This chapter covers Azure Functions from an Azure Administrator's perspective, focusing on what you need to know for the AZ-104 exam. Azure Functions is a serverless compute service that lets you run code in response to events without managing infrastructure. Expect 5-10% of exam questions to touch on serverless compute, including Azure Functions and Logic Apps. You'll need to understand hosting plans, scaling, triggers and bindings, and how to monitor and secure function apps.
Jump to a section
An Azure Function is like a fully automated vending machine. You (the developer) stock the machine with snacks (your code) and define the price and dispensing logic (the function's trigger and binding). When a customer inserts money and presses a button (an event, like an HTTP request or a new queue message), the machine instantly executes the mechanical process: it checks the selection, verifies payment, dispenses the snack, and returns change if any. The machine only runs when someone makes a purchase—it sits idle otherwise, consuming no power. If a hundred customers press the same button simultaneously, the machine can process multiple orders in parallel, each in its own compartment (scaling out). The machine has no memory of previous customers—it's stateless. If you want to offer a free sample, you can set the price to zero (a timer trigger that runs on a schedule). The machine's internal workings (the runtime) are hidden; you only care about the snack and the button. This is exactly how Azure Functions work: event-driven, stateless, automatically scaled, and billed only for execution time.
What Are Azure Functions?
Azure Functions is a serverless compute service that enables you to run small pieces of code (called functions) in response to events. Unlike virtual machines or App Service plans, you do not manage the operating system, runtime, or scaling. The platform handles all infrastructure concerns, allowing you to focus on code. Functions can be written in multiple languages: C#, JavaScript, Python, Java, PowerShell, and TypeScript.
Why Serverless?
Serverless computing abstracts away the server. You are billed only for the time your code executes (consumption plan) or for a pre-provisioned plan (premium/dedicated). This model is ideal for sporadic workloads, microservices, and event-driven architectures. For example, processing an image when it's uploaded to Blob Storage, or responding to an HTTP request.
How Azure Functions Work
When an event occurs (e.g., a message arrives in a queue), the Functions runtime invokes the appropriate function. The function executes and may produce output (e.g., write to a database). The runtime handles scaling automatically: if many events arrive simultaneously, the runtime creates more instances of the function app. The function must be stateless—any state should be stored externally (e.g., in Azure SQL, Cosmos DB, or Blob Storage).
Key Components
- Function App: A container for one or more functions. It defines the runtime environment, hosting plan, and common settings. - Triggers: Define how a function is invoked. Common triggers: HTTP, Timer, Blob, Queue, Event Grid, Service Bus, Cosmos DB. - Bindings: Connect your function to other Azure services for input or output without writing connection code. For example, an input binding can read from Blob Storage; an output binding can write to a queue. - Hosting Plans: - Consumption Plan: Default. Scales automatically based on demand. You pay only for execution time (per second) and number of executions. Cold start can occur (up to 10 seconds). - Premium Plan: Pre-warmed instances to avoid cold starts. Scales out to more instances. VNet integration. Billed per second for baseline instances and execution time. - App Service Plan (Dedicated): Runs on a VM that you manage. Predictable pricing. No cold starts. Good for long-running functions (up to 230 minutes).
Defaults and Limits
Timeout: Consumption plan: 5 minutes (can be increased to 10 minutes for HTTP functions). Premium: 30 minutes (unlimited for Premium v3). Dedicated: up to 230 minutes.
Max instance count: Consumption: 200 instances per function app. Premium: 100. Dedicated: depends on plan.
Max function app size: 1 GB (consumption), 14 GB (premium/dedicated).
Concurrent executions per instance: 1 (default) but configurable up to 100 for some languages.
Storage account: Required for the function app runtime. Must be a general-purpose Azure Storage account (Blob, Queue, Table).
Creating an Azure Function
Using Azure CLI:
az group create --name MyResourceGroup --location eastus
az storage account create --name mystorageaccount --location eastus --resource-group MyResourceGroup --sku Standard_LRS
az functionapp create --resource-group MyResourceGroup --consumption-plan-location eastus --runtime dotnet --functions-version 4 --name MyFunctionApp --storage-account mystorageaccountThis creates a function app in the Consumption plan. The --storage-account is required for internal operation (e.g., storing function code and metadata).
