This chapter covers two critical Azure compute lifecycle capabilities: disk snapshots and custom VM images. These are distinct but complementary technologies: snapshots capture point-in-time disk states for backup and recovery, while custom images capture a generalized VM configuration for rapid, consistent deployment. Together, they form the backbone of disaster recovery, scaling, and DevOps pipelines. On the AZ-104 exam, approximately 15–20% of compute questions touch on snapshots or images, often in scenarios involving backup strategies, VM scaling, or Azure Policy enforcement. You will be tested on differences between managed and unmanaged snapshots, how to generalize a VM, the sysprep process, and when to use snapshots versus images versus Azure Backup. This chapter provides the deep, mechanism-level understanding needed to answer these questions confidently.
Jump to a section
A disk snapshot is like a freeze-frame photograph of a whiteboard during a brainstorming session. When you take a photo, you capture the exact state of every marker stroke on the board at that moment. Later, you can print that photo and redraw the board exactly as it was, but the photo itself doesn't record every single pen movement that happened before; it only stores the final image. Similarly, an Azure managed disk snapshot is a point-in-time, read-only copy of a disk's data. Under the hood, Azure uses Copy-on-Write (CoW) technology: when a snapshot is taken, Azure does not copy the entire disk immediately. Instead, it records a pointer to the original disk blocks. The first time a block is modified after the snapshot, the original block is copied to the snapshot storage before the write proceeds. This means the snapshot only contains the blocks that changed after it was taken, combined with pointers to unchanged blocks on the source disk. The snapshot is stored as a managed resource, independent of the source disk, and can be used to create a new disk or restore a disk to that exact state. The analogy breaks if you think the photo captures the entire board at once — it does, but only the changed portions are physically stored new; the rest is a reference back to the original. Azure snapshots have a default retention of 30 days when used with backup policies, but they persist until explicitly deleted. Deleting the source disk does not delete the snapshot; they are independent resources. However, if the source disk is deleted, the snapshot's pointers to unchanged blocks become orphaned, but the snapshot still retains a full copy of all data blocks that were changed after the snapshot, plus any blocks that were read from the source before deletion. In practice, Azure snapshots are stored in the same storage account type as the source disk (Standard HDD, Standard SSD, or Premium SSD) and incur costs based on the storage used. They are ideal for quick backups before maintenance, but not for long-term archival due to cost. The exam tests that snapshots are incremental by default for managed disks, but full for unmanaged disks.
What Are Disk Snapshots and Why Do They Exist?
A disk snapshot is a read-only, point-in-time copy of a virtual hard disk (VHD) used by an Azure VM. Snapshots exist to provide fast, low-cost backup and restore capabilities without needing to copy the entire disk. They are essential for protecting against data corruption, accidental deletion, or configuration errors before applying updates. Snapshots are also used to create new disks from a specific state, such as before a risky change.
Custom VM images, on the other hand, are generalized VM configurations that include the OS, applications, and settings, stripped of machine-specific identifiers (like SID, hostname). Images enable rapid, consistent deployment of multiple VMs with identical configurations. They are fundamental for scaling out workloads, creating development/test environments, and implementing infrastructure-as-code.
How Snapshots Work: The Mechanism
Azure snapshots use Copy-on-Write (CoW) technology for managed disks. When you create a snapshot of a managed disk, Azure does not immediately copy all data blocks. Instead, it creates a differential snapshot: it records a mapping of which blocks existed at snapshot time. The snapshot initially shares the same underlying storage blocks as the source disk. When a write occurs to a block on the source disk after the snapshot, the original block is copied to the snapshot storage before the write proceeds. This ensures the snapshot always reflects the state at the time of creation, without blocking writes.
For unmanaged disks (stored in a storage account as page blobs), snapshots are full copies by default. Azure creates a new page blob and copies all data. This is slower and more expensive than managed disk snapshots. The exam frequently tests this distinction: managed disk snapshots are incremental; unmanaged disk snapshots are full.
