always the same, but their values change depending on who fills out the form. The‬
‭following properties are used in the policy definition:‬
‭a.‬ ‭name - the name of your parameter.‬
‭b.‬ ‭type - it can be string, integer, float, boolean, array, object, or datetime.‬
‭c.‬ ‭metadata - the subproperties used by the Azure portal to display the following information:‬
‭■‬ ‭description - defines what the parameter is used for.‬
‭■‬ ‭displayName - the name shown in the portal‬
‭■‬ ‭strongType (optional) - provides a multi-select list of options in the Azure Portal. Use‬
‭Get-AzResourceProvider‬‭to determine whether a resource‬‭type is valid for‬
‭strongType.‬
‭■‬ ‭assignPermissions (optional) - allows you to assign permissions outside the‬
‭assignment scope.‬
‭d.‬ ‭defaultValue (optional) - if parameter value is not defined, it sets the default value.‬
‭e.‬ ‭allowedValues (optional) - an array of values that the parameter will accept.‬
‭●‬ ‭Policy Rule‬‭- this is where you apply the logical‬‭operators and conditions. The rules consist of “if”‬
‭and “then” statements.‬
‭a.‬ ‭The supported logical operators are:‬
‭■‬ ‭not‬
‭■‬ ‭allOf‬
‭■‬ ‭anyOf‬
‭b.‬ ‭The conditions that you should be aware of are:‬
‭■‬ ‭less, lessOrEquals, greater, and greaterOrEquals - an error is thrown if the property‬
‭type does not match the condition type.‬
‭■‬ ‭like and notLike - you only need to provide one wildcard (*) value.‬

‭https://portal.tutorialsdojo.com/‬ ‭115‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭■‬ ‭match and notMatch - the condition is case sensitive‬

‭●‬ ‭# to match a digit‬
‭●‬ ‭? for letter‬
‭●‬ ‭. to match any character‬
‭■‬ ‭matchInsensitively and notMatchInsensitively - case-insensitive alternatives‬

‭Policy Effects‬

‭ policy definition has a single effect and this will define what happens when the policy rule is evaluated‬
A
‭to match. The effects operate differently depending on whether they are applied to a new resource, an‬
‭updated resource, or an existing resource.‬

‭The supported effects in a policy definition are:‬

‭●‬ ‭Append‬‭– add additional fields to the requested resource.‬
‭●‬ ‭Audit‬‭– a warning event for a non-compliant resource.‬
‭●‬ ‭AuditIfNotExists‬‭– audit the resources when the condition‬‭is met.‬
‭●‬ ‭Deny‬‭– prevents the request before being sent to the‬‭Resource Provider.‬
‭●‬ ‭DeployIfNotExists‬‭– if the condition is met, it allows‬‭you to execute a template deployment.‬
‭●‬ ‭Disabled‬‭– allows you to disable a single assignment,‬‭rather than disabling all assignments under‬
‭that policy.‬
‭●‬ ‭Modify‬‭– manage tags of resources (add, update, or‬‭remove).‬
‭●‬ ‭The order of evaluation is managed by the Resource Provider and forward the results back to Azure‬
‭Policy. When a resource fails to meet the designated governance controls of Azure Policy, this order‬
‭will prevent unnecessary processing.‬
‭●‬ ‭Disabled‬‭- check this effect first to see if the policy‬‭rule should be evaluated.‬
‭●‬ ‭Append‬‭and‬‭Modify‬‭- since these two could alter the‬‭request, making a change could prevent an‬
‭audit or deny effect from being triggered.‬
‭●‬ ‭Deny‬‭- by evaluating this effect before audit, double‬‭logging of an unwanted resource is avoided.‬
‭●‬ ‭Audit‬‭- the last evaluation‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/governance/policy/overview‬

‭https://portal.tutorialsdojo.com/‬ ‭116‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Monitor‬
‭Log Analytics‬

