Page 2 of 3

Spotlight on : Azure Storage Accounts

What is an Azure Storage Account?

An Azure storage account creates a globally unique namespace that contains the base parameters for what the storage account will be used for and where it is located. Typically the storage account contents will match some performance, locational, security or billing requirement or a combination of these, therefore an Azure subscription may have more than one storage account if requirements differ. Storage can be used for any application you can think of for a vast array of structured, semi-structured and unstructured data.

What are the main things you need to consider when creating a storage account.

Firstly, you need to pick a storage account name. It has to be unique across all of Azure and be between 3 and 23 characters long, lowercase and numbers only. The name will form part of the URI for accessing the storage account.

Next you need to consider then pick your region: the geographic location of the datacentres that will be hosting your data. Generally this will be down to where the closest region is to your customers or users of the data but other factors may be considered such as cost. There is ability do deploy to municipal areas dotted around the world called Edge zones but this is isn’t as popular.

Another important choice is performance. Choosing standard will give you access to general purpose v2. This is the most popular option and supports blob storage (including data lake storage), queue storage, table storage and Azure file storage. Choosing premium gives you premium block blobs, page blobs and file share storage. Premium storage is higher has higher throughput and/or lower latency but you cannot have a mix of storage types such as block blobs and file shares in the same storage account.

There are legacy storage accounts: General purpose v1 and blob storage but these are not considered best practice for the vast majority of cases are deprecated with a retirement date of 31st August2024.

Architect your storage to ensure data is as close to your users as possible

The last major decision is the redundancy level you require which are as follows:

Locally-redundant Storage (LRS) stores 3 copies of the data in a single datacentre in the selected region. It is the lowest option and provides at least 99.999999999% (11 9’s) durability and at least 99.9% availability for read and write requests using the hot tier (access tiers covered later).

Zone-redundant Storage (ZRS) distributes 3 copies of the data into different data centres in the same region (availability zones). Each zone will have independent power, networking and cooling but still be close enough together to have really low latency. The target distance apart is around 300 miles where possible. This option provides at least 99.9999999999% (12 9’s) durability and at least 99.9% availability for read and write requests using the hot tier*.

Geo-redundant storage (GRS) stores 3 copies of the data in a data centre in one region, like LRS, but then asynchronously copies to another region (the paired region, most regions have one) and have 3 copies in a data centre there too. GRS offers durability for storage resources of at least 99.99999999999999% (16 9’s) over a given year. Read and write availability is at least 99.9%*.

Read-access-geo-redundant (RA-GRS) is the same replication method as GRS but you can read the data from the secondary region. This could have advantages from bringing the data close to the user scenario and means data can be accessed without having to initiate a failover, as would be the case for plain GRS (or GZRS). By adding read access to the secondary location, this increases read availability to at least 99.99%*.

Geo-zone-redundant storage (GZRS) as the same suggests is a combination of ZRS and GRS, where there are 3 copies of the data spread over availability zones in the primary region and 3 copies in a single data centre at the secondary location (LRS arrangement). The durability for this method is also at least 99.99999999999999% (16 9’s). Read and write availability is at least 99.9%*.

Read-access geo-zone-redundant storage (RA-GZRS) enhances GZRS by allowing read access at the secondary location without a failover. By adding read access to the secondary location, this increases read availability to at least 99.99%*.

For premium storage, only LRS and ZRS options are available due to the performance requirement. Azure managed disks and Azure elastic SAN also are limited to LRS and ZRS.

* 99% for cool tier.

Block blobs, append blobs, page blobs, queue storage, table storage and Azure file storage. What are the different storage types and when might I use them?

Blobs are stored in a security boundary called a container, where you can set access permissions. There are 3 types of blob: block, append and page. They can be accessed by users and client apps via http or https. There are multiple methods for access including via the Azure Storage REST API, Azure PowerShell, Azure CLI, or an Azure Storage client library which are available for a number of popular programming languages. Blob storage is a flat filesystem but can be made to emulate a folder structure by prefixing the filename with a would-be folder followed by “/” for example images/hello.jpg.

Block blobs are a popular storage type in any cloud provider. They are ideal for storing any unstructured files such as images, text, and video. Typically these will be used to host content for a website or app or streaming audio and video. Blobs can be as big are 190.7TiB.

Next is append blobs which are optimised for appends to files as opposed to random access writes – useful for things like logging. The maximum size for an append blob is slightly more than 195 GiB.

Page blobs store virtual hard drive (VHD) for Azure virtual machine disks and can be up to 8 TiB in size. Although this was once the way for WM disks, this method (unmanaged disks), is being deprecated, with managed disks being a simpler to setup option where the storage account is abstracted away and size and performance are easier to adjust.

Queue storage is used for storing messages that are up to 64Kb in size. The queue can run into millions or messages, the maximum governed by the entire storage account storage limit. Queues help decouple parts of of an application which is ideal for architecting in the cloud. For example, messages are created by one part of an application, perhaps a .net app using the queue storage client library, which can then be processed by another system component in the application architecture, such as Azure functions. For messages over 64Kb, ordering guarantee (FIFO) and other more advanced functionality, then consider Azure Service Bus queues.

Lastly there is table storage. This is used to store tabular data, which is semi-structured, following no fixed schema. Often this data scenario is now stored in Cosmos DB which allows for more performance and scale, but there may be cases where table storage in a storage account is preferable, such as cost.

What is Azure Data Lake Storage Gen2?

Azure data lake storage Gen2 (ADLS Gen2) is built on blob storage but selecting the hierarchical namespace when creating the storage account unlocks the features of ADLS Gen2.

You can turn data lake on when creating your storage account, using either general purpose v2 or premium block blob. Being a blob storage, you can store files of any type whether structured, semi-structured or unstructured. Although, a data lake is used a lot in data analytics which would generally be structured or semi structured.

