3.1 — Foundation

Virtual Machines

A VM gives you a full operating system in the cloud — you manage everything from OS up. Full control, full responsibility. Azure manages the physical hardware underneath.

A Virtual Machine gives you a complete operating system running in Azure. Full control, full responsibility. Microsoft manages the physical hardware, the hypervisor, the power, the cooling. You manage everything from the operating system up: patches, security, runtime, middleware, application code, and data. The private house metaphor works well. VMs are your house. You own everything, the plumbing, the electrical, the roof. You fix it when it breaks. You control every detail. But you also maintain it. App Service is a serviced apartment. Functions are a hotel room by the hour. VM sizing: the series letter tells you the optimisation. D-series is general purpose, balanced CPU and memory, your default choice. E-series is memory optimised, for SAP HANA and in-memory databases. F-series is compute optimised, for batch processing. N-series has GPUs, for machine learning. B-series is burstable, earns CPU credits when idle and spends them during peaks, perfect for dev machines and CI/CD agents. Critical about the temporary disk: every Azure VM has a temp disk, typically the D drive on Windows. It is physically on the host server, not on a managed disk. Fast, great for temp files and the page file. But it is completely wiped when the VM is deallocated, resized, or moved to a different host. Never store application data, databases, or logs on the temp disk. This is the number one data loss scenario in. the exam and in real-world incidents. Managed disks are the right place for persistent data. They are separate Azure resources that survive VM operations. You can detach a data disk from one VM and attach it to another. The billing trap that catches everyone: stopping a VM through the operating system does NOT stop Azure billing. Azure still has the hardware reserved. To stop billing, you must Deallocate the VM through the Portal, CLI with az vm deallocate, or PowerShell. Deallocated means Azure releases the hardware and compute charges stop.. Remember: Temp disk is wiped on deallocate or resize, never store data there. Stop through OS does not stop billing. Deallocate does. D-series for general purpose. Right-size before deploying.

📖 Virtual Machines — Complete Explanation

An Azure VM is an Infrastructure-as-a-Service (IaaS) compute resource. Microsoft manages the physical server, the virtualisation layer, the networking fabric, and the storage hardware. You manage everything from the operating system upwards — OS patches, runtime, middleware, application code, and data.

What happens when you create a VM? Azure allocates physical resources on a host server in the selected region. A hypervisor (Microsoft Hyper-V) creates an isolated virtual machine. Azure provisions managed disks for the OS and any data disks. A virtual NIC is created and attached to your chosen subnet. A private IP is assigned from the subnet's address range. The VM boots from the OS disk image.

Managed Disks are the storage backing for VM disks. They are separate Azure resources — you can see them in your resource group. This separation means you can stop/deallocate a VM without losing disk data, take disk snapshots independently, or attach a disk to a different VM.

The temporary disk (D:\) is physically located on the host server itself — it is NOT a managed disk. This provides very fast I/O but has a critical limitation: if the VM moves to a different host (resize, planned maintenance, deallocate/restart) the temp disk is completely wiped. Never store anything important on D:\ — use it only for the page file, swap space, or truly temporary scratch data.

VM sizes are combinations of vCPUs, RAM, temporary disk size, max data disk count, network bandwidth, and max IOPS. You pay for the size class per second when the VM is running (allocated). When deallocated, compute billing stops but you still pay for managed disk storage.

🏠

The Metaphor

VM = a private house. You own everything — walls, plumbing, electrical. Full control. You fix it when it breaks, you patch the roof, you mow the lawn.

App Service = a serviced apartment. You bring your furniture (code) — maintenance is handled. Can't knock walls down.

Functions = a hotel room by the hour. Pay only when you're there. Nothing is yours permanently.