‭‬ A
● ‭ ll log data obtained by Azure Monitor shall be stored in a Log Analytics workspace‬
‭●‬ ‭Query simple to advanced logs.‬
‭●‬ ‭The data is retrieved from a workspace using a log query written using Kusto Query Language‬
‭(KQL).‬
‭●‬ ‭The queries that you can run are:‬
‭a.‬ ‭Table-based queries‬‭– the query organizes log data‬‭into tables.‬
‭b.‬ ‭Search queries‬‭– use this query if you need to find‬‭a specific value in your table.‬
‭c.‬ ‭Sort and top‬‭– to display the results in a particular‬‭order, you must sort the preferred‬
‭column. To get the latest records in the entire table, you can use top.‬
‭d.‬ ‭Where‬‭– this operator allows you to add a filter to‬‭a query. You can use different expressions‬
‭when writing filter conditions.‬
‭e.‬ ‭Time filter in query‬‭– you can define a specific time‬‭range by adding the time filter to the‬
‭query.‬
‭f.‬ ‭Project and Extend‬‭– project allows you to select‬‭specific columns, and extend will add‬
‭additional columns.‬
‭g.‬ ‭Summarize‬‭– you can identify a group of records and‬‭apply aggregations using the‬
‭summarize operator.‬
‭●‬ ‭If the query includes workspaces in 20 or more regions, your query will be blocked from running.‬
‭●‬ ‭Log Analytics results are limited to a maximum of 10,000 records.‬
‭●‬ ‭With a log analytics agent, you can collect logs and performance data from virtual or physical‬
‭devices outside Azure.‬
‭●‬ ‭A log analytics agent cannot send data to Azure Monitor Metrics, Azure Storage, or Azure Event‬
‭Hubs.‬

‭Alert Rules and Action Groups‬

‭ ction rules‬‭help you define or suppress actions at‬‭any Azure Resource Manager scope (Azure‬
A
‭subscription, resource group, or target resource). It has various filters that can help you narrow down the‬
‭specific subset of alert instances that you want to act on.‬

‭ n‬‭action group‬‭is a collection of notification preferences‬‭defined by the owner of an Azure subscription.‬

A
‭Azure Monitor and Service Health alerts use action groups to notify users that an alert has been‬
‭triggered. Various alerts may use the same action group or different action groups depending on the‬
‭user's requirements.‬

‭To understand these concepts better, let’s see the example below:‬

‭https://portal.tutorialsdojo.com/‬ ‭117‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Your company has an Azure subscription that contains the following resources:‬

‭Name‬ ‭Type‬ ‭Location‬

‭tdvm‬ ‭Virtual machine‬ ‭East US‬

‭tdstorage‬ ‭Storage account‬ ‭West US‬

‭tdapp‬ ‭App Service‬ ‭East US‬

‭tdsql‬ ‭SQL server‬ ‭North Central US‬

‭ ou are instructed to monitor the storage account and configure an SMS notification for the following‬
Y
‭signals.‬

‭Signal name‬ ‭Signal type‬ ‭Users that will be‬

‭notified‬

‭Availability‬ ‭Metric‬ ‭ ser 1, User 2, and‬

U
‭User 3‬

‭Transactions‬ ‭Metric‬ ‭User 2 and User 3‬

‭ reate/Update‬
C ‭Activity Log‬ ‭ ser 1, User 2, and‬
U
‭Storage Account‬ ‭User 3‬

‭ egenerate‬
R ‭Activity Log‬ ‭User 3‬
‭Storage Account‬
‭Keys‬

‭How many alert rules and action groups should you create?‬

‭ he requirement in the scenario is to identify how many alert rules and action groups should be created.‬
T
‭Based on the given signal types, you should create four alert rules. Take note that you need to create one‬
‭alert rule per signal type.‬

‭ or the action groups, you only need to create 3 action groups because the users that will be notified for‬
F
‭Availability and Create/Update Storage Account are the same (User 1, User 2, and User 3). Remember‬
‭that action groups are created for each un‬‭ique set‬‭of users that will be notified.‬

‭https://portal.tutorialsdojo.com/‬ ‭118‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/azure-monitor/overview‬

‭https://portal.tutorialsdojo.com/‬ ‭119‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Network Watcher‬

‭Network Connectivity Monitoring‬

‭ he designated tool to monitor the communication between a VM and an endpoint is called‬‭connection‬

T
‭monitor‬‭. An endpoint can be an IPv4 address, uniform‬‭resource identifier (URI), the fully qualified domain‬
‭name (FQDN), or a virtual machine. The minimum, average, and maximum latency detected over time‬
‭are displayed in the connection monitor. After you've determined the latency for a connection, you can‬
‭reduce the latency by relocating Azure resources to different Azure regions.‬

‭Diagnosing Virtual Machine Network Traffic‬

‭ hen you deploy a virtual machine, default security rules are applied to the virtual machine that‬
W
‭allow/deny network traffic. Since Azure applies these rules by default, you might override the default‬
‭rules and may prevent the virtual machine from communicating with other resources. To diagnose‬
‭network traffic problems to or from a virtual machine, you can use‬‭IP flow verify‬‭.‬

‭ his tool will help you specify the source and destination of an IPv4 address, protocol, port and the‬
T
‭traffic direction. After the test is conducted, it informs you if the connection succeeds or fails. If the‬
‭connection fails, IP flow verify will tell you which security rule allowed or denied the communication.‬

