Mar 9

Azure AZ-104 Administrator Compute and Networking

Mindli Team

AI-Generated Content

Mastering compute and networking is foundational to any Azure administrator role and a major pillar of the AZ-104 exam. These skills allow you to build, connect, and secure the infrastructure that powers applications. This guide moves from core virtual machine provisioning to advanced network architecture and modern platform services, providing the practical knowledge and exam-focused insights you need to succeed.

Core Concepts of Azure Compute

The Azure compute landscape offers various services, but virtual machines (VMs) remain a critical, exam-heavy topic. You must understand not just deployment but also how to ensure resilience and manage scale effectively.

Virtual Machine Deployment and Management

A virtual machine in Azure is an on-demand, scalable computing resource. Deployment involves selecting an image (OS), a size (CPU, RAM), and a region. A key decision is the disk type: OS disks can be HDD, Standard SSD, or Premium SSD, with Ultra Disk available for extreme performance. For the exam, know that when you create a VM, Azure automatically creates resources like a network interface, a public IP address (if selected), and a network security group. Management tasks include resizing (which may require a stop/deallocate), attaching data disks, and automating configurations using the Azure Virtual Machine Agent and custom script extensions.

Ensuring High Availability with Availability Sets and Zones

To protect applications from hardware failures and planned maintenance, you use availability constructs. An Availability Set is a logical grouping of VMs that distributes them across fault domains (separate power and network racks) and update domains (groups for sequential reboot) within a single datacenter. For higher resilience against datacenter failure, use Availability Zones, which are physically separate locations within an Azure region. A key exam distinction: VMs in an availability set can use Standard HDD/SSD, while VMs deployed to a specific zone often require Premium SSDs for zone-resilient storage.

Scaling with Virtual Machine Scale Sets

A Virtual Machine Scale Set allows you to deploy and manage an identical set of VMs that automatically scales based on CPU, memory, or custom metrics. You define a base VM image and a scaling rule (e.g., increase instance count by 1 when average CPU > 70% for 10 minutes). Scale sets are intrinsically highly available, as they deploy VMs across fault domains. For the exam, understand that while scale sets can be deployed into an availability zone, they cannot be deployed into a traditional availability set; the scale set itself provides the fault domain distribution.

Secure Access with Azure Bastion

Providing secure RDP and SSH access to VMs without exposing public IP addresses is a common security requirement. Azure Bastion is a fully platform-managed service you deploy inside your virtual network. Users connect via the Azure portal over TLS, and the Bastion service brokers the session to the target VM privately. This eliminates the need for public IPs on VMs, VPNs, or jump boxes, reducing the attack surface. Know that Bastion is billed on an hourly basis and data transfer, not per VM.

Designing and Securing Azure Networks

A well-architected network is the backbone of any cloud solution. You must be able to design the network topology and enforce security at multiple layers.

Virtual Network Design and Subnetting

An Azure virtual network (VNet) is the fundamental building block for private network isolation. Key design decisions involve address space (CIDR block) and subnet segmentation. A best practice is to create subnets for different tiers (e.g., web, app, data). Remember, Azure reserves five IP addresses in each subnet (first four and last). For instance, in a 10.0.0.0/24 subnet (256 addresses), only 251 are usable for resources. VNets in the same region can be connected via VNet Peering, which provides low-latency, Microsoft-backbone connectivity without a gateway.

Controlling Traffic Flow with Network Security Groups

A Network Security Group (NSG) is a basic, stateful firewall that filters traffic at the subnet and/or network interface level. Rules are evaluated by priority number (lower is evaluated first) and can allow or deny traffic based on source/destination IP, port, and protocol. Key exam points: NSGs have default rules that allow VNet-internal traffic and inbound Azure Load Balancer probes; all other inbound traffic is denied by default. You manage outbound rules explicitly. For granular control at the application level, use Application Security Groups (ASGs), which let you define rules based on application role rather than static IPs.
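The following Python model is an added example, not code from the original guide: it performs first-match NSG evaluation by ascending priority, with the three built-in inbound default rules included, and shows how a broad deny at a lower priority number silently shadows a more specific allow. The VNet range, the admin range 203.0.113.0/24 and the custom rule names are constructed; the VirtualNetwork and AzureLoadBalancer service tags are simplified to that VNet and the 168.63.129.16 health-probe source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")          # constructed sample VNet address space
LB_PROBE = ip_address("168.63.129.16")    # source address of Azure Load Balancer health probes
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first; custom rules use 100-4096
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp", "Icmp" or "*"
    source: str     # CIDR/IP, service tag ("VirtualNetwork", "AzureLoadBalancer") or "*"
    dest_port: str  # "22", "80-443" or "*"

# Azure's built-in inbound default rules; custom rules always sit above them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def _source_matches(rule_source, src):
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":     # service tag: the VNet address space (simplified)
        return src in VNET
    if rule_source == "AzureLoadBalancer":  # service tag: the probe source (simplified)
        return src == LB_PROBE
    return src in ip_network(rule_source, strict=False)

def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(custom_rules, src_ip, port, protocol="Tcp"):
    """First match by ascending priority wins; returns (access, rule name)."""
    src = ip_address(src_ip)
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda x: x.priority):
        if (r.protocol in ("*", protocol) and _source_matches(r.source, src)
                and _port_matches(r.dest_port, port)):
            return r.access, r.name   # DenyAllInBound guarantees a match is found

# Constructed rule sets: the exam trap (a broad deny at 200 shadows the allow at 300)
# and the corrected ordering (specific allow at 200, broad deny at 300).
TRAP = [Rule("Deny-SSH-All", 200, "Deny", "Tcp", "*", "22"),
        Rule("Allow-Admin-SSH", 300, "Allow", "Tcp", "203.0.113.0/24", "22")]
FIXED = [Rule("Allow-Admin-SSH", 200, "Allow", "Tcp", "203.0.113.0/24", "22"),
         Rule("Deny-SSH-All", 300, "Deny", "Tcp", "*", "22")]
```

With TRAP, an SSH connection from 203.0.113.10 is denied by Deny-SSH-All even though an allow rule exists; with FIXED the same connection is allowed and everything else on port 22 is still denied.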

Advanced Security with Azure Firewall and Load Balancers

For centralized, network-level protection, use Azure Firewall, a stateful, managed firewall-as-a-service. It offers threat intelligence-based filtering, FQDN filtering for outbound traffic, and network traffic filtering rules. It is highly available by design. Azure Load Balancer distributes traffic to improve availability and scalability. The Basic SKU is free but lacks zone redundancy and works within a single region. The Standard SKU supports Availability Zones, outbound rules, and integrates with NSGs. Understand the difference between public (fronted by a public IP) and internal (private IP frontend) load balancers. Azure Application Gateway, a layer-7 load balancer, is for web traffic and offers features like SSL termination and path-based routing.

Configuring Hybrid and External Connectivity

Connecting on-premises networks or individual clients to Azure is a common administrative task, with multiple solutions depending on requirements.

Site-to-Site Connections with VPN Gateway

An Azure VPN Gateway is a specific type of virtual network gateway that sends encrypted traffic across the public internet. For a site-to-site connection, you deploy a VPN gateway in its own subnet (named GatewaySubnet) in your VNet and configure it to connect to an on-premises VPN device. The gateway's performance (bandwidth, connections) is determined by its SKU (e.g., VpnGw1, VpnGw2). A key point for high availability: deploy an Active-Standby gateway for automatic failover within a zone, or an Active-Active configuration for even higher resilience.

Private Connectivity with ExpressRoute

For high-throughput, low-latency, private connections that don't traverse the internet, use Azure ExpressRoute. It establishes a private connection from your premises to Azure via an ExpressRoute partner (exchange provider) or directly from your WAN. This offers more reliable, faster, and lower-latency connectivity than a VPN. Key exam concepts include ExpressRoute circuits (the logical connection), peering types (Microsoft, Private, Azure public), and the ExpressRoute Global Reach feature that allows you to connect your on-premises sites through Azure's backbone.

Name Resolution with Azure DNS

Azure DNS is a hosting service for DNS domains. You can host your public domains in Azure, leveraging its global network of name servers, and manage records (A, CNAME, MX, etc.) just like any other DNS service. For private resolution within your virtual networks, you use Azure Private DNS zones. These allow you to use your own custom domain name (e.g., corp.contoso.com) inside your VNets without deploying and managing custom DNS servers.

Modern Application Platform Services

The AZ-104 exam expects you to understand Platform-as-a-Service (PaaS) and container options, which abstract away underlying VM management.

Web Apps and App Service Plans

Azure App Service is a fully managed platform for building web apps, mobile backends, and RESTful APIs. The compute resources are defined by an App Service plan, which specifies the region, number of VMs, VM size, and pricing tier (Free, Shared, Basic, Standard, Premium, Isolated). Scaling can be manual or automatic. For the exam, know that apps within the same App Service plan share the same VM instances, which can affect performance and cost. Also, understand deployment slots (staging environments) and how to perform a swap for zero-downtime deployments.

Containers: Instances and Kubernetes

For running containerized applications without managing servers, Azure Container Instances (ACI) is the simplest solution. You can run a single container with per-second billing. For orchestrating multi-container applications, Azure Kubernetes Service (AKS) is the managed Kubernetes offering. As an administrator, you are responsible for the worker nodes and deployed applications, while Azure manages the control plane (API server). Key exam tasks include understanding AKS cluster configuration (node pools, networking models like kubenet or Azure CNI), and basic kubectl commands for interacting with the cluster.

Common Pitfalls

  1. Mixing Availability Sets and Zones: An existing VM that belongs to an availability set cannot be moved into an availability zone. Zonal deployment is a decision made at VM creation, so you would need to recreate the VM.
  2. Misunderstanding NSG Rule Priorities: Creating a low-priority "allow" rule that is overridden by a higher-priority "deny" rule is a frequent configuration error and an exam trap. Always verify rule order and priority.
  3. Neglecting the GatewaySubnet: When creating a VPN Gateway, you must provision a dedicated subnet named GatewaySubnet with a CIDR block of at least /27. Using any other name or a smaller subnet will cause the deployment to fail.
  4. Confusing Load Balancer SKUs: Assuming a Basic Load Balancer can perform outbound SNAT for all protocols or integrate with Availability Zones is incorrect. These are features exclusive to the Standard SKU, which is a common point of differentiation in exam scenarios.
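As an added example (not part of the original guide), the following Python script works through the subnet arithmetic from the Virtual Network Design section and the GatewaySubnet requirement from pitfall 3: it lists the five addresses Azure reserves in a subnet, computes what is left for resources, and validates a tiered VNet layout. The VNet, subnet names and CIDR blocks are constructed sample values.

```python
from ipaddress import IPv4Network

# Azure reserves five addresses in every subnet: the network address, the default
# gateway, two addresses for Azure-provided DNS, and the broadcast address.
AZURE_RESERVED = 5
GATEWAY_SUBNET_NAME = "GatewaySubnet"
GATEWAY_SUBNET_MAX_PREFIXLEN = 27   # must be /27 or larger (a smaller prefix length)

def reserved_addresses(cidr):
    """The five addresses Azure holds back in the subnet (first four and last)."""
    addrs = list(IPv4Network(cidr, strict=False))
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]

def usable_addresses(cidr):
    """Addresses left for resources once the reservation is subtracted."""
    return max(IPv4Network(cidr, strict=False).num_addresses - AZURE_RESERVED, 0)

def check_gateway_subnet(name, cidr):
    """Problems that would make a VPN Gateway deployment fail (empty list if none)."""
    problems = []
    if name != GATEWAY_SUBNET_NAME:
        problems.append(f"gateway subnet must be named {GATEWAY_SUBNET_NAME}, got {name}")
    if IPv4Network(cidr, strict=False).prefixlen > GATEWAY_SUBNET_MAX_PREFIXLEN:
        problems.append(f"{cidr} is smaller than the minimum /{GATEWAY_SUBNET_MAX_PREFIXLEN}")
    return problems

def plan_vnet(vnet_cidr, subnets):
    """Check a tiered layout: every subnet inside the VNet, none overlapping,
    the gateway subnet valid. Returns (usable counts per subnet, problems)."""
    vnet = IPv4Network(vnet_cidr)
    nets = {name: IPv4Network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} lies outside {vnet}")
        if name == GATEWAY_SUBNET_NAME:
            problems += check_gateway_subnet(name, str(net))
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return {name: usable_addresses(str(net)) for name, net in nets.items()}, problems

# Constructed sample layout: three tiers plus an undersized gateway subnet.
SAMPLE_VNET = "10.0.0.0/16"
SAMPLE_SUBNETS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24",
                  "data": "10.0.3.0/26", "GatewaySubnet": "10.0.255.0/28"}
```

Running plan_vnet(SAMPLE_VNET, SAMPLE_SUBNETS) reports 251 usable addresses for each /24, 59 for the /26, and flags the /28 GatewaySubnet as below the /27 minimum before any deployment is attempted.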

Summary

  • Virtual Machines are the core IaaS component; master their deployment, disk types, and high-availability configurations using Availability Sets (for fault/update domains) and Availability Zones (for datacenter resilience).
  • Virtual Machine Scale Sets provide automated scaling of identical VMs, while Azure Bastion provides secure, seamless RDP/SSH access without exposing public IPs.
  • Network security is layered: use Network Security Groups for basic port filtering, Azure Firewall for centralized network-level policy, and Application Gateway for layer-7 web traffic management.
  • Connect on-premises networks using a VPN Gateway (over internet) or ExpressRoute (private connection), and manage name resolution with Azure DNS (public) and Azure Private DNS zones (internal).
  • Platform services abstract infrastructure management: an App Service plan defines the compute for web apps, Azure Container Instances run single containers simply, and Azure Kubernetes Service manages orchestrated container workloads.
