AZ-104 Deploy and Manage Azure Compute Resources

Deploy and Manage Azure Compute Resources Detailed Explanation

1. Configure VMs for High Availability and Scalability

Azure provides several mechanisms to ensure that virtual machines (VMs) stay available and can scale up or down depending on demand.

Availability Options

1.1 Availability Sets

• Used to distribute VMs across multiple fault domains and update domains in a single Azure datacenter.

• Protects against:

  • Hardware failures (fault domains)

  • Planned maintenance updates (update domains)

• Ideal for multiple-tier applications needing high uptime.

• A minimum of two or more VMs is required to gain the redundancy benefit.

VMs in an availability set:

• Are spread across multiple physical racks

• Receive rolling updates, not all at once

1.2 Availability Zones

• Provide higher availability than availability sets.

• Azure regions are divided into physically separate zones, each with its own power, cooling, and networking.

• You deploy VMs to specific zones (e.g., Zone 1, Zone 2, Zone 3).

• If one zone fails, others can continue operating.

Use cases:

• Mission-critical workloads

• Low-latency replication between zones

1.3 VM Scale Sets (VMSS)

• Used to deploy and manage a group of identical, auto-scaling VMs.

• Supports:

  • Manual or automatic scaling

  • Integration with Azure Load Balancer or Application Gateway

• Benefits:

  • Built-in load balancing

  • Support for custom images

  • Rolling upgrades and health probes

Perfect for stateless applications like web servers or batch jobs.

1.4 Load Balancer Integration

• Azure Load Balancer distributes incoming traffic to VMs.

• Use with:

  • Availability Sets to balance traffic across healthy VMs

  • Availability Zones to direct traffic to active zones

Use Basic or Standard Load Balancer depending on scale/security needs.

2. Create and Configure VMs

This section covers how to deploy virtual machines, how to size and connect them, and how to extend their capabilities.

2.1 Deployment Methods

2.1.1 Azure Portal

• GUI-based method for beginners.

• Walk-through wizard helps you configure:

  • Image (OS)

  • Size (SKU)

  • Disks

  • Networking

  • Management features

• Best for manual or one-time deployments.

2.1.2 Azure CLI (az vm create)

• Lightweight, scriptable option for developers or DevOps engineers.

• Example:

  az vm create \
    --resource-group MyRG \
    --name MyVM \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys
  

2.1.3 Azure PowerShell

• Ideal for Windows admins comfortable with scripting in PowerShell.

• Offers full control with scripting and loops.

2.1.4 ARM Templates

• Infrastructure-as-Code using JSON.

• Declarative: define what you want, not how.

• Great for repeatable and standardized deployments.

2.1.5 Terraform

• Open-source IaC tool, cloud-agnostic.

• Preferred in multi-cloud environments.

• Uses its own configuration language (.tf files).

Best for DevOps teams managing large, repeatable infrastructure setups.

2.2 VM Sizing

2.2.1 Understand VM Series

Azure offers many VM sizes (SKUs), grouped by series:

Series	Use Case
B-series	Burstable, low-cost workloads
D-series	General purpose, good for most apps
E-series	Memory-intensive apps (databases)
F-series	CPU-intensive tasks (gaming, analytics)
N-series	GPU-intensive tasks (AI, ML, rendering)

Choose based on workload profile (CPU-bound, memory-bound, etc.)

2.2.2 Resize VMs

• You can resize a VM if performance or cost needs change.

• Limits:

  • Must deallocate VM first

  • Target size must be available in the region and hardware cluster

Steps:

1. Go to VM > Size > Resize

2. Pick a new SKU

3. Restart VM if required

2.3 Storage Configuration

2.3.1 OS Disk and Data Disks

• OS Disk: Attached by default (contains Windows or Linux OS)

• Data Disks: Optional; for storing app files, databases, logs

• You can attach multiple data disks based on the VM size

Disks are managed by Azure and come in various types (next section)

2.3.2 Disk Types

Type	Description	Use Case
Standard HDD	Low-cost, high-latency	Backup, infrequent access
Standard SSD	Better performance than HDD	Web servers, dev/test
Premium SSD	High performance	Production apps
Ultra Disk	High IOPS and low latency	Databases, OLTP workloads

Choose based on performance needs and budget.