Azure data lake
Azure Data Lake Storage Gen2 is ideal for data analysis workloads

One of the biggest differences between blob and data lake is the use of a directory structure, useful in ELT (extract, load & transform) data pipelines for big data analytics. By having folders, you can bring, in addition to RBAC, POSIX style Access Control Lists (ACLs). Additionally Microsoft Purview can create security policies for files and folders, based on classifications.

As well as the Azure Blob API, developers and data engineers can use the ABFS driver for Hadoop that communicates with the DFS API to work with a hierarchical directory structure.

ADLS Gen2 being built on blob offers most of the benefits of a standard or premium blob service such as access tiers, redundancy levels, NFS & SFTP. There are some limitations when using ADLS Gen2 over blob so check the latest official documentation for what they are currently.

ADLS Gen 1 is to be retired on the 29th February 2024, so was not described here for that reason.

What security considerations does an Administrator need to factor in when managing a storage account?

We need to secure access to the data with credentials, whether access is via a user or an application. There is an overarching authorisation method which is a storage account key. These are the “keys to the kingdom” which will give access to everything in the storage account and so are not considered best practice. Each account has two storage account keys that can be rotated manually or automatically if the keys are integrated with Azure key vault. The idea of having 2 keys is your application can switch to the 2nd key whilst you rotate the first. An evolution of this, and considered a good solution, especially when there are third party users or apps involved is shared access signatures (SAS). Shared access signatures allow you to build a URI that gives granular and time limited access to account and/or data plane functions. Once a signature has been created you cannot revoke it until it expires but you can rotate the storage account key which was used to generate it (key 1 or key 2). A generally best practice authorisation method when you have users or managed identities in your tenant that require account, container or data rights, is Access control (IAM) which works under Azure role-based access control (RBAC), prevalent throughout all Azure services. With RBAC, you can assign users, groups or managed identities to an Azure created or custom role. This allows fine grained access to control and data plane features.

Azure storage shared access signatures (SAS) options

Moving onto networking considerations, starting with encryption in transit. When creating a new storage account, the setting, require secure transfer, is on as default and should be left that way. This setting disables http access to the data via the API and only allows encrypted connections to SMB 2.1 or SMB 2.3. Unless there is a specific use case, it is recommended to keep this setting on. Deactivating will allow http access as well as https. Note: currently, using a custom domain will not allow you to use secure transfer so the setting will not have any affect when using a custom domain. Every storage account has a firewall. There are three settings, disabled, which blocks all traffic and so the only way to access the data is via a private endpoint and there is enabled from all networks, which is great if the storage account is used for hosting website assets, images for a product catalogue for example. The third option Enabled from selected virtual networks and IP addresses does just that; allows the administrator to specify which virtual networks can access the storage account, also specify access via IP address or CIDR range, and finally by Azure service type and scope such as “Microsoft.EventGrid/Topics in this resource group”. If specifying a virtual network, you must enable the service endpoint on the virtual network(s) you specify, applying the Microsoft.Storage for regional storage accounts or Microsoft.Storage.Global for cross-region storage accounts. Some options you can also consider on the storage account firewall. There are some some firewall exceptions you can turn on, such as “allow read access to storage logging from any network”. Also, you can specify Microsoft routing or Internet routing, will determine where the traffic traverses to connect the client and storage account. A really good solution for storage account security is to select disabled on the firewall settings and then set up a private endpoint. A private endpoint works over Azure private link, where the storage service traffic travels on the Microsoft backbone and has a special network interface in a subnet you select, which is assigned an IP address from your subnet’s CIDR range. Once the private endpoint has been established in your chosen subnet, you can setup connectivity beyond that subnet or VNet with networking features such as VNet peering, custom routes and on prem connectivity via VPN or ExpressRoute.

Lastly in this section we have Encryption. We’ve already discussed encryption in transit in the networking section able. Azure storage also provides encryption at rest with a technology called Storage Service Encryption (SSE). This is on all storage accounts and cannot be deactivated. All data is stored using 256-bit AES encryption and is FIPS 140-2 compliant. Data is stored using Microsoft managed keys but an administrator can also use customer managed keys which must be stored in Azure Key Vault (AKV)or Azure Key Vault Managed Hardware Security Model (HSM) or customer provided keys which will allow the client to provide the key on request to the blob storage – keys can be stored in the Azure key vaults (standard or HSM) or another key store. As well as whole accounts you can specify encryption scopes for blob storage at the container or for an individual blob. Another encryption options available is infrastructure encryption, for double encryption of data (infrastructure and service).

What backup and recovery options are available?

To restore files accidentally or maliciously deleted, you can turn on soft delete. By setting a retention period for containers from 1 to 365 days. If a file gets deleted, you have until the retention period to undelete the file.

To automatically retain copies of a file before the latest amendment, you can turn on blob versioning. To restore a previous version, you select the version you wish to restore to recover your data if it’s modified or deleted. Blob versioning is often used alongside soft delete to form an overall data protection strategy. Storing lots of versions carries a cost consideration and can create latency when running a list blob command, for this it is recommended to change access tiers or delete older versions using lifecycle management which is covered later in this document.

You can also take a snapshot of a blob. This is a manual process that appends the blob URI with a DateTime value. Snapshots exist until they are independently deleted or as part of a delete blob operation. Versioning maybe best practice but at the time of writing, versioning doesn’t work with ADLS Gen2, whereas snapshots do (in preview).

If you are using geo redundant storage (GRS / RA-GRS / GZRS / RA-GZRS) and the primary region suffers a failure, you can initiate a customer managed failover where upon completion the secondary region becomes the primary and the old primary, the secondary. If Microsoft detects a failure at the primary region deemed to be severe enough, the system may initiate a failover automatically without customer intervention. This is called a Microsoft-managed failover.

