Monitor and Maintain Azure Resources - Q&A
This document contains comprehensive questions and answers for the Monitor and Maintain Azure Resources domain of the AZ-104 exam (10-15% weight).
📚 Reference Links
- Azure Monitor Documentation
- Azure Backup Documentation
- Azure Site Recovery Documentation
- AZ-104 Study Guide
Section 1: Azure Monitor
Q1.1: What is Azure Monitor and what are its components?
Answer: Azure Monitor is a comprehensive monitoring solution for collecting, analyzing, and acting on telemetry from Azure and on-premises environments.
Core Components:
| Component | Description |
|---|---|
| Metrics | Numerical time-series data |
| Logs | Text-based records in Log Analytics |
| Alerts | Notifications based on conditions |
| Insights | Pre-built monitoring solutions |
| Workbooks | Interactive reports |
Data Sources:
- Application (Application Insights)
- Operating system (Azure Monitor Agent)
- Azure resources (Platform metrics/logs)
- Azure subscription (Activity log)
- Azure tenant (Entra ID logs)
- Custom sources (APIs)
Data Destinations:
- Metrics database (90 days retention)
- Log Analytics workspace (configurable retention)
- Azure Storage (long-term archive)
- Event Hubs (streaming to external systems)
Key Features:
```bash
# View available metrics for a resource
az monitor metrics list-definitions \
  --resource "/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/virtualMachines/myVM"

# Get metric values
az monitor metrics list \
  --resource "/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/virtualMachines/myVM" \
  --metric "Percentage CPU" \
  --interval PT1H
```
Q1.2: What is the difference between metrics and logs?
Answer: Metrics and logs serve different monitoring purposes.
Metrics:
- Numerical values at regular intervals
- Lightweight, near real-time
- Stored in time-series database
- 90-day retention (free)
- Best for alerting and dashboards
Logs:
- Rich, structured data
- Variable schema
- Stored in Log Analytics workspace
- Configurable retention (up to 2 years)
- Best for deep analysis and troubleshooting
Comparison:
| Aspect | Metrics | Logs |
|---|---|---|
| Data type | Numbers | Text/structured |
| Collection | Automatic | Configured |
| Latency | Near real-time | Minutes |
| Query | Metrics Explorer | KQL |
| Cost | Free (90 days) | Per GB ingested |
| Use case | Dashboards, alerts | Analysis, troubleshooting |
Platform Metrics vs Custom Metrics:
Platform Metrics:
- Automatically collected
- No configuration needed
- Standard Azure resource metrics
Custom Metrics:
- Application-defined
- Sent via API or agent
- Business-specific data
Diagnostic Settings:
```bash
# Enable diagnostic settings for a resource
# The StorageRead/StorageWrite/StorageDelete log categories are exposed on the
# per-service sub-resource (here blobServices/default), not on the storage account itself.
az monitor diagnostic-settings create \
  --resource "/subscriptions/.../resourceGroups/.../providers/Microsoft.Storage/storageAccounts/mystorage/blobServices/default" \
  --name "SendToLogAnalytics" \
  --workspace "/subscriptions/.../resourceGroups/.../providers/Microsoft.OperationalInsights/workspaces/myworkspace" \
  --logs '[{"category": "StorageRead", "enabled": true}]' \
  --metrics '[{"category": "Transaction", "enabled": true}]'
```
Q1.3: What is the Activity Log?
Answer: The Activity Log records subscription-level events in Azure.
Event Categories:
| Category | Description |
|---|---|
| Administrative | Create, update, delete operations |
| Service Health | Azure service incidents |
| Resource Health | Resource availability changes |
| Alert | Alert activations |
| Autoscale | Scaling events |
| Recommendation | Azure Advisor recommendations |
| Security | Security Center alerts |
| Policy | Azure Policy events |
Viewing Activity Log:
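```bash
# List activity log events
az monitor activity-log list \
  --resource-group "MyResourceGroup" \
  --start-time "2025-01-01T00:00:00Z" \
  --end-time "2025-01-31T23:59:59Z"

# Filter by operation
# The time range is set with --start-time/--end-time; the operation is matched
# client-side with a JMESPath expression passed to the global --query argument.
az monitor activity-log list \
  --resource-group "MyResourceGroup" \
  --start-time "2025-01-01T00:00:00Z" \
  --end-time "2025-01-31T23:59:59Z" \
  --query "[?operationName.value=='Microsoft.Compute/virtualMachines/write']"
```
Activity Log Retention: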
- 90 days in Azure portal (free)
- Export to Log Analytics for longer retention
- Export to Storage for archival
Exporting Activity Log:
```bash
# Create diagnostic setting for subscription
az monitor diagnostic-settings subscription create \
  --name "ExportActivityLog" \
  --location "global" \
  --workspace "/subscriptions/.../resourceGroups/.../providers/Microsoft.OperationalInsights/workspaces/myworkspace" \
  --logs '[{"category": "Administrative", "enabled": true}, {"category": "Security", "enabled": true}]'
```
Section 2: Alerts and Action Groups
Q2.1: What are the types of alerts in Azure Monitor?
Answer: Azure Monitor supports multiple alert types for different scenarios.
Alert Types:
| Type | Data Source | Use Case |
|---|---|---|
| Metric alerts | Metrics | Resource performance |
| Log alerts | Log Analytics | Complex queries |
| Activity log alerts | Activity log | Administrative events |
| Service health alerts | Service Health | Azure outages |
| Smart detection | Application Insights | Anomaly detection |
Metric Alert Example:
```bash
# Create metric alert for high CPU
az monitor metrics alert create \
  --name "HighCPUAlert" \
  --resource-group "Monitor-RG" \
  --scopes "/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/virtualMachines/myVM" \
  --condition "avg Percentage CPU > 80" \
  --window-size 5m \
  --evaluation-frequency 1m \
  --action "/subscriptions/.../resourceGroups/.../providers/Microsoft.Insights/actionGroups/myActionGroup" \
  --description "Alert when CPU exceeds 80%"
```
Log Alert Example:
```bash
# Create log alert for failed logins
# The condition refers to the query through a placeholder name (FailedLogins here),
# which --condition-query binds to the KQL text.
az monitor scheduled-query create \
  --name "FailedLoginsAlert" \
  --resource-group "Monitor-RG" \
  --scopes "/subscriptions/.../resourceGroups/.../providers/Microsoft.OperationalInsights/workspaces/myworkspace" \
  --condition "count 'FailedLogins' > 5" \
  --condition-query FailedLogins="SecurityEvent | where EventID == 4625" \
  --window-size 15m \
  --evaluation-frequency 5m \
  --action-groups "/subscriptions/.../resourceGroups/.../providers/Microsoft.Insights/actionGroups/myActionGroup"
```
Activity Log Alert Example:
```bash
# Create alert for VM deletion
az monitor activity-log alert create \
  --name "VMDeletedAlert" \
  --resource-group "Monitor-RG" \
  --condition category=Administrative and operationName="Microsoft.Compute/virtualMachines/delete" \
  --action-group "/subscriptions/.../resourceGroups/.../providers/Microsoft.Insights/actionGroups/myActionGroup"
```
Alert States:
- New: Alert fired, not acknowledged
- Acknowledged: Being investigated
- Closed: Resolved
Q2.2: What are Action Groups?
Answer: Action Groups define notification and automation actions triggered by alerts.
Action Types:
| Action | Description |
|---|---|
| Email/SMS/Push/Voice | Notify people |
| Azure Function | Run serverless code |
| Logic App | Run workflow |
| Webhook | Call external URL |
| ITSM | Create ticket in ITSM tool |
| Automation Runbook | Run Azure Automation |
| Event Hub | Stream to Event Hub |
| Secure Webhook | Webhook with Entra auth |
Creating Action Group:
```bash
# Create action group with email and SMS
az monitor action-group create \
  --name "ITOpsTeam" \
  --resource-group "Monitor-RG" \
  --short-name "ITOps" \
  --action email admin admin@contoso.com \
  --action sms oncall 1 5551234567

# Create action group with webhook
az monitor action-group create \
  --name "AutoRemediation" \
  --resource-group "Monitor-RG" \
  --short-name "AutoRem" \
  --action webhook remediate https://myfunction.azurewebsites.net/api/remediate
```
Action Group Limits:
- 10 email actions per group
- 10 SMS actions per group
- 10 voice actions per group
- 10 webhook actions per group
- 5 ITSM actions per group
Rate Limits:
- SMS: 1 per 5 minutes
- Voice: 1 per 5 minutes
- Email: 100 per hour
Section 3: Log Analytics
Q3.1: What is Log Analytics?
Answer: Log Analytics is a tool for querying and analyzing log data collected by Azure Monitor.
Key Components:
Log Analytics Workspace:
- Central repository for log data
- Configurable retention (30 days to 2 years)
- Access control via RBAC
- Multiple data sources
Creating Workspace:
```bash
# Create Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group "Monitor-RG" \
  --workspace-name "MyWorkspace" \
  --location "eastus" \
  --retention-time 90
```
Data Collection:
- Azure resources (diagnostic settings)
- VMs (Azure Monitor Agent)
- Applications (Application Insights)
- Custom sources (Data Collector API)
Workspace Architecture Options:
| Design | Description | Use Case |
|---|---|---|
| Centralized | Single workspace | Small organizations |
| Decentralized | Workspace per team/region | Large organizations |
| Hybrid | Mix of both | Complex requirements |
Access Control:
- Workspace-level: Access to all data
- Resource-level: Access to specific resource data
- Table-level: Access to specific tables
Q3.2: What is Kusto Query Language (KQL)?
Answer: KQL is the query language used to analyze data in Log Analytics.
Basic Query Structure:
```kql
TableName
| where TimeGenerated > ago(1h)
| where Column == "value"
| summarize count() by AnotherColumn
| order by count_ desc
```
Common Operators:
| Operator | Description | Example |
|---|---|---|
| where | Filter rows | where Status == "Error" |
| project | Select columns | project Name, Status |
| summarize | Aggregate | summarize count() by Type |
| order by | Sort | order by TimeGenerated desc |
| take | Limit rows | take 100 |
| extend | Add column | extend Duration = EndTime - StartTime |
| join | Combine tables | join kind=inner Table2 on Id |
| render | Visualize | render timechart |
Common Functions:
| Function | Description | Example |
|---|---|---|
| ago() | Time offset | ago(1h), ago(7d) |
| now() | Current time | now() |
| count() | Count rows | summarize count() |
| avg() | Average | summarize avg(Value) |
| sum() | Sum | summarize sum(Bytes) |
| bin() | Time buckets | bin(TimeGenerated, 1h) |
| contains | String search | where Message contains "error" |
Example Queries:
VM CPU Usage:
```kql
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| where TimeGenerated > ago(1h)
| summarize AvgCPU = avg(CounterValue) by Computer, bin(TimeGenerated, 5m)
| render timechart
```
Failed Sign-ins:
```kql
// ResultType is a string column in SigninLogs; "0" means success
SigninLogs
| where ResultType != "0"
| where TimeGenerated > ago(24h)
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| order by FailedAttempts desc
| take 10
```
Storage Operations:
```kql
// StatusCode is a string column in StorageBlobLogs, so convert it before the numeric comparison
StorageBlobLogs
| where TimeGenerated > ago(1h)
| where toint(StatusCode) >= 400
| summarize ErrorCount = count() by OperationName, StatusCode
| order by ErrorCount desc
```
Resource Changes:
```kql
AzureActivity
| where OperationNameValue endswith "write" or OperationNameValue endswith "delete"
| where TimeGenerated > ago(24h)
| project TimeGenerated, Caller, OperationNameValue, ResourceGroup
| order by TimeGenerated desc
```
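An added example (not part of the original guide) that applies the operators above to the failed-logon rule from Q2.1: it counts Event ID 4625 per source in 15-minute bins and keeps only the bins that exceed the alert threshold. The `SampleSecurityEvent` table, its rows, and the `Pattern` label are constructed for illustration so the query runs without any ingested data.

```kql
// Constructed sample rows standing in for the SecurityEvent table (not real data).
let SampleSecurityEvent = datatable(TimeGenerated: datetime, Computer: string, EventID: int,
                                    TargetAccount: string, IpAddress: string)
[
    datetime(2025-01-15 10:01:00), "web01", 4625, "admin",   "203.0.113.5",
    datetime(2025-01-15 10:02:00), "web01", 4625, "backup",  "203.0.113.5",
    datetime(2025-01-15 10:03:00), "web01", 4625, "svc-sql", "203.0.113.5",
    datetime(2025-01-15 10:04:00), "web01", 4625, "jsmith",  "203.0.113.5",
    datetime(2025-01-15 10:06:00), "web01", 4625, "mlee",    "203.0.113.5",
    datetime(2025-01-15 10:09:00), "web01", 4625, "admin",   "203.0.113.5",
    datetime(2025-01-15 10:12:00), "web01", 4625, "guest",   "203.0.113.5",
    datetime(2025-01-15 10:16:00), "db01",  4625, "svc-sql", "198.51.100.7",
    datetime(2025-01-15 10:18:00), "db01",  4625, "svc-sql", "198.51.100.7",
    datetime(2025-01-15 10:20:00), "db01",  4625, "svc-sql", "198.51.100.7",
    datetime(2025-01-15 10:22:00), "db01",  4625, "svc-sql", "198.51.100.7",
    datetime(2025-01-15 10:25:00), "db01",  4625, "svc-sql", "198.51.100.7",
    datetime(2025-01-15 10:28:00), "db01",  4625, "svc-sql", "198.51.100.7",
    datetime(2025-01-15 10:20:00), "web01", 4625, "jsmith",  "192.0.2.10",
    datetime(2025-01-15 10:21:00), "web01", 4625, "jsmith",  "192.0.2.10",
    datetime(2025-01-15 10:22:00), "web01", 4624, "jsmith",  "192.0.2.10"
];
let Window = 15m;     // same span as --window-size 15m in the log alert
let Threshold = 5;    // same value as the "count > 5" condition
SampleSecurityEvent
| where EventID == 4625                          // failed logons only; the 4624 row is dropped
| summarize FailedLogons = count(),
            DistinctAccounts = dcount(TargetAccount),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, IpAddress, bin(TimeGenerated, Window)
| where FailedLogons > Threshold                 // the two-failure source stays below the threshold
| extend Pattern = iff(DistinctAccounts > 3,
                       "many accounts from one source",
                       "repeated failures on few accounts")
| project WindowStart = TimeGenerated, Computer, IpAddress,
          FailedLogons, DistinctAccounts, FirstSeen, LastSeen, Pattern
| order by FailedLogons desc
```

Replacing `SampleSecurityEvent` with `SecurityEvent` and adding a `TimeGenerated > ago(...)` filter runs the same logic against a workspace that collects Windows security events.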
Section 4: Azure Backup
Q4.1: What is Azure Backup?
Answer: Azure Backup provides simple, secure, and cost-effective solutions for backing up and recovering data.
Supported Workloads:
| Workload | Backup Method |
|---|---|
| Azure VMs | VM backup (full VM) |
| Azure Files | File share backup |
| SQL in Azure VM | SQL backup |
| SAP HANA in Azure VM | SAP HANA backup |
| Azure Blobs | Blob backup |
| Azure Disks | Disk backup |
| On-premises | MARS agent, MABS, DPM |
Backup Components:
Recovery Services Vault:
- Container for backup data
- Stores backup policies
- Manages recovery points
- Geo-redundant by default
Backup Policy:
- Schedule (daily, weekly)
- Retention (days, weeks, months, years)
- Instant restore snapshots
Creating Backup:
```bash
# Create Recovery Services vault
az backup vault create \
  --resource-group "Backup-RG" \
  --name "MyBackupVault" \
  --location "eastus"

# Enable backup for VM
az backup protection enable-for-vm \
  --resource-group "Backup-RG" \
  --vault-name "MyBackupVault" \
  --vm "MyVM" \
  --policy-name "DefaultPolicy"

# Trigger immediate backup
# --retain-until takes a UTC date in dd-mm-yyyy format
az backup protection backup-now \
  --resource-group "Backup-RG" \
  --vault-name "MyBackupVault" \
  --container-name "IaasVMContainer;iaasvmcontainerv2;Compute-RG;MyVM" \
  --item-name "VM;iaasvmcontainerv2;Compute-RG;MyVM" \
  --retain-until "31-12-2025"
```
Backup Storage Redundancy:
| Type | Description |
|---|---|
| LRS | 3 copies in single datacenter |
| ZRS | 3 copies across zones |
| GRS | 6 copies across regions |
Q4.2: How do you restore from Azure Backup?
Answer: Azure Backup provides multiple restore options depending on the workload.
VM Restore Options:
| Option | Description | Use Case |
|---|---|---|
| Create new VM | Restore to new VM | Replace failed VM |
| Replace existing | Restore disks to existing VM | In-place recovery |
| Restore disks | Restore disks only | Custom recovery |
| Cross-region | Restore to secondary region | DR scenario |
| File recovery | Mount disks, copy files | Recover specific files |
Restoring VM:
```bash
# List recovery points
az backup recoverypoint list \
  --resource-group "Backup-RG" \
  --vault-name "MyBackupVault" \
  --container-name "IaasVMContainer;iaasvmcontainerv2;Compute-RG;MyVM" \
  --item-name "VM;iaasvmcontainerv2;Compute-RG;MyVM"

# Restore VM
az backup restore restore-disks \
  --resource-group "Backup-RG" \
  --vault-name "MyBackupVault" \
  --container-name "IaasVMContainer;iaasvmcontainerv2;Compute-RG;MyVM" \
  --item-name "VM;iaasvmcontainerv2;Compute-RG;MyVM" \
  --rp-name "RecoveryPointName" \
  --storage-account "mystorageaccount" \
  --target-resource-group "Restore-RG"
```
File Recovery:
- Generate recovery script from portal
- Run script to mount recovery point as drive
- Copy needed files
- Unmount when complete
Instant Restore:
- Snapshots stored locally (1-5 days)
- Faster restore from snapshot
- No need to copy from vault
Section 5: Azure Site Recovery
Q5.1: What is Azure Site Recovery?
Answer: Azure Site Recovery (ASR) provides disaster recovery by replicating workloads to a secondary location.
Supported Scenarios:
| Source | Target |
|---|---|
| Azure VM | Another Azure region |
| VMware VM | Azure |
| Hyper-V VM | Azure |
| Physical servers | Azure |
Key Components:
Replication:
- Continuous data replication
- Application-consistent snapshots
- Crash-consistent snapshots
Recovery Plans:
- Orchestrated failover
- Multiple VMs in sequence
- Custom scripts and actions
Failover Types:
| Type | Description | Use Case |
|---|---|---|
| Test failover | Non-disruptive test | DR drills |
| Planned failover | Graceful failover | Maintenance |
| Unplanned failover | Emergency failover | Disaster |
Setting Up ASR for Azure VMs:
```bash
# Enable replication (via portal recommended)
# Key configuration:
# - Source region
# - Target region
# - Replication policy
# - Target resource group
# - Target virtual network
```
Recovery Plan Example:
```
Group 1: Database servers (start first)
- SQL Server VM
- Wait for SQL to be healthy
Group 2: Application servers
- App Server 1
- App Server 2
Group 3: Web servers (start last)
- Web Server 1
- Web Server 2
```
Q5.2: What is the difference between Azure Backup and Site Recovery?
Answer: Azure Backup and Site Recovery serve different purposes.
Comparison:
| Aspect | Azure Backup | Site Recovery |
|---|---|---|
| Purpose | Data protection | Disaster recovery |
| RPO | Hours to days | Minutes |
| RTO | Hours | Minutes to hours |
| Scope | Individual resources | Entire workloads |
| Replication | Point-in-time copies | Continuous |
| Cost | Per protected instance | Per protected instance |
When to Use Each:
Azure Backup:
- Protect against data loss
- Accidental deletion recovery
- Ransomware recovery
- Compliance requirements
- Long-term retention
Site Recovery:
- Business continuity
- Regional outage protection
- Datacenter migration
- DR testing
- Minimal downtime requirements
Combined Strategy:
- Use both for comprehensive protection
- Backup for data recovery
- ASR for business continuity
Section 6: Network Watcher
Q6.1: What is Network Watcher?
Answer: Network Watcher provides tools to monitor, diagnose, and gain insights into Azure network health.
Key Tools:
| Tool | Description |
|---|---|
| IP flow verify | Test if traffic is allowed/denied |
| Next hop | Determine next hop for traffic |
| Connection troubleshoot | Test connectivity between resources |
| NSG diagnostics | Analyze NSG rules |
| Packet capture | Capture network packets |
| Connection monitor | Monitor connectivity over time |
| Traffic analytics | Analyze NSG flow logs |
IP Flow Verify:
```bash
# Test if traffic is allowed
az network watcher test-ip-flow \
  --resource-group "Network-RG" \
  --vm "MyVM" \
  --direction Inbound \
  --protocol TCP \
  --local "10.0.0.4:80" \
  --remote "203.0.113.5:12345"
```
Connection Troubleshoot:
```bash
# Test connectivity
az network watcher test-connectivity \
  --resource-group "Network-RG" \
  --source-resource "SourceVM" \
  --dest-resource "DestVM" \
  --dest-port 443
```
NSG Flow Logs:
```bash
# Enable flow logs
# --location selects the regional Network Watcher and must match the NSG's region
# ("eastus" is an assumed value, as used elsewhere in this guide)
az network watcher flow-log create \
  --location "eastus" \
  --resource-group "Network-RG" \
  --name "MyFlowLog" \
  --nsg "MyNSG" \
  --storage-account "mystorageaccount" \
  --enabled true \
  --retention 7
```
Practice Questions
Question 1
You need to be notified when a VM is deleted in your subscription. What should you configure?
A. Metric alert
B. Log alert
C. Activity log alert
D. Service health alert
Answer: C
Activity log alerts monitor subscription-level events like resource creation, modification, and deletion. VM deletion is an administrative event captured in the Activity log.
Question 2
You want to analyze failed sign-in attempts over the past week. Which tool should you use?
A. Metrics Explorer
B. Log Analytics with KQL
C. Activity Log
D. Azure Advisor
Answer: B
Log Analytics with KQL allows you to query the SigninLogs table for detailed analysis of sign-in events. Metrics don't contain sign-in details.
Question 3
You need to protect VMs against regional outages with minimal data loss (RPO < 15 minutes). What should you use?
A. Azure Backup
B. Azure Site Recovery
C. VM snapshots
D. Availability Zones
Answer: B
Azure Site Recovery provides continuous replication with RPO of minutes, suitable for disaster recovery scenarios. Azure Backup has RPO of hours to days.
Question 4
Which KQL query returns the top 10 computers by average CPU usage?
A. Perf | where CounterName == "% Processor Time" | top 10 by CounterValue
B. Perf | where CounterName == "% Processor Time" | summarize avg(CounterValue) by Computer | top 10 by avg_CounterValue
C. Perf | where CounterName == "% Processor Time" | take 10
D. Perf | where CounterName == "% Processor Time" | order by CounterValue | take 10
Answer: B
You need to summarize (aggregate) by Computer to get the average per computer, then use top to get the highest values.
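An added example (not part of the original guide) that runs options A and B side by side on a constructed `SamplePerf` table, using `top 3` instead of `top 10` to fit the small sample. Option A ranks raw samples, so a computer with short spikes appears more than once, while option B returns one row per computer ranked by its average.

```kql
// Constructed sample rows standing in for the Perf table (not real data).
let SamplePerf = datatable(TimeGenerated: datetime, Computer: string,
                           CounterName: string, CounterValue: real)
[
    datetime(2025-01-15 10:00:00), "vm-batch", "% Processor Time", 99.0,
    datetime(2025-01-15 10:05:00), "vm-batch", "% Processor Time", 97.0,
    datetime(2025-01-15 10:10:00), "vm-batch", "% Processor Time", 5.0,
    datetime(2025-01-15 10:15:00), "vm-batch", "% Processor Time", 3.0,
    datetime(2025-01-15 10:00:00), "vm-sql",   "% Processor Time", 85.0,
    datetime(2025-01-15 10:05:00), "vm-sql",   "% Processor Time", 80.0,
    datetime(2025-01-15 10:10:00), "vm-sql",   "% Processor Time", 82.0,
    datetime(2025-01-15 10:15:00), "vm-sql",   "% Processor Time", 81.0,
    datetime(2025-01-15 10:00:00), "vm-web",   "% Processor Time", 70.0,
    datetime(2025-01-15 10:05:00), "vm-web",   "% Processor Time", 72.0,
    datetime(2025-01-15 10:10:00), "vm-web",   "% Processor Time", 71.0,
    datetime(2025-01-15 10:15:00), "vm-web",   "% Processor Time", 69.0,
    datetime(2025-01-15 10:00:00), "vm-idle",  "% Processor Time", 2.0,
    datetime(2025-01-15 10:05:00), "vm-idle",  "% Processor Time", 4.0,
    datetime(2025-01-15 10:00:00), "vm-sql",   "Available MBytes", 2048.0
];
let Cpu = SamplePerf
    | where CounterName == "% Processor Time";   // drops the memory counter row
// Option A: ranks individual samples; vm-batch takes two of the three slots
let OptionA = Cpu
    | top 3 by CounterValue
    | project Query = "A: top by raw sample", Computer, Value = CounterValue;
// Option B: one average per computer, then the highest averages
let OptionB = Cpu
    | summarize avg(CounterValue) by Computer
    | top 3 by avg_CounterValue
    | project Query = "B: summarize then top", Computer, Value = avg_CounterValue;
union OptionA, OptionB
| order by Query asc, Value desc
```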
Question 5
You need to test if a VM can receive HTTP traffic from the internet. Which Network Watcher tool should you use?
A. Connection troubleshoot
B. IP flow verify
C. Next hop
D. Packet capture
Answer: B
IP flow verify tests whether traffic is allowed or denied by NSG rules. It shows which rule allows or blocks the traffic.
Summary
Key topics for the Monitoring domain:
- Azure Monitor: Metrics, logs, data sources
- Metrics vs Logs: When to use each
- Activity Log: Subscription-level events
- Alerts: Metric, log, activity log, service health
- Action Groups: Notifications and automation
- Log Analytics: Workspace design, data collection
- KQL: Query syntax, common operators
- Azure Backup: Vaults, policies, restore options
- Site Recovery: Replication, failover, recovery plans
- Backup vs ASR: Different purposes, when to use
- Network Watcher: Diagnostics and troubleshooting