Key Components and Defaults
Snapshot Type: Managed disk snapshots are incremental. Unmanaged disk snapshots are full.
Storage: Snapshots are stored in the same storage tier as the source disk (Standard HDD, Standard SSD, Premium SSD). You can change the tier when creating a snapshot.
Cost: You pay only for the storage used by changed blocks. For incremental snapshots, the first snapshot may be as large as the source disk, but subsequent snapshots are smaller.
Retention: Snapshots persist until deleted. There is no default retention period; they are not automatically deleted unless part of a backup policy.
Performance: Creating a snapshot does not impact disk I/O performance; it is instantaneous from the user perspective. However, restoring a disk from a snapshot involves copying data, which takes time proportional to the size of changed blocks.
Limits: You can have up to 200 snapshots per subscription per region. Snapshots cannot be shared across regions unless copied.
Configuration and Verification Commands
To create a snapshot of a managed disk using Azure CLI:
az snapshot create \
--resource-group myResourceGroup \
--name mySnapshot \
--source myDiskFor a specific source disk ID:
diskId=$(az disk show --resource-group myResourceGroup --name myDisk --query id --output tsv)
az snapshot create \
--resource-group myResourceGroup \
--name mySnapshot \
--source $diskIdTo create a disk from a snapshot:
az disk create \
--resource-group myResourceGroup \
--name myNewDisk \
--source mySnapshotTo attach the disk to a VM:
az vm disk attach \
--resource-group myResourceGroup \
--vm-name myVM \
--name myNewDiskUsing PowerShell:
$disk = Get-AzDisk -ResourceGroupName myResourceGroup -DiskName myDisk
$snapshot = New-AzSnapshotConfig -Location $disk.Location -SourceUri $disk.Id -CreateOption Copy
New-AzSnapshot -ResourceGroupName myResourceGroup -SnapshotName mySnapshot -Snapshot $snapshotCustom VM Images: Generalized vs Specialized
A custom VM image is created from a generalized VM. Generalization removes machine-specific information using Sysprep (for Windows) or waagent -deprovision (for Linux). The process:
1. Run Sysprep with /generalize /shutdown on Windows. This resets the Security Account Manager (SAM), clears event logs, and prepares the OS for imaging.
2. Run sudo waagent -deprovision+user on Linux. This deletes SSH host keys, resets configuration, and prepares the VM.
3. After generalization, the VM is stopped and deallocated.
4. Capture the image using the Azure portal, CLI, or PowerShell.
Azure CLI command to capture an image:
az vm deallocate --resource-group myResourceGroup --name myVM
az vm generalize --resource-group myResourceGroup --name myVM
az image create \
--resource-group myResourceGroup \
--name myImage \
--source myVMThe image is stored as a managed resource in the same region. You can then create VMs from it:
az vm create \
--resource-group myResourceGroup \
--name myNewVM \
--image myImage \
--admin-username azureuser \
--generate-ssh-keysInteraction with Related Technologies
Azure Backup: Uses snapshots as part of backup policies. Recovery Services Vault stores snapshots with a retention of up to 30 days by default (configurable). Azure Backup uses incremental snapshots for managed disks.
Azure Site Recovery (ASR): Replicates VMs to another region using continuous replication, not snapshots. Snapshots are used for crash-consistent or app-consistent recovery points.
VM Scale Sets: Custom images are ideal for scale sets because they ensure all VMs are identical. Snapshots are not used directly for scale sets.
Azure Policy: You can enforce that all disks have snapshots or that images are from approved sources.
Key Differences: Snapshot vs Image
Purpose: Snapshot captures disk state; image captures full VM configuration (OS + data disks).
Generalization: Snapshot does not require generalization; image does (unless specialized).
Reusability: Snapshot creates one disk; image creates multiple VMs with identical configuration.
Data disks: Snapshots can include data disks; images capture only the OS disk unless you specify data disks.
Cost: Snapshots are incremental and cheaper for backups; images are full copies and cost more.
