Microsoft Certified Azure Security Engineer Associate

Exploring Certifications: Microsoft Azure Security Engineer Associate

November 26, 2024 / / 0 Comments

Who is this certification for?

This certification is for those who implement security measures in Azure. Unlike an architect certification, where a lot of the knowledge required is about planning and designing, the security engineer cert is more about getting in with the nuts and bolts of security.

We can think of someone who has gained the required knowledge to pass this exam can then be able to deploy and monitor in areas such as implementing security controls and set up identity and access permissions. Additionally, they will be able to safeguard data, applications, and networks across Azure, multi-cloud, and hybrid environments.

This exam and resulting qualification could therefore be described a security focused equivalent to the Azure Administrator certification.

Exam requirements

To obtain the Azure Security Engineer Associate certification, only one exam, AZ-500 is required. There are no prerequisites for taking the AZ-500 but if you haven’t already, passing AZ-900 and AZ-104 before attempting AZ-500 will give you a solid foundation and lot of confidence in knowing where to navigate to find features relevant to security posture.

Topics covered

The headline skills that make up the AZ-500 of expected knowledge areas are manage identity and access, secure networking, manage security operations and secure compute, storage, and databases. Each of them are roughly weighted around one quarter of the exam each. Let’s dive into each one individually and see what you can expect to see.

The manage identity and access topic unsurprisingly covers the various features and functionality of Microsoft Entra ID (formally Azure Active Directory). There is a section on managing identities which covers users management, groups, leveraging external identities and implementing Microsoft Entra Identity protection. The next section covered is manage authentication by using Microsoft Entra ID which includes the two methods for working with Active Directory identities – Entra connect and Entra cloud sync. This part also covers the methods used to authenticate the credentials between AD domain and an Entra tenant, namely password hash synchronisation, pass through authentication and Federation. The remainder of this important part covers technologies such as MFA, passwordless authentication, password protection, Entra ID single sign-on (SSO), Microsoft Entra Verified ID and modern authentication protocols. The final section of manage identity and access is Manage application access in Microsoft Entra ID – centred around Entra ID app registration, managed identities and service principals. This section, and the topic itself is concluded with Microsoft Entra Application Proxy.

Entra ID is an important subject area for any Azure Security Engineer.

The next topic in the AZ-500 learning path is a favourite of mine, networking. This is networking features in Azure with an emphasis on security. It is broken into 3 sections, the first of which is plan and implement security for virtual networks. For this part of the syllabus, the candidate is expected to know about Azure Virtual Networks, with a focus on Network Security Groups (NSGs), Application Security Groups (ASGs), User-Defined Routes (UDRs), Virtual Network peering, VPN gateways, Virtual WAN and ExpressRoute which includes demonstrating how to encrypt traffic over an ER circuit. This section is concluded with configuring firewall settings on PaaS resources and a describing each of the network monitoring and diagnostic tools and their use case. Next up is Plan and implement security for private access to Azure resources where we are looking at services including service endpoints, private link and private endpoints. Then the module looks at network integration for Azure App Service and Azure Functions before going on to look at network security configurations for an App Service Environment (ASE) and for Azure SQL Managed Instances. The subject of the final networking module is plan and implement security for public access to Azure resources. For this, we start with implementing Transport Layer Security (TLS) to applications, including Azure App Service and API Management followed by Azure Firewall, Azure Firewall Manager and firewall policies. The remainder of this module comprises of many of the Azure public facing load balancers and supporting services including Azure Application Gateway (including web application firewall (WAF) and Azure Front Door, (including Content Delivery Network (CDN). This module and networking as a whole, concludes by covering Azure DDoS Protection Standard.

The penultimate topic is Secure compute, storage, and databases and begins with a module entitled Plan and implement advanced security for compute. This contains security best practice for many Azure compute services. It discusses Azure Bastion and just-in-time (JIT) virtual machine (VM) access and then moves onto network isolation for Azure Kubernetes Service (AKS). Then there is coverage of securing Azure Kubernetes Service (AKS), Azure Container Instances (ACIs), Azure Container Apps (ACAs) and Azure Container Registry (ACR). The module is concluded with Azure Disk Encryption (ADE) and recommend security configurations for Azure API Management. The next module is Plan and implement security for storage. For this section, it describes securing the storage account itself, including account keys. Then it covers off selecting and configure an appropriate method for access to Azure files, blobs, tables and queues. Thereafter, the syllabus moves to methods for protecting against data security threats, including soft delete, backups, versioning and immutable storage followed by requiring the candidate has knowledge on brining your own key (BYOK). The storge section is concluded with enabling double encryption at the Azure Storage infrastructure level. Plan and implement security for Azure SQL Database and Azure SQL Managed Instance is the module that covers authentication, monitoring and auditing, some light coverage of Purview and wraps up with some key SQL DB security features; dynamic mask, transparent data encryption and Always Encrypted.

