5.3 VM Disks, Sizes, Encryption, and Host Settings

VM Sizes and Families

A VM size is more than a CPU and memory number. It controls the number of vCPUs, memory, temporary storage, maximum number of data disks, maximum IOPS, maximum throughput, network bandwidth, accelerated networking support, premium storage support, GPU availability, and price. Some sizes are general purpose, while others target compute, memory, storage, GPU, or high performance computing workloads.

Resizing is possible, but not every size is available in every region, zone, cluster, or host group. If the target size is not available in the current hardware cluster, Azure may require deallocation before resizing. Availability set deployments can also constrain resizing because all VMs in the set must be able to run on compatible hardware.

Useful commands:

az vm list-vm-resize-options -g rg-prod-compute -n vm-db-01 --output table
az vm list-skus --location eastus --resource-type virtualMachines --output table
az vm resize -g rg-prod-compute -n vm-db-01 --size Standard_E4ds_v5

If resizing fails, check quota for the target family, regional availability, zone availability, policy restrictions, and whether the VM must be deallocated. Quota is per subscription, per region, and often per VM family.

Managed Disks

Azure managed disks remove the need to manage storage accounts for VM disks. You choose a disk type and size, and Azure manages placement and durability. Common disk types include Standard HDD, Standard SSD, Premium SSD, Premium SSD v2, and Ultra Disk. Availability depends on region and VM size.

The OS disk stores the operating system. Data disks store application data. The temporary disk, when present, is local to the host and should not store durable data. It may be erased during maintenance, redeploy, or host movement. Exam questions often test this: never place critical persistent data on the temporary disk.

You can resize managed disks, but shrinking is not generally supported. Increasing an OS or data disk usually requires expanding the partition inside the guest OS after Azure reports the larger disk. Some disk performance changes are online, while others require downtime depending on disk type and VM state.

az disk update -g rg-prod-compute -n vm-db-01-data-01 --size-gb 512
az vm disk attach -g rg-prod-compute --vm-name vm-db-01 --name vm-db-01-data-02 --new --size-gb 1024 --sku Premium_LRS
az vm disk detach -g rg-prod-compute --vm-name vm-db-01 --name vm-db-01-data-02

Snapshots, Images, and Disk Recovery

A snapshot is a point-in-time copy of a managed disk. Snapshots are useful before risky patching, application upgrades, or disk manipulation. They are not a replacement for a full backup policy because they do not provide the same scheduling, retention, application consistency options, vault management, or cross-protection workflow.

Images and Azure Compute Gallery help standardize VM builds. A custom image can include baseline OS configuration, agents, and hardening. Azure Compute Gallery supports sharing image versions across subscriptions and regions. For AZ-104, know that images help repeat deployment, while backup helps restore protected instances.

Encryption Options

Azure Storage Service Encryption protects managed disks at rest by default. Platform-managed keys are simplest. Customer-managed keys use a disk encryption set backed by Azure Key Vault or managed HSM where supported. Azure Disk Encryption uses BitLocker for Windows or DM-Crypt for Linux inside the guest; it is older and more intrusive. Encryption at host encrypts VM data on the host before it flows to storage, covering temporary disks and caches for supported VM sizes and regions.

Bicep example for a VM setting encryption at host:

resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
  name: vmName
  location: location
  properties: {
    securityProfile: {
      encryptionAtHost: true
    }
    hardwareProfile: {
      vmSize: 'Standard_D2s_v5'
    }
    storageProfile: {
      osDisk: {
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
      imageReference: imageReference
    }
    osProfile: osProfile
    networkProfile: networkProfile
  }
}

If a deployment fails after enabling encryption at host, check whether the subscription has the feature available, the VM size supports it, the region supports it, and policy does not conflict. If customer-managed keys fail, check Key Vault permissions, purge protection and soft delete requirements, managed identity access, disk encryption set identity, and network restrictions on the vault.

Host and Security Settings

Trusted launch provides security features such as secure boot and virtual TPM for supported generation 2 images and sizes. Confidential VMs protect data in use for supported scenarios. Dedicated hosts provide physical server isolation for compliance or licensing. Proximity placement groups place Azure compute resources physically close to reduce latency, but they can constrain availability and SKU choices. Accelerated networking improves network performance by bypassing the host datapath for supported sizes and operating systems.

Design table:

Troubleshooting Scenario

A database VM has high disk latency after migration. Start with metrics: disk IOPS consumed percentage, disk bandwidth consumed percentage, VM cached and uncached limits, queue depth, and guest OS counters. If the disk is Premium SSD but the VM size has a lower throughput cap than the disks, resizing the VM may help more than changing disk SKU. If the data disk uses host caching incorrectly, adjust caching based on workload guidance. Read-heavy workloads may benefit from read-only caching, but write-heavy database logs often should not use read-write caching without vendor support.

AZ-104 questions often combine cost and performance. The cheapest disk is not always acceptable, and the most expensive disk is not always useful if the VM size throttles it. Match VM family, VM size limits, disk type, disk size, caching, and redundancy to the workload.