Flash sale is here! Get Extra 25% off on ALL COURSES! Use coupon code FLASH25. Ends today.
Domain 04 · 15–20% of Exam

Implement and Manage Virtual Networking

VNets, NSGs, load balancers, DNS, peering, and private endpoints

15–20%Exam Weight
12Sub-topics
HighPriority
Practice Tests →
📌

The networking domain covers virtual network design, connectivity patterns, traffic routing, security groups, and DNS. Networking questions are often scenario-heavy. The table below maps every official sub-domain to the type of question you will face in the exam.

What the Exam Tests
Sub-domain / TopicWhat kind of question to expect
Create and configure virtual networks and subnets
  • Questions test your ability to identify what must be configured before a VM can receive an IP address from a specific range, requiring you to understand the relationship between address spaces, subnets, and IP allocation. Questions also test the regional constraints that apply when creating network resources such as NICs — you need to know which existing resources determine the valid region for a new resource.
  • Questions test which virtual networks in a given subscription are valid deployment targets for a named Azure network resource — given VNets across different regions and resource groups, you need to identify which VNets are eligible based on the resource's region and resource group constraints.
Create and configure virtual network peering
  • Questions test which virtual networks can be peered together and which VNets a given VNet can route packets to — you need to understand peering constraints across subscription and tenant boundaries, and know that VNet peering is not transitive by default.
  • Questions also test what must be done before peering is possible when two VNets have overlapping address spaces — you need to know which configuration must be modified first and what action resolves the conflict.
  • Questions present a table of VNets with different address spaces and ask you to identify which can be peered with a given VNet — address space overlap is the key eligibility constraint to evaluate.
  • Questions test how to fix a disconnected peering status — given a peering shown as Disconnected, you need to identify the required remediation action before the connection can be re-established.
  • Questions test what must be provisioned before two VNets in different Entra tenants can be connected — peering across tenants requires additional prerequisites that differ from same-tenant peering.
  • Questions test the prerequisite for enabling cross-VNet DNS resolution — when VMs across different VNets need to use a custom DNS server hosted in one VNet, you need to know which network configuration must be in place first.
Configure public IP addresses
  • Questions test which Azure resource types support direct public IP address association. You are given a mixed list of resource types and asked to identify which ones are valid targets for a public IP — not all resource types can have a public IP directly attached.
  • Questions test which existing public IP addresses meet the requirements for a specific Azure service — given a table of IPs with different SKUs, tiers, IP versions, and assignment methods, you need to identify which IPs are compatible with the target service's requirements (such as Azure Firewall requiring a Standard SKU, static allocation, and IPv4).
Configure user-defined network routes
  • Questions test your understanding of when and how to use custom route tables, including which next hop type applies in different scenarios. You also need to know how on-premises traffic can reach resources on a peered VNet via an existing VPN gateway, and which routing approach achieves this while minimising cost.
  • Questions present a full route table configuration scenario — given a requirement to route VPN gateway inbound traffic through a virtual appliance, you need to correctly identify the address prefix (the VNet's full address space), the next hop type, and which subnet the route table must be assigned to in order for the route to take effect.
  • Questions test which resource types a route table can be associated with — given a virtual network, its subnet, and a NIC in the same region, you need to know which resource type is the valid association target for a route table.
Troubleshoot network connectivity
  • Questions test which Network Watcher diagnostic tools to use for a given connectivity problem — given a scenario where a VM cannot connect to another VM on a specific port across a peered VNet topology, you need to identify which two tools from a list can diagnose the issue. You need to know the purpose of each tool and which scenarios each one addresses.
  • Questions test the distinction between specific Network Watcher features — IP flow verify identifies which security rule is blocking a packet from reaching a VM; Connection troubleshoot validates outbound connectivity from a VM to an external endpoint. You need to match the stated diagnostic task to the correct tool.
Create and configure network security groups (NSGs) and application security groups
  • Questions test how to configure NSG outbound rules to allow VM traffic to reach an Azure PaaS service while following least privilege and minimising administrative effort — you need to know which destination type to use and how the available options differ in scope and manageability.
  • Questions also test which destination type to use in an NSG rule when you need to block access to a specific Azure service (such as the Azure portal) while still allowing traffic to other internet destinations — you need to know which destination type precisely targets a named Microsoft service.
  • Questions test which VMs an NSG's rules apply to when the NSG is associated at the subnet level — you need to understand that only VMs with a NIC in that specific subnet are covered, not all VMs in the broader virtual network.
  • Questions test which subnets an NSG can be applied to — given NSGs and VNets in different Azure regions and resource groups, you need to know that an NSG can only be associated with subnets in the same region as the NSG.
  • Questions test whether an NSG on a subnet controls inbound traffic to an App Service web app — a subnet-level NSG controls traffic only when the app is deployed into that subnet (App Service Environment / Isolated tier); it does not control inbound internet traffic to a web app that merely uses that subnet for outbound VNet integration.
  • Questions present a VNet with multiple subnets with different traffic requirements and ask for the minimum number of NSGs needed — since NSGs can be associated at the subnet level and different subnets may have identical requirements, you need to determine the minimum count that enforces all stated rules, potentially by sharing one NSG across subnets with the same requirements.
Evaluate effective security rules in NSGs
  • Questions test how NSG association scope affects which VMs are covered by a rule — given a scenario where an outbound rule should apply to multiple VMs, you need to identify whether the NSG should be associated with the subnet or with individual NICs.
  • Questions also present a scenario with both subnet-level and NIC-level NSGs and ask whether specific connectivity (such as inbound RDP from the internet or between VMs) is permitted — you need to evaluate the combined effect of default rules and any custom rules at both levels to determine the actual outcome.
