AZ-104 Study Guide: Backup Policies, Networking & DNS
1. Azure VM Backup Policy Settings
All six settings are configurable when creating a VM backup policy:[learn.microsoft]
- Frequency: how often backups run (daily or weekly)
- Time: what time of day the backup job runs
- Daily Retention: how many days to keep daily backups (only offered when Frequency is Daily; a weekly schedule starts at the weekly tier)
- Weekly Retention: how many weeks to keep weekly backups
- Monthly Retention: how many months to keep monthly backups
- Yearly Retention: how many years to keep yearly backups
Exam tip: “Select all that apply” + backup policy settings = all of the above.
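The same six settings expressed with the Az.RecoveryServices PowerShell module, as an added example that is not part of the original guide. The resource group, vault and policy names are placeholders, and the retention counts are arbitrary values chosen for illustration:

```powershell
# Added example: build a VM backup policy from the six settings above.
# 'rg-backup', 'rsv-prod' and 'vm-daily-30d' are placeholder names.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-backup' -Name 'rsv-prod'

# Frequency + Time: one daily run at 02:00 UTC (run times must sit on a 30-minute boundary).
$schPol = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM `
    -ScheduleRunFrequency Daily -VaultId $vault.ID
$schPol.ScheduleRunTimes.Clear()
$schPol.ScheduleRunTimes.Add([datetime]::new(2024, 1, 1, 2, 0, 0, [System.DateTimeKind]::Utc))

# Daily / Weekly / Monthly / Yearly retention. The daily tier is only valid because the
# frequency above is Daily; with a Weekly frequency the daily tier is not available.
$retPol = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM -VaultId $vault.ID
$retPol.IsDailyScheduleEnabled = $true
$retPol.DailySchedule.DurationCountInDays = 30
$retPol.IsWeeklyScheduleEnabled = $true
$retPol.WeeklySchedule.DurationCountInWeeks = 12      # default retention day is Sunday
$retPol.IsMonthlyScheduleEnabled = $true
$retPol.MonthlySchedule.DurationCountInMonths = 12
$retPol.IsYearlyScheduleEnabled = $true
$retPol.YearlySchedule.DurationCountInYears = 7

New-AzRecoveryServicesBackupProtectionPolicy -Name 'vm-daily-30d' -WorkloadType AzureVM `
    -SchedulePolicy $schPol -RetentionPolicy $retPol -VaultId $vault.ID

# Read the policy back and confirm every retention tier landed as intended.
Get-AzRecoveryServicesBackupProtectionPolicy -Name 'vm-daily-30d' -VaultId $vault.ID |
    Select-Object -ExpandProperty RetentionPolicy
```

Soft delete and immutability are vault-level settings, not policy settings; check them separately when reviewing a backup configuration.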
2. VNet Peering with Gateway Transit
This is one of the most complex networking scenarios on AZ-104.[learn.microsoft]
The rule: Allow gateway transit is set on the VNet that owns the VPN gateway. Use remote gateways is set on the VNet that wants to borrow it.
| VNet | Has VPN Gateway? | Setting to enable |
|---|---|---|
| Payments | Yes | Allow Gateway Transit |
| Finance | No | Use Remote Gateways |
Both VNets also need Allow Forwarded Traffic enabled, which accepts traffic across the peering that did not originate inside the peered VNet (traffic forwarded by an NVA, for example). VNet peering must be configured in both directions: Finance to Payments and Payments to Finance. A peering created on only one side stays in the Initiated state; both sides must show Connected before traffic flows.[learn.microsoft]
Exam tip: VNet with gateway = Allow Gateway Transit. VNet without gateway = Use Remote Gateways.
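Both directions of the Payments/Finance peering with the Az.Network module, as an added example rather than code from the guide. The resource group name is a placeholder, and the example assumes the Payments VNet already has its VPN gateway deployed:

```powershell
# Added example: hub/spoke peering with gateway transit.
# 'rg-net', 'Payments' and 'Finance' are placeholder names; Payments already owns a VPN gateway.
$payments = Get-AzVirtualNetwork -ResourceGroupName 'rg-net' -Name 'Payments'
$finance  = Get-AzVirtualNetwork -ResourceGroupName 'rg-net' -Name 'Finance'

# Direction 1, on the VNet that owns the gateway: offer it to the peer.
Add-AzVirtualNetworkPeering -Name 'Payments-to-Finance' -VirtualNetwork $payments `
    -RemoteVirtualNetworkId $finance.Id -AllowGatewayTransit -AllowForwardedTraffic | Out-Null

# Direction 2, on the VNet without a gateway: borrow the remote one.
# This call is rejected if Finance has its own gateway or if the Payments gateway does not exist yet,
# and a VNet can borrow at most one remote gateway.
Add-AzVirtualNetworkPeering -Name 'Finance-to-Payments' -VirtualNetwork $finance `
    -RemoteVirtualNetworkId $payments.Id -UseRemoteGateways -AllowForwardedTraffic | Out-Null

# Check: a one-sided peering stays 'Initiated'; both must report 'Connected'
# and the transit/remote-gateway flags must be on opposite sides.
foreach ($vnetName in 'Payments', 'Finance') {
    Get-AzVirtualNetworkPeering -ResourceGroupName 'rg-net' -VirtualNetworkName $vnetName |
        Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways, AllowForwardedTraffic
}
```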
3. Connecting Two VNets โ Right Tool for the Job
| Solution | What it does | Right for VNet-to-VNet? |
|---|---|---|
| VNet Peering | Directly links VNets over the Azure backbone | Yes |
| User Defined Routing (UDR) | Custom route table; needs peering (or a gateway) in place first | No (alone) |
| NSG Rules | Allow/block traffic; does not create connections | No |
VNet peering uses Microsoft's backbone network: no public internet, low latency, high throughput. The two address spaces must not overlap, and peering is not transitive (A-B plus B-C does not give A-C). NSGs should still be reviewed so they do not block peered traffic; the VirtualNetwork service tag used by the default rules already covers peered address space, but a custom deny rule can override it.[learn.microsoft]
4. Route-Based vs. Policy-Based VPN
When you need multiple connections or point-to-site VPN support:[learn.microsoft]
| VPN Type | Site-to-Site tunnels | Point-to-Site | Multiple connections |
|---|---|---|---|
| Route-Based | Multiple | Yes | Yes |
| Policy-Based | 1 max | No | No |
Exam tip: Remote users + VPN + multiple connections = Route-Based VPN. Policy-Based is legacy and limited (Basic SKU only, IKEv1, a single tunnel, no P2S); Route-Based is the default for new gateways.
5. Service Endpoints vs. Other Network Tools
To route traffic from a VNet to Azure Key Vault (or another supported Azure PaaS service) without going over the public internet:[learn.microsoft]
| Option | Purpose | Secures PaaS traffic? |
|---|---|---|
| Service Endpoint | Routes PaaS traffic over the Azure backbone | Yes |
| DDoS Protection | Mitigates volumetric network attacks | No |
| Firewall | Stateful traffic filtering for VNet resources | Not directly |
| DNS Servers | Name resolution only | No |
Service Endpoints extend your VNet identity to the Azure service: traffic stays on the Azure backbone, and the service's own firewall can then be scoped to that VNet and subnet. The endpoint by itself only changes routing; until the service firewall's default action is set to Deny with the subnet allowed, the service still accepts traffic from anywhere. The service also keeps its public IP. If you need a private IP inside the VNet instead, that is a Private Endpoint (Private Link), not a service endpoint.[learn.microsoft]
Exam tip: "Traffic to Azure service should not traverse the internet" = Service Endpoint.
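A service endpoint for Key Vault together with the vault firewall change that actually restricts access, as an added example (not from the guide). Resource group, VNet, subnet and vault names are placeholders:

```powershell
# Added example: Key Vault reachable only from one subnet via a service endpoint.
# 'rg-net', 'app-vnet', 'app-subnet' and 'kv-app' are placeholder names.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName 'rg-net' -Name 'app-vnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet'

# 1. Enable the Microsoft.KeyVault endpoint on the subnet. This only changes routing.
#    If the subnet already has an NSG or route table, pass them again with
#    -NetworkSecurityGroup / -RouteTable so the subnet rewrite keeps them.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet' `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.KeyVault' | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet'

# 2. Allow that subnet on the vault. Key Vault rejects the rule unless step 1 is in place.
Add-AzKeyVaultNetworkRule -VaultName 'kv-app' -VirtualNetworkResourceId $subnet.Id

# 3. Without this, the endpoint is cosmetic: the vault still answers the whole internet.
#    -Bypass None also shuts out "trusted Azure services"; use AzureServices if you rely on them.
Update-AzKeyVaultNetworkRuleSet -VaultName 'kv-app' -DefaultAction Deny -Bypass None

# Verify: DefaultAction Deny and exactly the intended VirtualNetworkResourceIds.
(Get-AzKeyVault -VaultName 'kv-app').NetworkAcls
```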
6. Forcing Traffic Through a Central Point โ Route Tables
To direct all outbound VM traffic through a virtual appliance (e.g., a firewall NVA):[learn.microsoft]
- Route Table (UDR) [correct]: creates a custom route (for example 0.0.0.0/0 with next hop type Virtual appliance) that forces traffic to a specific next hop, the virtual appliance
- WAF [wrong]: only handles HTTP/HTTPS, not RDP/SSH or custom ports
- Azure DNS [wrong]: name resolution only
- Second NSG [wrong]: can filter traffic but cannot redirect it to another appliance
Two things the route alone does not do: the NVA's NIC must have IP forwarding enabled or Azure drops the forwarded packets, and the route table must not be associated with the NVA's own subnet or its egress is sent back to itself.
Exam tip: "Force all traffic through a central point" = Route Table with User Defined Route.
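The default route to an NVA, its subnet association, the IP-forwarding flag and the effective-route check, as an added example rather than code from the guide. Names, the region and the NVA address 10.0.1.4 are placeholders:

```powershell
# Added example: send 0.0.0.0/0 from 'app-subnet' through an NVA at 10.0.1.4.
# 'rg-net', 'app-vnet', 'app-subnet', 'nva-nic', 'app-vm-nic', the region and the IP are placeholders.
$rt = New-AzRouteTable -ResourceGroupName 'rg-net' -Name 'rt-via-nva' -Location 'eastus'
Add-AzRouteConfig -RouteTable $rt -Name 'default-to-nva' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress '10.0.1.4' | Out-Null
Set-AzRouteTable -RouteTable $rt | Out-Null

# Associate it with the workload subnet only; attaching it to the NVA's own subnet creates a loop.
# If the subnet already carries an NSG, pass it again with -NetworkSecurityGroup to keep it.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName 'rg-net' -Name 'app-vnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet' `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Azure drops packets the NVA forwards unless its NIC allows forwarding
# (the guest OS must be configured to forward as well).
$nic = Get-AzNetworkInterface -ResourceGroupName 'rg-net' -Name 'nva-nic'
$nic.EnableIPForwarding = $true
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Effective routes on a workload VM's NIC: the UDR entry should now win over the system default route.
Get-AzEffectiveRouteTable -ResourceGroupName 'rg-net' -NetworkInterfaceName 'app-vm-nic' |
    Where-Object AddressPrefix -Contains '0.0.0.0/0'
```

Get-AzEffectiveRouteTable needs the VM to be running; it reports what the platform actually programmed, which is the check to run after any UDR change.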
7. Custom Domain DNS Records at Registrar
Two record types are supported when verifying a custom domain in Microsoft Entra ID (Azure AD); the record is created at the registrar or DNS host that serves the domain's public zone:[learn.microsoft]
| Record type | Required fields |
|---|---|
| TXT Record | Type + Alias (@) + Destination (the MS verification code shown in the portal) + TTL |
| MX Record | Type + Alias (@) + Destination (the MS verification code shown in the portal) + TTL + Priority |
MX records need an extra Priority field that TXT records don't require. Both are valid verification methods; TXT is the usual choice, and the MX option exists for registrars that cannot host TXT records.
Exam tip: MX record has one extra field: Priority.
8. Azure DNS Alias Record Sets
Three record types support alias record sets in Azure DNS:[learn.microsoft]
- A Record: maps a hostname to IPv4 (alias target: a public IP resource, or an A record set in the same zone)
- AAAA Record: maps a hostname to IPv6 (alias target: an IPv6 public IP resource, or an AAAA record set in the same zone)
- CNAME Record: maps a hostname to another hostname (alias target: a Traffic Manager profile, CDN endpoint or Front Door, or a CNAME record set in the same zone)
An alias record set points at an Azure resource ID instead of a literal value: it follows the resource if its address changes, and it becomes empty rather than dangling if the resource is deleted, which removes the classic subdomain-takeover window. Because an A alias can target Traffic Manager, Front Door or CDN directly, it also solves the zone-apex case where a CNAME is not allowed.
Exam tip: "Which records support alias sets?" = A, AAAA, and CNAME: all three.
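Two alias record sets (a hostname following a public IP, and the zone apex following a Traffic Manager profile), as an added example that is not from the guide. Zone, resource group and resource names are placeholders:

```powershell
# Added example: alias A records in a public Azure DNS zone.
# 'rg-dns', 'contoso.com', 'rg-net', 'web-pip' and 'tm-web' are placeholders.
$pip = Get-AzPublicIpAddress -ResourceGroupName 'rg-net' -Name 'web-pip'

# www follows the public IP resource; no literal address is stored.
New-AzDnsRecordSet -ResourceGroupName 'rg-dns' -ZoneName 'contoso.com' -Name 'www' `
    -RecordType A -Ttl 300 -TargetResourceId $pip.Id | Out-Null

# Zone apex: a CNAME is not allowed at '@', but an alias A record can target Traffic Manager.
$tm = Get-AzTrafficManagerProfile -ResourceGroupName 'rg-net' -Name 'tm-web'
New-AzDnsRecordSet -ResourceGroupName 'rg-dns' -ZoneName 'contoso.com' -Name '@' `
    -RecordType A -Ttl 300 -TargetResourceId $tm.Id | Out-Null

# Check: an alias set shows TargetResourceId and no literal Records. Delete 'web-pip'
# and the 'www' set empties instead of pointing at an address someone else can claim.
Get-AzDnsRecordSet -ResourceGroupName 'rg-dns' -ZoneName 'contoso.com' -Name 'www' -RecordType A |
    Select-Object Name, RecordType, TargetResourceId, Records
```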
9. Azure Private DNS Benefits
Azure DNS for private domains provides all of the following:[learn.microsoft]
- No custom DNS solutions needed: manage DNS zones natively in Azure
- All common record types: A, AAAA, CNAME, MX, PTR, SRV, TXT (plus the zone's SOA)
- Split-horizon DNS: the same zone name resolves differently inside a linked VNet than on the public internet
- Cross-VNet hostname resolution: one zone linked to several VNets simplifies peered-network and service discovery; auto-registration adds VM records from the VNet whose link has registration enabled
One caveat with split horizon: a linked private zone is authoritative for its name inside the VNet, so public records under the same name that are not copied into the private zone will not resolve from those VNets.
Exam tip: Private DNS benefits question = all of the above.
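A private zone linked to two VNets, one with auto-registration and one resolution-only, plus a manually added record, as an added example rather than the guide's own code. Names and the 10.0.2.10 address are placeholders; the zone name deliberately matches a public zone to show the split-horizon case:

```powershell
# Added example: one private zone, two VNets, auto-registration on one of them.
# 'rg-dns', 'rg-net', 'Payments', 'Finance', 'contoso.com' and 10.0.2.10 are placeholders.
$payments = Get-AzVirtualNetwork -ResourceGroupName 'rg-net' -Name 'Payments'
$finance  = Get-AzVirtualNetwork -ResourceGroupName 'rg-net' -Name 'Finance'

New-AzPrivateDnsZone -ResourceGroupName 'rg-dns' -Name 'contoso.com' | Out-Null

# Registration link: VMs in Payments get A records automatically.
# A VNet can have a registration link to only one private zone.
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName 'rg-dns' -ZoneName 'contoso.com' `
    -Name 'link-payments' -VirtualNetworkId $payments.Id -EnableRegistration | Out-Null

# Resolution-only link: Finance resolves the same names without registering into the zone.
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName 'rg-dns' -ZoneName 'contoso.com' `
    -Name 'link-finance' -VirtualNetworkId $finance.Id | Out-Null

# Manual record for something that is not a VM. Inside the linked VNets 'api.contoso.com'
# resolves to this private IP even if a public contoso.com zone publishes something else.
# Any public contoso.com name NOT copied in here stops resolving from these VNets.
New-AzPrivateDnsRecordSet -ResourceGroupName 'rg-dns' -ZoneName 'contoso.com' -Name 'api' `
    -RecordType A -Ttl 300 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address '10.0.2.10') | Out-Null

# Check link state and which VNet is allowed to register.
Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName 'rg-dns' -ZoneName 'contoso.com' |
    Select-Object Name, RegistrationEnabled, VirtualNetworkLinkState
```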
10. NSG: NIC Only or Also Subnets?
True or False: NSGs can only be linked to a VM's NIC.
Answer: False[learn.microsoft]
NSGs can be associated with:
- Network Interface Cards (NIC): applies rules to a specific VM
- Subnets: applies rules to all resources within that subnet
Linking an NSG to a subnet is more efficient when you want to apply the same rules to every resource in that subnet without configuring each NIC individually. When a NIC has its own NSG and its subnet has one too, both are evaluated: inbound traffic is checked by the subnet NSG first and then the NIC NSG, and must be allowed by both; outbound traffic is checked in the reverse order.
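A subnet-level NSG association followed by the effective-rule check on a NIC, as an added example (not code from the guide). Names and the region are placeholders:

```powershell
# Added example: one NSG on the subnet, then the merged view a NIC actually enforces.
# 'rg-net', 'app-vnet', 'app-subnet', 'nsg-app', 'app-vm-nic' and the region are placeholders.
$rule = New-AzNetworkSecurityRuleConfig -Name 'allow-https-in' -Priority 100 -Direction Inbound `
    -Access Allow -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName 'rg-net' -Name 'nsg-app' -Location 'eastus' `
    -SecurityRules $rule

# Subnet association: every NIC in app-subnet inherits these rules without per-NIC work.
# If the subnet already has a route table, pass it again with -RouteTable to keep it.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName 'rg-net' -Name 'app-vnet'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# If the NIC also carries its own NSG, inbound traffic must pass the subnet NSG and then
# the NIC NSG. The effective view merges both, so it shows what is really allowed.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName 'rg-net' -NetworkInterfaceName 'app-vm-nic'
```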
Quick Recall Cheat Sheet
| Scenario | Answer |
|---|---|
| All configurable backup policy settings | Frequency, Time, Daily, Weekly, Monthly, Yearly |
| VNet with VPN gateway in peering | Allow Gateway Transit |
| VNet borrowing a remote gateway | Use Remote Gateways |
| Connect two VNets for app communication | VNet Peering |
| VPN with P2S + multiple connections | Route-Based VPN |
| Send traffic to Key Vault off public internet | Service Endpoint |
| Force all VM traffic through central point | Route Table (UDR) |
| TXT vs MX domain verification difference | MX needs Priority field |
| DNS alias record types supported | A, AAAA, CNAME |
| NSG can attach to subnet? | True: NIC and subnet both supported |