‭Verify a TCP connection from a Virtual Machine‬

‭ he tool for diagnosing outbound connections from a virtual machine is called‬‭connection troubleshoot‬‭.‬
T
‭It allows you to test the connection between a virtual machine and IPv4 address, URI, FQDN and another‬
‭virtual machine. The information returned by connection troubleshoot is the connection at a specific‬
‭point in time. If an endpoint becomes unreachable, this tool will inform you of the possible cause.‬

‭The type of issues that connection troubleshoot can detect are:‬

‭●‬ ‭DNS resolution failures‬
‭●‬ ‭High VM CPU and memory utilization‬
‭●‬ ‭NSG and firewall rules that blocks the traffic‬
‭●‬ ‭Misconfigured or missing routes‬

‭Analyze the ingress and egress IP traffic through a Network Security Group‬

‭ o allow/deny an inbound or outbound network traffic to a network interface, you need to create a‬
T
‭network security group (NSG). It is also vital to monitor the traffic flowing through the NSG, and flow logs‬
‭can help you optimize network flows, detect intrusions, monitor throughput, verifying compliance and‬
‭many more.‬

‭https://portal.tutorialsdojo.com/‬ ‭120‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ he NSG flow logs allow you to log the source and destination of an IP address, protocol, port, and‬
T
‭whether traffic was allowed or denied by an NSG. If you need to analyze the logs, you can use tools like‬
‭PowerBI or Traffic Analytics.‬

‭ eference:‬
R
‭https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview‬

‭https://portal.tutorialsdojo.com/‬ ‭121‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭COMPARISON OF AZURE SERVICES‬

‭Azure Virtual Machine vs Web App‬

‭Azure Virtual Machine‬ ‭Azure Web App‬

I‭nfrastructure as a‬
‭ latform as a service, it‬
P
‭service, if you need to‬
‭allows you to integrate the‬
‭Description‬ ‭have full control over‬
‭app without managing the‬
‭your computing‬
‭underlying infrastructure.‬
‭environment.‬
‭Deploy‬ ‭Uses an OS image.‬ ‭Uses a runtime stack.‬

‭ tate‬
S
‭Stateful or stateless‬ ‭Stateless‬
‭Management‬

‭ ou need to use VM‬

Y
‭scale sets to support‬ ‭ utoscaling is a built-in‬
A
‭Autoscaling‬
‭auto scaling in virtual‬ ‭service in App Service.‬
‭machines.‬
‭ 000 nodes per scale‬
1
‭set for platform image‬
‭ 0 instances and 100 with‬
2
‭Scale Limit‬ ‭and 600 nodes per‬
‭App Service Environment‬
‭scale set for custom‬
‭image‬
‭ istribute the incoming‬
D
‭ raffic‬
T ‭ oad balancing is integrated‬
L
‭network traffic using‬
‭Distribution‬ ‭into App Service.‬
‭Azure load balancer.‬
‭ he supported‬
T
‭ he supported architecture‬
T
‭ rchitecture‬
A ‭architecture styles are‬
‭styles are N-Tier and Big‬
‭Styles‬ ‭N-Tier and‬
‭compute (HPC).‬
‭Web-Queue-Worker.‬

‭https://portal.tutorialsdojo.com/‬ ‭122‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Container Instances (ACI) vs Azure Kubernetes Service (AKS)‬

‭ACI‬ ‭AKS‬
‭ rchestrate and manage‬
O
‭ un containers without‬
R
‭Description‬ ‭multiple container images and‬
‭managing servers.‬
‭applications.‬
‭ or event-driven applications,‬
F
‭quickly deploy from your‬
‭ eploymen‬
D ‭ ses clusters and pods to‬
U
‭container development‬
‭t‬ ‭scale and deploy applications.‬
‭pipelines, run data processing,‬
‭and build jobs.‬
‭ eb Apps‬
W
‭(Monolithic‬ ‭Yes‬ ‭Yes‬
‭)‬
‭ -Tier‬
N
‭Apps‬ ‭Yes‬ ‭Yes‬
‭(Services)‬
‭ loud-Nati‬
C
‭ve‬ ‭ es, recommended for Linux‬
Y
‭Yes‬
‭(Microservi‬ ‭containers‬
‭ces)‬
‭ atch/Jobs‬
B
‭(Backgroun‬ ‭Yes‬ ‭Yes‬
‭d tasks)‬
‭‬
● ‭Containers and‬
‭application configuration‬
‭‬
● ‭Dev/Test scenarios‬ ‭portability‬
‭●‬ ‭Task automation‬ ‭●‬ ‭Enables you to select‬
‭●‬ ‭CI/CD agents‬ ‭the number of hosts, size, and‬
‭Use cases‬
‭●‬ ‭Small/scale batch‬ ‭orchestrator tools‬
‭processing‬ ‭●‬ ‭Transfer container‬
‭●‬ ‭Simple web apps‬ ‭workloads to the cloud‬
‭without changing your current‬
‭management practices.‬