Exam Traps and Common Mistakes
Trap 1: Assuming snapshots are full copies. For managed disks, they are incremental. For unmanaged disks, they are full.
Trap 2: Thinking you can restore a VM directly from a snapshot. You must create a disk from the snapshot, then attach it to a VM.
Trap 3: Confusing generalized image with specialized image. A specialized image retains machine-specific info and is used for disaster recovery, not scaling.
Trap 4: Believing snapshots are automatically deleted when the source disk is deleted. They are independent and must be manually removed.
Trap 5: Assuming you can create a snapshot of a VM while it is running without coordination. For OS disk, you should stop the VM for consistency. For data disks, you can use application-consistent snapshots with the Volume Shadow Copy Service (VSS) on Windows.
Create a Snapshot of a Managed Disk
First, ensure the source disk exists. For the OS disk, it is recommended to stop/deallocate the VM to ensure data consistency. Use Azure CLI: `az snapshot create --resource-group myRG --name mySnapshot --source myDisk`. Azure initiates a Copy-on-Write operation: it records the current block mapping. The snapshot is created instantly (milliseconds) regardless of disk size. The snapshot resource is created in the same region as the source disk by default. You can monitor progress with `az snapshot show`. The snapshot is stored as a managed resource; you pay for the storage used. If the source disk is a Premium SSD, the snapshot will also be Premium SSD unless you specify a different SKU. The snapshot is read-only; you cannot write to it directly. This step is tested on the exam for command syntax and prerequisites.
Create a Disk from a Snapshot
Use `az disk create --resource-group myRG --name myNewDisk --source mySnapshot`. Azure copies the snapshot data to a new managed disk. The copy operation is asynchronous and takes time proportional to the size of changed blocks. For large snapshots (e.g., 1 TB), this can take minutes to hours. The new disk is created in the same region and availability zone as the snapshot, but you can specify a different zone. The disk creation does not require the source VM to be running. The new disk is a full, writable copy. You can then attach it to a VM with `az vm disk attach`. The exam may ask about the time required or the fact that the source snapshot persists.
Attach the New Disk to a VM
Attach the newly created disk to an existing VM using `az vm disk attach --resource-group myRG --vm-name myVM --name myNewDisk`. The VM must be in the same region and availability zone as the disk. The disk can be attached as OS disk or data disk. If attaching as OS disk, you must first stop and deallocate the VM, then detach the old OS disk. The disk attachment is a metadata operation; it takes a few seconds. The VM can then be started. The data on the disk is exactly as it was at snapshot time. The exam tests that you cannot attach a disk to a VM in a different region without copying the snapshot first.
Generalize a VM for Image Creation
For Windows, connect to the VM and run `sysprep /generalize /shutdown` from an elevated command prompt. Sysprep removes machine-specific security identifiers (SIDs), clears event logs, and resets the SAM. The VM shuts down automatically. For Linux, run `sudo waagent -deprovision+user` to deprovision the agent and delete SSH host keys. Then stop the VM with `az vm deallocate`. Do not skip deallocation; the image capture will fail if the VM is running. The generalization process is irreversible; you cannot restore the original VM state without a snapshot. The exam tests the specific command and the order: sysprep/deprovision first, then deallocate, then capture.
Capture a Custom Image from the Generalized VM
After generalization and deallocation, use `az image create --resource-group myRG --name myImage --source myVM`. Azure creates a managed image resource that contains the OS disk and optionally data disks. The image is stored as a snapshot-like resource in the same region. You can then create new VMs from this image using `az vm create --image myImage`. The image is a full copy; it can be used to create many VMs. The original generalized VM can be deleted after capture, but the image remains. The exam tests that you cannot capture an image from a running VM or from a specialized VM without generalization.