VM Architecture — Components & Relationships

VM Size Families

Series	Optimised For	CPU:RAM	Use Case
B-series (Burstable)	Variable workloads — earns CPU credits idle, spends when busy	Variable	Dev/test, low-traffic apps, CI/CD agents
D-series	General purpose — balanced CPU + memory	1:4	Web servers, APIs, most workloads — DEFAULT choice
E-series	Memory optimised	1:8	SAP HANA, Redis, in-memory databases
F-series	Compute optimised	1:2	Batch processing, gaming, CPU-heavy computation
N-series	GPU enabled	Varies	ML training, rendering, AI/computer vision
M-series	Massive memory	1:30+	Largest SAP workloads, TBs of RAM
L-series	Storage optimised — high disk throughput	1:8	NoSQL databases, data warehousing

📋

Exam Pattern — VM Series Selection

"High CPU, low memory" → F-series. "SAP HANA or Redis" → E-series. "ML/GPU training" → N-series. "Dev/test with low baseline but occasional spikes" → B-series. "Unknown/general" → D-series (always safe default).

Disk Types — Performance vs Cost

Type	Latency	Max IOPS	Use Case
Ultra Disk	<1ms	160,000+	SAP HANA, tier-1 databases — highest performance
Premium SSD v2	~1ms	80,000	Production databases, I/O-sensitive workloads
Premium SSD	~5ms	20,000	Production VMs, SQL Server — most common choice
Standard SSD	~10ms	6,000	Dev/test, lightly used web servers
Standard HDD	Variable	2,000	Infrequent access, backups, archival

⚠️

Temp Disk (D:\) — #1 Data Loss Scenario on Exam

The temporary disk is physically on the host server. It is wiped when the VM is deallocated, resized, or moved. Never store anything you want to keep on D:\. Use it only for: page file, swap, temp files. Application data, databases, logs → always on a data disk or OS disk.

Availability — Sets vs Zones

Availability Set vs Availability Zones — What Each Protects Against

⚠️

Availability Set is configured AT CREATION ONLY

You cannot add an existing VM to an Availability Set after creation. You must delete and recreate the VM. Same for moving to Availability Zones. Plan this before deployment — not after.

Option	Protects Against	SLA	Min VMs	Location
No option	Nothing	No SLA guarantee	1	Single host
Availability Set	Rack failure + planned maintenance (FDs + UDs)	99.95%	2+	Same datacenter
Availability Zones	Full datacenter failure	99.99%	2+	Different datacenters, same region
VMSS Flex (cross-zone)	Both above + auto-scale	99.99%	2+	Multiple zones

Stop vs Deallocate — Critical Billing Difference

STOP (OS shutdown)

❌ Still Billing

VM is off inside the OS.
Azure still reserves the hardware for you.
You are still charged for compute.
Public IP (if dynamic) stays assigned.

Like: turning off your office lights but still paying rent.

DEALLOCATE

✅ Stops Billing

VM is off AND Azure releases the hardware.
Compute charges stop (you still pay for disks).
Dynamic public IP released → may get new IP on restart.

Like: vacating the office — no rent owed.

Azure CLI — VM Power Operations
# WRONG — still charges you
az vm stop --resource-group RG-Prod --name kube-vm-01

# CORRECT — stops billing (except disk storage)
az vm deallocate --resource-group RG-Prod --name kube-vm-01

# Start VM again
az vm start --resource-group RG-Prod --name kube-vm-01

# Check power state
az vm get-instance-view \
  --resource-group RG-Prod \
  --name kube-vm-01 \
  --query "instanceView.statuses[1].displayStatus"

VM Scale Sets (VMSS)

🏭

The Metaphor

A VMSS is like a factory floor that automatically adds or removes workstations based on how busy it is. Rush hour → more workstations spin up. Quiet time → extra workstations spin down. All workstations are identical clones — same OS image, same config, same code.

VMSS — Autoscale Architecture

Animated — VMSS Scale Out Flow: High CPU triggers new VM

📋

VMSS Key Facts for Exam

Default autoscale cooldown = 5 minutes (prevents thrashing).
Max instances per VMSS = 1,000 (100 with custom images).
Orchestration modes: Uniform (identical VMs, auto-repair) vs Flexible (mix VM types, cross-zone).
Scale-in policy: default removes the VM with highest instance ID. Can customise.

📊 Virtual Machines — was this clear?