‭ ajor‬
M
‭ ou should use AKS if you need full container orchestration, such as‬
Y
‭Difference‬
‭service discovery across multiple containers, automatic scaling, and‬

‭https://portal.tutorialsdojo.com/‬ ‭123‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭coordinated application upgrades.‬

‭https://portal.tutorialsdojo.com/‬ ‭124‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Scale Set vs Availability Set‬

‭Scale Set‬ ‭Availability Set‬

‭ group of identically‬
A
‭ group of discrete virtual‬
A
‭configured virtual machines‬
‭Description‬ ‭machines spread across‬
‭spread across fault‬
‭fault domains.‬
‭domains.‬
‭ se Scale Set for‬
U
‭ se Availability Set for‬
U
‭Workloads‬ ‭unpredictable workloads‬
‭predictable workloads.‬
‭(autoscale).‬
‭ omain‬
D ‭ as 5 fault domains and 5‬
H ‭ as 3 fault domains and 5‬
H
‭default‬ ‭update domains by default‬ ‭update domains by default‬

‭ irtual machines are‬

V ‭ irtual machines are‬
V
‭ onfiguratio‬
C
‭created from the same‬ ‭created from different‬
‭n‬
‭image and configuration.‬ ‭images and configurations.‬

‭ irtual machine scale sets‬

V
‭ irtual machines are‬
V
‭can be distributed within a‬
‭Distribution‬ ‭automatically distributed‬
‭single datacenter or across‬
‭within a data center.‬
‭multiple data centers.‬
‭ cale sets can increase the‬
S ‭ ou can only add a virtual‬
Y
‭ umber of‬
N
‭number of virtual machines‬ ‭machine to the availability‬
‭VMs‬
‭based on demand.‬ ‭set when it is created.‬
‭ cale sets have no‬
S ‭ vailability set has no‬
A
‭additional charge. You only‬ ‭additional charge. You only‬
‭Pricing‬
‭pay for the computing‬ ‭pay for the computing‬
‭resources.‬ ‭resources.‬

‭https://portal.tutorialsdojo.com/‬ ‭125‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Blob vs Disk vs File Storage‬

‭Blob Storage‬ ‭Disk Storage‬ ‭File Storage‬

‭ bject storage to‬
O ‭ ile system‬
F
‭ ype of‬
T ‭ lock storage for‬
B
‭store all types of‬ ‭across multiple‬
‭storage‬ ‭virtual machines.‬
‭data formats.‬ ‭machines.‬
‭ 5,536 GiB for‬
6
‭ ax‬
M ‭ ame as‬
S ‭ultra disk‬
‭ cale up to 100‬
S
‭Storage‬ ‭maximum storage‬ ‭32,767 GiB for‬
‭TiB‬
‭Size‬ ‭account capacity‬ ‭standard and‬
‭premium drives‬
‭ 90.7 TiB for‬
1
‭block blob‬
‭ quivalent to the‬
E
‭ ax File‬
M ‭195 GiB for‬ ‭ TiB for a single‬
4
‭maximum size of‬
‭Size‬ ‭append blob‬ ‭file‬
‭your volumes‬
‭8 TiB for page‬
‭blob‬

‭ ,204 MiB/s for‬

6
‭ erform‬
P ‭ 00 requests per‬
5
‭ p to 2000 MBps‬
U ‭egress‬
‭ance‬ ‭second for a‬
‭per disk.‬ ‭4,136 MiB/s for‬
‭(Throug‬ ‭single blob‬
‭ingress‬
‭hput)‬
‭ hare your files‬
S
‭ ata‬
D ‭ bjects can be‬
O ‭ single virtual‬
A
‭either‬
‭Accessi‬ ‭accessed via‬ ‭machine in a‬
‭on-premises or in‬
‭ng‬ ‭HTTP/HTTPs.‬ ‭single AZ.‬
‭the cloud.‬
‭ ncrypti‬
E ‭ SE by storage‬
S
‭ ncrypt your data‬
E ‭ ncrypt your data‬
E
‭on‬ ‭service and ADE‬
‭using Azure SSE‬ ‭using Azure SSE‬
‭Method‬ ‭for OS and data‬
‭(256-bit AES)‬ ‭(256-bit AES)‬
‭s‬ ‭disks.‬
‭ ou can back up‬
Y
‭ ackup‬
B
‭ ersioning,‬
V ‭your managed‬
‭and‬ ‭ ses file share‬
U
‭snapshots and‬ ‭disks at any point‬
‭Restorat‬ ‭snapshots‬
‭object replication‬ ‭in time using‬
‭ion‬
‭snapshots.‬

