Deploy and Manage Azure Compute Resources - Q&A
This document contains comprehensive questions and answers for the Deploy and Manage Azure Compute Resources domain of the AZ-104 exam (20-25% weight).
📚 Reference Links
- Azure Virtual Machines Documentation
- ARM Templates Documentation
- Azure App Service Documentation
- AZ-104 Study Guide
Section 1: Infrastructure as Code
Q1.1: What are ARM templates and how do they work?
Answer: ARM (Azure Resource Manager) templates are JSON files that define Azure infrastructure using declarative syntax.
Template Structure:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": { },
"variables": { },
"functions": [ ],
"resources": [ ],
"outputs": { }
}Template Sections:
| Section | Required | Description |
|---|---|---|
| $schema | Yes | Schema location |
| contentVersion | Yes | Template version |
| parameters | No | Input values at deployment |
| variables | No | Reusable values |
| functions | No | User-defined functions |
| resources | Yes | Resources to deploy |
| outputs | No | Return values |
Example Template:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"storageSku": "Standard_LRS"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-09-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "[variables('storageSku')]"
},
"kind": "StorageV2"
}
],
"outputs": {
"storageEndpoint": {
"type": "string",
"value": "[reference(parameters('storageAccountName')).primaryEndpoints.blob]"
}
}
}Deploying Templates:
# Deploy to resource group
az deployment group create \
--resource-group "MyResourceGroup" \
--template-file "azuredeploy.json" \
--parameters storageAccountName="mystorageaccount"
# Deploy with parameter file
az deployment group create \
--resource-group "MyResourceGroup" \
--template-file "azuredeploy.json" \
--parameters @azuredeploy.parameters.jsonDocumentation Links:
Q1.2: What is Bicep and how does it compare to ARM templates?
Answer: Bicep is a domain-specific language (DSL) for deploying Azure resources that compiles to ARM templates.
Bicep Advantages:
- Simpler, cleaner syntax
- No JSON complexity
- First-class tooling (VS Code extension)
- Automatic dependency management
- Type safety and validation
- Modules for reusability
Syntax Comparison:
ARM Template (JSON):
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-09-01",
"name": "[parameters('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2"
}Bicep:
param storageAccountName string
param location string = resourceGroup().location
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
name: storageAccountName
location: location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
}
output blobEndpoint string = storageAccount.properties.primaryEndpoints.blobBicep Features:
Parameters:
@description('Storage account name')
@minLength(3)
@maxLength(24)
param storageAccountName string
@allowed([
'Standard_LRS'
'Standard_GRS'
])
param skuName string = 'Standard_LRS'Variables:
var uniqueName = '${storageAccountName}${uniqueString(resourceGroup().id)}'Modules:
module storage './modules/storage.bicep' = {
name: 'storageDeployment'
params: {
storageAccountName: 'mystorage'
location: location
}
}Deploying Bicep:
# Deploy Bicep file
az deployment group create \
--resource-group "MyResourceGroup" \
--template-file "main.bicep" \
--parameters storageAccountName="mystorageaccount"
# Build to ARM template
az bicep build --file main.bicep
# Decompile ARM to Bicep
az bicep decompile --file azuredeploy.jsonDocumentation Links:
Q1.3: What are the deployment modes and what-if analysis?
Answer: ARM/Bicep deployments support two modes that determine how existing resources are handled.
Deployment Modes:
1. Incremental (Default):
- Adds new resources
- Updates existing resources
- Leaves resources not in template unchanged
- Safer for production
2. Complete:
- Adds new resources
- Updates existing resources
- Deletes resources not in template
- Use with caution!