✓ Saved

3.2 — PaaS Web Hosting

App Service

MS Docs

App Service is a fully managed PaaS hosting platform for web apps, APIs, and mobile backends. You deploy code — Azure handles OS patches, hardware, load balancing, and scaling.

App Service is Azure's Platform-as-a-Service web hosting. With a VM you manage the operating system, the web server, the runtime, the patches, the scaling, everything. With App Service you deploy your code and Microsoft handles everything else. The OS, IIS or Nginx, the runtime, patching, load balancing, scaling, certificate renewal, all of it. The serviced apartment metaphor: you bring your furniture, your code, and move in. Building management handles maintenance. You have constraints, you cannot knock down walls, but you also do not get called at 3am because the boiler broke. The App Service Plan is the infrastructure layer. You pay for the plan, not the apps. A single plan can host multiple apps. Plan tiers determine available features. Free and Shared are development only. Basic gives dedicated compute but no deployment slots. Standard is where production features start: autoscale up to 10 instances and up to 5 deployment slots. Premium gives 30 instances, 20 slots, and VNet Integration. Isolated runs in a dedicated App Service Environment for maximum security requirements. Deployment Slots are the most important and most tested App Service feature on AZ-104. A slot is a separate live version of your app with its own URL. Production slot is your live site. Create a staging slot at myapp-staging.azurewebsites.net. Deploy your new version to staging. Test it thoroughly. Then swap. The swap is nearly instantaneous, usually under 10 seconds. Azure redirects traffic from staging to production. Zero downtime. No users experience an outage. If you find a bug, swap back immediately. The old version is sitting in staging ready to return.. The exam gotcha about sticky settings: settings marked as deployment slot settings stay with their slot regardless of swaps. Always mark connection strings as slot-sticky. Production code should connect to the production database, staging code to the staging database. If settings are not sticky, your production code suddenly connects to the staging database after a swap. Catastrophic.. Remember: Standard tier minimum for deployment slots. Swap gives zero-downtime deployment. Mark connection strings as slot-sticky. VNet Integration requires Premium for private resource access.

🏢

The Metaphor

App Service is a fully serviced office suite. You bring your furniture (code) and move in. The building management (Azure) handles electricity, cleaning, security, lifts, and repairs. You cannot knock walls down (no OS-level access) but you also never worry about the boiler breaking.

App Service Plans — Tiers

Tier	Autoscale	Slots	VNet Integration	Always On	Custom Domain + SSL
Free (F1)	✗	✗	✗	✗	✗
Shared (D1)	✗	✗	✗	✗	✓
Basic (B1-B3)	Manual only	✗	✗	✓	✓
Standard (S1-S3)	✓ 10 instances	✓ 5 slots	✗	✓	✓
Premium (P1v3-P3v3)	✓ 30 instances	✓ 20 slots	✓	✓	✓
Isolated (I1v2+)	✓ 100 instances	✓	✓ Dedicated ASE	✓	✓

⚠️

Deployment Slots require Standard tier minimum

Free and Basic plans have NO deployment slots. Zero-downtime swap (staging → production) requires at least Standard. VNet Integration for private endpoint access requires Premium. This is a very common exam scenario.

Deployment Slots — Zero Downtime Deployment

Deployment Slots — Staging to Production Swap

Animated — Zero Downtime Deploy: Step by step

⚠️

Sticky Settings — Critical for Slot Swaps

After a swap, if production connects to the staging database — sticky settings were NOT configured. Settings marked as "Deployment slot setting" stay with their slot and do NOT swap. Always mark: DB connection strings, environment-specific app settings as sticky. Non-sticky settings travel with the code.

Azure CLI — Deployment Slots
# Create staging slot
az webapp deployment slot create \
  --resource-group RG-Prod \
  --name kube-webapp \
  --slot staging

# Deploy to staging (not production)
az webapp deployment source config-zip \
  --resource-group RG-Prod \
  --name kube-webapp \
  --slot staging \
  --src app.zip

# Swap staging → production (zero downtime)
az webapp deployment slot swap \
  --resource-group RG-Prod \
  --name kube-webapp \
  --slot staging \
  --target-slot production

# Mark app setting as sticky (stays with slot)
az webapp config appsettings set \
  --resource-group RG-Prod \
  --name kube-webapp \
  --slot-settings DB_CONNECTION=Server=prod-db;...