Triggers and Bindings
Triggers and bindings are defined in the function's configuration (function.json) or via attributes in code. For example, a Blob trigger function in C#:
public static void Run(Stream myBlob, string name, ILogger log)
{
log.LogInformation($"C# Blob trigger function Processed blob
Name:{name}
Size: {myBlob.Length} Bytes");
}The trigger is defined in function.json:
{
"bindings": [
{
"name": "myBlob",
"type": "blobTrigger",
"direction": "in",
"path": "samples-workitems/{name}",
"connection": "AzureWebJobsStorage"
}
]
}Scaling Behavior
In the Consumption plan, the Azure Functions scale controller monitors the trigger's event rate. For a queue trigger, it polls the queue length. When a message appears, it creates a function instance. If many messages arrive, it creates more instances, up to 200. Each instance processes one message at a time by default. The scale controller uses a threshold: if the queue length exceeds 1,000 messages, it adds instances aggressively.
Monitoring and Logging
Application Insights: Integrated monitoring. Provides metrics like function execution count, duration, failures, and live telemetry.
Azure Monitor: Alerts on metrics like function failure count, HTTP 5xx errors.
Streaming logs: Real-time logs via Azure Portal or CLI.
az webapp log tail --resource-group MyResourceGroup --name MyFunctionAppSecurity
Authentication/Authorization: Azure AD, Facebook, Google, Twitter, Microsoft Account. Configured in the function app settings.
Access keys: HTTP triggers require a function key or host key. Keys are stored in the function app's Azure Storage.
VNet Integration: Only available in Premium and Dedicated plans.
Interaction with Other Azure Services
Functions are often used with: - Azure Logic Apps: Orchestrate multiple functions and services visually. - Azure Event Grid: Trigger functions on events from Azure resources. - Azure Cosmos DB: Input/output bindings for NoSQL operations. - Azure Service Bus: Trigger on queue/topic messages.
Best Practices for Administrators
Use Managed Identity for accessing other Azure resources instead of connection strings.
Enable Application Insights for all function apps.
Set appropriate timeout values based on function duration.
For production, consider Premium plan to avoid cold starts and enable VNet connectivity.
Monitor function app health using Azure Monitor alerts.
Create a Function App
In the Azure Portal, navigate to 'Create a resource' and select 'Function App'. Choose a unique name, select a runtime stack (e.g., .NET 6), version (e.g., 4), and region. For the hosting plan, select 'Consumption (Serverless)' for pay-per-execution. Create a new storage account or reuse an existing one. Review and create. This step provisions the Azure resources needed: a storage account, the function app container, and a hosting plan. The storage account is critical—it stores function code, logs, and runtime state. Without it, the function app cannot start.
Create a Function with Trigger
Inside the function app, click 'Functions' then 'Add'. Choose a trigger type: HTTP trigger for API endpoints, Timer trigger for scheduled tasks, or Blob trigger for file processing. For HTTP trigger, you can set authorization level (Anonymous, Function, Admin). The portal generates a function template with sample code. The trigger defines the event that invokes the function. For example, a Timer trigger uses a CRON expression to schedule execution. The function code is stored in the storage account's file share.
Configure Bindings
Bindings connect your function to Azure services without writing connection code. In the portal, under 'Integrate', you can add input or output bindings. For example, add an output binding to Azure Queue Storage. This requires a queue name and a storage account connection string. The binding is stored in function.json. When the function runs, the runtime automatically creates a queue message with the function's return value. Bindings reduce boilerplate and make code cleaner.
Test the Function
For HTTP trigger functions, you can get the function URL from the portal. Use curl or Postman to send a request. For example: `curl https://myfunctionapp.azurewebsites.net/api/HttpTrigger1?code=YOUR_FUNCTION_KEY`. The function executes and returns a response. For Timer or Blob triggers, you can trigger manually by uploading a file or waiting for the schedule. Check the 'Monitor' tab to see execution logs and success/failure status. Application Insights provides detailed telemetry if enabled.
Monitor and Scale
Use Azure Monitor to set up alerts on function failures or high execution count. In the Consumption plan, scaling is automatic. You can see scaling events in the 'Scale out' tab (Premium/Dedicated only). For troubleshooting, enable streaming logs via CLI: `az webapp log tail`. Common issues: timeouts (increase function timeout), cold starts (use Premium plan), and storage account throttling (use a separate storage account for the function app).
