Azure Virtual Machines
An Azure Virtual Machine (VM) is an IaaS offering that gives full control over the OS, installed software, and configuration. When creating a VM you must choose a region, VM size (vCPUs, RAM, temp storage), OS image, authentication method, and at least one disk.
Encryption at host is an opt-in VM-level setting that encrypts the temp disk, OS disk cache, and data disk cache on the physical host before data flows to Azure Storage; it is separate from server-side storage encryption.
Availability Sets
Availability Sets protect VMs against localized hardware failures within a single datacenter by spreading VMs across up to 3 fault domains and up to 20 update domains, providing a 99.95% SLA. They cannot protect against datacenter-level outages.
- Fault domains: Separate racks sharing power and network (up to 3)
- Update domains: Groups of VMs rebooted together during planned maintenance (up to 20); only one update domain is rebooted at a time, with 30 minutes of recovery before the next
Availability Zones
Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across at least two zones provides protection against datacenter-wide failures and earns a 99.99% SLA.
Availability Zones and Availability Sets are mutually exclusive — you cannot assign a VM to both.
VM Scale Sets (VMSS)
Azure Virtual Machine Scale Sets (VMSS) allow deploying and autoscaling a group of identical or mixed VMs. They support Uniform and Flexible orchestration modes; Flexible orchestration is recommended for all new deployments.
| Orchestration Mode | Description | Recommended? |
|---|---|---|
| Uniform | Identical VMs from a profile; older model | No — legacy |
| Flexible | Supports mixed VM types, up to 1,000 instances, Azure Backup, Azure Site Recovery | Yes — for all new deployments |
The orchestration mode is set at creation time and cannot be changed. Scale-in policies control which VMs are removed first: Default (highest instance ID after zone balancing), NewestVM, or OldestVM.
Feature Comparison
| Feature | Availability Set | Availability Zone | VMSS Flexible |
|---|---|---|---|
| Protects against | Rack / hardware failure | Datacenter failure | Both (zone-spanning) |
| SLA | 99.95% | 99.99% | Up to 99.99% |
| Max fault domains | 3 | N/A | Max spreading |
| Autoscale | No | No | Yes |
| Azure Backup | Yes | Yes | Yes (Flexible only) |
Availability Set Immutability
Exam Trap
"You can add a VM to an availability set after it's been deployed." → You cannot. Availability set membership must be set at VM creation time. Changing it requires redeployment (delete and recreate the VM).
Zone vs. Set — Protection Level
Must Memorize
- Availability Set: 99.95% SLA — protects against rack-level failures within ONE datacenter
- Availability Zone: 99.99% SLA — protects against DATACENTER-level failures
- They are mutually exclusive — you cannot assign a VM to both
VMSS Orchestration Mode
Exam Trap
"VMSS Uniform orchestration mode is preferred for new deployments." → Microsoft now recommends Flexible orchestration for all new VMSS deployments. Flexible supports standard VM APIs, Azure Backup, and Site Recovery — which Uniform does not.
Encryption at Host vs. SSE
Must Memorize
Encryption at host encrypts temp disk and disk caches on the physical VM host before data reaches Azure Storage. Server-side encryption (SSE) protects data at rest in Azure Storage. They are complementary, not the same. Encryption at host fills the gap that SSE does not cover.
Moving VMs
Exam Trap
"Moving a VM to a new region is a simple drag-and-drop operation." → Moving a VM to another region requires Azure Resource Mover or redeploying the VM. A simple resource move only applies to resource group or subscription changes within the same region.
Create a Virtual Machine
- Portal → Create a resource → Virtual machine
- Basics tab: Subscription, Resource group, VM name, Region, Availability option (zone or set), Image, Size, Authentication
- Disks tab: OS disk type (Premium SSD / Standard SSD / Standard HDD), optional data disks, Encryption at host toggle
- Networking tab: VNet, subnet, public IP, NIC NSG
- Review + create → Create
Enable Encryption at Host
- During VM creation → Disks tab → scroll to Encryption section → toggle Encryption at host to On
- Requires the subscription feature to be registered:
az feature register --name EncryptionAtHost --namespace Microsoft.Compute
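Because encryption at host is opt-in per VM, a quick inventory check shows which VMs still lack it. The script below is an added example, not part of the original page: it audits a VM inventory for the encryption-at-host flag and reports each VM's availability placement. The sample inventory is constructed, and its field names are assumed to match `az vm list -o json` output.

```python
import json

# Constructed sample shaped like `az vm list -o json` output, trimmed to the
# fields used here. Names, groups and IDs are made up for illustration.
SAMPLE_VM_LIST = json.dumps([
    {"name": "web-01", "resourceGroup": "rg-prod", "zones": ["1"],
     "availabilitySet": None,
     "securityProfile": {"encryptionAtHost": True}},
    {"name": "web-02", "resourceGroup": "rg-prod", "zones": ["2"],
     "availabilitySet": None,
     "securityProfile": {"encryptionAtHost": False}},
    {"name": "db-01", "resourceGroup": "rg-prod", "zones": None,
     "availabilitySet": {"id": "/subscriptions/EXAMPLE/availabilitySets/as-db"},
     "securityProfile": None},
    {"name": "jump-01", "resourceGroup": "rg-mgmt", "zones": [],
     "availabilitySet": None},  # no securityProfile key at all
])


def placement(vm):
    """Return 'zone', 'set' or 'none' (zones and sets are mutually exclusive)."""
    if vm.get("zones"):
        return "zone"
    if vm.get("availabilitySet"):
        return "set"
    return "none"


def encryption_at_host(vm):
    """True only when the flag is explicitly true. A missing or null
    securityProfile means the opt-in setting was never enabled."""
    profile = vm.get("securityProfile") or {}
    return profile.get("encryptionAtHost") is True


def audit(vm_list_json):
    """Map each VM to (encryption_at_host, placement) and list the VMs to fix."""
    report = {}
    for vm in json.loads(vm_list_json):
        key = f'{vm["resourceGroup"]}/{vm["name"]}'
        report[key] = (encryption_at_host(vm), placement(vm))
    missing = sorted(k for k, (eah, _) in report.items() if not eah)
    return report, missing


if __name__ == "__main__":
    report, missing = audit(SAMPLE_VM_LIST)
    for key, (eah, where) in sorted(report.items()):
        print(f"{key:20} encryption_at_host={eah!s:5} placement={where}")
    print("enable encryption at host on:", ", ".join(missing))
```

To run it against a real subscription, pass the captured output of `az vm list -o json` to `audit()` in place of the sample.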
Configure an Availability Set
- Portal → Create a resource → search Availability set → set fault domains (up to 3) and update domains (up to 20)
- When creating a VM → Basics tab → Availability options → select Availability set → pick the set
Deploy a VM Scale Set
- Portal → Create a resource → Virtual machine scale set
- Choose orchestration mode: Flexible (recommended)
- Set scaling: Manual count or enable Autoscale → define min/max instance count and CPU-based rules
Move a VM to another Resource Group
- Portal → navigate to the VM → Overview → Move → Move to another resource group
- Select the target resource group → note that the VM must be stopped for region moves
AZ-104 Exam Focus
Exam Trap
"You can add a VM to an availability set after it's been deployed." → You cannot. Availability set membership is immutable after VM creation. The VM must be deleted and recreated with the availability set specified.
Exam Trap
"Availability Zones and Availability Sets provide equivalent protection." → Zones protect against datacenter-level failures (99.99% SLA); availability sets only protect against rack-level failures within one datacenter (99.95% SLA).
Exam Trap
"You can assign a VM to both an Availability Zone and an Availability Set." → These are mutually exclusive. Choosing a zone means you cannot also choose an availability set for that VM.
Exam Trap
"VMSS Uniform orchestration mode is preferred for new deployments." → Microsoft recommends Flexible orchestration for all new VMSS. Flexible supports standard VM APIs, Azure Backup, and Site Recovery — which Uniform does not.
Exam Trap
"Moving a VM to a new region is a simple drag-and-drop operation." → Moving a VM to another region requires Azure Resource Mover or redeployment. Simple resource moves only work for resource group or subscription changes within the same region.
Exam Trap
"Encryption at host is the same as Azure Storage Server-Side Encryption." → Encryption at host encrypts the temp disk and disk caches on the VM host before reaching Azure Storage. SSE protects data at rest in Azure Storage. They are complementary, not identical.
Q: What is the maximum number of update domains supported by an Availability Set?
Q: What SLA does deploying VMs across multiple Availability Zones provide?
Q: Can you add a VM to an availability set after the VM is deployed?
Q: Which VMSS orchestration mode supports Azure Backup, Azure Site Recovery, and standard VM APIs?
Q: What does encryption at host encrypt that server-side storage encryption does not cover?
Q: Are Availability Zones and Availability Sets mutually exclusive?