Knowledge on the different Defender products will be useful for exam success

Manage security operations concludes the topic headers for the current Microsoft Azure Security Engineer Associate syllabus. And to kick this off; the Plan, implement, and manage governance for security section begins with what is Azure governance, then covers core Azure services that provide guardrails against would-be compromised security posture. These include Azure Policy and Initiatives, Azure Blueprints, Azure Landing Zones and the largest topic for this part- Azure Key Vault. The second module is Manage security posture by using Microsoft Defender for Cloud. This gives us a high level overview of Defender for Cloud concepts such as secure score, adding industry and regulatory standards, custom initiatives, connecting hybrid cloud and multicloud environments and External Attack Surface Management (Defender EASM). If you made it this far, you have done well – just two more modules to go, starting with Configure and manage threat protection by using Microsoft Defender for Cloud. This one is a long one because of all the various components that make up Defender for cloud. They include enabling workload protection services, configuring Defender for servers and Defender for Azure SQL Database. A large part of this module pertains to setting up container security in Defender before moving on to sections that focus on Microsoft Defender Vulnerability Management, Defender for Storage, DevOps and GitHub security then concluding with security alerts, automation and evaluating vulnerability scans from Microsoft Defender for Server. The final module is configure and manage security monitoring and automation solutions which begins with Monitor security events by using Azure Monitor and concludes with the setup, alerting and automation of Microsoft Sentinel.

Exam hints and tips

Its worth knowing, that unlike many other tests you can take from any number of vendors, Microsoft exams are not there to trip you up. There are no trick questions so always go with the obvious answer, taking into account all parameters in the question. Whilst there are no trick questions, if you misread or skip a part of the question, this could alter what you think the answer is.

If you are new to cybersecurity or at least in the context of Azure and the Microsoft ecosystem, consider studying for and sitting the SC-900, Microsoft Certified: Security, Compliance, and Identity Fundamentals exam to ease you into this path. It gives a solid overview, builds confidence and if you take the exam and pass, you will have another certification to your name.

Microsoft exams test a candidate on services that are GA (generally available). They do not (should not) test on things that are in public or private preview. However, there have been a few exceptions to this rule where a product hasn’t technically left public preview but is a de facto solution now.

Be sure to check out more tips on the other certification posts. You can access them via the post archive.

Recommended resources

To start, please ensure you read through all the resources linked on the official Microsoft specific AZ-500 course.

You maybe unsurprised to know, that for excellent video learning, I will point you to John Savill’s AZ-500 playlist, which includes one of his famous crams, in this case, the AZ-500 study cram.

Applied skills complement certifications.
Image Credit: Microsoft

Be sure to try some of the security focused Microsoft Applied Skills. These lab based assessments will give you practical skills to solve security challenges you may encounter in real world scenarios.

Next steps

If you are working in cybersecurity or want to demonstrate a deeper knowledge of security matters that relate to the Microsoft stack, then consider the Microsoft Certified: Cybersecurity Architect Expert certification. This expert level exam will focus on designing the security infrastructure the engineers would roll out and maintain.
To obtain the Microsoft Certified: Cybersecurity Architect Expert cert, you need to pass the SC-100 exam plus one of the following:

Microsoft Certified: Azure Security Engineer Associate (exam AZ-500)
Microsoft Certified: Identity and Access Administrator Associate (exam SC-300)
Microsoft Certified: Security Operations Analyst Associate (SC-200)

You can take the SC-100 and AZ-500 for example in either order and once you have both, you will obtain the Microsoft Certified: Cybersecurity Architect Expert badge!

Azure Compute

Spotlight on : Azure Compute Services

June 2, 2024 / / 0 Comments

A core feature of any public cloud provider is compute. From heavyweight offerings like virtual machines through to serverless tech in the form of functions. Azure is no exception. In fact, the list of services for compute in Azure is extensive. Here we will explore those services, describing them, giving reasons why you might use a given solution and some use cases.