Enterprise Scenario 1: Image Processing Pipeline
A media company uploads thousands of images daily to Azure Blob Storage. They need to generate thumbnails and extract metadata. They deploy an Azure Function with a Blob trigger. When an image is uploaded to the images container, the function runs, creates a thumbnail using a .NET image library, and saves it to a thumbnails container. It also writes metadata to Cosmos DB. In production, they use the Premium plan to avoid cold starts because image uploads spike during business hours. They set the function timeout to 10 minutes to handle large images. They monitor using Application Insights and set up alerts if the failure rate exceeds 1%. Misconfiguration: If the storage account used for the function app is the same as the one being monitored, it can cause throttling. Best practice: use a separate storage account for the function app runtime.
Enterprise Scenario 2: Scheduled Data Sync
A financial services company needs to sync transaction data from an on-premises SQL Server to Azure SQL Database every hour. They create a Timer trigger function that runs every hour (CRON: 0 0 * * * *). The function uses a VNet-integrated Premium plan to securely connect to the on-premises database via a VPN gateway. It reads new transactions, transforms them, and writes to Azure SQL. They monitor execution duration and set alerts if it exceeds 50 minutes. Common issue: if the function takes longer than the timer interval, multiple instances can overlap, causing duplicate processing. Solution: use the Singleton attribute or queue-based processing.
Enterprise Scenario 3: Real-Time Order Processing
An e-commerce site processes orders via an HTTP-triggered function. When a customer submits an order, the function validates it, writes to a Service Bus queue for downstream processing, and returns a confirmation. They use the Consumption plan because traffic is unpredictable. During Black Friday, the function scales to 200 instances, handling thousands of orders per second. They use Managed Identity to access Service Bus instead of connection strings for security. Misconfiguration: if the function key is exposed in client-side code, attackers can invoke the function without authorization. Solution: use Azure AD authentication with App Service Authentication.
AZ-104 Exam Focus on Azure Functions
The exam objective 'Compute' includes 'Implement serverless computing with Azure Functions' (objective 3.3). You will be tested on:
Hosting Plans: Know the differences between Consumption, Premium, and App Service Plan. Common exam question: 'Which plan avoids cold starts and supports VNet integration?' Answer: Premium. Trap: 'App Service Plan also supports VNet, but it's not serverless.'
Triggers and Bindings: Recognize which trigger to use for a given scenario. Example: 'You need to process a message from Azure Queue Storage every time a new message arrives.' Answer: Queue trigger. Trap: 'Blob trigger' is for blob events, not queue.
Scaling Limits: Consumption plan max instances = 200. Premium max = 100. Dedicated depends on plan. Question: 'Your function app needs to handle 500 concurrent executions. Which plan supports this?' Answer: Consumption (up to 200 instances * 1 execution each = 200 concurrent, but you can increase concurrency per instance). Trap: 'Premium always supports more'—but Premium max instances is 100, so with default concurrency it's 100.
Timeout Values: Consumption: 5 min (HTTP: 10 min). Premium: 30 min. Dedicated: 230 min. Question: 'Your function runs for 15 minutes. Which plan must you use?' Answer: Premium or Dedicated. Trap: 'Consumption with 10 min HTTP timeout'—but 15 > 10.
Cold Start: The delay when a function is invoked after being idle. Premium plan eliminates cold starts with pre-warmed instances. Question: 'Which plan should you choose to minimize latency for a customer-facing API?' Answer: Premium.
Storage Account: Required for function app. Must be a general-purpose Azure Storage account. Question: 'You create a function app but it fails to start. What is the most likely cause?' Answer: Missing storage account or incorrect storage account type (e.g., BlobStorage only).
Authentication: HTTP triggers can use function keys, host keys, or Azure AD. Question: 'You want to secure an HTTP trigger so that only authenticated users from your Azure AD tenant can call it.' Answer: Enable App Service Authentication.
Common Wrong Answers:
Choosing 'App Service Plan' for serverless scenarios (it's not serverless; you pay for the VM).
Selecting 'Blob trigger' when the scenario describes a queue message.
Assuming Consumption plan supports unlimited execution time.
Thinking that VNet integration is available in Consumption plan (it's not).
Exam Numbers to Memorize:
Consumption plan timeout: 5 minutes (10 for HTTP)
Premium plan timeout: 30 minutes
Consumption max instances: 200
Premium max instances: 100
Function app size limit: 1 GB (Consumption), 14 GB (Premium/Dedicated)
Storage account type: General-purpose v2
Edge Cases:
If a function app is deleted and recreated with the same name, the storage account must be reused or a new one created.
Functions in a Consumption plan cannot use VNet integration without a Premium plan.