App Service Networking

Feature	Direction	What It Does	Tier Required
VNet Integration	Outbound	App reaches resources inside VNet (Private Endpoints, VMs)	Premium+
Private Endpoint	Inbound	App accessible only via private IP in VNet (no public)	Standard+
Access Restrictions	Inbound	IP allowlist/blocklist on public endpoint	All tiers
Hybrid Connections	Outbound	Reach on-premises resources without VNet	Basic+

💡

VNet Integration vs Private Endpoint

VNet Integration = App reaches OUT into VNet. Needed to call Cosmos DB/Storage private endpoints.
Private Endpoint = Others reach INTO app via private IP. Hides app from public internet.
For Kube: Function App uses VNet Integration (outbound) to reach Cosmos DB private endpoint.

📊 App Service — was this clear?

✓ Saved

3.3 — Serverless

Azure Functions

MS Docs

Functions are event-driven, serverless compute. You write a function — it runs when triggered (HTTP request, queue message, timer, blob created). Pay only when executing. Azure handles everything else.

Azure Functions is serverless compute. Serverless does not mean no server. It means you do not manage any server. You write a function, a single piece of code that does one thing, and Azure runs it in response to an event. HTTP request, queue message, timer, file uploaded to blob. You pay per execution and per memory used. Nothing running means nothing billed. The hosting plan choice is the most important Functions decision. Consumption plan is pure serverless. You pay per million executions. Scale to zero when idle. Scales to hundreds of instances automatically under load. But it has cold starts. When your function has been idle and a new request arrives, Azure needs to provision an instance, load the runtime, and start your code. This can take one to ten seconds. For background processes that is fine. For user-facing APIs that is a terrible first response experience. The Consumption plan also cannot access VNet resources. If your function needs to call a Cosmos DB behind a private endpoint, or a storage account restricted to a VNet, the Consumption plan cannot do this. This is the most tested Function App scenario on AZ-104, and it is directly relevant to your Kube platform. The Premium plan adds a pre-warmed instance that is always ready, eliminating cold starts. It supports VNet Integration. It can run indefinitely. The trade-off is a minimum billing of one instance always running. The Dedicated plan runs functions on an App Service Plan you already have. Same VNet capabilities as Premium.. For Kube: your function apps processing IoT events and writing to Cosmos DB private endpoints must use Premium plan. VNet Integration is non-negotiable when Cosmos DB is behind a private endpoint. Durable Functions extend serverless to stateful long-running workflows. An orchestrator coordinates multiple activity functions, calls APIs, waits for results, handles human approval steps. All serverless, all automatically retried if steps fail.. Remember: Consumption has cold starts and no VNet Integration. Premium has pre-warmed instances and VNet Integration. Use Premium for private endpoint access. Durable Functions for stateful multi-step workflows.

⚡

The Metaphor

Functions are like a light switch in a hotel corridor. Nobody pays for electricity when the corridor is empty. Someone walks in (trigger) → light turns on (function runs) → person leaves → light turns off. You pay only for the time the light was on. The hotel (Azure) maintains the wiring — you just define what the switch controls.

Hosting Plans — Critical Differences

Plan	Cold Start	Scale to Zero	VNet Integration	Max Timeout	Cost Model
Consumption	⚠ Yes (1-10s)	✓ Yes (free at zero)	✗ No	10 min	Per execution + GB-s
Premium (EP1-EP3)	✓ No (pre-warmed)	✗ Min 1 instance	✓ Yes	Unlimited	Per instance (flat rate)
Dedicated (App Svc)	✓ No	✗ No	✓ Yes	Unlimited	App Service plan cost
Container Apps	Configurable	✓ Yes	✓ Yes	Unlimited	Per vCPU/memory

⚠️

Private Endpoint Access Requires Premium Plan

Consumption plan Function Apps CANNOT use VNet Integration. If your Function App needs to reach a Cosmos DB private endpoint, Service Bus private endpoint, or any resource inside a VNet — you MUST use Premium plan. This is the most common Function App exam scenario.

