Deploy and manage Azure compute resources Flashcards

1
Q

What weighting does this section have in the AZ-104 exam?

A

20% to 25%

2
Q

What is a compute resource in Azure?

A

Virtual Machines

3
Q

What are the Security types available when creating a new VM?

A
  1. Standard Virtual Machines: The baseline offering in Azure, suitable for a broad range of applications, providing a balance of compute, memory, and storage resources.
  2. Trusted Launch Virtual Machines: Enhances security with features like Secure Boot and a virtual Trusted Platform Module (vTPM) to protect against advanced rootkits and bootkits, and enable secure storage of secrets.
  3. Confidential Virtual Machines: Offers the highest level of security by encrypting data in use, using hardware-based Trusted Execution Environments (TEEs) to isolate data from the host OS and other VMs, ideal for handling sensitive data in highly regulated industries.
4
Q

What ports are open to the virtual machine by default?

A

Inbound port rules: all ports are blocked by default, but the SSH and RDP ports are especially important to open, depending on your connection method.

5
Q

What is an image and what are the options available when creating a new VM?

A

Images are static copies of a particular operating system in a specific state from a hard disk. Images are used to create a VM in a specific state with a specific operating system and configuration.

6
Q

What are instance sizes?

A

Instance sizes represent the hardware combination of CPU, GPU and memory. They are presented in a menu which divides the options into series categories, each series being especially good for a particular type of VM workload.

Generally you should choose the latest version of a series, except if you have existing VMs which use a previous version and compatibility is paramount.

7
Q

What is the use of the administrator account created when creating the VM?

A

The administrator account is for connecting with Remote Desktop to the VM

8
Q

What is an Azure spot instance?

A

Azure spot instances are offered at reduced cost in exchange for no guarantee that the VM will remain working on the customer’s workload. If another customer who is paying full price for their VM requests a VM while none are available, those customers running VMs as spot instances may find that their VM is given to the full-paying customer.

Spot instances can lead to substantial savings but require low-urgency, low-priority workloads that can safely be stopped (and restarted on another VM) without losing the integrity of the work done.

9
Q

What are the different disk options available?

A

- OS disk holds the operating system and can be temporary or permanent storage. Temporary storage
- Data disks are additional external disks for your VM

10
Q

What’s the max number of data disks you can add to a VM?

A

8

11
Q

What disk encryption options are available?

A

By default a virtual machine’s disk is encrypted; however, the encryption at host check box stored the encryption of the operating system as well as the disks with a BitLocker encryption.

12
Q

What is the delete with VM option?

A

It means that if you delete the VM, the disk will be automatically deleted too.

13
Q

What is Ultra Disk?

A

It’s a high-performance disk with very low latency at a massive throughput. The most performant disk option available in Azure.

14
Q

How many VMs can a data disk be attached to at the same time?

A

1.

If you need a disk to be attached to more VMs then you need to look at Azure file share.

15
Q

What kind of threat and virus protection is available for cloud VMs?

A

Microsoft Defender. It’s free and can be opted out of (maybe you plan to deploy your own, or something about the Defender software isn’t compatible with your VM workload).

16
Q

What is a VM system managed identity?

A

A user that can be created and fully managed by Microsoft and tied to this VM resource to interact with the VM. It simplifies some of the setup because with this you don’t need to manually manage a service user on the device (unless you want more service users).

17
Q

What is the purpose of logging in with Azure AD?

A

It allows you to give anyone in the Azure Active Directory instance access to the VM.

18
Q

What is the purpose of auto shutdown?

A

You can program on and off times (maybe during the night) to reduce the cost of the VM.

19
Q

What is site disaster recovery?

A

You run a clone of the VM in another site and it is constantly being updated to twin the active running VM. In case of a disaster, in a few minutes the VM that was previously a backup will become the main VM, and your downtime will be drastically reduced as a result.

20
Q

What is hotpatching?

A

It is a process where patching can be done without a VM restart

21
Q

Can you opt out of automatic patching and updates?

A

Yes

22
Q

What is the easiest way to set up monitoring for a new VM?

A

The monitoring tab of the new VM setup allows you to customise some predefined alerts and notifications like:

  • CPU % greater than X
  • available memory less than Y
  • IOPS consumed by disk
  • IOPS %
  • network usage
  • VM availability

Alerts can use action groups, emails, SMS etc.

23
Q

What is the purpose of the boot diagnostics option?

A

To gain access to the boot logs. You must pay for the storage to store these.

24
Q

What agents are available to install in the new VM setup?

A

There are a lot of agents. Custom Script Extension, for example, allows you to run PowerShell scripts on startup. There are loads.

25
Q

What is the purpose of custom data?

A

It’s a small scripting block where you can define variables, scripts etc., and that script will be persisted to the VM in a known location.

Good for configurations or scripts that you need on your machine from the moment of creation.

26
Q

What is the user data checkbox for?