For business-critical data that must not be changed or deleted after being created, you can apply a WORM (Write Once, Read Many) state called immutable storage. Set at account, container or blob version level, you can set a time-based retention policy. Blobs can be created and read, but not modified or deleted. After the retention period has expired, objects can be deleted but not overwritten. There is also a legal hold type of immutable storage, which can be set at blob level. Legal hold prevents deleting or modifying an object until the legal hold is explicitly cleared. If any container has version-level immutability enabled, the storage account is protected from deletion, likewise a container cannot be deleted whilst a blob has an immutable storage policy active.

If you enable soft delete, change feed and blob versioning on your storage account, you can take advantage of point-in-time restore for block blobs, where you set the maximum restore point in days in the storage account. From then, if you need to restore a file (or entire container, or virtual directory), you can choose a restore date and time in UTC.

To protect the storage account itself from being removed or its configuration modified, you can apply an Azure Resource Manager lock. Locks come in two types; CannotDelete lock prevents the account being deleted but the configuration settings can be changed whereas ReadOnly lock prevents changing the configuration or deleting the storage account. Both locks still allow the account configuration to be read.

NB Some of these features will not work when hierarchical namespace is enabled, so check the latest official documentation to ensure what data protection options you have if that applies to your configuration.

What services can import or export volumes of data to or from Azure storage?

There are various ways to get data in and out of Azure storage, let’s have a look at some of them. Firstly, if you are only transferring a small amount of data, you can use a command line or graphical interface tool.

For command line, you can use Azure CLI, PowerShell or the dedicated AzCopy program, which supports concurrency and parallelism, and the ability to resume copy operations when interrupted.

If you want to use a GUI, then you can upload and download files in the Azure portal, or there is Azure Storage Explorer, available on Linux, Mac and Windows.

Microsoft Azure Storage Explorer

If you are doing a massive data transfer exercise or moving data from somewhere with little or no Internet access, you may want to use the Azure Import/Export service which allows you to prep and send SATA HDD or SSDs to Microsoft to securely upload or download data. For larger data still, Azure has physical appliances it can ship to and from customers to do data transfers; Data Box Disk and Data Box Heavy which are encrypted and logistics are done via an approved carrier.

For regular transfers of big data, you may want to use a service such as Azure Data Factory where you build data pipelines between source and sink and can perform in-transit transformations as well as other features. Similarly, you can use pipelines and activities Azure Synapse Analytics. Microsoft also have Azure Data Box Gateway which is a virtual appliance you can run in your co-location datacentre or on premises. Azure Data Box Gateway transfers data to and from Azure via NFS and SMB protocols.

If you need a programmatic ability to transfer data, then the Data movement library for .net & .net core is an option or there is the Azure Storage REST API and Azure blob storage libraries for .net, Java, C++, Python, Go & JavaScript. If you have static website mode activated, you can deploy your static website assets via Terraform.

There are other tools, that can be used, including AdlCopy, Distcp, Sqoop, PolyBase, Hadoop command line, Azure Data Factory integration runtime and the new Microsoft Fabric data analytics platform.

Any best practice or cost saving tips?

A good first step is considering the amount of redundancy you need for a given workload and break the varying requirements into different storage accounts. For example, for a customer facing global website may benefit from having data in two regions and so RA-GRS or RA-GZRS maybe ideal, but if you have some internal documents primarily used in one region, LRS or ZRS may have all the redundancy required, at a lower cost.

Access tiers are designed to get maximum value for money, depending on the access requirements of your data. The four tiers are hot, cool, cold and archive. Hot tier will be the most expensive to store but cost less to access and transact with the data, whilst on the other extreme, archive tier is cheap offline storage for backup or compliance date storage, but to gain access will come with a higher cost, this data should be stored for a minimum of 180 days. In the middle, there is cool tier, used for infrequently accessed or modified data, which should be stored for a minimum of 30 days. For rarely accessed data that still needs to remain online, there is cold storage which should be stored for a minimum of 90 days. If you move anything to archive tier, note that it will take hours to move it back to hot, cool or cold tier and isn’t modifiable whilst in the archive tier. Blobs will incur an deletion penalty if they are deleted or moved to a different tier before the minimum number of days required by the tier. A storage account has a default access tier, which is inherited by all containers contained in the account but can be changed at blob level.

Developing on the access tiers concept, Azure has functionality to automate the tiers of blobs. This is called lifecycle management. This allows blobs to move to different access tiers or be deleted, depending on the rules you create. This is best practice for cost and data compliance. Purposes. By using lifecycle management, you take some of the guesswork out of when blobs are candidates to change to a more suitable tier. For example, a pdf of a manual for a product on a manufacturer’s website could be read and updated regularly so would be ideal to be in the hot tier, but as the model is discontinued and time passes, it could be accessed so infrequently that moving to cool or cold would be better suited, which can be done automatically using lifecycle management. At some point, the data maybe archived or deleted, which can also be automated. Lifecycle management policies can be applied to block and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts. System containers such as $logs or $web are not affected by these policies.

Reserved capacity allows users to commit to storage in units of 100 TiB and 1 PiB (higher discounts for 1 PiB blocks), for a one-year or three-year term. Committing gives a discount that will vary depending on the length of time you reserve for, the region, the total capacity you reserve, the access tier and type of redundancy that you are using. It is worth doing the analysis on the Azure pricing calculator to illustrate the discount and commitment spend involved.


Azure pricing calculator will illustrate reserved capacity vs PAYG costs

There are options you can toggle in your storage account which carry extra charges, for example SFTP, which is charged by the hour. To reduce the cost, consider having an Azure automation runbook to toggle the service off and on depending on the hours it is required in your organisation. In this scenario, you could also consider using the Azure storage explorer application for your team and therefore would not require the cost or management overhead of using SFTP.

How can I find out more information?

There are lots of other parts of Azure storage accounts you can investigate, depending on your requirements. We could have covered them here but this post could have been a book. Notable key focus areas to consider are monitoring, Defender for cloud, static website mode, Front door & CDN, custom domain names, Resource sharing (CORS) and blob inventory.