📋

Cold Start — What It Is and How to Fix

Cold start: when a Function App on Consumption plan has been idle, the first request takes 1-10 seconds extra as Azure provisions the runtime.

Fix options:
1. Upgrade to Premium plan (always-warm pre-warmed instance)
2. Set minimum instances = 1 on Consumption (keeps 1 warm, still pay)
3. Use timer-based warm-up function to ping your own endpoint every 5 min

Azure CLI — Function App with Premium Plan
# Create Premium Function App with VNet Integration
az functionapp create \
  --resource-group RG-Prod \
  --name kube-func-prod \
  --storage-account kubestgprod \
  --plan kube-premium-plan \
  --runtime dotnet \
  --runtime-version 8 \
  --functions-version 4

# Enable VNet Integration (required for private endpoints)
az functionapp vnet-integration add \
  --resource-group RG-Prod \
  --name kube-func-prod \
  --vnet kube-vnet \
  --subnet func-subnet

# Assign Managed Identity (for accessing Key Vault, Cosmos etc.)
az functionapp identity assign \
  --resource-group RG-Prod \
  --name kube-func-prod

Durable Functions — Stateful Workflows

🔗

The Metaphor

Regular Functions are one-off tasks. Durable Functions are like a project manager coordinating a team. The manager (Orchestrator) assigns tasks, waits for results, then assigns next tasks based on outcomes — all without everyone being in a room at the same time.

Role	What It Does	Runs Once?
Client Function	Starts the orchestration (receives HTTP, queue, etc.)	Yes
Orchestrator Function	Defines the workflow — calls activities in order, handles errors	Replays multiple times (must be deterministic)
Activity Function	Does the actual work (call API, write to DB, send email)	Once per call

📋

Durable Functions Exam Scenarios

"Process IoT sensor data in multiple sequential steps without losing state" → Durable Functions.
"Human approval required mid-workflow (wait for days)" → Durable Functions with human interaction pattern.
"Fan-out: process 100 items in parallel then aggregate results" → Durable Functions fan-out/fan-in pattern.

📊 Azure Functions — was this clear?

✓ Saved

3.4 — Containers

Containers — Docker, ACR, ACI, Container Apps

MS Docs

Containers package code + runtime + dependencies into a portable unit. Same container runs identically on any machine. Azure offers multiple container hosting options from simple single-container to full orchestration.

A Docker image is a blueprint. Read-only. It defines your application's code, runtime, dependencies, and configuration. A container is a running instance built from that image. You can run ten containers from the same image, ten identical copies of your application running in isolation. Same image runs identically on your laptop, test server, and in Azure. No more it works on my machine. Azure Container Registry, ACR, is your private image registry. Instead of pushing images to public Docker Hub, you push them to ACR, which is private, secured, and inside Azure. For authentication, use Managed Identity. Your compute resources authenticate to ACR using their identity. No credentials in code. Three Azure services for running containers. Azure Container Instances, ACI, is the simplest. Run a container in about 30 seconds. No cluster, no orchestration, just specify the image, CPU, memory, and port. ACI restart policy: Always means keep restarting if the container exits, for long-running services. Never means run once and stop, for batch jobs. OnFailure means restart only on errors. ACI is great for batch processing, CI/CD pipeline steps, and dev/test environments. Not designed for production web applications needing scaling. Container Apps is the middle ground, managed Kubernetes without you managing Kubernetes. Microsoft runs the cluster. Define your app and its scaling rules. Container Apps supports scale to zero, billing stops when nobody uses your app. Supports traffic splitting between revisions for canary deployments. Built-in KEDA support for event-driven scaling. For AZ-104, Container Apps is. the exam-tested production container service. AKS, Azure Kubernetes Service, is managed Kubernetes for when you need full capabilities. Microsoft manages the control plane for free. You manage and pay for the worker nodes. AKS is covered in depth in AZ-204 and AZ-305.. Remember: Image is blueprint, container is running instance. ACR is your private registry, use Managed Identity to authenticate. ACI for simple short-lived containers with restart policy Always, Never, or OnFailure. Container Apps for production microservices with auto-scaling.