A

It does something similar to the custom data, but the input is available to VM applications for the lifetime of the VM. Best to avoid, as GDPR restricts the duration you may keep user data without regaining the user’s consent.

27
Q

Can you opt in to use NVMe storage for the OS?

A

Yes, it’s super fast. It’s expensive.

28
Q

What is the option of having a dedicated host?

A

You pay a lot more but the hardware runs only your VMs. You’re essentially renting a server and creating your VMs on the same server. This means interacting VMs are together and communication lag is eliminated.

29
Q

What are capacity reservations?

A

If you need a certain number of VMs to run your workload and you are concerned that at some point Azure might run out of the hardware you need for your VMs, you can make a capacity reservation of X number of VMs. This means you immediately start paying for all X of the VMs even if you are not ready to use them yet.

30
Q

What is a proximity placement group?

A

It’s a group to place VMs in that you want to be close together to reduce communication lag between them. Much cheaper than using a dedicated host though not equally performant.

31
Q

How can you see an estimate for the price of your VM?

A

On the review and create screen there is a summary of all the chosen options and a price per hour.

32
Q

What are the mechanisms for connecting to a virtual machine hosted in Azure?

A

Network settings must be set up to allow incoming traffic to the public IP of the VM on ports 80, 443 and 3389. This allows us to connect via SSH (443), HTTP (80) and Remote Desktop (3389). The only exception is connecting using the Azure Bastion service, where no ports are required to be open.

Click Connect from the VM interface and select your connection method. Then you can download a small executable to run a Remote Desktop connection to the VM. You will likely have to log in using the admin user created or defined during VM creation. You will need to accept the certificate prompt.

On the Azure VM UI you will also see a PowerShell script which you can run to connect to the VM through a text-only interface.

33
Q

How can you change the size of a running VM?

A

In the size menu of the blade, you can choose another VM size/type with different CPU/GPU/memory specifications. Note that this will require a VM restart.

You can automate this type of resizing using a PowerShell script to grow and shrink at specific moments; for example, you may want to pay for a faster, snappier server response during the holidays to increase the customer view-to-purchase ratio. This is called vertical scaling. Generally, horizontal scaling with scale sets is preferred, as they are a more seamless method to increase traffic throughput, but vertical scaling may have a limited number of use cases.

34
Q

When assigning disks to a VM, what are you charged for exactly?

A

For the provisioned space, not the used space.

This is not the same as Azure file shares, where you’re charged by used storage, not the maximum capacity.

35
Q

Can you add additional VM hard disks?

A

Yes, just via the disks link of the VM UI blade. Create the disk in the interface and wait a few minutes for its deployment. Note that if you want to add this newly deployed disk to an existing VM, go to the VM UI in the Azure portal, go to disks, then select attach existing disk in the disk settings.

Connect to the VM with RDP and you’ll see that the new disk will not yet be attached. You need to go to disk manager, where the new hardware will be detected and you will be prompted to initialise the new disk. You will define whether it needs to be in the master boot record or GPT (so usually it will just be part of GPT, as MBR is only for the C drive). Then you will see the new drive in the disk management UI, in which you can, via a right-click menu, create partitions and file systems in it mapped to your network drive letter of choice.

You can have up to 8 additional disks after your primary C drive holding your operating system.

36
Q

What is the Bastion service?

A

It’s a more secure option to connect to your VMs. The bastion VM sits in its own private subnet with incoming traffic limited to the machines from which you wish to connect to your protected VMs. Then the bastion VM receives the incoming traffic and routes it out to the target VM, which has been configured to only accept traffic from the bastion.

The VM has no public ports and no configured open ports either.

You connect to the bastion server and the traffic is routed to your target VM.

Bastion servers are not cheap but they can be manually or automatically configured and leave your VMs without any open port for malicious hackers to try to exploit.

37
Q

What’s the difference between a basic and a standard bastion service?

A

Basic:
- connect with peered VPN
- access private keys in Key Vault
- connect to Linux VM using SSH
- connect to Windows using RDP
- Kerberos auth
- VM audio out

Standard only:
- shareable link
- connect to VMs using a native client
- connect via IP address
- host scaling
- specify custom inbound port
- connect to Linux VM using RDP
- connect to Windows VM using SSH
- upload or download files
- disable copy paste (web-based clients)

38
Q

How much does a Bastion service cost?

A

At the time of writing a basic bastion is $0.19 per hour and a standard is $0.29 with the possibility to get a second instance for just $0.14 per hour. That works out at around $120 per month for basic or $210 a month for a standard (720 hours in a month).

Data is paid for separately in the case of large file uploads and downloads.

39
Q

How to actually connect once the bastion service is configured?

A

In the VM UI you can click the connect drop-down and you will see that, apart from the standard SSH and RDP, you also see the option to connect with the Bastion service. You’ll be prompted for the VM admin user and password, and then you will connect via the browser in another browser tab.

40
Q

What is a VM scale set (VMSS)?