Mode Comparison:
| Scenario | Incremental | Complete |
|---|---|---|
| Resource in template, not in Azure | Created | Created |
| Resource in template and Azure | Updated | Updated |
| Resource in Azure, not in template | Unchanged | Deleted |
Specifying Mode:
# Incremental (default)
az deployment group create \
--resource-group "MyResourceGroup" \
--template-file "main.bicep" \
--mode Incremental
# Complete (dangerous!)
az deployment group create \
--resource-group "MyResourceGroup" \
--template-file "main.bicep" \
--mode CompleteWhat-If Analysis: Preview changes before deployment:
# What-if for incremental
az deployment group what-if \
--resource-group "MyResourceGroup" \
--template-file "main.bicep"
# What-if for complete mode
az deployment group what-if \
--resource-group "MyResourceGroup" \
--template-file "main.bicep" \
--mode CompleteWhat-If Output:
- Create: Resource will be created
- Delete: Resource will be deleted
- Modify: Resource will be modified
- NoChange: Resource unchanged
- Ignore: Resource not evaluated
Best Practices:
- Always use what-if before production deployments
- Use incremental mode unless you specifically need complete
- Test complete mode in non-production first
- Consider resource locks for critical resources
Documentation Links:
Section 2: Virtual Machines
Q2.1: What are the VM availability options?
Answer: Azure provides several options to ensure VM availability:
1. Availability Sets:
- Logical grouping within a datacenter
- Protects against hardware failures
- Up to 3 fault domains, 20 update domains
- 99.95% SLA
Fault Domains:
- Separate power and network
- Hardware failure isolation
Update Domains:
- Separate maintenance windows
- Rolling updates
# Create availability set
az vm availability-set create \
--name "WebAvailSet" \
--resource-group "Compute-RG" \
--platform-fault-domain-count 2 \
--platform-update-domain-count 5
# Create VM in availability set
az vm create \
--resource-group "Compute-RG" \
--name "WebVM1" \
--availability-set "WebAvailSet" \
--image Ubuntu22042. Availability Zones:
- Physically separate datacenters within a region
- Independent power, cooling, networking
- Protects against datacenter failures
- 99.99% SLA
# Create VM in specific zone
az vm create \
--resource-group "Compute-RG" \
--name "WebVM1" \
--zone 1 \
--image Ubuntu22043. Virtual Machine Scale Sets:
- Group of identical VMs
- Auto-scaling based on demand
- Supports availability zones
- Managed updates
Comparison:
| Feature | Availability Set | Availability Zone | Scale Set |
|---|---|---|---|
| Scope | Datacenter | Region | Region |
| SLA | 99.95% | 99.99% | 99.95%+ |
| Auto-scale | No | No | Yes |
| Protection | Hardware failure | Datacenter failure | Both |
Documentation Links:
Q2.2: What are VM sizes and how do you choose?
Answer: Azure VMs come in various sizes optimized for different workloads.
VM Size Families:
| Family | Optimized For | Use Cases |
|---|---|---|
| B | Burstable | Dev/test, low traffic web |
| D | General purpose | Most workloads |
| E | Memory optimized | Databases, caching |
| F | Compute optimized | Batch, gaming, analytics |
| G | Memory + storage | Large databases |
| H | High performance compute | Simulations, modeling |
| L | Storage optimized | Big data, NoSQL |
| M | Memory optimized | SAP HANA, large databases |
| N | GPU | AI/ML, rendering |
Size Naming Convention:[Family][Sub-family][vCPUs][Constrained vCPUs][Additive Features][Accelerator Type][Version]
Example: Standard_D4s_v5
- D = General purpose
- 4 = 4 vCPUs
- s = Premium storage capable
- v5 = Version 5
Common Suffixes:
- s: Premium storage support
- d: Local temp disk
- a: AMD processor
- i: Isolated size
- m: Memory intensive
- t: Tiny memory
Listing and Resizing VMs:
# List available sizes in region
az vm list-sizes --location "eastus" --output table
# List sizes available for existing VM
az vm list-vm-resize-options \
--resource-group "Compute-RG" \
--name "MyVM" \
--output table
# Resize VM (requires deallocation for some sizes)
az vm resize \
--resource-group "Compute-RG" \
--name "MyVM" \
--size "Standard_D4s_v5"Resize Considerations:
- Some resizes require VM deallocation
- Cannot resize across hardware clusters
- Check available sizes before planning
Documentation Links:
Q2.3: What are VM extensions?