If you want to be certified in Azure storage, then look at the DP-203 exam which, upon passing will give you the Microsoft Certified: Azure Data Engineer Associate certification. As well as Azure storage and ADLS Gen2, the certification covers Azure Data Factory, Azure Synapse Analytics, Azure Stream Analytics, Azure Event Hubs and Azure Databricks.

Exploring Certifications: Microsoft Azure Administrator Associate

For many Azure learners, the next logical certification to train for after completing Azure Fundamentals is Azure Administrator Associate. Whereas Fundamentals will provide an overview of cloud concepts and a broad insight into Azure services at a very high level, the Administrator certification is more in the nuts and bolts of popular Azure services covering compute, storage, networking, security, governance and backup.

Let’s look at this certification in more detail.

Who is this certification for?

As the name may suggest, the Azure Administrator certification is for those who want to demonstrate practical skills in using Azure. Moving away from the conceptual view that Azure Fundamentals provides.

A candidate may have been using Azure for some time and wants to validate their skills. Alternatively, if someone is an IT professional working with on premises technology or has existing skills with another cloud provider, then gaining skills on Azure provides them and their organisation with options to move workloads into the cloud or devising a multi cloud strategy.

A cloud administrator is a hands-on role so practice using the services

Passing the AZ-104 exam is also one of two exams you need to pass to gain your Microsoft Certified: Azure Solutions Architect Expert and Microsoft Certified: DevOps Engineer Expert badges, once you have also passed the AZ-305 and AZ-400 respectively. Whilst the latter can also be obtained by passing the AZ-204 (Azure Developer) instead, the fact you can unlock two expert level certifications with this one associate level cert, it makes strong choice to give yourself the most future opportunities, depending on your interests.

Exam requirements

To obtain the Microsoft Certified: Azure Administrator Associate certification, you have to pass a single exam, AZ-104: Microsoft Azure Administrator. There are no prerequisite exam or certification but if you haven’t already, why not attempt the AZ-900, Azure Fundamentals exam first? Whilst at a higher level, the fundamental learning path has some crossover and would enhance your understanding.

Microsoft associate level certifications expire after one year, so they will require a yearly renewal assessment which can be completed as soon as six months before expiry. The renewal assessment is free and there is usually some modules Microsoft presents for you to study before taking the assessment. It is recommended to go through the modules as the idea of the certification renewal is to be up to date with your knowledge, and Microsoft shapes the content to cover new features and concepts. Be sure to take the assessment in plenty of time, so if you fail, you can take it again before it expires – you can take it as many times as you need.

Microsoft role-based (associate, speciality and expert, not fundamentals) exams are now open book, meaning you will have access to the Microsoft Lean website for the exam. There isn’t extra time given for using it, which forces the candidate to use it sparingly, but it may help on a question such as help recalling some CLI or PowerShell syntax for a given task.

Topics covered

As well as some perquisite subjects including Azure Resource Manager, ARM Templates, CLI and PowerShell, the five header learning path topics for the Azure Administrator Learning Path are Manage identities and governance in Azure, Implement and manage storage in Azure, Deploy and manage Azure compute resources, Configure and manage virtual networks for Azure administrators and Monitor and back up Azure resources. Let’s look at each section in more detail.

The first topic is Manage identities and governance in Azure which has a big emphasis on Microsoft Entra ID (formally Azure Active Directory). Entra ID is Microsoft’s Directory and Identity Management service in the Azure cloud, part of the wider Entra Identity and Access Management (IAM) solution. Moving into the practical parts of this section, the candidate is expected to know about user and group management, including administrative units there is also a need to understand guest accounts via Entra B2B. The learning path then moves onto Azure subscriptions and covers cost management and resource tagging. To implement guardrails, Azure policy is used to set what is allowed to help with cost and compliance considerations and can be set at management group, subscription or resource group level and are hierarchical. There is a big emphasis on role-based access control (RBAC) which generally is the best practice method of assigning permissions to resources. Lastly for this section there is self-service password reset which allows users to initiate their own password reset to cut down on administrator burden.

Next up is Implement and manage storage in Azure, in which the candidate will need to know about storage accounts and how they are used and secured. The first module in this learning path is configuring storage accounts, having a knowledge of blobs, queues, files and tables and their use cases. An important part in this section is storage replication strategies – it is highly likely to feature in the exam as will public and private network access considerations. Blob storage is a major part in all public cloud offerings so it’s no surprise there’s a whole module in the learning path and another high probability of being in the exam. Being able to understand and implement the different blob access tiers, including using lifecycle management rules is important. This is followed by deploying and managing Azure Files for NFS/SMB file sharing and using Azure File Sync for using as a file cache via prem or cloud-based Windows servers. The major security focus for storage is on Shared Access Signatures (SAS). To conclude the storage path, there’s a section tools and services, namely Azure Storage Explorer, Azure Import/Export service and AZcopy.

Azure Shared Access Signatures
Creating a Shared Access Signature token in the Azure portal

A big subject area is the next topic, Deploy and manage Azure compute resources which currently makes up 20-25% of the exam. Beginning with creating and managing a Virtual Machine in the portal and CLI, with an emphasis on ensuring the candidate knows about correctly sizing and choosing the correct storage performance for your requirements. There are sections on availability. This includes availability sets (update domains and fault domains), availability zones, scaling up and out (vertical and horizontal scaling) with a focus on VM scale sets and autoscaling. Moving away from VMs, the learning path includes Azure App Service. On the Microsoft Learn content, it talks about the concept of the App Service Plan – which is the best for your application workload. What is interesting is they list the features and capacity of each of the plans. This may be a tough one to memorise so if there is a question on this, it would be a perfect use of the open book feature of the exam if you got a question for example on what plan gives you the ability to run up to 30 instances and you cannot recall. Other areas in the App Service section are scaling, DevOps best practice including the use of deployment slots, security, custom domains, backing up and restoring, and monitoring your App Service using application insights. The last area covered is Azure Container Instances (ACI) to run Docker images in Azure.