📦

The Metaphor

Docker Image = a shipping container blueprint (the mold). Read-only. Defines everything inside.
Docker Container = an actual container built from the blueprint. Running instance.
ACR (Azure Container Registry) = Azure's private DockerHub. Your company's secure registry to store and pull images.

Container Flow — Build to Run in Azure

ACI — Azure Container Instances

Serverless Containers — No VM Management

Run a Container in Seconds — No Cluster Needed

ACI = the simplest way to run a container in Azure. No VM, no Kubernetes, no cluster. Just: az container create and it's running in ~30 seconds.

Restart policies:
Always (default) — restart on exit (long-running services)
Never — run once, exit when done (batch jobs)
OnFailure — restart only on error exit code

Use for: batch jobs, CI/CD tasks, short-lived tasks, dev/test. NOT for production web apps with autoscaling needs.

Container Apps vs AKS — The Key Difference

Feature	ACI	Container Apps	AKS
Kubernetes managed by	N/A	Microsoft ✓	You manage
Scale to zero	✗	✓ Yes	✗ Nodes cost money
Traffic splitting (revisions)	✗	✓ Yes	✓ Ingress
Event-driven scaling (KEDA)	✗	✓ Built-in	✓ Add-on
AZ-104 exam tested?	✓ Yes	✓ Yes	Background only
Best for	Simple tasks, batch	Microservices, event processors	Full enterprise k8s

⚠️

AZ-104 Tests Container Apps — NOT AKS Deeply

AKS is covered at awareness level only in AZ-104. Container Apps is the exam-tested container service. Know: revisions (versions of your app), traffic splitting between revisions, KEDA event-driven scaling, and scale-to-zero behaviour. AKS deep knowledge is for AZ-204 (Developer) or AZ-305 (Architect).

AKS — Awareness Level for AZ-104

Azure Kubernetes Service — What You Need to Know

AKS = managed Kubernetes cluster. Microsoft manages the control plane (free). You manage worker nodes (you pay for VMs).

For AZ-104 exam — know these facts only:
• AKS uses system-assigned managed identity by default to pull from ACR
• Node pools can use Availability Zones for VM placement
• Azure CNI vs Kubenet networking modes
• Integration with Azure Monitor + Log Analytics for container insights

Deep Kubernetes = AZ-204 / CKA certification territory.

📊 Containers — was this clear?

✓ Saved

3.5 — Infrastructure as Code

ARM Templates & Bicep

MS Docs

Infrastructure as Code — define Azure resources in files, deploy consistently every time. ARM = JSON format (verbose). Bicep = Microsoft's cleaner DSL that compiles to ARM.

Infrastructure as Code means defining your Azure environment in files rather than clicking through the portal. Azure has two formats: ARM Templates and Bicep. ARM stands for Azure Resource Manager. Every operation you do in Azure, whether through the portal, CLI, PowerShell, or any SDK, ultimately becomes an ARM API call. ARM Templates are JSON files describing the desired state of your Azure resources. Submit the template and Azure creates exactly what you described. Bicep is a domain-specific language designed by Microsoft specifically for Azure. It compiles to ARM JSON. Azure never sees Bicep directly, it is a developer-friendly wrapper that converts to ARM before deployment. ARM JSON is legalese. Bicep is the same document written in plain English. Same legal effect, much easier for humans to write and read. A concrete comparison: creating a storage account in ARM JSON takes about 20 lines of deeply nested JSON with schema declarations and API version strings. The same storage account in Bicep is 7 clean readable lines. Bicep also automatically detects dependencies between resources. If resource B references resource A, Bicep knows to create A first. In ARM JSON you would have to explicitly declare that with a dependsOn array. Deployment modes are critical for. the exam. Incremental mode, the default, is additive. It creates or updates resources in your template and leaves everything else alone. If your resource group has a Cosmos DB not in the template, Incremental mode does not touch it. Safe for production. Complete mode is dangerous and powerful. It creates and updates everything in the template, and deletes everything in the resource group that is not in the template. If Cosmos DB is not in your template and you run Complete mode, it gets deleted. No warning. No confirmation. Gone. Always run what-if before any deployment. The command az deployment group what-if shows exactly what will be created, modified, and deleted without doing anything. In Complete mode, what-if is not optional, it is mandatory.. Remember: Bicep compiles to ARM, same capability, better developer experience. Incremental mode is safe and the default. Complete mode deletes resources not in the template. Always run what-if before deploying.