  • Questions present a set of effective inbound rules with explicit allow and deny entries across different port ranges, and ask what internet users can connect to — you need to trace each relevant port through the priority-ordered rules and determine which ports are blocked, which are allowed, and from which source.
  • Questions test what happens when a specific rule is added or removed from an NSG — you need to recalculate the effective access outcome given the modified rule set, including the interaction between custom rules and default allow/deny rules.
Implement Azure Bastion
  • Questions test the scope of a Bastion deployment — which VMs can be reached based on VNet peering configuration.
  • Questions test the IP address requirements for Bastion (SKU, assignment type, IP version) and the sequence of steps needed to enable native client RDP access.
  • Questions also test which NSG inbound port must be open on the AzureBastionSubnet to allow internet traffic to reach the Bastion host.
  • Questions test which resource types Azure Bastion can protect — given a mixed environment with virtual machines, web apps, and domain services resources all connected to the same VNet, you need to identify which specific resource types are eligible for Bastion-based access.
  • Questions present a multi-requirement Bastion scenario (host scaling, file transfer, coverage across peered VNets) and ask you to determine the correct Public IP SKU and the minimum AzureBastionSubnet size — these requirements constrain which SKU tier and subnet prefix are valid.
  • Questions test Bastion connectivity scope in a peered VNet topology — given a Bastion deployed on VNet1, VMs on VNet2 (directly peered with VNet1) are reachable via Bastion, but VMs on VNet3 (only peered with VNet2, not VNet1) are not reachable. Bastion reach follows only one hop of direct peering.
  • Questions test which Bastion features require a specific SKU — native client access (using mstsc.exe or SSH client) requires the Standard SKU; the Basic SKU only supports browser-based access through the Azure portal.
Configure private endpoints for Azure PaaS
  • Questions test which configuration is required to ensure that traffic between Azure resources does not traverse the public internet. Given a scenario with resources in different regions, you need to identify the correct feature to configure on the storage or PaaS resource to enable private connectivity.
Configure service endpoints for Azure PaaS
  • Questions test service endpoint policy eligibility — given a policy created in a specific region, you need to determine which subnets it can be applied to, based on the region of the virtual network the subnet belongs to and whether the subnet has the required service endpoint configured.
  • Questions also test how service endpoint policies control which storage accounts can be accessed from a given subnet — you need to determine whether a VM on a specific subnet can reach a particular storage account based on the policy's scope and the subnet's service endpoint configuration.
  • Questions test whether a service endpoint policy applies to a specific service type (such as Microsoft Entra ID) — not all Azure services use private IP routing via service endpoints, and knowing which services do is essential for determining whether a VM's traffic uses its private IP.
  • Questions test how many service endpoints are needed to meet a set of connectivity requirements — VNet peering does not require a service endpoint, and multiple storage accounts of the same service type share a single endpoint; Microsoft Entra ID traffic requires its own service endpoint type. You need to calculate the minimum number of endpoints needed.
Configure Azure DNS
  • Questions test how private DNS zone auto-registration works — which VMs get records registered, which IP address type is recorded, and whether a VM on a non-linked VNet can resolve records in the zone.
  • Questions test what must be done at the domain registrar to make a public Azure DNS zone resolvable from the internet — you need to know which record type at the registrar must be updated, distinguishing this from actions taken within Azure.
  • Questions also test DNS resolution precedence — when both a NIC-level DNS server and a VNet-level DNS server are configured, you need to know which setting takes priority for each VM, and what a VM uses when no NIC-level DNS is set.
  • Questions test how to ensure AD DS DNS name resolution when migrating a domain controller to Azure — you need to know whether the VNet should use a custom DNS server or Azure-provided DNS, and how to configure the DC's IP address correctly within the target subnet's address range.
  • Questions present a complex scenario with multiple peered VNets, some linked to a private DNS zone and others using a custom DNS server — you need to determine what IP address a specific VM resolves for a given name based on whether its VNet is linked to the private zone (uses zone records) or uses a custom DNS server (uses that server's records), and whether VMs on VNets without a direct link can resolve records at all.
Configure an internal or public load balancer
  • Questions test which Azure service to choose for load distribution in a given scenario — you need to understand the difference between services that operate at the network layer versus those that work at the application layer, and which is appropriate for internal east-west traffic versus internet-facing traffic.
  • Questions present multi-tier application scenarios and ask which load distribution resource to use for a specific requirement — such as distributing traffic equally across internal VMs, or protecting web servers from application-layer attacks like SQL injection.
  • Questions also test advanced internal load balancer configuration for network virtual appliances — given a requirement for active-active NVA deployment with automatic failover and traffic to multiple backend services, you need to know which load balancer SKU, rule settings (HA Ports, Floating IP), and backend pool configuration to use.
  • Questions test the SKU compatibility rules for adding VMs to a load balancer's backend pool — given VMs with different public IP SKUs and statuses, you need to determine which combination of changes (such as removing a mismatched IP or upgrading an IP SKU) allows all VMs to be added to a Standard load balancer backend pool.
  • Questions test how to route a specific protocol to a single VM in a load-balanced set — when the requirement is to direct one type of traffic exclusively to one backend VM rather than distributing it, you need to know which load balancer feature achieves this.
  • Questions test Basic SKU load balancer requirements — VMs must be in the same availability set or scale set to be added to a Basic LB backend pool, and health probe configuration determines whether traffic is distributed to each backend VM.
  • Questions also test what changes to a VM are required before it can receive traffic from a Standard public load balancer — you need to know the NSG requirement and what must be done with the VM's existing dynamic public IP address before the backend pool can be created.
  • Questions present a table of public IP addresses with different versions (IPv4 vs IPv6) and SKUs and ask which can be used with a Standard Load Balancer — Standard Load Balancer requires Standard SKU public IPs; IPv6 addresses are not supported as a frontend IP for a Standard public load balancer.
📝 Since now you know what the exam tests on the Networking domain, it's time to revise the concepts. The Domain 04 Revision Notes cover all 35 topics with exam-focused explanations.
Common Questions