Virtual Machines

A great place to start is Virtual Machines. VMs have been the staple of on prem and co-lo solutions for many years. It was only natural that public clouds, Azure included would offer this. Falling under the category of infrastructure as a service (IaaS), a VM gives the administrator OS access (not the host OS, just the guest), meaning fine-grained environment settings can be made. However, with power comes responsibility – the administrator will be responsible for updating the OS and ensuring security settings are adequate.

You can run a variety of different Linux or Windows VMs from the Azure marketplace or using your own custom images. For those who have larger workloads, need to build in resiliency or have varying levels of traffic, Azure offers Virtual Machine Scale Sets (VMSS) which can be configured to create more VM instances based on metrics such as CPU use.

A huge number of general purpose and specialist VM SKUs are available

Choosing VMs as your compute solution could be driven by a desire to make the quickest migration from on prem to cloud (known as lift and shift), it could also be because of some legacy application that would be complex to move into a more cloud native solution.

Azure App Service

Azure app service allows you to host http(s) based services (websites and APIs) without the complexity of maintaining VMs or having to run docker images. This is a platform as a service (PaaS) that supports multiple programming languages including PHP, Java, Node.js and .net. With this service, you can run on Windows or Linux but all the OS is abstracted away and all you are left with is an environment to host and run your applications. There’s cool features like continuous integration and deployment with Azure DevOps, GitHub, BitBucket, Docker Hub or Azure Container Registry.

Organisations would use Azure app service to deliver website front ends, mobile backends or provide RESTful APIs for integration with other systems. By supporting multiple programming languages, has integration with Visual Studio and VS Code, and can work in DevOps pipelines, makes Azure app service popular and familiar for developers to use. Patching is done automatically and you can scale your application automatically to meet changing demands.

Azure Functions

Next up, we have Azure functions. Functions are what is known as a serverless application, in which code is run when a trigger such as a HTTP request, message queue, timer or event initiates it. This is perfect for short lived sporadic workloads because you are only charged during execution of your code on the back of trigger and not charged when the function is not running.

Azure functions supports multiple programming languages including Java, JavaScript, Python and C#. Generally these are stateless, meaning they hold no information from one trigger to the next, however there are durable functions which can retain information for future processing. Durable functions are an extension of Azure functions and have practical uses in various application patterns such as function chaining and fan out / fan in.

Functions generally play well for short-lived tasks. There is no need to stand up other compute services, only to have it sit idle for the majority of the time. Use cases include orchestrating some automation in a solution or initiating some data processing when new data becomes available. Generally, they form part of a larger, loosely coupled architecture, where services are independent allowing for modular development of a single part without affecting other parts. This enables resilience in the design, such as incorporating message queues, so if one part of the system becomes temporarily unavailable, the app as a whole can continue to run.

Azure Kubernetes Service

Kubernetes is a container orchestration system, originally designed by Google, it is now an open source solution that has become the de facto way to deploy, manage and scale containerised applications in the form of Kubernetes clusters. Kubernetes (also known as k8s) is an ideal solution for running apps using the microservices model.

Initial options for creating a AKS instance in the Azure Portal

Azure Kubernetes service (AKS), is Azure’s offering of Kubernetes in the cloud. By using AKS, it strips a lot of the control plane away and allows you to focus on deploying your application quickly. Being an Azure service, it plays nicely with other areas of Azure such as identity, networking, monitoring and more.

Almost any type of application could be run in containers, and when there’s a need to manage and monitor multiple containers for scale, security and load balancing, AKS provides these advantages. Essentially it is provisioning containerised microservices in a more sophisticated way than deploying and managing containers individually.

Azure Container Apps

For other container workloads that do not require all the features of Kubernetes, there is Azure Container Apps. This solution is a fully auto scaling solution, including scale down to zero instances, which makes this a serverless offering where required. You can auto scale based on HTTP traffic, CPU, memory load or event-based processing such as on-demand, scheduled, or event-driven jobs.

Under the hood, Azure Container Apps is powered by AKS but it is simplified so that deployment and management are a lot easier. When deploying your container, Azure Container Apps can create the TLS certificate, meaning you can use your application securely from the outset with no additional configuration. Dapr (Distributed Application Runtime) is also included in the service, allowing for ease of managing application states, secrets, inter-service invocation and more . With Azure Container Services, you can deploy in your Virtual network, giving you many options regarding routing, DNS and security.