‭https://portal.tutorialsdojo.com/‬ ‭126‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ ou are billed‬
Y
‭ ou pay for the‬
Y
‭based on the‬ ‭ ou pay for the‬
Y
‭provisioned GiB‬
‭stored data per‬ ‭disk size,‬
‭per month and the‬
‭Pricing‬ ‭month, operations‬ ‭snapshots, and‬
‭number of servers‬
‭performed, data‬ ‭number of‬
‭connected to the‬
‭transfer, and‬ ‭transactions.‬
‭cloud endpoint.‬
‭redundancy.‬
‭ tatic website,‬
S
‭ entral location of‬
C
‭media and log‬ ‭ oot volumes and‬
B
‭ se‬
U ‭your files,‬
‭files, backups,‬ ‭transaction-intensi‬
‭Cases‬ ‭monitoring logs‬
‭analytics‬ ‭ve workloads‬
‭and applications‬
‭workloads‬

‭https://portal.tutorialsdojo.com/‬ ‭127‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Locally Redundant Storage vs Zone-Redundant Storage vs Geo-Redundant Storage‬

‭Locally-Redundant‬ ‭Zone-Redundant‬ ‭Geo-Redundant‬

‭Storage (LRS)‬
‭ eplicates your‬
R ‭ eplicates your‬
‭data 3 times within‬
‭a single physical‬
‭Replication‬
‭location‬
‭synchronously in‬
‭the primary region.‬
‭Storage (ZRS)‬ ‭Storage (GRS)‬
R
‭data across 3‬ ‭ eplicates your‬
R
‭Azure Availability‬ ‭data in your‬
‭Zones‬ ‭storage account to‬
‭synchronously in‬ ‭a secondary region‬
‭the primary region‬

‭Redundancy‬ ‭Low‬ ‭Moderate‬ ‭High‬

‭ osts more than‬

‭Cost‬
‭ ercent durability‬
P ‭ t least‬
‭of objects over a‬
‭given year‬
‭ vailability SLA for‬
A
‭read requests‬
‭ vailability SLA for‬
A
‭write requests‬
‭ vailable if a node‬
A
‭went down within a‬
‭data center?‬
C
‭ rovides the least‬
P ‭ osts more than‬
C ‭ZRS but provides‬
‭expensive‬ ‭LRS but provides‬ ‭availability in the‬
‭replication option‬ ‭higher availability‬ ‭event of regional‬
‭outages‬
A ‭ t least‬
A ‭ t least‬
a
‭99.999999999%‬ ‭99.9999999999%‬ ‭99.999999999999‬
‭(11 9's)‬ ‭(12 9's)‬ ‭99% (16 9's)‬
‭ t least 99.9%‬
A
‭(99% for cool‬
‭access tier) for‬
‭ t least 99.9%‬
A ‭ t least 99.9%‬
A ‭GRS‬
‭(99% for cool‬ ‭(99% for cool‬
‭access tier)‬ ‭access tier)‬ ‭ t least 99.99%‬
A
‭(99.9% for cool‬
‭access tier) for‬
‭RA-GRS‬
‭ t least 99.9%‬
A ‭ t least 99.9%‬
A ‭ t least 99.9%‬
A
‭(99% for cool‬ ‭(99% for cool‬ ‭(99% for cool‬
‭access tier)‬ ‭access tier)‬ ‭access tier)‬
‭Yes‬ ‭Yes‬ ‭Yes‬

‭https://portal.tutorialsdojo.com/‬ ‭128‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ vailable if the‬
A
‭entire data center‬
‭(zonal or‬ ‭No‬ ‭Yes‬ ‭Yes‬
‭non-zonal) went‬
‭down?‬
‭ vailable on‬
A
‭region-wide outage‬
‭No‬ ‭No‬ ‭Yes‬
‭in the primary‬
‭region?‬
‭ as read access to‬
H
‭the secondary‬
‭region if the‬ ‭No‬ ‭No‬ ‭Yes‬
‭primary region is‬
‭unavailable?‬
‭ eneral-purpose v2‬
G
‭General-purpose v1‬ ‭ eneral-purpose v2‬
G ‭ eneral-purpose v2‬
G
‭ upported storage‬
S
‭Block blob storage‬ ‭Block blob storage‬ ‭General-purpose v1‬
‭account types‬
‭Blob storage‬ ‭File storage‬ ‭Blob storage‬
‭File storage‬