AZ-104 Domain 04: Frequently Asked Questions

Common questions about what this domain tests, which sub-topics matter most, and how to approach exam questions on this topic.

What does AZ-104 Domain 04 cover?

Domain 4 covers VNets and subnets, VNet peering (including cross-subscription and cross-tenant), public IP addresses, user-defined routes, NSGs, Azure Bastion, private and service endpoints for PaaS connectivity, Azure DNS, and load balancers. It is weighted at 15–20%.

Why is Domain 04 considered the hardest in AZ-104?

Networking questions require multi-step reasoning — tracing a network path through peering, route tables, NSG rules, and firewall rules simultaneously. NSG rule priority evaluation, VNet peering transitivity constraints, and DNS resolution across linked and unlinked VNets are common error sources.

How is VNet peering tested on AZ-104?

VNet peering questions test cross-subscription and cross-tenant prerequisites, non-transitive peering (VNet A peered with B, B peered with C — A cannot reach C), overlapping address space constraints, the Disconnected status and how to resolve it, and DNS resolution behaviour for VNets linked to private DNS zones.

How are NSG rules tested on AZ-104?

NSG questions require evaluating effective rules given subnet-level and NIC-level NSGs on the same VM, tracing rule priority order to determine whether traffic is allowed or denied, and calculating the result of adding or removing a rule. Questions also test service tags for outbound PaaS access and NSG regional constraints.

How is Azure Bastion tested in AZ-104?

Bastion questions test SKU differences (Basic = browser only, Standard = native client), minimum subnet size (/26 for Standard), public IP requirements (Standard SKU, static, IPv4), NSG inbound port requirements for AzureBastionSubnet, and the one-hop peering limit.

How is Azure DNS tested in AZ-104?

DNS questions test private DNS zone auto-registration, registrar NS record updates for custom public domains, NIC-level DNS override behaviour, and multi-VNet resolution scenarios where VNets have different DNS configurations.

Discussions (0)

Share how you reason through topics on this page. You can also share your feedback on this guide.

0 / 200 words
No comments yet — be the first to start the thread.