Azure Container Apps are great when working on a multi-tiered project, such as a web front-end, a back-end, and a database tier in a microservices architecture.

Azure Container Instances

Another service for containers in Azure is Azure Container Instances (ACI). This service is much more basic than Azure Kubernetes Service or Azure Container Apps. Creating an instance is as simple and allows Docker containers in a managed, serverless cloud environment without the need to set up VMs, clusters, or orchestrators.

If using Linux containers, you can create a container group which allows multiple containers to sit on the same host machine. By adding to a group, the containers share lifecycle, resources, local network, and storage volumes. This is similar to a pod concept in Kubernetes.

Because ACI allows containers to be run in isolation, this suits batch or automation/middleware workloads which are not tightly coupled to other parts of the system. The removal of orchestration features makes it easy for anyone to quickly use containers in their projects. Ideal use cases could be running app build tasks or for doing some data transformation work.

Azure Batch

If you have a workload that needs a lot of compute for a limited amount of time, Azure Batch is a great service that is simple to use and understand. You create an Azure Batch account and create one or more pools of VMs. The VM selection is vast and includes the GPU backed SKUs, ideal for rendering and AI tasks.

From there, you create a job in which one or more tasks are created. When the job is run, the VMs work in parallel to accelerate the processing of the task(s). There are manual and auto scaling features to ensure you have sufficient compute power to complete the job in the required timeframe. Azure Batch supports the use of spot instances, which are excess capacity in Azure datacentres, sold at a fraction of the cost, with the proviso they can remove without notice if they need the resource back, which is ideal for VMs you only need to spin up when a job is being run.

Azure Batch conceptual illustration. Credit: Microsoft

Use cases for Azure batch would include data processing on huge datasets, rendering workloads, AI/ML or scientific work that require large-scale parallel and high-performance computing (HPC), which would ordinarily require organisations to have mainframe computing on premises.

Azure Service Fabric

If you are building cloud native projects that go beyond just containers, then Azure Service Fabric is a good contender to consider. It is a distributed systems platform that aims to simplify the development, deployment and ongoing management of scalable and reliable applications.

Service Fabric supports stateless and stateful microservices, so there is potential to run containerised stateful services in any language. It powers several Microsoft services including Azure SQL database, Azure Cosmos DB and Dynamics 365. As Microsoft’s container orchestrator, Service Fabric can deploy and manage microservices across a cluster of machines. It can do this rapidly, allowing for high density rollout of thousands of applications or containers per VM.

You are able to deploy Service Fabric clusters on Windows Server or Linux on Azure and other public clouds. The development environment in the Service Fabric SDK mirrors the production environment. Service Fabric integrates with popular CI/CD tools like Azure Pipelines, Jenkins and Octopus Deploy. Application lifestyle management is supported to work through the various stages of development, deployment, monitoring, management and decommissioning.

Azure Spring Apps

The Spring framework is a way of deploying Java applications in a portable environment with security and connectivity handled by the framework so deployment is quicker and simpler. With Spring, you have a solid foundation for your Java applications, providing essential building blocks like dependency injection, aspect-oriented programming (AOP), and transaction management.

Azure Spring apps provides a fully managed service, allowing you to focus on your app, whilst Azure handles the underlying infrastructure. It allows you to build apps of all types including web apps, microservices, event-driven, serverless or batch. Azure Spring apps allows your apps to adapt to changing user patterns, with auto and manual scaling of instances.

Azure Spring Apps supports both Java Spring Boot and ASP.NET Core Steeltoe apps. Being built on Azure, you can integrate easily with other Azure services such as databases, storage and monitoring. There is an Enterprise offering which supports VMware Tanzu components, baked with an SLA.

Azure Red Hat OpenShift

Red Hat OpenShift is an Enterprise ready Kubernetes offering, enhancing Kubernetes clusters in a platform that provides tools to help develop, deploy and manage your application.

Built on Red Hat Enterprise Linux and combined with the security and stability of Azure, it offers enhancements in areas like source control integration, networking features, security, a rich set of APIs and having hybrid cloud at the heart of its design.

Red Hat OpenShift is versatile and can support a number of use cases including web services, APIs, edge computing, data intensive apps, and legacy application modernisation. Being built for Enterprise use, there are a large number of Fortune 500 companies use Red Hat OpenShift – a testament to the value proposition it brings.

Conclusion

As we can see, there are a whole array of compute offerings within Azure. Deciding on which to use will depend on use case, cost and how the application will interact with other services or the outside world.

