The AZ-100 Microsoft Azure Infrastructure and Deployment course equips IT professionals with the skills to implement, manage, and monitor core Azure services. Covering virtual networking, storage, compute, identity, and governance, the course prepares learners to handle real-world infrastructure challenges in Azure environments. It emphasizes hands-on labs and scenarios to ensure practical understanding of virtual machines, load balancers, VPNs, and more. Ideal for administrators and engineers, this course aligns with the Azure Administrator Associate certification path for career advancement.
INTERMEDIATE LEVEL QUESTIONS
1. What is the purpose of Azure Resource Manager (ARM)?
Azure Resource Manager (ARM) is the deployment and management service for Azure. It provides a consistent management layer that enables users to create, update, and delete resources within their Azure subscriptions. Through ARM, users can manage resources as a group, apply access controls, monitor activity logs, and use templates for deployment consistency.
2. Explain the concept of Azure Availability Sets.
Azure Availability Sets are used to ensure high availability of virtual machines. They distribute VMs across multiple physical servers, compute racks, storage units, and network switches within a datacenter to prevent a single point of failure. Each set has update and fault domains to minimize downtime during maintenance or unexpected failures.
3. What are Network Security Groups (NSGs) in Azure?
Network Security Groups (NSGs) act as virtual firewalls to control inbound and outbound traffic for Azure resources. They contain rules that allow or deny traffic based on IP addresses, port numbers, and protocols. NSGs can be applied to subnets or individual network interfaces to secure communication within Azure virtual networks.
4. How does Azure DNS work and what are its benefits?
Azure DNS is a hosting service for domain name system (DNS) domains using Microsoft Azure infrastructure. It allows for the management of DNS records using the same credentials, APIs, and billing as other Azure services. Benefits include high availability, fast response times, scalability, and secure domain management.
5. Describe the role of Azure Load Balancer.
Azure Load Balancer is a Layer 4 (TCP, UDP) service that distributes incoming network traffic across multiple virtual machines. It provides high availability and network redundancy by automatically balancing load. It supports inbound and outbound scenarios, including health probes to monitor service availability.
6. What is the difference between Azure Blob Storage and Azure File Storage?
Azure Blob Storage is optimized for storing large amounts of unstructured data like text and binary files, while Azure File Storage provides managed file shares accessible via the Server Message Block (SMB) protocol. Blob Storage is ideal for streaming and big data workloads, whereas File Storage supports traditional file system use cases.
7. How does Azure Monitor help in managing Azure resources?
Azure Monitor collects, analyzes, and acts on telemetry data from Azure and on-premises environments. It helps administrators understand the performance and health of their systems by providing metrics, logs, and diagnostic insights. It integrates with tools like Azure Log Analytics and Application Insights for comprehensive observability.
8. What are Azure Virtual Network Peering and its use cases?
Virtual Network Peering connects two or more virtual networks in Azure, allowing resources in each network to communicate as if they were part of the same network. It is used to achieve low-latency, high-bandwidth connectivity across regions or resource groups without VPNs or gateways.
9. Explain the importance of Azure Role-Based Access Control (RBAC).
Azure RBAC is a system that provides fine-grained access management to Azure resources. It enables users to assign roles to individuals or groups, defining what actions they can perform. By implementing RBAC, organizations can enforce least privilege access and improve security posture.
10. How can you back up virtual machines in Azure?
Azure Backup provides a simple and reliable solution to back up virtual machines. It captures snapshots of the VMs and stores them in Recovery Services Vaults. Backups can be scheduled, encrypted, and restored with minimal effort, ensuring data protection and business continuity.
11. What is Azure Bastion and why is it used?
Azure Bastion provides secure and seamless RDP and SSH connectivity to virtual machines directly through the Azure portal, without exposing them to the public internet. It eliminates the need for public IP addresses on VMs and reduces exposure to brute force attacks.
12. What is the function of Azure Resource Locks?
Resource Locks prevent accidental deletion or modification of critical Azure resources. There are two types: CanNotDelete (ReadOnly) and ReadOnly. Locks can be applied at the subscription, resource group, or resource level to ensure administrative control and stability.
13. How is Azure Traffic Manager different from Azure Load Balancer?
Azure Traffic Manager operates at the DNS level and directs client requests to the most appropriate endpoint based on routing methods such as performance, priority, or geographic location. Azure Load Balancer, on the other hand, works at Layer 4 and manages traffic within or across virtual machines within Azure regions.
