Tutorials Dojo Study Guide AZ 104
Microsoft Certified: AZ-104 Microsoft Azure Administrator
TABLE OF CONTENTS
INTRODUCTION 5
AZ-104 MICROSOFT AZURE ADMINISTRATOR EXAM OVERVIEW 6
Exam Details 6
Exam Domains 8
Exam Scoring System 9
Exam Benefit 10
AZ-104 MICROSOFT AZURE ADMINISTRATOR EXAM - STUDY GUIDE AND TIPS 11
Study Materials 11
Azure Services to Focus On 12
Validate Your Knowledge 13
Final Remarks 18
CLOUD COMPUTING CONCEPTS 19
Cloud Service Models 19
Platform as a service (PaaS) 20
Software as a service (SaaS) 20
Serverless Computing 20
Cloud Architecture Models 22
Public Cloud 22
Private Cloud 22
Hybrid Cloud 23
AZURE BASICS 24
Azure Overview 24
Advantages of Azure Cloud Computing 24
Azure Global Infrastructure 25
Azure Security and Compliance 26
Azure Pricing 26
Azure Well-Architected Framework - Five Pillars 28
Best Practices when Architecting in the Cloud 28
THE DIFFERENT AZURE SERVICES 29
DEEP DIVE 30
Azure Virtual Machines 30
Components of a Virtual Machine 30
Types of Virtual Machines 31
Virtual Machine Disks 32
Payment options for Virtual Machines 35
Availability Options for Virtual Machines 36
https://portal.tutorialsdojo.com/ 1
Tutorials Dojo Study Guide - AZ-104 Microsoft Azure Administrator
by Jon Bonso and Gerome Pagatpatan
INTRODUCTION
With the rapid advancement of technology, enterprises are adopting newer technologies that help their
businesses transform and grow. Microsoft Azure is one of the technologies you can leverage in this age,
since many companies are shifting their existing infrastructure to the cloud. Unlike the traditional setup,
cloud computing lets you obtain resources on demand with a few clicks, including servers, storage,
databases, networking, analytics, artificial intelligence, and a lot more.
Microsoft Azure offers a range of cloud services, depending on your business needs. These services are
continuously upgraded, and new features are added every year. Since Azure's resources and services are
so vast, the Microsoft Azure Certification program offers different certification paths that help aspiring
candidates and IT professionals validate their skills and knowledge and make the most of the solutions
they build in the cloud.
Microsoft Azure is the second biggest cloud service provider in the market next to AWS, and a lot of
companies are now adopting a multicloud strategy, which makes it all the more beneficial for IT
professionals like you to expand your skill set and learn multiple cloud technologies. Learning is a lot
more fun if you combine it with various cloud services. It will be an exciting and enjoyable journey for you,
and the first step is to become AZ-104 Microsoft Azure Administrator certified. This eBook will help
familiarize you with the basic cloud concepts as well as the core services of Microsoft Azure, which
are the building blocks that will help you pass the exam and make a successful career shift to cloud
computing.
Note: We took extra care to come up with these study guides and cheat sheets; however, this is meant to
be just a supplementary resource when preparing for the exam. We highly recommend working on
hands-on sessions and practice exams to further expand your knowledge and improve your test-taking
skills.
Exam Details
The AZ-104 Microsoft Azure Administrator examination is intended for IT professionals who implement,
manage, and monitor an organization’s cloud infrastructure. You can take this exam from a local testing
center or online from the comfort of your home. The exam is composed of different types of questions.
For multiple-choice questions, you have to choose one correct response out of four options.
For drag-and-drop questions, match the items by dragging them to their correct descriptions.
For Dropdown types of questions, select the correct answer from the drop-down list of options.
For hotspot questions, such as multiple Yes/No items, evaluate whether the presented statements
relating to a certain topic are correct or incorrect.
You can take the exam via online proctoring or from a testing center close to you.
Exam Code: AZ-104
Prerequisites: None
No. of Questions: 50-60
Score Range: 100-1000
Passing Score: 700
Cost: 165 USD
Time Limit: 180 minutes
Exam Domains
The AZ-104 Microsoft Azure Administrator exam has five areas to assess your skills, each with a
corresponding weight and topic coverage. The skills measured are: Manage Azure identities and
governance (15–20%), Implement and manage storage (15–20%), Deploy and manage Azure compute
resources (20–25%), Configure and manage virtual networking (20–25%), and Monitor and back up
Azure resources (10–15%).
Exam Scoring System
You can get a score from 100 to 1,000 with a minimum passing score of 700 when you take the AZ-104
Microsoft Azure Administrator exam. Microsoft uses a scaled scoring model to associate scores across
multiple exam types that may have different levels of difficulty. Your complete score report will be sent
to you by email 1 - 5 business days after your exam. However, as soon as you finish your exam, you’ll
immediately see a pass or fail notification on the testing screen.
If you unfortunately do not pass the exam, you must wait 24 hours before you are allowed to retake it.
Microsoft also limits the number of attempts on the same exam within a 12-month period; check the
current retake policy on the certification exam policies page linked below.
Once you receive your score report via email, the result should also be saved in your Microsoft
Certification account. The score report contains a table of your performance in each domain and it will
indicate whether you have met the level of competency required for these. Take note that you do not
need to achieve competency in all areas for you to pass the exam. In the first part of the report, there will
be a performance summary by exam section that highlights your strengths and weaknesses, which can
help you determine the areas you need to improve on.
Exam Benefit
If you successfully pass any Microsoft Certification exam, you will receive a Certified Digital Badge. You
can showcase your achievement to your colleagues and employers by adding these digital badges to
your email signature, LinkedIn profile, or social media accounts. To view your badges, simply go
to the “Dashboard” section of your Acclaim account.
You can visit the official Microsoft Certification FAQ page to view the frequently asked questions about
getting certified and other information about Microsoft Certification:
https://docs.microsoft.com/en-us/learn/certifications/certification-exam-policies.
AZ-104 MICROSOFT AZURE ADMINISTRATOR EXAM - STUDY GUIDE AND TIPS
The content of the exam will test your ability to perform the following:
● Manage Azure identities and governance
● Implement and manage storage
● Deploy and manage Azure compute resources
● Configure and manage virtual networking
● Monitor and back up Azure resources
For more information about the AZ-104 exam, you can check out this exam skills outline. This study
guide will provide you with comprehensive review materials to help you pass the exam with flying colors.
Study Materials
For the Microsoft Azure Administrator exam, we recommend that you check out these study materials
first before you take the actual exam. These resources will help you understand complex concepts and
services that will be useful on your exam day.
1. Microsoft Learn – this website provides different learning paths for various Microsoft certifications.
For the AZ-104 certification exam, you can focus on the following modules:
● Prerequisites for Azure administrators
● Manage identities and governance in Azure
● Implement and manage storage in Azure
● Deploy and manage Azure compute resources
● Configure and manage virtual networks for Azure administrators
2. Azure Documentation – the documentation contains overviews, tutorials, examples, and how-to
guides that will help broaden your knowledge of different Azure services.
3. Azure Blog – to get updated on new technologies and offerings of Microsoft Azure, you can
subscribe to their newsletter.
4. Azure FAQs – you can find the FAQs section in the Azure documentation. It is a compiled list of
commonly asked questions, use cases, and comparisons of several Azure services.
5. Azure free account – gives you hands-on experience in the Azure portal: selected services are free
for 12 months, and you also get free credit that you can spend during the first 30 days.
6. Tutorials Dojo’s Azure Cheat Sheets – with the help of our cheat sheets, you can easily understand
the information found in the Azure documentation. These are presented in bullet-point format to
highlight the important concepts.
7. Tutorials Dojo’s AZ-104 Microsoft Azure Administrator Practice Exams – our practice exams have
always been regarded as the best in the market. Each question in our practice tests contains a
detailed explanation at the end of each set to help you digest important concepts that will help you
pass your Microsoft Azure certification exam on your first try.
Azure Services to Focus On
Your primary source of information when studying for the AZ-104 certification exam is the Azure
documentation. To comprehend the different scenarios in the exam, you should have a thorough
understanding of the following services:
1. Azure Virtual Network – you should know how to create a VNet peering, security rules, the
configuration of private/public IP addresses, network interfaces, subnets, and virtual networks.
2. Azure DNS – the configuration of custom DNS, and private and public DNS zones.
3. Azure Application Gateway – you should know when to use a load balancer versus a web traffic load
balancer, and how to create a web application firewall.
4. Azure Load Balancer – the types of load balancing rules, and the difference between a public load
balancer and an internal load balancer.
5. Azure VPN Gateway – know how to configure a VPN and a VPN gateway.
6. Azure ExpressRoute – understand the concepts of ExpressRoute and how you would implement it
in your environment.
7. Azure Virtual Machines – learn how to deploy and configure a VM, scale sets, highly available
solutions, moving and redeploying a VM, creating a backup, backup policies, and Recovery Services
vaults.
8. Azure App Service – learn how to create an App Service plan and which runtimes can be put in the
same App Service plan.
9. Azure Container Instances – understand the concepts of containers and how to use ACI.
10. Azure Kubernetes Service – the difference between ACI and AKS, and the configuration of AKS.
11. Azure Blob – you need to learn how to configure storage accounts, import/export of data, storage
tiers, replication, and authentication.
12. Azure Files – learn how to create a file share, file sync, and copy data using AzCopy.
13. Microsoft Entra ID – you should know how to manage users, groups, guest accounts, joined devices,
device settings, and best practices.
14. Azure RBAC – learn how to create and assign a role and the types of built-in roles.
15. Azure Policy – you need to learn how to read and create a policy.
16. Azure Monitor – you should know how to interpret metrics, the configuration of Log Analytics, how to
query and analyze logs, set up alerts and actions, and other service features.
We suggest that you check out Tutorials Dojo’s Azure Cheat Sheets, which provide bullet-point
summaries of the most important concepts on different Azure services.
Validate Your Knowledge
If you’re feeling confident because you’ve followed the recommended materials above, it’s time to test
your knowledge of various Azure concepts and services. For high-quality practice exams, you can use
the Tutorials Dojo AZ-104 Microsoft Azure Administrator Associate practice exams.
These practice tests cover the relevant topics that you can expect from the real exam. They also contain
different types of questions such as single choice, multiple response, hotspot, yes/no, drag and drop,
and case studies. Every question on these practice exams has a detailed explanation and adequate
reference links that help you understand why the correct answer is the most suitable solution. After
you’ve taken the exams, they will highlight the areas that you need to improve on. Together with our cheat
sheets, we’re confident that you’ll be able to pass the exam and have a deeper understanding of how
Azure works.
Question 1
You added the custom domain name tutorialsdojo.com to Microsoft Entra ID. You need to create a DNS
record so that Microsoft Entra ID can verify the domain name. Which of the following record types can
you use?
1. SRV
2. NSEC
3. NSEC3
4. MX
Correct Answer: 4
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps
your employees sign in and access resources in:
– External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS
applications.
– Internal resources, such as apps on your corporate network and intranet, along with any cloud apps
developed by your own organization.
Microsoft Online business services, such as Office 365 or Microsoft Azure, require Microsoft Entra ID for
sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service,
you automatically get Microsoft Entra ID with access to all the free features.
Every new Microsoft Entra ID tenant comes with an initial domain name,
<domainname>.onmicrosoft.com. You can’t change or delete the initial domain name, but you can add
your organization’s names. Adding custom domain names helps you to create user names that are
familiar to your users, such as an address under tutorialsdojo.com instead of tutorialsdojo.onmicrosoft.com.
You can verify your custom domain name by using TXT or MX record types. Entra ID generates the record
value for you, and the domain is marked as verified once that record is found in the domain's public DNS
zone, which proves that you control the domain.
SRV, NSEC, and NSEC3 are incorrect because these record types are not supported by Microsoft Entra
ID for verifying your custom domain. Only TXT and MX record types are supported.
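Before you click Verify, it is worth confirming from your own workstation that the record has actually reached the domain's authoritative name servers, since a resolver cache or partial propagation is the usual reason a first verification attempt fails. The PowerShell function below is an added example and is not part of the study guide or of any Microsoft tooling. It assumes the record values follow the shapes the Entra admin center displays when you add a domain (a TXT value such as MS=ms12345678, or an MX record pointing at ms12345678.msv1.invalid); the token shown here is a placeholder, so copy the exact values from your own tenant.

```powershell
# Added example (not from the study guide). Checks that the Entra ID domain-verification
# record is visible on every authoritative name server for the zone, so that a stale
# resolver cache or incomplete propagation cannot fool you into clicking Verify too early.
# Assumed record shapes (copy the real values from the Entra admin center):
#   TXT  "MS=ms12345678"
#   MX   ms12345678.msv1.invalid
function Test-EntraDomainVerification {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainName,  # e.g. tutorialsdojo.com
        [Parameter(Mandatory)] [string] $TxtValue,    # e.g. MS=ms12345678
        [string] $MxValue                             # e.g. ms12345678.msv1.invalid (optional)
    )

    # Find the zone's authoritative servers and query each one directly (-DnsOnly skips
    # the local hosts file and NetBIOS/LLMNR so only real DNS answers count).
    $nameServers = Resolve-DnsName -Name $DomainName -Type NS -DnsOnly -ErrorAction Stop |
        Where-Object QueryType -eq 'NS' |
        Select-Object -ExpandProperty NameHost

    $results = foreach ($ns in $nameServers) {
        $txt = Resolve-DnsName -Name $DomainName -Type TXT -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object QueryType -eq 'TXT'
        # Resolve-DnsName exposes TXT data as the Strings array of each record.
        $txtFound = [bool]($txt | Where-Object { $_.Strings -contains $TxtValue })

        $mxFound = $false
        if ($MxValue) {
            $mx = Resolve-DnsName -Name $DomainName -Type MX -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object QueryType -eq 'MX'
            $mxFound = [bool]($mx | Where-Object { $_.NameExchange -eq $MxValue })
        }

        [pscustomobject]@{ NameServer = $ns; TxtFound = $txtFound; MxFound = $mxFound }
    }

    $results | Format-Table -AutoSize | Out-Host

    # Either record type satisfies Entra ID, but wait until every authoritative server serves it.
    $missing = @($results | Where-Object { -not ($_.TxtFound -or $_.MxFound) })
    return ($missing.Count -eq 0)
}

# Usage (placeholder token; use the one generated for your tenant):
# Test-EntraDomainVerification -DomainName 'tutorialsdojo.com' -TxtValue 'MS=ms12345678'
```

Once the function returns True, complete the verification in the Entra admin center (or with the Microsoft Graph PowerShell SDK's Confirm-MgDomain cmdlet). Keep in mind what the check proves: whoever controls the domain's public DNS at that moment can bind the domain to a tenant, so treat your registrar and DNS-hosting accounts as identity infrastructure (MFA, restricted access, change alerts), and remove a custom domain from the tenant before you let its registration lapse.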
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
https://tutorialsdojo.com/microsoft-entra-id/
Question 2
You plan to automate the deployment of Windows Servers using a virtual machine scale set.
You need to make sure that the web components are installed in the virtual machines. Which two
actions should you perform?
1. Create a configuration script.
2. Create an automation account.
3. Create a policy.
4. Configure the extensionProfile section of the ARM template.
5. Create a new scale set.
Correct Answer: 1, 4
Azure virtual machine scale sets let you create and manage a group of load-balanced VMs. The number
of VM instances can automatically increase or decrease in response to demand or a defined schedule.
Scale sets provide high availability to your applications and allow you to centrally manage, configure, and
update a large number of VMs.
The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension
is useful for post-deployment configuration, software installation, or any other configuration or
management task. In a scale set, the extension is declared in the extensionProfile section of the scale
set model (the ARM template), so every instance runs the configuration script when it is provisioned.
The option that says: Create a policy is incorrect because Azure Policy is used to audit and enforce the
compliance of Azure resources; it is not the mechanism for installing software inside the VM instances.
Take note that you don’t need to create a policy to install web components.
The option that says: Create a new scale set is incorrect because this wouldn’t install the required web
components. Instead of creating a new scale set, you should use the Custom Script Extension to install
the web components in the VMs.
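In practice an administrator adds the extension with Azure PowerShell rather than hand-editing the template; the scale set model that results is the same extensionProfile the question refers to. The block below is an added example and is not taken from the study guide or from Microsoft's documentation. It assumes hypothetical names: resource group rg-web, scale set vmss-web, a private storage account stwebscripts with a container scripts, and a script install-web.ps1 in that container which runs Install-WindowsFeature Web-Server; you must already be signed in with Connect-AzAccount.

```powershell
# Added example (not from the study guide). Attaches the Windows Custom Script Extension to an
# existing scale set so that every instance installs the web components on first boot.
# Hypothetical names: rg-web, vmss-web, stwebscripts, scripts/install-web.ps1.
$rg        = 'rg-web'
$vmssName  = 'vmss-web'
$storage   = 'stwebscripts'
$scriptUri = "https://$storage.blob.core.windows.net/scripts/install-web.ps1"

# The blob container is private, so the extension needs a credential to download the script.
# Read it from the storage account at deploy time instead of pasting it into the template.
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $storage)[0].Value

$vmss = Get-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName

# Anything in "settings" is readable by everyone with read access to the scale set model.
# Keep the storage key and the command line in "protectedSettings", which are encrypted
# and only decrypted inside the VM by the extension.
$settings = @{
    fileUris = @($scriptUri)
}
$protectedSettings = @{
    commandToExecute   = 'powershell -ExecutionPolicy Bypass -NonInteractive -File install-web.ps1'
    storageAccountName = $storage
    storageAccountKey  = $storageKey
}

$vmss = Add-AzVmssExtension -VirtualMachineScaleSet $vmss `
    -Name 'InstallWebComponents' `
    -Publisher 'Microsoft.Compute' `
    -Type 'CustomScriptExtension' `
    -TypeHandlerVersion '1.10' `
    -AutoUpgradeMinorVersion $true `
    -Setting $settings `
    -ProtectedSetting $protectedSettings

# Push the updated model. New instances get the extension immediately; existing instances
# apply it when they are upgraded to the latest model (automatic upgrade policy or
# Update-AzVmssInstance).
Update-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName -VirtualMachineScaleSet $vmss
```

In an ARM template the same extension lives under virtualMachineProfile.extensionProfile.extensions with the same publisher, type, settings, and protectedSettings properties. Two caveats a practitioner should keep in mind: the extension runs the script as Local System on every instance, so only reference a blob you control (not a public URL that someone else can change), and never put keys, SAS tokens, or credentials in the public settings of the template, where they end up in the deployment history and the scale set model.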
References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-app
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template#what-is-the-azure-custom-script-extension
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-app#already-provisioned
https://tutorialsdojo.com/azure-virtual-machines/
Final Remarks
It is not enough to understand the concepts at a high level. You also need to get hands-on experience by
using the Microsoft Azure Portal. Simulate different scenarios that will help you deepen your
understanding of various services. The combination of practical and theoretical knowledge will help you
analyze difficult questions in the exam.
A few reminders: always check the time, and review your answers before
proceeding to the next question (especially in the case study and yes/no questions). Before your
scheduled exam day, don’t forget to take a good rest. If you’re not feeling confident yet, there’s always an
option to reschedule your exam. Good luck, and we wish you all the best.
CLOUD COMPUTING CONCEPTS
Cloud Service Models
● The three cloud computing service models are IaaS, PaaS, and SaaS.
● You can also use serverless computing to eliminate the need to manage infrastructure.
● The shared responsibility model determines the security tasks that are handled by the cloud
provider and handled by the customer.
○ Azure is responsible for protecting the infrastructure such as hosts, network, and
data center.
○ The customer is responsible for protecting their data, endpoints, account, and
access management.
● IaaS, PaaS, and SaaS have different levels of managed services:
Infrastructure as a service (IaaS)
● Most user management
● You are responsible for managing the operating systems, data, and applications.
● IaaS helps you to extend resources rapidly to meet the spikes required for your application.
● Used in the following scenarios:
○ Migrating workloads – move existing applications to the cloud.
○ Test and development – quickly set up and dismantle test and development environments.
IaaS makes scaling development and testing environments fast and economical.
○ Storage, backup, and recovery – simplify the planning and management of backup and
recovery systems.
○ Website hosting – less expensive than traditional web hosting.
○ High-performance computing (HPC) – clusters of computers that help solve complex
problems involving millions of variables or calculations.
○ Big data analysis – for massive data sets that require a huge amount of processing power.
Platform as a service (PaaS)
● Less user management
● The operating systems are managed by the cloud provider, while the user is responsible for the
applications and data they run and store.
● PaaS offers all the functionality you need to support the entire lifecycle of web applications:
building, testing the application, deploying the source code, managing, and updating within the
same integrated environment.
● Used in the following scenarios:
○ Development framework – a framework for creating or customizing cloud-based
applications.
○ Analytics or business intelligence – find insights and patterns, and predict outcomes to
improve business decisions.
Software as a service (SaaS)
● Least amount of management
● The cloud provider is responsible for managing everything, and the end user just uses the software.
Serverless Computing
● Function as a Service (FaaS)
● You simply deploy the code with a serverless platform, and it runs at high availability.
● Dynamically scales up and down to meet the demands of each workload within seconds.
● A pay-per-execution model that charges sub-second billing only for the time and resources required
to execute the code.
Cloud Architecture Models
● Three deployment methods of cloud computing: Public vs Private vs Hybrid.
● The model you choose for cloud deployment depends on your budget, security, scalability, and
maintenance needs.
Public Cloud
● Focus on maintaining your applications without having to worry about purchasing, managing, or
maintaining the hardware on which they run.
● You can use multiple public cloud providers of varying scale.
(Table of advantages and disadvantages not reproduced.)
Private Cloud
● A dedicated on-premises datacenter configured to be a cloud environment that provides users in
your organization with self-service access to compute resources.
● You are responsible for the purchase and maintenance of the hardware and software services.
● You can use a private cloud when an organization has data that cannot be put in the public cloud,
perhaps for legal reasons.
(Table of advantages and disadvantages not reproduced.)
Hybrid Cloud
● Data and applications can move between private and public clouds.
● When there is a spike in demand in your private cloud, you can “burst through” to the public cloud
for additional computing resources.
(Table of advantages and disadvantages not reproduced.)
AZURE BASICS
Azure Overview
Azure is a cloud computing platform that was introduced by Microsoft in 2010. It enables you to create,
manage, and deploy applications across a large global network. Microsoft Azure also provides a variety
of services to assist your business in addressing current and potential business challenges in your
infrastructure and applications.
Today, Microsoft Azure has the second-largest share in the cloud industry. It also has specialized
regions for compliance or legal purposes.
Advantages of Azure Cloud Computing
● Cost – Eliminate the capital expense of buying hardware, software, and setting up data centers.
The principle of the cloud is that you only pay for the computing resources you have consumed.
● Global scale – One of the benefits of cloud computing is the ability to scale elastically. This means
that you can easily add resources such as compute and storage capacity in different regions with
just a few clicks.
● Performance – Cloud computing services are hosted on a global network of secure data centers
that are upgraded with the latest generation of computing hardware on a regular basis. Compared
to a single corporate datacenter, this has several advantages, including lower application network
latency and greater economies of scale.
● Security – Cloud service providers offer a broad set of policies, technologies, and controls to
protect your data and infrastructure against potential threats.
● Speed – In a cloud computing environment, you can provision computing resources in minutes with
just a few clicks, providing businesses with a great deal of flexibility and relieving capacity planning
pressure.
● Productivity – The cloud provides a lot of convenience to your IT teams since it reduces the time
needed to obtain additional resources, allowing them to focus solely on achieving more important
business goals.
● Reliability – With cloud computing, you can easily manage backup data, disaster recovery, and
business continuity since the data can be mirrored at multiple redundant sites.
Azure Global Infrastructure
Regions
● Each region has more than one data center, which is a physical location.
● A group of data centers deployed in a latency-defined perimeter and connected through a dedicated
regional low-latency network.
● Criteria in choosing a Region:
○ Location – a region closest to your users minimizes latency.
○ Features – some features are not available in all regions.
○ Price – the price of services varies from region to region.
● Each Region is paired within the same geographic area.
● If the primary region has an outage, you can fail over to the secondary region.
● You can use paired regions for replication.
● Regions that are unique when it comes to compliance:
○ Azure Government Cloud – only US federal, state, local, and tribal governments and their
partners have access to this dedicated instance.
○ China Region – data centers are physically located within China and have no connection outside
of China, including to other Azure regions.
Availability Zones
● Each availability zone is a physical location within a region.
● A zone is composed of one or more data centers with independent power, cooling, and networking
facilities.
● Azure services that support Availability Zones fall into two categories:
○ Zonal services – a resource is pinned to a specific zone.
○ Zone-redundant services – replicate automatically across zones.
Azure Security and Compliance
In the cloud, security is a shared responsibility. Microsoft secures the underlying platform (hosts,
network, and data centers), while you secure what you deploy on it: your data, identities, endpoints, and
access configuration. Only this way can everyone protect their valuable data. As a customer, you also
inherit the policies, architecture, and operational processes that Azure has built to satisfy the
requirements of its most security-sensitive customers.
Microsoft Azure has also developed multiple tools and services to help you achieve your security
objectives. You can also review the numerous audits and certifications that third-party auditors have
conducted on Azure, so that whenever you need to meet strict compliance requirements with the use of
a service, you can verify its status through the compliance catalog.
Azure Pricing
● Azure offers pay-as-you-go and reserved instances for pricing.
● Azure Pricing Factors:
○ Resource size and resource type.
○ Different Azure locations have different prices for services.
○ The bandwidth of your services.
○ Any data transfer between two different billing zones is charged.
■ Ingress (data in) = free
■ Egress (data out) = charged based on data going out of Azure datacenters.
● Factors that can reduce costs:
○ By purchasing a reserved instance (one-year or three-year terms), you can significantly
reduce costs by up to 72 percent compared to pay-as-you-go pricing.
○ A reserved capacity is a commitment for a period of one or three years for SQL Database
and SQL Managed Instance.
○ Hybrid Benefit allows you to use your on-premises Software Assurance-enabled Windows
Server and SQL Server licenses on Azure.
○ If you purchase unused compute capacity, you can get deep discounts of up to 90 percent
compared to pay-as-you-go pricing. A spot virtual machine is for workloads that can tolerate
interruptions.
● All resources belong to a subscription.
○ An Azure account can have multiple subscriptions.
○ Organize your resources and subscriptions using Azure management groups.
● Azure Cost Management gives you a detailed view of current and projected costs.
● For new accounts, the Azure Free Tier is available.
○ Free Tier offers limited usage of Azure products at no charge for 12 months.
○ You also get $200 credit that you can spend during the first 30 days.
○ More details at https://azure.microsoft.com/en-us/free/
Service Level Agreements (SLAs)
● An SLA is the commitment of Microsoft for the uptime and connectivity of a service.
● You could obtain a service credit if the service level agreement is not met by Microsoft.
● Composite SLAs include several resources (with different availability levels) to support an
application.
● SLAs for multi-region deployments distribute the application in more than one region for high
availability and use Azure Traffic Manager for failover if one region fails.
Service Lifecycle
● Private Preview is only available to a few customers for early access to new technologies and
features.
● Public Preview makes the service available in a public phase and can be used by any customer to
evaluate the new features, but the SLA does not apply.
● General Availability is the release of the service to the general public and is fully supported by SLAs.
● Azure updates allow you to get the latest updates on any Azure products and features.
Azure Well-Architected Framework - Five Pillars
● Operational Excellence - run and monitor systems to deliver business value and to continually
improve supporting processes and procedures.
● Reliability - recover the system from infrastructure or service disruptions, dynamically acquire
computing resources to meet demand, and mitigate disruptions such as misconfigurations or
transient network issues.
● Performance Efficiency - use computing resources efficiently to meet system requirements and to
maintain that efficiency as demand changes and technologies evolve.
● Cost Optimization - avoid or eliminate unneeded costs or suboptimal resources.
● Security - protect information, systems, and assets while delivering business value through risk
assessments and mitigation strategies.
Best Practices when Architecting in the Cloud
● Design for self healing - Failures occur in a distributed system. Design your application to be
self-healing in the event of failure.
● Make all things redundant - Design a resilient and highly available application to avoid single points
of failure.
● Minimize coordination - To achieve scalability, you must minimize coordination between application
services.
● Design to scale out - Design an application that can scale horizontally (adding or removing
instances) as needed.
● Partition around limits - Use partitioning to work around database, network, and compute limits.
● Design for operations - The operations team must be able to access the tools they need for the
application.
● Use managed services - When designing an application, use PaaS rather than IaaS.
● Use the best data store for the job - Select the storage technology that is most appropriate for your
data and its intended use.
● Design for evolution - An evolutionary design is required for continuous innovation.
● Build for the needs of business - Always consider the business requirements when designing an
application.
Storage in the cloud is used to store different types of data, such as objects, files, and backups.
Services: Blob, Disk, and Files
Security allows you to authenticate and authorize users and services to access your applications.
Services: Active Directory, RBAC, and Security Center
DEEP DIVE
1. When creating a virtual machine, you always start off by choosing a subscription and resource
group. A subscription is a container where you can provision Azure resources. Before you can
deploy resources, you also need to create a new resource group. This is a logical group to organize
and manage all your resources in your subscription.
2. After you have chosen the resource group, you configure the availability option of your virtual
machine. You can choose between the availability zone, availability set, or no infrastructure
redundancy option. The option you select here determines the availability and resiliency of
your applications.
3. The image of your virtual machine contains the OS, settings, and other applications that you will use
in your server. In the Azure Marketplace, you can choose between images provided by Microsoft or
your own custom image.
4. Once you have chosen the image of your virtual machine, select the type and size of your virtual
machine. This will determine the physical properties of your instance, such as vCPUs, RAM, disks,
and more.
5. During the creation of your virtual machine, you can also specify whether you'd like to launch it as a
spot instance or use another instance billing type (pay as you go or reserved).
6. To access your virtual machine, you will need to use a key pair. It is generated after you launch your
virtual machine. Make sure to secure your copy of your public key. Once you delete your public key,
you won't be able to directly access your instance.
7. After you have configured the basic settings, you need to add storage for your virtual machine. The
disks that can be added are the operating system disk, data disk, and temporary disk. Encryption for
your disks is automatically configured.
8. You also need to configure which virtual network the virtual machine should be launched in. The
network security group will serve as a firewall for your servers. It contains rules that allow or
deny network traffic coming to or from your servers.
9. When you have configured the network settings of your virtual machines, you can also enable
monitoring, auto-shutdown, and backup in the management options.
10. In the advanced configuration options of your virtual machine, you can add extensions for
post-deployment configuration, custom and user data to execute certain commands while the
instance is being provisioned, and a proximity placement group to keep your resources
close together in the same region.
12. Once you have reviewed the configuration of your instance, proceed with the launch. Wait for your
virtual machine to finish preparing itself, and you should be able to connect to it if there aren't any
issues.
13. If you are having difficulties connecting to a virtual machine, you can try redeploying the VM to
move it to a new node in the Azure infrastructure. Don't worry, all of the existing configurations in
the resource will still be there after completing the redeployment.
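As an added example of the allow/deny evaluation a network security group performs on inbound traffic (illustrative code, not from the study guide or from Azure): rules are checked in ascending priority order and the first match decides. The three default inbound rules are modelled after the ones Azure attaches to every NSG; the custom rules, the VNet range and the source addresses are constructed for the example, and the service tags are resolved with a simplified lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Sequence, Tuple

# Added example, not from the study guide: a small model of NSG inbound rule
# evaluation. Lower priority numbers are evaluated first; the first rule whose
# direction, protocol, destination port and source all match decides the outcome.


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100..4096 for custom rules; the default rules use 65000 and above
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR, "*", or one of the service tags handled in _source_matches
    dest_port: str    # single port, "a-b" range or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, src_ip: str, vnet_cidr: str) -> bool:
    # Simplified service-tag resolution (an assumption of this model):
    # "Internet" is everything outside the VNet, "VirtualNetwork" everything inside it.
    if spec == "*":
        return True
    if spec == "Internet":
        return ip_address(src_ip) not in ip_network(vnet_cidr)
    if spec == "VirtualNetwork":
        return ip_address(src_ip) in ip_network(vnet_cidr)
    if spec == "AzureLoadBalancer":
        return src_ip == "168.63.129.16"  # Azure's well-known health-probe address
    return ip_address(src_ip) in ip_network(spec, strict=False)


def evaluate_inbound(rules: Sequence[Rule], src_ip: str, protocol: str, dest_port: int,
                     vnet_cidr: str = "10.0.0.0/16") -> Tuple[str, str]:
    """Return (access, rule_name) for the first inbound rule that matches the packet."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound" or rule.protocol not in ("*", protocol):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        if not _source_matches(rule.source, src_ip, vnet_cidr):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule matched>"  # not reached while the default rules are present


def management_ports_open_to_internet(rules: Sequence[Rule], ports=(22, 3389)) -> List[str]:
    """Defensive audit: Allow rules that let an arbitrary Internet source reach SSH or RDP."""
    probe_ip = "203.0.113.10"  # TEST-NET-3 address standing in for "somewhere on the Internet"
    findings = []
    for port in ports:
        access, name = evaluate_inbound(rules, probe_ip, "Tcp", port)
        if access == "Allow":
            findings.append(f"port {port} allowed by rule '{name}'")
    return findings


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules for a web server: HTTPS is public, SSH only from a corporate range.
WEB_SERVER_RULES = DEFAULT_INBOUND + [
    Rule("AllowHttps", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("AllowSshFromCorp", 110, "Inbound", "Allow", "Tcp", "198.51.100.0/24", "22"),
]

if __name__ == "__main__":
    print(evaluate_inbound(WEB_SERVER_RULES, "203.0.113.10", "Tcp", 443))
    print(evaluate_inbound(WEB_SERVER_RULES, "203.0.113.10", "Tcp", 22))
    print(evaluate_inbound(WEB_SERVER_RULES, "198.51.100.7", "Tcp", 22))
    print(management_ports_open_to_internet(WEB_SERVER_RULES))
```

Because DenyAllInBound sits at the lowest priority, anything a custom rule does not explicitly allow is dropped; the audit function shows the kind of check worth running whenever a rule with source "*" or "Internet" is added.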
1. General Purpose - provides a balanced CPU-to-memory ratio. This instance is ideal for testing,
development, and low to medium-traffic web servers. The B-series have burstable performance that
allows the VM to use its built-up credits when the application requires higher CPU performance.
2. Compute Optimized - designed to have a high CPU-to-memory ratio. Instances belonging to this
family are well suited for medium-traffic web servers, network appliances, batch processes,
analytics, application, and gaming servers.
3. Memory Optimized - offers a high memory-to-CPU ratio. Ideal for relational database servers,
medium to large caches, and in-memory analytics.
4. Storage Optimized - provides high disk throughput and IO. This VM size is ideal for SQL, NoSQL
databases, big data, data warehousing, and large transactional databases.
5. GPU - designed for compute-intensive, graphics-intensive, and visualization workloads. It is
available in single, multiple, or fractional GPUs.
6. High-performance compute - the HPC VM sizes have the most powerful and fastest CPUs with high
throughput network interfaces. They are optimized for fluid dynamics, explicit and implicit finite element
analysis, weather modeling, seismic processing, reservoir simulation, and RTL simulation.
The disks of a virtual machine are block-level storage volumes. This storage is managed by Azure and
mainly used for Azure VMs. With managed disks, all you have to do is specify the type and size of the
disk and provision it.
2. Data disk - this disk is also managed by Azure, and you can store your application data or any other
data that you need to keep. Before you use a data disk, there are two options that you can select:
a. Create and attach a new disk - you have the option to create the new disk from a snapshot,
storage blob, or an empty disk.
b. Attach an existing disk - allows you to add the disks you've already created. It's also
important to know that the number of data disks that you can attach will depend on the size
of your VM.
3. Temporary disk - provides short-term storage for page and swap files. Take note that the
data on this disk may be lost when you redeploy a VM or during a maintenance event. Also, to
configure server-side encryption on this disk, you need to enable encryption at host.
Disk type     | HDD                                         | SSD                                         | SSD                                            | SSD
Scenario      | Backup, non-critical, and infrequent access | Web servers, light enterprise applications  | Production and performance sensitive workloads | IO-intensive workloads, top tier databases, and other transaction-heavy workloads
Max Disk Size | 32,767 GiB                                  | 32,767 GiB                                  | 32,767 GiB                                     | 65,536 GiB
Max IOPS      | 2,000                                       | 6,000                                       | 20,000                                         | 160,000
It's also very important to understand how you can secure the data inside your virtual machine disks.
Let's now take a look at disk encryption. Azure managed disks support three types of encryption:
1. Server Side Encryption (SSE) - the data stored on managed disks is automatically encrypted at
rest by default when it is persisted to the cloud.
a. Platform-managed keys - the keys are managed by Azure. The data, images, and snapshots
written to an existing managed disk are automatically encrypted at rest.
b. Customer-managed keys - since you are providing your own keys, you also manage the level
of encryption on each managed disk. To manage your own keys, you can use Azure Key
Vault. This service enables you to import your own RSA keys or generate new ones.
2. Azure Disk Encryption (ADE) - provides volume encryption on both OS and data disks of Azure VMs.
The encryption for Windows is done using BitLocker. On the other hand, the encryption for Linux is
done using DM-Crypt.
3. Encryption at host - this type of encryption is different from SSE. The encryption of data is provided
by the server hosting your virtual machine, and the encrypted data flows into the Azure Storage
service.
Encryption option           | Encryption at rest | Temp Disk Encryption | Encryption of Caches | Encrypted Data Flows | Customer Keys | Encryption Status
Encryption at rest with PMK | ✓                  | -                    | -                    | -                    | -             | Unhealthy
Encryption at rest with CMK | ✓                  | -                    | -                    | -                    | ✓             | Unhealthy
Azure Disk Encryption       | ✓                  | ✓                    | ✓                    | ✓                    | ✓             | Healthy
Encryption at Host          | ✓                  | ✓                    | ✓                    | ✓                    | ✓             | Unhealthy
Note:
● The encrypted data flows are between the Compute and Storage services.
● The disk encryption status is labeled by Azure Security Center.
When creating a copy of your managed disks, there are comparisons to be made between images and snapshots.
As discussed earlier for data disks, snapshots allow you to create a point-in-time recovery. But how are they
different from images?
To conclude the comparison, a snapshot is only aware of the disk that it contains. For scenarios that
require the coordination of multiple disks, like striping, a snapshot wouldn't be able to meet this
requirement. Therefore, this is where you would want to use custom images.
When talking about how the virtual machine handles unexpected disk traffic, Azure offers a feature
called bursting. This grants the virtual machine and the disk the ability to boost their IOPS and MB/s
performance for a period of time. In other words, it allows you to get more use out of your disk and
also helps you avoid upgrading the disk just to accommodate traffic spikes. Bursting on virtual
machines and bursting on disks are independent from one another. So if you need to burst the disk performance,
you don't need to burst the virtual machine. Bursting is enabled by default for both virtual machines and
disks.
Azure provides you with a variety of options to pay for compute capacity. Here are the payment
options:
1. Pay as you go - you are billed on a per-second basis. You can start or stop anytime, and you only
pay for what you use. This payment option is ideal for users who prefer flexibility or have
unpredictable workloads that cannot be interrupted.
2. Reserved Instance - you get up to 72 percent price savings compared to pay-as-you-go, but in
return, you need to pay the upfront cost and be committed for one or three years in a specified
region. There are three options to scope a reservation:
a. Single resource group - the reservation discount applies solely to the corresponding
resources in the resource group you've chosen. Keep in mind that discounts will not be
applied if the resource group is moved or deleted.
b. Single subscription - the reservation discount applies only to the corresponding resources
in the subscription you've selected.
c. Shared - the reservation discount is applied to the corresponding resources in eligible
subscriptions within the billing context. If the subscription is moved to a different billing
context, the discounts no longer apply to that subscription but will continue to apply to the
remaining subscriptions in the billing context.
i. The billing context for Enterprise Agreement customers is enrollment. In an
enrollment, the reservation shared scope contains multiple Active Directory tenants.
ii. The billing scope for Microsoft Customer Agreement customers is billing profile.
iii. The billing scope for individual subscriptions with pay-as-you-go rates is all eligible
subscriptions.
After purchasing a reservation, you can always update the scope. Go to the reservation, click
Configuration, and then rescope the reservation. Rescoping a reservation won't change the
reservation term.
3. Spot - save up to 90 percent when you purchase unused compute capacity. This is only ideal for
workloads that can tolerate interruptions. Discounts may vary based on:
a. Region
b. Virtual machine type
c. Compute capacity
Since Azure Spot Virtual Machines are unused capacity, at any point in time, the Azure infrastructure can
evict Spot VMs with 30 seconds' notice. Eviction is based on the capacity or the max price you've set.
When creating a Spot VM, you can set the eviction policy to Deallocate (default) or Delete.
The Deallocate policy moves your virtual machine to the stopped-deallocated state, allowing you to
redeploy it later. However, there is no assurance that the allocation will be successful. Your quota will
still be consumed by the deallocated VMs, and you will be charged for the underlying disks.
If you want your virtual machines to be deleted when they are evicted, you can set the eviction policy to
Delete. The underlying disks are also deleted, so you won't be charged for the storage. In the portal, you
can look up the eviction rates by size in a certain region. Go to View pricing history and compare prices
in nearby regions to see a table or graph of pricing for a specific size.
There are two ways to manage the availability and resiliency of your applications in a virtual machine:
1. Availability zones - to protect your resources from an entire data center failure, you need to deploy
the VMs to a minimum of three Availability Zones to ensure resiliency. Azure services that support
Availability Zones are classified into two types:
a. Zonal services - resources are pinned to a specific Availability Zone.
Examples: Virtual machines, Managed disks, Standard IP addresses
b. Zone-redundant services - replicate resources automatically across Availability Zones to
protect from single points of failure.
When you need to improve the performance of your applications and also provide redundancy, you
should scale your resources horizontally. Horizontal scaling means you are adding more servers to the
system. By doing this, the workload is distributed across multiple resources and can accommodate
increasing demand. Take note that this type of scaling is different from vertical scaling. When you
scale vertically, you are increasing or decreasing the resources of a single server instead of adding new
servers to the system.
The horizontal scaling service in Azure is called virtual machine scale sets. A VM scale set allows you to
create and manage a group of load-balanced VMs. Since the workload is distributed, if one VM fails, you
can still continue to access your application through the other VMs with minimal interruption. You can also
distribute the VMs in a scale set within a single data center or across various data centers. This service
supports both layer 4 basic traffic distribution and layer 7 advanced traffic distribution and TLS
termination.
● You can associate virtual machine scale sets with a load balancer. This will allow you to distribute
virtual machines across Availability Zones. By implementing this practice, you can make your
application redundant and highly available.
● Lastly, virtual machine scale sets allow you to scale to hundreds or even thousands of virtual
machines.
Now that we know scale sets can be associated with load balancers, this will help us implement one of
the best practices for architecting in the cloud by evenly distributing the virtual machines across
different Availability Zones. The main reason why you need to configure it with a load balancer is to give
you high availability: an application that can run continuously even if one of the virtual machines fails.
Aside from distributing the load across AZs, one of the added benefits is that you can use Load Balancer
health probes for more robust health checks.
When associating scale sets with a load balancer, you have two options:
1. Azure Application Gateway - an HTTP/HTTPS web traffic load balancer that has the capability to
do the following: URL-based routing, SSL termination, session persistence, and web application
firewall.
2. Azure Load Balancer - a TCP/UDP network traffic load balancer that supports port forwarding and
outbound flows.
After going through load balancing, let's now talk about the scaling policy and how it works. A scaling
policy determines when a virtual machine should be added or removed to meet the current capacity
requirements of your application. When you create a virtual machine scale set, you will see this
configuration in the portal.
These configurations can only be seen if you select the custom scaling policy option. The first thing that
you can set is the number of instances. But let's focus on the remaining two options, scaling out and
scaling in. Scale out is when you need to add virtual machines to the scale set to increase the
current capacity. In order to scale out, you should input certain values in the following fields:
● CPU threshold - the CPU usage percentage threshold at which the scale out rule is triggered.
● Duration in minutes - the amount of time the metric is observed before autoscale checks the threshold again.
● Number of instances to increase by - this determines how many virtual machines should be
added when the scale out rule is triggered.
On the other hand, the scale in rule determines when the scale set should remove a virtual machine in order to
decrease the capacity. Unlike scale out, you only need to input two values in the scale in fields. After you
create a virtual machine scale set, you will see a lot of options available that you can configure in the
scaling policy.
As seen in the image above, you can still configure other options in order to meet certain requirements
on when to scale your virtual machines. Here are the options that you can customize:
1. Metric Name - allows you to set the metric that will be collected from your virtual machine. Some of
the metrics that you can choose from are:
○ Percentage CPU
○ Network In or Out
○ Disk Read or Write Bytes
○ Disk Read or Write Operations/Sec
○ CPU Credits Consumed or Remaining
2. Aggregates - how you want to combine the collected data. For example, TimeAggregation = "Sum" will
aggregate the sampled metrics by taking the sum. The methods that you can select from are:
○ Average
○ Minimum
○ Maximum
○ Sum
○ Last
○ Count
3. Operators - this determines when to trigger the scale action.
○ Greater than
○ Greater than or equal to
○ Less than
○ Less than or equal to
○ Equal to
○ Not equal to
4. Actions - what the scaling policy should do after it is triggered.
○ Increase count by
○ Increase percent by
○ Increase count to
○ Decrease count by
○ Decrease percent by
○ Decrease count to
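To make the scale out and scale in fields and the options listed above concrete, here is an added model of how one autoscale rule is evaluated (illustrative code, not from the study guide or from Azure's autoscale engine): the samples inside the duration window are combined with the chosen aggregate, compared with the threshold using the operator, and the action is applied to the instance count within the scale set's minimum and maximum. The option names come from the lists above; the policy, the one-sample-per-minute assumption and the CPU samples are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, Optional, Sequence, Tuple

# Added example, not from the study guide: a model of autoscale rule evaluation.
# Samples are assumed to arrive once per minute, so a duration of N minutes is
# the last N samples. The policy and the CPU samples below are constructed.

AGGREGATES: Dict[str, Callable[[Sequence[float]], float]] = {
    "Average": lambda xs: mean(xs),
    "Minimum": lambda xs: min(xs),
    "Maximum": lambda xs: max(xs),
    "Sum": lambda xs: sum(xs),
    "Last": lambda xs: xs[-1],
    "Count": lambda xs: float(len(xs)),
}

OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    "Greater than": lambda v, t: v > t,
    "Greater than or equal to": lambda v, t: v >= t,
    "Less than": lambda v, t: v < t,
    "Less than or equal to": lambda v, t: v <= t,
    "Equal to": lambda v, t: v == t,
    "Not equal to": lambda v, t: v != t,
}


@dataclass(frozen=True)
class ScaleRule:
    metric: str            # e.g. "Percentage CPU"
    aggregate: str         # key of AGGREGATES
    operator: str          # key of OPERATORS
    threshold: float
    duration_minutes: int  # window length in samples (one sample per minute assumed)
    action: str            # one of the "Increase/Decrease count/percent by/to" actions
    amount: int


def rule_fires(rule: ScaleRule, samples: Sequence[float]) -> bool:
    """True when the aggregate of the last `duration_minutes` samples breaches the threshold."""
    window = samples[-rule.duration_minutes:]
    if len(window) < rule.duration_minutes:
        return False  # not enough history yet: never act on a partial window
    value = AGGREGATES[rule.aggregate](window)
    return OPERATORS[rule.operator](value, rule.threshold)


def apply_action(rule: ScaleRule, current: int, minimum: int, maximum: int) -> int:
    """Instance count after the rule's action, kept inside [minimum, maximum]."""
    # Percent actions change the count by at least one instance (an assumption of this model).
    percent_step = max(1, round(current * rule.amount / 100))
    if rule.action == "Increase count by":
        target = current + rule.amount
    elif rule.action == "Decrease count by":
        target = current - rule.amount
    elif rule.action == "Increase percent by":
        target = current + percent_step
    elif rule.action == "Decrease percent by":
        target = current - percent_step
    elif rule.action in ("Increase count to", "Decrease count to"):
        target = rule.amount
    else:
        raise ValueError(f"unknown action {rule.action!r}")
    return max(minimum, min(maximum, target))


def evaluate(rules: Sequence[ScaleRule], samples: Sequence[float], current: int,
             minimum: int, maximum: int) -> Tuple[int, Optional[ScaleRule]]:
    """Apply the first rule that fires (list scale-out rules first) and return the new count."""
    for rule in rules:
        if rule_fires(rule, samples):
            return apply_action(rule, current, minimum, maximum), rule
    return current, None


# Constructed policy: add a VM when average CPU over 10 minutes is above 75 %,
# remove one when it stays below 25 % for 10 minutes, and keep between 2 and 10 VMs.
SCALE_OUT = ScaleRule("Percentage CPU", "Average", "Greater than", 75, 10, "Increase count by", 1)
SCALE_IN = ScaleRule("Percentage CPU", "Average", "Less than", 25, 10, "Decrease count by", 1)

if __name__ == "__main__":
    busy = [40, 70, 80, 85, 90, 92, 88, 86, 84, 80]   # constructed one-minute CPU samples
    quiet = [30, 20, 15, 10, 10, 12, 11, 9, 8, 10]
    print(evaluate([SCALE_OUT, SCALE_IN], busy, current=2, minimum=2, maximum=10))
    print(evaluate([SCALE_OUT, SCALE_IN], quiet, current=2, minimum=2, maximum=10))
```

The clamp at the end is what keeps a scale in rule from dropping below the configured minimum: in the quiet scenario the rule fires, but the count stays at 2.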
If you want to collect more information based on different metrics, you need to install the following:
● App Insights - when you want to collect application metrics such as page load performance and
session counts, you can install App Insights in your application, and it will monitor your app and
send telemetry to Azure.
● Azure Diagnostic Extension - when you want detailed host-based metrics, you can install this
extension. This agent runs inside your virtual machine. It monitors and saves performance
metrics to an Azure storage service to collect more detailed information.
There are also other options that you can configure when creating a virtual machine scale set:
1. Scale-In Policy - allows you to specify the order in which virtual machines are deleted during a
scale-in operation. The options that you can select from are:
a. Default
■ Balance across availability zones and fault domains
■ Deletes the VM with the highest instance ID
b. Newest VM
■ Balance across availability zones
■ Deletes the newest created virtual machine
c. Oldest VM
■ Balance across availability zones
■ Deletes the oldest created virtual machine
2. Update Policy - allows you to set how you upgrade your virtual machines to the latest scale set
model.
a. Automatic - upgrades will start immediately in random order.
b. Manual - the existing virtual machines must be manually upgraded.
c. Rolling - upgrades are rolled out in batches with the option to pause.
3. Automatic OS Upgrades - by enabling this option, the upgrades on the OS disk will be done
automatically for all virtual machines.
4. Health Monitoring - helps you determine if your resources are healthy or unhealthy. There are two
modes that you can select:
a. Application Health Extension - sends an HTTP/HTTPS request to a specific path and
checks the returned HTTP status.
b. Load Balancer Probe - checks are done through TCP/UDP or HTTP/HTTPS requests. You
can only select this option if you have an associated load balancer.
5. Automatic Repair Policy - automatically replaces unhealthy virtual machines with new ones.
6. Allocation Policy - allows you to scale beyond 100 instances (the default).
If you need to reduce the physical distance between virtual machines, you place them in a single region. To
bring VMs physically closer together, you deploy them in a single availability zone. However, a single AZ may
span different data centers, which can result in network latency that impacts your application. To
achieve the lowest possible latency, you need to deploy the virtual machines in a proximity placement
group.
This is a logical grouping to make sure that the resources are physically close to each other. It can be
used with VMs, availability sets, and VM scale sets. You can also move your existing resources into a
proximity placement group. This configuration is helpful if latency is your first priority. But, if you need to
have resiliency, you should spread your virtual machines across availability zones. Remember that a
single proximity placement group cannot span zones, and by default, it can only hold 100 virtual
machines. You can scale beyond the limit if the singlePlacementGroup property is set to false.
Therefore, multiple placement groups can hold up to 1,000 virtual machines.
To prevent unintended destruction or deletion of data on a virtual machine, you need to create a backup
of your data. With the Azure Backup service, you can back up on-premises machines, workloads, and
Azure VMs. The backup schedule can be configured on a daily or weekly basis, while the backup
retention can be set on a daily, weekly, monthly, and yearly schedule.
If you recall, the stopped/deallocated state only stops the virtual machine, and Azure
Backup only takes snapshots of the VM disks. This means that whether the VM status is running or
stopped, you can still create a backup as long as the disk is attached to the VM. Remember that you can
only back up data sources or virtual machines that are in the same region as the Recovery Services vault.
You can also back up virtual machines that have different resource groups or operating systems as long
as they are in the same region as the vault.
To understand how Azure Backup works, let's take a look at its components:
1. A Recovery Services vault is a storage entity that stores data and recovery points that have been
created over time. The data stored in the vault is a copy of data or configuration information for
virtual machines, workloads, or servers. It also supports service integrations like System Center DPM,
Windows Server, Azure Backup Server, and many more.
2. The Microsoft Azure Recovery Services (MARS) agent allows you to back up data from Windows
virtual machines and on-premises machines. The backups are stored directly in the Recovery
Services vault. In order to install the MARS agent and perform backups, you need to have the
following:
○ Recovery Services vault
○ Backup policy
○ Secure route (ExpressRoute or Private Endpoint)
3. Azure Backup Vault is an important component of the Azure Backup service. It serves as a storage
entity that houses backup data for various Azure services. It's designed to support newer workloads
and services like Azure Database for PostgreSQL servers. The vault simplifies the organization of
backup data, reducing management overhead. It incorporates enhanced security features to protect
cloud backups and ensure safe data recovery, even in compromised environments. The vault is
compatible with Azure role-based access control (RBAC), providing fine-grained access
management. It also ensures data isolation by storing backup data in a Microsoft-managed Azure
subscription and tenant, separate from the production environment. The vault handles storage
settings and encryption settings, offering options for platform-managed keys and
customer-managed keys for backup data encryption.
4. The Azure Storage Explorer is a standalone application that offers a unified interface for managing
Azure Storage data. It simplifies the process of managing and navigating Azure Storage accounts,
including Blob Containers, File Shares, Queues, and Tables. Users can easily upload, download, and
manage data across multiple subscriptions using this tool. It also supports advanced features such
as blob snapshots, blob versioning, and setting up blob access tiers. Azure Storage Explorer is
available on Windows, macOS, and Linux, which makes it a convenient choice for developers and
administrators working on different platforms.
5. To create a Backup Policy, you need to select a datasource type first. You can choose between
Azure Virtual Machines or Azure Database for PostgreSQL servers. Then choose the frequency, whether
it is daily or weekly. After that, you input how many days you want to retain the recovery snapshots.
At most, you can only retain the instant recovery snapshot for 5 days. Lastly, choose the retention
range of your backups, whether it's daily, weekly, monthly, or yearly.
6. For hybrid backup solutions for site-to-site recovery or a business continuity and disaster recovery
(BCDR) strategy, you can use Azure Site Recovery. It replicates workloads from a primary site to a
secondary site. For example, suppose your primary site suddenly suffers an outage. Since the primary site
becomes unavailable, Azure Site Recovery will automatically fail over to the secondary site and
ensure that your services are still working. The following resources can be replicated:
○ Azure Virtual Machines (Cross Region Replication)
○ Any operating system
○ On-premise to Azure
○ Other Cloud Service Providers to Azure
○ VMWare, Hyper-V, or Physical Servers
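The backup schedule and retention range described for Azure Backup and for a Backup Policy (daily or weekly backups, kept under daily, weekly, monthly and yearly retention) decide which recovery points survive over time. The following is an added model of that pruning, not code from the study guide or from the Azure Backup service: recovery points are the dates of successful daily backups, and the choice of which point counts as the weekly (Sunday), monthly (1st of the month) or yearly (1 January) one is an assumption of the model. The backup history is constructed.

```python
from datetime import date, timedelta
from typing import Iterable, List, Set

# Added example, not from the study guide: which recovery points survive a
# daily/weekly/monthly/yearly retention range. The weekly point is taken to be
# the Sunday backup, the monthly point the 1st-of-month backup and the yearly
# point the 1 January backup; these are assumptions of this model.


def _months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def points_to_keep(recovery_points: Iterable[date], today: date,
                   daily: int, weekly: int, monthly: int, yearly: int) -> Set[date]:
    """Recovery points that are still inside at least one retention range.

    daily   - keep every point from the last `daily` days
    weekly  - keep the Sunday point from each of the last `weekly` weeks
    monthly - keep the 1st-of-month point from each of the last `monthly` months
    yearly  - keep the 1 January point from each of the last `yearly` years
    """
    keep: Set[date] = set()
    for point in recovery_points:
        age_days = (today - point).days
        if age_days < 0:
            continue  # a point dated in the future is ignored
        if age_days < daily:
            keep.add(point)
        if point.weekday() == 6 and age_days < weekly * 7:
            keep.add(point)
        if point.day == 1 and _months_between(point, today) < monthly:
            keep.add(point)
        if point.month == 1 and point.day == 1 and today.year - point.year < yearly:
            keep.add(point)
    return keep


def daily_points(first: date, last: date) -> List[date]:
    """Constructed history: one successful backup per day from `first` to `last` inclusive."""
    return [first + timedelta(days=n) for n in range((last - first).days + 1)]


def example_run(today: date = date(2024, 3, 31)) -> dict:
    """Run the constructed scenario: a quarter of daily backups, 7/4/3/1 retention."""
    history = daily_points(date(2024, 1, 1), today)
    kept = points_to_keep(history, today, daily=7, weekly=4, monthly=3, yearly=1)
    return {"total": len(history), "kept": sorted(p.isoformat() for p in kept)}


if __name__ == "__main__":
    result = example_run()
    print(f"{result['total']} recovery points, {len(result['kept'])} kept, "
          f"{result['total'] - len(result['kept'])} pruned")
    for point in result["kept"]:
        print(point)
```

Running the scenario keeps the last seven daily points, three older Sundays, the 1 February and 1 March points, and 1 January (which satisfies both the monthly and the yearly range); everything else from the quarter is pruned.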
vCPU quotas
The vCPU quotas for VMs and VM scale sets are arranged in two tiers for each region in a subscription:
● Total Regional vCPUs
● VM size family cores
Every time you deploy a new VM, the vCPUs must not exceed the vCPU quota for the VM size family or
the total regional vCPUs. If either of those quotas has been exceeded, the VM deployment will not be
allowed. Take note that there is also a quota for the overall number of virtual machines in the region. The
quota is calculated based on the total number of cores in use, both allocated and deallocated. If you
need additional cores, you can request a quota increase or delete VMs that are no longer needed.
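An added model of the two-tier check just described (illustrative code, not from the study guide or from Azure): a deployment has to fit both the VM size family quota and the total regional vCPU quota, and deallocated VMs still count. The quota figures, family names and existing VMs are constructed; in a real subscription the numbers come from the portal's Usage + quotas page or from `az vm list-usage --location <region>`.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example, not from the study guide: a model of the two-tier vCPU quota
# check a VM deployment has to pass. All quota figures, size-family names and
# VM records below are constructed for the example.


@dataclass
class VmRecord:
    name: str
    family: str        # VM size family the SKU belongs to
    vcpus: int
    power_state: str   # "running" or "deallocated"; both count against the quota


@dataclass
class RegionQuota:
    region: str
    total_regional_vcpus: int
    family_limits: Dict[str, int]
    vms: List[VmRecord] = field(default_factory=list)

    def regional_in_use(self) -> int:
        # Deallocated VMs still count: their cores stay reserved until the VM is deleted.
        return sum(vm.vcpus for vm in self.vms)

    def family_in_use(self, family: str) -> int:
        return sum(vm.vcpus for vm in self.vms if vm.family == family)

    def check_deployment(self, family: str, vcpus: int) -> List[str]:
        """Reasons the deployment would be rejected; an empty list means it fits both tiers."""
        problems = []
        family_limit = self.family_limits.get(family, 0)  # no entry: nothing may be deployed
        family_after = self.family_in_use(family) + vcpus
        if family_after > family_limit:
            problems.append(
                f"{family}: {family_after} vCPUs would exceed the family quota of {family_limit}")
        regional_after = self.regional_in_use() + vcpus
        if regional_after > self.total_regional_vcpus:
            problems.append(
                f"{self.region}: {regional_after} vCPUs would exceed the regional quota "
                f"of {self.total_regional_vcpus}")
        return problems


def sample_region() -> RegionQuota:
    """A constructed eastus quota with three existing VMs (one of them deallocated)."""
    return RegionQuota(
        region="eastus",
        total_regional_vcpus=20,
        family_limits={"standardDSv3Family": 10, "standardBSFamily": 20},
        vms=[
            VmRecord("web-01", "standardDSv3Family", 4, "running"),
            VmRecord("web-02", "standardDSv3Family", 4, "deallocated"),
            VmRecord("build-01", "standardBSFamily", 8, "running"),
        ],
    )


if __name__ == "__main__":
    region = sample_region()
    print(region.check_deployment("standardDSv3Family", 4))  # family quota would be exceeded
    print(region.check_deployment("standardBSFamily", 4))    # fits both tiers
    print(region.check_deployment("standardBSFamily", 8))    # regional quota would be exceeded
```

The second case shows why the family tier matters on its own: the region still has four vCPUs free, yet a DSv3 deployment of that size is refused because the deallocated web-02 keeps its four DSv3 cores reserved.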
In App Service (Web Apps, API Apps, or Mobile Apps), an application always runs in an App Service plan.
An App Service plan is a collection of compute resources needed for a web app to run. If you have one
or more apps, you can set them up to share the same computing resources (in the same App Service
plan). Each plan consists of a region, number and size of virtual machines, and pricing tier.
1. Shared Compute - Free and Shared are the two base tiers. These tiers allocate CPU quotas to every
app running on the shared resources, but the resources cannot scale out.
2. Dedicated Compute - It is composed of the Basic, Standard, Premium, and PremiumV2 tiers. As the
tier gets higher, you will have more VMs to scale out.
3. Isolated - A dedicated virtual machine that provides maximum scale-out capabilities.
Limits per pricing tier (column headers not recoverable; each row lists its columns left to right):
App Service plan  | 10 per Region | 10 per Resource Group | 100 per Resource Group | 100 per Resource Group | 100 per Resource Group | 100 per Resource Group
Maximum Instances | up to 10 | up to 20 for v1 and v2, up to 30 for v3 | up to 100
Staging Slots     | 5 per app | 20 per app | 20 per app
Before you launch a web app in Azure App Service, you must also select the operating system that will
be used in the App Service plan. Take note that some runtime stacks will only work on Windows, such as
ASP.NET, while Ruby will only work with Linux.
If you created a Linux web app in a Windows App Service plan, you would receive an error message:"The
template deployment is not valid according to the validation procedure". To resolve this error, you must
create a new App Service plan. Conversely, you will also receive the same error if you run an ASP.NET
V4.8 application in a Linux App Service plan.
With Azure App Service, you can choose from the following runtime environments:
.NET
.NET Core
Java
Node
PHP
Python
Ruby
When you create your app, you must also choose a unique web app name because it becomes a fully qualified domain name (FQDN). After you have configured your web app, its default domain name is <web-app-name>.azurewebsites.net.
Lastly, Azure App Service can also run Docker containers (single- or multi-container). You can define custom containers for Windows or Linux operating systems and push the image to Azure Container Registry (ACR), which stores your private Docker container images and related artifacts. App Service then pulls the image from ACR and takes care of all of the tasks associated with deploying container-based web apps, such as OS patching, capacity provisioning, and load balancing.
Deployment Slots
When you deploy a web app, API app, or mobile app to Azure App Service, the default slot is the production slot. With deployment slots, you can set up different environments for your application, and each created slot has its own hostname. This is very useful when you need a staging or testing environment. Aside from creating environments, you can also swap them, which means you can turn the staging environment into the production environment.
When you perform the swap operation, the following settings are swapped:
● General settings
● App settings
● Connection strings
● Handler mappings
● Public certificates
● WebJobs content
● Managed identities
● Settings that end with the suffix _EXTENSION_VERSION
If the Deployment slots page reports that your App Service plan does not have the capability to add a staging slot for your application, you must upgrade your App Service plan to a Standard or Premium tier. After you have successfully upgraded your plan, you can add a slot under Deployment slots.
You have a web app named tutorialsdojo-portal that is hosted in Azure App Service. The provisioned deployment slots for tutorialsdojo-portal are shown in the table below:
Name                   Environment
tutorialsdojo-dev      Development
tutorialsdojo-staging  Staging
tutorialsdojo          Production
You configured several settings in the tutorialsdojo-dev and tutorialsdojo-staging slots.
You performed a swap operation between the production and staging slots. Upon testing the tutorialsdojo-portal app, it was discovered that the new features are not working properly.
A possible reason why the tutorialsdojo-portal web app is not working properly is that several settings are configured in tutorialsdojo-dev and tutorialsdojo-staging. Recall that when you perform a swap operation, various settings are swapped along with the code.
To fix this issue, you can revert the tutorialsdojo-portal app to its previous state by swapping the tutorialsdojo-staging and tutorialsdojo slots again. Since the slots have been swapped back, the app returns to its previous working state.
Each App Service plan tier supports a different number of deployment slots, and there is no additional charge for using them. Also, take note that when you already have a Premium tier plan with more than five slots, you can't scale it down to the Standard tier, because that tier only supports five deployment slots.
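The plan, OS/runtime, and slot-swap behaviour described above, as an added Azure PowerShell (Az.Websites) example that is not from the study guide. The resource group, plan and app names, region, runtime and setting names are assumptions; marking values as "slot settings" so they stay behind on a swap is an App Service feature not covered in the text above.

```powershell
# Added example, not from the study guide; names, region and runtime are assumptions.
$rg       = "td-app-rg"
$location = "eastus"
$plan     = "td-linux-plan"
$app      = "tutorialsdojo-portal-demo"   # globally unique: becomes <name>.azurewebsites.net

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Standard is the lowest tier that supports deployment slots (5 per app). -Linux fixes the plan's OS,
# so a Windows-only stack such as ASP.NET 4.8 would fail validation against this plan.
New-AzAppServicePlan -ResourceGroupName $rg -Name $plan -Location $location -Tier Standard -Linux | Out-Null

$site = New-AzWebApp -ResourceGroupName $rg -Name $app -Location $location -AppServicePlan $plan
$site.SiteConfig.LinuxFxVersion = "PYTHON|3.11"   # Linux runtime stack, matching the plan's OS
$site.HttpsOnly = $true                            # redirect plain HTTP to HTTPS
Set-AzWebApp -WebApp $site | Out-Null

# A staging slot gets its own hostname: <app>-staging.azurewebsites.net
New-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot "staging" | Out-Null

# App settings are per slot and move with a swap, so a staging value would otherwise land in production.
Set-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot "staging" -AppSettings @{
    ENVIRONMENT = "staging"
    DB_CONN     = "placeholder-staging-connection-string"   # constructed placeholder value
    NEW_FEATURE = "on"
} | Out-Null

# Pin the environment-specific values to their slot ("slot settings"): they stay behind on a swap,
# so only NEW_FEATURE travels with the code. This prevents the broken-after-swap scenario above
# and keeps staging credentials out of production.
Set-AzWebAppSlotConfigName -ResourceGroupName $rg -Name $app -AppSettingNames @("ENVIRONMENT", "DB_CONN")

# Promote staging to production
Switch-AzWebAppSlot -ResourceGroupName $rg -Name $app -SourceSlotName "staging" -DestinationSlotName "production"

# Verify what production now sees
(Get-AzWebApp -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings | Select-Object Name, Value

# Roll back: a swap is symmetric, so swapping the same pair again restores the previous state
Switch-AzWebAppSlot -ResourceGroupName $rg -Name $app -SourceSlotName "staging" -DestinationSlotName "production"
```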
Diagnostics Logging
Diagnostics logging helps you access the information logged by Azure. There are five built-in diagnostics tools to assist you with debugging an App Service app:
Let's talk about another feature of Azure App Service called App Service Environment (ASE). It provides a fully isolated and dedicated environment to securely run apps at high scale. You can host Windows/Linux web apps, Docker containers, mobile apps, and Azure Functions. Multiple ASEs in a single region or across multiple regions are ideal for horizontally scaling stateless application tiers that serve workloads with a high number of requests per second.
Azure resources can be placed in a non-internet-routable network using Azure Virtual Network. To access these resources, you can use the VNet Integration feature, which allows your app to reach resources in your virtual network. This feature is mainly used by multi-tenant apps. If your app runs in an App Service Environment, you don't need VNet Integration to reach resources in the same VNet, since the ASE is already inside a virtual network.
When it comes to application deployment, Azure App Service offers several options:
1. Run from package – instead of copying the package files directly to the wwwroot directory, the ZIP package is mounted directly, read-only, as the wwwroot directory.
2. Deploy ZIP or WAR – uses the Kudu service to deploy ZIP and WAR files. Kudu is the engine behind Git deployments in Azure App Service. It supports the following functionality for ZIP file deployment:
The wwwroot directory of an app is located at:
● Windows - D:\home\site\wwwroot
● Linux - /home/site/wwwroot
To run background tasks in Azure App Service, you can use WebJobs to upload an executable script. This feature enables you to run a program on the same instance as a web app, API app, or mobile app without additional cost. There are two types of WebJobs:
1. Continuous
○ Starts the script immediately after the WebJob is created.
○ Runs on all instances that the web app runs on.
○ Supports remote debugging.
○ Uses WebJobs Scale:
■ Single Instance - keeps a single copy of the WebJob running regardless of instance count.
■ Multi-Instance - scales all WebJobs across all instances.
2. Triggered
○ Only starts when triggered: manually or on a schedule (CRON expression).
○ Runs on a single instance.
○ Remote debugging is not supported.
Supported file types for the script:
● Windows cmd: .cmd, .bat, .exe
● PowerShell: .ps1
● Bash: .sh
● PHP: .php
● Python: .py
● Node.js: .js
● Java: .jar
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview
ACI is a serverless container platform that allows you to run Docker containers on demand without the need for infrastructure management. When you create an ACI instance, you need to specify the CPU and memory size:
● CPU - the number of CPU cores you want to allocate to your container. The maximum number of vCPUs you can assign is determined by the region and SKU you select.
● Memory - the amount of memory you want to allocate to your container. You can start an ACI instance with as little as 1 GiB of memory. As with CPU, the region and SKU you choose determine the maximum amount of memory you can assign.
To ensure that you have enough capacity to handle your workload at all times, you can use auto-scaling to define rules that automatically increase or decrease the number of container instances based on your workload's CPU or memory utilization. You can also manually scale your ACI instances using the Azure Portal, CLI, or PowerShell.
Container Groups
In Azure, a container group is a collection of containers that are scheduled on the same host machine and share the same lifecycle, resources, local network, and storage volumes. This means that you can use ACI to deploy a multi-container application as a single unit. Multi-container groups are useful when you need to split a single functional job across a few container images.
The minimum CPU and memory that you can allocate to a container group is 1 CPU and 1 GiB of memory, while the maximum resources for a container group depend on the resource availability for ACI in the deployment region.
Container groups can share an externally accessible IP address, one or more ports on that address, and a DNS label with a fully qualified domain name (FQDN). To enable external clients to connect to a container in the group, you need to expose the port on both the IP address and the container. Take note that when you delete the container group, its IP address and FQDN are released.
The supported external volumes that you can mount within a container group are:
● Azure file share
● Secret
● Empty directory
● Cloned git repo
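A two-container group with a shared public IP address, exposed port, DNS label and an empty-directory volume, as an added Azure PowerShell example (Az.ContainerInstance 3.x cmdlets) that is not from the study guide. The resource group, group and container names, region, DNS label and the sample images from Microsoft's public registry are assumptions.

```powershell
# Added example, not from the study guide; names, region, DNS label and images are assumptions.
$rg       = "td-aci-rg"
$location = "eastus"
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Group-level port: the group's single public IP exposes TCP 80 to external clients
$groupPort = New-AzContainerGroupPortObject -Port 80 -Protocol TCP

# Empty-directory volume: shared by every container in the group and released with the group
$scratch = New-AzContainerGroupVolumeObject -Name "scratch" -EmptyDir @{}
$mount   = New-AzContainerInstanceVolumeMountObject -Name "scratch" -MountPath "/mnt/scratch"

# Container 1: the web front end. The port must be exposed on the container as well as on the group IP.
$webPort = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
$web = New-AzContainerInstanceObject -Name "web" -Image "mcr.microsoft.com/azuredocs/aci-helloworld" `
        -RequestCpu 1 -RequestMemoryInGb 1.5 -Port $webPort -VolumeMount $mount

# Container 2: a sidecar that shares the host, lifecycle, localhost network and the volume,
# but is not reachable from outside because it exposes no port on the group IP.
$sidecar = New-AzContainerInstanceObject -Name "sidecar" -Image "mcr.microsoft.com/azuredocs/aci-tutorial-sidecar" `
        -RequestCpu 1 -RequestMemoryInGb 1 -VolumeMount $mount

# Group totals (2 CPU, 2.5 GiB) must stay within the region's ACI resource availability
$group = New-AzContainerGroup -ResourceGroupName $rg -Name "td-group" -Location $location `
    -Container @($web, $sidecar) -OsType Linux `
    -IPAddressType Public -IPAddressPort $groupPort -IPAddressDnsNameLabel "td-group-demo" `
    -Volume $scratch -RestartPolicy OnFailure

# FQDN <dns-label>.<region>.azurecontainer.io and the IP are released when the group is deleted
$group.IPAddressFqdn
$group.IPAddressIP
```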
Containers, cloud-native, and microservices are all used in modern software development and deployment. A container is a standalone executable package that contains everything needed to run a piece of software, creating an isolated environment for the application. Microservices are an architectural paradigm for developing applications that are composed of small, independent services. This enables teams to autonomously build, deploy, and grow their services, increasing the speed and agility of the development process.
In Microsoft Azure, there is a fully managed service called Azure Container Apps, where you can deploy, manage, and scale multi-container applications and microservices. You can run your containers without worrying about the challenges of managing cloud infrastructure and complex container orchestration solutions. To understand how this service works, we'll walk through a series of step-by-step tutorials on creating Container Apps.
In this section, we'll learn how to create, configure, and deploy Azure Container Apps using Docker images. The container images will be retrieved from Docker Hub, which is a repository of container images from software vendors, open-source projects, and the community.
For this tutorial, we will configure Azure Container Apps using the Azure Portal. The first step is to search for the keyword "container apps" and click "Create container app".
1. Once you're in the configuration settings, you must fill in the details marked with a red asterisk.
2. The Container Apps Environment field is filled in automatically by default, but you can also configure it based on your needs. When you click Create new, you'll be taken to the Create Container Apps Environment page, which includes the following tabs:
a. Basics - configure the environment name and zone redundancy.
b. Monitoring - create a Log Analytics workspace to store application logs.
c. Networking - select the default or a custom virtual network.
3. Next is the App settings tab; untick "Use quickstart image" to use a custom image from Docker Hub. Then select an image from Docker Hub; the container image we will use is Grafana.
4. After you copy the Grafana image and tag, fill in the following details:
Note: If you don't specify the image's tag version, you'll always get the latest version, so the same deployment can pull different code over time; pin a specific tag for anything beyond a test.
5. If you scroll down, you'll see an Application ingress settings section. Don't forget to enable ingress, select "Accepting traffic from anywhere", and set the target port of the container. This is the port your container is listening on that will receive traffic.
The main reason we need to enable ingress is so we can generate an application URL. Note that the insecure connections option generates a plain HTTP URL.
6. The Tags tab is optional, but as a best practice Azure recommends that you always add tags to organize your Azure resources.
7. Before creating the container app, review all the details, and once you're done, click Create. You'll then be redirected to the Deployment is in progress page. The deployment will take a few minutes to complete.
8. To verify the app that you’ve just deployed, go to resource and find the application URL.
9. After clicking the application URL, you’ll be redirected to the Grafana app container.
10. That's it! You've now deployed a Grafana image from Docker Hub in a few steps. Grafana is basically a dashboard to monitor the health and performance of all your resources in one platform. If you want to know more about its features and how it works, check out this article.
Reference:
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-overview
AKS lets you deploy a managed Kubernetes cluster in Azure. Kubernetes is an open-source tool for orchestrating and managing many container images and applications. You use clusters and pods to deploy and scale applications. AKS also supports horizontal scaling, self-healing, load balancing, and secret management, and it automatically monitors application load to determine when to scale the number of containers used.
Components
● The control plane is a managed Azure resource. It is where the core components run, including the API server and the cluster database (etcd).
○ kube-apiserver – allows communication with management tools (kubectl).
○ etcd – a key-value store within Kubernetes.
○ kube-scheduler – determines which nodes should run a workload.
○ kube-controller-manager – oversees the smaller controllers that handle node operations and replication of pods.
● Kubernetes runs an application on your instances using pods.
● A node hosts several pods, and node pools are groups of nodes with the same configuration.
● Use a node selector to control where a pod should be placed.
● Run at least 2 nodes in the default node pool to ensure your cluster operates reliably.
● Multi-container pods are placed on the same node and allow containers to share related resources.
● You can specify maximum resource limits that prevent a given pod from consuming too much compute resource from the underlying node.
● A deployment determines the number of replicas (pods) to be created, but you must define a manifest file in YAML format first.
● With StatefulSets, you can maintain the application's state within a single pod life cycle.
● Resources are logically grouped into a namespace, and a user may only interact with resources within their assigned namespaces.
Storage
A volume is used for storing, retrieving, and persisting data across pods and throughout the application lifecycle. You can either manually create data volumes to be assigned to pods or have Kubernetes create them for you. The data volumes that you can use are:
● Azure Disks - only available to a single node.
● Azure Files - share data across multiple nodes and pods.
● Azure NetApp Files
● Azure Blobs - mounted using the NFS v3.0 protocol or BlobFuse.
A persistent volume is a storage resource created and managed by the Kubernetes API that can exist beyond the lifetime of a single pod. To back the PersistentVolume, you can use either Azure Disks or Azure Files. A PersistentVolume can be created statically by a cluster administrator or dynamically through the Kubernetes API. Keep in mind that Windows and Linux pods cannot share persistent volumes because of differences in file systems.
If you need to define different tiers of storage (Premium or Standard) and a reclaimPolicy, you can create a StorageClass. When you delete a persistent volume, what happens to the underlying Azure storage resource is controlled by the reclaimPolicy: the storage can be deleted or kept for future use with a pod.
Lastly, a persistent volume claim requests storage of a particular StorageClass, access mode, and size. If no existing resource can fulfill the claim based on the defined StorageClass, the Kubernetes API server can dynamically provision the underlying Azure storage resource.
Scaling
When running applications in a Kubernetes cluster, there will be times when you need to increase or decrease the amount of compute resources to handle a specific workload. In AKS, you can manually scale pods or nodes to maintain a fixed amount of resources and cost. You define the replica or node count when manually scaling. Based on that replica or node count, the Kubernetes API schedules the creation of additional pods or the draining of nodes.
If the requirement is to scale based on demand, then use the horizontal pod autoscaler (HPA) to monitor the resource and automatically scale the number of replicas. By default, the HPA checks the Metrics API every 15 seconds for any required change in the replica count, but the Metrics API retrieves data from the Kubelet every 60 seconds. You need to define the minimum and maximum number of replicas that can run when you configure the HPA. You also specify the metric on which to base any scaling decisions, such as CPU usage.
Since the HPA is for scaling pods, Kubernetes has a cluster autoscaler that adjusts the number of nodes in the node pool based on the requested compute resources. By default, the cluster autoscaler checks the Metrics API every 10 seconds. It is common practice to combine horizontal pod autoscalers and cluster autoscalers: the former changes the number of pods in response to application demand, while the latter changes the number of nodes required to accommodate those additional pods.
If you need to rapidly scale your AKS cluster, integrate it with Azure Container Instances. The virtual nodes component is installed in your AKS cluster and presents ACI as a virtual Kubernetes node. Kubernetes can then schedule pods that run as ACI instances via virtual nodes, rather than pods that run directly on VM nodes in your AKS cluster. You don't need to modify your application to use virtual nodes. As the cluster autoscaler deploys new nodes in your AKS cluster, deployments can scale across AKS and ACI with no delay.
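Manual pod and node scaling next to a CPU-based horizontal pod autoscaler with minimum and maximum replicas, as an added Azure PowerShell plus kubectl example that is not from the study guide. The resource group, cluster, namespace and deployment names are assumptions, and the deployment named web is assumed to declare a CPU request.

```powershell
# Added example, not from the study guide. Cluster, resource group, namespace and deployment
# names are assumptions; the deployment "web" is assumed to declare a CPU request.
$rg      = "td-aks-rg"
$cluster = "td-aks"
$ns      = "shop"

# Merge the cluster's credentials into the local kubeconfig for kubectl
Import-AzAksCredential -ResourceGroupName $rg -Name $cluster -Force

# Manual scaling: fixed counts for pods (replicas) and nodes; capacity and cost stay constant
kubectl scale deployment web -n $ns --replicas=3
Set-AzAksCluster -ResourceGroupName $rg -Name $cluster -NodeCount 3 | Out-Null

# Demand-based scaling: the HPA keeps average CPU near the target, between min and max replicas.
# The percentage is relative to the pod's CPU *request*, so without a request the HPA has no
# baseline and reports the metric as <unknown>.
$hpa = @"
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web-hpa
  namespace: $ns
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
"@
$hpa | kubectl apply -f -

# Node-level autoscaling is enabled per node pool on the cluster (for example with
# New-AzAksCluster -EnableNodeAutoScaling -NodeMinCount 2 -NodeMaxCount 6 at creation time),
# so the extra pods the HPA schedules have nodes to land on.

# Inspect the controller's view: current vs. desired replicas and the observed CPU percentage
kubectl get hpa web-hpa -n $ns
kubectl describe hpa web-hpa -n $ns
```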
Network Connections
Each pod in a Kubernetes cluster is assigned a unique IP address, and pods can communicate with one another using these IP addresses. Kube-proxy is a component of Kubernetes networking that enables efficient and reliable communication between different components in a cluster. Services in Kubernetes provide a consistent endpoint for accessing a collection of pods and can be used to load balance traffic across multiple pods.
When you create a LoadBalancer-type Service, you also create an underlying Azure load balancer resource. The load balancer is configured to distribute traffic at layer 4. With ingress controllers, you can distribute application traffic (layer 7) based on the inbound URL.
In AKS, you can create a cluster that uses one of the following network models:
● Kubenet networking - network resources are typically created and configured as the AKS cluster is deployed.
● Azure CNI networking - the AKS cluster is connected to existing virtual network resources and configurations.
To filter network traffic to AKS nodes, you need a network security group. When you create Services, the Azure platform automatically configures any network security group rules that are required. Since the Azure platform creates the NSG, you only need to define the required ports and forwarding as part of your Kubernetes Service manifests.
By default, all pods in an AKS cluster can send and receive traffic without restriction. To improve security, you can use network policies to apply traffic filter rules to pods. Network policy is a Kubernetes feature that allows you to manage the flow of traffic between pods in AKS. You can allow or restrict traffic to specific pods by specifying criteria such as assigned labels, namespace, or traffic port. While network security groups are better suited to AKS nodes, network policies are a more cloud-native approach to controlling pod traffic flow. Since pods are created dynamically in AKS clusters, the necessary network policies can be applied automatically.
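A default-deny network policy with one explicit allow rule, applied with kubectl from PowerShell and then verified from test pods, as an added example that is not from the study guide. The namespace, labels and the Service name db are assumptions, and policies are only enforced when the cluster was created with a network policy engine (Azure or Calico).

```powershell
# Added example, not from the study guide; namespace, labels and the "db" Service are assumptions.
# Without a network policy engine on the cluster, the API server stores these objects but nothing
# filters traffic, which is why the probe at the end matters.
$ns = "shop"
kubectl create namespace $ns --dry-run=client -o yaml | kubectl apply -f -

# 1. Default deny: an empty podSelector matches every pod in the namespace, and listing Ingress
#    with no rules allows nothing in, from this namespace or any other.
$denyAll = @"
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
"@

# 2. Explicit allow: only pods labelled app=web may reach app=db pods, and only on TCP 5432.
#    Policies are additive, so this opens exactly one path through the default deny.
$allowWebToDb = @"
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 5432
"@

$denyAll      | kubectl apply -f -
$allowWebToDb | kubectl apply -f -
kubectl get networkpolicy -n $ns

# 3. Verify enforcement: an unlabelled pod must be blocked, a pod labelled app=web must connect
kubectl run probe-denied --rm -it --restart=Never -n $ns --image=busybox -- `
    sh -c "nc -z -w 3 db 5432 && echo REACHED || echo BLOCKED"
kubectl run probe-allowed --rm -it --restart=Never -n $ns --labels="app=web" --image=busybox -- `
    sh -c "nc -z -w 3 db 5432 && echo REACHED || echo BLOCKED"
```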
Reference:
https://learn.microsoft.com/en-us/azure/aks/intro-kubernetes
Resource groups
● A container that holds related resources.
● You can create a resource group using the Azure Portal, PowerShell, CLI, or an ARM template.
● Each resource can only exist in a single resource group.
● You can add or remove resources to any resource group at any time.
● Allows you to move a resource from one resource group to another.
● Resources from multiple regions can be in one resource group.
● You can give users access to a resource group.
● Resources can interact with other resources in different resource groups.
● A resource group has a location or region, as it stores metadata about the resources.
● When you delete a resource group, it also deletes all of its resources.
ARM templates
● The template is a JSON file with declarative syntax that defines the properties and configuration of
your resources. It is divided into the following sections:
○ Parameters - values that allow the same template to be used in multiple environments.
○ Variables - values that can be reused in templates.
○ User-defined functions - customized functions to simplify the template.
○ Resources - define the resources to be deployed.
○ Outputs - values from deployed resources.
● When a template is deployed, ARM converts it into REST API operations.
● You can specify an apiVersion so that you can reuse the template without worrying about breaking
changes introduced in later versions.
● To make sure your template adheres to suggested best practices, use the ARM template test toolkit (arm-ttk).
● Before deploying the template, you can preview changes using the what-if operation.
● To deploy a template, you can use the following:
○ Azure Portal
○ Azure CLI
○ Azure Cloud Shell
○ PowerShell
○ REST API
○ Button in a GitHub repository
● An application can be defined in a single template or divided into purpose-specific templates (modular files). You can also create a parent template that links all the nested templates.
○ Linked template - a separate template file that is linked from the primary template.
○ Nested template - an embedded template within the main template.
● You can share a template using template specs and manage access to it using role-based access control (RBAC).
● You can also get the template of an existing resource group by exporting it.
● With Azure Pipelines, you can continuously build and deploy ARM template projects.
● You are only charged for the resources deployed by the ARM template.
Infrastructure as Code (IaC) is a method of running IT infrastructure that automates, configures, and manages systems and networks using scripts or code. It can work with a variety of file formats, including JSON and YAML. YAML (YAML Ain't Markup Language) is a data serialization format that is commonly used in Ansible, Kubernetes, and other tools, while JSON (JavaScript Object Notation) is a popular data interchange format that is frequently used in AWS CloudFormation, Terraform, and other tools. Both YAML and JSON are simple to understand and can be used in a variety of IaC tools.
Azure Resource Manager (ARM) templates are a capability of Microsoft Azure that allows you to provision, manage, and delete Azure resources using declarative syntax. These templates can be used to deploy and manage resources such as virtual machines, storage accounts, and virtual networks in a consistent and repeatable manner. To deploy a template, you can use the Azure Portal, Azure CLI, or Azure PowerShell.
In this section, we'll use the Azure Portal to create, deploy, and export resources using ARM templates:
2. Begin with a quickstart template, type "docker-simple-on-ubuntu", and press Next. Add the required parameters, such as resource group, username, DNS name, and password, then click Create.
3. You can also modify the template based on your requirements before creating the resources.
4. Once the deployment is successful, go to the selected resource group and you'll see the resources created from the ARM template.
5. When the Azure resources are no longer needed, you can clean them up by deleting the resource group.
Exporting Template
If you want to save the current state of the resource group, scroll down to the Automation section and
click Export template, then click the download button.
Before reusing the template for production deployments, you may want to revise it, since the template we used is a quickstart template.
1. Now that you've learned how to deploy using a quickstart template, let's try creating an ARM template from scratch. Go back to the "Deploy a custom template" page and click Build your own template in the editor.
2. Once you are redirected to the editor page, you'll see that there are no parameters, variables, or resources. In this section, we'll create and deploy an Azure web app template.
3. Click Add resource, select Web app, fill in the remaining fields, and press OK.
4. On the editor page, you'll notice that a JSON template has been generated. Feel free to change any of the parameters based on your requirements.
5. If you want to keep the template you've created, click the Download button. Now save the template; you'll be redirected to the configuration of the resource. Fill in the required fields and click Create.
6. After the deployment is completed, go to the resource group and select the web app you've created. To confirm that the web app is running, access the URL generated by App Service. The format is https://<web-app-name>.azurewebsites.net/
7. That's how simple it is to create and deploy a custom ARM template for your own project. Again, if you no longer need the resources, don't forget to delete the resource group to avoid unexpected billing in your account.
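The same web app deployment done from a hand-written template with parameters, variables, resources and outputs, validated and previewed with what-if before deployment and exported afterwards, as an added Azure PowerShell (Az.Resources) example that is not from the study guide. The resource group, region, SKU and the template's resource names and API versions are assumptions.

```powershell
# Added example, not from the study guide; resource group, region, SKU and names are assumptions.
$rg       = "td-arm-rg"
$location = "eastus"
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Template with the sections listed above: parameters, variables, resources and outputs
# (no user-defined functions needed here). HTTPS-only, TLS 1.2 and FTPS disabled are part of the
# resource definition, so every deployment from this template starts hardened.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "webAppName": { "type": "string", "minLength": 2 },
    "sku": { "type": "string", "defaultValue": "S1", "allowedValues": [ "F1", "B1", "S1", "P1v2" ] }
  },
  "variables": {
    "planName": "[concat(parameters('webAppName'), '-plan')]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2022-03-01",
      "name": "[variables('planName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "[parameters('sku')]" },
      "kind": "linux",
      "properties": { "reserved": true }
    },
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "[parameters('webAppName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]" ],
      "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('planName'))]",
        "httpsOnly": true,
        "siteConfig": { "linuxFxVersion": "PYTHON|3.11", "minTlsVersion": "1.2", "ftpsState": "Disabled" }
      }
    }
  ],
  "outputs": {
    "defaultHostName": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Web/sites', parameters('webAppName'))).defaultHostName]"
    }
  }
}
'@
$templateFile = Join-Path $PWD "webapp.json"
Set-Content -Path $templateFile -Value $template

# Web app names are global, so a random suffix avoids collisions in this demo
$params = @{ webAppName = "td-portal-demo-$(Get-Random -Maximum 9999)"; sku = "S1" }

# 1. Validate syntax and resource-provider rules without creating anything (empty output = valid)
Test-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templateFile -TemplateParameterObject $params

# 2. What-if: preview the create/modify/delete set before committing
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templateFile -TemplateParameterObject $params -WhatIf

# 3. Deploy, then read the output value
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $rg -Name "webapp-demo" `
    -TemplateFile $templateFile -TemplateParameterObject $params
"https://$($deployment.Outputs.defaultHostName.Value)/"

# 4. Export the resource group's current state as a template for reuse
Export-AzResourceGroup -ResourceGroupName $rg -Path (Join-Path $PWD "exported")
```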
Storage account type | Supported services | Performance tiers | Access tiers | Replication options | Deployment model | Encryption
General-purpose V2 | Blob, File, Queue, Table, Disk, and Data Lake Gen2 | Standard, Premium | Hot, Cool, Archive | LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS | Resource Manager | Encrypted
General-purpose V1 | Blob, File, Queue, Table, and Disk | Standard, Premium | N/A | LRS, GRS, RA-GRS | Resource Manager, Classic | Encrypted
BlockBlobStorage | Blob (block and append blobs only) | Premium | N/A | LRS, ZRS | Resource Manager | Encrypted
FileStorage | File only | Premium | N/A | LRS, ZRS | Resource Manager | Encrypted
BlobStorage | Blob (block and append blobs only) | Standard | Hot, Cool, Archive | LRS, GRS, RA-GRS | Resource Manager | Encrypted
A storage account in Azure gives your data a unique namespace. Every object you save to Azure Storage has a unique address that includes your account name. The endpoints for your storage account are formed from the account name and the Azure Storage service endpoint:
● Blob storage: https://tutorialsdojo.blob.core.windows.net
● Table storage: https://tutorialsdojo.table.core.windows.net
● Queue storage: https://tutorialsdojo.queue.core.windows.net
● Azure Files: https://tutorialsdojo.file.core.windows.net
● Azure Data Lake Storage Gen2: https://tutorialsdojo.dfs.core.windows.net
Azure Storage keeps several copies of your data to protect it from both planned and unexpected events, such as transient hardware failures, network or power outages, and massive natural disasters. Even in the event of a failure, redundancy guarantees that your storage account meets its availability and durability targets. The greater the level of redundancy, the higher the cost of replication.
The data in the storage account is copied to a secondary region. This redundancy option is mainly used for applications that require high durability since the data is durable even if there's a complete regional outage or disaster in the primary region. Also, the paired secondary region is determined based on the selected primary region, and can't be changed.
The data is replicated to another location in the secondary region, and it is only available for read access. For example, if the primary region becomes unavailable, your data is still available to be read at all times in the secondary region. You can only enable read access to the following redundancy options:
Durability of objects over a given year:
LRS: at least 99.999999999% (11 9's)
ZRS: at least 99.9999999999% (12 9's)
GRS: at least 99.99999999999999% (16 9's)
GZRS: at least 99.99999999999999% (16 9's)
Read request availability:
LRS: At least 99.9% (99% for cool access tier)
ZRS: At least 99.9% (99% for cool access tier)
GRS: At least 99.9% (99% for cool access tier) for GRS
GZRS: At least 99.9% (99% for cool access tier) for GZRS
Write request availability:
LRS: At least 99.9% (99% for cool access tier)
ZRS: At least 99.9% (99% for cool access tier)
GRS: At least 99.9% (99% for cool access tier)
GZRS: At least 99.9% (99% for cool access tier)
Number of copies of data maintained on separate nodes:
LRS: Three copies within a single region
ZRS: Three copies across separate availability zones within a single region
GRS: Three in the primary region; three in the secondary region
GZRS: Three across separate availability zones in the primary region; three locally redundant copies in the secondary region
The availability and durability of your data during outages is entirely dependent on the type of redundancy configured for your storage account.
Available on region-wide outage in the primary region? LRS: -; ZRS: -; GRS: ✓; GZRS: ✓
Storage Encryption
● All storage accounts are encrypted using Storage Service Encryption (SSE) for data at rest.
● The type of encryption used is 256-bit AES encryption.
● Storage redundancy options support the encryption of data.
● You can use a Microsoft-managed key, a customer-managed key, or a customer-provided key to manage the encryption of your data.
Encryption/decryption operations: Microsoft-managed keys: Azure; Customer-managed keys: Azure; Customer-provided keys: Azure
Azure Storage services supported: Microsoft-managed keys: All; Customer-managed keys: Blob storage, Azure Files; Customer-provided keys: Blob storage
Key rotation responsibility: Microsoft-managed keys: Microsoft; Customer-managed keys: Customer; Customer-provided keys: Customer
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
Versioning - when you enable blob versioning, you can easily restore an earlier version of a blob to recover your data. If you disable the versioning of the blob, it does not delete existing blobs, versions, or snapshots.
Snapshots - a read-only version of a blob that was taken at a given point in time. The snapshots persist until they are explicitly deleted.
Object Replication - copies block blobs asynchronously between a source storage account and a destination account. A source account can have up to two destination accounts. But there can be no more than two source accounts in the destination account.
Static Website - serve your static website directly from a storage container named $web. You can grant read-only access in your resources with a public access level. If you want to configure a custom domain endpoint for your website, you can use Azure CDN.
Access Tiers
1. Hot
○ Highest storage costs, but lowest access costs
○ Store data that is accessed frequently
○ By default, new storage accounts are created in the hot tier
2. Cool
○ Lower storage costs, but higher access costs
○ Store data that is infrequently accessed (at least 30 days)
○ You can use a cool access tier for short-term backup.
3. Archive
○ Lowest storage costs, but the highest retrieval costs
○ Store data that is rarely accessed (at least 180 days)
○ Data needs to be stored for a long time.
Availability (RA-GRS reads): Hot: 99.99%; Cool: 99.90%; Archive: Offline
Minimum storage duration: Hot: N/A; Cool: 30 days; Archive: 180 days
When using access tiers, there are important tiering concepts that you also need to know: account-level tiering and blob-level tiering. Let's first describe account-level tiering. If a blob doesn't have an explicitly assigned tier, it infers the tier from the storage account's access tier setting. Take note that you can only set the hot and cool access tiers as the default account access tier, since the archive tier can only be set at the object level.
The next concept, blob-level tiering, allows you to upload data to the access tier of your choice. This means that you can select your preferred access tier and then change the blob's access tier as your usage patterns change. All tier change requests are processed immediately, and changes between the hot and cool tiers are done instantly. But if you move a blob from the archive tier into another tier, this takes several hours. This process is called rehydrating.
If you want to transition your data to the appropriate access tiers, you can configure a lifecycle rule in blob lifecycle management. The transitions you can configure are: blob to cool storage, blob to archive storage, and deleting the blob at the end of its lifecycle.
In blob-level tiering, when a blob is uploaded or moved to a different tier, you are charged at the new tier's rate immediately. Let's say you move a blob to a cooler tier: the operation billed to you is a write operation to the destination tier. But if you moved it to a hotter tier, the operation billed to you is a read operation from the source tier. There are also charges for early deletion if a blob is moved out of the cool or archive tier. To conclude how tier changes are billed, let's take a look at the table below:
Write charges (Operation + Access) | Read charges (Operation + Access)
● AzCopy is a command-line utility that allows you to transfer blobs or files to or from a storage account.
● You can use Microsoft Entra ID and SAS tokens to provide authorization credentials.
● These are the tasks that you can do using AzCopy:
○ Upload files
○ Download blobs and directories
○ Copy blobs, directories, and containers between accounts.
○ Synchronize local storage
● You can run AzCopy on Windows, Linux, and macOS.
● AzCopy method of authorization
○ Azure Blob storage - Microsoft Entra ID and Shared Access Signature
○ Azure Files - Shared Access Signature only
● A shared access signature (SAS) is a uniform resource identifier (URI) that grants restricted access to your storage account. You can share the URI to grant users temporary access to a specific set of permissions. There are three types of shared access signatures:
○ User Delegation SAS - provides access to storage accounts using Microsoft Entra ID credentials. This SAS is only applicable to Blob storage.
○ Service SAS - grants access to one Azure storage service (Blob, Queue, Table, Files) using a storage account key.
○ Account SAS - provides access to one or more storage services using a storage account key.
● A shared access signature can be in different forms:
○ Ad hoc SAS - start time, expiry time, and permissions are specified in the URI. The three types of SAS can be an ad hoc SAS.
○ Service SAS with stored access policy - the stored access policy is defined on a resource container (blob container, file share, table or queue). The policy can be used to manage constraints to multiple SAS.
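A defender-side check for the SAS properties listed above, added here as an example that is not part of the study guide or of any Microsoft tool. It parses the query parameters of a SAS URL (sp, st, se, sip, spr, si, ss, skoid, sig), classifies the token as ad hoc, stored-access-policy, account or user delegation SAS, and flags tokens that are long-lived, carry mutating permissions, allow plain HTTP or have no source IP restriction. The sample URLs, the 7-day threshold and the policy name readonly-policy are constructed for the example; the signature values are placeholders, and the code does not verify signatures.

```python
"""Audit a shared access signature (SAS) URL for risky properties.

Added example, not part of the study guide or of Microsoft's tooling. It only
inspects the SAS query parameters; it does not validate the signature.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Permission letters that let the holder change or remove data:
# a=add, c=create, w=write, d=delete, x=delete version, y=permanent delete,
# m=move, o=ownership, p=permissions.
MUTATING_PERMISSIONS = set("acwdxymop")


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters (sv, sp, st, se, sip, spr, si, sig, ...) as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def sas_kind(params: dict) -> str:
    """Classify the SAS from the parameters that only one kind carries."""
    if "skoid" in params:   # user delegation key object ID: signed with Microsoft Entra credentials
        return "user delegation SAS"
    if "ss" in params:      # signed services: account SAS spanning one or more services
        return "account SAS"
    if "si" in params:      # signed identifier: service SAS bound to a stored access policy
        return "service SAS with stored access policy"
    return "ad hoc service SAS"


def parse_sas_time(value: str) -> datetime:
    """SAS times are UTC; the seconds and time part are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def audit_sas(url: str, now: datetime, max_lifetime: timedelta = timedelta(days=7)) -> dict:
    """Return the SAS kind, its sorted permission letters and a list of findings."""
    params = parse_sas(url)
    findings = []
    perms = set(params.get("sp", ""))
    risky = perms & MUTATING_PERMISSIONS
    if risky:
        findings.append("grants mutating permissions: " + "".join(sorted(risky)))
    if "se" in params:
        expiry = parse_sas_time(params["se"])
        if expiry <= now:
            findings.append("expired")
        elif expiry - now > max_lifetime:
            findings.append(f"lifetime exceeds {max_lifetime.days} days")
    elif "si" not in params:   # an ad hoc SAS must carry its own expiry
        findings.append("no expiry and no stored access policy")
    if params.get("spr", "https,http") != "https":   # absent spr means both protocols are accepted
        findings.append("not restricted to HTTPS")
    if "sip" not in params:
        findings.append("no source IP restriction")
    if "sig" not in params:
        findings.append("no signature parameter")
    return {"kind": sas_kind(params), "permissions": "".join(sorted(perms)), "findings": findings}


# Constructed sample URLs; the sig values are placeholders, not real signatures.
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)
RISKY_SAS_URL = ("https://tutorialsdojo.blob.core.windows.net/backups/db.bak"
                 "?sv=2022-11-02&sr=b&sp=racwd&st=2024-05-01T00:00:00Z"
                 "&se=2025-05-01T00:00:00Z&sig=PLACEHOLDER")
SAFE_SAS_URL = ("https://tutorialsdojo.blob.core.windows.net/backups"
                "?sv=2022-11-02&sr=c&sp=rl&si=readonly-policy&se=2024-05-03T00:00:00Z"
                "&spr=https&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")

if __name__ == "__main__":
    for url in (RISKY_SAS_URL, SAFE_SAS_URL):
        print(audit_sas(url, NOW))
```

The stored-access-policy case is worth noting: when a token is bound to a policy (si), the expiry and permissions can live in the policy rather than in the URL, so a clean audit of the URL alone does not prove the policy itself is short-lived; the policy on the container must be reviewed as well.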
The Azure Import/Export service allows you to import large amounts of data to Blob storage and Files by shipping the disk drives to an Azure data center. You can also use this service to transfer data from Blob storage to disk drives and then ship it to your on-premises environment. The data from one or more drives can be imported to Blob storage or Files.
The WAImportExport tool is a command-line tool that you can use to prepare the disk drives that are shipped for import. By using this tool, it will be easier to copy your data to the drive. The data on the drive is encrypted with AES 256-bit BitLocker. To protect your BitLocker key, you can use an external key protector. You can also use this tool to generate the drive journal files used during import creation and identify the number of drives needed for export jobs.
The disk drives that you can ship to the Azure data center can be solid-state drives (SSDs) or hard disk drives (HDDs). When you create an import job, the disk drives you ship contain data. But when you create an export job, the drives you ship to the data center are empty disk drives.
An import job allows you to import data into Azure Blobs or Azure Files, whereas the export job allows data to be exported from Azure Blobs. For an import job, you ship drives containing your data. When you create an export job, you ship empty drives to an Azure datacenter. In each case, you can ship up to 10 disk drives per job.
● Data migration to the cloud - transfer large amounts of data to Azure in a timely and cost-effective manner.
● Content distribution - send data to your clients' websites in a timely manner.
● Backup - back up your on-premises data and save it on Azure Storage.
● Data recovery - recover a significant quantity of data and have it delivered to your on-premises location.
References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-service
Azure Files
Storage Tiers
Redundancy options: Premium: It is available for locally redundant (LRS) and zone redundant (ZRS) storage. Standard: It is available for locally redundant, zone redundant, geo-redundant (GRS), and geo-zone redundant (GZRS) storage.
Regional availability: Premium: File shares are not available in each region, but zone redundant support is available in a smaller subset of regions. Standard: Available in every Azure region.
● Transform an on-premises (or cloud) Windows Server into a quick cache of your Azure file share.
● Use Azure File Sync agent to synchronize files from a server to an Azure file share.
● To create sync groups, you need to deploy a Storage Sync Service.
● A sync group defines the sync relationship between a cloud endpoint and a server endpoint.
○ Cloud endpoint – represents an Azure file share and multiple server endpoints.
○ Server endpoint – a path registered on the Windows Server.
○ When you make changes to your cloud endpoint or server endpoint, your files are
automatically synced to your sync group’s remaining endpoints.
○ When you make a change directly to the cloud endpoint, Azure files must first detect it via a
change detection job, which only happens once every 24 hours.
○ A change detection job enumerates all the files in the file share and compares it to the sync
version of that file. When the change detection job determines that there are changes, Azure
File sync will initiate a sync session.
● The sync group you created should only have one cloud endpoint.
● A sync group may have server endpoints with different Active Directory memberships, even if they
are not domain-joined.
● The storage accounts used for Azure Files deployments are:
○ General purpose version 2 (GPv2) storage accounts
○ FileStorage storage accounts
● You can use cloud tiering to cache frequently accessed files locally on the server.
● The service supports interop with DFS Namespaces (DFS-N) and DFS Replication (DFS-R).
○ DFS-N allows you to group shared folders located on multiple servers into one or more
logically structured namespaces.
○ DFS-R enables you to replicate folders across multiple servers and sites.
● Azure File Sync has three layers of encryption:
○ Encryption at rest (Windows Server)
○ Encryption in transit
○ Encryption at rest (Azure file share)
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction
A network security group controls the inbound and outbound traffic of Azure resources, while an application security group allows you to define a group of virtual machines and define network security policies based on those groups.
● The rules are processed from lowest to highest numbers.
● You can set a number between 100 and 4096.
● The rules can be applied to both inbound or outbound traffic.
● You can allow or deny incoming or outgoing traffic.
● When you create a network security group, Azure assigns default security rules for inbound and
outbound traffic.
● NSG can be attached to a subnet or a network interface. Refrain from attaching a network security
group to both subnet and network interface.
Rules are processed in priority order, with lower numbers processed before higher numbers since lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
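To make the priority-order processing concrete, here is an added example (not code from the study guide) that models inbound NSG evaluation in Python. The three default inbound rules, their priorities and the Azure load balancer health-probe address 168.63.129.16 are real; the custom rules, the VNet prefix and the Rule class are constructed for the example, and the model omits the source port ranges and destination address prefixes that real rules also carry. The shadowed_rules check reports exactly the situation the paragraph describes: a lower-priority rule whose attributes match a higher-priority rule is never processed.

```python
"""Evaluate Azure network security group (NSG) rules in priority order.

Added example, not from the study guide: a simplified model of inbound NSG
processing. Real rules also carry source port ranges and destination address
prefixes, which are omitted here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096 for custom rules; the default rules use 65000-65500
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR prefix, "*", or one of the service tags modelled below
    dest_port: str    # single port, "low-high" range, or "*"


AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # source of Azure load balancer health probes

# The three inbound rules Azure adds to every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules for the example; the third has the same attributes as the second.
CUSTOM_INBOUND = [
    Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
    Rule("DenySshFromAnywhere", 200, "Inbound", "Deny", "Tcp", "*", "22"),
    Rule("AllowSshFromAnywhere", 300, "Inbound", "Allow", "Tcp", "*", "22"),
]
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]  # constructed address space behind the VirtualNetwork tag
ALL_INBOUND = CUSTOM_INBOUND + DEFAULT_INBOUND


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def source_matches(spec: str, src_ip, vnet_prefixes) -> bool:
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(src_ip in net for net in vnet_prefixes)
    if spec == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return src_ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, direction: str, protocol: str, src: str, port: int, vnet_prefixes=VNET_PREFIXES) -> tuple:
    """Return (access, rule name) of the first matching rule; lower priority numbers are checked first."""
    src_ip = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if source_matches(rule.source, src_ip, vnet_prefixes) and port_matches(rule.dest_port, port):
            return rule.access, rule.name       # first match wins; later rules are never consulted
    return "Deny", "<no matching rule>"         # not reached while the default rules are present


def shadowed_rules(rules) -> list:
    """Rules whose direction/protocol/source/port equal an earlier (lower-numbered) rule are never processed."""
    first_seen, shadowed = {}, []
    for rule in sorted(rules, key=lambda r: r.priority):
        key = (rule.direction, rule.protocol, rule.source, rule.dest_port)
        if key in first_seen:
            shadowed.append((rule.name, first_seen[key]))
        else:
            first_seen[key] = rule.name
    return shadowed


if __name__ == "__main__":
    for src, port in [("10.0.1.5", 22), ("203.0.113.7", 22), ("10.0.2.9", 443), ("203.0.113.7", 443)]:
        print(src, port, evaluate(ALL_INBOUND, "Inbound", "Tcp", src, port))
    print("shadowed:", shadowed_rules(ALL_INBOUND))
```

Two things the run shows that the prose only states: traffic from 10.0.2.9 to port 443 is allowed by the default AllowVnetInBound rule even though no custom rule mentions it (the default rules are part of every evaluation), and AllowSshFromAnywhere at priority 300 is dead weight because DenySshFromAnywhere at 200 matches first.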
VNet peering enables you to connect two virtual networks seamlessly. Plan accordingly before initiating a peer, and ensure that your VNet address ranges do not overlap with one another.
1. Virtual Network Peering - connect virtual networks in the same Azure region.
2. Global Virtual Network Peering - connect virtual networks across different Azure regions.
● Provides a high-bandwidth and low-latency connection between resources in different virtual networks.
● The resources in one virtual network can communicate with resources in another virtual network.
● Enables you to transmit data between virtual networks across Azure subscriptions, Azure regions, Microsoft Entra tenants, and deployment models.
● There is no downtime in either virtual network when creating the peering or after the peering is
created.
● Traffic between virtual networks is private. This means that the communication between the virtual
networks does not require the use of the public Internet, gateways, or encryption.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
● A load balancer distributes incoming network traffic across multiple targets. There are two types of load balancers:
○ Public load balancer - allows outbound connections for your virtual machines.
○ Internal load balancer - controls the flow of traffic inside your private virtual network.
● A group of VMs or instances in a VM scale set serving the incoming request is called a backend pool.
● Determine the health status of backend pool instances with health probes.
○ Health probe down behavior – if the probes in a backend pool fail, it will stop receiving traffic until it starts passing health probes again.
● Use Azure Monitor to check the metrics, alerts, and resource health of Azure Load Balancer.
● High Availability (HA) ports enable load balancing on all ports of TCP and UDP protocols.
● With multiple frontends, you can load balance services on multiple ports and multiple IP addresses.
● SLA guarantees that two or more healthy VMs will always be available.
● The load balancer tiers are: Basic and Standard
● Standard load balancer availability zones:
○ Zonal = single zone
○ Zone-redundant = multiple zones
Backend pool size: Basic: Supports up to 300 instances. Standard: Supports up to 1000 instances.
Backend pool endpoints: Basic: A single availability set for VMs or VM scale set. Standard: A single virtual network for any VMs or VM scale sets.
Health probe down behavior: Basic: TCP connections stay alive on an instance probe down. All TCP connections terminate when all probes are down. Standard: TCP connections stay alive on an instance probe down and on all probes down.
Availability Zones: Basic: Not available. Standard: Zone-redundant and zonal frontends for inbound and outbound traffic.
Secure by default: Basic: Open by default. Network security group optional. Standard: Closed to inbound flows unless allowed by a network security group. Please note that internal traffic from the VNet to the internal load balancer is allowed.
TCP Reset on Idle: Basic: Not available. Standard: Available on any rule.
Multiple frontends: Basic: Inbound only. Standard: Inbound and outbound.
Management Operations: Basic: 60-90+ seconds typical. Standard: Most operations < 30 seconds.
A load balancing rule distributes the incoming traffic to the resources in the backend pool. Health probes can determine which VMs in the backend pool can receive the load-balanced traffic. The load-balancing decision is based on the following connection tuple:
1. Source IP address and port
2. Destination IP address and port
3. Protocol
Session persistence maintains the traffic from a client to the same virtual machine.
1. None – any virtual machine can handle successive requests from the same client.
2. Client IP – the same virtual machine will handle successive requests from the same client IP address.
3. Client IP and protocol – the same virtual machine will handle successive requests from the same client IP address and protocol combination.
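An added example (not from the study guide) showing how the session persistence setting changes which part of the connection is hashed. It goes slightly beyond the list above in naming the tuples Azure uses: "Client IP" hashes the source and destination IP (2-tuple) and "Client IP and protocol" adds the protocol (3-tuple), while "None" hashes the full 5-tuple. Azure's actual hash is internal, so SHA-256 stands in for it; the backend names, flows and the POOL list are constructed for the example.

```python
"""Model of how a load balancing rule picks a backend from the hashed tuple.

Added example, not from the study guide: Azure's hash is internal, so SHA-256
stands in for it here. Backend names and flows are constructed.
"""
import hashlib

POOL = ["vm-web-01", "vm-web-02", "vm-web-03"]  # constructed backend pool


def affinity_key(flow: dict, persistence: str) -> tuple:
    """Return the part of the connection that is hashed for a given session persistence mode."""
    if persistence == "None":
        # Five-tuple: source IP and port, destination IP and port, protocol.
        return (flow["src_ip"], flow["src_port"], flow["dst_ip"], flow["dst_port"], flow["protocol"])
    if persistence == "Client IP":
        # Two-tuple: source IP and destination IP; the client's source port no longer matters.
        return (flow["src_ip"], flow["dst_ip"])
    if persistence == "Client IP and protocol":
        # Three-tuple: source IP, destination IP and protocol.
        return (flow["src_ip"], flow["dst_ip"], flow["protocol"])
    raise ValueError(f"unknown session persistence mode: {persistence}")


def choose_backend(flow: dict, persistence: str, healthy: list) -> str:
    """Hash the affinity key onto the instances currently passing their health probe."""
    if not healthy:
        raise RuntimeError("no backend instance is passing its health probe")
    digest = hashlib.sha256(repr(affinity_key(flow, persistence)).encode()).digest()
    return healthy[int.from_bytes(digest[:8], "big") % len(healthy)]


def distribution(flows: list, persistence: str, healthy: list) -> dict:
    """Count how many of the given flows each healthy backend would receive."""
    counts = {backend: 0 for backend in healthy}
    for flow in flows:
        counts[choose_backend(flow, persistence, healthy)] += 1
    return counts


# Constructed traffic: 30 TCP connections from one client, each with a fresh source port.
CLIENT_FLOWS = [
    {"src_ip": "203.0.113.10", "src_port": 50000 + i, "dst_ip": "20.0.0.5", "dst_port": 443, "protocol": "TCP"}
    for i in range(30)
]
UDP_FLOW = dict(CLIENT_FLOWS[0], protocol="UDP")

if __name__ == "__main__":
    for mode in ("None", "Client IP", "Client IP and protocol"):
        print(f"{mode:24} {distribution(CLIENT_FLOWS, mode, POOL)}")
    # Once an instance fails its probe the modulus changes, so existing mappings can move.
    print("after vm-web-03 fails its probe:", distribution(CLIENT_FLOWS, "Client IP", POOL[:2]))
```

The last line of the run illustrates the caveat behind the health-probe bullet above: persistence is only as stable as the pool, since a backend dropping out of the healthy set changes where hashed flows land.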
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
Azure DNS
Public and Private DNS
The Public DNS handles the domains, DNS zones, DNS records, and record sets. A DNS zone is used to host the DNS records of a particular domain. An example of a domain is "tutorialsdojo.com". It may contain a number of DNS records such as "mail.tutorialsdojo.com" (for a mail server) and "www.tutorialsdojo.com" (for a website). A record set is a collection of DNS records in a zone that have the same name and type. Here is an example of a record set:
www.tutorialsdojo.com. 3600 IN A 12.238.154.93
www.tutorialsdojo.com. 3600 IN A 12.238.157.186
On the other hand, a Private DNS allows you to manage and resolve domain names in a virtual network without adding a custom DNS. The records in a private DNS zone are not reachable through the Internet, and DNS resolution against a private DNS zone is only possible from virtual networks linked to it.
The importing and exporting of zone files is only applicable using the Azure CLI. If a zone file is imported, it generates a new zone in Azure Private DNS. If the zone already exists, the zone file's record sets must be merged with the existing record sets.
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-overview
1. Site-to-Site - creates a secure connection from your on-premises network to an Azure virtual network.
2. VNet-to-VNet - the connection automatically routes to the updated address space if you updated the address space on the other VNet.
In an active-active configuration, each Azure VPN gateway instance will establish S2S VPN tunnels, and the traffic will be routed to multiple tunnels. For an active-passive configuration, the standby instance would only take over if a disruption happens on the active instance.
Supported Services: Cloud Services and Virtual Machines | Cloud Services and Virtual Machines
Connection resiliency: active-passive or active-active | active-passive
VPN Types
1. Policy-based gateway - implements a policy-based VPN. Policy-based VPNs are used to encrypt and direct packets to IPsec tunnels. The policy or traffic selector is defined as an access list in the VPN configuration. You cannot change a policy-based VPN to a route-based VPN and vice versa.
2. Route-based gateway - implements a route-based VPN. Route-based VPNs use routes in the routing table to direct packets to tunnel interfaces. Tunnel interfaces can encrypt and decrypt packets. The policy or traffic selector is configured as wildcards (any-to-any).
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
1. Users
● You can create a new user in your organization or a guest user.
● By enabling Multi-Factor Authentication, you provide additional security by requiring a second form of authentication from the user. The additional forms that can be used with Microsoft Entra ID MFA are:
○ Microsoft Authenticator app
○ OATH hardware token
○ SMS
○ Voice call
● You can also perform the following bulk operations:
○ Bulk create
○ Bulk invite
○ Bulk delete
○ Bulk restore
○ Download users
● Self-service password reset enables users to manage their passwords from any device, at
any time, and from any location.
● In the device settings, you can change the maximum number of devices per user.
● You can assign licenses to multiple users or groups to allow them to use the licensed Microsoft Entra ID services. Licenses are applied per tenant,
and you can't transfer them to other tenants.
2. Groups
● A collection of users, devices, groups, and service principals.
● You can easily manage access to your resources by creating a Microsoft Entra group.
● A user can belong to multiple groups.
● Groups do not have security credentials.
● Group Types:
○ Security – it contains users, devices, groups, and service principals as its members. The users and service principals are the owners of this group.
○ Microsoft 365 – it contains users as its members. Both the users and service principals can be owners of this group.
● Membership type:
○ Assigned – manually add users to be members of the group.
○ Dynamic user – automatically add and remove members using the dynamic membership rules.
○ Dynamic device – automatically add and remove members using the dynamic group rules.
3. Roles
● With external identities, you can allow users outside your organization to sign in using an external identity provider like Facebook and Google.
● Administrative roles can be used to grant access to Microsoft Entra ID and other Microsoft services. There are two types of role definitions:
○ Built-in roles – it has a fixed set of permissions.
○ Custom roles – you can select permissions from a preset list. To create a custom role, you need to have a Microsoft Entra ID P1 or P2 plan.
● A Microsoft Entra resource that can be a container for other Microsoft Entra resources is called an administrative unit. It can only contain users and groups.
4. Devices
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
Azure RBAC
How Permissions are Enforced
Before we dive into how to control access to resources using Azure role-based access control, let's first go through what you can do with this authorization system. Azure RBAC allows you to manage users' access to Azure resources, including what they can do with those resources and what areas they can access. For example, if you want to allow a group of database administrators to only manage SQL databases, then you have to assign an Azure role to that group.
Attaching a role definition to a user, group, service principal, or managed identity to grant access at a particular scope is called a role assignment. You can assign a role using the Azure Portal, PowerShell, CLI, SDKs, or REST APIs.
1. Security Principal – an object representing a user, group, service principal, or managed identity that requests access to Azure resources.
a. User - an entity that you create in Microsoft Entra ID to represent a person who interacts with Azure services.
b. Group - a collection of users created in Microsoft Entra ID.
c. Service Principal - an identity that applications use to gain access to different Azure resources.
d. Managed Identity - an identity in Microsoft Entra ID that is managed by Azure. There are two types of managed identities:
■ System-assigned - when you enable this option, an identity will be created in Microsoft Entra ID and this identity will be tied to the lifecycle of the service instance. Therefore, if the resource is deleted, the identity will automatically be deleted by Azure.
■ User-assigned - since system-assigned is tied with the service instance, the user-assigned identity is managed separately from the resource. You can also assign the created user-assigned managed identity to one or more instances of an Azure service.
2. Role Definition – a list of permissions that can be performed, such as read, write and delete. You can either use the Azure built-in roles or construct your own custom roles if the provided roles don't meet the specific needs of your organization.
a. Built-in roles - since it takes time to create custom roles, you can use the built-in roles managed by Azure to easily grant the permissions needed by the principal.
b. Custom roles - this role's permissions are defined by you. It can also be shared between subscriptions that trust the same Microsoft Entra ID.
3. Scope – the set of resources to which access applies. When you assign a role, you can define a scope to further limit the actions that are permitted. Scopes are structured in a parent-child relationship. You can assign roles at any of these levels:
a. Management Group
b. Subscription
c. Resource Group
Remember that role assignments are transitive for groups. If a user is a member of Group A, and Group A is a member of Group B with a role assignment, then the user will inherit the role assignment's permissions. For multiple overlapping role assignments, the effective permissions are the sum of your role assignments. For example, a user has a Contributor role at the subscription scope and a Reader role in a resource group. The sum of these two permissions is effectively the Contributor role for the subscription.
You can also attach a set of deny actions to a user, group, service principal, or managed identity at a particular scope using deny assignments. Take note that deny assignments take precedence over role assignments. In other words, deny assignments can restrict users from performing a specified action even if they have a role assignment.
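The evaluation rules in the two paragraphs above (transitive group membership, the union of overlapping assignments, NotActions, scope inheritance and deny precedence) as an added Python model that is not part of the study guide or of Azure's own implementation. Role definitions use the Actions, NotActions and AssignableScopes fields of an Azure role definition; Reader and Contributor are the real built-in roles with Contributor's NotActions abbreviated, while the custom role, users, groups, scopes and the deny assignment are constructed for the example. Real deny assignments also carry NotActions and excluded principals, which this model omits.

```python
"""Model of Azure RBAC permission evaluation.

Added example, not the study guide's or Azure's own code. Reader and Contributor
are the real built-in roles (Contributor's NotActions abbreviated); the custom
role, users, groups, scopes and deny assignment are constructed. Real deny
assignments also carry NotActions and excluded principals, omitted here.
"""
import re


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings compare case-insensitively and '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """A scope covers itself and every child scope beneath it (management group > subscription > resource group > resource)."""
    parent = assignment_scope.lower().rstrip("/")
    child = resource_scope.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")


ROLES = {  # same Actions / NotActions / AssignableScopes fields as an Azure role definition
    "Reader": {"IsCustom": False, "Actions": ["*/read"], "NotActions": [], "AssignableScopes": ["/"]},
    "Contributor": {"IsCustom": False, "Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
                    "AssignableScopes": ["/"]},
    "SQL DB Operator": {"IsCustom": True,  # constructed custom role
                        "Actions": ["Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/databases/write"],
                        "NotActions": [], "AssignableScopes": ["/subscriptions/sub1"]},
}

GROUP_MEMBERS = {"engineering": {"dba-team"}, "dba-team": {"alice", "bob"}}  # constructed nested groups
RG1 = "/subscriptions/sub1/resourceGroups/rg1"
EXAMPLE_DB = RG1 + "/providers/Microsoft.Sql/servers/s1/databases/db1"

ROLE_ASSIGNMENTS = [  # (security principal, role, scope)
    ("alice", "Contributor", "/subscriptions/sub1"),
    ("alice", "Reader", RG1),
    ("engineering", "Reader", "/subscriptions/sub1"),
]
DENY_ASSIGNMENTS = [  # (principals, denied actions, scope)
    ({"alice", "bob"}, ["Microsoft.Sql/servers/databases/delete"], RG1),
]


def principals_for(user: str) -> set:
    """The user plus every group reached through nested membership; role assignments are transitive."""
    result, frontier = {user}, {user}
    while frontier:
        frontier = {g for g, members in GROUP_MEMBERS.items() if members & frontier} - result
        result |= frontier
    return result


def role_permits(role: dict, action: str) -> bool:
    """Effective permissions of one role: anything in Actions that is not removed by NotActions."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not excluded


def is_allowed(user: str, action: str, resource_scope: str) -> tuple:
    """Deny assignments are checked first and always win; otherwise any covering role assignment suffices."""
    who = principals_for(user)
    for principals, actions, scope in DENY_ASSIGNMENTS:
        if who & principals and scope_covers(scope, resource_scope) \
                and any(action_matches(p, action) for p in actions):
            return False, "deny assignment"
    for principal, role_name, scope in ROLE_ASSIGNMENTS:
        if principal in who and scope_covers(scope, resource_scope) and role_permits(ROLES[role_name], action):
            return True, f"{role_name} via {principal} at {scope}"
    return False, "no matching role assignment"


def assignable(role_name: str, scope: str) -> bool:
    """A role can only be assigned at or below one of its AssignableScopes."""
    return any(scope_covers(s, scope) for s in ROLES[role_name]["AssignableScopes"])


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Sql/servers/databases/write", EXAMPLE_DB),   # Contributor at subscription
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG1),   # removed by NotActions
        ("alice", "Microsoft.Sql/servers/databases/delete", EXAMPLE_DB),  # blocked by deny assignment
        ("bob", "Microsoft.Sql/servers/databases/read", EXAMPLE_DB),      # Reader inherited via nested group
        ("bob", "Microsoft.Sql/servers/databases/write", EXAMPLE_DB),     # nothing grants write
    ]
    for user, action, scope in checks:
        print(user, action, is_allowed(user, action, scope))
    print("custom role assignable in sub2:", assignable("SQL DB Operator", "/subscriptions/sub2"))
```

The run reproduces the guide's worked case: alice's Reader assignment on the resource group adds nothing to her Contributor assignment on the subscription, but the Contributor NotActions still keep her from writing role assignments, and the deny assignment overrides Contributor for the one delete action it names.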
Classic Subscription Administrator Roles - have full access to an Azure subscription like managing resources using the Azure Portal, Resource Manager API, and the classic deployment model APIs. The three classic subscription administrative roles are:
1. Account Administrator - this role is the billing owner of the Azure subscription. It can manage subscriptions and billings in the account. You can only have 1 Account Administrator per Azure account.
2. Service Administrator - you can only have 1 Service Administrator per Azure subscription. In new subscriptions, the Account Administrator also serves as the Service Administrator. This role has full access to the Azure portal and it can assign users with a Co-Administrator role.
3. Co-Administrator - you can only create 200 Co-Administrators per Azure subscription. This role has the same privileges as the Service Administrator, but it can't change the association of subscriptions to Azure directories. A user with this role can only assign a Co-Administrator role to other users.
Azure Roles – provide fine-grained access management of Azure resources. The following are the four fundamental Azure built-in roles:
1. Owner - provides full access to all Azure resources. It can also delegate access to other users.
2. Contributor - allows the user to create and manage all types of resources in Azure. The role can also create a new tenant in Microsoft Entra ID, but it cannot grant access to other users.
3. Reader - a user with this role can only view Azure resources.
4. User Access Administrator - this role has permission to manage user access to all types of resources.
Reader ✓
User Access Administrator ✓
Microsoft Entra Roles – provide access to manage Microsoft Entra resources in a directory, such as creating users, assigning administrative roles to others, managing licenses, resetting passwords, and managing domains. The important Microsoft Entra built-in roles are:
1. Global Administrator - this role can manage access to all the administrative features in Microsoft Entra. It can assign administrator roles to the users in your organization and reset the password of users or administrators in your account.
2. User Administrator - allows the user to create and manage different types of users and groups in Azure. Manage support tickets and monitor service health. Also, this role can only change the passwords of users and administrators.
3. Billing Administrator - this role has permission to make purchases, monitor service health, manage subscriptions, and support tickets in Azure.
You can also create custom roles, but you need to upgrade your Microsoft Entra ID to P1 or P2.
Role Information | Microsoft Entra roles: can be accessed through the Azure Admin Portal, Microsoft 365 Admin Center, Microsoft Graph, and Azure AD PowerShell. | Azure roles: can be accessed through the Azure Portal, CLI, PowerShell, Resource Manager templates, and REST APIs.
If you are planning to create your own Azure custom role, it is important to understand how roles are
defined. The following structure is displayed when using Azure PowerShell:
{
  "Name": "",
  "Id": "",
  "IsCustom": true,
  "Description": "",
  "Actions": [ ],
  "NotActions": [ ],
  "DataActions": [ ],
  "NotDataActions": [ ],
  "AssignableScopes": [ ]
}
The following structure is displayed when using Azure Portal, CLI, or the REST API:
{
  "roleName": "",
  "name": "",
  "type": "CustomRole",
  "description": "",
  "actions": [ ],
  "notActions": [ ],
  "dataActions": [ ],
  "notDataActions": [ ],
  "assignableScopes": [ ]
}
● Id / name - the auto-generated unique ID of the role.
● IsCustom / type - indicates whether the role is a CustomRole (true) or a BuiltInRole (false).
● Description / description - the description of the custom role.
● Actions / actions - an array of strings that defines the management operations the role can perform.
● NotActions / notActions - an array of strings that are excluded from the allowed Actions.
● DataActions / dataActions - an array of strings that defines the data operations the role can perform on the data within an object.
● NotDataActions / notDataActions - an array of strings that are excluded from the allowed DataActions.
● AssignableScopes / assignableScopes - an array of strings that defines the scopes at which the role is available for assignment. Take note that you can only define one management group in a custom role.
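The Actions/NotActions and AssignableScopes rules above can be checked mechanically. The following Python script is an added example, not part of the study guide or of any Microsoft tooling: it loads a constructed custom role in the Azure PowerShell JSON layout, answers whether a given operation is permitted (wildcard Actions minus NotActions), and flags an AssignableScopes list that defines more than one management group. The role name, GUIDs and scope names are placeholders.

```python
"""Added example, not from the study guide: check what an Azure custom role
(in the Azure PowerShell JSON shape shown above) actually permits, and
validate its AssignableScopes. The role definition itself is constructed."""
import fnmatch
import json
import re

# Constructed custom role; the GUIDs are placeholders, not real identifiers.
ROLE_JSON = """{
  "Name": "Virtual Machine Operator (example)",
  "Id": "00000000-0000-0000-0000-000000000000",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/*/read",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Insights/*"
  ],
  "NotActions": [ "Microsoft.Insights/diagnosticSettings/delete" ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000001",
    "/providers/Microsoft.Management/managementGroups/mg-example"
  ]
}"""

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SCOPE_RE = re.compile(r"/subscriptions/[^/]+(/resourceGroups/[^/]+)?")

def load_role(text: str = ROLE_JSON) -> dict:
    """Parse a role definition in the Azure PowerShell JSON layout."""
    return json.loads(text)

def _matches(operation: str, patterns) -> bool:
    # Operation strings are case-insensitive and '*' may stand for any
    # number of segments, which is exactly how glob matching behaves.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def is_allowed(role: dict, operation: str, data_action: bool = False) -> bool:
    """True if the role grants the control-plane (or data-plane) operation.
    NotActions/NotDataActions only subtract from this role's own grants;
    they never deny an operation that another assigned role permits."""
    allow = role["DataActions"] if data_action else role["Actions"]
    deny = role["NotDataActions"] if data_action else role["NotActions"]
    return _matches(operation, allow) and not _matches(operation, deny)

def validate_scopes(role: dict) -> list:
    """Return the problems found in AssignableScopes (empty list if none)."""
    problems = []
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        problems.append("AssignableScopes must list at least one scope")
    if sum(s.startswith(MG_PREFIX) for s in scopes) > 1:
        problems.append("only one management group may be defined")
    for s in scopes:
        if not (s.startswith(MG_PREFIX) or SCOPE_RE.fullmatch(s)):
            problems.append(f"unsupported scope: {s}")
    return problems

if __name__ == "__main__":
    role = load_role()
    for op in ("Microsoft.Compute/virtualMachines/restart/action",
               "Microsoft.Compute/virtualMachines/delete",
               "Microsoft.Insights/diagnosticSettings/delete"):
        print(op, "->", "allowed" if is_allowed(role, op) else "not allowed")
    print("scope problems:", validate_scopes(role) or "none")
```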
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Azure Policy
Policy Components
In order to implement governance for resource consistency, regulatory compliance, security, cost and
management, you need to enforce a set of rules by creating a policy. But before you create a policy, you
need to understand the following components:
1. The policy definition is created in JSON format. It is used to describe resource compliance conditions and the effect to take if the conditions are met. You can assign a built-in policy or define your own rules by creating a custom policy.
2. When creating a policy definition, it is also good practice to make it flexible and reusable, which reduces the number of policy definitions you need. Policy parameters allow you to define parameters when assigning the policy definition. A parameter is composed of a name and, optionally, a given value. Let's say you define a parameter for a policy titled "location". Then you can give it different values, such as "East US" or "West US", when assigning the policy.
3. Once the policy is created, you can proceed to policy assignment. This is where the policy takes effect within a specific scope. The scope refers to management groups, subscriptions, and resource groups. Policy assignments are inherited by child resources. This means that if the policy is applied to a resource group, it is also applied to all the resources in that resource group.
4. The initiative definition is a collection of policy definitions that you can assign. This helps you simplify a group of policies into one single item. One example is to create an initiative titled "Enable Monitoring in Azure Security Center". The goal of this initiative is to monitor all the available security recommendations. There are three policy definitions under this initiative: Monitor unencrypted SQL Database, Monitor OS Vulnerabilities, and Monitor missing endpoint.
5. Lastly, once the policy is assigned, it is evaluated for its compliance state. You can find the non-compliant resources in the Compliance tab.
We will be breaking down what constitutes a policy definition and what conditions you can add to your policies. The structure is as follows:
{
  "properties": {
    "displayName": "",
    "description": "",
    "mode": "",
    "metadata": {},
    "parameters": {},
    "policyRule": {}
  }
}
● Display Name and Description - help you identify the policy definition and when it's used.
● Mode - determines which resource types are evaluated for a policy definition. There are two modes:
a. all - evaluates subscriptions, resource groups and all resource types.
b. indexed - evaluates only the resource types that support tags and location.
● Metadata - although this property is optional, it is useful if you need to store information about the policy definition. The common metadata properties are:
a. version (string)
b. category (string)
c. preview (boolean)
d. deprecated (boolean)
● Parameters - enable you to reuse the policy in different scenarios by using different values. To understand it better, think of parameters like the fields on a form (name, address, city, state). The fields are always the same, but their values change depending on who fills out the form. The following properties are used in the policy definition:
a. name - the name of your parameter.
b. type - it can be string, integer, float, boolean, array, object, or datetime.
c. metadata - the subproperties used by the Azure portal to display the following information:
■ description - defines what the parameter is used for.
■ displayName - the name shown in the portal.
■ strongType (optional) - provides a multi-select list of options in the Azure Portal. Use Get-AzResourceProvider to determine whether a resource type is valid for strongType.
■ assignPermissions (optional) - allows you to assign permissions outside the assignment scope.
d. defaultValue (optional) - if the parameter value is not defined, this sets the default value.
e. allowedValues (optional) - an array of values that the parameter will accept.
● Policy Rule - this is where you apply the logical operators and conditions. The rule consists of "if" and "then" statements.
a. The supported logical operators are:
■ not
■ allOf
■ anyOf
b. The conditions that you should be aware of are:
■ less, lessOrEquals, greater, and greaterOrEquals - an error is thrown if the property type does not match the condition type.
■ like and notLike - you only need to provide one wildcard (*) value.
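To see how the logical operators and conditions combine, here is an added example (not from the study guide, and not Azure's own policy engine) that evaluates a constructed policy definition against a few constructed resources in Python. The displayName, parameter values and resources are made up for the demonstration, and the effect is simply returned rather than enforced.

```python
"""Added example, not from the study guide: a small evaluator for an Azure
Policy policyRule (not/allOf/anyOf plus the listed conditions); all data is constructed."""
import fnmatch
import operator
import re

POLICY = {"properties": {
    "displayName": "Allowed locations and owner tag (constructed example)",
    "mode": "indexed",
    "parameters": {"allowedLocations": {
        "type": "array", "defaultValue": ["eastus", "westus"],
        "metadata": {"displayName": "Allowed locations", "strongType": "location",
                     "description": "Locations that resources may use."}}},
    "policyRule": {
        "if": {"anyOf": [  # outside the allowed locations, or an untagged storage account
            {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
            {"allOf": [{"field": "type", "like": "Microsoft.Storage/*"},
                       {"field": "tags['owner']", "exists": "false"}]}]},
        "then": {"effect": "deny"}}}}

RESOURCES = [  # constructed resources, shaped like what the policy engine sees
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {"owner": "ops"}},
    {"name": "vm2", "type": "Microsoft.Compute/virtualMachines", "location": "northeurope"},
    {"name": "st1", "type": "Microsoft.Storage/storageAccounts", "location": "westus"},
]
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
COMPARE = {"less": operator.lt, "lessOrEquals": operator.le,
           "greater": operator.gt, "greaterOrEquals": operator.ge}

def resolve(value, params, assigned):
    """Replace [parameters('x')] with the assigned value, else its defaultValue."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return value if not m else assigned.get(m.group(1), params[m.group(1)].get("defaultValue"))

def field_value(resource, field):
    m = re.fullmatch(r"tags\['([^']+)'\]", field)  # tags['key'] field alias
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)

def evaluate(cond, resource, params, assigned):
    """Recursively evaluate an 'if' block; True means the rule matched."""
    if "not" in cond:
        return not evaluate(cond["not"], resource, params, assigned)
    if "allOf" in cond:
        return all(evaluate(c, resource, params, assigned) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params, assigned) for c in cond["anyOf"])
    op = next(k for k in cond if k != "field")
    actual = field_value(resource, cond["field"])
    expected = resolve(cond[op], params, assigned)
    if op == "exists":
        return (actual is not None) == (str(expected).lower() == "true")
    if op == "in":
        return str(actual).lower() in [str(v).lower() for v in expected]
    if op in ("like", "notLike"):
        if expected.count("*") > 1:
            raise ValueError("like/notLike accept a single wildcard")
        hit = fnmatch.fnmatchcase(str(actual).lower(), expected.lower())
        return hit if op == "like" else not hit
    if op in COMPARE:  # mismatched property/condition types are an error
        if type(actual) is not type(expected):
            raise TypeError(f"{op}: property type does not match condition type")
        return COMPARE[op](actual, expected)
    raise ValueError(f"unsupported condition: {op}")

def effect_for(policy, resource, assigned=None):
    """Return the effect when the rule matches, otherwise 'compliant'."""
    props = policy["properties"]
    hit = evaluate(props["policyRule"]["if"], resource, props["parameters"], assigned or {})
    return props["policyRule"]["then"]["effect"] if hit else "compliant"
```

Passing a different value for allowedLocations to effect_for stands in for what a policy assignment does with a parameter.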
Policy Effects
A policy definition has a single effect, which defines what happens when the policy rule is evaluated to match. The effects operate differently depending on whether they are applied to a new resource, an updated resource, or an existing resource.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview
Azure Monitor
Log Analytics
● All log data collected by Azure Monitor is stored in a Log Analytics workspace.
● Run simple to advanced log queries.
● The data is retrieved from a workspace using a log query written in Kusto Query Language (KQL).
● The queries that you can run are:
a. Table-based queries – the query organizes log data into tables.
b. Search queries – use this query if you need to find a specific value in your table.
c. Sort and top – to display the results in a particular order, you must sort the preferred column. To get the latest records in the entire table, you can use top.
d. Where – this operator allows you to add a filter to a query. You can use different expressions when writing filter conditions.
e. Time filter in query – you can define a specific time range by adding the time filter to the query.
f. Project and Extend – project allows you to select specific columns, and extend adds additional columns.
g. Summarize – you can identify a group of records and apply aggregations using the summarize operator.
● If the query includes workspaces in 20 or more regions, your query will be blocked from running.
● Log Analytics results are limited to a maximum of 10,000 records.
● With a Log Analytics agent, you can collect logs and performance data from virtual or physical devices outside Azure.
● A Log Analytics agent cannot send data to Azure Monitor Metrics, Azure Storage, or Azure Event Hubs.
Action rules help you define or suppress actions at any Azure Resource Manager scope (Azure subscription, resource group, or target resource). They have various filters that can help you narrow down the specific subset of alert instances that you want to act on.
To understand these concepts better, let’s see the example below:
Your company has an Azure subscription that contains the following resources:
You are instructed to monitor the storage account and configure an SMS notification for the following signals.
Signal | Signal type | Users to notify
Create/Update Storage Account | Activity Log | User 1, User 2, and User 3
Regenerate Storage Account Keys | Activity Log | User 3
How many alert rules and action groups should you create?
The requirement in the scenario is to identify how many alert rules and action groups should be created. Based on the given signal types, you should create four alert rules. Take note that you need to create one alert rule per signal type.
For the action groups, you only need to create 3 action groups because the users that will be notified for Availability and Create/Update Storage Account are the same (User 1, User 2, and User 3). Remember that action groups are created for each unique set of users that will be notified.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/overview
When you deploy a virtual machine, default security rules are applied to the virtual machine that allow/deny network traffic. Since Azure applies these rules by default, you might override the default rules and prevent the virtual machine from communicating with other resources. To diagnose network traffic problems to or from a virtual machine, you can use IP flow verify.
This tool lets you specify the source and destination IPv4 address, protocol, port and the traffic direction. After the test is conducted, it informs you whether the connection succeeds or fails. If the connection fails, IP flow verify will tell you which security rule allowed or denied the communication.
The tool for diagnosing outbound connections from a virtual machine is called connection troubleshoot. It allows you to test the connection between a virtual machine and an IPv4 address, URI, FQDN, or another virtual machine. The information returned by connection troubleshoot describes the connection at a specific point in time. If an endpoint becomes unreachable, this tool will inform you of the possible cause.
Analyze the ingress and egress IP traffic through a Network Security Group
To allow/deny inbound or outbound network traffic to a network interface, you need to create a network security group (NSG). It is also vital to monitor the traffic flowing through the NSG, and flow logs can help you optimize network flows, detect intrusions, monitor throughput, verify compliance and more.
The NSG flow logs allow you to log the source and destination IP address, protocol, port, and whether traffic was allowed or denied by an NSG. If you need to analyze the logs, you can use tools like Power BI or Traffic Analytics.
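As an added example (not from the study guide or Microsoft's tooling), the following Python script parses a constructed NSG flow log record in the version 2 layout and summarises which inbound flows the NSG denied and which rules admitted traffic, the kind of first-pass check a defender runs before loading the logs into Traffic Analytics or Power BI. The NSG name, subscription ID, MAC and IP addresses are placeholders.

```python
"""Added example, not from the study guide: parse NSG flow log (version 2)
records and summarise the inbound flows an NSG denied, the kind of first-pass
check a defender runs before loading the logs into Traffic Analytics or Power BI.
The log record below is constructed; the subscription ID is a placeholder."""
import json
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-01-15T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/SUB-ID-PLACEHOLDER/RESOURCEGROUPS/RG-EXAMPLE"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1705312800,203.0.113.10,10.0.0.4,51234,3389,T,I,D,B,,,,",
            "1705312801,203.0.113.10,10.0.0.4,51235,22,T,I,D,B,,,,",
            "1705312802,198.51.100.7,10.0.0.4,40000,3389,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1705312803,198.51.100.20,10.0.0.4,44000,443,T,I,A,B,,,,",
            "1705312810,198.51.100.20,10.0.0.4,44000,443,T,I,A,E,12,2400,10,9000"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1705312805,10.0.0.4,13.67.143.118,44931,443,T,O,A,B,,,,"]}]}]}}]})

# Single-letter codes used inside each flow tuple.
PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "inbound", "O": "outbound"}
DECISION = {"A": "allowed", "D": "denied"}

@dataclass(frozen=True)
class Flow:
    time: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str
    state: str      # v2 only: B(egin), C(ontinue), E(nd); empty for v1 tuples
    nsg: str
    rule: str

def parse_flow_logs(text: str):
    """Yield one Flow per flow tuple, tagged with the NSG and rule that produced it."""
    for rec in json.loads(text)["records"]:
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for entry in rec["properties"]["flows"]:
            for flow in entry["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    yield Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                               PROTOCOL[f[5]], DIRECTION[f[6]], DECISION[f[7]],
                               f[8] if len(f) > 8 else "", nsg, entry["rule"])

def denied_inbound_by_source(flows):
    """Count denied inbound connection attempts per (source IP, destination port).
    Only 'B' (begin) tuples are counted so a long flow is not counted repeatedly."""
    counts = Counter()
    for f in flows:
        if f.direction == "inbound" and f.decision == "denied" and f.state in ("B", ""):
            counts[(f.src_ip, f.dst_port)] += 1
    return counts

def allowed_inbound_rules(flows):
    """Map each NSG rule that admitted inbound traffic to the destination ports it admitted."""
    ports = {}
    for f in flows:
        if f.direction == "inbound" and f.decision == "allowed":
            ports.setdefault(f.rule, set()).add(f.dst_port)
    return ports
```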
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Feature | ACI | AKS
Description | Run containers without managing servers. | Orchestrate and manage multiple container images and applications.
Deployment | For event-driven applications, quickly deploy from your container development pipelines, run data processing, and build jobs. | Uses clusters and pods to scale and deploy applications.
Web Apps (Monolithic) | Yes | Yes
N-Tier Apps (Services) | Yes | Yes
Cloud-Native (Microservices) | Yes, recommended for Linux containers | Yes
Batch/Jobs (Background tasks) | Yes | Yes
Use cases | Dev/Test scenarios; Task automation; CI/CD agents; Small/scale batch processing; Simple web apps | Containers and application configuration portability; Enables you to select the number of hosts, size, and orchestrator tools; Transfer container workloads to the cloud without changing your current management practices.
Major Difference | You should use AKS if you need full container orchestration, such as service discovery across multiple containers, automatic scaling, and
Pricing | You are billed based on the stored data per month, operations performed, data transfer, and redundancy. | You pay for the provisioned GiB per month and the number of servers connected to the cloud endpoint. | You pay for the disk size, snapshots, and number of transactions.
Use Cases | Static website, media and log files, backups, analytics workloads | Central location of your files, monitoring logs and applications | Boot volumes and transaction-intensive workloads
Redundancy option | LRS | ZRS | GRS/RA-GRS (column headings inferred from the rows below)
Available if the entire data center (zonal or non-zonal) went down? | No | Yes | Yes
Available on region-wide outage in the primary region? | No | No | Yes
Has read access to the secondary region if the primary region is unavailable? | No | No | Yes
Supported storage account types | General-purpose v2, General-purpose v1, Block blob storage, Blob storage, File storage | General-purpose v2, Block blob storage, File storage | General-purpose v2, General-purpose v1, Blob storage
Feature | Load Balancer | Application Gateway | Traffic Manager | Front Door
Network Protocols | Layer 4 (TCP or UDP) | Layer 7 (HTTP/HTTPS) | Layer 7 (DNS) | Layer 7 (HTTP/HTTPS)
Routing | Hash-based, Source IP affinity | Path-based | Performance, Weighted, Priority, Geographic, MultiValue, Subnet | Latency, Priority, Weighted, Session Affinity
Global/Regional Service | Global | Regional | Global | Global
Recommended Traffic | Non-HTTP(S) | HTTP(S) | Non-HTTP(S) | HTTP(S)
Endpoints | NIC (VM/VMSS), IP address | IP address/FQDN, Virtual machine/VMSS, App services | Cloud service, App service/slot, Public IP address | App service, Cloud service, Storage, Application Gateway, API Management, Public IP address, Traffic Manager, Custom Host
Endpoint Monitoring | Health probes | Health probes | HTTP/HTTPS GET requests | Health probes
Redundancy | Zone redundant and Zonal | Zone redundant | Resilient to regional failures | Resilient to regional failures
SSL/TLS Termination | – | Supported | – | Supported
Web Application Firewall | – | Supported | – | Supported
Sticky Sessions | Supported | Supported | – | Supported
VNet Peering | Supported | Supported | – | –
Pricing | Standard Load Balancer – charged based on the number of rules and processed data. | Charged based on Application Gateway type, processed data, outbound data transfers, and SKU. | Charged per DNS queries, health checks, measurements, and data points. | Charged based on outbound/inbound data transfers, and incoming requests from client to Front Door POPs.
Direction | Has separate rules for inbound and outbound traffic. | Has separate rules for inbound and outbound traffic.
Default access | By default, rules are set to ALLOW. | By default, all access is denied.
Feature | Microsoft Entra ID | Azure RBAC
Description | An identity and access management service that helps you access internal and external resources. | An authorization system that manages users' access to Azure resources, including what they can do with those resources and what areas they can access.
Role information | You can access the role information in the Azure Portal, Microsoft 365 admin center, Microsoft Graph, and Azure AD PowerShell. | You can access the role information in the Azure Portal, CLI, PowerShell, Resource Manager templates, and REST API.
Pricing | Microsoft Entra ID has three editions: Free, P1, and P2. For the P1 and P2 licenses, you are charged on a monthly basis. | Azure RBAC is free and included in your Azure subscription.
Jon Bonso
Born and raised in the Philippines, Jon is the Co-Founder of Tutorials Dojo. Now based in Sydney, Australia, he has over a decade of diversified experience in Banking, Financial Services, and Telecommunications. He's 10x AWS Certified and has worked with various cloud services such as Google Cloud and Microsoft Azure. Jon is passionate about what he does and dedicates a lot of time creating educational courses. He has given IT seminars to different universities in the Philippines for free and has launched educational websites using his own money and without any external funding.
Gerome Pagatpatan
Gerome currently works as a software engineer and holds 5 cloud certifications from Amazon Web Services, Microsoft Azure, and Oracle. He also co-authored high-quality educational materials in the cloud computing space, which have been used by over a quarter-million people worldwide. He is passionate about education, and now it's his turn to share his knowledge, experiences, and passion for cloud computing.