Azure Compute decision tree. Credit: Microsoft

Sometimes the a particular compute service maybe ideal for dev/test but a different service when the app is in production. In other cases, multiple compute types maybe used for larger, more complex projects.

Take time to consider which services would satisfy your requirements, then weigh up the merits and challenges of each of them before making a decision.

Azure solutions architect expert

Exploring Certifications: Microsoft Azure Solutions Architect Expert

February 9, 2024 / / 0 Comments

Widely accepted as the pinnacle of Azure Certifications, many choose to aim for the Azure solutions architect certification after completing several fundamentals and associate level certifications in the Azure space. It is an expert level certification and covers the architecture design of cloud computing in Azure. Whilst one of the required exams is relates to administration, the principal of an architect is in the planning of the infrastructure and choosing best services for a given workload, factoring in customer and regulatory requirements.

Let’s look at this certification in more detail.

Who is this certification for?

Being an expert level certification, it would assume some knowledge and experience in IT already, and more specifically in the Azure cloud environment. You could be gaining knowledge through learning, through practice or a combination of the two. Someone who is in an Azure administrator or helpdesk role may consider this certification to move up into becoming a cloud architect. A cloud architect, specifically an Azure cloud architect will help organisations transitioning to the cloud or improve existing cloud assets by rearchitecting into cloud native solutions, potentially adding ability to scale and/or design redundancy into their applications.

Considering a career in cloud architecture

Internally at Microsoft, there are Azure customer success managers (CSMs), who can move into a Azure cloud solution architect (CSA) role, and obtaining this certification is highly advantageous for the CSA position, or potentially join the company as a CSA if Microsoft are recruiting externally. Azure has many partners and end user customers, many of them who will be recruiting for cloud architects.

Exam requirements

Previously, this certification was achieved by passing two exams one regarding the technology and one regarding the design – AZ-303 and AZ-304 were the last iterations of this format. Now, we find there are still two exams to pass but one is a certification in itself and it is likely already in many Azure professional’s portfolio, the AZ-104, Microsoft Azure Administrator. The other exam is the AZ-305, Microsoft Azure Architect Design. You can take the exams in either order but the Microsoft Certified: Azure Solutions Architect Expert certification is not awarded until both exams have been passed.

The certification is valid for 1 year and you can revalidate your certification to extend year on year by passing an assessment. You can take the assessment 180 days before expiry right up to the expiry date. You don’t have to renew the Azure administrator certification to keep the Azure architect certification, but it would be nice to think you would renew all the certifications as they become eligible to do so.

In a previous blog post, we have gone through the AZ-104 exam and related certification, so in this post we will cover the AZ-305.

Topics covered

If we follow along Microsoft’s own learning path material, starting with a perquisite set of modules they provide, which includes core architectural components of Azure, describing compute, networking and storage services. There is a module on identity, access and security and another on the Microsoft cloud adoption framework for Azure. The prerequisites modules conclude with an introduction to the Microsoft Azure well-architected framework. Depending on your experience and how recently you have covered these areas will determine if you want to work through these or not. Now, let’s continue with the actual modules that are part of the AZ-305 and should cover the skills measured.

Role-based access control is a central feature of identity and governance

The first learning path is titled design identity, governance, and monitor solutions. Most of this should be familiar to those who have already completed the Azure administrator certification. The first module in this learning path is design governance, which deals with the management group > subscription > resource group hierarchy as well as tags, policies, role-based access control (RBAC) and landing zones. This is followed by design authentication and authorization solutions, which is very Entra ID heavy, including business-to-business (b2b), business-to-consumer (b2c), conditional access, identity protection, access reviews, service principals and managed identities. There is also a section on Azure key vault. The last module in this learning path is design a solution to log and monitor Azure resources, which covers Azure monitor, log analytics workspace and Azure Data Explorer.

Next learning path in the series is the design business continuity solutions, which covers describe high availability (HA) and disaster recovery (DR) strategies module, which includes HA and DR for PaaS and IaaS resources, Recovery Time Objective (RTO), Recovery Point Objective (RPO) considerations, and what to plan for in hybrid (cloud and on prem) scenarios. The other module in this learning path is design a solution for backup and disaster recovery which focuses on Azure backup, specifically for Azure blob, Azure files, Azure virtual machine, Azure SQL backup and recovery. Lastly for this module, designing for Azure site recovery is included.