The cornerstone of any cloud project is networking. Whether surfacing an internal application or hosting a publicly accessible website, networking configuration will need to be considered and deployed. Configure and manage virtual networks for Azure administrators is the learning path that covers all things networking. There are many services that fall under the networking umbrella, so there’s a lot to cover in this section. To begin, the virtual network (VNet). The VNet is the focal point for planning many Azure projects. The candidate will need to know about IP addressing and subnetting when building their VNets. Expanding on VNets themselves, virtual network peering is a service to connect virtual networks regionally or globally, even across different Azure tenants. Another area of focus is Network Security Groups (NSGs) which provides IP and port allow and deny rules (OSI layer 3 and 4) at subnet or NIC level. There is a fair amount of DNS items to know about such as DNS zones including private DNS zones to manage and resolve domain names in your virtual network and hosting your domain on Azure DNS. Routing and endpoints are on the skills path, with user defined routes (UDF) and service and private endpoints being essential items to know about as it is highly unlikely one or more of those won’t have at least one question on. To conclude this section, there are two of the Azure load balancing solutions; Azure Load Balancer which works at OSI layer 4 and Azure Application Gateway which is an OSI layer 7 load balancer, making it able to do smart stuff like URL path or multi-site routing and offering the optional Azure Web Application Firewall (WAF) to defend against multiple threats.

Azure Backup Centre
Azure Backup Centre overview – a dashboard to check on backup health

Monitor and back up Azure resources is the final learning path for this certification. To kick off, Azure backup provides robust, scalable and secure backup solutions for VMs (including SQL and SAP HANA in virtual machines), Azure files, Azure blob storage, Azure managed disks and Azure Database for PostgreSQL server. Azure backup can also backup on premises machines and virtual machines using the Microsoft Azure Recovery Services (MARS) agent. Next, we move to monitoring, and the central hub for monitoring in Azure is Azure Monitor. The candidate is expected to know about logs and metrics that are generated from various Azure services, with a focus on using this data to create alerts when certain thresholds are exceeded. The Log Analytics workspace is generally where the logs and data are stored for Azure monitor. For querying the data, Azure Log Analytics supports the Kusto Query Language (KQL) which is SQL-like and provides fast powerful queries for examining events and exceptions. There are many KQL queries built in to get you started or you can write your own.

Exam hints and tips

This is an associate level exam so it is going to require more detailed knowledge of the subject matter then say a fundamentals exam, which is a broad overview, or expert, which is usually conceptual in nature (think design and planning). As such it going to test your in-depth knowledge on many Azure components. So practice using, or at least watching a demonstration video of the services covered being deployed and administered will give a significant advantage over a mere overview of the product.

Expanding on the previous point, there are often questions regarding putting a set of steps in the correct order, so knowing the sequence in how something is deployed will aid answering this type of question correctly.

Another popular exam format is the case study. A case study section of the exam typically describes the existing and planned status of a fictious organisation’s Azure and wider IT landscape. It will then ask around 4-5 questions that you will look through the information given to determine the correct course of action. Beware, these can burn up time if you aren’t careful. The best way to approach these is skim the info quickly then look at the first question. There is far more detail in the case study then there are questions so looking at the questions soon, you can refer to the most appropriate section to get the answer.

Microsoft exams tend not to ask about detailed facts and figures, such as how much a service costs but there may be questions such as knowing what is the most cost efficient SKU that will unlock a certain feature or level of performance. Sometimes this is hard to train for as it invariably means memorising fine grained details. For this, remember that an associate level exam is open book, allowing you access to the Microsoft Learn website. It could make all the difference to exam success if used correctly – just remember the clock is still ticking down whilst you are looking up and reading content. Expert and specialist exams also are open book – not fundamentals.

At the time of writing, the MS Learn website search isn’t always good at bringing up the best result to the top of the list, so a practice at search terms or learning to swiftly navigate the website via links could be helpful before taking an exam. You cannot go out to an external search engine to help narrow down a page you require – no other websites including other Microsoft website resources are accessible from the exam.

There are more exam hints and tips on the Azure Fundamentals Certification post which also apply to this exam.

Recommended resources

It is a good idea to include Microsoft’s own content for the AZ-104 exam as part of your learning toolkit. Being Microsoft’s official content, they have been careful to cover all areas of the exam skills measured. For some, the official content and some hands-on experience is likely enough to pass the exam, however having a couple of different learning materials broadens coverage and gives the learning process a fresh dynamic.

John Savill’s Azure training on YouTube is essential viewing

Becoming a regular mention on the blog, John Savill has an AZ-104 course on YouTube. He knows Azure inside and out and has excellent presentation skills. The study cram itself is incredible and now there is a v2 with updated information. John works for Microsoft and his John Savill’s Technical Training YouTube channel has many useful videos, often organised into playlists for various certifications. This free content is as good if not better than many paid for courses.

Beyond that, there are tons of comprehensive AZ-104 courses on YouTube. It really is incredible what people offer for free and the quality of some of the content. It is worth trying one or two and seeing if you favour a particular presentation style and if it is helping your understanding. When I took the AZ-104 back in 2021, I used a course by Mike Pfeiffer and Tim Warner, which was on Mike’s training website, cloudskills.io but that has since been bought by the training company, INE so I have spent some time looking at what is on offer commercially with a view to knowing something about the provider or presenter. There is a comprehensive course on LinkedIn Learning presented by T Ray Humphrey in conjunction with Microsoft Press. I haven’t done the course, but being a LinkedIn premium subscriber, I have access to LinkedIn Learning and have found the content high quality when studying for other exams. Chase Dovey presents an AZ-104 course on Pluralsight, which again I haven’t done but I have done other courses with Pluralsight and have consumed learning content with Chase in the past.

