Domain 3: Deploy and Manage Azure Compute Resources

VM Disks, Encryption & Migration

Azure VMs need disks for storage and encryption for security. Learn about managed disks, encryption options, and how to move VMs between resource groups, subscriptions, or regions.

Managed disks

☕ Simple explanation

Managed disks are the hard drives for your Azure VMs, but Microsoft manages the underlying storage for you.

On-prem, you'd install SSDs or HDDs in your server and configure RAID. In Azure, you choose a disk type and size, and Azure handles the rest: redundancy, performance guarantees, and physical hardware management. You pick from four tiers based on how fast you need the disk.

Azure Managed Disks are block-level storage volumes managed by Azure, used with Azure Virtual Machines. They abstract the underlying storage account management, provide built-in redundancy (three replicas), support snapshots and images, and integrate with RBAC and Azure Backup.

Disk types include Ultra Disks, Premium SSD v2, Premium SSD, Standard SSD, and Standard HDD, each with different performance and cost characteristics.

Azure Managed Disk types

| Disk Type | IOPS (max) | Best For |
|---|---|---|
| Ultra Disk | Up to 160,000 | IO-intensive: SAP HANA, top-tier databases |
| Premium SSD v2 | Up to 80,000 | Production workloads needing tuneable performance |
| Premium SSD | Up to 20,000 | Production VMs, enterprise applications |
| Standard SSD | Up to 6,000 | Web servers, dev/test, light workloads |
| Standard HDD | Up to 2,000 | Backups, non-critical data, infrequent access |

Key disk operations:

  • Add data disks: attach additional disks to a VM for data storage (OS disk has the OS; data disks hold your data)
  • Resize disks: increase disk size (can't decrease). May require VM deallocation
  • Change disk type: switch between Standard HDD, Standard SSD, and Premium SSD
  • Create snapshots: point-in-time copy of a disk for backup or cloning

Encryption options

All managed disks have server-side encryption (SSE) enabled by default using Microsoft-managed keys. But there are additional options:

| Encryption Type | What It Encrypts | Key Management | Enabled By Default? |
|---|---|---|---|
| Server-Side Encryption (SSE) | Data at rest on the disk | Microsoft-managed or customer-managed keys | Yes (Microsoft keys) |
| Encryption at Host | Data on the VM host, temp disk, and cache | Microsoft-managed or customer-managed keys | No (must enable) |
| Azure Disk Encryption (ADE) | OS and data volumes inside the VM | Keys in Azure Key Vault | No (must enable) |

💡 Exam tip: Encryption at Host vs Azure Disk Encryption

Encryption at Host ensures data is encrypted on the physical host machine BEFORE it reaches Azure Storage. This covers the temp disk and OS/data disk caches that standard SSE doesn't cover.

Azure Disk Encryption (ADE) uses BitLocker (Windows) or dm-crypt (Linux) inside the VM to encrypt the OS and data volumes. Keys are stored in Azure Key Vault.

The exam often asks which encryption method covers the temp disk. The answer is Encryption at Host or ADE, not standard SSE.
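A check for the temp-disk question above, as an added example that is not part of the original guide: it reads VM definitions in ARM REST JSON shape and reports which VMs rely on SSE alone. The sample VMs are constructed, and the function names are hypothetical; `securityProfile.encryptionAtHost` and the ADE extension publisher and type names are the ones Azure uses for these features.

```python
import json

# Constructed sample: three VM resources in ARM REST shape (not real deployments).
SAMPLE_VMS = json.loads("""
[
  {"name": "vm-app-01",
   "properties": {"securityProfile": {"encryptionAtHost": true}},
   "resources": []},
  {"name": "vm-db-01",
   "properties": {},
   "resources": [{"properties": {"publisher": "Microsoft.Azure.Security",
                                 "type": "AzureDiskEncryptionForLinux",
                                 "provisioningState": "Succeeded"}}]},
  {"name": "vm-old-01",
   "properties": {},
   "resources": [{"properties": {"publisher": "Microsoft.Azure.Security",
                                 "type": "AzureDiskEncryption",
                                 "provisioningState": "Failed"}}]},
  {"name": "vm-test-01", "properties": {}, "resources": []}
]
""")

ADE_PUBLISHER = "Microsoft.Azure.Security"
ADE_TYPES = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}


def encryption_layers(vm):
    """Return the encryption layers in effect for one VM definition."""
    layers = ["SSE"]  # server-side encryption is always on for managed disks
    props = vm.get("properties") or {}
    if (props.get("securityProfile") or {}).get("encryptionAtHost") is True:
        layers.append("EncryptionAtHost")
    for ext in vm.get("resources") or []:
        ep = ext.get("properties") or {}
        is_ade = ep.get("publisher") == ADE_PUBLISHER and ep.get("type") in ADE_TYPES
        # An ADE extension that failed to provision is not counted as protection.
        if is_ade and ep.get("provisioningState") == "Succeeded":
            layers.append("ADE")
            break
    return layers


def temp_disk_gaps(vms):
    """Names of VMs whose temp disk is covered by neither Encryption at Host nor ADE."""
    return [vm["name"] for vm in vms if encryption_layers(vm) == ["SSE"]]


if __name__ == "__main__":
    for vm in SAMPLE_VMS:
        print(vm["name"], encryption_layers(vm))
    print("temp disk not covered:", temp_disk_gaps(SAMPLE_VMS))
```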

Moving VMs

You can move VMs between resource groups, subscriptions, or regions:

| Move Type | Downtime? | What Moves Together |
|---|---|---|
| Between resource groups | No (metadata move) | VM + all dependent resources (disks, NICs, IPs) |
| Between subscriptions | No (metadata move) | VM + all dependent resources (both subs must be in same Entra tenant) |
| Between regions | Yes (requires recreating) | Use Azure Resource Mover or recreate from snapshot/image |

💡 Exam tip: Moving VMs between regions

Moving a VM to a different region is NOT a simple move operation: you can't just drag it. You need to: (1) create a snapshot of the disks, (2) copy the snapshot to the target region, (3) create new disks from the snapshot, (4) create a new VM in the target region using those disks. Azure Resource Mover can help automate this process.

Question

What does Encryption at Host protect that standard SSE doesn't?

Answer

Encryption at Host encrypts data on the physical VM host, including the temp disk and OS/data disk caches. Standard SSE only encrypts data at rest in Azure Storage. Encryption at Host ensures data is encrypted before it even leaves the host machine.

Question

Can you move a VM to a different Azure region without downtime?

Answer

No. Moving to a different region requires recreating the VM. You snapshot the disks, copy snapshots to the new region, create new disks, and deploy a new VM. The original VM experiences downtime during the cutover. Azure Resource Mover can assist with this process.

Question

What is the difference between Azure Disk Encryption (ADE) and Encryption at Host?

Answer

ADE uses BitLocker (Windows) or dm-crypt (Linux) to encrypt volumes INSIDE the VM; keys are stored in Key Vault. Encryption at Host encrypts data on the physical host BEFORE it reaches Azure Storage, covering temp disks and caches. ADE is VM-level; Encryption at Host is infrastructure-level.

Real-world: TechCorp migrates VMs between subscriptions

TechCorp Solutions needs to move their test VMs from the Dev subscription to a new Testing subscription (both under the same Entra tenant). Alex follows these steps:

  1. Verifies both subscriptions are in the same Entra tenant
  2. Checks that the VM size is available in the target subscription's quota
  3. Moves the VM + all dependent resources (OS disk, data disks, NIC, public IP) together
  4. Updates any automation scripts that reference the old resource IDs

The move completes in minutes with zero downtime because it's just a metadata change.
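Steps 1, 3 and 4 of Alex's checklist, as an added example that is not part of the original guide: it refuses a cross-tenant move, collects the VM and every dependent resource ID into one move request, and rewrites an old resource ID to its new location. All IDs, tenant values and function names are constructed placeholders; the request dictionary follows the shape of the ARM move request body (`resources`, `targetResourceGroup`). The quota check in step 2 is not covered.

```python
import re

# Constructed sample resources in ARM REST shape; every ID is a placeholder.
SUB_DEV = "/subscriptions/00000000-0000-0000-0000-0000000000aa"
SUB_TEST = "/subscriptions/00000000-0000-0000-0000-0000000000bb"
RG = SUB_DEV + "/resourceGroups/rg-dev"
TARGET_RG = SUB_TEST + "/resourceGroups/rg-test"
NIC_ID = RG + "/providers/Microsoft.Network/networkInterfaces/vm1-nic"
PIP_ID = RG + "/providers/Microsoft.Network/publicIPAddresses/vm1-pip"
VM = {
    "id": RG + "/providers/Microsoft.Compute/virtualMachines/vm1",
    "properties": {
        "storageProfile": {
            "osDisk": {"managedDisk": {"id": RG + "/providers/Microsoft.Compute/disks/vm1-os"}},
            "dataDisks": [{"managedDisk": {"id": RG + "/providers/Microsoft.Compute/disks/vm1-data0"}}],
        },
        "networkProfile": {"networkInterfaces": [{"id": NIC_ID}]},
    },
}
NICS = {NIC_ID: {"properties": {"ipConfigurations": [
    {"properties": {"publicIPAddress": {"id": PIP_ID}}}]}}}


def move_set(vm, nics):
    """VM ID plus every dependent resource ID (OS disk, data disks, NICs, public IPs)."""
    storage = vm["properties"]["storageProfile"]
    ids = [vm["id"], storage["osDisk"]["managedDisk"]["id"]]
    ids += [d["managedDisk"]["id"] for d in storage.get("dataDisks", [])]
    for ref in vm["properties"]["networkProfile"]["networkInterfaces"]:
        ids.append(ref["id"])
        # The public IP is referenced from the NIC, not from the VM itself.
        for cfg in nics[ref["id"]]["properties"]["ipConfigurations"]:
            pip = cfg["properties"].get("publicIPAddress")
            if pip:
                ids.append(pip["id"])
    return ids


def plan_move(vm, nics, src_tenant, dst_tenant, target_rg_id):
    """Build the move request, refusing subscriptions in different Entra tenants."""
    if src_tenant != dst_tenant:
        raise ValueError("source and target subscriptions are in different Entra tenants")
    return {"resources": move_set(vm, nics), "targetResourceGroup": target_rg_id}


def rewrite_id(old_id, target_rg_id):
    """Point an old resource ID (e.g. in an automation script) at the new location."""
    pattern = r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    return re.sub(pattern, lambda _m: target_rg_id, old_id, flags=re.IGNORECASE)
```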

Knowledge check

Meridian Financial requires that the temporary disk on their VMs is encrypted. Which encryption option addresses this?

Knowledge Check

Alex needs to move a VM from the Dev resource group to the Prod resource group in the same subscription. Will there be downtime?

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.