In a typical enterprise scenario, snapshots are used for pre-maintenance backups. For example, before applying a critical security patch to a production SQL Server VM, the DBA takes a snapshot of the OS and data disks. If the patch causes issues, the DBA can quickly create new disks from the snapshots and attach them to a new VM, restoring the database to the pre-patch state. This process takes minutes, whereas a full backup restore from Azure Backup could take hours. However, snapshots are not a replacement for Azure Backup because they lack long-term retention and cross-region redundancy. In practice, snapshots are often used in conjunction with Azure Backup for tiered protection: snapshots for quick recovery, backup for archival.
Another scenario involves custom images for scaling out a web application. The DevOps team builds a golden image with the OS, IIS, and application code. They generalize the VM and capture an image. Using Azure DevOps, they deploy a VM Scale Set referencing this image. When demand spikes, the scale set automatically creates new VMs from the image, ensuring identical configuration. The team updates the image monthly by patching the source VM, re-generalizing, and updating the image. They use Azure Policy to enforce that all web VMs must be from the approved image. Common misconfigurations include forgetting to deallocate before capture, which results in a failed capture, or not running sysprep, which leads to duplicate SIDs and domain join issues.
A third scenario involves disaster recovery. A company replicates VMs to a secondary region using Azure Site Recovery. For application-consistent recovery points, they use snapshots with VSS on Windows. The snapshot ensures that the database files are in a consistent state. Without VSS, the snapshot would be crash-consistent, which might require database recovery on failover. The exam tests the difference between crash-consistent and app-consistent snapshots.
The AZ-104 exam tests snapshots and custom images under Objective 3.1: Create and configure virtual machines. Specific sub-objectives include: 3.1.2 Configure high availability and scaling (images for scale sets), 3.1.3 Deploy and manage virtual machines (snapshots for backup). Questions often present a scenario: 'You need to create multiple VMs with identical configurations. What should you use?' The correct answer is a custom image, not a snapshot. Many candidates choose snapshot because they think it captures the entire VM, but a snapshot only captures disk state, not the generalized OS configuration.
Another frequent question: 'You need to back up a VM before applying an update. What is the fastest method?' Answer: a snapshot. Candidates often choose Azure Backup, but snapshots are faster because they are incremental and do not require a vault. However, snapshots do not provide long-term retention. The exam may ask about retention: snapshots persist until deleted, while Azure Backup has configurable retention.
Common trap: 'You have a managed disk snapshot. Can you create a VM directly from it?' No. You must first create a disk from the snapshot, then create a VM from that disk. Many candidates think you can create a VM directly, but that is only possible with images.
Edge case: 'You have an unmanaged disk snapshot. Is it incremental?' No, unmanaged disk snapshots are full copies. This is a key differentiator. The exam loves to test managed vs unmanaged.
Another edge case: 'You need to share a snapshot across regions.' You must copy the snapshot to the target region using az snapshot copy. Snapshots are regional resources.
Specific numbers: Maximum 200 snapshots per subscription per region. Default snapshot storage tier is the same as source disk. Sysprep /generalize /shutdown is the exact command. waagent -deprovision+user for Linux.
How to eliminate wrong answers: If the question mentions 'multiple identical VMs', eliminate snapshots. If 'point-in-time backup', eliminate images. If 'cross-region', eliminate snapshots unless copy is mentioned. If 'generalization', eliminate snapshots.
Managed disk snapshots are incremental; unmanaged disk snapshots are full copies.
You cannot create a VM directly from a snapshot; create a disk first.
Custom images require the source VM to be generalized and deallocated.
Sysprep /generalize /shutdown is the Windows command; waagent -deprovision+user for Linux.
Snapshots persist independently of the source disk; deleting the source does not delete snapshots.
Maximum of 200 snapshots per subscription per region.
Snapshots are regional; copy to another region for cross-region use.
Azure Backup uses snapshots but adds long-term retention and vault storage.
Custom images are ideal for VM Scale Sets to ensure identical configurations.
The exam tests the difference between snapshot and image in scenario-based questions.
These come up on the exam all the time. Here's how to tell them apart.
Managed Disk Snapshot
Incremental, uses Copy-on-Write; fast creation.
Captures only disk state; no OS generalization.
Can be used to create a disk for restore or attach.
