AZ-104 Microsoft Azure Administrator Exam

You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!

Create and configure virtual machines

Create a virtual machine

When you create a virtual machine in Azure, you start by choosing a base image from the Marketplace or a custom image you previously uploaded. You must select a resource group, a region, and availability options such as Availability Zones or Availability Sets to ensure proper placement and redundancy. Naming conventions and tags help with later billing and management tasks.

Next, you pick the VM size, which determines the number of vCPUs, memory, and disk throughput. Azure offers many predefined sizes that cater to general-purpose, compute-optimized, memory-optimized, and storage-optimized workloads. You can also view pricing and performance metrics to balance cost and capacity.

For networking, you associate your VM with a virtual network (VNet) and one or more subnets. You configure a public IP address or rely on private connectivity, and you control traffic flow using network security groups (NSGs). These NSGs use inbound and outbound rules to secure your VM from unauthorized access.

Finally, you set up authentication by choosing either SSH keys for Linux or password/RDP for Windows. You can also install VM extensions to add monitoring agents, backup solutions, or custom scripts. This level of customization ensures your VM is ready for production workloads.
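The NSG rules mentioned in the networking step are evaluated in priority order, lowest number first, and the first matching rule decides. The following added example (not part of the original guide) audits an NSG export for SSH or RDP reachable from any Internet source while honouring that ordering. The sample NSG and rule names are constructed, and rules restricted to specific source CIDRs are treated as not Internet-wide, which is a simplifying assumption.

```python
import json

# Constructed sample shaped like `az network nsg show` output (trimmed to the fields used).
SAMPLE_NSG = json.loads("""{"name": "web-nsg", "securityRules": [
 {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
 {"name": "deny-rdp", "priority": 200, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
 {"name": "allow-app-range", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3000-4000"},
 {"name": "allow-ssh-office", "priority": 310, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
 {"name": "allow-ssh-any", "priority": 400, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["22", "8080"]}
]}""")

ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}   # sources that mean "anyone on the Internet"
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def _values(rule, single, plural):
    """NSG rules carry either a single value or a list; return both as one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers(port_range, port):
    """True if a port spec ("*", "22" or "3000-4000") includes the given port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def first_match(nsg, port):
    """First inbound TCP rule, in priority order, that applies to any Internet source."""
    inbound = [r for r in nsg["securityRules"] if r["direction"].lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if any(s.lower() in ANY_SOURCE for s in sources) and any(_covers(p, port) for p in ports):
            return rule
    return None  # nothing matched: the default DenyAllInBound rule applies

def exposed_management_ports(nsg):
    """Management ports where the deciding rule allows traffic from any Internet source."""
    hits = []
    for port, label in MGMT_PORTS.items():
        rule = first_match(nsg, port)
        if rule and rule["access"].lower() == "allow":
            hits.append((port, label, rule["name"]))
    return hits
```

In the sample, RDP is not reported even though `allow-app-range` covers port 3389, because the higher-priority `deny-rdp` rule matches first.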

Configure Azure Disk Encryption

Azure Disk Encryption (ADE) helps protect your virtual machine’s data and operating system disks by using the platform’s encryption features. It leverages BitLocker for Windows VMs and DM-Crypt for Linux VMs to encrypt data at rest. Enabling ADE requires an Azure Key Vault to store the encryption keys securely.

When you enable ADE, Azure automatically encrypts the OS and data disks without needing to re-provision your VM. You specify the Key Vault and key permissions, ensuring that only authorized identities can access sensitive keys. Once encryption is in place, all new and existing data is protected.

Managing ADE involves monitoring the encryption status through the Azure Portal, CLI, or PowerShell. You can rotate or revoke keys in the Key Vault to maintain compliance with security policies. Proper key management is critical for maintaining data confidentiality.

While disk encryption adds a small performance overhead, Azure’s underlying infrastructure is optimized to minimize impact. Always review the compatibility matrix for VM sizes and operating system versions before enabling encryption.

Move a virtual machine to another resource group, subscription, or region

You may need to move a VM for cost management, organizational structure, or disaster recovery. Moving within the same region to another resource group or subscription is straightforward using the Azure Portal, CLI, or PowerShell. Before moving, ensure there are no locks or dependencies that block the process.

When relocating a VM across regions, use the Azure Resource Mover service to handle replication of disks, network settings, and configurations. This service automates the steps needed to replicate resources, perform a test migration, and complete the move with minimal downtime. You still need to reconfigure some settings, such as public IP addresses, after the move.

Dependencies like network interfaces, managed disks, and availability sets must be moved together to maintain VM integrity. Azure enforces this grouping to prevent configuration mismatch or resource orphaning. Always review the move operation’s validation report to address any issues before starting the migration.

Post-migration, verify that the VM boots correctly and that all attached resources are accessible. Update any scripts or automation runbooks that reference the old resource IDs or locations to reflect the new environment.
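The dependency and post-migration checks above can be scripted before a move. This added example (not part of the original guide) collects the resource IDs that must travel with a VM, flags any that sit outside the VM's resource group (a single move operation takes resources from one source resource group), and finds script lines that still reference the old IDs. The VM document and all IDs are constructed placeholders.

```python
import re

# Constructed sample shaped like `az vm show` output (trimmed); all IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

def _rid(group, rtype, name):
    """Build a placeholder Azure resource ID for the sample data."""
    return f"{SUB}/resourceGroups/{group}/providers/{rtype}/{name}"

SAMPLE_VM = {
    "id": _rid("rg-old", "Microsoft.Compute/virtualMachines", "vm1"),
    "availabilitySet": {"id": _rid("rg-old", "Microsoft.Compute/availabilitySets", "as1")},
    "networkProfile": {"networkInterfaces": [
        {"id": _rid("rg-net", "Microsoft.Network/networkInterfaces", "vm1-nic")}]},
    "storageProfile": {
        "osDisk": {"managedDisk": {"id": _rid("rg-old", "Microsoft.Compute/disks", "vm1-os")}},
        "dataDisks": [{"managedDisk": {"id": _rid("rg-old", "Microsoft.Compute/disks", "vm1-data0")}}],
    },
}
GROUP_RE = re.compile(r"/resourceGroups/([^/]+)/", re.IGNORECASE)

def move_set(vm):
    """The VM plus the availability set, NICs and managed disks that move with it."""
    ids = [vm["id"]]
    if vm.get("availabilitySet"):
        ids.append(vm["availabilitySet"]["id"])
    ids += [nic["id"] for nic in vm["networkProfile"]["networkInterfaces"]]
    storage = vm["storageProfile"]
    for disk in [storage["osDisk"], *storage.get("dataDisks", [])]:
        if disk.get("managedDisk"):          # unmanaged disks have no resource ID to move
            ids.append(disk["managedDisk"]["id"])
    return ids

def outside_source_group(vm):
    """Dependencies that live in a different resource group than the VM itself."""
    vm_group = GROUP_RE.search(vm["id"]).group(1).lower()
    return [i for i in move_set(vm) if GROUP_RE.search(i).group(1).lower() != vm_group]

def stale_references(script_text, vm):
    """1-based line numbers in a script that still mention an ID from the move set."""
    old_ids = [i.lower() for i in move_set(vm)]
    return [n for n, line in enumerate(script_text.splitlines(), 1)
            if any(i in line.lower() for i in old_ids)]

if __name__ == "__main__":
    print("move together:", *move_set(SAMPLE_VM), sep="\n  ")
    print("outside source group:", outside_source_group(SAMPLE_VM))
```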

Manage virtual machine sizes

Selecting the right VM size is essential for cost efficiency and performance. Azure categorizes sizes into families like B-series for burstable workloads, D-series for general-purpose, and E-series for memory-intensive applications. Each size offers a specific combination of vCPUs, RAM, and disk throughput.

To change the VM size, you must first stop (deallocate) the VM, apply the new size, and then start it again. Not all sizes are available in every region, so you need to verify availability before resizing. Azure Portal, CLI, and PowerShell provide commands to list supported sizes and perform the change.

Resizing can help you scale up for high-demand periods or scale down to save costs during low usage. Azure’s pay-as-you-go model means you only pay for the new capacity while the VM is running. Always monitor usage metrics to decide when a resize is beneficial.

If you need to scale out rather than up, consider using Virtual Machine Scale Sets to automatically add or remove instances based on load. This approach distributes traffic and workloads across multiple VMs for better resilience and performance.

Conclusion

In this section, we covered the key steps to create and configure virtual machines in Azure, starting from selecting images, sizes, and network settings. We explored how to enable Azure Disk Encryption to protect data at rest and how to manage encryption keys securely with Azure Key Vault. We also detailed the process to move VMs between resource groups, subscriptions, or regions while maintaining dependencies and minimizing downtime.

Moreover, we looked at strategies for managing VM sizes, including family types, resizing procedures, and considerations for cost and performance. Understanding these concepts ensures that Azure VMs are properly provisioned, secured, and optimized for various workloads. By mastering these tasks, administrators can deliver reliable, scalable, and secure virtual machine environments in Azure.

Study Guides for Sub-Sections

Creating and configuring virtual machines (VMs) in Azure is essential to achieve optimal performance and security. This process includes several steps such as selecting appropriate VM sizes...

Azure Disk Encryption is a critical feature that enhances the security of data at rest on virtual machines within the Azure ecosystem. It achieves this by encrypting both the opera...

When managing virtual machine sizes in Azure, it's important to understand the performance characteristics offered by various VM options. Each VM size provides different levels...

Azure offers different types of virtual machine disks, each designed for specific workload needs. These include Standard HDD, Standard SSD, and

Azure Virtual Machine Scale Sets are an essential tool for managing a group of load-balanced virtual machines (VMs) in the cloud. They can automatically adjust the number of VM ins...

Availability Zones and Availability Sets are crucial components in Azure's infrastructure that help ensure high availability and redundancy for your applicatio...

Moving a virtual machine to another resource group, subscription, or region in Azure requires a series of carefully planned steps to ensure minimal disruption and downtime.