Network Integration Exam Tips

IntermediateCertification20 min4 min readAzure

AZ-104 notes: Network Integration Exam Tips. Covers key concepts for the Azure Administrator Associate exam.

#azure #az-104 #exam-tips

This section summarizes key Network Integration concepts for the AZ-104 exam. It covers how Azure integrates virtual networks with PaaS services securely.

Core topics:

Azure Bastion
Azure Virtual Network Service Endpoints
Azure Private Endpoint
Azure Storage (Service Firewall context)

1️⃣ Azure Bastion – Secure VM Administration

What It Does

Azure Bastion provides:

Browser-based SSH/RDP
Over HTTPS (TLS encrypted)
Managed PaaS jump host
No public IP required on VMs

Why It Matters for Exam

You must remember:

✔ Dedicated subnet named AzureBastionSubnet ✔ Minimum subnet size: /26 ✔ Must be in same region as VNet ✔ VM does NOT require public IP

When to Choose Bastion

Secure admin access required
Remove public IP exposure
Reduce jump-box management overhead

Exam Trigger Words:

“Secure browser-based access”
“No public IP”
“Managed jump host”

2️⃣ Service Endpoints – Subnet-Level Backbone Access

What They Do

Service Endpoints:

Enabled at subnet level
Route traffic to Azure PaaS services
Use Microsoft Backbone
Still use public endpoint

Important:

⚠ No private IP assigned ⚠ Still public endpoint ⚠ Affects all services under that provider
Example: Enable Microsoft.Storage → applies to all storage accounts.

How It Works

Without service endpoint:

VM → Internet route → Public endpoint

With service endpoint:

VM → System route → Microsoft Backbone → Public endpoint
No public IP needed on VM.

Exam Key Distinction

Service Endpoint:

Subnet-based
Public endpoint
Moderate security

3️⃣ Private Endpoints – True Private Connectivity

Private Endpoints are part of:

Azure Private Link

What They Do

Assign private IP to PaaS service
Create NIC in VNet
Allow granular sub-resource access (Blob, File, etc.)
Support hybrid (VPN / ExpressRoute)

Example:

StorageAccount → Blob → Private IP

Major Differences

Exam Trigger Words:

“Private IP for storage”
“Disable public access”
“Hybrid access required”
Answer → Private Endpoint

4️⃣ Service Firewall (Storage Network Access)

Many PaaS services include a service firewall, including:

Azure Storage
Azure SQL Database
Azure Key Vault

What It Does

Controls access to:

→ Public endpoint only

Options:

Allow all networks
Allow selected VNets/IPs
Disable public access

Critical Exam Concept

Service Firewall:

✔ Affects Service Endpoints ❌ Does NOT affect Private Endpoints

If public access disabled:

Service Endpoint → blocked
Private Endpoint → works

5️⃣ Security Architecture Patterns (Exam Scenarios)

Moderate Security

Service Endpoint

Firewall allows specific VNet

High Security (Zero Trust)

Private Endpoint
Public access disabled
Firewall blocks all public
DNS integrated

Secure Admin Pattern

Bastion for VM access
No public IP on VMs
NSGs restrict inbound traffic

6️⃣ Decision Tree for Exam Questions

If question mentions:

🔹 “Browser-based RDP/SSH” → Bastion
🔹 “Subnet-level backbone routing” → Service Endpoint
🔹 “Assign private IP to storage” → Private Endpoint
🔹 “Block all public access” → Service Firewall + Private Endpoint
🔹 “Hybrid access required” → Private Endpoint

7️⃣ Common Exam Traps

🚩 Service Endpoint gives private IP → False 🚩 Firewall does not affect Service Endpoint → False 🚩 Bastion requires VM public IP → False 🚩 Private Endpoint uses public endpoint → False