App Service Exam Tips

AZ-104 Exam Tips: Azure App Service#

Use this page for final revision before your exam. Each section targets a testable concept.

---

Service Models (Very Frequently Tested)#

Understand the three hosting models and what they share:

Key distinctions:

• Shared = cheapest, lowest isolation, no SLA
• Dedicated = your own worker nodes but still on shared network infrastructure
• Isolated = runs inside your VNet in an App Service Environment; highest security and compliance

Infrastructure Architecture#

• App Service runs in a scale unit (up to 1,000 worker nodes)
• A geo-controller decides which scale unit handles your deployment
• Front-end proxy routes requests to the correct worker node
• App Service Plan defines the tier and resources; all apps on a plan share those resources

Custom Domains and SSL#

• Default domain: <app-name>.azurewebsites.net (must be globally unique)
• Custom domain setup requires:
  • A record or CNAME record pointing to the App Service
  • TXT record for domain ownership verification
• App Service Managed Certificate is free and auto-renews (provisioning: up to 10 mins)
• SSL binding types: SNI-based (multiple certs per IP) or IP-based (one cert per IP)

Networking#

Inbound#

• Default: public internet access
• Restrict inbound with IP firewall rules (service firewall)
• Private Endpoint = private IP inside VNet; disabling public access blocks all except private endpoint traffic

Outbound#

• VNet Integration = service endpoint in a VNet subnet; app routes outbound traffic into VNet
• Hybrid Connection = relay-based; both app and on-prem connect outbound to relay (no inbound firewall changes)
• ExpressRoute works with VNet integration in same region only; cross-region requires a gateway (no ExpressRoute support with gateway-required VNet integration)

Outbound IPs#

• Outbound IPs can change when you stop/start an app
• Use dedicated outbound IPs if stability is required

Scaling#

• Scale out supports: Manual, Rules-based (CPU%, memory, schedule), Automatic (preview)
• Works similarly to VM Scale Sets under the hood
• Rules-based is the recommended approach for production

Backups#

• Always restore into a deployment slot in production — restoring directly overwrites the live app
• Custom backups with VNet integration: enable "backup and restore over VNet integration"

Deployment Slots#

• Available from Standard tier (5 slots) and Premium tier (20 slots)
• Each slot = separate App Service instance with its own URL
• Swap = zero-downtime deployment (staging → production)
• Rollback = swap back to previous version instantly
• Sticky settings = app settings/connection strings that stay with a specific slot (not swapped)
• Traffic splitting = route a % of traffic to a non-production slot for canary testing

Common Exam Traps#

• VNet integration does not host the app inside the VNet — it only enables outbound routing
• Only Isolated tier (ASE) actually runs the app inside a VNet
• Stopping/restarting an app can change outbound IPs — watch for this in networking scenarios
• Deployment slots require Standard+ tier; slot swap does not require any downtime
• Platform backup runs hourly but you cannot access the underlying storage account

---

Quick Revision Table#

Reference Documentation#

• App Service overview
• App Service plans
• App Service networking features
• Deployment slots
• App Service managed certificates
• Back up and restore