The third AZ-305 learning path is design data storage solutions which begins with a module on designing a data storage solution for non-relational data. This will be all things storage accounts and specifically blob storage and Azure files. Also covered are Azure managed disks, data redundancy and storage security. The next module is not surprisingly design a data storage solution for relational data, covering Azure SQL database, Azure SQL managed instance, SQL Server on Azure virtual machines and Azure SQL edge. Items you are asked to consider include database scalability, availability and security for data in rest, in transit and in use. To conclude the module, we have table storage and the Cosmos DB Table API. The third and final storage solutions module is design data integration where the candidate will be asked to consider solutions that involve Azure data factory, Azure data lake, Azure databricks, Azure synapse analytics and Azure stream analytics. An important part of this data integration section is designing strategies for hot, warm, and cold data paths.

Azure Migrate is a suite of tools to aid cloud onboarding

The largest section in the skills measured, some 30-35% of the exam score is designing infrastructure solutions and so we will go through what is required in this subject area now. The first module is design an Azure compute solution and covers a large number of Azure compute services including virtual machines, Azure batch, Azure app service, Azure container instances (ACI), Azure Kubernetes service (AKS), Azure functions and Azure logic apps. Choosing the right compute service is a key part of cloud architecture so it is important to have these down pat. Next is design an application architecture, which mostly covers Azure event and messaging solutions, namely Azure queue storage, Azure service bus, Azure event hubs, and Azure event grid. There is a section on designing an automated app deployment solution using ARM templates or BICEP. Also covered in the apps section is Azure Cache for Redis, Azure API management and Azure app configuration. The number of components mentioned in the design network solutions learning path is considerable. It begins with general networking considerations, thinking about IP addressing, selecting a region, and choosing a topology; hub-and-spoke is the most popular so expect this to be featured in the exam. Azure virtual network NAT and route tables (system and user defined routes (UDR) are included also. The section in the module on on-premises connectivity to Azure virtual networks expects a knowledge of when to use Azure VPN Gateway or Azure ExpressRoute (with optional VPN failover) and when Azure virtual WAN maybe appropriate. Staying with networking, a section is dedicated to application delivery services, which mainly deals with load balancing solutions, namely Azure Front Door, Azure Traffic Manager, Azure Load Balancer and Azure Application Gateway. You are expected to know when to use a given solution depending on regional or global requirement, working on OSI layer 4 or 7 and if the workload is internal or public facing. Also you should know when to use the Azure Content Delivery Network (CDN). Then to wrap up networking there’s the section on designing application protection services which again contains a lot of services including Azure DDoS Protection, Azure Private Link, Azure Web Application Firewall, Azure Firewall, virtual network security groups (NSGs), Service endpoints, Azure Bastion and JIT network access. Design migrations is the final module of the infrastructure learning path. It begins with understanding the Azure migration framework as part of the wider Cloud Adoption Framework. This module then develops into leveraging tools that assist with the migration journey, including Service Map, Azure Total Cost of Ownership (TCO) Calculator, Azure Migrate, Data Migration Assistant (DMA), Database Migration Service, Azure Cosmos DB Data Migration tool and Azure Resource Mover. The migration section concludes with the various methods to get data in and out of Azure. Azure Storage Migration Service, Azure File Sync, Azure Import/Export service, AzCopy, Azure Storage Explorer and Azure Data Box are are services that are used to migrate your data. That is a lot but remember, this is design, so you won’t be going into these services in any great detail, only knowing when to use a solution for a given scenario.

The penultimate learning path for the AZ-305 exam is build great solutions with the Microsoft Azure Well-Architected Framework. This is an established process to follow to give a project in the cloud a great chance of success. The Microsoft Azure Well-Architected Framework consists of five pillars:

  • Cost optimization
  • Operational excellence
  • Performance efficiency
  • Reliability
  • Security

Each of these pillars will be understood by the candidate to ensure the opportunity to architect a solution has these important factors taken into account. To help with learning, each pillar has it’s own module within the learning path.

Considering SQL DB as a service instead of SQL on VMs

The final learning path is accelerate cloud adoption with the Microsoft Cloud Adoption Framework for Azure. The concept here is to understand the goals, evaluate the project from an IT, financial and operational perspective and bring along stakeholders to champion the cloud adoption through it’s various stages. There is a whole module on using Azure landing zones to support your requirements for cloud operations as well as other modules on migration best practice, building in resilience and designing with security in mind. As part of the adoption journey, there needs to be consideration regarding minimum viable product and measuring project effectiveness and what success looks like.