14. What are Managed Disks in Azure and their benefits?
Managed Disks are an Azure-managed disk storage solution for VMs. They handle storage account creation and management automatically, improving scalability and reliability. Managed Disks offer features like snapshots, encryption, availability zones, and enhanced performance for mission-critical applications.
15. What tools are available in Azure for automating deployments?
Azure provides several tools for automation, including Azure Resource Manager (ARM) templates, Azure CLI, PowerShell, and Azure DevOps. These tools support infrastructure as code (IaC) practices, enabling consistent, repeatable, and scalable deployments across environments.
ADVANCED LEVEL QUESTIONS
1. Explain the concept and architecture of Azure Virtual Network and its role in hybrid cloud scenarios.
Azure Virtual Network (VNet) acts as the fundamental building block for private networking within Azure. It allows resources like VMs, application services, and databases to securely communicate with each other, the internet, and on-premises networks. VNets are logically isolated, enabling organizations to define their own IP address space, subnets, routing policies, and security settings. In hybrid cloud architectures, VNets support VPN Gateway and ExpressRoute connections for secure communication with on-premises infrastructure. Peering and network virtual appliances further enhance hybrid setups, allowing seamless extension of datacenter networks to Azure while preserving security, performance, and compliance standards.
2. Describe in detail the Azure Resource Manager (ARM) deployment model and its benefits over the classic model.
Azure Resource Manager (ARM) provides a unified management layer for provisioning, configuring, and managing Azure resources. Unlike the classic deployment model, which managed resources individually and lacked role-based access control, ARM allows resources to be grouped into resource groups for streamlined management. This model supports declarative templates (ARM templates), tagging, RBAC, and policy enforcement, enabling automation and governance at scale. ARM ensures dependencies are respected during deployments and enables rollback, repeatable infrastructure as code (IaC), and lifecycle management. These capabilities drastically reduce configuration drift and promote DevOps practices.
3. How does Azure support high availability and disaster recovery for mission-critical workloads?
Azure provides multiple services and architectural patterns to ensure high availability (HA) and disaster recovery (DR). For HA, Azure offers Availability Sets, Availability Zones, and Load Balancers. Availability Sets protect against hardware failure within a single datacenter, while Availability Zones provide zone-redundant deployments across physically separate facilities within a region. Azure Load Balancer distributes traffic across healthy endpoints. For DR, Azure Site Recovery replicates workloads to secondary Azure regions or on-premises environments. Combined with geo-redundant storage and backup solutions, this ensures continuity during disasters. These services are critical for complying with RTO/RPO requirements and achieving enterprise-grade resilience.
4. What are Azure Managed Identities and how do they enhance security in cloud-native applications?
Azure Managed Identities allow Azure services to authenticate securely without embedding secrets or credentials in code. These identities integrate with Azure Active Directory and are automatically managed by Azure. There are two types: System-assigned and User-assigned. System-assigned identities are tied to a single resource and deleted when the resource is deleted, while user-assigned identities can be shared across multiple services. They are commonly used to authenticate to services like Azure Key Vault, Azure SQL Database, and Azure Storage without the need for explicit credentials, thereby minimizing attack surfaces and supporting secure, scalable identity management.
5. How does Azure Policy differ from Azure Role-Based Access Control (RBAC), and how do they complement each other?
Azure Policy and RBAC serve distinct but complementary purposes in governance. RBAC focuses on defining "who" has access to "what" and "what they can do," using roles assigned at different scopes (subscriptions, resource groups, or resources). Azure Policy, on the other hand, enforces "what" can or cannot be deployed or configured, regardless of user permissions. For instance, Azure Policy can restrict VMs to specific sizes or regions, while RBAC can restrict who can create VMs. Together, they enable enterprises to enforce security and compliance while allowing flexibility in operational roles.
6. What is the significance of Azure Blueprints in enterprise-scale deployments?
Azure Blueprints allow organizations to define a repeatable set of Azure resources and governance controls to standardize environment provisioning. A blueprint may include ARM templates, RBAC roles, policies, and resource groups. Blueprints are version-controlled and support locking of resources to prevent changes. This is especially beneficial in enterprise environments with regulatory requirements, as it ensures consistency and compliance across environments such as dev, test, and production. It facilitates a DevOps-friendly approach where environments can be provisioned rapidly while maintaining centralized governance.
7. How does Azure Monitor and Log Analytics provide full-stack observability in complex environments?
Azure Monitor collects metrics and logs from virtually all Azure resources, applications, and on-premises environments. Log Analytics, a component of Azure Monitor, enables querying and analysis of this telemetry data using the Kusto Query Language (KQL). Together, they support proactive alerting, performance tuning, and root-cause analysis. Azure Monitor integrates with Application Insights for application-level monitoring and supports workbooks and dashboards for visual insights. These capabilities enable full-stack observability by correlating infrastructure metrics with application traces, supporting DevOps, SRE, and security teams in maintaining uptime and performance.