Answer: VM extensions are small applications that provide post-deployment configuration and automation.
Common Extensions:
| Extension | Purpose |
|---|---|
| CustomScript | Run scripts on VMs |
| DSC | PowerShell Desired State Configuration |
| AzureMonitorAgent | Monitoring and logging |
| AADLoginForWindows | Entra ID login |
| IaaSAntimalware | Microsoft Antimalware |
| BGInfo | Desktop background info |
| DependencyAgent | VM Insights dependencies |
Custom Script Extension:
# Linux - run script from URL
az vm extension set \
--resource-group "Compute-RG" \
--vm-name "LinuxVM" \
--name "customScript" \
--publisher "Microsoft.Azure.Extensions" \
--settings '{"fileUris": ["https://raw.githubusercontent.com/user/repo/script.sh"], "commandToExecute": "./script.sh"}'
# Windows - run PowerShell
az vm extension set \
--resource-group "Compute-RG" \
--vm-name "WindowsVM" \
--name "CustomScriptExtension" \
--publisher "Microsoft.Compute" \
--settings '{"fileUris": ["https://storage.blob.core.windows.net/scripts/install.ps1"], "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File install.ps1"}'Azure Monitor Agent:
# Install Azure Monitor Agent
az vm extension set \
--resource-group "Compute-RG" \
--vm-name "LinuxVM" \
--name "AzureMonitorLinuxAgent" \
--publisher "Microsoft.Azure.Monitor"Listing Extensions:
# List installed extensions
az vm extension list \
--resource-group "Compute-RG" \
--vm-name "MyVM" \
--output table
# List available extensions
az vm extension image list --output tableDocumentation Links:
Q2.4: What is Azure Bastion?
Answer: Azure Bastion provides secure RDP/SSH connectivity to VMs without public IP addresses.
Key Features:
- Browser-based access (no client needed)
- No public IP on VMs required
- Protection against port scanning
- Hardened against zero-day exploits
- Integrated with Azure portal
SKUs:
| Feature | Basic | Standard |
|---|---|---|
| Concurrent connections | 25 | 50 |
| Native client support | No | Yes |
| Upload/download files | No | Yes |
| Shareable link | No | Yes |
| Kerberos auth | No | Yes |
Deploying Bastion:
# Create Bastion subnet (must be named AzureBastionSubnet)
az network vnet subnet create \
--resource-group "Compute-RG" \
--vnet-name "MyVNet" \
--name "AzureBastionSubnet" \
--address-prefix "10.0.1.0/26"
# Create public IP for Bastion
az network public-ip create \
--resource-group "Compute-RG" \
--name "BastionIP" \
--sku Standard \
--allocation-method Static
# Create Bastion host
az network bastion create \
--resource-group "Compute-RG" \
--name "MyBastion" \
--vnet-name "MyVNet" \
--public-ip-address "BastionIP" \
--sku StandardRequirements:
- Dedicated subnet named "AzureBastionSubnet"
- Minimum /26 subnet
- Standard SKU public IP
- No NSG on Bastion subnet (or specific rules)
Documentation Links:
Section 3: VM Scale Sets
Q3.1: What are Virtual Machine Scale Sets?
Answer: VM Scale Sets (VMSS) let you create and manage a group of identical, load-balanced VMs.
Key Features:
- Automatic scaling based on metrics
- High availability across zones
- Automatic OS updates
- Large-scale deployments (up to 1000 VMs)
- Integration with Azure Load Balancer
Orchestration Modes:
Uniform:
- Identical VMs from same model
- Best for stateless workloads
- Automatic scaling
- Traditional VMSS behavior
Flexible:
- Mix different VM sizes
- Manual or automatic scaling
- Better for stateful workloads
- More control over individual VMs
Creating Scale Set:
# Create VMSS with autoscaling
az vmss create \
--resource-group "Compute-RG" \
--name "WebVMSS" \
--image Ubuntu2204 \
--vm-sku Standard_B2s \
--instance-count 2 \
--admin-username azureuser \
--generate-ssh-keys \
--upgrade-policy-mode Automatic \
--zones 1 2 3Scale Set Components:
- Instance count: Number of VMs
- Upgrade policy: How updates are applied
- Scaling policy: When to scale
- Health probes: Monitor instance health
Documentation Links:
Q3.2: How do you configure autoscaling for VMSS?