Next steps

The Azure Administrator Associate certification is arguably the most useful Azure certification there is. It is heavy on process and the nuts and bolts of using Azure. Therefore, if someone wants to be proficient in creating and maintaining Azure services, this is certainly unbeatable in that respect.

After passing the AZ-104 exam, the candidate could pass just one more exam (AZ-305) to unlock the Microsoft Certified: Azure Solutions Architect Expert certification. Additionally, passing the AZ-400 exam in addition to passing the AZ-104, the candidate will be awarded the Microsoft Certified: DevOps Engineer Expert certification*. These two certifications should therefore be a consideration as a next step.

Beyond that, there are role-based certifications in areas such as Data, Networking, AI and Security which may appeal to those who would like to specialise.

*You can also pass the AZ-204: Developing Solutions for Microsoft Azure exam alongside the AZ-400 to obtain the DevOps Engineer Expert certification instead of the AZ-104.

Spotlight on : Azure Virtual Networks

Any major cloud provider will have a strong Networking offering for connecting and securing resources. It is an essential consideration in any cloud deployment, whether using IaaS, PaaS or SaaS services. Depending on the complexity or type of services being used, the administrator’s involvement will range from a general awareness through to a varying amount of planning, deployment and maintenance.

The networking products and services in Azure are vast and one could write a book on the subject – indeed many have. This is a single post so we will focus specifically on a core Azure networking service, the Virtual Network (VNet) and components and services that are specifically for the VNet.

Networking in the cloud is wonderous. Software defined networking abstracts what would-be managed switches, cables and network appliances and allows you to build them with the typing of a few commands or a few clicks of a mouse. Amazing!

Virtual Network (VNet)

The most prevalent part of most Azure architectures is the VNet. Typically deployed to a region where your users or customers are, they provide a base for many Azure services including VMs, Kubernetes clusters, private endpoints for services such as storage accounts, databases and many more. The VNet determines the available IP addresses for your own private network in the cloud. By using different workloads and services within the VNet, you can surface privately and publicly accessible resources to serve your users. A Virtual Network creates a boundary in which you can secure and segregate workloads to suit your requirements.

When a VNet is created, you need to specify at least one RFC1918 private IP range (10.x.x.x / 172.16.x.x / 192.168.x.x) or you can use a public in CIDR format. Whether the address range(s) you create are public or private, the address range is still only reachable only from within the virtual network, from peered VNets, or any on-premises networks that you’ve connected to the virtual network via a site-to-site VPN for example.

You can use IPV6 ranges as well but only in a dual stack setup. You have to have an IPv4 on the Virtual Network and subnets as well as IPv6. The subnets for IPv6 must be exactly /64 in size.

We shall walk through the products and services you may use within the VNet to maximise the benefit.

Subnets

For the VNet to be usable, you will need to create at least one subnet for each CIDR range you specified when going through the creation process. A subnet can cover the VNet CIDR length or be segregated into multiple subnets . You do not need to occupy the whole VNet range if not required, leaving room for new subnets at a later date.

There are some reserved subnet names that are reserved for special services. These include GatewaySubnet, BastionSubnet & FirewallSubnet which are responsible for VPN/ExpressRoute connectivity, VM secure remote access and for hosting the Azure Firewall service respectively. Some will have a minimum or recommended size so be sure to read the documentation before deploying.

Security

Security is a huge part of networking, whether in the cloud or on-premises. So, the provision of security apparatus for virtual networks is comprehensive. We will walk through some of the key security components now.

Firstly, the primary service for securing Azure VNets are Network Security Groups. NSGs contain a set of rules, passed in order of priority, that either allow or block inbound and outbound traffic at OSI layers 3 and 4 (IP address, port and protocol). These Network Security Groups can be assigned to a subnet. The NSG can be assigned to more than one subnet if the rules required for those subnets are the same. You can group VM NICs into an Application Security Groups (ASGs) which simplifies the creation and management of rules for a set of resources in the subnet. You can use service tags to allow or deny whole services within Azure, such as Storage, Backup or Logic Apps, further aiding ease of management.

NSGs can be assigned to a VM’s Network interface (NIC) but it is recommended to apply to the subnet where possible. If an NSG is assigned to the NIC and another to the subnet, the rules will be processed NIC first then subnet for outbound traffic, or Subnet then NIC for inbound. For example, if port 80 inbound is allowed on the NSG assigned to the subnet but blocked on the NSG assigned to the NIC, traffic on port 80 to that host will be blocked but allowed on other hosts who do not have an NSG blocking port 80 assigned to it’s NIC.

NSGs are powerful but are limited to layer 4 filtering. For looking at layer 7, at URLs and web traffic, there is Azure Firewall. Azure Firewall is not only more functional, but it also sits on a subnet of its own and can provide protection for subnets on the same VNet, on other VNets via peering, and for On Premises via a VPN/ExpressRoute connection. It can provide inbound and outbound firewall rules.

Azure Firewall is available in Basic, Standard and Premium SKUs, be sure to check the differences before deploying as they will have varying maximum throughput and features such as web content filtering not available on the Basic SKU and TLS inspection only available on the Premium SKU. Azure Firewall is a first-party Network Virtual Appliance (NVA) but there are other 3rd party NVAs available from the Azure Marketplace. Some allow you to bring an existing licence (BYOL) over so check out those options too.

DDos Protection is running on Azure as standard but there is a paid for service which allows for more features. You can purchase as Network Protection which covers VNets in a subscription, or you can buy per IP address. If you go for Network Protection you get additional features such as DDos rapid response support and cost of data transfer and scale out guarantee (Microsoft reimburses you the cloud consumption costs incurred by the attack).