Exam hints and tips

The first advice whether seasoned in Azure or not would be to complete the fundamentals and administrator certs before attempting this exam. There is a fair bit of crossover and keeping the broad topics fresh is a good way to build up to the more complex concepts. Also, if possible, try not to leave too much of a gap between taking them. Keeping the momentum going is a good way of not forgetting things already learned.

In many Azure certifications, it is often recommended to have hands on practice with the different types of resources as well as learning the theory. The design infrastructure solutions exam however is just that, design. The implementation comes in the administrator exam so this one is much more high level and plays to describing best practice solutions, not the nuts and bolts of creating a resource and so forth. In a way, this exam has a lot in common with the Azure fundamentals exam – although of course it is markedly more difficult.

Following some hints and tips from others can help

Life is busy and this is a big exam and a big deal for your career and professional recognition. As such, if you can, reserve more time for study just before exam date, so you can have a bulk of recently stored knowledge to walk into the exam with. Make provisions with home and/or work to have more time to give yourself a last push, but keep it balanced. After several hours a day, it will become counter-productive to try to endure even more learning. Also don’t cram on the day of the test. By then the adrenaline will be blocking the ability to properly concentrate. My advice is also, don’t book the exam for the evening unless you are generally asleep in the daytime. These exams are long and take stamina. Early to mid-afternoon works well for me.

It’s always worth booking the exam before you are fully ready, to try and set a learning pace. If it gets close to the date and you feel are still miles off, you can reschedule (or even cancel for a refund), so long as it is more than 24 hours before the exam start time. A lot of these exams is down to confidence, if you aren’t sure if you’ll pass or not, give it a go anyway. If you don’t pass as least you will have some understanding on how far off the pass mark you are and what troubled you the most, so you can pass on the next attempt. I have often practiced with a real exam in this way, sometimes I pass to my surprise, sometimes not, and that is ok also.

There is more exam advice, much of which applies to this certification as well on the Azure administrator and Azure fundamentals posts.

Recommended resources

This section is going to seem like a stuck record if you have read the AZ-900 and AZ-104 posts, but it has to be said, regardless of what 3rd party resources you decide to assist with your learning, you should consume the official Microsoft AZ-305 exam learning paths. It is curated to cover all aspects of the skills measured, so if its not on this content, its unlikely to be on the exam. There are some exercises in the prerequisite modules but the rest of the learning path is information only (being a design, not administrator exam, that makes sense, right?)

John Savill must be mentioned again. As discussed in previous posts, John’s YouTube content equals or surpasses much of the commercially available courses out there. Not only John gives up his free time to produce this huge body of work, he refuses to monetise his YouTube channel, so you don’t even see ads! For this exam John provides an entire playlist of videos relevant to the exam including his hugely popular AZ-305 study cram.

John Savill’s AZ-305 is essential viewing before taking the exam

Beyond those two free resources, there is plenty of other free material online as well as many popular websites such as Pluralsight, Udemy, LinkedIn Learning and Cloud Academy offering a dedicated AZ-305 course. I haven’t reviewed any of these so cannot comment on their quality, so check out what is on offer with any paid subscriptions you already have or ask others who have recently certified what courses they used.

Next steps

Once you have achieved the Microsoft Certified: Azure solutions architect expert certification, you really do have so many options on what to choose next, we could almost list every Azure certification here. What you do next in terms of certification will depend a lot on your strengths, your interests and perhaps some influencing factors such as encouragement by your current employer to follow a certain path that is compatible with a skill shortage they have identified. Or perhaps you have been reading articles in the IT industry press about an overall shortage of skilled people in a certain IT category and you think a good career move would be to be qualified in that area of expertise.

Now you have one expert level certification, there are a couple of others in the Azure space – DevOps engineer expert & Cybersecurity architect expert, both of which require a couple of exams to get the qualification, but in some cases, you may already have one of these when working towards other goals. For example, the AZ-104 is one of the two exams required for the Azure solutions architect expert exam, but it also can be used along with the AZ-400 to obtain the DevOps engineer expert certification.

There are plenty of associate level certifications in all sorts of areas of Azure cloud such as data engineering, networking, security, AI, Developer and so on. There are also speciality certifications in subjects such as Cosmos DB, Azure virtual desktop and Azure for SAP workloads.

Copyright © 2025 azureskills.tech

Theme by Anders NorenUp ↑