📐

The Metaphor

ARM Template = architect's blueprint written in legalese. Precise, complete, but takes an expert to read.
Bicep = same blueprint rewritten in plain English. Same end result, much easier to write and maintain. A junior engineer can read it.

Both describe the same building — Bicep is just friendlier to the architect.

Feature	ARM Template (JSON)	Bicep
Language	JSON (verbose, deeply nested)	Bicep DSL (clean, readable)
dependsOn	Must write manually	Auto-detected from references
Modules	Linked templates (complex)	Native modules (simple)
Compiles to	Itself	ARM JSON (Azure only sees ARM)
What-if support	✓	✓
Microsoft recommendation	Legacy (still supported)	Current standard ✓

ARM Template (JSON)

ARM — Storage Account

{
  "$schema": "https://schema.management.azure.com/...",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "[parameters('storageName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2"
    }
  ]
}

Bicep (Same Resource)

Bicep — Storage Account
// Much cleaner — same result
param storageName string

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: resourceGroup().location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

// Output the endpoint
output blobEndpoint string = storageAccount.properties.primaryEndpoints.blob

Deployment Modes — CRITICAL EXAM TOPIC

Mode	Resources IN Template	Resources NOT in Template	Safe?
Incremental (DEFAULT)	Created or updated	LEFT ALONE ✓	✓ Safe for production
Complete (DANGEROUS)	Created or updated	DELETED ❌	✗ Never without what-if

⚠️

Complete Mode Deleted My Cosmos DB

Complete mode deploys your template and deletes everything else in the Resource Group that is not in the template. Always run --what-if before any Complete mode deployment. In production, use Incremental always unless you deliberately want to remove resources not in template.

Azure CLI — Deploy ARM/Bicep with What-If
# Preview changes BEFORE deploying (always do this)
az deployment group what-if \
  --resource-group RG-Prod \
  --template-file main.bicep \
  --parameters storageName=kubestgprod

# Deploy Bicep (Incremental = default = SAFE)
az deployment group create \
  --resource-group RG-Prod \
  --template-file main.bicep \
  --parameters storageName=kubestgprod \
  --mode Incremental

# Share template with team (version it in Template Specs)
az ts create \
  --resource-group RG-Templates \
  --name kube-storage-template \
  --version "1.0" \
  --template-file main.bicep

# Deploy from Template Spec (team uses approved template)
az deployment group create \
  --resource-group RG-Prod \
  --template-spec /subscriptions/.../templateSpecs/kube-storage-template/versions/1.0

📊 ARM & Bicep — was this clear?

✓ Saved

Exam Prep

Phase 3 — Exam Q&A

Exam Guide

Click to reveal. Real AZ-104 exam pattern questions from last 2–3 years.

QA VM was resized from D4s_v3 to E8s_v3. The application data stored on D:\ is now missing. Why?

ANSWER

D:\ is the temporary disk, which is local to the physical host. When a VM is resized it may move to a different host — temp disk is wiped.

The temp disk is physically on the hypervisor host server. It provides very fast I/O but is not durable. Always store persistent data on managed data disks (not D:\).

⚠️ Trap: Resizing a VM, deallocating, or platform maintenance can wipe the temp disk. This is guaranteed to appear on your exam.