Timer triggers use CRON expressions; exam may ask 'Which CRON expression runs every 5 minutes?' Answer: 0 */5 * * * *
Elimination Strategy: For scenario questions, first identify the trigger type (HTTP, queue, blob, timer). Then consider scalability and timeout requirements. If the scenario mentions 'low latency' or 'no cold starts', eliminate Consumption. If it mentions 'VNet', eliminate Consumption. If it mentions 'long-running', eliminate Consumption (unless under 10 min).
Azure Functions runs code in response to events without managing infrastructure.
Three hosting plans: Consumption (serverless), Premium (no cold starts, VNet), App Service Plan (dedicated).
Consumption plan timeout: 5 minutes (10 for HTTP); Premium: 30 minutes; Dedicated: 230 minutes.
Consumption plan max instances: 200; Premium: 100.
Storage account is mandatory; must be general-purpose v2.
Triggers define the event that invokes a function (HTTP, Timer, Blob, Queue, etc.).
Bindings connect to Azure services without writing connection code.
VNet integration only in Premium and Dedicated plans.
Cold starts occur in Consumption plan; Premium eliminates them with pre-warmed instances.
Application Insights provides detailed monitoring and diagnostics.
These come up on the exam all the time. Here's how to tell them apart.
Consumption Plan
Pay only for execution time and number of executions.
Cold start can cause latency (up to 10 seconds).
Max timeout: 5 minutes (10 for HTTP).
Max instances: 200.
No VNet integration.
Premium Plan
Pay for pre-warmed instances plus execution time.
No cold starts due to always-ready instances.
Max timeout: 30 minutes (unlimited for Premium v3).
Max instances: 100.
Supports VNet integration.
HTTP Trigger
Invoked by an HTTP request (GET, POST, etc.).
Requires a function key or host key for security.
Returns an HTTP response immediately.
Best for REST APIs and webhooks.
Can be tested with any HTTP client.
Queue Trigger
Invoked when a new message arrives in an Azure Queue.
No keys needed; triggered by the queue event.
No direct response; output is via bindings.
Best for background processing and decoupling.
Scales based on queue length.
Mistake
Azure Functions always run on the Consumption plan by default.
Correct
The default plan is Consumption, but you can choose Premium or App Service Plan at creation time. The exam expects you to know when to use each plan.
Mistake
Functions can run indefinitely if needed.
Correct
Timeout limits apply: 5 minutes for Consumption (10 for HTTP), 30 minutes for Premium, 230 minutes for Dedicated. For long-running tasks, use Durable Functions or a different service.
Mistake
VNet integration is available in all hosting plans.
Correct
VNet integration is only available in Premium and Dedicated plans. Consumption plan functions cannot access resources inside a VNet unless you use a Premium plan or a hybrid connection.
Mistake
Storage account is optional for Azure Functions.
Correct
A storage account is mandatory. It stores function code, runtime state, and logs. Without it, the function app cannot start. The storage account must be a general-purpose account (Blob, Queue, Table).
Mistake
All triggers require a function key or host key.
Correct
Only HTTP triggers require keys (unless authentication is set to Anonymous). Other triggers (Blob, Queue, Timer) do not use keys; they are triggered by events from Azure services.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Functions are code-first: you write functions in languages like C# or Python to handle events. Logic Apps are designer-first: you create workflows visually using connectors. Functions are better for custom logic; Logic Apps are better for integrating SaaS services. For the exam, know that both are serverless but Logic Apps are more about orchestration.
Yes, with Azure Functions Runtime (on-premises) or via Azure Stack. However, for the exam, Azure Functions are primarily a cloud service. On-premises scenarios use Azure Arc or Azure Stack.
Use the Premium plan, which keeps instances warm. Alternatively, use a Timer trigger function to ping the function periodically (not recommended for production). The exam expects Premium as the solution.
It depends on the plan: Consumption: 5 minutes (10 for HTTP trigger), Premium: 30 minutes, App Service Plan: 230 minutes. For longer tasks, use Durable Functions or a different service.
Yes, but only in the Premium or App Service Plan. Consumption plan does not support VNet integration. Use Premium for VNet access with serverless benefits.
The scale controller monitors trigger events. For queue triggers, it checks queue length. If many events arrive, it adds instances up to the plan's maximum (200 for Consumption, 100 for Premium). Each instance processes one event at a time by default.
A general-purpose Azure Storage account (v2) that supports Blob, Queue, and Table storage. It is used for function code, runtime state, and logs. Premium storage accounts (BlockBlobStorage) are not supported.
You've just covered Azure Functions for Administrators — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?