Answer: Autoscaling automatically adjusts the number of VM instances based on demand.
Autoscale Components:
1. Autoscale Setting:
- Contains profiles and rules
- Attached to VMSS
2. Profile:
- Default or scheduled
- Contains capacity and rules
3. Rules:
- Metric-based triggers
- Scale actions
Configuring Autoscale:
# Create autoscale setting
az monitor autoscale create \
--resource-group "Compute-RG" \
--resource "WebVMSS" \
--resource-type Microsoft.Compute/virtualMachineScaleSets \
--name "WebVMSS-Autoscale" \
--min-count 2 \
--max-count 10 \
--count 2
# Add scale-out rule (CPU > 70%)
az monitor autoscale rule create \
--resource-group "Compute-RG" \
--autoscale-name "WebVMSS-Autoscale" \
--condition "Percentage CPU > 70 avg 5m" \
--scale out 2
# Add scale-in rule (CPU < 30%)
az monitor autoscale rule create \
--resource-group "Compute-RG" \
--autoscale-name "WebVMSS-Autoscale" \
--condition "Percentage CPU < 30 avg 5m" \
--scale in 1Common Metrics:
- Percentage CPU
- Network In/Out
- Disk Read/Write Bytes
- Memory percentage (requires agent)
- Custom metrics
Scale Actions:
- Increase count by: Add fixed number
- Increase count to: Set to specific number
- Increase percent by: Add percentage
Best Practices:
- Use multiple metrics (CPU + memory)
- Set appropriate cooldown periods
- Scale out quickly, scale in slowly
- Test scaling behavior
- Set appropriate min/max limits
Documentation Links:
Section 4: Containers
Q4.1: What is Azure Container Instances (ACI)?
Answer: Azure Container Instances provides the fastest and simplest way to run containers in Azure.
Key Features:
- No VM management
- Per-second billing
- Fast startup (seconds)
- Linux and Windows containers
- Public IP or VNet integration
- Persistent storage with Azure Files
Creating Container Instance:
# Simple container
az container create \
--resource-group "Compute-RG" \
--name "mycontainer" \
--image nginx:latest \
--cpu 1 \
--memory 1.5 \
--ports 80 \
--dns-name-label "myapp-$(date +%s)" \
--ip-address Public
# Container with environment variables
az container create \
--resource-group "Compute-RG" \
--name "webapp" \
--image myregistry.azurecr.io/webapp:v1 \
--cpu 2 \
--memory 4 \
--ports 80 443 \
--environment-variables 'DB_HOST=mydb.database.azure.com' \
--secure-environment-variables 'DB_PASSWORD=secret123'Container Groups: Multiple containers sharing lifecycle, network, and storage:
# container-group.yaml
apiVersion: 2021-09-01
location: eastus
name: myContainerGroup
properties:
containers:
- name: webapp
properties:
image: nginx
ports:
- port: 80
resources:
requests:
cpu: 1
memoryInGb: 1.5
- name: sidecar
properties:
image: busybox
command: ["/bin/sh", "-c", "while true; do echo hello; sleep 10; done"]
resources:
requests:
cpu: 0.5
memoryInGb: 0.5
osType: Linux
ipAddress:
type: Public
ports:
- port: 80# Deploy container group
az container create \
--resource-group "Compute-RG" \
--file container-group.yamlUse Cases:
- Simple applications
- Task automation
- Build jobs
- Event-driven processing
- Dev/test environments
Documentation Links:
Q4.2: What is Azure Container Registry (ACR)?
Answer: Azure Container Registry is a managed Docker registry for storing and managing container images.