A

It’s a system of automatic horizontal scaling, configured to increase or decrease the number of VMs between a user-configured minimum and maximum number of VMs. The automatic change in the number of VMs is configured based on any factor related to the monitoring of the system so that, e.g., when memory usage reaches a threshold, a new VM is deployed running the same application to help handle the workload of the application.

41
Q

How much does it cost to use a VM scale set?

A

The service is free but you pay for the Azure resources it deploys.

42
Q

What are the main configurations when creating a VM scale set?

A

Its name, region, resource group, whether to deploy to multiple availability zones (one VM deployed per availability zone selected). The image to put on the new VMs and the hardware options like GPU, CPU, memory and architecture. The security measures to access the VMs, the tier of instance (standard, premium spot), the administrator account.

The network options, auto vs manual scaling range, on what metric, scale-in policy, diagnostic logs, whether you want to have Microsoft Defender running, whether to enable overprovisioning, whether to handle the VM OS updates automatically, health monitoring options (the health probe) and automatic repairs (replace sick VM), whether to turn on placement groups, reservations, hosts and tags.

43
Q

What is the difference between the uniform and flexible orchestration mode?

A

Uniform: where each VM is stateless and works alone, with identical instances. This is the traditional way to create a VMSS with any number of VMs (lower numbers especially).

Flexible: where the type of instance can be different to achieve high availability. This is a newer option and is better for large numbers of VMs in a scale set (approx. 30+). Each VM will be treated as an individual VM; you can mix Linux and Windows, standard, premium and spot instances in the same scale set etc.

44
Q

What is the scale in policy?

A

It’s the method used to choose which VMs to destroy during a reduction in the number of active VMs. You can choose to delete the newest, the oldest or a default method which uses a balanced approach.

45
Q

What is the maximum number of VMs in a scale set?

A
  1. If you need to scale up to a larger number of VMs on a scale set you will need to use placement groups. This allows scaling from 100 to 1000.
46
Q

How long does it take to deploy a scale set?

A

Just for the scale set, a couple of minutes. This does not include the vm deployment.

47
Q

How to create a VM using PowerShell?

A

Cloud Shell and local shell are both options.

  1. Connect PowerShell to your Azure account with “Connect-AzAccount” and authenticate in the browser window which pops up.
  2. Create a resource group for the VM to be part of with “New-AzResourceGroup -Name myRsgrp -Location EastUs”.
  3. Create the VM with “New-AzVM -Name myVm -Credential (Get-Credential)” plus any optional parameters for which you want a non-default value (see https://learn.microsoft.com/en-us/powershell/module/az.compute/new-azvm?view=azps-11.2.0 for details).

E.g.

Connect-AzAccount

New-AzResourceGroup -Name myRsgrp -Location EastUs

New-AzVM -Name myVm -Credential (Get-Credential) -ResourceGroupName myRsgrp

Follow the on screen prompts where required.

48
Q

What does the Invoke-AzVMRunCommand do?

A

It allows you to run a command on a VM without actually being connected to it over RDP.

49
Q

How can you run a PowerShell command on a VM through the UI rather than PowerShell?

A

By selecting the “run command” link on the VM portal UI blade and selecting PowerShell script from the sub menu.

50
Q

How can you execute the start, restart, stop and delete commands of a VM using PowerShell?

A

You first need to Connect-AzAccount to authenticate your PowerShell instance.

Then:

Stop-AzVM -Name <vm> -ResourceGroupName <rg>

Start-AzVM -Name <vm> -ResourceGroupName <rg>

Restart-AzVM -Name <vm> -ResourceGroupName <rg>

Remove-AzVM -Name <vm> -ResourceGroupName <rg>

Remove-AzResourceGroup -Name <rg>

51
Q

What is a generalised VM?

A

It is a VM that has undergone system preparation to be an image for other VMs to be created from.

To do it, go to the c:\windows\System32\sysprep directory and execute the Sysprep program. Once the program has finished and the VM has stopped, the VM UI will have a new capture button on the overview menu which will turn the VM into an image.

52
Q

What are the available encryption options for VM disks?

A

Server-side encryption: at rest with either a customer-managed key, an Azure-managed key or a dual requirement so both user and Azure keys are required to decrypt the disk.

Azure Disk Encryption (ADE) works within the OS to encrypt data before it’s written to disk. This is what BitLocker does.

53
Q

How to activate disk encryption on an Azure VM?

A

From the portal, select the disks item in the blade menu, then click disk settings to see the encryption settings.

54
Q

How does Azure manage the encryption keys it’s supposed to manage?

A

Using Microsoft Azure Key Vault. You will be prompted to create one or to choose an existing one when selecting an encryption mechanism for your disk.

55
Q

When choosing Azure-managed key encryption, if your RBAC permissions do not allow you to create a key, just press save and Azure will use its own access to create the key.

A
56
Q

Does encrypting a disk require a restart?

A

Yes, and the encryption process will likely take a much longer time than a regular restart would have. After the one time encryption process a restart will take a more normal time to complete.