🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-104 Domain 3
Domain 3 — Module 7 of 7 100%
18 of 27 overall

AZ-104 Study Guide

Domain 1: Manage Azure Identities and Governance

  • Microsoft Entra ID: Your Identity Foundation Free
  • Users, Groups & Licenses Free
  • RBAC: Who Can Do What in Azure Free
  • Subscriptions, Resource Groups & Management Groups Free
  • Azure Policy & Resource Locks Free
  • Tags, Cost Management & Azure Advisor Free

Domain 2: Implement and Manage Storage

  • Storage Accounts & Redundancy
  • Securing Storage: Keys, SAS & Firewalls
  • Blob Containers & Storage Tiers
  • Blob Lifecycle, Versioning & Soft Delete
  • Azure Files: Shares, Snapshots & Recovery

Domain 3: Deploy and Manage Azure Compute Resources

  • ARM Templates & Bicep: Infrastructure as Code
  • Virtual Machines: Create & Configure Free
  • VM Disks, Encryption & Migration
  • Availability Sets, Zones & Scale Sets
  • Containers: ACR, ACI & Container Apps
  • App Service Plans & Scaling
  • App Service: Slots, Certificates & Networking

Domain 4: Implement and Manage Virtual Networking

  • Virtual Networks & Subnets
  • VNet Peering & User-Defined Routes
  • NSGs & Application Security Groups
  • Azure Bastion, Service & Private Endpoints
  • Azure DNS & Load Balancers

Domain 5: Monitor and Maintain Azure Resources

  • Azure Monitor: Metrics & Logs
  • Alerts, Insights & Network Watcher
  • Azure Backup & Vaults
  • Azure Site Recovery & Disaster Recovery

AZ-104 Study Guide

Domain 1: Manage Azure Identities and Governance

  • Microsoft Entra ID: Your Identity Foundation Free
  • Users, Groups & Licenses Free
  • RBAC: Who Can Do What in Azure Free
  • Subscriptions, Resource Groups & Management Groups Free
  • Azure Policy & Resource Locks Free
  • Tags, Cost Management & Azure Advisor Free

Domain 2: Implement and Manage Storage

  • Storage Accounts & Redundancy
  • Securing Storage: Keys, SAS & Firewalls
  • Blob Containers & Storage Tiers
  • Blob Lifecycle, Versioning & Soft Delete
  • Azure Files: Shares, Snapshots & Recovery

Domain 3: Deploy and Manage Azure Compute Resources

  • ARM Templates & Bicep: Infrastructure as Code
  • Virtual Machines: Create & Configure Free
  • VM Disks, Encryption & Migration
  • Availability Sets, Zones & Scale Sets
  • Containers: ACR, ACI & Container Apps
  • App Service Plans & Scaling
  • App Service: Slots, Certificates & Networking

Domain 4: Implement and Manage Virtual Networking

  • Virtual Networks & Subnets
  • VNet Peering & User-Defined Routes
  • NSGs & Application Security Groups
  • Azure Bastion, Service & Private Endpoints
  • Azure DNS & Load Balancers

Domain 5: Monitor and Maintain Azure Resources

  • Azure Monitor: Metrics & Logs
  • Alerts, Insights & Network Watcher
  • Azure Backup & Vaults
  • Azure Site Recovery & Disaster Recovery
Domain 3: Deploy and Manage Azure Compute Resources Premium ⏱ ~13 min read

App Service: Slots, Certificates & Networking

Deployment slots let you test changes before going live. Custom domains and TLS certificates secure your app. Network settings control how it connects. Master the advanced App Service features every Azure admin needs.

Deployment slots

☕ Simple explanation

Deployment slots are like having a staging area next to your production line.

Instead of deploying code directly to your live website (risky!), you deploy to a “staging” slot first. Test it. If it works, you swap the staging slot with production — instant, zero-downtime switch. If something breaks, swap back in seconds.

Each slot has its own URL (e.g., myapp-staging.azurewebsites.net) and can have different configuration settings.

Deployment slots are live app instances within the same App Service plan. Each slot has its own hostname, configuration, and deployment target. The swap operation exchanges the content and configuration between two slots, enabling zero-downtime deployments.

During a swap, Azure warms up the target slot by sending requests to it before routing traffic. Slot-specific settings (connection strings, app settings marked as “slot setting”) can be configured to stay with the slot rather than swapping with the content.

Slot settings

Some settings should swap with the code (same config in staging and production). Others should stay with the slot (different database connection strings per environment).