For web application level DDos protection, you can activate DDos protection on the Azure Web Application Firewall (WAF) which in turn can be used with Application Gateway or Azure Front Door which are both described below.

Services to allow public access to your applications

Whilst it is possible to access a web application via a Public IP address assigned to a VM NIC, this is not considered best practice from a security standpoint, nor will it allow for load balancing or serving workloads that are not on a VM such as containerised services. For best practice, there are 4 main ways of managing inbound access each with their own use case.

First, we have Azure Load balancer. This is an OSI level 4 load balancer which can be set to load balance between different Availability Groups in a given region or across multiple Azure regions with the Global tier. It is a high performance, highly available service options to point to NICs on a VNet or you can specify IP addresses when using the Standard load balancer (the basic SKU has no SLA and isn’t recommended for critical workloads).

If you require regional load balancing but would prefer to work at OSI layer 7, so you can do things like route to different nodes in the server pool based on URL path or domain or want to take the SSL handshake burden off the nodes, then Azure Application Gateway is the service you need. With Azure App Gateway you can activate the Web Application Firewall (WAF) which is the Azure Firewall running within the Gateway. Additionally, in the WAF configuration you can activate DDos protection.

For globally distributed apps, content and websites, you could use Azure Front Door. Whilst not just for resources contained within a VNet, this is a popular use case. Microsoft also describes Front Door as a Content Delivery Network (CDN) because it can route users to the closest region of your app/website. Working at layer 7 it has many features found in Azure Application Gateway such as routing based on URL and having the ability run WAF on Front Door.

Lastly, there is Azure Traffic Manager which again doesn’t have to point to an endpoint contained within a VNet but it is certainly a use case. Traffic Manager is a DNS based load balancer that can work on a global scale. It monitors the endpoints for health like a usual load balancer but this one works by configuring a routing method including Priority which returns the DNS host(s) for a primary service endpoint with backup endpoints if the primary is offline, Performance which will return hosts with the lowest network latency, Weighted is for distributing traffic based on an endpoint’s configured weighting, Geographic will direct users to endpoints based on location which is good for compliance requirements, Multivalve returns all healthy endpoints and allows the client browser/app to select one and finally Subnet routes an end user’s IP address to a specific endpoint. It is worth noting that app traffic does not travel through the Traffic Manager, but Traffic manager serves the client with DNS responses based on the routing method selected from the list above.

Services to support VNet configurations

Azure NAT Gateway is used to give predictable results to outbound traffic for any subnets assigned to it. When setting up the service, you must create or assign a public IP address or an IP prefix to the service. The result of deploying NAT Gateway is you will know the IP address(es) that will be used for external traffic, so you can whitelist services or just know what IP will connect to to make connectivity. You use an IP prefix when your number of systems needing to gain outside access will cause SNAT port exhaustion. A single IP address provides 64,512 ephemeral ports to NAT gateway for connecting outbound. Azure NAT Gateway doesn’t require any custom routing – an assigned subnet is automatically updated with the appropriate routing.

For DNS within a subnet, Azure provides a free DNS service which will register any hostnames in a VNet automatically and take care of everything via the Azure global resolver IP address, 168.63.129.16. There is also Azure Private DNS which allows you to create private DNS zones so you can register DNS entries for multiple VNets for virtual machines, virtual machine scale sets and any other services based on VMs. A private DNS zone allows custom domains instead of the Azure standard ones such as xxx.internal.cloudapp.net. If you have specific needs, you could use your own DNS server solution.

Azure also has public DNS service where you can manage domain names in Azure and all your A, TXT, CNAME, MX etc. record types. You can get your DNS records managed in Azure either by setting up the DNS zone and pointing your domain name to Azure’s nameservers, or you can buy a new domain name in Azure if using Azure App Service.

Azure subnets have a set of default routes which may not suit the use case. You cannot delete the default routes, but you can override them with user defined routes. You can create a route table and assign it to a subnet or multiple subnets. For example, by default there is a 0.0.0.0/0 route that routes all non-internal traffic to the Internet. But say you want to route traffic via Azure Firewall, then a custom route which sets next hop to the NVA would suit this requirement.

If you need to connect two or more Vnets, then the most straightforward approach is to use Azure virtual network peering. Peering is very versatile, with the ability to connect two VNets in the same region or in different regions using global virtual network peering. All traffic travels securely via Microsoft’s backbone infrastructure. With the correct credentials, VNet peering can to VNets on different subscriptions, even different tenants.

To connect two virtual networks, you must ensure each network’s IP range doesn’t overlap, if it does, you must make amendments to one before setting up peering. A common use case for peering is creating a hub and spoke architecture, where one VNet is the hub, containing resources such VPN gateway, Azure Bastion and firewall and the spoke networks connect via the hub to provide connectivity to on premises clients or out to the Internet via the firewall.

Azure Bastion is a great way to securely access to your Windows (via RDP) and Linux VMs (via SSH) without exposing the VMs RDP port/ SSH port to the Internet or having to go via a VPN. Azure Bastion can replace the traditional Jump Box server by allowing secure login via the Azure portal or by creating a Bastion Shareable Link. Bastion works particularly well for administrators, allowing to remote access of individual virtual machines by RDP or SSH.

Secure connectivity to on prem servers and clients and remote workers

The most popular secure connectivity method is the VPN. There are two types of VPN in Azure: site-to-site and point-to-site. One is for connectivity to a whole remote network, and one is for individual client devices to connect to the Azure network. Both connect via a VPN gateway, which runs from a special subnet called Gateway Subnet. There are various SKUs for Azure VPN depending on if you require the VPN to be zone redundant and how much performance you require.