SKUs:
| Feature | Basic | Standard | Premium |
|---|---|---|---|
| Storage | 10 GiB | 100 GiB | 500 GiB |
| Webhooks | 2 | 10 | 500 |
| Geo-replication | No | No | Yes |
| Private link | No | No | Yes |
| Content trust | No | No | Yes |
Creating ACR:
# Create registry
az acr create \
--resource-group "Compute-RG" \
--name "myregistry" \
--sku Standard \
--admin-enabled true
# Login to registry
az acr login --name "myregistry"
# Get login server
az acr show --name "myregistry" --query loginServerWorking with Images:
# Tag image for ACR
docker tag myimage:v1 myregistry.azurecr.io/myimage:v1
# Push image
docker push myregistry.azurecr.io/myimage:v1
# List repositories
az acr repository list --name "myregistry" --output table
# List tags
az acr repository show-tags --name "myregistry" --repository myimage
# Delete image
az acr repository delete --name "myregistry" --image myimage:v1ACR Tasks: Automated image builds:
# Quick build
az acr build \
--registry "myregistry" \
--image myimage:v1 \
--file Dockerfile .
# Create build task (triggered by git commit)
az acr task create \
--registry "myregistry" \
--name "buildtask" \
--image myimage:{{.Run.ID}} \
--context https://github.com/user/repo.git \
--file Dockerfile \
--git-access-token $PATDocumentation Links:
Q4.3: What is Azure Kubernetes Service (AKS)?
Answer: Azure Kubernetes Service is a managed Kubernetes container orchestration service.
Key Features:
- Managed control plane (free)
- Automatic upgrades and patching
- Integration with Azure services
- Multiple node pools
- Azure CNI or kubenet networking
- Azure AD integration
Creating AKS Cluster:
# Create AKS cluster
az aks create \
--resource-group "Compute-RG" \
--name "myAKSCluster" \
--node-count 3 \
--node-vm-size Standard_D2s_v3 \
--enable-managed-identity \
--generate-ssh-keys \
--zones 1 2 3
# Get credentials
az aks get-credentials \
--resource-group "Compute-RG" \
--name "myAKSCluster"
# Verify connection
kubectl get nodesNode Pools:
# Add node pool
az aks nodepool add \
--resource-group "Compute-RG" \
--cluster-name "myAKSCluster" \
--name "gpupool" \
--node-count 2 \
--node-vm-size Standard_NC6 \
--labels workload=gpu
# Scale node pool
az aks nodepool scale \
--resource-group "Compute-RG" \
--cluster-name "myAKSCluster" \
--name "nodepool1" \
--node-count 5AKS Networking:
| Option | Description |
|---|---|
| kubenet | Basic networking, NAT for pods |
| Azure CNI | Pods get VNet IPs |
| Azure CNI Overlay | Pods get overlay IPs |
Cluster Autoscaler:
# Enable cluster autoscaler
az aks update \
--resource-group "Compute-RG" \
--name "myAKSCluster" \
--enable-cluster-autoscaler \
--min-count 1 \
--max-count 10Documentation Links:
Section 5: Azure App Service
Q5.1: What is Azure App Service?
Answer: Azure App Service is a fully managed platform for building, deploying, and scaling web applications.
App Service Features:
- Multiple languages (Node.js, Python, .NET, Java, PHP)
- Auto-scaling
- CI/CD integration
- Custom domains and SSL
- Authentication/authorization
- Deployment slots
App Service Plans:
| Tier | Features | Use Case |
|---|---|---|
| Free/Shared | Limited resources, shared | Dev/test |
| Basic | Dedicated compute | Dev/test |
| Standard | Auto-scale, slots, backups | Production |
| Premium | More scale, VNet integration | High-performance |
| Isolated | Private, dedicated environment | Compliance |
Creating App Service:
# Create App Service plan
az appservice plan create \
--name "MyAppPlan" \
--resource-group "Compute-RG" \
--sku S1 \
--is-linux
# Create web app
az webapp create \
--resource-group "Compute-RG" \
--plan "MyAppPlan" \
--name "mywebapp-unique" \
--runtime "NODE:18-lts"
# Deploy from GitHub
az webapp deployment source config \
--resource-group "Compute-RG" \
--name "mywebapp-unique" \
--repo-url "https://github.com/user/repo" \
--branch main \
--manual-integrationDocumentation Links:
Q5.2: What are deployment slots?
