
AZ-104 Domain 4: Implement and manage virtual networking (15-20%) - Complete Study Guide 2026

TL;DR
  • Domain 4 carries 15-20% of the AZ-104 exam weight, meaning roughly 6-12 questions out of the ~40-60 you will face.
  • Virtual network peering, NSG rule evaluation order, and Azure Load Balancer SKUs are consistently high-value topics within this domain.
  • The passing threshold is a scaled score of 700, not 70% raw; precision on a cluster of networking questions can swing your result.
  • Private DNS zones, Private Endpoints, and Service Endpoints are distinct concepts that the exam tests with scenario-based drag-and-drop and hot-area items.

What Domain 4 Actually Covers

Domain 4, Implement and manage virtual networking (15-20%), is the section of the AZ-104 skills outline that turns abstract cloud knowledge into real operational competence. It tests whether a candidate can design, deploy, secure, and troubleshoot the network layer that everything else in Azure depends on. Compute instances, storage endpoints, and identity flows all ride on top of networking constructs, which is precisely why Microsoft weights this domain alongside storage in the 15-20% band.

Unlike Domain 1's identity and governance focus, which leans heavily on policy and role configuration, Domain 4 demands both conceptual clarity and hands-on fluency. A candidate who understands why a subnet is segmented but cannot configure a route table in the portal or via CLI will struggle with the interactive item types this domain generates.

The current skills measured as of April 17, 2026 group Domain 4 content into several major capability buckets: virtual network configuration, network security, load balancing and routing, hybrid connectivity, and monitoring. Each bucket maps to real-world Azure administrator tasks, and the exam tests them through scenario-driven questions rather than trivia recall.

Scope Alert: Domain 4 is not limited to VNet basics. Candidates who prepare only for subnetting and NSGs frequently encounter questions on Private DNS zones, VNet peering route propagation, and Azure Firewall policy tiers that they did not anticipate. Cover the full breadth of the published skills outline.

Weight, Format, and What to Expect on Exam Day

The AZ-104 is administered through Pearson VUE, costs $165 USD in the United States (regional pricing varies), and allocates 100 minutes for the scored assessment itself. The full appointment block includes check-in, tutorial, and survey time on top of that. Candidates commonly encounter 40-60 questions, and the item types for Domain 4 specifically tend toward hot-area diagrams of network topologies, drag-and-drop rule ordering, build-list configurations, and case studies that ask you to recommend a connectivity solution across multiple constraints.

Performance-based lab tasks may also appear on your delivery. If they do, you could be asked to create a virtual network with specific address spaces, configure peering between two VNets in different regions, or apply an NSG rule to a subnet and verify connectivity, all inside a live Azure environment with no additional time added. This makes hands-on portal and CLI practice non-negotiable for Domain 4.

Because the passing score is 700 on Microsoft's scaled model, not a straight percentage, there is no reliable way to calculate exactly how many Domain 4 questions you can miss. What matters is performing strongly across all five domains. If you want a broader picture of overall difficulty and score distribution, the complete AZ-104 difficulty guide covers how candidates experience the exam across domains.

Domain 4 Capability Clusters (April 2026 Skills Outline)

Microsoft's published skills outline for Domain 4 organizes expectations around these operational areas:

  • Configure and manage virtual networks, subnets, and peering
  • Configure private and public DNS zones and records
  • Implement and manage network security groups (NSGs) and application security groups (ASGs)
  • Configure Azure Load Balancer, Application Gateway, and Traffic Manager
  • Configure VPN Gateway, ExpressRoute, and Virtual WAN for hybrid connectivity
  • Monitor networks using Network Watcher, flow logs, and connection diagnostics
  • Implement Service Endpoints, Private Endpoints, and Azure Firewall basics

Virtual Networks and Subnetting Deep Dive

An Azure Virtual Network (VNet) is the foundational isolation boundary for resources in Azure. Understanding how address spaces work (CIDR notation, allowable ranges, reserved IP addresses per subnet) is table-stakes knowledge. The exam tests whether you know that Azure reserves five IP addresses in every subnet (network address, gateway, DNS x2, broadcast) and expects you to correctly size subnets given a requirements scenario.
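The subnet-sizing rule above, worked through in Python as an added example (not code from the original page): usable hosts per prefix after Azure's five reserved addresses, the smallest subnet that fits a requirement, and which five addresses are withheld in a given range. The /29 to /2 bounds are Azure's documented subnet limits; the host counts and the 10.0.1.0/26 input are constructed.

```python
import ipaddress

# Azure withholds five addresses per subnet: network address, default gateway
# (first usable), two addresses mapped to Azure DNS, and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_PREFIX = 29   # Azure rejects subnets smaller than /29
AZURE_LARGEST_PREFIX = 2     # and larger than /2


def usable_hosts(prefix: int) -> int:
    """Addresses a VM can actually use in an Azure subnet of this size."""
    return 2 ** (32 - prefix) - AZURE_RESERVED_PER_SUBNET


def smallest_prefix_for(required_hosts: int) -> int:
    """Longest prefix (smallest subnet) that still leaves room for the hosts.

    Walks from /29 towards /2 so the answer is the tightest fit; a /28 holds
    only 11 usable hosts in Azure, not the 14 a classic subnet calculator gives.
    """
    if required_hosts < 1:
        raise ValueError("need at least one host")
    for prefix in range(AZURE_SMALLEST_PREFIX, AZURE_LARGEST_PREFIX - 1, -1):
        if usable_hosts(prefix) >= required_hosts:
            return prefix
    raise ValueError("no Azure subnet is large enough")


def reserved_addresses(cidr: str) -> dict:
    """Name the five addresses Azure withholds in the given subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not AZURE_LARGEST_PREFIX <= net.prefixlen <= AZURE_SMALLEST_PREFIX:
        raise ValueError(f"{cidr} is outside the /2 to /29 range Azure allows")
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "gateway": str(ipaddress.ip_address(base + 1)),
        "dns": [str(ipaddress.ip_address(base + 2)),
                str(ipaddress.ip_address(base + 3))],
        "broadcast": str(net.broadcast_address),
        "usable": usable_hosts(net.prefixlen),
    }


if __name__ == "__main__":
    # Constructed exam-style requirement: 30 web VMs need a subnet.
    prefix = smallest_prefix_for(30)
    print(f"30 hosts -> /{prefix} ({usable_hosts(prefix)} usable)")
    print(reserved_addresses(f"10.0.1.0/{prefix}"))
```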

VNet Peering and Global Peering

VNet peering connects two VNets so that resources communicate using Microsoft's backbone network without traffic traversing the public internet. Regional peering connects VNets in the same Azure region; global peering connects VNets across regions. The exam frequently presents topology diagrams and asks which resources can communicate and why, often introducing a hub-spoke architecture where the hub VNet contains shared services and spokes cannot communicate with each other directly without additional route configuration.

Key peering facts that generate exam questions: peering is non-transitive by default, each side of a peering link must be configured independently, and the Allow forwarded traffic and Use remote gateways settings control more advanced behaviors that appear in scenario questions.

Route Tables and User-Defined Routes

System routes exist automatically in every VNet. User-defined routes (UDRs) override system routes and are attached at the subnet level. The exam tests scenarios where traffic must be forced through a network virtual appliance (NVA) or Azure Firewall, requiring you to create a route table with a next-hop type of Virtual appliance and the NVA's private IP address.

Common Exam Trap: Candidates often confuse which setting controls whether a VNet gateway's routes are propagated to peered VNets. The Use remote gateways option is set on the spoke side, while Allow gateway transit is set on the hub side. Getting this reversed is a frequent source of incorrect answers on topology questions.
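A small reachability model of the peering rules from the two sections above, added here as an example rather than taken from the page: both sides of a link must be configured, peering is non-transitive, and a spoke only borrows the hub's gateway when Allow gateway transit is set on the hub side and Use remote gateways on the spoke side. The hub/spoke names and the topology are constructed; spoke2 shows the reversed-settings trap.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Peering:
    """One side of a peering link, configured on `local` and pointing at `remote`."""
    local: str
    remote: str
    allow_gateway_transit: bool = False   # meaningful on the hub side
    use_remote_gateways: bool = False     # meaningful on the spoke side


@dataclass
class Topology:
    peerings: list
    gateway_vnets: set = field(default_factory=set)  # VNets owning a VPN/ExpressRoute gateway

    def side(self, local, remote):
        """The peering object configured on `local` towards `remote`, if any."""
        return next((p for p in self.peerings
                     if p.local == local and p.remote == remote), None)

    def peered(self, a, b) -> bool:
        """A link carries traffic only when both sides have been configured."""
        return self.side(a, b) is not None and self.side(b, a) is not None

    def can_reach(self, src, dst) -> bool:
        """Peering is non-transitive: only a direct two-sided link counts."""
        return src == dst or self.peered(src, dst)

    def uses_hub_gateway(self, spoke, hub) -> bool:
        """Spoke reaches on-premises through the hub only if transit is allowed
        on the hub side AND remote gateways are enabled on the spoke side."""
        if hub not in self.gateway_vnets or not self.peered(spoke, hub):
            return False
        return (self.side(hub, spoke).allow_gateway_transit
                and self.side(spoke, hub).use_remote_gateways)


def build_example() -> Topology:
    """Constructed hub-and-spoke: spoke1 is configured correctly, spoke2 has the
    two gateway settings reversed (the trap), spoke3 is peered from one side only."""
    return Topology(
        peerings=[
            Peering("hub", "spoke1", allow_gateway_transit=True),
            Peering("spoke1", "hub", use_remote_gateways=True),
            Peering("hub", "spoke2", use_remote_gateways=True),    # wrong side
            Peering("spoke2", "hub", allow_gateway_transit=True),  # wrong side
            Peering("hub", "spoke3"),                              # never reciprocated
        ],
        gateway_vnets={"hub"},
    )
```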

Name Resolution and DNS in Azure

Azure provides built-in DNS resolution for resources within a VNet, but production environments almost always require custom DNS configuration. Domain 4 tests three distinct DNS scenarios: Azure-provided DNS, custom DNS servers, and Azure Private DNS zones.

An Azure Private DNS zone is a managed DNS service that allows you to use custom domain names within your VNet without managing DNS infrastructure. You link a private zone to a VNet with or without auto-registration enabled. When auto-registration is on, VMs in that VNet automatically get A records in the zone when they are created. The exam distinguishes between private DNS zones (internal resolution) and public DNS zones (internet-facing records managed in Azure DNS).

Private Endpoints introduce a critical DNS dependency: when you deploy a Private Endpoint for a storage account or key vault, you must configure a private DNS zone for the appropriate service (e.g., privatelink.blob.core.windows.net) to ensure that FQDN resolution returns the private IP rather than the public IP. This integration between Private Endpoints and Private DNS zones is a high-frequency exam topic tested in case-study format.

Network Security Groups and Application Security Groups

NSGs are the primary traffic filtering mechanism in Azure networking. An NSG contains inbound and outbound security rules evaluated in priority order, with lower numbers processed first. Default rules exist at priority 65000-65500 and cannot be deleted, only overridden with higher-priority custom rules.

NSG Association and Effective Security Rules

NSGs can be associated with subnets and with individual network interfaces (NICs). When both are present, inbound traffic is processed by the subnet NSG first, then the NIC NSG. Outbound traffic reverses this: NIC NSG is evaluated first, then subnet NSG. The exam tests scenarios where a VM is not reachable and asks you to identify the blocking rule, which requires you to trace inbound flow through both NSG layers correctly.

The Effective security rules blade in the Azure portal is the operational tool for this troubleshooting scenario, and knowing how to navigate to it and interpret its output is a practical skill the exam may test in a lab task.
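An added example (not the page's own code) that replays the two-layer evaluation described above: each NSG picks its first match in ascending priority order, falling through to the 65000-65500 default rules, and a flow passes only when every layer allows it. The address space, the port 443 rules and the 203.0.113.7 source are constructed; service-tag matching is simplified to the three tags the default rules use.

```python
import ipaddress
from dataclasses import dataclass
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")   # constructed VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")    # Azure load balancer probe source

@dataclass(frozen=True)
class Rule:
    priority: int    # lower number is evaluated first; custom rules use 100-4096
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    remote: str      # source (inbound) or destination (outbound): CIDR, tag or "*"
    port: str        # destination port or "*"
    name: str

# Azure's undeletable default rules at 65000-65500; only a lower-numbered custom rule overrides them.
DEFAULTS = [
    Rule(65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "AllowVnetInBound"),
    Rule(65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "AllowAzureLoadBalancerInBound"),
    Rule(65500, "Inbound", "Deny", "*", "*", "*", "DenyAllInBound"),
    Rule(65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "AllowVnetOutBound"),
    Rule(65001, "Outbound", "Allow", "*", "Internet", "*", "AllowInternetOutBound"),
    Rule(65500, "Outbound", "Deny", "*", "*", "*", "DenyAllOutBound"),
]

def matches(tag, ip):  # simplified service-tag matching for the tags the defaults use
    if tag == "*": return True
    if tag == "VirtualNetwork": return ip in VNET_SPACE
    if tag == "AzureLoadBalancer": return ip == AZURE_LB
    if tag == "Internet": return ip not in VNET_SPACE
    return ip in ipaddress.ip_network(tag)

def first_match(rules, direction, protocol, remote_ip, port):
    """Within one NSG the matching rule with the lowest priority number decides."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and r.port in ("*", str(port)) and matches(r.remote, ip)):
            return r
    raise AssertionError("unreachable: the DenyAll defaults always match")

def effective(subnet_rules, nic_rules, direction, protocol, remote_ip, port):
    """Subnet then NIC for inbound, NIC then subnet for outbound; every layer must allow."""
    layers = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        layers.reverse()
    for layer, rules in layers:
        rule = first_match(rules, direction, protocol, remote_ip, port)
        if rule.access == "Deny":
            return ("Deny", layer, rule.name)   # first blocking layer and rule
    return ("Allow", None, None)

# Constructed case: the subnet NSG opens 443 but the NIC NSG was never updated.
SUBNET_RULES = [Rule(100, "Inbound", "Allow", "Tcp", "*", "443", "AllowHttpsIn")]
NIC_RULES = []
```

Calling `effective(SUBNET_RULES, NIC_RULES, "Inbound", "Tcp", "203.0.113.7", 443)` reports the block at the NIC layer by DenyAllInBound, the same answer the Effective security rules blade would show for this VM.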

Application Security Groups

ASGs allow you to group VMs logically and reference those groups in NSG rules, removing the need to maintain lists of IP addresses. An NSG rule can specify an ASG as the source or destination, making it possible to write rules like "allow WebServers to talk to DatabaseServers on port 1433." The exam tests ASG configuration in scenarios involving tiered application architectures.

How the three filtering services the exam contrasts line up:

Feature                | NSG                            | Azure Firewall                     | Application Gateway WAF
Layer                  | Layer 3/4                      | Layer 3-7                          | Layer 7 (HTTP/S only)
FQDN-based rules       | No                             | Yes                                | Yes (URL-based routing)
Centralized management | Per VNet/subnet                | Azure Firewall Policy              | WAF Policy
Threat intelligence    | No                             | Yes (Premium SKU)                  | Yes (OWASP rule sets)
Typical exam scenario  | Subnet-level traffic filtering | Forced tunneling / NVA replacement | Web application protection

Load Balancing and Traffic Routing

Azure offers several load-balancing services, and knowing which to choose for a given scenario is a core Domain 4 skill. The exam frequently presents a requirement and asks you to select the correct service-making the distinctions between them critical to learn.

Azure Load Balancing Services: Key Distinctions

Each service is suited to a specific traffic type and scope:

  • Azure Load Balancer (Standard SKU): Layer 4, internal or public, distributes TCP/UDP traffic within or across availability zones. Standard SKU is required for zone-redundant scenarios and is the exam-relevant SKU.
  • Application Gateway: Layer 7 HTTP/S load balancing with URL path-based routing, SSL termination, and optional WAF. Use when you need to route based on URL or host headers.
  • Azure Front Door: Global HTTP/S load balancing and CDN with anycast-based acceleration. Use when you need global distribution and failover across regions.
  • Traffic Manager: DNS-based global traffic routing across regions. Does not terminate connections; routes clients to the best endpoint based on routing method (performance, weighted, geographic, priority).

A common exam question pattern presents a multi-region application requirement and asks you to select Traffic Manager versus Front Door. Traffic Manager works at the DNS level and supports non-HTTP protocols; Front Door is HTTP/S-specific and provides additional features like caching and WAF at the edge. Knowing this distinction resolves a category of questions that trap candidates who try to generalize "global load balancing" without differentiating the services.

Hybrid and Cross-Network Connectivity

Connecting on-premises networks to Azure is a significant portion of Domain 4. The exam tests three primary mechanisms: VPN Gateway, ExpressRoute, and Azure Virtual WAN.

A VPN Gateway creates an encrypted IPsec/IKE tunnel over the public internet. Gateway SKUs determine throughput and the number of supported site-to-site connections. Point-to-site VPN enables individual clients to connect to an Azure VNet. The exam tests gateway SKU selection, active-active configurations for redundancy, and the difference between policy-based and route-based VPN types.

ExpressRoute provides a private, dedicated connection to Azure through a connectivity provider, with no traffic crossing the public internet. ExpressRoute circuits are purchased in bandwidth tiers and can be configured with private peering (access to Azure VNets), Microsoft peering (access to Microsoft 365 and Azure public services), or both. The exam distinguishes between ExpressRoute and VPN Gateway in scenarios where compliance, latency, or bandwidth requirements make one preferable.

For candidates preparing for the full five-domain picture, the complete guide to all five AZ-104 exam domains provides context on how Domain 4 networking knowledge integrates with compute (Domain 3) and storage (Domain 2) topics.

Network Monitoring and Diagnostics

Azure Network Watcher is the primary toolset for diagnosing and monitoring network issues. Domain 4 expects candidates to know which Network Watcher feature to use for a given diagnostic scenario.

Network Watcher Tools to Know: IP flow verify checks whether a specific packet is allowed or denied by NSG rules. Connection troubleshoot tests end-to-end connectivity between a source and destination. NSG flow logs capture information about IP traffic flowing through an NSG and are stored in a storage account. Topology renders a visual map of the network resources in a region. Each of these has appeared in exam scenarios as the correct or incorrect diagnostic choice.

NSG flow logs feed into Traffic Analytics when integrated with a Log Analytics workspace, enabling pattern analysis and threat detection. The exam may test the configuration steps for enabling flow logs (specifically, that a storage account must exist in the same region as the NSG) as well as the distinction between flow logs (raw data) and Traffic Analytics (aggregated insights).

Building a Domain 4 Study Block

Given Domain 4's 15-20% weight relative to the higher-weighted domains (Domains 1 and 3 each at 20-25%), allocating proportional study time is practical. If your overall preparation spans four weeks, Domain 4 warrants approximately four to five days of focused work, but those days must include hands-on lab time, not just video or reading.

Day 1-2: VNet Fundamentals and Security

  • Create VNets, subnets, and configure address spaces in the portal and via Azure CLI
  • Configure VNet peering (regional and global) and test non-transitivity
  • Build NSG rules, associate with subnets and NICs, and use Effective security rules to verify

Day 3: DNS, Private Endpoints, and Service Endpoints

  • Create a Private DNS zone, link to VNet, enable auto-registration, and verify VM record creation
  • Deploy a Private Endpoint for a storage account and configure the corresponding DNS zone
  • Distinguish Service Endpoints (subnet-level, public IP remains) from Private Endpoints (private IP in VNet)

Day 4: Load Balancing and Hybrid Connectivity

  • Deploy a Standard Load Balancer with a backend pool, health probe, and load-balancing rule
  • Work through Application Gateway URL path routing configuration
  • Review VPN Gateway SKUs and ExpressRoute peering types conceptually

Day 5: Monitoring, Review, and Practice Questions

  • Enable NSG flow logs and configure Network Watcher IP flow verify for a test VM
  • Run practice questions specifically filtered to Domain 4 topics at az104exam.com
  • Review all incorrect answers and map each to the relevant skills outline bullet

One area where methodology genuinely matters for Domain 4: spaced repetition works best when applied to the conceptual distinctions (Traffic Manager vs. Front Door, NSG inbound vs. outbound flow, peering transitivity rules) rather than to procedural steps. Use your practice question results to identify which distinctions are slipping, then revisit those specific items at increasing intervals.

When you want to see how Domain 4 fits alongside all other exam areas before building your full schedule, reading through the AZ-104 Study Guide 2026 provides a sequenced approach to the complete certification. For understanding how Domain 4 compares in difficulty to Domain 3's compute topics, the Domain 3 complete study guide is a useful companion read.

Targeted domain-level practice is one of the most reliable ways to identify gaps before exam day. Running practice tests filtered to networking questions at az104exam.com lets you see which sub-topics within Domain 4 need additional review without re-covering ground you already understand well.

Frequently Asked Questions

How many questions on the AZ-104 exam cover Domain 4 specifically?

Microsoft does not publish a fixed per-domain question count, but at 15-20% weight across a typical pool of 40-60 questions, Domain 4 accounts for roughly 6-12 items on any given delivery. Because Microsoft uses adaptive question selection, the exact number varies per candidate.

Is VPN Gateway or ExpressRoute more heavily tested in Domain 4?

Both appear, but VPN Gateway tends to generate more configuration-focused questions (SKU selection, active-active setup, point-to-site) while ExpressRoute is more commonly tested in scenario questions where you must choose the right connectivity solution based on compliance, latency, or bandwidth requirements. Neither can be safely skipped.

What is the difference between a Service Endpoint and a Private Endpoint for Domain 4 purposes?

A Service Endpoint extends a VNet's identity to an Azure service over the Microsoft backbone but does not assign a private IP; the service's public endpoint remains reachable publicly. A Private Endpoint creates a network interface with a private IP inside your VNet, making the service accessible only through that private address. The exam frequently tests which solution satisfies a requirement to eliminate all public internet exposure for a service.

Do I need to memorize Azure CLI commands for networking tasks?

You do not need to memorize exact syntax for every command, but you should be comfortable enough with az network command patterns (creating VNets, peering, NSG rules, and route tables) to recognize correct versus incorrect commands in CLI-based question stems. Lab tasks may require you to execute commands from scratch, so familiarity beyond recognition matters if labs appear on your delivery.

How does Domain 4 compare in difficulty to other AZ-104 domains?

Domain 4 is consistently rated as one of the more conceptually layered domains because it combines infrastructure knowledge (subnetting, routing) with Azure-specific service behavior (peering non-transitivity, NSG flow order, DNS zone integration). Candidates with hands-on networking backgrounds often find it accessible; those coming from a developer or governance background typically need the most dedicated lab practice here. For a broader perspective, see the complete AZ-104 difficulty guide.