QYou stopped a VM via the Azure portal Stop button but the bill still shows compute charges. Why and how do you fix it?

ANSWER

Stop only shuts down the OS but Azure still reserves the hardware. Use Deallocate to stop compute billing.

Portal: VM → Stop → this is Stop (billed). To deallocate: VM → Stop → check "Deallocate" option OR use CLI: az vm deallocate.

You will always pay for managed disk storage even when deallocated — only compute stops.

QA web app needs zero-downtime deployments with instant rollback capability. App Service Basic tier is currently used. What change is required and what is the process?

ANSWER

Upgrade to Standard tier (minimum for deployment slots). Then use staging slot + swap.

Process: Deploy new code to staging slot → test on staging URL → swap staging ↔ production (instantaneous, no downtime) → if issues: swap back immediately (old version is now in staging).

Mark DB connection strings as sticky settings so production always connects to production DB after swap.

QA Function App on Consumption plan cannot connect to a Cosmos DB behind a private endpoint. What is the solution?

ANSWER

Upgrade Function App to Premium plan and enable VNet Integration pointing to a subnet in the same VNet as the Cosmos DB private endpoint.

Steps: 1) Create Premium Function App plan. 2) Enable VNet Integration → select a dedicated subnet in your VNet. 3) Ensure private DNS zone for Cosmos is linked to that VNet. 4) Function App can now resolve private IP for Cosmos.

Consumption plan cannot use VNet Integration — this is an absolute platform limitation.

QAn ARM template deployment removes a Cosmos DB that was manually created in the Resource Group. What caused this?

ANSWER

Complete deployment mode was used. Complete mode deletes all resources in the Resource Group that are NOT defined in the template.

Fix: switch to Incremental mode (the default). Always run az deployment group what-if before deploying to see what will be created, modified, or deleted.

⚠️ Never use Complete mode without running what-if first. Even if only testing — production RGs may have resources you forgot about.

QWhich VM series would you choose for: (a) SAP HANA with 2TB RAM, (b) ML model training, (c) burst-only CI/CD pipeline agent?

ANSWER

(a) M-series — massive memory (TBs of RAM) for SAP HANA.
(b) N-series — GPU-enabled for ML training and AI workloads.
(c) B-series — burstable, earns CPU credits when idle, spends on burst. Perfect for CI/CD agents that run intermittently.

QContainer Apps vs ACI — when would you use each?

ANSWER

ACI: simple, short-lived tasks — batch jobs, one-off processing, dev/test. Run once, exit. No auto-scaling, no revisions.

Container Apps: production microservices — autoscale (including to zero), traffic splitting between revisions (A/B testing), KEDA event-driven scaling, VNet integration.

If the scenario mentions autoscaling, microservices, or traffic splitting → Container Apps. If it says "batch job, run and complete" → ACI.

Phase 3 — Cheat Sheet

Stop VM to stop billing completelyDEALLOCATE — not Stop (Stop still bills)

VM data lost after resizeWas on temp disk D:\ — local to host, wiped on resize/deallocate

Zero downtime web app deploymentDeployment Slots — requires Standard tier minimum

Sticky settings — what happens on swap?Stay with slot — DB connection points to correct env after swap

Function App → private endpointPremium plan + VNet Integration (Consumption cannot)

Function App cold start fixPremium plan OR set min instances = 1

Container: run and exit, batch jobACI with restart policy: Never

Container: autoscale, scale to zeroContainer Apps (not ACI, not AKS for exam)

ARM Complete mode deleted resourcesExpected — Complete deletes anything NOT in template. Use Incremental

Preview ARM changes before deployaz deployment group what-if

SAP HANA, 2TB RAMM-series VM

ML training, GPUN-series VM

Availability Set vs Availability ZonesSet = rack protection 99.95%. Zones = datacenter protection 99.99%

VMSS autoscale cooldown5 minutes default

How was Phase 3 — Compute?

One tap — takes a second

✓ Saved — thank you!

Leave a note

Which topic needs more clarity? What was confusing? What was excellent?

✓ Copied!