Answer: Deployment slots are live apps with their own hostnames, used for staging and testing before production.
Slot Features:
- Separate configuration
- Swap with production
- Auto-swap option
- Traffic routing
- Slot-specific settings
Creating and Using Slots:
# Create staging slot
az webapp deployment slot create \
--resource-group "Compute-RG" \
--name "mywebapp" \
--slot staging
# Deploy to staging
az webapp deployment source config \
--resource-group "Compute-RG" \
--name "mywebapp" \
--slot staging \
--repo-url "https://github.com/user/repo" \
--branch develop
# Swap staging to production
az webapp deployment slot swap \
--resource-group "Compute-RG" \
--name "mywebapp" \
--slot staging \
--target-slot production
# Swap with preview (multi-phase)
az webapp deployment slot swap \
--resource-group "Compute-RG" \
--name "mywebapp" \
--slot staging \
--action preview
# Complete or cancel swap
az webapp deployment slot swap \
--resource-group "Compute-RG" \
--name "mywebapp" \
--slot staging \
--action swap # or resetSlot Settings:
- Slot-specific: Stay with slot (connection strings, app settings marked as slot)
- Swapped: Move with content (most app settings)
Traffic Routing:
# Route 10% traffic to staging
az webapp traffic-routing set \
--resource-group "Compute-RG" \
--name "mywebapp" \
--distribution staging=10Documentation Links:
Practice Questions
Question 1
You need to deploy 50 VMs with identical configuration that can automatically scale based on CPU usage. What should you use?
A. Availability Set
B. Availability Zone
C. VM Scale Set
D. Multiple individual VMs
Answer: C
VM Scale Sets are designed for deploying and managing identical VMs with automatic scaling capabilities. Availability Sets don't provide auto-scaling.
Question 2
You're deploying resources using an ARM template. You want to see what changes will be made without actually deploying. What should you use?
A. Incremental mode
B. Complete mode
C. What-if operation
D. Validate operation
Answer: C
What-if operation shows the changes that would be made by a deployment without actually making them. Validate only checks syntax, not the actual changes.
Question 3
You have a web app in production. You need to test a new version without affecting users. What should you do?
A. Create a new App Service plan
B. Use a deployment slot
C. Create a new web app
D. Use Azure DevOps
Answer: B
Deployment slots allow you to deploy and test new versions in a staging environment, then swap to production with minimal downtime.
Question 4
You need to run a container for a batch job that runs once per day for about 10 minutes. What is the most cost-effective option?
A. Azure Kubernetes Service
B. Azure Container Instances
C. VM with Docker
D. App Service Container
Answer: B
Azure Container Instances is billed per-second and requires no infrastructure management, making it ideal for short-running batch jobs.
Question 5
You're using Complete deployment mode with an ARM template. A storage account exists in the resource group but is not in the template. What happens?
A. The storage account is unchanged
B. The storage account is deleted
C. The deployment fails
D. The storage account is updated
Answer: B
Complete mode deletes resources that exist in the resource group but are not defined in the template. This is why Complete mode should be used with caution.
Summary
Key topics for the Compute domain:
- ARM Templates: Structure, parameters, variables, functions
- Bicep: Syntax, modules, deployment
- Deployment Modes: Incremental vs Complete, what-if
- VM Availability: Availability Sets, Zones, Scale Sets
- VM Sizes: Families, naming, resizing
- VM Extensions: Custom Script, monitoring agents
- Azure Bastion: Secure RDP/SSH access
- VMSS: Autoscaling, upgrade policies
- ACI: Container groups, quick deployments
- ACR: Image management, tasks
- AKS: Managed Kubernetes, node pools
- App Service: Plans, deployment, slots