‭https://portal.tutorialsdojo.com/‬ ‭129‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Load Balancer vs App Gateway vs Traffic Manager vs Front Door‬

‭ oad‬
L ‭Application‬ ‭ raffic‬
T ‭Front Door‬
‭ alancer‬
B ‭Gateway‬ ‭Manager‬

‭Service‬ ‭ etwork load‬

N ‭ eb traffic‬
W ‭ NS-based‬
D ‭ lobal‬
G
‭balancer.‬ ‭load balancer.‬ ‭traffic load‬ ‭application‬
‭balancer.‬ ‭delivery‬

‭ etwork‬
N ‭ ayer 4 (TCP‬
L ‭ ayer 7‬
L ‭Layer 7 (DNS)‬ ‭ ayer 7‬
L
‭Protocols‬ ‭or UDP)‬ ‭(HTTP/HTTPS‬ ‭(HTTP/HTTPS‬
‭)‬ ‭)‬

‭Type‬ I‭nternal and‬ ‭ tandard and‬

S ‭–‬ ‭ tandard and‬
S
‭Public‬ ‭WAF‬ ‭Premium‬

‭Routing‬ ‭ ash-based,‬
H ‭Path-based‬ ‭ erformance,‬
P ‭ atency,‬
L
‭Source IP‬ ‭Weighted,‬ ‭Priority,‬
‭affinity‬ ‭Priority,‬ ‭Weighted,‬
‭Geographic,‬ ‭Session‬
‭MultiValue,‬ ‭Affinity‬
‭Subnet‬

‭ lobal/R‬
G ‭Global‬ ‭Regional‬ ‭Global‬ ‭Global‬
‭egional‬
‭Service‬

‭ ecomm‬
R ‭Non-HTTP(S)‬ ‭HTTP(S)‬ ‭Non-HTTP(S)‬ ‭HTTP(S)‬
‭ended‬
‭Traffic‬

‭ ndpoint‬
E ‭ IC‬
N I‭P‬ ‭ loud service,‬
C ‭ pp service,‬
A
‭s‬ ‭(VM/VMSS),‬ ‭address/FQD‬ ‭App‬ ‭Cloud service,‬
‭IP address‬ ‭N, Virtual‬ ‭service/slot,‬ ‭Storage,‬
‭machine/VMS‬ ‭Public IP‬ ‭Application‬
‭S, App‬ ‭address‬ ‭Gateway, API‬
‭services‬ ‭Management,‬
‭Public IP‬
‭address,‬
‭Traffic‬
‭Manager,‬

‭https://portal.tutorialsdojo.com/‬ ‭130‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Custom Host‬

‭ ndpoint‬
E ‭Health probes‬ ‭Health probes‬ ‭ TTP/HTTPS‬
H ‭Health probes‬
‭Monitorin‬ ‭GET requests‬
‭g‬

‭ edunda‬
R ‭ one‬
Z ‭ one‬
Z ‭ esilient to‬
R ‭ esilient to‬
R
‭ncy‬ ‭redundant‬ ‭redundant‬ ‭regional‬ ‭regional‬
‭and Zonal‬ ‭failures‬ ‭failures‬

‭ SL/TLS‬
S ‭–‬ ‭Supported‬ ‭–‬ ‭Supported‬
‭Terminati‬
‭on‬

‭ eb‬
W ‭–‬ ‭Supported‬ ‭–‬ ‭Supported‬
‭Applicati‬
‭on‬
‭Firewall‬

‭ ticky‬
S ‭Supported‬ ‭Supported‬ ‭–‬ ‭Supported‬
‭Sessions‬

‭ Net‬
V ‭Supported‬ ‭Supported‬ ‭–‬ ‭–‬
‭Peering‬

‭SKU‬ ‭ asic and‬

B ‭ tandard and‬
S ‭–‬ ‭ tandard and‬
S
‭Standard‬ ‭WAF (v1 & v2)‬ ‭Premium‬

‭Pricing‬ ‭ tandard‬
S ‭ harged‬
C ‭ harged per‬
C ‭ harged‬
C
‭Load Balancer‬ ‭based on‬ ‭DNS queries,‬ ‭based on‬
‭– charged‬ ‭Application‬ ‭health checks,‬ ‭outbound/inb‬
‭based on the‬ ‭Gateway type,‬ ‭measurement‬ ‭ound data‬
‭number of‬ ‭processed‬ ‭s, and‬ ‭transfers, and‬
‭rules and‬ ‭data,‬ ‭processed‬ ‭incoming‬
‭processed‬ ‭outbound‬ ‭data points.‬ ‭requests from‬
‭data.‬ ‭data transfers,‬ ‭client to Front‬
‭and SKU.‬ ‭Door POPs.‬