8. How does Azure Application Gateway differ from Azure Load Balancer, and what are its key use cases?
Azure Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer with built-in application firewall (WAF) capabilities, whereas Azure Load Balancer operates at Layer 4 (TCP/UDP). Application Gateway provides advanced features such as SSL termination, URL-based routing, session affinity, and autoscaling. It is ideal for web applications requiring fine-grained traffic control, protection against OWASP vulnerabilities, and end-to-end SSL management. Azure Load Balancer, in contrast, is used for distributing network traffic among virtual machines or services at the transport layer and is often used in conjunction with Azure Application Gateway for multi-tier applications.
9. How can ExpressRoute be used for secure and reliable enterprise connectivity, and what are its components?
ExpressRoute provides dedicated, private network connections between on-premises infrastructure and Azure, bypassing the public internet. This results in improved reliability, security, and performance. It consists of components like ExpressRoute circuits, peering types (private, Microsoft, and public—though public is deprecated), and connectivity providers. It supports bandwidths up to 10 Gbps and allows global reach between multiple regions. ExpressRoute is critical for industries with strict compliance or latency requirements, enabling hybrid cloud setups, database replication, and enterprise-grade application hosting.
10. What are Availability Zones, and how should they be architected for fault-tolerant applications?
Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying applications across zones ensures high availability even if one zone goes down. Architecting for fault tolerance requires placing redundant application instances, databases, and services across zones, often using zone-redundant services or zonal deployments. Load balancing, data replication, and health monitoring must also account for zone-level failures. This architecture provides an SLA of up to 99.99% for multi-zone deployments, suitable for mission-critical applications.
11. What is the importance of Azure Private Link and how does it secure service access?
Azure Private Link enables private access to Azure services over a private endpoint within a virtual network. It eliminates exposure to the public internet by mapping services like Azure Storage, SQL, or custom services directly to private IPs. This enhances security by preventing data exfiltration and supports compliance with data protection policies. It also simplifies firewall rules and access control. In enterprise architectures, Private Link is essential for secure, scalable, and private access to platform services and customer-hosted applications.
12. How does Azure Disk Encryption work and what are the key considerations for implementation?
Azure Disk Encryption uses BitLocker (for Windows) or DM-Crypt (for Linux) to encrypt OS and data disks at rest. Encryption keys are managed using Azure Key Vault, allowing customers to use either platform-managed or customer-managed keys. Disk encryption ensures data protection against unauthorized access, especially in regulatory contexts. However, enabling encryption may impact VM performance and compatibility with backup and recovery tools. Careful planning around key rotation, access policies, and integration with automation processes is required for successful implementation.
13. What are the best practices for designing a scalable and secure multi-tier architecture in Azure?
A scalable and secure multi-tier architecture typically consists of presentation, application, and data layers separated into different subnets. Azure services such as Application Gateway, Azure Firewall, and NSGs enforce traffic control. Load balancing and autoscaling ensure performance at each layer, while Azure Bastion secures VM access. The data layer should use services like Azure SQL or Cosmos DB with private endpoints. Logging, monitoring, encryption, and compliance enforcement should be embedded into each tier. CI/CD pipelines automate deployments, while tagging and policies manage governance.
14. How can Azure Cost Management help organizations optimize spending and predict future expenses?
Azure Cost Management provides detailed insights into cloud usage and spending across subscriptions and resources. It allows users to set budgets, forecast future costs, and identify inefficiencies. By analyzing spending trends, organizations can right-size resources, eliminate idle services, and take advantage of reserved instances or spot pricing. Cost Management integrates with Azure Advisor for actionable recommendations and supports API access for third-party tools and automation. It’s essential for cloud financial operations (FinOps) teams aiming to balance performance and cost-efficiency.
15. What is the role of Azure Automation State Configuration, and how does it support infrastructure consistency?
Azure Automation State Configuration is a cloud-based configuration management solution built on PowerShell Desired State Configuration (DSC). It enables administrators to enforce and monitor the desired state of VMs and servers across Azure and on-premises environments. Configurations are defined as code and applied declaratively, ensuring consistent and compliant infrastructure setups. Drift from desired state is automatically detected, and remediation can be triggered. This tool supports DevOps practices by integrating with CI/CD workflows and reduces the risk of configuration-related outages.