Setting TypeSwaps with Content?Example
App settings (default)YesAPI keys, feature flags
App settings (marked “slot”)No — stays with slotConnection strings, environment-specific URLs
Connection stringsConfigurableDatabase connection per environment
Handler mappingsYesScript processor mappings
Custom domain bindingsNo — stays with slotDomain names stay with production

Custom domains and TLS certificates

Mapping a custom domain:

  1. Create a CNAME or A record in your DNS pointing to the App Service
  2. Add the custom domain in App Service → Custom domains
  3. Azure validates ownership (via CNAME or TXT record verification)

TLS/SSL certificates:

  • Free App Service Managed Certificate — auto-renewed, covers the custom domain (Basic tier or higher)
  • App Service Certificate — purchased through Azure, stored in Key Vault
  • Bring your own certificate — upload a PFX/PEM file

Enforce HTTPS: App Service → TLS/SSL settings → HTTPS Only = On (redirects HTTP to HTTPS)

💡 Exam tip: Domain verification methods

The exam tests how domain ownership is verified. For a CNAME record, point your subdomain (www) to yourapp.azurewebsites.net. For a root domain (no www), create an A record pointing to the App Service IP AND a TXT record for verification. A TXT record with asuid.yourdomain.com = the App Service’s custom domain verification ID is required.

App Service backup

App Service backup creates scheduled backups of your app’s content, configuration, and connected databases.

Requirements:

  • Standard tier or higher (not available on Free or Basic)
  • An Azure Storage account and container to store backups
  • Maximum 10 GB combined (app + database)

What’s backed up: App configuration, file content, connected databases (SQL Database, MySQL, PostgreSQL)

Backup types:

  • Scheduled — automatic, on a schedule you define
  • Manual — on-demand backup at any time
App Service TLS certificate options
Certificate OptionCostBest For
Free Managed CertificateFree (Basic tier or higher)Most custom domains — auto-renewed, zero maintenance
App Service CertificatePaid (purchased via Azure)When you need wildcard certs or want Azure Key Vault integration
Bring Your Own CertificateYour cost (external CA)When you have existing certs from a third-party CA

Networking settings

FeatureWhat It DoesTier Required
VNet IntegrationApp can access resources in a VNet (databases, VMs)Standard+
Hybrid ConnectionsAccess on-prem resources without VPNStandard+
Private EndpointsApp receives a private IP in a VNetStandard+
Access RestrictionsAllow/deny traffic by IP or VNetAll tiers
Service EndpointsRestrict access to app from specific VNetsAll tiers
Real-world: Meridian Financial's App Service setup

Meridian Financial’s customer portal uses:

  • Deployment slots: Staging + Production, with slot-specific database connection strings
  • Custom domain: portal.meridianfinancial.com with a managed TLS certificate
  • HTTPS Only: Enabled (HTTP redirects to HTTPS)
  • VNet Integration: App connects to their backend SQL database via private VNet
  • Private Endpoint: The app itself is only accessible via their corporate VNet
  • Backup: Daily backups to a storage account, retained for 30 days
Question

What happens during a deployment slot swap?

Click or press Enter to reveal answer

Answer

Azure warms up the target slot (sends requests to it), then swaps the routing rules so traffic goes to the new content instantly. Configuration marked as 'slot setting' stays with the slot; everything else swaps. The result is zero-downtime deployment.

Click to flip back
Question

What App Service plan tier is required for deployment slots and backups?

Click or press Enter to reveal answer

Answer

Standard tier (S1) or higher. Free and Basic tiers do not support deployment slots or scheduled backups. Standard provides 5 slots; Premium and Isolated provide 20 slots.

Click to flip back
Question

How do you enforce HTTPS on an Azure App Service?

Click or press Enter to reveal answer

Answer

Go to App Service → TLS/SSL settings → set HTTPS Only to On. This redirects all HTTP requests to HTTPS automatically. You should also ensure a valid TLS certificate is bound to the custom domain.

Click to flip back

Knowledge check

Knowledge Check

Alex deploys a new version of TechCorp's web app to the staging slot. After testing, he swaps staging with production. The staging slot has a different database connection string (marked as a 'slot setting'). What happens to the connection string after the swap?
Knowledge Check

CloudFirst Labs wants their App Service to access a SQL database deployed in a private VNet. The database has no public endpoint. What App Service feature should they configure?

🎬 Video coming soon

← Previous

App Service Plans & Scaling

Next →

Virtual Networks & Subnets

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.