‭https://portal.tutorialsdojo.com/‬ ‭131‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Network Security Group (NSG) vs Application Security Group (ASG)‬

‭Network Security Group‬ ‭Application Security Group‬

‭ network security group is‬
A ‭ n application security group is‬
A
‭ escri‬
D
‭used to enforce and control‬ ‭an object reference within an‬
‭ption‬
‭network traffic.‬ ‭NSG.‬
‭ ontrols the inbound and‬
C ‭ ontrols the inbound and‬
C
‭ eatur‬
F
‭outbound traffic at the subnet‬ ‭outbound traffic at the network‬
‭es‬
‭level.‬ ‭interface level.‬
‭ ules are applied to all‬
R
‭ ules are applied to all ASGs in‬
R
‭Rules‬ ‭resources in the associated‬
‭the same virtual network.‬
‭subnet.‬

‭ irecti‬
D ‭ as separate rules for inbound‬
H ‭ as separate rules for inbound‬
H
‭on‬ ‭and outbound traffic.‬ ‭and outbound traffic.‬

‭ SGs that can be specified‬

A
‭Limits‬ ‭NSG has a limit of 1000 rules.‬ ‭within all security rules of an‬
‭NSG have a limit of 100 rules.‬

‭ upports ALLOW and DENY‬

S ‭ upports ALLOW and DENY‬
S
‭Action‬
‭rules.‬ ‭rules.‬

‭ ou are not allowed to specify‬

Y
‭multiple IP addresses and IP‬ ‭ ou are not allowed to specify‬
Y
‭ onstr‬
C
‭address ranges in the NSG‬ ‭multiple ASGs in the source or‬
‭aints‬
‭created by the classic‬ ‭destination.‬
‭deployment model.‬

‭https://portal.tutorialsdojo.com/‬ ‭132‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Azure Policy vs Azure Role-Based Access Control (RBAC)‬

‭Role-based Access Control‬

‭Azure Policy‬ ‭(RBAC)‬
‭ escriptio‬
D ‭ nsure resources are‬
E ‭ uthorization system to provide‬
A
‭n‬ ‭compliant with a set of rules.‬ ‭fine-grained access controls.‬
‭ olicy is focused on the‬
P ‭ BAC focuses on what‬
R
‭Focus‬
‭properties of resources.‬ ‭resources the users can access.‬
‭ ou specify a set of rules to‬
Y
I‭ mplemen‬ ‭ ou grant permission on what‬
Y
‭prevent over-provisioning of‬
‭tation‬ ‭users can create.‬
‭resources.‬

‭ efault‬
D ‭ y default, rules are set to‬
B
‭By default, all access is denied.‬
‭access‬ ‭ALLOW.‬

‭ olicy within the resource‬

P ‭ rant access to users or groups‬
G
‭Scope‬
‭group or subscription.‬ ‭within a subscription.‬

I‭ ntegratio‬ ‭ oth services work hand-in-hand to provide governance around your‬

B
‭n‬ ‭environment.‬

‭https://portal.tutorialsdojo.com/‬ ‭133‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭Microsoft Entra ID vs Azure Role-Based Access Control (RBAC)‬

‭Microsoft Entra ID‬ ‭Azure RBAC‬

‭ escri‬
D ‭ n identity and access‬
A ‭ n authorization system that‬
A
‭ption‬ ‭management service that helps‬ ‭manages users’ access to Azure‬
‭you access internal and external‬ ‭resources, including what they can‬
‭resources.‬ ‭do with those resources and what‬
‭areas they can access.‬

‭Focus‬ ‭ rants permissions to manage‬

G ‭ rants permissions to manage‬
G
‭access to Microsoft Entra ID‬ ‭access to Azure resources.‬
‭resources.‬