Costs based on changed blocks; cheaper for short-term.
Cannot create multiple VMs directly; must create disk per VM.
Custom VM Image
Full copy of OS and data disks; takes time to create.
Requires VM generalization (Sysprep or waagent).
Can create multiple VMs directly from the image.
Costs based on full size; more expensive for storage.
Ideal for scaling out identical VMs (e.g., scale sets).
Mistake
Snapshots are full copies of the disk and take as long to create as copying the entire disk.
Correct
For managed disks, snapshots are incremental and use Copy-on-Write, so creation is nearly instantaneous regardless of disk size. The first snapshot may appear full-sized, but subsequent snapshots only store changed blocks.
Mistake
Deleting the source disk automatically deletes its snapshots.
Correct
Snapshots are independent resources. Deleting the source disk does not delete the snapshot. The snapshot retains all data blocks that were changed after creation, plus pointers to unchanged blocks that become orphaned but still accessible.
Mistake
You can create a VM directly from a snapshot using the Azure portal or CLI.
Correct
You cannot create a VM directly from a snapshot. You must first create a managed disk from the snapshot, then create a VM and attach that disk as the OS disk. The only way to create a VM directly is from an image.
Mistake
A custom image can be created from a running VM without generalization.
Correct
To create a custom image, the VM must be generalized (Sysprep for Windows, waagent -deprovision for Linux) and then deallocated. Attempting to capture a running or specialized VM will fail. The exam tests this exact prerequisite.
Mistake
Snapshots and Azure Backup are interchangeable for disaster recovery.
Correct
Snapshots provide fast, point-in-time recovery but lack cross-region redundancy, long-term retention, and application-consistent backup for databases. Azure Backup provides these features and is designed for comprehensive disaster recovery. Snapshots are best for short-term pre-maintenance backups.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, you can take a snapshot of a running VM, but it is recommended to stop the VM for OS disk snapshots to ensure data consistency. For data disks, you can use application-consistent snapshots with VSS on Windows. If you snapshot a running VM without coordination, the snapshot may be crash-consistent, which is acceptable for some workloads but may require file system checks on restore.
First, create a managed disk from the snapshot using `az disk create --source mySnapshot`. Then, create a VM and attach that disk as the OS disk using `az vm create --attach-os-disk myNewDisk`. Alternatively, you can create a new VM and then attach the disk as a data disk. You cannot create a VM directly from a snapshot; an image is required for that.
A generalized image has been prepared with Sysprep (Windows) or waagent -deprovision (Linux) to remove machine-specific information like SID, hostname, and SSH keys. It is used to create multiple identical VMs. A specialized image retains machine-specific info and is used for disaster recovery or migrating a VM. You cannot create multiple VMs from a specialized image without conflicts.
Use `az snapshot copy` with the `--source-snapshot` and `--target-snapshot` parameters, specifying the target region. For example: `az snapshot copy --source-snapshot mySnapshot --source-resource-group myRG --target-snapshot mySnapshotCopy --target-resource-group myTargetRG --target-region westus`. The copy is asynchronous and may take time.
No, snapshots persist until explicitly deleted. They do not have a default retention period. However, if you use Azure Backup, the backup policy defines retention for snapshots stored in the Recovery Services vault. Standalone snapshots are not automatically cleaned up.
Yes, you can share a snapshot by generating a Shared Access Signature (SAS) URL using `az snapshot grant-access`. The SAS URL provides temporary, read-only access to the snapshot. The recipient can then use the URL to copy the snapshot to their subscription. Alternatively, you can use Azure RBAC to grant permissions to the snapshot resource.
You pay for the storage used by the snapshot. For incremental snapshots, the first snapshot may be as large as the source disk, but subsequent snapshots only store changed blocks. The cost is based on the storage tier (Standard HDD, Standard SSD, Premium SSD). You can reduce costs by using Standard HDD for snapshots if the source is Premium SSD, but restore performance may be slower.
You've just covered Disk Snapshots and Custom VM Images — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?