Practising with these examples will help to prepare you for the kind of tasks that you will find in the two AZ-300 lab sections.

IMPORTANT!! Note that there are no longer exams in the AZ-300. This page will be retained in case they return, and also so that you can test your own knowledge and get broader portal experience if you find any gaps.

There are two lab sections in the exam:

  1. IaaS
  2. PaaS

These examples are a little more complicated than those you’ll find in the exams.

Most of the exam lab work is completed in the portal, but you may be asked to achieve something in the Cloud Shell. The question will stipulate either Azure CLI or PowerShell.


Provision services in the portal to understand the available options. Combine your architectural knowledge whilst reading the docs to determine why certain options would be selected.

Put yourself in the position of an examiner. What knowledge could you test for? How would you test for it? And therefore what do you need to remember?

As a student then be effective with your time. Aim for the minimum effort to achieve the objectives. Don’t over-engineer!

Configuration is programmatically assessed after each section. Order of completion is not important, but make sure all tasks are completed before clicking on done.

Don’t configure the Cloud Shell before being asked to do so. There will be specific instructions and you cannot reconfigure.

There have been some technical issues with the labs which are under continual improvement. If something happens during your test then speak with the proctor. They can normally resume the session in a new tab with little loss of time. However, you should ask for additional time to be added if the host server needs to be rebooted.

Azure CLI

  1. Start Cloud Shell in Bash mode for the Azure CLI
  2. Type az to show the first level
  3. Type az network --help to see what is available at the second level
  4. Type az disk create --help to see full command help and examples
  5. Type az find subnet to show common commands that include the string “subnet”

You won’t be asked to do anything too complex such as JMESPATH queries or integrating with scripting via the different output types.


  1. Switch the Cloud Shell to PowerShell mode
  2. Note that the cmdlets have been updated from AzureRM to Az
  3. Type help
  4. Type help disk to show all cmdlets that include disk in the cmdlet name or description
  5. Type help New-AzDisk to see full cmdlet help and example

Again, the questions will only ask for simple one line cmdlet execution, so no scripting, objects, etc.

Getting started


  • We will be working exclusively in West Europe unless otherwise stated
  • All resources will be created in the “practice” resource group unless otherwise stated
  • Skip the AAD and RBAC steps if you have insufficient access


  1. Verify that there is an AAD group called Exam Practice
    1. If not then create one if you have permissions
    2. Become an owner for the group
  2. Provision a resource group called “practice”
    1. Add tags for
      1. Owner: <your name>
      2. Environment: training
  3. Allow any members of the “Exam Practice” group to start, stop or reboot virtual machines that are in the “practice” resource group
    1. Use a built in role
    2. Use principle of least privilege

IaaS Networking


  • All vNets are named vNetX, where X is a number, and are /16
  • The second octet in the address space for the vNets will match the vNet number X
  • Subnets are named subnetY (where Y is a number)
  • Third octet in the address prefix for a subnet will be Y
  • Subnets will have a subnet mask of
  • Note that you won’t be completing the connections to (the imaginary) on premise devices in these labs


  1. Provision a vNet called vnet0, with namespace
    1. this will be your hub vNet in a hub and spoke config
    2. we’ll create a VPN gateway later; so create a suitable subnet with address prefix of
    3. create an Azure Firewall called “firewall” (
  2. Deploy a VPN Gateway called vpngw (don’t wait for it to finish)
    1. the customer does not yet understand their traffic requirements
    2. there are two on premise VPN devices, requiring IKEv2
    3. they use BGP, and have requested you specify AS number 65515
    4. the customer is concerned about Azure datacentre failure and minimising any downtime
  3. Add two spoke vNets, called vnet1 and vnet2
    1. vNet1 needs one subnets, subnet1
    2. vNet2 needs two subnets, subnet2 and subnet3
  4. vNet peer both spokes vNets to the hub vNet
    1. resources in vnet1 should not be able to talk to resource in vnet2, and vice versa
    2. the spoke vNets will use the hub for on prem traffic
    3. note that you won’t be able to configure this until the VPN Gateway has been successfully deployed
  5. Create static route table called “spoke”
    1. Via the VPN gateway to reach on prem address space
    2. Via the firewall for default traffic
    3. Use in both spoke vNets
  6. Add a “mgmt” vNet ( that can access the spoke vNets
    1. VMs in the mgmt vNet should not be accessible from the spokes

