5.2 Create, Configure, and Manage Virtual Machines

Key Takeaways

  • A VM depends on supporting resources such as a NIC, subnet, OS disk, optional data disks, security rules, and often a public IP, Bastion, or load balancer.
  • Creation choices such as image, size, authentication, region, zone, disk type, and networking are difficult to change later and should be selected from workload requirements.
  • Administrators manage VMs through portal, CLI, PowerShell, Bicep, extensions, run command, update management, and guest-level tools.
  • Troubleshooting VM creation requires separating Azure control plane failures from guest OS, networking, boot, and extension failures.

Last updated: May 2026

VM Resource Anatomy

An Azure virtual machine is the compute resource, but it is not useful by itself. A working VM usually has an OS disk, one or more network interfaces, an IP configuration on a subnet, network security controls, boot diagnostics, and optional data disks. It may also have a managed identity, diagnostic settings, VM extensions, backup protection, update configuration, and association with a load balancer or application gateway.

A common exam trap is treating the VM as one object. The NIC belongs to Microsoft.Network, the disk belongs to Microsoft.Compute, the public IP belongs to Microsoft.Network, and the VM ties them together. If a deployment fails, the failed resource may be the NIC, disk, VM extension, or public IP rather than the VM itself.

Design choice      | Why it matters                                  | Typical administrator decision
Region             | Latency, compliance, service availability, quota | Keep the VM near users and dependent resources
Availability zone  | Datacenter isolation                            | Use zones for higher availability where supported
Image              | OS, generation, licensing                       | Select a marketplace image, shared image, or custom image
Size               | CPU, memory, temp disk, IOPS, cost              | Match the workload and resize when possible
Authentication     | SSH key, password, Entra login, local admin     | Prefer SSH keys and controlled admin access
Network access     | Public IP, Bastion, VPN, private access         | Avoid direct internet exposure where possible
Management         | Extensions, Run Command, serial console         | Plan recovery and automation paths

Portal Creation Workflow

In the portal, the normal path is Virtual machines > Create > Azure virtual machine. The Basics tab sets subscription, resource group, VM name, region, availability option, security type, image, size, admin account, inbound ports, and licensing. The Disks tab selects the OS disk type, encryption options, and data disks. The Networking tab selects or creates the virtual network, subnet, public IP, NIC-level network security group, and load balancing options. The Management tab covers monitoring, identity, auto-shutdown, backup, and patch settings. The Advanced tab covers extensions, cloud-init, user data, host group, proximity placement group, and custom data.

Portal creation is good for learning dependencies and one-off deployments. For repeatable build standards, use Bicep, ARM templates, Azure CLI, PowerShell, or an image pipeline. Exam questions may show a portal setting and ask which tab contains it. They may also describe a production standard and expect infrastructure as code.

CLI and Bicep Examples

A quick Linux VM build can be done with Azure CLI:

az group create --name rg-lab-vm --location eastus
az vm create \
  --resource-group rg-lab-vm \
  --name vm-linux-01 \
  --image Ubuntu2204 \
  --size Standard_B2s \
  --admin-username azureadmin \
  --ssh-key-values ~/.ssh/id_rsa.pub \
  --vnet-name vnet-lab \
  --subnet snet-vms \
  --public-ip-sku Standard
az vm open-port --resource-group rg-lab-vm --name vm-linux-01 --port 22

For production, opening SSH from the internet is often the wrong answer. Use Azure Bastion, VPN, just-in-time VM access from Microsoft Defender for Cloud, or a private jump path. If the exam asks for browser-based RDP or SSH without a public IP on the VM, choose Azure Bastion.

A minimal Bicep VM pattern shows how resources connect:

param location string = resourceGroup().location
param vmName string = 'vm-app-01'
param adminUsername string
@secure()
param adminPassword string

resource nic 'Microsoft.Network/networkInterfaces@2024-05-01' existing = {
  name: '${vmName}-nic'
}

resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v5'
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: '2022-datacenter-azure-edition'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}

This example assumes an existing NIC. In a full deployment, the VNet, subnet, NSG, public IP if needed, NIC, VM, diagnostics, and extensions may all be in the same Bicep file or modules.

VM Management Tasks

Administrators commonly start, stop, restart, redeploy, reapply, resize, attach disks, update tags, add extensions, configure identity, reset passwords, and capture images. Shutting down from inside the guest OS stops the VM but does not deallocate it, so compute charges continue. In Azure, use Stop in the portal or az vm deallocate when you want to release the compute allocation and stop compute billing. Storage costs for disks remain.

Useful commands:

az vm get-instance-view -g rg-prod-compute -n vm-app-01
az vm list-sizes --location eastus --output table
az vm resize -g rg-prod-compute -n vm-app-01 --size Standard_D4s_v5
az vm deallocate -g rg-prod-compute -n vm-app-01
az vm start -g rg-prod-compute -n vm-app-01
az vm run-command invoke \
  -g rg-prod-compute \
  -n vm-app-01 \
  --command-id RunPowerShellScript \
  --scripts "Get-Service W32Time"

Run Command is useful when network access is broken but the Azure VM agent is healthy. Serial Console is useful for boot and OS-level recovery, especially when firewall rules, boot loaders, or network configuration prevent normal access. Redeploy moves a VM to a new Azure host while preserving disks and configuration; it can help with host-level issues but causes downtime.

Extensions and Guest Configuration

VM extensions install agents, run scripts, join domains, configure monitoring, install antimalware, or apply custom setup. The Custom Script Extension is common, but the scripts it runs should be idempotent and log clearly. Extension failures are often guest problems: blocked downloads, bad script exit codes, missing permissions, DNS failure, TLS inspection, or an incompatible OS.

Troubleshooting extension states:

State                  | Meaning                    | Next action
Provisioning succeeded | Extension completed        | Verify the application-level result
Provisioning failed    | Handler returned a failure | Review extension status and guest logs
Transitioning          | Still running or stuck     | Check script duration and agent health
VM agent not ready     | Guest agent unavailable    | Check boot diagnostics, serial console, or agent install
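As an added example (not part of this study guide), the following Python script classifies the JSON that az vm get-instance-view returns: it separates a guest shutdown (stopped, still allocated) from a deallocated VM as described under VM Management Tasks, and maps each extension's provisioning status to the next action in the table above. The sample instance view is constructed; its status codes follow the shape Azure returns but were not captured from a real deployment.

```python
# Constructed sample shaped like `az vm get-instance-view` output (trimmed);
# it is not captured from a real subscription.
SAMPLE_VIEW = {
    "name": "vm-app-01",
    "instanceView": {
        "vmAgent": {"statuses": [{"code": "ProvisioningState/Ready", "displayStatus": "Ready"}]},
        "statuses": [
            {"code": "ProvisioningState/succeeded", "displayStatus": "Provisioning succeeded"},
            {"code": "PowerState/stopped", "displayStatus": "VM stopped"},
        ],
        "extensions": [
            {"name": "CustomScript", "statuses": [{"code": "ProvisioningState/failed/1",
                "displayStatus": "Provisioning failed", "message": "Script exited with code 1"}]},
            {"name": "AzureMonitorWindowsAgent", "statuses": [{"code": "ProvisioningState/succeeded",
                "displayStatus": "Provisioning succeeded"}]},
        ],
    },
}

def power_state(view):
    """Return the PowerState suffix: running, stopped, deallocated, and so on."""
    for s in view["instanceView"]["statuses"]:
        if s["code"].startswith("PowerState/"):
            return s["code"].split("/", 1)[1]
    return "unknown"

def compute_billing_note(view):
    """'stopped' is a guest shutdown: the VM is still allocated and still billed for compute."""
    state = power_state(view)
    if state == "stopped":
        return "stopped but allocated: compute billing continues, run az vm deallocate"
    if state == "deallocated":
        return "deallocated: compute released, disk storage still billed"
    return f"power state {state}"

def triage_extensions(view):
    """Map each extension to the next action from the extension state table."""
    agent = view["instanceView"].get("vmAgent") or {}
    if not any(s.get("code") == "ProvisioningState/Ready" for s in agent.get("statuses", [])):
        return {"*": "VM agent not ready: check boot diagnostics, serial console, or agent install"}
    actions = {}
    for ext in view["instanceView"].get("extensions", []):
        code = ext["statuses"][0]["code"] if ext.get("statuses") else ""
        if code.startswith("ProvisioningState/succeeded"):
            actions[ext["name"]] = "succeeded: verify application-level result"
        elif code.startswith("ProvisioningState/failed"):
            actions[ext["name"]] = "failed: review extension status and guest logs"
        else:
            actions[ext["name"]] = "transitioning: check script duration and agent health"
    return actions
```

Feed it the real output with `az vm get-instance-view -g <rg> -n <vm> -o json` piped through json.load to triage a live VM the same way.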

Scenario Walkthrough

A company needs a Windows Server VM for an internal accounting app. It must not expose RDP to the internet, must be recoverable, and must use a predictable deployment process. A good design is a Bicep deployment that creates or references the subnet, deploys a VM without a public IP, enables a managed identity if the app needs Azure resource access, installs the Azure Monitor Agent, enables boot diagnostics, and protects the VM with Azure Backup. Administrative access should be through Bastion or VPN.

If users cannot connect after deployment, check the VM power state, guest OS firewall, NSG effective rules, route table, DNS, Bastion or VPN path, and application listener. Do not start by rebuilding the VM. AZ-104 often rewards methodical isolation: control plane, VM state, network path, guest OS, then application.

Test Your Knowledge

A VM must support browser-based RDP access without assigning a public IP address to the VM. Which service best fits?

You shut down a VM from inside Windows, but you still see compute-related allocation behavior. Which Azure action should you use to release compute allocation?

A VM extension fails during provisioning. Which evidence is most useful first?