2.3.3 Disk Encryption

• Azure uses Azure Disk Encryption (ADE) for encrypting VM disks.

• For Windows: uses BitLocker

• For Linux: uses DM-Crypt

• You can choose:

  • Microsoft-managed keys

  • Customer-managed keys in Azure Key Vault

Encryption is important for compliance and data protection.

2.4 Networking

2.4.1 IP Addressing

• Dynamic IP: Changes upon VM restart (default for most VMs)

• Static IP: Stays fixed; useful for DNS or firewall rules

2.4.2 NSGs (Network Security Groups)

• Used to control inbound and outbound traffic.

• Rules define:

  • Priority

  • Protocol

  • Source/destination

  • Port

  • Allow/Deny

Attach NSGs to:

• Subnets (broader control)

• NICs (per-VM control)

2.4.3 VNets and Subnets

• All VMs must be deployed inside a Virtual Network (VNet).

• VNets are divided into subnets.

• Subnets can host:

  • VMs

  • Gateways

  • App Services with VNet integration

2.5 VM Extensions

2.5.1 What Are Extensions?

Extensions are small programs that run inside a VM to perform tasks such as:

• Post-deployment configuration

• Monitoring

• Security scanning

2.5.2 Common Extensions

Extension	Use
Custom Script Extension	Run PowerShell or shell scripts after deployment
Azure Monitor Agent	Collect performance and diagnostic data
Diagnostics Extension	Collects boot diagnostics and crash data

Use extensions to automate software installs, deploy agents, or register VMs with monitoring services.

3. Automate Deployment of VMs

Automation is essential for consistency, scalability, and repeatability in Azure environments. Azure offers several tools to automate the deployment of virtual machines.

3.1 ARM Templates

3.1.1 What are ARM Templates?

• ARM (Azure Resource Manager) templates are JSON files that define your infrastructure as code.

• They allow you to deploy and configure Azure resources declaratively.

ARM templates are ideal for:

• Enforcing consistent environments across dev/test/prod

• Deploying entire applications or infrastructure stacks

3.1.2 Key Elements of an ARM Template

Element	Description
Parameters	Input values you can provide during deployment
Variables	Reusable values, often derived from parameters
Resources	Definitions of Azure services to deploy (e.g., VMs, NSGs, storage)
Outputs	Return values after deployment (e.g., VM IP address)

3.1.3 Example: Simple VM Template Snippet

"resources": [
  {
    "type": "Microsoft.Compute/virtualMachines",
    "apiVersion": "2021-07-01",
    "name": "[parameters('vmName')]",
    "location": "[resourceGroup().location]",
    "properties": {
      "hardwareProfile": {
        "vmSize": "Standard_B2s"
      }
    }
  }
]

3.2 Custom Script Extension

3.2.1 What is the Custom Script Extension?

• It allows you to run scripts automatically on a VM after it’s provisioned.

• Scripts can:

  • Install software

  • Modify system settings

  • Perform configuration steps

Very useful in automated deployment pipelines.

3.2.2 Example Use Case

Install Apache on a Linux VM using a shell script:

#!/bin/bash
apt-get update
apt-get install apache2 -y

Upload the script to Azure Storage and reference it in the extension:

"fileUris": ["https://<storageaccount>.blob.core.windows.net/scripts/install-apache.sh"]

3.3 Cloud-init

3.3.1 What is cloud-init?

• A Linux-specific initialization tool used for automating configuration during VM provisioning.

• It uses YAML syntax.

3.3.2 Use cases

• Create users

• Set hostnames

• Install packages

• Configure network or SSH settings

3.3.3 Example cloud-init config

#cloud-config
users:
  - name: azureuser
    groups: sudo
    shell: /bin/bash
    ssh-authorized-keys:
      - ssh-rsa AAAAB3NzaC...

packages:
  - nginx

runcmd:
  - systemctl start nginx

You pass this YAML file during VM creation via the Azure Portal, CLI, or Terraform.

4. Create and Configure Containers

Azure provides tools to run and manage containers without needing to manage virtual machines directly. This section introduces two key services: Azure Container Instances (ACI) and Azure Kubernetes Service (AKS).