Iaas VMs


  • Ubuntu 18.04 latest is the default image, B1s is the default VM size
  • The customer application is architected to scale over multiple VMs
  • IOPS and throughput requirements are low unless stated otherwise
  • No public IPs, NSGs or data disks during VM creation unless specified
  • Use admin username “practice” and password “Pi=3.1415927”


  1. Deploy a single VM called ‘vm’
    1. Requires a 99.9% availability SLA
    2. Attach to subnet1 in vnet1
    3. Allow TCP port 22 if coming from within the vNet
    4. Block all other incoming traffic except on port 8443

Iaas Storage


  • None


  1. Create a storage account, name starts with sa1
    1. Needs to support file, blob and table storage
    2. General purpose, accessed by multiple servers and applications
  2. Create a storage account, name starts with sa2
    1. Longer term storage area with large blobs
    2. Cost sensitive
    3. Infrequent reads
    4. Data must be accessible in North Europe upon regional application failover
  3. Create a storage account, name starts with sa3
    1. Support file storage
    2. High performance required
    3. Low latency reads required

PaaS Web Apps


  • Your subscription may not have Microsoft.Insights registered as a provider. If that is the case then find Subscriptions in the search bar, filter to fine Microsoft.Insights and then register. It will take a few minutes. (In the labs all of the required providers should be pre-registered for you.)


  1. Create a Linux web app
    1. Running a NodeJS 10.14 based website
    2. Needs to be able to scale the underlying instances up and down based on site demand
    3. Application is CPU bound and a server starts to slow down when CPU is over 85% for more than 5 minutes. Anything under 40% is considered candidate for scaling down
    4. Customer has registered a domain to use for the site; it won’t be configured in this lab but select a SKU that can support that configuration
    5. All http URLs should redirect to https


A few things to remember for Web Apps:

  • A single “App Service Plan” can host multiple Web Apps also called “App Services” or sites
  • App Service Plans have pricing tiers (also called SKUs) that define both compute resources and features available
  • Scaling is at the App Service Level not the web app, either Scale Up (pricing plan) or Scale Out (number of instances)
  • Auto scaling is only possible on certain levels of pricing tiers
  • Consumption is a special type/tier of App Service Plan only used by Functions

Compare Web App features:

  • Windows App Service
    • Bring your code (FTP, git, Bitbucket, zipdeploy)
    • App is run inside Windows IIS sandbox
    • .NET Classic, .NET Core, Node.js, PHP (Python & Java supported but NOT recommended)
  • Linux App Service – Publish Code
    • Bring your code (FTP, git, Bitbucket, zipdeploy)
    • App is run Linux Container running a predefined “stack”
    • .NET Core, Node.js, PHP, Java, Python, Ruby
  • Linux App Service – Publish Container
    • Bring your own prebuilt Docker Linux container image
    • Support anything that runs in a container with HTTP/S traffic
  • Windows App Service – Publish Container (PREVIEW)
    • As Linux but runs Windows containers, only use if Windows Containers is a requirement for your app

PaaS Functions


  • Your function names will need to be globally unique
  • Configure storage to use your sa1 storage account


  1. Create a .Windows function app
    1. Running 64 bit .NET Core code
    2. Needs to be “warm” for good user experience on a high profile application
    3. Ensure FTP deployments are secure and HTTP is v2.0
  2. Create a Linux function app
    1. Running Python code
    2. Low cost
    3. Infrequently triggered



  • None


  1. The customer wishes to host private DNS records in Azure without running a domain controller
    1. Specify a globally unique test domain suffix i.e.
    2. Create a record for for the load balancer’s public IP address
    3. It is important that the public IP address does not change

PaaS Container Instances



The team wants to test that their new application runs in a container.

  1. Create an Azure Container Registry to store the application container image
  2. Use Azure Cloud Shell to build example app image from and push to ACR
    • Tip: The Azure CLI az acr build command lets you build directly from a Git URL and pushes it into the ACR
  3. Deploy ACI instance of the newly built image, make sure it has a public IP
    • Tip: It runs on port 8000
  4. Access the app in your browser to validate it has deployed and started

Additional Resources

Make use of these resource to help address any gaps in your knowledge of the AZ-300 topics.


Leave a comment