For a site-to-site VPN there are 4 components – a VNet with a subnet called GatewaySubnet. The subnet should be /27 or larger. If you are managing multiple VNets or even if you are preparing for changes later, it may be worth considering this VNet/subnet to be in the hub of a hub and spoke network for ease of management and better security. The main component is the VPN gateway which also provides the point-to-site VPN should you need users to access your Azure resources directly from their devices when, for example working from home. When creating the VPN Gateway, that is where you pick the SKU based on requirements. For each site you are connecting to, you will need to create a local network gateway. A local network gateway is a representation of the remote site. When creating, you will specify the public IP address and the address spaces on the remote LAN. This is what creates the routing to those ranges. Be sure not to overlap remote and Azure address ranges where there needs to be communication. Last step is creating a VPN connection where you configure encryption and security parameters to match your on-premises device configuration. You should ensure your IPSEC and IKEv2 settings give your organisation an acceptable level of encryption as the VPN tunnel will traverse the Internet.

The VPN gateway runs 2 VPN servers, and as default one is active and one is a standby for planned maintenance or should something fail (active-standby). You can however run active-active for more availability. For this configuration, you also need two public IP addresses, one per gateway VM. For maximum availability, you can have 2ll connections each with its own router/appliance at your premises, both connected to both Azure VPN gateway VMs.

Point-to-site connectivity can be to Windows, Mac or Linux devices, using OpenVPN, SSTP or IKEv2, depending on your operating system. Authentication can be done via certificate, Entra ID or an Active Directory Domain Server (using RADIUS).

ExpressRoute is an alternative to VPN where company or regulatory policies dictate no traffic can traverse the public Internet, regardless of encryption. It also allows more predictable results because of the fewer hops required. The connectivity varies from any-to-any (IPVPN) network, a point-to-point Ethernet connection, through a virtual cross-connection via an Ethernet exchange or ExpressRoute Direct. All will have various costs associated and most will require a 3rd party for the provision of the circuit. ExpressRoute connections are highly available and supports bandwidths from 50Mbs to 10Gbs. There are options to connect to a region and just use any resources within that region’s geopolitical area, or globally using ExpressRoute Premium. For cost effectiveness, you can opt to use for resources located in only one region using the ExpressRoute Local SKU which is limited to a single region (not the whole geopolitical area) and includes data egress at no extra cost. ExpressRoute can be used to connect to Azure services or Microsoft 365 services.

To simplify the rollout of connectivity solutions within Azure, you can use Azure Virtual WAN. Using Azure Virtual WAN, you can deploy and manage services from a single interface. Services available include site-to-site and point-to-site VPNs, ExpressRoute connections, interbranch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE), routing and Azure Firewall. For just using site-to-site VPN only, there is a basic SKU, for any other services the Standard SKU must be used when setting up Azure Virtual WAN.

Azure Virtual WAN is deployed as a hub-and-spoke architecture. Multiple Azure Virtual WAN deployments can be connected via hub-to-hub connectivity.

Monitoring and diagnostics

There are a multitude of solutions for monitoring and performing troubleshooting tasks for Azure networking. As is the case for most Azure services, Azure Monitor plays a big part in diagnostics and monitoring of the Networking elements of your cloud architecture. From within the Azure Monitor there is a Networks link in the Insights section of the navigation. Here we will look at the various tools available.

The first few tabs in Monitor > Networks are visualisations and summaries of various networking services. On the Health and Metrics tab you can see various services such as Bastions, Virtual Networks, Network Interfaces etc. in a visual form, to quickly see if any of the services are in a degraded or unavailable state. Connectivity is a visualisation of any Connection Monitor Tests created within the Diagnostics Toolkit section. Traffic is the 3rd tab, which is a graphical representation of NSGs that have been configured on an NSG flow log. You also get Traffic Analytics on this view.

The Diagnostic Toolkit menu links to various components contained within Network Watcher, which is a collection of services that help with network and connectivity troubleshooting as well as drive many of the Monitor views discussed previously. Let’s look at each service.

Packet Capture – A popular tool in network engineering, this Azure version provides packet capture for the VMs you specify. By analysing traffic at the packet level, you can understand what data is being sent back and forth from VMs to other resources.

VPN Troubleshoot – Allows you to test for problems with your VPN gateways or connection.

Connection Troubleshoot – This will check TCP connectivity between a VM and another VM, fully qualified domain name (FQDN), URI, or IP address.

Next hop – This feature is a sanity check to ensure routing for a given host is set up correctly. You choose a VM and specific NIC and you can see if the next hop will be Internet, VNet local, VNet peering, Virtual Network Appliance, Virtual Network Gateway or none. It will also inform you if a system or user defined route determined the resulting next hop.

IP flow verify – This will allow us to test if a TCP/UDP connection can be established between a VM’s NIC and a remote host. It uses 5 tuple information (source/destination IP, source/destination port and protocol) which will return if the selected criteria would have passed or been blocked and by what NSG rule or by Azure Virtual Network Manager admin rule.

Effective security rules – With this feature you specify a VM and which NIC on the VM you want to test. It will then calculate all NSG rules applied to the NIC or subnet for inbound and outbound traffic. From that you will be able to ascertain if a given port on a given source/destination IP would be allowed or blocked.

NSG & VNet Flow Logs – You can use these logs to provide visibility about what traffic is being sent from and to your resources. You can use the data to diagnose specific concerns or pipe to a SIEM solution such as Microsoft Sentinel.

Network Topology – This is a tool that will generate a visual representation of your network layout. From VNets and subnets down to the resources within them, you can see what your networking topology looks like and the relationship between resources.

Conclusion

This was an overview of the Azure Virtual Network and associated products and services. If you plan on using any Azure networking components, please check official documentation to ensure best practices and any product updates.

If you want to become highly competent in Azure networking, including but not limited to virtual networks, then following the Microsoft AZ-700 exam learning path is a great place to start. If after digesting the material on MS Learn and other resources such as an online course, you could choose to sit the the Exam. If you pass, you will become a Microsoft Certified: Azure Network Engineer Associate.

Copyright © 2025 azureskills.tech

Theme by Anders NorenUp ↑