4.1 Azure Container Instances (ACI)

4.1.1 What is ACI?

Azure Container Instances allow you to run containers directly in Azure without provisioning or managing VMs.

It’s a serverless container service, best for:

• Running single containers or simple applications

• Short-term or batch jobs

• Testing and development

4.1.2 Key Features

• Fast startup (containers launch in seconds)

• Per-second billing

• Supports Linux and Windows containers

• Supports public IPs, DNS, environment variables

4.1.3 How to deploy a container in ACI

Using Azure CLI:

az container create \
  --resource-group myResourceGroup \
  --name myContainer \
  --image mcr.microsoft.com/azuredocs/aci-helloworld \
  --cpu 1 --memory 1 \
  --dns-name-label myacilabel --ports 80

This deploys a container running a basic web server, accessible via a DNS name.

4.1.4 Networking Options

• Public IP: Exposes the container to the internet

• VNet Integration: Runs container privately inside a Virtual Network (for secure internal access)

4.2 Azure Kubernetes Service (AKS) – Basic Knowledge

4.2.1 What is AKS?

AKS is a managed Kubernetes service in Azure. Kubernetes is an open-source platform for orchestrating containers.

In AZ-104, you are only expected to understand the basics, not in-depth AKS operations.

4.2.2 Key Concepts

Concept	Description
Node pool	A group of VMs (nodes) that run containerized apps
Scaling	AKS can automatically scale node pools based on demand
Azure AD integration	Use Azure AD for Kubernetes API authentication
Helm	A package manager for Kubernetes apps

4.2.3 When to use AKS

• Complex, multi-container applications

• Apps requiring load balancing, auto-scaling, service discovery

• Production workloads with microservices architecture

AKS is best when you need full control over container lifecycle and orchestration.

5. Create and Configure Web Apps

Azure provides Platform as a Service (PaaS) options for deploying and managing web applications with minimal infrastructure management.

The primary service is Azure App Service.

5.1 Azure App Services

5.1.1 What is Azure App Service?

Azure App Service lets you deploy web applications and APIs without managing servers or virtual machines.

Key features:

• Fully managed infrastructure

• Autoscaling and high availability

• Continuous deployment support (GitHub, Azure DevOps, etc.)

• Built-in monitoring and diagnostics

5.1.2 Supported Languages

• .NET / .NET Core

• Node.js

• Python

• Java

• PHP

• Also supports custom containers (Docker)

5.1.3 Deployment Slots

• Used for safe deployment and testing.

• You can create multiple slots like:

  • Staging

  • Testing

  • Production

• You can swap slots to move new code into production with no downtime.

5.2 Configuration

5.2.1 App Settings and Connection Strings

• Define key/value pairs used by your app at runtime.

• Used for:

  • App behavior customization

  • Connection strings to databases or storage

• Environment variables are injected into the app runtime.

You can set them from:
App Service > Configuration

5.2.2 Authentication and Authorization

• App Service integrates with identity providers like:

  • Azure Active Directory

  • Google

  • Facebook

  • Twitter

This provides secure user authentication without writing custom login code.

Steps:

1. Go to App Service > Authentication

2. Enable App Service Authentication

3. Choose your identity provider

4. Configure client IDs/secrets

5.3 Scaling

Azure App Services support multiple scaling options:

5.3.1 Manual Scaling

• You manually increase or decrease the number of instances (servers) running your app.

5.3.2 Autoscaling

• App Service can automatically scale based on:

  • CPU usage

  • Memory usage

  • HTTP queue length

  • Time schedule (e.g., scale up during business hours)

Define rules under:
App Service Plan > Scale out (App Service Plan)

5.3.3 Pricing Tiers

Tier	Features
Free / Shared	Test only; very limited resources
Basic	Custom domains, SSL
Standard	Autoscaling, backups
Premium	Enhanced performance, VNet integration, more slots
Isolated	Runs in a VNet for maximum security (App Service Environment - ASE)

5.4 Monitoring and Backup

5.4.1 Diagnostics and Logs

• Enable detailed error messages, HTTP logs, and App logs for troubleshooting.