‭Scope‬ ‭Tenant level‬ ‭ pecify at multiple levels‬

S
‭(management group, subscription,‬
‭resource group, and resource)‬

‭Roles‬ I‭mportant Entra ID built-in roles:‬ ‭ undamental Azure RBAC built-in‬

‭1.‬ ‭Global Administrator –‬ ‭roles:‬
‭manage access to all the‬
‭administrative features in‬
‭Microsoft Entra.‬
‭2.‬ ‭User Administrator –‬
‭create and manage different‬
‭types of users and groups in‬
‭Azure.‬
‭3.‬ ‭Billing Administrator – it‬
‭can manage subscriptions,‬
‭support tickets, make purchases,‬
‭and monitor service health.‬
‭Supports custom roles.‬
‭You can assign multiple roles to‬
‭a user.‬
F
‭1.‬ ‭Owner – full access to all‬
‭Azure resources.‬
‭2.‬ ‭Contributor – create and‬
‭manage all types of resources in‬
‭Azure.‬
‭3.‬ ‭Reader – a user with this role‬
‭can only view Azure resources‬
‭4.‬ ‭User Access Administrator –‬
‭it has permissions to manage user‬
‭access to all types of resources.‬
‭Supports custom roles in P1 and P2‬
‭licenses.‬
‭You can assign multiple roles on a‬
‭user.‬

‭ ole‬
R ‭ ou can access the role‬
Y ‭ ou can access the role information‬
Y
‭inform‬ ‭information in the Azure Portal,‬ ‭in the Azure Portal, CLI, PowerShell,‬
‭ation‬ ‭Microsoft 365 admin center,‬ ‭Resource Manager templates, and‬
‭Microsoft Graph, and Azure AD‬ ‭REST API.‬
‭PowerShell.‬

‭https://portal.tutorialsdojo.com/‬ ‭134‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ ricin‬
P ‭ icrosoft Entra ID has three‬
M ‭ zure RBAC is free and included in‬
A
‭g‬ ‭editions: Free, P1, and P2. For the‬ ‭your Azure subscription.‬
‭P1 and P2 licenses, you are‬
‭charged on a monthly basis.‬

‭https://portal.tutorialsdojo.com/‬ ‭135‬
 ‭Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator‬
‭by Jon Bonso and Gerome Pagatpatan‬

‭ABOUT THE AUTHORS‬

‭Jon Bonso‬
‭ orn‬ ‭and‬ ‭raised‬ ‭in‬ ‭the‬ ‭Philippines,‬ ‭Jon‬ ‭is‬ ‭the‬ ‭Co-Founder‬ ‭of‬
B
‭Tutorials‬‭Dojo‬‭.‬‭Now‬‭based‬‭in‬‭Sydney,‬‭Australia,‬‭he‬‭has‬‭over‬‭a‬
‭decade‬ ‭of‬ ‭diversified‬ ‭experience‬ ‭in‬ ‭Banking,‬ ‭Financial‬
‭Services,‬ ‭and‬ ‭Telecommunications.‬ ‭He's‬ ‭10x‬ ‭AWS‬ ‭Certified‬
‭and‬ ‭has‬ ‭worked‬ ‭with‬ ‭various‬ ‭cloud‬ ‭services‬ ‭such‬ ‭as‬ ‭Google‬
‭Cloud,‬ ‭and‬‭Microsoft‬‭Azure.‬‭Jon‬‭is‬‭passionate‬‭about‬‭what‬‭he‬
‭does‬‭and‬‭dedicates‬‭a‬‭lot‬‭of‬‭time‬‭creating‬‭educational‬‭courses.‬
‭He‬ ‭has‬ ‭given‬ ‭IT‬ ‭seminars‬ ‭to‬ ‭different‬ ‭universities‬ ‭in‬ ‭the‬
‭Philippines‬ ‭for‬ ‭free‬ ‭and‬ ‭has‬ ‭launched‬ ‭educational‬ ‭websites‬
‭using his own money and without any external funding.‬

‭Gerome Pagatpatan‬
‭ erome‬ ‭Gerome‬ ‭currently‬ ‭works‬ ‭as‬ ‭a‬ ‭software‬ ‭engineer‬‭and‬
G
‭holds‬ ‭5‬ ‭cloud‬ ‭certifications‬ ‭from‬ ‭Amazon‬ ‭Web‬ ‭Services,‬
‭Microsoft‬‭Azure,‬‭and‬‭Oracle.‬‭He‬‭also‬‭co-authored‬‭high-quality‬
‭educational‬ ‭materials‬ ‭in‬ ‭the‬ ‭cloud‬ ‭computing‬ ‭space,‬ ‭which‬
‭have‬ ‭been‬ ‭used‬ ‭by‬ ‭over‬ ‭a‬ ‭quarter-million‬ ‭people‬ ‭worldwide.‬
‭He‬ ‭is‬ ‭passionate‬ ‭about‬ ‭education,‬ ‭and‬ ‭now‬ ‭it's‬ ‭his‬ ‭turn‬ ‭to‬
‭share‬ ‭his‬ ‭knowledge,‬ ‭experiences,‬ ‭and‬ ‭passion‬ ‭for‬ ‭cloud‬
‭computing.‬

‭https://portal.tutorialsdojo.com/‬ ‭136‬