• Use Application Insights for:

  • Performance tracking

  • Exception logging

  • Live metrics stream

Enable from:
App Service > Monitoring > Diagnostics settings

5.4.2 Backup and Restore

• App Services support automatic backups (in Standard tier or higher).

• You can back up:

  • Web app content

  • Database connections

  • Configuration settings

Restore from backups through the portal if needed.

Deploy and Manage Azure Compute Resources (Additional Content)

1. Monitor VM Performance

Azure provides multiple mechanisms to monitor performance and diagnose issues for virtual machines.

1.1 Performance Metrics

Collected through Azure Monitor, including:

• CPU usage

• Disk IOPS and latency

• Network in/out

• Available memory (Windows only)

Access via:

• VM > Monitoring > Metrics

• Azure Monitor > Metrics

1.2 Diagnostic Settings and Extensions

To collect guest-level metrics and logs:

• Enable diagnostic settings on the VM.

• Install Azure Monitor Agent (AMA) or Diagnostics extension.

1.3 Recommended KQL Query Example

Perf
| where ObjectName == "Processor"
| where CounterName == "% Processor Time"
| where InstanceName == "_Total"
| summarize avg(CounterValue) by bin(TimeGenerated, 5m)

Use this to analyze CPU patterns over time.

Exam Tip: Know the difference between platform metrics (available without agent) and guest metrics (require agent or extension).

2. Run Command on VM

Run Command allows administrators to execute remote scripts or commands on a VM without RDP/SSH.

2.1 Use Cases

• Fix broken extensions

• Reset services

• Run administrative scripts remotely

2.2 Azure Portal Path

Virtual Machine > Operations > Run Command
Choose:

• Windows: RunPowerShellScript

• Linux: RunShellScript

2.3 Azure CLI Example

az vm run-command invoke \
  --resource-group MyRG \
  --name MyVM \
  --command-id RunShellScript \
  --scripts "sudo apt update && sudo apt install nginx -y"

Exam Tip: This is often tested in scenarios where SSH or RDP access is unavailable.

3. AKS Azure AD Integration (RBAC Control)

While AZ-104 doesn’t cover deep AKS admin tasks, you should understand how Azure RBAC integrates with AKS.

3.1 RBAC Flow Overview

• Azure AD is used to authenticate users to AKS cluster control plane.

• RoleBindings or ClusterRoleBindings authorize access via Kubernetes RBAC.

3.2 Enabling AD Integration

During cluster creation:

• Use --enable-aad and specify --aad-admin-group-object-ids for admin group(s).

3.3 Example: Grant Reader Access to kubectl

1. Assign Azure user to a group with Azure Kubernetes Service Cluster User role.

2. Use kubectl with AAD authentication to access the cluster.

Exam Tip: You may be asked which Azure role is needed to access AKS using kubectl → Azure Kubernetes Service Cluster User.

4. VM Scale Sets (VMSS) Upgrade Policies

VMSS supports automated VM updates via defined upgrade modes.

4.1 Upgrade Types

Mode	Description
Manual	Admin must trigger updates; safest option
Automatic	VMs updated as soon as a new version is available
Rolling	VMs updated gradually, with health probes and batch control

4.2 Rolling Upgrade Details

• Health probe integration ensures only healthy instances are upgraded.

• Settings:

  • Max batch size

  • Pause between batches

  • Failure thresholds

Exam Tip: Know the difference between these types—especially Manual vs Rolling.

5. Boot Diagnostics and Serial Console for Troubleshooting

5.1 Boot Diagnostics

• Captures screenshot and console logs from a VM’s boot process.

• Useful when OS fails to boot or VM becomes unresponsive.

Enable from:
VM > Support + Troubleshooting > Boot Diagnostics

5.2 Serial Console Access

• Provides a command-line interface via the Azure portal, even when RDP/SSH is unavailable.

• Works if:

  • Boot diagnostics are enabled

  • VM OS supports it (e.g., Linux, Windows Server 2016+)

Path:
VM > Serial Console

Use Cases:

• Reset admin password

• Modify fstab or firewall rules

• Repair misconfigured startup scripts

Exam Tip: Expect a question involving troubleshooting boot failure, with clues pointing to serial console or boot diagnostics usage.